X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=test%2Fssltest_old.c;h=e0d5a08c9657a9d2354a794696d9dde8f6164db0;hp=bc73380146fefb3e297cce54dc6228b42589552b;hb=adcd8e37db682a5818415b1e0e1d8847dd9ab1e6;hpb=2a7de0fd5d9baf946ef4d2c51096b04dd47a8143 diff --git a/test/ssltest_old.c b/test/ssltest_old.c index bc73380146..e0d5a08c96 100644 --- a/test/ssltest_old.c +++ b/test/ssltest_old.c @@ -73,9 +73,6 @@ #include #include #include -#ifndef OPENSSL_NO_ENGINE -# include -#endif #include #include #ifndef OPENSSL_NO_RSA @@ -87,16 +84,11 @@ #ifndef OPENSSL_NO_DH # include #endif -#ifndef OPENSSL_NO_SRP -# include -#endif #include #ifndef OPENSSL_NO_CT # include #endif -#include "../ssl/ssl_locl.h" - /* * Or gethostname won't be declared properly * on Compaq platforms (at least with DEC C). @@ -146,45 +138,6 @@ static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned int max_psk_len); #endif -#ifndef OPENSSL_NO_SRP -/* SRP client */ -/* This is a context that we pass to all callbacks */ -typedef struct srp_client_arg_st { - char *srppassin; - char *srplogin; -} SRP_CLIENT_ARG; - -# define PWD_STRLEN 1024 - -static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg) -{ - SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg; - return OPENSSL_strdup((char *)srp_client_arg->srppassin); -} - -/* SRP server */ -/* This is a context that we pass to SRP server callbacks */ -typedef struct srp_server_arg_st { - char *expected_user; - char *pass; -} SRP_SERVER_ARG; - -static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg) -{ - SRP_SERVER_ARG *p = (SRP_SERVER_ARG *)arg; - - if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0) { - fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s)); - return SSL3_AL_FATAL; - } - if (SSL_set_srp_server_param_pw(s, p->expected_user, p->pass, "1024") < 0) { - *ad = SSL_AD_INTERNAL_ERROR; - return SSL3_AL_FATAL; - } - return SSL_ERROR_NONE; -} -#endif - static BIO *bio_err = NULL; static BIO *bio_stdout = NULL; @@ -332,7 +285,6 @@ static int verify_servername(SSL *client, SSL *server) * next_protos_parse parses a comma separated list of strings into a string * in a format suitable for passing to SSL_CTX_set_next_protos_advertised. * outlen: (output) set to the length of the resulting buffer on success. - * err: (maybe NULL) on failure, an error message line is written to this BIO. * in: a NUL terminated string like "abc,def,ghi" * * returns: a malloced buffer or NULL on failure. @@ -704,9 +656,6 @@ static void sv_usage(void) { fprintf(stderr, "usage: ssltest [args ...]\n"); fprintf(stderr, "\n"); -#ifdef OPENSSL_FIPS - fprintf(stderr, "-F - run test in FIPS mode\n"); -#endif fprintf(stderr, " -server_auth - check server certificate\n"); fprintf(stderr, " -client_auth - do client authentication\n"); fprintf(stderr, " -v - more output\n"); @@ -730,10 +679,6 @@ static void sv_usage(void) #ifndef OPENSSL_NO_PSK fprintf(stderr, " -psk arg - PSK in hex (without 0x)\n"); #endif -#ifndef OPENSSL_NO_SRP - fprintf(stderr, " -srpuser user - SRP username to use\n"); - fprintf(stderr, " -srppass arg - password for 'user'\n"); -#endif #ifndef OPENSSL_NO_SSL3 fprintf(stderr, " -ssl3 - use SSLv3\n"); #endif @@ -855,11 +800,11 @@ static void print_details(SSL *c_ssl, const char *prefix) SSL_CIPHER_get_version(ciph), SSL_CIPHER_get_name(ciph)); cert = SSL_get_peer_certificate(c_ssl); if (cert != NULL) { - pkey = X509_get_pubkey(cert); - if (pkey != NULL) { + EVP_PKEY* pubkey = X509_get0_pubkey(cert); + + if (pubkey != NULL) { BIO_puts(bio_stdout, ", "); - print_key_details(bio_stdout, pkey); - EVP_PKEY_free(pkey); + print_key_details(bio_stdout, pubkey); } X509_free(cert); } @@ -889,6 +834,7 @@ static int protocol_from_string(const char *value) {"tls1", TLS1_VERSION}, {"tls1.1", TLS1_1_VERSION}, {"tls1.2", TLS1_2_VERSION}, + {"tls1.3", TLS1_3_VERSION}, {"dtls1", DTLS1_VERSION}, {"dtls1.2", DTLS1_2_VERSION}}; size_t i; @@ -957,11 +903,11 @@ static int set_protocol_version(const char *version, SSL *ssl, int setting) int main(int argc, char *argv[]) { - char *CApath = NULL, *CAfile = NULL; + const char *CApath = NULL, *CAfile = NULL; int badop = 0; enum { BIO_MEM, BIO_PAIR, BIO_IPV4, BIO_IPV6 } bio_type = BIO_MEM; int force = 0; - int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, ssl3 = 0, ret = 1; + int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, tls1_2 = 0, ssl3 = 0, ret = 1; int client_auth = 0; int server_auth = 0, i; struct app_verify_arg app_verify_arg = @@ -977,12 +923,6 @@ int main(int argc, char *argv[]) #ifndef OPENSSL_NO_DH DH *dh; int dhe512 = 0, dhe1024dsa = 0; -#endif -#ifndef OPENSSL_NO_SRP - /* client */ - SRP_CLIENT_ARG srp_client_arg = { NULL, NULL }; - /* server */ - SRP_SERVER_ARG srp_server_arg = { NULL, NULL }; #endif int no_dhe = 0; int no_psk = 0; @@ -992,9 +932,6 @@ int main(int argc, char *argv[]) int n, comp = 0; COMP_METHOD *cm = NULL; STACK_OF(SSL_COMP) *ssl_comp_methods = NULL; -#endif -#ifdef OPENSSL_FIPS - int fips_mode = 0; #endif int no_protocol; int min_version = 0, max_version = 0; @@ -1064,13 +1001,9 @@ int main(int argc, char *argv[]) while (argc >= 1) { if (strcmp(*argv, "-F") == 0) { -#ifdef OPENSSL_FIPS - fips_mode = 1; -#else fprintf(stderr, "not compiled with FIPS support, so exiting without running.\n"); EXIT(0); -#endif } else if (strcmp(*argv, "-server_auth") == 0) server_auth = 1; else if (strcmp(*argv, "-client_auth") == 0) @@ -1112,21 +1045,9 @@ int main(int argc, char *argv[]) no_psk = 1; #endif } -#ifndef OPENSSL_NO_SRP - else if (strcmp(*argv, "-srpuser") == 0) { - if (--argc < 1) - goto bad; - srp_server_arg.expected_user = srp_client_arg.srplogin = - *(++argv); - min_version = TLS1_VERSION; - } else if (strcmp(*argv, "-srppass") == 0) { - if (--argc < 1) - goto bad; - srp_server_arg.pass = srp_client_arg.srppassin = *(++argv); - min_version = TLS1_VERSION; - } -#endif - else if (strcmp(*argv, "-tls1") == 0) { + else if (strcmp(*argv, "-tls1_2") == 0) { + tls1_2 = 1; + } else if (strcmp(*argv, "-tls1") == 0) { tls1 = 1; } else if (strcmp(*argv, "-ssl3") == 0) { ssl3 = 1; @@ -1332,8 +1253,8 @@ int main(int argc, char *argv[]) goto end; } - if (ssl3 + tls1 + dtls + dtls1 + dtls12 > 1) { - fprintf(stderr, "At most one of -ssl3, -tls1, -dtls, -dtls1 or -dtls12 should " + if (ssl3 + tls1 + tls1_2 + dtls + dtls1 + dtls12 > 1) { + fprintf(stderr, "At most one of -ssl3, -tls1, -tls1_2, -dtls, -dtls1 or -dtls12 should " "be requested.\n"); EXIT(1); } @@ -1348,6 +1269,11 @@ int main(int argc, char *argv[]) no_protocol = 1; else #endif +#ifdef OPENSSL_NO_TLS1_2 + if (tls1_2) + no_protocol = 1; + else +#endif #if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1) if (dtls1) no_protocol = 1; @@ -1372,22 +1298,14 @@ int main(int argc, char *argv[]) goto end; } - if (!ssl3 && !tls1 && !dtls && !dtls1 && !dtls12 && number > 1 && !reuse && !force) { + if (!ssl3 && !tls1 && !tls1_2 && !dtls && !dtls1 && !dtls12 && number > 1 + && !reuse && !force) { fprintf(stderr, "This case cannot work. Use -f to perform " "the test anyway (and\n-d to see what happens), " - "or add one of -ssl3, -tls1, -dtls, -dtls1, -dtls12, -reuse\n" + "or add one of -ssl3, -tls1, -tls1_2, -dtls, -dtls1, -dtls12, -reuse\n" "to avoid protocol mismatch.\n"); EXIT(1); } -#ifdef OPENSSL_FIPS - if (fips_mode) { - if (!FIPS_mode_set(1)) { - ERR_print_errors(bio_err); - EXIT(1); - } else - fprintf(stderr, "*** IN FIPS MODE ***\n"); - } -#endif if (print_time) { if (bio_type != BIO_PAIR) { @@ -1399,8 +1317,6 @@ int main(int argc, char *argv[]) "Warning: For accurate timings, use more connections (e.g. -num 1000)\n"); } -/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */ - #ifndef OPENSSL_NO_COMP if (comp == COMP_ZLIB) cm = COMP_zlib(); @@ -1424,7 +1340,7 @@ int main(int argc, char *argv[]) printf("Available compression methods:"); for (j = 0; j < n; j++) { SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j); - printf(" %s:%d", c->name, c->id); + printf(" %s:%d", SSL_COMP_get0_name(c), SSL_COMP_get_id(c)); } printf("\n"); } @@ -1438,6 +1354,9 @@ int main(int argc, char *argv[]) } else if (tls1) { min_version = TLS1_VERSION; max_version = TLS1_VERSION; + } else if (tls1_2) { + min_version = TLS1_2_VERSION; + max_version = TLS1_2_VERSION; } #endif #ifndef OPENSSL_NO_DTLS @@ -1550,9 +1469,7 @@ int main(int argc, char *argv[]) (!SSL_CTX_set_default_verify_paths(s_ctx2)) || (!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) || (!SSL_CTX_set_default_verify_paths(c_ctx))) { - /* fprintf(stderr,"SSL_load_verify_locations\n"); */ ERR_print_errors(bio_err); - /* goto end; */ } #ifndef OPENSSL_NO_CT @@ -1621,29 +1538,6 @@ int main(int argc, char *argv[]) } #endif } -#ifndef OPENSSL_NO_SRP - if (srp_client_arg.srplogin) { - if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin)) { - BIO_printf(bio_err, "Unable to set SRP username\n"); - goto end; - } - SSL_CTX_set_srp_cb_arg(c_ctx, &srp_client_arg); - SSL_CTX_set_srp_client_pwd_callback(c_ctx, - ssl_give_srp_client_pwd_cb); - /* - * SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength); - */ - } - - if (srp_server_arg.expected_user != NULL) { - SSL_CTX_set_verify(s_ctx, SSL_VERIFY_NONE, verify_callback); - SSL_CTX_set_verify(s_ctx2, SSL_VERIFY_NONE, verify_callback); - SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg); - SSL_CTX_set_srp_cb_arg(s_ctx2, &srp_server_arg); - SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb); - SSL_CTX_set_srp_username_callback(s_ctx2, ssl_srp_server_param_cb); - } -#endif #ifndef OPENSSL_NO_NEXTPROTONEG if (npn_client) { @@ -1655,14 +1549,12 @@ int main(int argc, char *argv[]) "Can't have both -npn_server and -npn_server_reject\n"); goto end; } - SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_npn, NULL); - SSL_CTX_set_next_protos_advertised_cb(s_ctx2, cb_server_npn, NULL); + SSL_CTX_set_npn_advertised_cb(s_ctx, cb_server_npn, NULL); + SSL_CTX_set_npn_advertised_cb(s_ctx2, cb_server_npn, NULL); } if (npn_server_reject) { - SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_rejects_npn, - NULL); - SSL_CTX_set_next_protos_advertised_cb(s_ctx2, cb_server_rejects_npn, - NULL); + SSL_CTX_set_npn_advertised_cb(s_ctx, cb_server_rejects_npn, NULL); + SSL_CTX_set_npn_advertised_cb(s_ctx2, cb_server_rejects_npn, NULL); } #endif @@ -1865,7 +1757,7 @@ int main(int argc, char *argv[]) goto err; } if (SSL_version(c_ssl) != version) { - BIO_printf(bio_err, "Unxpected version negotiated. " + BIO_printf(bio_err, "Unexpected version negotiated. " "Expected: %s, got %s\n", should_negotiate, SSL_get_version(c_ssl)); ret = 1; goto err; @@ -2667,8 +2559,29 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) SSL_set_max_send_fragment(c_ssl, max_frag); BIO_set_ssl(c_bio, c_ssl, BIO_NOCLOSE); + /* + * We've just given our ref to these BIOs to c_ssl. We need another one to + * give to s_ssl + */ + if (!BIO_up_ref(c_to_s)) { + /* c_to_s and s_to_c will get freed when we free c_ssl */ + c_to_s = NULL; + s_to_c = NULL; + goto err; + } + if (!BIO_up_ref(s_to_c)) { + /* s_to_c will get freed when we free c_ssl */ + s_to_c = NULL; + goto err; + } + SSL_set_accept_state(s_ssl); SSL_set_bio(s_ssl, c_to_s, s_to_c); + + /* We've used up all our refs to these now */ + c_to_s = NULL; + s_to_c = NULL; + SSL_set_max_send_fragment(s_ssl, max_frag); BIO_set_ssl(s_bio, s_ssl, BIO_NOCLOSE); @@ -2695,22 +2608,12 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) if (SSL_in_init(s_ssl)) printf("server waiting in SSL_accept - %s\n", SSL_state_string_long(s_ssl)); -/*- - else if (s_write) - printf("server:SSL_write()\n"); - else - printf("server:SSL_read()\n"); */ } if (do_client && debug) { if (SSL_in_init(c_ssl)) printf("client waiting in SSL_connect - %s\n", SSL_state_string_long(c_ssl)); -/*- - else if (c_write) - printf("client:SSL_write()\n"); - else - printf("client:SSL_read()\n"); */ } if (!do_client && !do_server) { @@ -2881,23 +2784,6 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) } ret = 0; err: - /* - * We have to set the BIO's to NULL otherwise they will be - * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and again - * when c_ssl is SSL_free()ed. This is a hack required because s_ssl and - * c_ssl are sharing the same BIO structure and SSL_set_bio() and - * SSL_free() automatically BIO_free non NULL entries. You should not - * normally do this or be required to do this - */ - if (s_ssl != NULL) { - s_ssl->rbio = NULL; - s_ssl->wbio = NULL; - } - if (c_ssl != NULL) { - c_ssl->rbio = NULL; - c_ssl->wbio = NULL; - } - BIO_free(c_to_s); BIO_free(s_to_c); BIO_free_all(c_bio);