X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=test%2Fssltest_old.c;h=00fb1a88c7a3efbd097785a87e514cb3ce39a209;hp=2fd7da824adf3e06d5d25eecdac281e3dc9a6351;hb=ea1ecd9831cfe8de9dbeafdfec344b8c944c9b84;hpb=f0e0fd51fd8307f6eae64862ad9aaea113f1177a diff --git a/test/ssltest_old.c b/test/ssltest_old.c index 2fd7da824a..00fb1a88c7 100644 --- a/test/ssltest_old.c +++ b/test/ssltest_old.c @@ -1,112 +1,12 @@ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). +/* + * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html */ + /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. * ECC cipher suite support in OpenSSL originally developed by @@ -140,8 +40,12 @@ */ /* Or gethostname won't be declared properly on Linux and GNU platforms. */ -#define _BSD_SOURCE 1 -#define _DEFAULT_SOURCE 1 +#ifndef _BSD_SOURCE +# define _BSD_SOURCE 1 +#endif +#ifndef _DEFAULT_SOURCE +# define _DEFAULT_SOURCE 1 +#endif #include #include @@ -169,9 +73,6 @@ #include #include #include -#ifndef OPENSSL_NO_ENGINE -# include -#endif #include #include #ifndef OPENSSL_NO_RSA @@ -183,17 +84,11 @@ #ifndef OPENSSL_NO_DH # include #endif -#ifndef OPENSSL_NO_SRP -# include -#endif #include #ifndef OPENSSL_NO_CT # include #endif -#include "internal/threads.h" -#include "../ssl/ssl_locl.h" - /* * Or gethostname won't be declared properly * on Compaq platforms (at least with DEC C). @@ -223,9 +118,6 @@ static int app_verify_callback(X509_STORE_CTX *ctx, void *arg); struct app_verify_arg { char *string; int app_verify; - int allow_proxy_certs; - char *proxy_auth; - char *proxy_cond; }; #ifndef OPENSSL_NO_DH @@ -246,45 +138,6 @@ static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned int max_psk_len); #endif -#ifndef OPENSSL_NO_SRP -/* SRP client */ -/* This is a context that we pass to all callbacks */ -typedef struct srp_client_arg_st { - char *srppassin; - char *srplogin; -} SRP_CLIENT_ARG; - -# define PWD_STRLEN 1024 - -static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg) -{ - SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg; - return OPENSSL_strdup((char *)srp_client_arg->srppassin); -} - -/* SRP server */ -/* This is a context that we pass to SRP server callbacks */ -typedef struct srp_server_arg_st { - char *expected_user; - char *pass; -} SRP_SERVER_ARG; - -static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg) -{ - SRP_SERVER_ARG *p = (SRP_SERVER_ARG *)arg; - - if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0) { - fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s)); - return SSL3_AL_FATAL; - } - if (SSL_set_srp_server_param_pw(s, p->expected_user, p->pass, "1024") < 0) { - *ad = SSL_AD_INTERNAL_ERROR; - return SSL3_AL_FATAL; - } - return SSL_ERROR_NONE; -} -#endif - static BIO *bio_err = NULL; static BIO *bio_stdout = NULL; @@ -799,21 +652,13 @@ int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family, int doit_biopair(SSL *s_ssl, SSL *c_ssl, long bytes, clock_t *s_time, clock_t *c_time); int doit(SSL *s_ssl, SSL *c_ssl, long bytes); -static int do_test_cipherlist(void); static void sv_usage(void) { fprintf(stderr, "usage: ssltest [args ...]\n"); fprintf(stderr, "\n"); -#ifdef OPENSSL_FIPS - fprintf(stderr, "-F - run test in FIPS mode\n"); -#endif fprintf(stderr, " -server_auth - check server certificate\n"); fprintf(stderr, " -client_auth - do client authentication\n"); - fprintf(stderr, " -proxy - allow proxy certificates\n"); - fprintf(stderr, " -proxy_auth - set proxy policy rights\n"); - fprintf(stderr, - " -proxy_cond - expression to test proxy policy rights\n"); fprintf(stderr, " -v - more output\n"); fprintf(stderr, " -d - debug output\n"); fprintf(stderr, " -reuse - use session-id reuse\n"); @@ -835,10 +680,6 @@ static void sv_usage(void) #ifndef OPENSSL_NO_PSK fprintf(stderr, " -psk arg - PSK in hex (without 0x)\n"); #endif -#ifndef OPENSSL_NO_SRP - fprintf(stderr, " -srpuser user - SRP username to use\n"); - fprintf(stderr, " -srppass arg - password for 'user'\n"); -#endif #ifndef OPENSSL_NO_SSL3 fprintf(stderr, " -ssl3 - use SSLv3\n"); #endif @@ -870,10 +711,6 @@ static void sv_usage(void) fprintf(stderr, " -time - measure processor time used by client and server\n"); fprintf(stderr, " -zlib - use zlib compression\n"); - fprintf(stderr, - " -test_cipherlist - Verifies the order of the ssl cipher lists.\n" - " When this option is requested, the cipherlist\n" - " tests are run instead of handshake tests.\n"); #ifndef OPENSSL_NO_NEXTPROTONEG fprintf(stderr, " -npn_client - have client side offer NPN\n"); fprintf(stderr, " -npn_server - have server side offer NPN\n"); @@ -964,11 +801,11 @@ static void print_details(SSL *c_ssl, const char *prefix) SSL_CIPHER_get_version(ciph), SSL_CIPHER_get_name(ciph)); cert = SSL_get_peer_certificate(c_ssl); if (cert != NULL) { - pkey = X509_get_pubkey(cert); - if (pkey != NULL) { + EVP_PKEY* pubkey = X509_get0_pubkey(cert); + + if (pubkey != NULL) { BIO_puts(bio_stdout, ", "); - print_key_details(bio_stdout, pkey); - EVP_PKEY_free(pkey); + print_key_details(bio_stdout, pubkey); } X509_free(cert); } @@ -998,6 +835,7 @@ static int protocol_from_string(const char *value) {"tls1", TLS1_VERSION}, {"tls1.1", TLS1_1_VERSION}, {"tls1.2", TLS1_2_VERSION}, + {"tls1.3", TLS1_3_VERSION}, {"dtls1", DTLS1_VERSION}, {"dtls1.2", DTLS1_2_VERSION}}; size_t i; @@ -1066,15 +904,15 @@ static int set_protocol_version(const char *version, SSL *ssl, int setting) int main(int argc, char *argv[]) { - char *CApath = NULL, *CAfile = NULL; + const char *CApath = NULL, *CAfile = NULL; int badop = 0; enum { BIO_MEM, BIO_PAIR, BIO_IPV4, BIO_IPV6 } bio_type = BIO_MEM; int force = 0; - int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, ssl3 = 0, ret = 1; + int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, tls1_2 = 0, ssl3 = 0, ret = 1; int client_auth = 0; int server_auth = 0, i; struct app_verify_arg app_verify_arg = - { APP_CALLBACK_STRING, 0, 0, NULL, NULL }; + { APP_CALLBACK_STRING, 0 }; char *p; SSL_CTX *c_ctx = NULL; const SSL_METHOD *meth = NULL; @@ -1086,12 +924,6 @@ int main(int argc, char *argv[]) #ifndef OPENSSL_NO_DH DH *dh; int dhe512 = 0, dhe1024dsa = 0; -#endif -#ifndef OPENSSL_NO_SRP - /* client */ - SRP_CLIENT_ARG srp_client_arg = { NULL, NULL }; - /* server */ - SRP_SERVER_ARG srp_server_arg = { NULL, NULL }; #endif int no_dhe = 0; int no_psk = 0; @@ -1101,10 +933,6 @@ int main(int argc, char *argv[]) int n, comp = 0; COMP_METHOD *cm = NULL; STACK_OF(SSL_COMP) *ssl_comp_methods = NULL; -#endif - int test_cipherlist = 0; -#ifdef OPENSSL_FIPS - int fips_mode = 0; #endif int no_protocol; int min_version = 0, max_version = 0; @@ -1174,26 +1002,14 @@ int main(int argc, char *argv[]) while (argc >= 1) { if (strcmp(*argv, "-F") == 0) { -#ifdef OPENSSL_FIPS - fips_mode = 1; -#else fprintf(stderr, "not compiled with FIPS support, so exiting without running.\n"); EXIT(0); -#endif } else if (strcmp(*argv, "-server_auth") == 0) server_auth = 1; else if (strcmp(*argv, "-client_auth") == 0) client_auth = 1; - else if (strcmp(*argv, "-proxy_auth") == 0) { - if (--argc < 1) - goto bad; - app_verify_arg.proxy_auth = *(++argv); - } else if (strcmp(*argv, "-proxy_cond") == 0) { - if (--argc < 1) - goto bad; - app_verify_arg.proxy_cond = *(++argv); - } else if (strcmp(*argv, "-v") == 0) + else if (strcmp(*argv, "-v") == 0) verbose = 1; else if (strcmp(*argv, "-d") == 0) debug = 1; @@ -1230,21 +1046,9 @@ int main(int argc, char *argv[]) no_psk = 1; #endif } -#ifndef OPENSSL_NO_SRP - else if (strcmp(*argv, "-srpuser") == 0) { - if (--argc < 1) - goto bad; - srp_server_arg.expected_user = srp_client_arg.srplogin = - *(++argv); - min_version = TLS1_VERSION; - } else if (strcmp(*argv, "-srppass") == 0) { - if (--argc < 1) - goto bad; - srp_server_arg.pass = srp_client_arg.srppassin = *(++argv); - min_version = TLS1_VERSION; - } -#endif - else if (strcmp(*argv, "-tls1") == 0) { + else if (strcmp(*argv, "-tls1_2") == 0) { + tls1_2 = 1; + } else if (strcmp(*argv, "-tls1") == 0) { tls1 = 1; } else if (strcmp(*argv, "-ssl3") == 0) { ssl3 = 1; @@ -1313,13 +1117,9 @@ int main(int argc, char *argv[]) #endif else if (strcmp(*argv, "-app_verify") == 0) { app_verify_arg.app_verify = 1; - } else if (strcmp(*argv, "-proxy") == 0) { - app_verify_arg.allow_proxy_certs = 1; - } else if (strcmp(*argv, "-test_cipherlist") == 0) { - test_cipherlist = 1; } #ifndef OPENSSL_NO_NEXTPROTONEG - else if (strcmp(*argv, "-npn_client") == 0) { + else if (strcmp(*argv, "-npn_client") == 0) { npn_client = 1; } else if (strcmp(*argv, "-npn_server") == 0) { npn_server = 1; @@ -1454,24 +1254,8 @@ int main(int argc, char *argv[]) goto end; } - /* - * test_cipherlist prevails over protocol switch: we test the cipherlist - * for all enabled protocols. - */ - if (test_cipherlist == 1) { - /* - * ensure that the cipher list are correctly sorted and exit - */ - fprintf(stdout, "Testing cipherlist order only. Ignoring all " - "other options.\n"); - if (do_test_cipherlist() == 0) - EXIT(1); - ret = 0; - goto end; - } - - if (ssl3 + tls1 + dtls + dtls1 + dtls12 > 1) { - fprintf(stderr, "At most one of -ssl3, -tls1, -dtls, -dtls1 or -dtls12 should " + if (ssl3 + tls1 + tls1_2 + dtls + dtls1 + dtls12 > 1) { + fprintf(stderr, "At most one of -ssl3, -tls1, -tls1_2, -dtls, -dtls1 or -dtls12 should " "be requested.\n"); EXIT(1); } @@ -1486,6 +1270,11 @@ int main(int argc, char *argv[]) no_protocol = 1; else #endif +#ifdef OPENSSL_NO_TLS1_2 + if (tls1_2) + no_protocol = 1; + else +#endif #if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1) if (dtls1) no_protocol = 1; @@ -1510,22 +1299,14 @@ int main(int argc, char *argv[]) goto end; } - if (!ssl3 && !tls1 && !dtls && !dtls1 && !dtls12 && number > 1 && !reuse && !force) { + if (!ssl3 && !tls1 && !tls1_2 && !dtls && !dtls1 && !dtls12 && number > 1 + && !reuse && !force) { fprintf(stderr, "This case cannot work. Use -f to perform " "the test anyway (and\n-d to see what happens), " - "or add one of -ssl3, -tls1, -dtls, -dtls1, -dtls12, -reuse\n" + "or add one of -ssl3, -tls1, -tls1_2, -dtls, -dtls1, -dtls12, -reuse\n" "to avoid protocol mismatch.\n"); EXIT(1); } -#ifdef OPENSSL_FIPS - if (fips_mode) { - if (!FIPS_mode_set(1)) { - ERR_print_errors(bio_err); - EXIT(1); - } else - fprintf(stderr, "*** IN FIPS MODE ***\n"); - } -#endif if (print_time) { if (bio_type != BIO_PAIR) { @@ -1537,8 +1318,6 @@ int main(int argc, char *argv[]) "Warning: For accurate timings, use more connections (e.g. -num 1000)\n"); } -/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */ - #ifndef OPENSSL_NO_COMP if (comp == COMP_ZLIB) cm = COMP_zlib(); @@ -1562,7 +1341,7 @@ int main(int argc, char *argv[]) printf("Available compression methods:"); for (j = 0; j < n; j++) { SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j); - printf(" %s:%d", c->name, c->id); + printf(" %s:%d", SSL_COMP_get0_name(c), SSL_COMP_get_id(c)); } printf("\n"); } @@ -1576,6 +1355,9 @@ int main(int argc, char *argv[]) } else if (tls1) { min_version = TLS1_VERSION; max_version = TLS1_VERSION; + } else if (tls1_2) { + min_version = TLS1_2_VERSION; + max_version = TLS1_2_VERSION; } #endif #ifndef OPENSSL_NO_DTLS @@ -1688,9 +1470,7 @@ int main(int argc, char *argv[]) (!SSL_CTX_set_default_verify_paths(s_ctx2)) || (!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) || (!SSL_CTX_set_default_verify_paths(c_ctx))) { - /* fprintf(stderr,"SSL_load_verify_locations\n"); */ ERR_print_errors(bio_err); - /* goto end; */ } #ifndef OPENSSL_NO_CT @@ -1759,29 +1539,6 @@ int main(int argc, char *argv[]) } #endif } -#ifndef OPENSSL_NO_SRP - if (srp_client_arg.srplogin) { - if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin)) { - BIO_printf(bio_err, "Unable to set SRP username\n"); - goto end; - } - SSL_CTX_set_srp_cb_arg(c_ctx, &srp_client_arg); - SSL_CTX_set_srp_client_pwd_callback(c_ctx, - ssl_give_srp_client_pwd_cb); - /* - * SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength); - */ - } - - if (srp_server_arg.expected_user != NULL) { - SSL_CTX_set_verify(s_ctx, SSL_VERIFY_NONE, verify_callback); - SSL_CTX_set_verify(s_ctx2, SSL_VERIFY_NONE, verify_callback); - SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg); - SSL_CTX_set_srp_cb_arg(s_ctx2, &srp_server_arg); - SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb); - SSL_CTX_set_srp_username_callback(s_ctx2, ssl_srp_server_param_cb); - } -#endif #ifndef OPENSSL_NO_NEXTPROTONEG if (npn_client) { @@ -1793,14 +1550,12 @@ int main(int argc, char *argv[]) "Can't have both -npn_server and -npn_server_reject\n"); goto end; } - SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_npn, NULL); - SSL_CTX_set_next_protos_advertised_cb(s_ctx2, cb_server_npn, NULL); + SSL_CTX_set_npn_advertised_cb(s_ctx, cb_server_npn, NULL); + SSL_CTX_set_npn_advertised_cb(s_ctx2, cb_server_npn, NULL); } if (npn_server_reject) { - SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_rejects_npn, - NULL); - SSL_CTX_set_next_protos_advertised_cb(s_ctx2, cb_server_rejects_npn, - NULL); + SSL_CTX_set_npn_advertised_cb(s_ctx, cb_server_rejects_npn, NULL); + SSL_CTX_set_npn_advertised_cb(s_ctx2, cb_server_rejects_npn, NULL); } #endif @@ -2805,8 +2560,29 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) SSL_set_max_send_fragment(c_ssl, max_frag); BIO_set_ssl(c_bio, c_ssl, BIO_NOCLOSE); + /* + * We've just given our ref to these BIOs to c_ssl. We need another one to + * give to s_ssl + */ + if (!BIO_up_ref(c_to_s)) { + /* c_to_s and s_to_c will get freed when we free c_ssl */ + c_to_s = NULL; + s_to_c = NULL; + goto err; + } + if (!BIO_up_ref(s_to_c)) { + /* s_to_c will get freed when we free c_ssl */ + s_to_c = NULL; + goto err; + } + SSL_set_accept_state(s_ssl); SSL_set_bio(s_ssl, c_to_s, s_to_c); + + /* We've used up all our refs to these now */ + c_to_s = NULL; + s_to_c = NULL; + SSL_set_max_send_fragment(s_ssl, max_frag); BIO_set_ssl(s_bio, s_ssl, BIO_NOCLOSE); @@ -2833,22 +2609,12 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) if (SSL_in_init(s_ssl)) printf("server waiting in SSL_accept - %s\n", SSL_state_string_long(s_ssl)); -/*- - else if (s_write) - printf("server:SSL_write()\n"); - else - printf("server:SSL_read()\n"); */ } if (do_client && debug) { if (SSL_in_init(c_ssl)) printf("client waiting in SSL_connect - %s\n", SSL_state_string_long(c_ssl)); -/*- - else if (c_write) - printf("client:SSL_write()\n"); - else - printf("client:SSL_read()\n"); */ } if (!do_client && !do_server) { @@ -3019,23 +2785,6 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) } ret = 0; err: - /* - * We have to set the BIO's to NULL otherwise they will be - * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and again - * when c_ssl is SSL_free()ed. This is a hack required because s_ssl and - * c_ssl are sharing the same BIO structure and SSL_set_bio() and - * SSL_free() automatically BIO_free non NULL entries. You should not - * normally do this or be required to do this - */ - if (s_ssl != NULL) { - s_ssl->rbio = NULL; - s_ssl->wbio = NULL; - } - if (c_ssl != NULL) { - c_ssl->rbio = NULL; - c_ssl->wbio = NULL; - } - BIO_free(c_to_s); BIO_free(s_to_c); BIO_free_all(c_bio); @@ -3051,23 +2800,6 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) return (ret); } -static CRYPTO_ONCE proxy_auth_ex_data_once = CRYPTO_ONCE_STATIC_INIT; -static volatile int proxy_auth_ex_data_idx = -1; - -static void do_get_proxy_auth_ex_data_idx(void) -{ - proxy_auth_ex_data_idx = X509_STORE_CTX_get_ex_new_index(0, - "SSLtest for verify callback", - NULL, NULL, NULL); -} - -static int get_proxy_auth_ex_data_idx(void) -{ - CRYPTO_THREAD_run_once(&proxy_auth_ex_data_once, - do_get_proxy_auth_ex_data_idx); - return proxy_auth_ex_data_idx; -} - static int verify_callback(int ok, X509_STORE_CTX *ctx) { char *s, buf[256]; @@ -3100,341 +2832,13 @@ static int verify_callback(int ok, X509_STORE_CTX *ctx) } } - if (ok == 1) { - X509 *xs = X509_STORE_CTX_get_current_cert(ctx); - if (X509_get_extension_flags(xs) & EXFLAG_PROXY) { - unsigned int *letters = X509_STORE_CTX_get_ex_data(ctx, - get_proxy_auth_ex_data_idx - ()); - - if (letters) { - int found_any = 0; - int i; - PROXY_CERT_INFO_EXTENSION *pci = - X509_get_ext_d2i(xs, NID_proxyCertInfo, - NULL, NULL); - - switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage)) { - case NID_Independent: - /* - * Completely meaningless in this program, as there's no - * way to grant explicit rights to a specific PrC. - * Basically, using id-ppl-Independent is the perfect way - * to grant no rights at all. - */ - fprintf(stderr, " Independent proxy certificate"); - for (i = 0; i < 26; i++) - letters[i] = 0; - break; - case NID_id_ppl_inheritAll: - /* - * This is basically a NOP, we simply let the current - * rights stand as they are. - */ - fprintf(stderr, " Proxy certificate inherits all"); - break; - default: - s = (char *) - pci->proxyPolicy->policy->data; - i = pci->proxyPolicy->policy->length; - - /* - * The algorithm works as follows: it is assumed that - * previous iterations or the initial granted rights has - * already set some elements of `letters'. What we need - * to do is to clear those that weren't granted by the - * current PrC as well. The easiest way to do this is to - * add 1 to all the elements whose letters are given with - * the current policy. That way, all elements that are - * set by the current policy and were already set by - * earlier policies and through the original grant of - * rights will get the value 2 or higher. The last thing - * to do is to sweep through `letters' and keep the - * elements having the value 2 as set, and clear all the - * others. - */ - - printf(" Certificate proxy rights = %*.*s", i, - i, s); - while (i-- > 0) { - int c = *s++; - if (isascii(c) && isalpha(c)) { - if (islower(c)) - c = toupper(c); - letters[c - 'A']++; - } - } - for (i = 0; i < 26; i++) - if (letters[i] < 2) - letters[i] = 0; - else - letters[i] = 1; - } - - found_any = 0; - printf(", resulting proxy rights = "); - for (i = 0; i < 26; i++) - if (letters[i]) { - printf("%c", i + 'A'); - found_any = 1; - } - if (!found_any) - printf("none"); - printf("\n"); - - PROXY_CERT_INFO_EXTENSION_free(pci); - } - } - } - return (ok); } -static void process_proxy_debug(int indent, const char *format, ...) -{ - /* That's 80 > */ - static const char indentation[] = - ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>" - ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; - char my_format[256]; - va_list args; - - BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s", - indent, indent, indentation, format); - - va_start(args, format); - vfprintf(stderr, my_format, args); - va_end(args); -} - -/*- - * Priority levels: - * 0 [!]var, () - * 1 & ^ - * 2 | - */ -static int process_proxy_cond_adders(unsigned int letters[26], - const char *cond, const char **cond_end, - int *pos, int indent); -static int process_proxy_cond_val(unsigned int letters[26], const char *cond, - const char **cond_end, int *pos, int indent) -{ - int c; - int ok = 1; - int negate = 0; - - while (isspace((int)*cond)) { - cond++; - (*pos)++; - } - c = *cond; - - if (debug) - process_proxy_debug(indent, - "Start process_proxy_cond_val at position %d: %s\n", - *pos, cond); - - while (c == '!') { - negate = !negate; - cond++; - (*pos)++; - while (isspace((int)*cond)) { - cond++; - (*pos)++; - } - c = *cond; - } - - if (c == '(') { - cond++; - (*pos)++; - ok = process_proxy_cond_adders(letters, cond, cond_end, pos, - indent + 1); - cond = *cond_end; - if (ok < 0) - goto end; - while (isspace((int)*cond)) { - cond++; - (*pos)++; - } - c = *cond; - if (c != ')') { - fprintf(stderr, - "Weird condition character in position %d: " - "%c\n", *pos, c); - ok = -1; - goto end; - } - cond++; - (*pos)++; - } else if (isascii(c) && isalpha(c)) { - if (islower(c)) - c = toupper(c); - ok = letters[c - 'A']; - cond++; - (*pos)++; - } else { - fprintf(stderr, - "Weird condition character in position %d: " "%c\n", *pos, c); - ok = -1; - goto end; - } - end: - *cond_end = cond; - if (ok >= 0 && negate) - ok = !ok; - - if (debug) - process_proxy_debug(indent, - "End process_proxy_cond_val at position %d: %s, returning %d\n", - *pos, cond, ok); - - return ok; -} - -static int process_proxy_cond_multipliers(unsigned int letters[26], - const char *cond, - const char **cond_end, int *pos, - int indent) -{ - int ok; - char c; - - if (debug) - process_proxy_debug(indent, - "Start process_proxy_cond_multipliers at position %d: %s\n", - *pos, cond); - - ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1); - cond = *cond_end; - if (ok < 0) - goto end; - - while (ok >= 0) { - while (isspace((int)*cond)) { - cond++; - (*pos)++; - } - c = *cond; - - switch (c) { - case '&': - case '^': - { - int save_ok = ok; - - cond++; - (*pos)++; - ok = process_proxy_cond_val(letters, - cond, cond_end, pos, indent + 1); - cond = *cond_end; - if (ok < 0) - break; - - switch (c) { - case '&': - ok &= save_ok; - break; - case '^': - ok ^= save_ok; - break; - default: - fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!" - " STOPPING\n"); - EXIT(1); - } - } - break; - default: - goto end; - } - } - end: - if (debug) - process_proxy_debug(indent, - "End process_proxy_cond_multipliers at position %d: %s, returning %d\n", - *pos, cond, ok); - - *cond_end = cond; - return ok; -} - -static int process_proxy_cond_adders(unsigned int letters[26], - const char *cond, const char **cond_end, - int *pos, int indent) -{ - int ok; - char c; - - if (debug) - process_proxy_debug(indent, - "Start process_proxy_cond_adders at position %d: %s\n", - *pos, cond); - - ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos, - indent + 1); - cond = *cond_end; - if (ok < 0) - goto end; - - while (ok >= 0) { - while (isspace((int)*cond)) { - cond++; - (*pos)++; - } - c = *cond; - - switch (c) { - case '|': - { - int save_ok = ok; - - cond++; - (*pos)++; - ok = process_proxy_cond_multipliers(letters, - cond, cond_end, pos, - indent + 1); - cond = *cond_end; - if (ok < 0) - break; - - switch (c) { - case '|': - ok |= save_ok; - break; - default: - fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!" - " STOPPING\n"); - EXIT(1); - } - } - break; - default: - goto end; - } - } - end: - if (debug) - process_proxy_debug(indent, - "End process_proxy_cond_adders at position %d: %s, returning %d\n", - *pos, cond, ok); - - *cond_end = cond; - return ok; -} - -static int process_proxy_cond(unsigned int letters[26], - const char *cond, const char **cond_end) -{ - int pos = 1; - return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1); -} - static int app_verify_callback(X509_STORE_CTX *ctx, void *arg) { int ok = 1; struct app_verify_arg *cb_arg = arg; - unsigned int letters[26]; /* only used with proxy_auth */ if (cb_arg->app_verify) { char *s = NULL, buf[256]; @@ -3452,61 +2856,9 @@ static int app_verify_callback(X509_STORE_CTX *ctx, void *arg) } return (1); } - if (cb_arg->proxy_auth) { - int found_any = 0, i; - char *sp; - - for (i = 0; i < 26; i++) - letters[i] = 0; - for (sp = cb_arg->proxy_auth; *sp; sp++) { - int c = *sp; - if (isascii(c) && isalpha(c)) { - if (islower(c)) - c = toupper(c); - letters[c - 'A'] = 1; - } - } - printf(" Initial proxy rights = "); - for (i = 0; i < 26; i++) - if (letters[i]) { - printf("%c", i + 'A'); - found_any = 1; - } - if (!found_any) - printf("none"); - printf("\n"); - - X509_STORE_CTX_set_ex_data(ctx, - get_proxy_auth_ex_data_idx(), letters); - } - if (cb_arg->allow_proxy_certs) { - X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS); - } ok = X509_verify_cert(ctx); - if (cb_arg->proxy_auth) { - if (ok > 0) { - const char *cond_end = NULL; - - ok = process_proxy_cond(letters, cb_arg->proxy_cond, &cond_end); - - if (ok < 0) - EXIT(3); - if (*cond_end) { - fprintf(stderr, - "Stopped processing condition before it's end.\n"); - ok = 0; - } - if (!ok) - fprintf(stderr, - "Proxy rights check with condition '%s' invalid\n", - cb_arg->proxy_cond); - else - printf("Proxy rights check with condition '%s' ok\n", - cb_arg->proxy_cond); - } - } return (ok); } @@ -3726,33 +3078,3 @@ static unsigned int psk_server_callback(SSL *ssl, const char *identity, return psk_len; } #endif - -static int do_test_cipherlist(void) -{ -#ifndef OPENSSL_NO_TLS - int i = 0; - const SSL_METHOD *meth; - const SSL_CIPHER *ci, *tci = NULL; - - /* - * This is required because ssltest "cheats" and uses internal headers to - * call functions, thus avoiding auto-init - */ - OPENSSL_init_crypto(0, NULL); - OPENSSL_init_ssl(0, NULL); - - meth = TLS_method(); - tci = NULL; - while ((ci = meth->get_cipher(i++)) != NULL) { - if (tci != NULL) - if (ci->id >= tci->id) { - fprintf(stderr, "testing SSLv3 cipher list order: "); - fprintf(stderr, "failed %x vs. %x\n", ci->id, tci->id); - return 0; - } - tci = ci; - } -#endif - - return 1; -}