# include <openssl/ct.h>
#endif
+#include "internal/threads.h"
#include "../ssl/ssl_locl.h"
/*
# include OPENSSL_UNISTD
#endif
-SSL_CTX *s_ctx = NULL;
-SSL_CTX *s_ctx2 = NULL;
+static SSL_CTX *s_ctx = NULL;
+static SSL_CTX *s_ctx2 = NULL;
/*
* There is really no standard for this, so let's assign something
fprintf(stderr, " -psk arg - PSK in hex (without 0x)\n");
#endif
#ifndef OPENSSL_NO_SRP
- fprintf(stderr, " -srpuser user - SRP username to use\n");
- fprintf(stderr, " -srppass arg - password for 'user'\n");
+ fprintf(stderr, " -srpuser user - SRP username to use\n");
+ fprintf(stderr, " -srppass arg - password for 'user'\n");
#endif
#ifndef OPENSSL_NO_SSL3
fprintf(stderr, " -ssl3 - use SSLv3\n");
fprintf(stderr, " -tls1 - use TLSv1\n");
#endif
#ifndef OPENSSL_NO_DTLS
- fprintf(stderr, " -dtls - use DTLS\n");
+ fprintf(stderr, " -dtls - use DTLS\n");
#ifndef OPENSSL_NO_DTLS1
fprintf(stderr, " -dtls1 - use DTLSv1\n");
#endif
BIO_printf(bio_stdout, "\n");
}
-static void lock_dbg_cb(int mode, int type, const char *file, int line)
-{
- static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
- const char *errstr = NULL;
- int rw;
-
- rw = mode & (CRYPTO_READ | CRYPTO_WRITE);
- if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE))) {
- errstr = "invalid mode";
- goto err;
- }
-
- if (type < 0 || type >= CRYPTO_NUM_LOCKS) {
- errstr = "type out of bounds";
- goto err;
- }
-
- if (mode & CRYPTO_LOCK) {
- if (modes[type]) {
- errstr = "already locked";
- /*
- * must not happen in a single-threaded program (would deadlock)
- */
- goto err;
- }
-
- modes[type] = rw;
- } else if (mode & CRYPTO_UNLOCK) {
- if (!modes[type]) {
- errstr = "not locked";
- goto err;
- }
-
- if (modes[type] != rw) {
- errstr = (rw == CRYPTO_READ) ?
- "CRYPTO_r_unlock on write lock" :
- "CRYPTO_w_unlock on read lock";
- }
-
- modes[type] = 0;
- } else {
- errstr = "invalid mode";
- goto err;
- }
-
- err:
- if (errstr) {
- /* we cannot use bio_err here */
- fprintf(stderr,
- "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
- errstr, mode, type, file, line);
- }
-}
-
/*
* protocol_from_string - converts a protocol version string to a number
*
int fips_mode = 0;
#endif
int no_protocol;
+ int min_version = 0, max_version = 0;
#ifndef OPENSSL_NO_CT
/*
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
- CRYPTO_set_locking_callback(lock_dbg_cb);
-
p = getenv("OPENSSL_DEBUG_MEMORY");
if (p != NULL && strcmp(p, "on") == 0)
CRYPTO_set_mem_debug(1);
goto bad;
srp_server_arg.expected_user = srp_client_arg.srplogin =
*(++argv);
- tls1 = 1;
+ min_version = TLS1_VERSION;
} else if (strcmp(*argv, "-srppass") == 0) {
if (--argc < 1)
goto bad;
srp_server_arg.pass = srp_client_arg.srppassin = *(++argv);
- tls1 = 1;
+ min_version = TLS1_VERSION;
}
#endif
else if (strcmp(*argv, "-tls1") == 0) {
}
#endif
- /*
- * At this point, ssl3/tls1 is only set if the protocol is available.
- * (Otherwise we exit early.) However the compiler doesn't know this, so
- * we ifdef.
- */
-#ifndef OPENSSL_NO_DTLS
-#ifndef OPENSSL_NO_DTLS1
- if (dtls1)
- meth = DTLSv1_method();
- else
-#endif
-#ifndef OPENSSL_NO_DTLS1_2
- if (dtls12)
- meth = DTLSv1_2_method();
- else
+#ifndef OPENSSL_NO_TLS
+ meth = TLS_method();
+ if (ssl3) {
+ min_version = SSL3_VERSION;
+ max_version = SSL3_VERSION;
+ } else if (tls1) {
+ min_version = TLS1_VERSION;
+ max_version = TLS1_VERSION;
+ }
#endif
- if (dtls)
+#ifndef OPENSSL_NO_DTLS
+ if (dtls || dtls1 || dtls12)
meth = DTLS_method();
- else
-#endif
-#ifndef OPENSSL_NO_SSL3
- if (ssl3)
- meth = SSLv3_method();
- else
-#endif
-#ifndef OPENSSL_NO_TLS1
- if (tls1)
- meth = TLSv1_method();
- else
+ if (dtls1) {
+ min_version = DTLS1_VERSION;
+ max_version = DTLS1_VERSION;
+ } else if (dtls12) {
+ min_version = DTLS1_2_VERSION;
+ max_version = DTLS1_2_VERSION;
+ }
#endif
- meth = TLS_method();
c_ctx = SSL_CTX_new(meth);
s_ctx = SSL_CTX_new(meth);
SSL_CTX_set_security_level(s_ctx, 0);
SSL_CTX_set_security_level(s_ctx2, 0);
+ if (SSL_CTX_set_min_proto_version(c_ctx, min_version) == 0)
+ goto end;
+ if (SSL_CTX_set_max_proto_version(c_ctx, max_version) == 0)
+ goto end;
+ if (SSL_CTX_set_min_proto_version(s_ctx, min_version) == 0)
+ goto end;
+ if (SSL_CTX_set_max_proto_version(s_ctx, max_version) == 0)
+ goto end;
+
if (cipher != NULL) {
if (!SSL_CTX_set_cipher_list(c_ctx, cipher)
|| !SSL_CTX_set_cipher_list(s_ctx, cipher)
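Review bot: The new version bounds are applied to c_ctx and s_ctx only; s_ctx2, which is visibly a third live context here (it gets `SSL_CTX_set_security_level(s_ctx2, 0)` two lines earlier and is presumably created from the same meth), is left at the method's default version range, so a `-ssl3`/`-tls1`/`-dtls1` run no longer pins the second server context the way the old per-version `*_method()` selection did. Add the same guarded pair after the s_ctx calls: `if (SSL_CTX_set_min_proto_version(s_ctx2, min_version) == 0 || SSL_CTX_set_max_proto_version(s_ctx2, max_version) == 0) goto end;`. Note also that `-srpuser`/`-srppass` now set `min_version = TLS1_VERSION` unconditionally (previous hunk), so combined with `-dtls` a TLS version bound is handed to a DTLS_method() context; if the setter rejects the mismatch that becomes a bare `goto end` with no diagnostic, so either print ERR before `goto end` or only apply the SRP floor when the method is not DTLS. The enclosing main() starts and ends outside this hunk.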
rv = SSL_CONF_cmd(c_cctx, arg, argn);
/* If not recognised use server context */
if (rv == -2) {
- SSL_CONF_cmd(s_cctx2, arg, argn);
- rv = SSL_CONF_cmd(s_cctx, arg, argn);
+ rv = SSL_CONF_cmd(s_cctx2, arg, argn);
+ if (rv > 0)
+ rv = SSL_CONF_cmd(s_cctx, arg, argn);
}
if (rv <= 0) {
BIO_printf(bio_err, "Error processing %s %s\n",
/* goto end; */
}
+#ifndef OPENSSL_NO_CT
if (!SSL_CTX_set_default_ctlog_list_file(s_ctx) ||
!SSL_CTX_set_default_ctlog_list_file(s_ctx2) ||
!SSL_CTX_set_default_ctlog_list_file(c_ctx)) {
ERR_print_errors(bio_err);
}
+#endif
if (client_auth) {
printf("client authentication\n");
return (ret);
}
+static CRYPTO_ONCE proxy_auth_ex_data_once = CRYPTO_ONCE_STATIC_INIT;
+static volatile int proxy_auth_ex_data_idx = -1;
+
+static void do_get_proxy_auth_ex_data_idx(void)
+{
+ proxy_auth_ex_data_idx = X509_STORE_CTX_get_ex_new_index(0,
+ "SSLtest for verify callback",
+ NULL, NULL, NULL);
+}
+
static int get_proxy_auth_ex_data_idx(void)
{
- static volatile int idx = -1;
- if (idx < 0) {
- CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
- if (idx < 0) {
- idx = X509_STORE_CTX_get_ex_new_index(0,
- "SSLtest for verify callback",
- NULL, NULL, NULL);
- }
- CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
- }
- return idx;
+ CRYPTO_THREAD_run_once(&proxy_auth_ex_data_once,
+ do_get_proxy_auth_ex_data_idx);
+ return proxy_auth_ex_data_idx;
}
static int verify_callback(int ok, X509_STORE_CTX *ctx)
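Review bot: `CRYPTO_THREAD_run_once()` returns an int status that is discarded in get_proxy_auth_ex_data_idx, and the init function itself never checks `X509_STORE_CTX_get_ex_new_index()`, so on either failure the function returns the -1 sentinel and the caller will feed it to the ex_data accessors; guard it with `if (!CRYPTO_THREAD_run_once(&proxy_auth_ex_data_once, do_get_proxy_auth_ex_data_idx)) return -1;` so the failure at least stays explicit. With the once-initialisation providing the ordering, the `volatile` on `proxy_auth_ex_data_idx` no longer buys anything and is better dropped than read as a synchronisation mechanism. A one-line comment on the static, `/* ex_data index for the proxy-cert verify callback; -1 until initialised */`, would help the next reader.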
static int do_test_cipherlist(void)
{
-#if !defined(OPENSSL_NO_SSL3) || !defined(OPENSSL_NO_TLS1)
+#ifndef OPENSSL_NO_TLS
int i = 0;
const SSL_METHOD *meth;
const SSL_CIPHER *ci, *tci = NULL;
-#endif
-#ifndef OPENSSL_NO_SSL3
- meth = SSLv3_method();
+ /*
+ * This is required because ssltest "cheats" and uses internal headers to
+ * call functions, thus avoiding auto-init
+ */
+ OPENSSL_init_crypto(0, NULL);
+
+ meth = TLS_method();
tci = NULL;
while ((ci = meth->get_cipher(i++)) != NULL) {
if (tci != NULL)
tci = ci;
}
#endif
-#ifndef OPENSSL_NO_TLS1
- meth = TLSv1_method();
- tci = NULL;
- while ((ci = meth->get_cipher(i++)) != NULL) {
- if (tci != NULL)
- if (ci->id >= tci->id) {
- fprintf(stderr, "testing TLSv1 cipher list order: ");
- fprintf(stderr, "failed %x vs. %x\n", ci->id, tci->id);
- return 0;
- }
- tci = ci;
- }
-#endif
return 1;
}
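Review bot: The return value of `OPENSSL_init_crypto(0, NULL)` is ignored, so if initialisation fails the loop still dereferences `meth->get_cipher`; since the comment explains this call exists precisely because the test bypasses auto-init, make the fallback explicit with `if (!OPENSSL_init_crypto(0, NULL)) return 0;`. The rewritten loop only reports through the (partly cut) fprintf, and with a single TLS_method() pass the message should name the generic cipher list rather than "TLSv1" as the removed lines did — worth confirming in the lines not shown here. The middle of this function falls outside the hunk.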