-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-/* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in
- * the documentation and/or other materials provided with the
- * distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- * software must display the following acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- * endorse or promote products derived from this software without
- * prior written permission. For written permission, please contact
- * openssl-core@openssl.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- * nor may "OpenSSL" appear in their names without prior written
- * permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- * acknowledgment:
- * "This product includes software developed by the OpenSSL Project
- * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay@cryptsoft.com). This product includes software written by Tim
- * Hudson (tjh@cryptsoft.com).
- *
- */
-/* ====================================================================
- * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
- * ECC cipher suite support in OpenSSL originally developed by
- * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
- */
-/* ====================================================================
+/*
+ * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
- * The portions of the attached software ("Contribution") is developed by
- * Nokia Corporation and is licensed pursuant to the OpenSSL open source
- * license.
- *
- * The Contribution, originally written by Mika Kousa and Pasi Eronen of
- * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
- * support (see RFC 4279) to OpenSSL.
- *
- * No patent licenses or other rights except those expressly stated in
- * the OpenSSL open source license shall be deemed granted or received
- * expressly, by implication, estoppel, or otherwise.
- *
- * No assurances are provided by Nokia that the Contribution does not
- * infringe the patent or other intellectual property rights of any third
- * party or that the license provides you with all the necessary rights
- * to make use of the Contribution.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
- * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
- * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
- * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
- * OTHERWISE.
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
*/
/* Or gethostname won't be declared properly on Linux and GNU platforms. */
-#define _BSD_SOURCE 1
-#define _DEFAULT_SOURCE 1
+#ifndef _BSD_SOURCE
+# define _BSD_SOURCE 1
+#endif
+#ifndef _DEFAULT_SOURCE
+# define _DEFAULT_SOURCE 1
+#endif
#include <assert.h>
#include <errno.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/ssl.h>
-#ifndef OPENSSL_NO_ENGINE
-# include <openssl/engine.h>
-#endif
#include <openssl/err.h>
#include <openssl/rand.h>
#ifndef OPENSSL_NO_RSA
#ifndef OPENSSL_NO_DH
# include <openssl/dh.h>
#endif
-#ifndef OPENSSL_NO_SRP
-# include <openssl/srp.h>
-#endif
#include <openssl/bn.h>
#ifndef OPENSSL_NO_CT
# include <openssl/ct.h>
#endif
-#include "internal/threads.h"
-#include "../ssl/ssl_locl.h"
-
/*
* Or gethostname won't be declared properly
* on Compaq platforms (at least with DEC C).
struct app_verify_arg {
char *string;
int app_verify;
- int allow_proxy_certs;
- char *proxy_auth;
- char *proxy_cond;
};
#ifndef OPENSSL_NO_DH
unsigned int max_psk_len);
#endif
-#ifndef OPENSSL_NO_SRP
-/* SRP client */
-/* This is a context that we pass to all callbacks */
-typedef struct srp_client_arg_st {
- char *srppassin;
- char *srplogin;
-} SRP_CLIENT_ARG;
-
-# define PWD_STRLEN 1024
-
-static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
-{
- SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
- return OPENSSL_strdup((char *)srp_client_arg->srppassin);
-}
-
-/* SRP server */
-/* This is a context that we pass to SRP server callbacks */
-typedef struct srp_server_arg_st {
- char *expected_user;
- char *pass;
-} SRP_SERVER_ARG;
-
-static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
-{
- SRP_SERVER_ARG *p = (SRP_SERVER_ARG *)arg;
-
- if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0) {
- fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s));
- return SSL3_AL_FATAL;
- }
- if (SSL_set_srp_server_param_pw(s, p->expected_user, p->pass, "1024") < 0) {
- *ad = SSL_AD_INTERNAL_ERROR;
- return SSL3_AL_FATAL;
- }
- return SSL_ERROR_NONE;
-}
-#endif
-
static BIO *bio_err = NULL;
static BIO *bio_stdout = NULL;
* next_protos_parse parses a comma separated list of strings into a string
* in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
* outlen: (output) set to the length of the resulting buffer on success.
- * err: (maybe NULL) on failure, an error message line is written to this BIO.
* in: a NUL terminated string like "abc,def,ghi"
*
* returns: a malloced buffer or NULL on failure.
int doit_biopair(SSL *s_ssl, SSL *c_ssl, long bytes, clock_t *s_time,
clock_t *c_time);
int doit(SSL *s_ssl, SSL *c_ssl, long bytes);
-static int do_test_cipherlist(void);
static void sv_usage(void)
{
fprintf(stderr, "usage: ssltest [args ...]\n");
fprintf(stderr, "\n");
-#ifdef OPENSSL_FIPS
- fprintf(stderr, "-F - run test in FIPS mode\n");
-#endif
fprintf(stderr, " -server_auth - check server certificate\n");
fprintf(stderr, " -client_auth - do client authentication\n");
- fprintf(stderr, " -proxy - allow proxy certificates\n");
- fprintf(stderr, " -proxy_auth <val> - set proxy policy rights\n");
- fprintf(stderr,
- " -proxy_cond <val> - expression to test proxy policy rights\n");
fprintf(stderr, " -v - more output\n");
fprintf(stderr, " -d - debug output\n");
fprintf(stderr, " -reuse - use session-id reuse\n");
#ifndef OPENSSL_NO_PSK
fprintf(stderr, " -psk arg - PSK in hex (without 0x)\n");
#endif
-#ifndef OPENSSL_NO_SRP
- fprintf(stderr, " -srpuser user - SRP username to use\n");
- fprintf(stderr, " -srppass arg - password for 'user'\n");
-#endif
#ifndef OPENSSL_NO_SSL3
fprintf(stderr, " -ssl3 - use SSLv3\n");
#endif
fprintf(stderr,
" -time - measure processor time used by client and server\n");
fprintf(stderr, " -zlib - use zlib compression\n");
- fprintf(stderr,
- " -test_cipherlist - Verifies the order of the ssl cipher lists.\n"
- " When this option is requested, the cipherlist\n"
- " tests are run instead of handshake tests.\n");
#ifndef OPENSSL_NO_NEXTPROTONEG
fprintf(stderr, " -npn_client - have client side offer NPN\n");
fprintf(stderr, " -npn_server - have server side offer NPN\n");
SSL_CIPHER_get_version(ciph), SSL_CIPHER_get_name(ciph));
cert = SSL_get_peer_certificate(c_ssl);
if (cert != NULL) {
- pkey = X509_get_pubkey(cert);
- if (pkey != NULL) {
+ EVP_PKEY* pubkey = X509_get0_pubkey(cert);
+
+ if (pubkey != NULL) {
BIO_puts(bio_stdout, ", ");
- print_key_details(bio_stdout, pkey);
- EVP_PKEY_free(pkey);
+ print_key_details(bio_stdout, pubkey);
}
X509_free(cert);
}
{"tls1", TLS1_VERSION},
{"tls1.1", TLS1_1_VERSION},
{"tls1.2", TLS1_2_VERSION},
+ {"tls1.3", TLS1_3_VERSION},
{"dtls1", DTLS1_VERSION},
{"dtls1.2", DTLS1_2_VERSION}};
size_t i;
int main(int argc, char *argv[])
{
- char *CApath = NULL, *CAfile = NULL;
+ const char *CApath = NULL, *CAfile = NULL;
int badop = 0;
enum { BIO_MEM, BIO_PAIR, BIO_IPV4, BIO_IPV6 } bio_type = BIO_MEM;
int force = 0;
- int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, ssl3 = 0, ret = 1;
+ int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, tls1_2 = 0, ssl3 = 0, ret = 1;
int client_auth = 0;
int server_auth = 0, i;
struct app_verify_arg app_verify_arg =
- { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
+ { APP_CALLBACK_STRING, 0 };
char *p;
SSL_CTX *c_ctx = NULL;
const SSL_METHOD *meth = NULL;
#ifndef OPENSSL_NO_DH
DH *dh;
int dhe512 = 0, dhe1024dsa = 0;
-#endif
-#ifndef OPENSSL_NO_SRP
- /* client */
- SRP_CLIENT_ARG srp_client_arg = { NULL, NULL };
- /* server */
- SRP_SERVER_ARG srp_server_arg = { NULL, NULL };
#endif
int no_dhe = 0;
int no_psk = 0;
int n, comp = 0;
COMP_METHOD *cm = NULL;
STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
-#endif
- int test_cipherlist = 0;
-#ifdef OPENSSL_FIPS
- int fips_mode = 0;
#endif
int no_protocol;
int min_version = 0, max_version = 0;
while (argc >= 1) {
if (strcmp(*argv, "-F") == 0) {
-#ifdef OPENSSL_FIPS
- fips_mode = 1;
-#else
fprintf(stderr,
"not compiled with FIPS support, so exiting without running.\n");
EXIT(0);
-#endif
} else if (strcmp(*argv, "-server_auth") == 0)
server_auth = 1;
else if (strcmp(*argv, "-client_auth") == 0)
client_auth = 1;
- else if (strcmp(*argv, "-proxy_auth") == 0) {
- if (--argc < 1)
- goto bad;
- app_verify_arg.proxy_auth = *(++argv);
- } else if (strcmp(*argv, "-proxy_cond") == 0) {
- if (--argc < 1)
- goto bad;
- app_verify_arg.proxy_cond = *(++argv);
- } else if (strcmp(*argv, "-v") == 0)
+ else if (strcmp(*argv, "-v") == 0)
verbose = 1;
else if (strcmp(*argv, "-d") == 0)
debug = 1;
no_psk = 1;
#endif
}
-#ifndef OPENSSL_NO_SRP
- else if (strcmp(*argv, "-srpuser") == 0) {
- if (--argc < 1)
- goto bad;
- srp_server_arg.expected_user = srp_client_arg.srplogin =
- *(++argv);
- min_version = TLS1_VERSION;
- } else if (strcmp(*argv, "-srppass") == 0) {
- if (--argc < 1)
- goto bad;
- srp_server_arg.pass = srp_client_arg.srppassin = *(++argv);
- min_version = TLS1_VERSION;
- }
-#endif
- else if (strcmp(*argv, "-tls1") == 0) {
+ else if (strcmp(*argv, "-tls1_2") == 0) {
+ tls1_2 = 1;
+ } else if (strcmp(*argv, "-tls1") == 0) {
tls1 = 1;
} else if (strcmp(*argv, "-ssl3") == 0) {
ssl3 = 1;
#endif
else if (strcmp(*argv, "-app_verify") == 0) {
app_verify_arg.app_verify = 1;
- } else if (strcmp(*argv, "-proxy") == 0) {
- app_verify_arg.allow_proxy_certs = 1;
- } else if (strcmp(*argv, "-test_cipherlist") == 0) {
- test_cipherlist = 1;
}
#ifndef OPENSSL_NO_NEXTPROTONEG
- else if (strcmp(*argv, "-npn_client") == 0) {
+ else if (strcmp(*argv, "-npn_client") == 0) {
npn_client = 1;
} else if (strcmp(*argv, "-npn_server") == 0) {
npn_server = 1;
goto end;
}
- /*
- * test_cipherlist prevails over protocol switch: we test the cipherlist
- * for all enabled protocols.
- */
- if (test_cipherlist == 1) {
- /*
- * ensure that the cipher list are correctly sorted and exit
- */
- fprintf(stdout, "Testing cipherlist order only. Ignoring all "
- "other options.\n");
- if (do_test_cipherlist() == 0)
- EXIT(1);
- ret = 0;
- goto end;
- }
-
- if (ssl3 + tls1 + dtls + dtls1 + dtls12 > 1) {
- fprintf(stderr, "At most one of -ssl3, -tls1, -dtls, -dtls1 or -dtls12 should "
+ if (ssl3 + tls1 + tls1_2 + dtls + dtls1 + dtls12 > 1) {
+ fprintf(stderr, "At most one of -ssl3, -tls1, -tls1_2, -dtls, -dtls1 or -dtls12 should "
"be requested.\n");
EXIT(1);
}
no_protocol = 1;
else
#endif
+#ifdef OPENSSL_NO_TLS1_2
+ if (tls1_2)
+ no_protocol = 1;
+ else
+#endif
#if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1)
if (dtls1)
no_protocol = 1;
goto end;
}
- if (!ssl3 && !tls1 && !dtls && !dtls1 && !dtls12 && number > 1 && !reuse && !force) {
+ if (!ssl3 && !tls1 && !tls1_2 && !dtls && !dtls1 && !dtls12 && number > 1
+ && !reuse && !force) {
fprintf(stderr, "This case cannot work. Use -f to perform "
"the test anyway (and\n-d to see what happens), "
- "or add one of -ssl3, -tls1, -dtls, -dtls1, -dtls12, -reuse\n"
+ "or add one of -ssl3, -tls1, -tls1_2, -dtls, -dtls1, -dtls12, -reuse\n"
"to avoid protocol mismatch.\n");
EXIT(1);
}
-#ifdef OPENSSL_FIPS
- if (fips_mode) {
- if (!FIPS_mode_set(1)) {
- ERR_print_errors(bio_err);
- EXIT(1);
- } else
- fprintf(stderr, "*** IN FIPS MODE ***\n");
- }
-#endif
if (print_time) {
if (bio_type != BIO_PAIR) {
"Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
}
-/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
-
#ifndef OPENSSL_NO_COMP
if (comp == COMP_ZLIB)
cm = COMP_zlib();
printf("Available compression methods:");
for (j = 0; j < n; j++) {
SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
- printf(" %s:%d", c->name, c->id);
+ printf(" %s:%d", SSL_COMP_get0_name(c), SSL_COMP_get_id(c));
}
printf("\n");
}
} else if (tls1) {
min_version = TLS1_VERSION;
max_version = TLS1_VERSION;
+ } else if (tls1_2) {
+ min_version = TLS1_2_VERSION;
+ max_version = TLS1_2_VERSION;
}
#endif
#ifndef OPENSSL_NO_DTLS
(!SSL_CTX_set_default_verify_paths(s_ctx2)) ||
(!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) ||
(!SSL_CTX_set_default_verify_paths(c_ctx))) {
- /* fprintf(stderr,"SSL_load_verify_locations\n"); */
ERR_print_errors(bio_err);
- /* goto end; */
}
#ifndef OPENSSL_NO_CT
}
#endif
}
-#ifndef OPENSSL_NO_SRP
- if (srp_client_arg.srplogin) {
- if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin)) {
- BIO_printf(bio_err, "Unable to set SRP username\n");
- goto end;
- }
- SSL_CTX_set_srp_cb_arg(c_ctx, &srp_client_arg);
- SSL_CTX_set_srp_client_pwd_callback(c_ctx,
- ssl_give_srp_client_pwd_cb);
- /*
- * SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);
- */
- }
-
- if (srp_server_arg.expected_user != NULL) {
- SSL_CTX_set_verify(s_ctx, SSL_VERIFY_NONE, verify_callback);
- SSL_CTX_set_verify(s_ctx2, SSL_VERIFY_NONE, verify_callback);
- SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
- SSL_CTX_set_srp_cb_arg(s_ctx2, &srp_server_arg);
- SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
- SSL_CTX_set_srp_username_callback(s_ctx2, ssl_srp_server_param_cb);
- }
-#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
if (npn_client) {
"Can't have both -npn_server and -npn_server_reject\n");
goto end;
}
- SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_npn, NULL);
- SSL_CTX_set_next_protos_advertised_cb(s_ctx2, cb_server_npn, NULL);
+ SSL_CTX_set_npn_advertised_cb(s_ctx, cb_server_npn, NULL);
+ SSL_CTX_set_npn_advertised_cb(s_ctx2, cb_server_npn, NULL);
}
if (npn_server_reject) {
- SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_rejects_npn,
- NULL);
- SSL_CTX_set_next_protos_advertised_cb(s_ctx2, cb_server_rejects_npn,
- NULL);
+ SSL_CTX_set_npn_advertised_cb(s_ctx, cb_server_rejects_npn, NULL);
+ SSL_CTX_set_npn_advertised_cb(s_ctx2, cb_server_rejects_npn, NULL);
}
#endif
goto err;
}
if (SSL_version(c_ssl) != version) {
- BIO_printf(bio_err, "Unxpected version negotiated. "
+ BIO_printf(bio_err, "Unexpected version negotiated. "
"Expected: %s, got %s\n", should_negotiate, SSL_get_version(c_ssl));
ret = 1;
goto err;
goto err;
}
+# ifndef OPENSSL_NO_NEXTPROTONEG
end:
+# endif
ret = 0;
err:
goto err;
}
+#ifndef OPENSSL_NO_NEXTPROTONEG
end:
+#endif
ret = 0;
err:
SSL_set_max_send_fragment(c_ssl, max_frag);
BIO_set_ssl(c_bio, c_ssl, BIO_NOCLOSE);
+ /*
+ * We've just given our ref to these BIOs to c_ssl. We need another one to
+ * give to s_ssl
+ */
+ if (!BIO_up_ref(c_to_s)) {
+ /* c_to_s and s_to_c will get freed when we free c_ssl */
+ c_to_s = NULL;
+ s_to_c = NULL;
+ goto err;
+ }
+ if (!BIO_up_ref(s_to_c)) {
+ /* s_to_c will get freed when we free c_ssl */
+ s_to_c = NULL;
+ goto err;
+ }
+
SSL_set_accept_state(s_ssl);
SSL_set_bio(s_ssl, c_to_s, s_to_c);
+
+ /* We've used up all our refs to these now */
+ c_to_s = NULL;
+ s_to_c = NULL;
+
SSL_set_max_send_fragment(s_ssl, max_frag);
BIO_set_ssl(s_bio, s_ssl, BIO_NOCLOSE);
if (SSL_in_init(s_ssl))
printf("server waiting in SSL_accept - %s\n",
SSL_state_string_long(s_ssl));
-/*-
- else if (s_write)
- printf("server:SSL_write()\n");
- else
- printf("server:SSL_read()\n"); */
}
if (do_client && debug) {
if (SSL_in_init(c_ssl))
printf("client waiting in SSL_connect - %s\n",
SSL_state_string_long(c_ssl));
-/*-
- else if (c_write)
- printf("client:SSL_write()\n");
- else
- printf("client:SSL_read()\n"); */
}
if (!do_client && !do_server) {
}
ret = 0;
err:
- /*
- * We have to set the BIO's to NULL otherwise they will be
- * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and again
- * when c_ssl is SSL_free()ed. This is a hack required because s_ssl and
- * c_ssl are sharing the same BIO structure and SSL_set_bio() and
- * SSL_free() automatically BIO_free non NULL entries. You should not
- * normally do this or be required to do this
- */
- if (s_ssl != NULL) {
- s_ssl->rbio = NULL;
- s_ssl->wbio = NULL;
- }
- if (c_ssl != NULL) {
- c_ssl->rbio = NULL;
- c_ssl->wbio = NULL;
- }
-
BIO_free(c_to_s);
BIO_free(s_to_c);
BIO_free_all(c_bio);
return (ret);
}
-static CRYPTO_ONCE proxy_auth_ex_data_once = CRYPTO_ONCE_STATIC_INIT;
-static volatile int proxy_auth_ex_data_idx = -1;
-
-static void do_get_proxy_auth_ex_data_idx(void)
-{
- proxy_auth_ex_data_idx = X509_STORE_CTX_get_ex_new_index(0,
- "SSLtest for verify callback",
- NULL, NULL, NULL);
-}
-
-static int get_proxy_auth_ex_data_idx(void)
-{
- CRYPTO_THREAD_run_once(&proxy_auth_ex_data_once,
- do_get_proxy_auth_ex_data_idx);
- return proxy_auth_ex_data_idx;
-}
-
static int verify_callback(int ok, X509_STORE_CTX *ctx)
{
char *s, buf[256];
- s = X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), buf,
- sizeof buf);
+ s = X509_NAME_oneline(X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)),
+ buf, sizeof buf);
if (s != NULL) {
if (ok)
- printf("depth=%d %s\n", ctx->error_depth, buf);
+ printf("depth=%d %s\n", X509_STORE_CTX_get_error_depth(ctx), buf);
else {
fprintf(stderr, "depth=%d error=%d %s\n",
- ctx->error_depth, ctx->error, buf);
+ X509_STORE_CTX_get_error_depth(ctx),
+ X509_STORE_CTX_get_error(ctx), buf);
}
}
if (ok == 0) {
- switch (ctx->error) {
+ int i = X509_STORE_CTX_get_error(ctx);
+
+ switch (i) {
default:
fprintf(stderr, "Error string: %s\n",
- X509_verify_cert_error_string(ctx->error));
+ X509_verify_cert_error_string(i));
break;
case X509_V_ERR_CERT_NOT_YET_VALID:
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
ok = 1;
- }
- }
-
- if (ok == 1) {
- X509 *xs = ctx->current_cert;
- if (X509_get_extension_flags(xs) & EXFLAG_PROXY) {
- unsigned int *letters = X509_STORE_CTX_get_ex_data(ctx,
- get_proxy_auth_ex_data_idx
- ());
-
- if (letters) {
- int found_any = 0;
- int i;
- PROXY_CERT_INFO_EXTENSION *pci =
- X509_get_ext_d2i(xs, NID_proxyCertInfo,
- NULL, NULL);
-
- switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage)) {
- case NID_Independent:
- /*
- * Completely meaningless in this program, as there's no
- * way to grant explicit rights to a specific PrC.
- * Basically, using id-ppl-Independent is the perfect way
- * to grant no rights at all.
- */
- fprintf(stderr, " Independent proxy certificate");
- for (i = 0; i < 26; i++)
- letters[i] = 0;
- break;
- case NID_id_ppl_inheritAll:
- /*
- * This is basically a NOP, we simply let the current
- * rights stand as they are.
- */
- fprintf(stderr, " Proxy certificate inherits all");
- break;
- default:
- s = (char *)
- pci->proxyPolicy->policy->data;
- i = pci->proxyPolicy->policy->length;
-
- /*
- * The algorithm works as follows: it is assumed that
- * previous iterations or the initial granted rights has
- * already set some elements of `letters'. What we need
- * to do is to clear those that weren't granted by the
- * current PrC as well. The easiest way to do this is to
- * add 1 to all the elements whose letters are given with
- * the current policy. That way, all elements that are
- * set by the current policy and were already set by
- * earlier policies and through the original grant of
- * rights will get the value 2 or higher. The last thing
- * to do is to sweep through `letters' and keep the
- * elements having the value 2 as set, and clear all the
- * others.
- */
-
- printf(" Certificate proxy rights = %*.*s", i,
- i, s);
- while (i-- > 0) {
- int c = *s++;
- if (isascii(c) && isalpha(c)) {
- if (islower(c))
- c = toupper(c);
- letters[c - 'A']++;
- }
- }
- for (i = 0; i < 26; i++)
- if (letters[i] < 2)
- letters[i] = 0;
- else
- letters[i] = 1;
- }
-
- found_any = 0;
- printf(", resulting proxy rights = ");
- for (i = 0; i < 26; i++)
- if (letters[i]) {
- printf("%c", i + 'A');
- found_any = 1;
- }
- if (!found_any)
- printf("none");
- printf("\n");
-
- PROXY_CERT_INFO_EXTENSION_free(pci);
- }
- }
- }
-
- return (ok);
-}
-
-static void process_proxy_debug(int indent, const char *format, ...)
-{
- /* That's 80 > */
- static const char indentation[] =
- ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
- ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>";
- char my_format[256];
- va_list args;
-
- BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
- indent, indent, indentation, format);
-
- va_start(args, format);
- vfprintf(stderr, my_format, args);
- va_end(args);
-}
-
-/*-
- * Priority levels:
- * 0 [!]var, ()
- * 1 & ^
- * 2 |
- */
-static int process_proxy_cond_adders(unsigned int letters[26],
- const char *cond, const char **cond_end,
- int *pos, int indent);
-static int process_proxy_cond_val(unsigned int letters[26], const char *cond,
- const char **cond_end, int *pos, int indent)
-{
- int c;
- int ok = 1;
- int negate = 0;
-
- while (isspace((int)*cond)) {
- cond++;
- (*pos)++;
- }
- c = *cond;
-
- if (debug)
- process_proxy_debug(indent,
- "Start process_proxy_cond_val at position %d: %s\n",
- *pos, cond);
-
- while (c == '!') {
- negate = !negate;
- cond++;
- (*pos)++;
- while (isspace((int)*cond)) {
- cond++;
- (*pos)++;
- }
- c = *cond;
- }
-
- if (c == '(') {
- cond++;
- (*pos)++;
- ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
- indent + 1);
- cond = *cond_end;
- if (ok < 0)
- goto end;
- while (isspace((int)*cond)) {
- cond++;
- (*pos)++;
- }
- c = *cond;
- if (c != ')') {
- fprintf(stderr,
- "Weird condition character in position %d: "
- "%c\n", *pos, c);
- ok = -1;
- goto end;
- }
- cond++;
- (*pos)++;
- } else if (isascii(c) && isalpha(c)) {
- if (islower(c))
- c = toupper(c);
- ok = letters[c - 'A'];
- cond++;
- (*pos)++;
- } else {
- fprintf(stderr,
- "Weird condition character in position %d: " "%c\n", *pos, c);
- ok = -1;
- goto end;
- }
- end:
- *cond_end = cond;
- if (ok >= 0 && negate)
- ok = !ok;
-
- if (debug)
- process_proxy_debug(indent,
- "End process_proxy_cond_val at position %d: %s, returning %d\n",
- *pos, cond, ok);
-
- return ok;
-}
-
-static int process_proxy_cond_multipliers(unsigned int letters[26],
- const char *cond,
- const char **cond_end, int *pos,
- int indent)
-{
- int ok;
- char c;
-
- if (debug)
- process_proxy_debug(indent,
- "Start process_proxy_cond_multipliers at position %d: %s\n",
- *pos, cond);
-
- ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
- cond = *cond_end;
- if (ok < 0)
- goto end;
-
- while (ok >= 0) {
- while (isspace((int)*cond)) {
- cond++;
- (*pos)++;
- }
- c = *cond;
-
- switch (c) {
- case '&':
- case '^':
- {
- int save_ok = ok;
-
- cond++;
- (*pos)++;
- ok = process_proxy_cond_val(letters,
- cond, cond_end, pos, indent + 1);
- cond = *cond_end;
- if (ok < 0)
- break;
-
- switch (c) {
- case '&':
- ok &= save_ok;
- break;
- case '^':
- ok ^= save_ok;
- break;
- default:
- fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
- " STOPPING\n");
- EXIT(1);
- }
- }
break;
- default:
- goto end;
}
}
- end:
- if (debug)
- process_proxy_debug(indent,
- "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
- *pos, cond, ok);
-
- *cond_end = cond;
- return ok;
-}
-
-static int process_proxy_cond_adders(unsigned int letters[26],
- const char *cond, const char **cond_end,
- int *pos, int indent)
-{
- int ok;
- char c;
-
- if (debug)
- process_proxy_debug(indent,
- "Start process_proxy_cond_adders at position %d: %s\n",
- *pos, cond);
-
- ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
- indent + 1);
- cond = *cond_end;
- if (ok < 0)
- goto end;
-
- while (ok >= 0) {
- while (isspace((int)*cond)) {
- cond++;
- (*pos)++;
- }
- c = *cond;
-
- switch (c) {
- case '|':
- {
- int save_ok = ok;
-
- cond++;
- (*pos)++;
- ok = process_proxy_cond_multipliers(letters,
- cond, cond_end, pos,
- indent + 1);
- cond = *cond_end;
- if (ok < 0)
- break;
-
- switch (c) {
- case '|':
- ok |= save_ok;
- break;
- default:
- fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
- " STOPPING\n");
- EXIT(1);
- }
- }
- break;
- default:
- goto end;
- }
- }
- end:
- if (debug)
- process_proxy_debug(indent,
- "End process_proxy_cond_adders at position %d: %s, returning %d\n",
- *pos, cond, ok);
-
- *cond_end = cond;
- return ok;
-}
-static int process_proxy_cond(unsigned int letters[26],
- const char *cond, const char **cond_end)
-{
- int pos = 1;
- return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
+ return (ok);
}
static int app_verify_callback(X509_STORE_CTX *ctx, void *arg)
{
int ok = 1;
struct app_verify_arg *cb_arg = arg;
- unsigned int letters[26]; /* only used with proxy_auth */
if (cb_arg->app_verify) {
char *s = NULL, buf[256];
+ X509 *c = X509_STORE_CTX_get0_cert(ctx);
printf("In app_verify_callback, allowing cert. ");
printf("Arg is: %s\n", cb_arg->string);
printf("Finished printing do we have a context? 0x%p a cert? 0x%p\n",
- (void *)ctx, (void *)ctx->cert);
- if (ctx->cert)
- s = X509_NAME_oneline(X509_get_subject_name(ctx->cert), buf, 256);
+ (void *)ctx, (void *)c);
+ if (c)
+ s = X509_NAME_oneline(X509_get_subject_name(c), buf, 256);
if (s != NULL) {
- printf("cert depth=%d %s\n", ctx->error_depth, buf);
+ printf("cert depth=%d %s\n",
+ X509_STORE_CTX_get_error_depth(ctx), buf);
}
return (1);
}
- if (cb_arg->proxy_auth) {
- int found_any = 0, i;
- char *sp;
-
- for (i = 0; i < 26; i++)
- letters[i] = 0;
- for (sp = cb_arg->proxy_auth; *sp; sp++) {
- int c = *sp;
- if (isascii(c) && isalpha(c)) {
- if (islower(c))
- c = toupper(c);
- letters[c - 'A'] = 1;
- }
- }
-
- printf(" Initial proxy rights = ");
- for (i = 0; i < 26; i++)
- if (letters[i]) {
- printf("%c", i + 'A');
- found_any = 1;
- }
- if (!found_any)
- printf("none");
- printf("\n");
- X509_STORE_CTX_set_ex_data(ctx,
- get_proxy_auth_ex_data_idx(), letters);
- }
- if (cb_arg->allow_proxy_certs) {
- X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
- }
ok = X509_verify_cert(ctx);
- if (cb_arg->proxy_auth) {
- if (ok > 0) {
- const char *cond_end = NULL;
-
- ok = process_proxy_cond(letters, cb_arg->proxy_cond, &cond_end);
-
- if (ok < 0)
- EXIT(3);
- if (*cond_end) {
- fprintf(stderr,
- "Stopped processing condition before it's end.\n");
- ok = 0;
- }
- if (!ok)
- fprintf(stderr,
- "Proxy rights check with condition '%s' invalid\n",
- cb_arg->proxy_cond);
- else
- printf("Proxy rights check with condition '%s' ok\n",
- cb_arg->proxy_cond);
- }
- }
return (ok);
}
return psk_len;
}
#endif
-
-static int do_test_cipherlist(void)
-{
-#ifndef OPENSSL_NO_TLS
- int i = 0;
- const SSL_METHOD *meth;
- const SSL_CIPHER *ci, *tci = NULL;
-
- /*
- * This is required because ssltest "cheats" and uses internal headers to
- * call functions, thus avoiding auto-init
- */
- OPENSSL_init_crypto(0, NULL);
- OPENSSL_init_ssl(0, NULL);
-
- meth = TLS_method();
- tci = NULL;
- while ((ci = meth->get_cipher(i++)) != NULL) {
- if (tci != NULL)
- if (ci->id >= tci->id) {
- fprintf(stderr, "testing SSLv3 cipher list order: ");
- fprintf(stderr, "failed %x vs. %x\n", ci->id, tci->id);
- return 0;
- }
- tci = ci;
- }
-#endif
-
- return 1;
-}
projects / openssl.git / blobdiff