X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=test%2Fssltest.c;h=68d48d1d739b6c4f649689eb0ff03c271b653df7;hp=1fa2aa2c720f4b62503e465a6ffa875666ce3403;hb=f9fd35248c9a3b1125d9ab82ffb19d62e86533ac;hpb=55a9a16f1c02837058173c41fa26f36ec3acd22e diff --git a/test/ssltest.c b/test/ssltest.c index 1fa2aa2c72..68d48d1d73 100644 --- a/test/ssltest.c +++ b/test/ssltest.c @@ -142,6 +142,7 @@ /* Or gethostname won't be declared properly on Linux and GNU platforms. */ #define _BSD_SOURCE 1 +#define _DEFAULT_SOURCE 1 #include #include @@ -204,20 +205,6 @@ # include OPENSSL_UNISTD #endif -#ifdef OPENSSL_SYS_VMS -# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM" -# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM" -#elif defined(OPENSSL_SYS_WINCE) -# define TEST_SERVER_CERT "\\OpenSSL\\server.pem" -# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem" -#elif defined(OPENSSL_SYS_NETWARE) -# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem" -# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem" -#else -# define TEST_SERVER_CERT "../apps/server.pem" -# define TEST_CLIENT_CERT "../apps/client.pem" -#endif - /* * There is really no standard for this, so let's assign something * only for this test @@ -302,9 +289,9 @@ static BIO *bio_stdout = NULL; #ifndef OPENSSL_NO_NEXTPROTONEG /* Note that this code assumes that this is only a one element list: */ static const char NEXT_PROTO_STRING[] = "\x09testproto"; -int npn_client = 0; -int npn_server = 0; -int npn_server_reject = 0; +static int npn_client = 0; +static int npn_server = 0; +static int npn_server_reject = 0; static int cb_client_npn(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, 
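Review bot: The added `#define _DEFAULT_SOURCE 1` in the first hunk is left unexplained by the comment directly above it, which still talks only about gethostname and says nothing about why two feature-test macros are now needed. Recent glibc (2.20 onwards, if I remember correctly) deprecates `_BSD_SOURCE` in favour of `_DEFAULT_SOURCE` and warns when only the old one is defined, which is presumably the motivation here. I would extend the comment to `/* _BSD_SOURCE is deprecated on newer glibc in favour of _DEFAULT_SOURCE; define both so gethostname is declared on old and new libc. */` so the next person does not drop one of them as redundant.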
@@ -468,7 +455,12 @@ static int verify_alpn(SSL *client, SSL *server) OPENSSL_free(alpn_selected); alpn_selected = NULL; - if (client_proto_len != server_proto_len || + if (client_proto_len != server_proto_len) { + BIO_printf(bio_stdout, "ALPN selected protocols differ!\n"); + goto err; + } + + if (client_proto != NULL && memcmp(client_proto, server_proto, client_proto_len) != 0) { BIO_printf(bio_stdout, "ALPN selected protocols differ!\n"); goto err; @@ -514,24 +506,24 @@ static int verify_alpn(SSL *client, SSL *server) #define CUSTOM_EXT_TYPE_2 1002 #define CUSTOM_EXT_TYPE_3 1003 -const char custom_ext_cli_string[] = "abc"; -const char custom_ext_srv_string[] = "defg"; +static const char custom_ext_cli_string[] = "abc"; +static const char custom_ext_srv_string[] = "defg"; /* These set from cmdline */ -char *serverinfo_file = NULL; -int serverinfo_sct = 0; -int serverinfo_tack = 0; +static char *serverinfo_file = NULL; +static int serverinfo_sct = 0; +static int serverinfo_tack = 0; /* These set based on extension callbacks */ -int serverinfo_sct_seen = 0; -int serverinfo_tack_seen = 0; -int serverinfo_other_seen = 0; +static int serverinfo_sct_seen = 0; +static int serverinfo_tack_seen = 0; +static int serverinfo_other_seen = 0; /* This set from cmdline */ -int custom_ext = 0; +static int custom_ext = 0; /* This set based on extension callbacks */ -int custom_ext_error = 0; +static int custom_ext_error = 0; static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in, size_t inlen, 
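Review bot: The new NULL guard before memcmp() in verify_alpn is one-sided: it tests `client_proto` but passes `server_proto` through unchecked, so a NULL server pointer with a matching length still reaches memcmp(), which requires valid pointers even for a zero length. Since the length comparison just above already guarantees the two lengths are equal, guarding on the length is both symmetric and simpler: `if (client_proto_len != 0 && memcmp(client_proto, server_proto, client_proto_len) != 0) {`. Splitting the condition into two `if`s that print the identical message also gives the test log nothing extra; if the split is kept, the first should say something like `"ALPN selected protocol lengths differ!\n"` so the two failures are distinguishable. verify_alpn starts before this hunk, so I cannot see how `client_proto`/`client_proto_len` are obtained and am assuming a NULL pointer comes with a zero length.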
@@ -766,7 +758,9 @@ static void sv_usage(void) " -bytes - number of bytes to swap between client/server\n"); #ifndef OPENSSL_NO_DH fprintf(stderr, - " -dhe1024 - use 1024 bit key (safe prime) for DHE\n"); + " -dhe512 - use 512 bit key for DHE (to test failure)\n"); + fprintf(stderr, + " -dhe1024 - use 1024 bit key (safe prime) for DHE (default, no-op)\n"); fprintf(stderr, " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n"); fprintf(stderr, " -no_dhe - disable DHE\n"); @@ -963,10 +957,6 @@ int main(int argc, char *argv[]) int server_auth = 0, i; struct app_verify_arg app_verify_arg = { APP_CALLBACK_STRING, 0, 0, NULL, NULL }; - char *server_cert = TEST_SERVER_CERT; - char *server_key = NULL; - char *client_cert = TEST_CLIENT_CERT; - char *client_key = NULL; #ifndef OPENSSL_NO_EC char *named_curve = NULL; #endif @@ -978,7 +968,7 @@ int main(int argc, char *argv[]) long bytes = 256L; #ifndef OPENSSL_NO_DH DH *dh; - int dhe1024 = 0, dhe1024dsa = 0; + int dhe512 = 0, dhe1024dsa = 0; #endif #ifndef OPENSSL_NO_EC EC_KEY *ecdh = NULL; @@ -1041,14 +1031,18 @@ int main(int argc, char *argv[]) } SSL_CONF_CTX_set_flags(s_cctx, - SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER); + SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER | + SSL_CONF_FLAG_CERTIFICATE | + SSL_CONF_FLAG_REQUIRE_PRIVATE); if (!SSL_CONF_CTX_set1_prefix(s_cctx, "-s_")) { ERR_print_errors(bio_err); goto end; } SSL_CONF_CTX_set_flags(c_cctx, - SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_CLIENT); + SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_CLIENT | + SSL_CONF_FLAG_CERTIFICATE | + SSL_CONF_FLAG_REQUIRE_PRIVATE); if (!SSL_CONF_CTX_set1_prefix(c_cctx, "-c_")) { ERR_print_errors(bio_err); goto end; 
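Review bot: With `SSL_CONF_FLAG_CERTIFICATE | SSL_CONF_FLAG_REQUIRE_PRIVATE` now the only route by which a certificate reaches s_ctx and c_ctx (the TEST_SERVER_CERT/TEST_CLIENT_CERT defaults and the `-cert`/`-key`/`-s_cert`/`-c_cert` parsing are deleted elsewhere in this diff), main() no longer has any point at which a missing server certificate is reported as such; a run without `-s_cert` will presumably only fail later, inside the handshake, with a much less obvious error. Worth either checking after the SSL_CONF commands have been applied, e.g. `if (SSL_CTX_get0_certificate(s_ctx) == NULL) { BIO_printf(bio_err, "no server certificate configured (use -s_cert)\n"); goto end; }`, or at least stating in sv_usage that `-s_cert` is now mandatory. I cannot see where SSL_CONF_CTX_finish() is called, so I am assuming REQUIRE_PRIVATE only catches a certificate supplied without its key, not the absence of both. main() begins before this hunk and continues well past it.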
@@ -1084,19 +1078,19 @@ int main(int argc, char *argv[]) debug = 1; else if (strcmp(*argv, "-reuse") == 0) reuse = 1; - else if (strcmp(*argv, "-dhe1024") == 0) { + else if (strcmp(*argv, "-dhe512") == 0) { #ifndef OPENSSL_NO_DH - dhe1024 = 1; + dhe512 = 1; #else fprintf(stderr, - "ignoring -dhe1024, since I'm compiled without DH\n"); + "ignoring -dhe512, since I'm compiled without DH\n"); #endif } else if (strcmp(*argv, "-dhe1024dsa") == 0) { #ifndef OPENSSL_NO_DH dhe1024dsa = 1; #else fprintf(stderr, - "ignoring -dhe1024, since I'm compiled without DH\n"); + "ignoring -dhe1024dsa, since I'm compiled without DH\n"); #endif } else if (strcmp(*argv, "-no_dhe") == 0) no_dhe = 1; @@ -1163,30 +1157,6 @@ int main(int argc, char *argv[]) bytes *= 1024L; if (argv[0][i - 1] == 'm') bytes *= 1024L * 1024L; - } else if (strcmp(*argv, "-cert") == 0) { - if (--argc < 1) - goto bad; - server_cert = *(++argv); - } else if (strcmp(*argv, "-s_cert") == 0) { - if (--argc < 1) - goto bad; - server_cert = *(++argv); - } else if (strcmp(*argv, "-key") == 0) { - if (--argc < 1) - goto bad; - server_key = *(++argv); - } else if (strcmp(*argv, "-s_key") == 0) { - if (--argc < 1) - goto bad; - server_key = *(++argv); - } else if (strcmp(*argv, "-c_cert") == 0) { - if (--argc < 1) - goto bad; - client_cert = *(++argv); - } else if (strcmp(*argv, "-c_key") == 0) { - if (--argc < 1) - goto bad; - client_key = *(++argv); } else if (strcmp(*argv, "-cipher") == 0) { if (--argc < 1) goto bad; @@ -1346,7 +1316,7 @@ int main(int argc, char *argv[]) if (fips_mode) { if (!FIPS_mode_set(1)) { ERR_load_crypto_strings(); - ERR_print_errors(BIO_new_fp(stderr, BIO_NOCLOSE)); + ERR_print_errors(bio_err); EXIT(1); } else fprintf(stderr, "*** IN FIPS MODE ***\n"); @@ -1417,7 +1387,7 @@ int main(int argc, char *argv[]) if (tls1) meth = TLSv1_method(); else - meth = SSLv23_method(); + meth = TLS_method(); c_ctx = SSL_CTX_new(meth); s_ctx = SSL_CTX_new(meth); 
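Review bot: Replacing the `-dhe1024` branch with `-dhe512` drops the old flag entirely, yet the updated sv_usage text earlier in this diff still lists `-dhe1024` as `(default, no-op)`; an existing invocation passing `-dhe1024` will now fall through the option chain, presumably to the `bad` label, which is outside this hunk. If the option is meant to remain accepted, keep a no-op branch next to the new one, `else if (strcmp(*argv, "-dhe1024") == 0) { /* now the default; accepted for compatibility */ }`; otherwise remove the line from sv_usage so the help text and the parser agree. The corrected `ignoring -dhe1024dsa` message is a welcome fix.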
@@ -1427,7 +1397,8 @@ int main(int argc, char *argv[]) } /* * Since we will use low security ciphersuites and keys for testing set - * security level to zero. + * security level to zero by default. Tests can override this by adding + * "@SECLEVEL=n" to the cipher string. */ SSL_CTX_set_security_level(c_ctx, 0); SSL_CTX_set_security_level(s_ctx, 0); @@ -1473,10 +1444,10 @@ int main(int argc, char *argv[]) */ SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); dh = get_dh1024dsa(); - } else if (dhe1024) - dh = get_dh1024(); - else + } else if (dhe512) dh = get_dh512(); + else + dh = get_dh1024(); SSL_CTX_set_tmp_dh(s_ctx, dh); DH_free(dh); } @@ -1494,12 +1465,9 @@ int main(int argc, char *argv[]) BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve); goto end; } - } else -# ifdef OPENSSL_NO_EC2M + } else { nid = NID_X9_62_prime256v1; -# else - nid = NID_sect163r2; -# endif + } ecdh = EC_KEY_new_by_curve_name(nid); if (ecdh == NULL) { @@ -1519,26 +1487,6 @@ int main(int argc, char *argv[]) SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb); #endif - if (!SSL_CTX_use_certificate_file(s_ctx, server_cert, SSL_FILETYPE_PEM)) { - ERR_print_errors(bio_err); - } else if (!SSL_CTX_use_PrivateKey_file(s_ctx, - (server_key ? server_key : - server_cert), - SSL_FILETYPE_PEM)) { - ERR_print_errors(bio_err); - goto end; - } - - if (client_auth) { - if (!SSL_CTX_use_certificate_file(c_ctx, client_cert, SSL_FILETYPE_PEM) - || !SSL_CTX_use_PrivateKey_file(c_ctx, - (client_key ? client_key : client_cert), - SSL_FILETYPE_PEM)) { - ERR_print_errors(bio_err); - goto end; - } - } - if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) || (!SSL_CTX_set_default_verify_paths(s_ctx)) || (!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) || 
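Review bot: In the DH hunk the result of `get_dh1024()` / `get_dh512()` is handed straight to `SSL_CTX_set_tmp_dh(s_ctx, dh)` with neither a NULL check nor a check of the return value, so an allocation failure inside the get_dh*() helpers (defined outside this hunk) would pass a NULL DH into the library, and a parameter set the library rejects would go unnoticed until the handshake fails for an unrelated-looking reason. I would guard both before the existing `DH_free(dh)`: `if (dh == NULL || !SSL_CTX_set_tmp_dh(s_ctx, dh)) { ERR_print_errors(bio_err); DH_free(dh); goto end; }`. The enclosing `if` on `no_dhe`/`dhe1024dsa` starts before this hunk, so I am assuming `end` is the usual cleanup label of main().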
@@ -2174,14 +2122,11 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) bufsiz = count > 40 * 1024 ? 40 * 1024 : count; - if ((cbuf = OPENSSL_malloc(bufsiz)) == NULL) + if ((cbuf = OPENSSL_zalloc(bufsiz)) == NULL) goto err; - if ((sbuf = OPENSSL_malloc(bufsiz)) == NULL) + if ((sbuf = OPENSSL_zalloc(bufsiz)) == NULL) goto err; - memset(cbuf, 0, bufsiz); - memset(sbuf, 0, bufsiz); - c_to_s = BIO_new(BIO_s_mem()); s_to_c = BIO_new(BIO_s_mem()); if ((s_to_c == NULL) || (c_to_s == NULL)) { @@ -2483,7 +2428,7 @@ static int verify_callback(int ok, X509_STORE_CTX *ctx) if (ok == 1) { X509 *xs = ctx->current_cert; - if (xs->ex_flags & EXFLAG_PROXY) { + if (X509_get_extension_flags(xs) & EXFLAG_PROXY) { unsigned int *letters = X509_STORE_CTX_get_ex_data(ctx, get_proxy_auth_ex_data_idx ()); @@ -3143,7 +3088,7 @@ static int do_test_cipherlist(void) if (tci != NULL) if (ci->id >= tci->id) { fprintf(stderr, "testing SSLv3 cipher list order: "); - fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id); + fprintf(stderr, "failed %x vs. %x\n", ci->id, tci->id); return 0; } tci = ci; @@ -3155,7 +3100,7 @@ static int do_test_cipherlist(void) if (tci != NULL) if (ci->id >= tci->id) { fprintf(stderr, "testing TLSv1 cipher list order: "); - fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id); + fprintf(stderr, "failed %x vs. %x\n", ci->id, tci->id); return 0; } tci = ci;
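Review bot: The switch to `X509_get_extension_flags(xs)` in verify_callback is only half of the opaque-struct cleanup: the line immediately above it still reads `ctx->current_cert` directly, which is exactly the kind of member access this hunk is removing from X509. Use the accessor there too, `X509 *xs = X509_STORE_CTX_get_current_cert(ctx);`, so the callback keeps compiling once X509_STORE_CTX is made opaque as well. verify_callback begins and ends outside this hunk.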
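Review bot: Changing `%lx` to `%x` in do_test_cipherlist assumes `ci->id` is exactly `unsigned int`; if the field has become a fixed-width `uint32_t` (which is what this change suggests, though the struct is not visible here) the format is only correct on platforms where that type is `unsigned int`, and `-Wformat` will complain elsewhere. A cast keeps the format honest everywhere: `fprintf(stderr, "failed %x vs. %x\n", (unsigned int)ci->id, (unsigned int)tci->id);`, or use `PRIx32` if `<inttypes.h>` is already included. The same applies to the TLSv1 copy of the line in the final hunk.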