#define USE_SOCKETS
#include "e_os.h"
+#ifdef OPENSSL_SYS_VMS
#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
VMS (at least with DECompHP C). */
+#endif
+
#include <ctype.h>
#include <openssl/bio.h>
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#endif
+#ifndef OPENSSL_NO_SRP
+#include <openssl/srp.h>
+#endif
#include <openssl/bn.h>
#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
unsigned int max_psk_len);
#endif
+#ifndef OPENSSL_NO_SRP
+/* SRP client */
+/* This is a context that we pass to all callbacks */
+typedef struct srp_client_arg_st
+ {
+ char *srppassin;
+ char *srplogin;
+ } SRP_CLIENT_ARG;
+
+#define PWD_STRLEN 1024
+
+static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
+ {
+ SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
+ return BUF_strdup((char *)srp_client_arg->srppassin);
+ }
+
+/* SRP server */
+/* This is a context that we pass to SRP server callbacks */
+typedef struct srp_server_arg_st
+ {
+ char *expected_user;
+ char *pass;
+ } SRP_SERVER_ARG;
+
+static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
+ {
+ SRP_SERVER_ARG * p = (SRP_SERVER_ARG *) arg;
+
+ if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0)
+ {
+ fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s));
+ return SSL3_AL_FATAL;
+ }
+ if (SSL_set_srp_server_param_pw(s,p->expected_user,p->pass,"1024")<0)
+ {
+ *ad = SSL_AD_INTERNAL_ERROR;
+ return SSL3_AL_FATAL;
+ }
+ return SSL_ERROR_NONE;
+ }
+#endif
+
static BIO *bio_err=NULL;
static BIO *bio_stdout=NULL;
+#ifndef OPENSSL_NO_NEXTPROTONEG
+/* Note that this code assumes that this is only a one element list: */
+static const char NEXT_PROTO_STRING[] = "\x09testproto";
+int npn_client = 0;
+int npn_server = 0;
+int npn_server_reject = 0;
+
+static int cb_client_npn(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
+ {
+ /* This callback only returns the protocol string, rather than a length
+ prefixed set. We assume that NEXT_PROTO_STRING is a one element list and
+ remove the first byte to chop off the length prefix. */
+ *out = (unsigned char*) NEXT_PROTO_STRING + 1;
+ *outlen = sizeof(NEXT_PROTO_STRING) - 2;
+ return SSL_TLSEXT_ERR_OK;
+ }
+
+static int cb_server_npn(SSL *s, const unsigned char **data, unsigned int *len, void *arg)
+ {
+ *data = (const unsigned char *) NEXT_PROTO_STRING;
+ *len = sizeof(NEXT_PROTO_STRING) - 1;
+ return SSL_TLSEXT_ERR_OK;
+ }
+
+static int cb_server_rejects_npn(SSL *s, const unsigned char **data, unsigned int *len, void *arg)
+ {
+ return SSL_TLSEXT_ERR_NOACK;
+ }
+
+static int verify_npn(SSL *client, SSL *server)
+ {
+ const unsigned char *client_s;
+ unsigned client_len;
+ const unsigned char *server_s;
+ unsigned server_len;
+
+ SSL_get0_next_proto_negotiated(client, &client_s, &client_len);
+ SSL_get0_next_proto_negotiated(server, &server_s, &server_len);
+
+ if (client_len)
+ {
+ BIO_printf(bio_stdout, "Client NPN: ");
+ BIO_write(bio_stdout, client_s, client_len);
+ BIO_printf(bio_stdout, "\n");
+ }
+
+ if (server_len)
+ {
+ BIO_printf(bio_stdout, "Server NPN: ");
+ BIO_write(bio_stdout, server_s, server_len);
+ BIO_printf(bio_stdout, "\n");
+ }
+
+ /* If an NPN string was returned, it must be the protocol that we
+ * expected to negotiate. */
+ if (client_len && (client_len != sizeof(NEXT_PROTO_STRING) - 2 ||
+ memcmp(client_s, NEXT_PROTO_STRING + 1, client_len)))
+ return -1;
+ if (server_len && (server_len != sizeof(NEXT_PROTO_STRING) - 2 ||
+ memcmp(server_s, NEXT_PROTO_STRING + 1, server_len)))
+ return -1;
+
+ if (!npn_client && client_len)
+ return -1;
+ if (!npn_server && server_len)
+ return -1;
+ if (npn_server_reject && server_len)
+ return -1;
+ if (npn_client && npn_server && (!client_len || !server_len))
+ return -1;
+
+ return 0;
+ }
+#endif
+
+static const char *alpn_client;
+static const char *alpn_server;
+static const char *alpn_expected;
+static unsigned char *alpn_selected;
+
+/* next_protos_parse parses a comma separated list of strings into a string
+ * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
+ * outlen: (output) set to the length of the resulting buffer on success.
+ * err: (maybe NULL) on failure, an error message line is written to this BIO.
+ * in: a NUL terminated string like "abc,def,ghi"
+ *
+ * returns: a malloced buffer or NULL on failure.
+ */
+static unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
+ {
+ size_t len;
+ unsigned char *out;
+ size_t i, start = 0;
+
+ len = strlen(in);
+ if (len >= 65535)
+ return NULL;
+
+ out = OPENSSL_malloc(strlen(in) + 1);
+ if (!out)
+ return NULL;
+
+ for (i = 0; i <= len; ++i)
+ {
+ if (i == len || in[i] == ',')
+ {
+ if (i - start > 255)
+ {
+ OPENSSL_free(out);
+ return NULL;
+ }
+ out[start] = i - start;
+ start = i + 1;
+ }
+ else
+ out[i+1] = in[i];
+ }
+
+ *outlen = len + 1;
+ return out;
+ }
+
+static int cb_server_alpn(SSL *s, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
+ {
+ unsigned char *protos;
+ unsigned short protos_len;
+
+ protos = next_protos_parse(&protos_len, alpn_server);
+ if (protos == NULL)
+ {
+ fprintf(stderr, "failed to parser ALPN server protocol string: %s\n", alpn_server);
+ abort();
+ }
+
+ if (SSL_select_next_proto((unsigned char**) out, outlen, protos, protos_len, in, inlen) !=
+ OPENSSL_NPN_NEGOTIATED)
+ {
+ OPENSSL_free(protos);
+ return SSL_TLSEXT_ERR_NOACK;
+ }
+
+ /* Make a copy of the selected protocol which will be freed in verify_alpn. */
+ alpn_selected = OPENSSL_malloc(*outlen);
+ memcpy(alpn_selected, *out, *outlen);
+ *out = alpn_selected;
+
+ OPENSSL_free(protos);
+ return SSL_TLSEXT_ERR_OK;
+ }
+
+static int verify_alpn(SSL *client, SSL *server)
+ {
+ const unsigned char *client_proto, *server_proto;
+ unsigned int client_proto_len = 0, server_proto_len = 0;
+ SSL_get0_alpn_selected(client, &client_proto, &client_proto_len);
+ SSL_get0_alpn_selected(server, &server_proto, &server_proto_len);
+
+ if (alpn_selected != NULL)
+ {
+ OPENSSL_free(alpn_selected);
+ alpn_selected = NULL;
+ }
+
+ if (client_proto_len != server_proto_len ||
+ memcmp(client_proto, server_proto, client_proto_len) != 0)
+ {
+ BIO_printf(bio_stdout, "ALPN selected protocols differ!\n");
+ goto err;
+ }
+
+ if (client_proto_len > 0 && alpn_expected == NULL)
+ {
+ BIO_printf(bio_stdout, "ALPN unexpectedly negotiated\n");
+ goto err;
+ }
+
+ if (alpn_expected != NULL &&
+ (client_proto_len != strlen(alpn_expected) ||
+ memcmp(client_proto, alpn_expected, client_proto_len) != 0))
+ {
+ BIO_printf(bio_stdout, "ALPN selected protocols not equal to expected protocol: %s\n", alpn_expected);
+ goto err;
+ }
+
+ return 0;
+
+err:
+ BIO_printf(bio_stdout, "ALPN results: client: '");
+ BIO_write(bio_stdout, client_proto, client_proto_len);
+ BIO_printf(bio_stdout, "', server: '");
+ BIO_write(bio_stdout, server_proto, server_proto_len);
+ BIO_printf(bio_stdout, "'\n");
+ BIO_printf(bio_stdout, "ALPN configured: client: '%s', server: '%s'\n", alpn_client, alpn_server);
+ return -1;
+ }
+
+#define SCT_EXT_TYPE 18
+
+/* WARNING : below extension types are *NOT* IETF assigned, and
+ could conflict if these types are reassigned and handled
+ specially by OpenSSL in the future */
+#define TACK_EXT_TYPE 62208
+#define CUSTOM_EXT_TYPE_0 1000
+#define CUSTOM_EXT_TYPE_1 1001
+#define CUSTOM_EXT_TYPE_2 1002
+#define CUSTOM_EXT_TYPE_3 1003
+
+const char custom_ext_cli_string[] = "abc";
+const char custom_ext_srv_string[] = "defg";
+
+/* These set from cmdline */
+char* serverinfo_file = NULL;
+int serverinfo_sct = 0;
+int serverinfo_tack = 0;
+
+/* These set based on extension callbacks */
+int serverinfo_sct_seen = 0;
+int serverinfo_tack_seen = 0;
+int serverinfo_other_seen = 0;
+
+/* This set from cmdline */
+int custom_ext = 0;
+
+/* This set based on extension callbacks */
+int custom_ext_error = 0;
+
+static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type,
+ const unsigned char *in, size_t inlen,
+ int *al, void *arg)
+ {
+ if (ext_type == SCT_EXT_TYPE)
+ serverinfo_sct_seen++;
+ else if (ext_type == TACK_EXT_TYPE)
+ serverinfo_tack_seen++;
+ else
+ serverinfo_other_seen++;
+ return 1;
+ }
+
+static int verify_serverinfo()
+ {
+ if (serverinfo_sct != serverinfo_sct_seen)
+ return -1;
+ if (serverinfo_tack != serverinfo_tack_seen)
+ return -1;
+ if (serverinfo_other_seen)
+ return -1;
+ return 0;
+ }
+
+/* Four test cases for custom extensions:
+ * 0 - no ClientHello extension or ServerHello response
+ * 1 - ClientHello with "abc", no response
+ * 2 - ClientHello with "abc", empty response
+ * 3 - ClientHello with "abc", "defg" response
+ */
+
+static int custom_ext_0_cli_add_cb(SSL *s, unsigned int ext_type,
+ const unsigned char **out,
+ size_t *outlen, int *al, void *arg)
+ {
+ if (ext_type != CUSTOM_EXT_TYPE_0)
+ custom_ext_error = 1;
+ return 0; /* Don't send an extension */
+ }
+
+static int custom_ext_0_cli_parse_cb(SSL *s, unsigned int ext_type,
+ const unsigned char *in,
+ size_t inlen, int *al,
+ void *arg)
+ {
+ return 1;
+ }
+
+static int custom_ext_1_cli_add_cb(SSL *s, unsigned int ext_type,
+ const unsigned char **out,
+ size_t *outlen, int *al, void *arg)
+ {
+ if (ext_type != CUSTOM_EXT_TYPE_1)
+ custom_ext_error = 1;
+ *out = (const unsigned char*)custom_ext_cli_string;
+ *outlen = strlen(custom_ext_cli_string);
+ return 1; /* Send "abc" */
+ }
+
+static int custom_ext_1_cli_parse_cb(SSL *s, unsigned int ext_type,
+ const unsigned char *in,
+ size_t inlen, int *al,
+ void *arg)
+ {
+ return 1;
+ }
+
+static int custom_ext_2_cli_add_cb(SSL *s, unsigned int ext_type,
+ const unsigned char **out,
+ size_t *outlen, int *al, void *arg)
+ {
+ if (ext_type != CUSTOM_EXT_TYPE_2)
+ custom_ext_error = 1;
+ *out = (const unsigned char*)custom_ext_cli_string;
+ *outlen = strlen(custom_ext_cli_string);
+ return 1; /* Send "abc" */
+ }
+
+static int custom_ext_2_cli_parse_cb(SSL *s, unsigned int ext_type,
+ const unsigned char *in,
+ size_t inlen, int *al,
+ void *arg)
+ {
+ if (ext_type != CUSTOM_EXT_TYPE_2)
+ custom_ext_error = 1;
+ if (inlen != 0)
+ custom_ext_error = 1; /* Should be empty response */
+ return 1;
+ }
+
+static int custom_ext_3_cli_add_cb(SSL *s, unsigned int ext_type,
+ const unsigned char **out,
+ size_t *outlen, int *al, void *arg)
+ {
+ if (ext_type != CUSTOM_EXT_TYPE_3)
+ custom_ext_error = 1;
+ *out = (const unsigned char*)custom_ext_cli_string;
+ *outlen = strlen(custom_ext_cli_string);
+ return 1; /* Send "abc" */
+ }
+
+static int custom_ext_3_cli_parse_cb(SSL *s, unsigned int ext_type,
+ const unsigned char *in,
+ size_t inlen, int *al,
+ void *arg)
+ {
+ if (ext_type != CUSTOM_EXT_TYPE_3)
+ custom_ext_error = 1;
+ if (inlen != strlen(custom_ext_srv_string))
+ custom_ext_error = 1;
+ if (memcmp(custom_ext_srv_string, in, inlen) != 0)
+ custom_ext_error = 1; /* Check for "defg" */
+ return 1;
+ }
+
+/* custom_ext_0_cli_add_cb returns 0 - the server won't receive a callback for this extension */
+static int custom_ext_0_srv_parse_cb(SSL *s, unsigned int ext_type,
+ const unsigned char *in,
+ size_t inlen, int *al,
+ void *arg)
+ {
+ custom_ext_error = 1;
+ return 1;
+ }
+
+/* 'add' callbacks are only called if the 'parse' callback is called */
+static int custom_ext_0_srv_add_cb(SSL *s, unsigned int ext_type,
+ const unsigned char **out,
+ size_t *outlen, int *al, void *arg)
+ {
+ /* Error: should not have been called */
+ custom_ext_error = 1;
+ return 0; /* Don't send an extension */
+ }
+
+static int custom_ext_1_srv_parse_cb(SSL *s, unsigned int ext_type,
+ const unsigned char *in,
+ size_t inlen, int *al,
+ void *arg)
+ {
+ if (ext_type != CUSTOM_EXT_TYPE_1)
+ custom_ext_error = 1;
+ /* Check for "abc" */
+ if (inlen != strlen(custom_ext_cli_string))
+ custom_ext_error = 1;
+ if (memcmp(in, custom_ext_cli_string, inlen) != 0)
+ custom_ext_error = 1;
+ return 1;
+ }
+
+static int custom_ext_1_srv_add_cb(SSL *s, unsigned int ext_type,
+ const unsigned char **out,
+ size_t *outlen, int *al, void *arg)
+ {
+ return 0; /* Don't send an extension */
+ }
+
+static int custom_ext_2_srv_parse_cb(SSL *s, unsigned int ext_type,
+ const unsigned char *in,
+ size_t inlen, int *al,
+ void *arg)
+ {
+ if (ext_type != CUSTOM_EXT_TYPE_2)
+ custom_ext_error = 1;
+ /* Check for "abc" */
+ if (inlen != strlen(custom_ext_cli_string))
+ custom_ext_error = 1;
+ if (memcmp(in, custom_ext_cli_string, inlen) != 0)
+ custom_ext_error = 1;
+ return 1;
+ }
+
+static int custom_ext_2_srv_add_cb(SSL *s, unsigned int ext_type,
+ const unsigned char **out,
+ size_t *outlen, int *al, void *arg)
+ {
+ *out = NULL;
+ *outlen = 0;
+ return 1; /* Send empty extension */
+ }
+
+static int custom_ext_3_srv_parse_cb(SSL *s, unsigned int ext_type,
+ const unsigned char *in,
+ size_t inlen, int *al,
+ void *arg)
+ {
+ if (ext_type != CUSTOM_EXT_TYPE_3)
+ custom_ext_error = 1;
+ /* Check for "abc" */
+ if (inlen != strlen(custom_ext_cli_string))
+ custom_ext_error = 1;
+ if (memcmp(in, custom_ext_cli_string, inlen) != 0)
+ custom_ext_error = 1;
+ return 1;
+ }
+
+static int custom_ext_3_srv_add_cb(SSL *s, unsigned int ext_type,
+ const unsigned char **out,
+ size_t *outlen, int *al, void *arg)
+ {
+ *out = (const unsigned char*)custom_ext_srv_string;
+ *outlen = strlen(custom_ext_srv_string);
+ return 1; /* Send "defg" */
+ }
+
static char *cipher=NULL;
static int verbose=0;
static int debug=0;
{
fprintf(stderr,"usage: ssltest [args ...]\n");
fprintf(stderr,"\n");
+#ifdef OPENSSL_FIPS
+ fprintf(stderr,"-F - run test in FIPS mode\n");
+#endif
fprintf(stderr," -server_auth - check server certificate\n");
fprintf(stderr," -client_auth - do client authentication\n");
fprintf(stderr," -proxy - allow proxy certificates\n");
fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
- fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
+ fprintf(stderr," -proxy_cond <val> - expression to test proxy policy rights\n");
fprintf(stderr," -v - more output\n");
fprintf(stderr," -d - debug output\n");
fprintf(stderr," -reuse - use session-id reuse\n");
#ifndef OPENSSL_NO_PSK
fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");
#endif
+#ifndef OPENSSL_NO_SRP
+ fprintf(stderr," -srpuser user - SRP username to use\n");
+ fprintf(stderr," -srppass arg - password for 'user'\n");
+#endif
#ifndef OPENSSL_NO_SSL2
fprintf(stderr," -ssl2 - use SSLv2\n");
#endif
-#ifndef OPENSSL_NO_SSL3
+#ifndef OPENSSL_NO_SSL3_METHOD
fprintf(stderr," -ssl3 - use SSLv3\n");
#endif
#ifndef OPENSSL_NO_TLS1
" Use \"openssl ecparam -list_curves\" for all names\n" \
" (default is sect163r2).\n");
#endif
- fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
+ fprintf(stderr," -test_cipherlist - Verifies the order of the ssl cipher lists.\n"
+ " When this option is requested, the cipherlist\n"
+ " tests are run instead of handshake tests.\n");
+#ifndef OPENSSL_NO_NEXTPROTONEG
+ fprintf(stderr," -npn_client - have client side offer NPN\n");
+ fprintf(stderr," -npn_server - have server side offer NPN\n");
+ fprintf(stderr," -npn_server_reject - have server reject NPN\n");
+#endif
+ fprintf(stderr," -serverinfo_file file - have server use this file\n");
+ fprintf(stderr," -serverinfo_sct - have client offer and expect SCT\n");
+ fprintf(stderr," -serverinfo_tack - have client offer and expect TACK\n");
+ fprintf(stderr," -custom_ext - try various custom extension callbacks\n");
+ fprintf(stderr," -alpn_client <string> - have client side offer ALPN\n");
+ fprintf(stderr," -alpn_server <string> - have server side offer ALPN\n");
+ fprintf(stderr," -alpn_expected <string> - the ALPN protocol that should be negotiated\n");
+ }
+
+static void print_key_details(BIO *out, EVP_PKEY *key)
+ {
+ int keyid = EVP_PKEY_id(key);
+#ifndef OPENSSL_NO_EC
+ if (keyid == EVP_PKEY_EC)
+ {
+ EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
+ int nid;
+ const char *cname;
+ nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
+ EC_KEY_free(ec);
+ cname = EC_curve_nid2nist(nid);
+ if (!cname)
+ cname = OBJ_nid2sn(nid);
+ BIO_printf(out, "%d bits EC (%s)",
+ EVP_PKEY_bits(key), cname);
+ }
+ else
+#endif
+ {
+ const char *algname;
+ switch (keyid)
+ {
+ case EVP_PKEY_RSA:
+ algname = "RSA";
+ break;
+ case EVP_PKEY_DSA:
+ algname = "DSA";
+ break;
+ case EVP_PKEY_DH:
+ algname = "DH";
+ break;
+ default:
+ algname = OBJ_nid2sn(keyid);
+ break;
+ }
+ BIO_printf(out, "%d bits %s", EVP_PKEY_bits(key), algname);
+ }
}
static void print_details(SSL *c_ssl, const char *prefix)
{
const SSL_CIPHER *ciph;
+ int mdnid;
X509 *cert;
+ EVP_PKEY *pkey;
ciph=SSL_get_current_cipher(c_ssl);
BIO_printf(bio_stdout,"%s%s, cipher %s %s",
cert=SSL_get_peer_certificate(c_ssl);
if (cert != NULL)
{
- EVP_PKEY *pkey = X509_get_pubkey(cert);
+ pkey = X509_get_pubkey(cert);
if (pkey != NULL)
{
- if (0)
- ;
-#ifndef OPENSSL_NO_RSA
- else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
- && pkey->pkey.rsa->n != NULL)
- {
- BIO_printf(bio_stdout, ", %d bit RSA",
- BN_num_bits(pkey->pkey.rsa->n));
- }
-#endif
-#ifndef OPENSSL_NO_DSA
- else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
- && pkey->pkey.dsa->p != NULL)
- {
- BIO_printf(bio_stdout, ", %d bit DSA",
- BN_num_bits(pkey->pkey.dsa->p));
- }
-#endif
+ BIO_puts(bio_stdout, ", ");
+ print_key_details(bio_stdout, pkey);
EVP_PKEY_free(pkey);
}
X509_free(cert);
}
- /* The SSL API does not allow us to look at temporary RSA/DH keys,
- * otherwise we should print their lengths too */
+ if (SSL_get_server_tmp_key(c_ssl, &pkey))
+ {
+ BIO_puts(bio_stdout, ", temp key: ");
+ print_key_details(bio_stdout, pkey);
+ EVP_PKEY_free(pkey);
+ }
+ if (SSL_get_peer_signature_nid(c_ssl, &mdnid))
+ BIO_printf(bio_stdout, ", digest=%s", OBJ_nid2sn(mdnid));
BIO_printf(bio_stdout,"\n");
}
#endif
#ifndef OPENSSL_NO_ECDH
EC_KEY *ecdh = NULL;
+#endif
+#ifndef OPENSSL_NO_SRP
+ /* client */
+ SRP_CLIENT_ARG srp_client_arg = {NULL,NULL};
+ /* server */
+ SRP_SERVER_ARG srp_server_arg = {NULL,NULL};
#endif
int no_dhe = 0;
int no_ecdhe = 0;
int no_psk = 0;
int print_time = 0;
clock_t s_time = 0, c_time = 0;
- int comp = 0;
#ifndef OPENSSL_NO_COMP
+ int comp = 0;
COMP_METHOD *cm = NULL;
-#endif
STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
+#endif
int test_cipherlist = 0;
+#ifdef OPENSSL_FIPS
+ int fips_mode=0;
+#endif
+ int no_protocol = 0;
+
+ SSL_CONF_CTX *s_cctx = NULL, *c_cctx = NULL;
+ STACK_OF(OPENSSL_STRING) *conf_args = NULL;
+ const char *arg = NULL, *argn = NULL;
verbose = 0;
debug = 0;
bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE|BIO_FP_TEXT);
+ s_cctx = SSL_CONF_CTX_new();
+ c_cctx = SSL_CONF_CTX_new();
+
+ if (!s_cctx || !c_cctx)
+ {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ SSL_CONF_CTX_set_flags(s_cctx,
+ SSL_CONF_FLAG_CMDLINE|SSL_CONF_FLAG_SERVER);
+ if (!SSL_CONF_CTX_set1_prefix(s_cctx, "-s_"))
+ {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ SSL_CONF_CTX_set_flags(c_cctx,
+ SSL_CONF_FLAG_CMDLINE|SSL_CONF_FLAG_CLIENT);
+ if (!SSL_CONF_CTX_set1_prefix(c_cctx, "-c_"))
+ {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
argc--;
argv++;
while (argc >= 1)
{
- if (strcmp(*argv,"-server_auth") == 0)
+ if(!strcmp(*argv,"-F"))
+ {
+#ifdef OPENSSL_FIPS
+ fips_mode=1;
+#else
+ fprintf(stderr,"not compiled with FIPS support, so exiting without running.\n");
+ EXIT(0);
+#endif
+ }
+ else if (strcmp(*argv,"-server_auth") == 0)
server_auth=1;
else if (strcmp(*argv,"-client_auth") == 0)
client_auth=1;
no_psk=1;
#endif
}
+#ifndef OPENSSL_NO_SRP
+ else if (strcmp(*argv,"-srpuser") == 0)
+ {
+ if (--argc < 1) goto bad;
+ srp_server_arg.expected_user = srp_client_arg.srplogin= *(++argv);
+ tls1=1;
+ }
+ else if (strcmp(*argv,"-srppass") == 0)
+ {
+ if (--argc < 1) goto bad;
+ srp_server_arg.pass = srp_client_arg.srppassin= *(++argv);
+ tls1=1;
+ }
+#endif
else if (strcmp(*argv,"-ssl2") == 0)
- ssl2=1;
+ {
+#ifdef OPENSSL_NO_SSL2
+ no_protocol = 1;
+#endif
+ ssl2 = 1;
+ }
else if (strcmp(*argv,"-tls1") == 0)
- tls1=1;
+ {
+#ifdef OPENSSL_NO_TLS1
+ no_protocol = 1;
+#endif
+ tls1 = 1;
+ }
else if (strcmp(*argv,"-ssl3") == 0)
- ssl3=1;
+ {
+#ifdef OPENSSL_NO_SSL3_METHOD
+ no_protocol = 1;
+#endif
+ ssl3 = 1;
+ }
else if (strncmp(*argv,"-num",4) == 0)
{
if (--argc < 1) goto bad;
{
print_time = 1;
}
+#ifndef OPENSSL_NO_COMP
else if (strcmp(*argv,"-zlib") == 0)
{
comp = COMP_ZLIB;
{
comp = COMP_RLE;
}
+#endif
else if (strcmp(*argv,"-named_curve") == 0)
{
if (--argc < 1) goto bad;
{
test_cipherlist = 1;
}
+#ifndef OPENSSL_NO_NEXTPROTONEG
+ else if (strcmp(*argv,"-npn_client") == 0)
+ {
+ npn_client = 1;
+ }
+ else if (strcmp(*argv,"-npn_server") == 0)
+ {
+ npn_server = 1;
+ }
+ else if (strcmp(*argv,"-npn_server_reject") == 0)
+ {
+ npn_server_reject = 1;
+ }
+#endif
+ else if (strcmp(*argv,"-serverinfo_sct") == 0)
+ {
+ serverinfo_sct = 1;
+ }
+ else if (strcmp(*argv,"-serverinfo_tack") == 0)
+ {
+ serverinfo_tack = 1;
+ }
+ else if (strcmp(*argv,"-serverinfo_file") == 0)
+ {
+ if (--argc < 1) goto bad;
+ serverinfo_file = *(++argv);
+ }
+ else if (strcmp(*argv,"-custom_ext") == 0)
+ {
+ custom_ext = 1;
+ }
+ else if (strcmp(*argv,"-alpn_client") == 0)
+ {
+ if (--argc < 1) goto bad;
+ alpn_client = *(++argv);
+ }
+ else if (strcmp(*argv,"-alpn_server") == 0)
+ {
+ if (--argc < 1) goto bad;
+ alpn_server = *(++argv);
+ }
+ else if (strcmp(*argv,"-alpn_expected") == 0)
+ {
+ if (--argc < 1) goto bad;
+ alpn_expected = *(++argv);
+ }
else
{
- fprintf(stderr,"unknown option %s\n",*argv);
- badop=1;
+ int rv;
+ arg = argv[0];
+ argn = argv[1];
+ /* Try to process command using SSL_CONF */
+ rv = SSL_CONF_cmd_argv(c_cctx, &argc, &argv);
+ /* If not processed try server */
+ if (rv == 0)
+ rv = SSL_CONF_cmd_argv(s_cctx, &argc, &argv);
+ /* Recognised: store it for later use */
+ if (rv > 0)
+ {
+ if (rv == 1)
+ argn = NULL;
+ if (!conf_args)
+ {
+ conf_args = sk_OPENSSL_STRING_new_null();
+ if (!conf_args)
+ goto end;
+ }
+ if (!sk_OPENSSL_STRING_push(conf_args, arg))
+ goto end;
+ if (!sk_OPENSSL_STRING_push(conf_args, argn))
+ goto end;
+ continue;
+ }
+ if (rv == -3)
+ BIO_printf(bio_err, "Missing argument for %s\n",
+ arg);
+ else if (rv < 0)
+ BIO_printf(bio_err, "Error with command %s\n",
+ arg);
+ else if (rv == 0)
+ BIO_printf(bio_err,"unknown option %s\n", arg);
+ badop = 1;
break;
}
argc--;
goto end;
}
+ /*
+ * test_cipherlist prevails over protocol switch: we test the cipherlist
+ * for all enabled protocols.
+ */
if (test_cipherlist == 1)
{
/* ensure that the cipher list are correctly sorted and exit */
+ fprintf(stdout, "Testing cipherlist order only. Ignoring all "
+ "other options.\n");
if (do_test_cipherlist() == 0)
EXIT(1);
ret = 0;
goto end;
}
+ if (ssl2 + ssl3 + tls1 > 1)
+ {
+ fprintf(stderr, "At most one of -ssl2, -ssl3, or -tls1 should "
+ "be requested.\n");
+ EXIT(1);
+ }
+
+ /*
+ * Testing was requested for a compiled-out protocol (e.g. SSLv2).
+ * Ideally, we would error out, but the generic test wrapper can't know
+ * when to expect failure. So we do nothing and return success.
+ */
+ if (no_protocol)
+ {
+ fprintf(stderr, "Testing was requested for a disabled protocol. "
+ "Skipping tests.\n");
+ ret = 0;
+ goto end;
+ }
+
if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
{
fprintf(stderr, "This case cannot work. Use -f to perform "
EXIT(1);
}
+#ifdef OPENSSL_FIPS
+ if(fips_mode)
+ {
+ if(!FIPS_mode_set(1))
+ {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ EXIT(1);
+ }
+ else
+ fprintf(stderr,"*** IN FIPS MODE ***\n");
+ }
+#endif
+
if (print_time)
{
if (!bio_pair)
}
#endif
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
+/* At this point, ssl2/ssl3/tls1 is only set if the protocol is available.
+ * (Otherwise we exit early.)
+ * However the compiler doesn't know this, so we ifdef. */
+#ifndef OPENSSL_NO_SSL2
if (ssl2)
meth=SSLv2_method();
- else
- if (tls1)
- meth=TLSv1_method();
else
+#endif
+#ifndef OPENSSL_NO_SSL3
if (ssl3)
meth=SSLv3_method();
else
- meth=SSLv23_method();
-#else
-#ifdef OPENSSL_NO_SSL2
- meth=SSLv3_method();
-#else
- meth=SSLv2_method();
#endif
+#ifndef OPENSSL_NO_TLS1
+ if (tls1)
+ meth=TLSv1_method();
+ else
#endif
+ meth=SSLv23_method();
c_ctx=SSL_CTX_new(meth);
s_ctx=SSL_CTX_new(meth);
ERR_print_errors(bio_err);
goto end;
}
+ /* Since we will use low security ciphersuites and keys for
+ * testing set security level to zero.
+ */
+ SSL_CTX_set_security_level(c_ctx, 0);
+ SSL_CTX_set_security_level(s_ctx, 0);
if (cipher != NULL)
{
SSL_CTX_set_cipher_list(s_ctx,cipher);
}
+ /* Process SSL_CONF arguments */
+ SSL_CONF_CTX_set_ssl_ctx(c_cctx, c_ctx);
+ SSL_CONF_CTX_set_ssl_ctx(s_cctx, s_ctx);
+
+ for (i = 0; i < sk_OPENSSL_STRING_num(conf_args); i += 2)
+ {
+ int rv;
+ arg = sk_OPENSSL_STRING_value(conf_args, i);
+ argn = sk_OPENSSL_STRING_value(conf_args, i + 1);
+ rv = SSL_CONF_cmd(c_cctx, arg, argn);
+ /* If not recognised use server context */
+ if (rv == -2)
+ rv = SSL_CONF_cmd(s_cctx, arg, argn);
+ if (rv <= 0)
+ {
+ BIO_printf(bio_err, "Error processing %s %s\n",
+ arg, argn ? argn : "");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+
+ if (!SSL_CONF_CTX_finish(s_cctx) || !SSL_CONF_CTX_finish(c_cctx))
+ {
+ BIO_puts(bio_err, "Error finishing context\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
#ifndef OPENSSL_NO_DH
if (!no_dhe)
{
}
}
else
+#ifdef OPENSSL_NO_EC2M
+ nid = NID_X9_62_prime256v1;
+#else
nid = NID_sect163r2;
+#endif
ecdh = EC_KEY_new_by_curve_name(nid);
if (ecdh == NULL)
}
#endif
}
+#ifndef OPENSSL_NO_SRP
+ if (srp_client_arg.srplogin)
+ {
+ if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin))
+ {
+ BIO_printf(bio_err,"Unable to set SRP username\n");
+ goto end;
+ }
+ SSL_CTX_set_srp_cb_arg(c_ctx,&srp_client_arg);
+ SSL_CTX_set_srp_client_pwd_callback(c_ctx, ssl_give_srp_client_pwd_cb);
+ /*SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);*/
+ }
+
+ if (srp_server_arg.expected_user != NULL)
+ {
+ SSL_CTX_set_verify(s_ctx,SSL_VERIFY_NONE,verify_callback);
+ SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
+ SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
+ }
+#endif
+
+#ifndef OPENSSL_NO_NEXTPROTONEG
+ if (npn_client)
+ {
+ SSL_CTX_set_next_proto_select_cb(c_ctx, cb_client_npn, NULL);
+ }
+ if (npn_server)
+ {
+ if (npn_server_reject)
+ {
+ BIO_printf(bio_err, "Can't have both -npn_server and -npn_server_reject\n");
+ goto end;
+ }
+ SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_npn, NULL);
+ }
+ if (npn_server_reject)
+ {
+ SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_rejects_npn, NULL);
+ }
+#endif
+
+ if (serverinfo_sct)
+ SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE,
+ NULL, NULL, NULL,
+ serverinfo_cli_parse_cb, NULL);
+ if (serverinfo_tack)
+ SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE,
+ NULL, NULL, NULL,
+ serverinfo_cli_parse_cb, NULL);
+
+ if (serverinfo_file)
+ if (!SSL_CTX_use_serverinfo_file(s_ctx, serverinfo_file))
+ {
+ BIO_printf(bio_err, "missing serverinfo file\n");
+ goto end;
+ }
+
+ if (custom_ext)
+ {
+ SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0,
+ custom_ext_0_cli_add_cb,
+ NULL, NULL,
+ custom_ext_0_cli_parse_cb, NULL);
+ SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1,
+ custom_ext_1_cli_add_cb,
+ NULL, NULL,
+ custom_ext_1_cli_parse_cb, NULL);
+ SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2,
+ custom_ext_2_cli_add_cb,
+ NULL, NULL,
+ custom_ext_2_cli_parse_cb, NULL);
+ SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3,
+ custom_ext_3_cli_add_cb,
+ NULL, NULL,
+ custom_ext_3_cli_parse_cb, NULL);
+
+
+ SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0,
+ custom_ext_0_srv_add_cb,
+ NULL, NULL,
+ custom_ext_0_srv_parse_cb, NULL);
+ SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1,
+ custom_ext_1_srv_add_cb,
+ NULL, NULL,
+ custom_ext_1_srv_parse_cb, NULL);
+ SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2,
+ custom_ext_2_srv_add_cb,
+ NULL, NULL,
+ custom_ext_2_srv_parse_cb, NULL);
+ SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3,
+ custom_ext_3_srv_add_cb,
+ NULL, NULL,
+ custom_ext_3_srv_parse_cb, NULL);
+ }
+
+ if (alpn_server)
+ SSL_CTX_set_alpn_select_cb(s_ctx, cb_server_alpn, NULL);
+
+ if (alpn_client)
+ {
+ unsigned short alpn_len;
+ unsigned char *alpn = next_protos_parse(&alpn_len, alpn_client);
+
+ if (alpn == NULL)
+ {
+ BIO_printf(bio_err, "Error parsing -alpn_client argument\n");
+ goto end;
+ }
+ SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len);
+ OPENSSL_free(alpn);
+ }
c_ssl=SSL_new(c_ctx);
s_ssl=SSL_new(s_ctx);
if (s_ctx != NULL) SSL_CTX_free(s_ctx);
if (c_ctx != NULL) SSL_CTX_free(c_ctx);
+ if (s_cctx)
+ SSL_CONF_CTX_free(s_cctx);
+ if (c_cctx)
+ SSL_CONF_CTX_free(c_cctx);
+ sk_OPENSSL_STRING_free(conf_args);
+
if (bio_stdout != NULL) BIO_free(bio_stdout);
#ifndef OPENSSL_NO_RSA
if (verbose)
print_details(c_ssl, "DONE via BIO pair: ");
+#ifndef OPENSSL_NO_NEXTPROTONEG
+ if (verify_npn(c_ssl, s_ssl) < 0)
+ {
+ ret = 1;
+ goto end;
+ }
+#endif
+ if (verify_serverinfo() < 0)
+ {
+ fprintf(stderr, "Server info verify error\n");
+ ret = 1;
+ goto err;
+ }
+ if (verify_alpn(c_ssl, s_ssl) < 0)
+ {
+ ret = 1;
+ goto err;
+ }
+
+ if (custom_ext_error)
+ {
+ fprintf(stderr, "Custom extension error\n");
+ ret = 1;
+ goto err;
+ }
+
end:
ret = 0;
int doit(SSL *s_ssl, SSL *c_ssl, long count)
{
- MS_STATIC char cbuf[1024*8],sbuf[1024*8];
+ char *cbuf=NULL,*sbuf=NULL;
+ long bufsiz;
long cw_num=count,cr_num=count;
long sw_num=count,sr_num=count;
int ret=1;
BIO *c_bio=NULL;
BIO *s_bio=NULL;
int c_r,c_w,s_r,s_w;
- int c_want,s_want;
int i,j;
int done=0;
int c_write,s_write;
int do_server=0,do_client=0;
+ int max_frag = 5*1024;
- memset(cbuf,0,sizeof(cbuf));
- memset(sbuf,0,sizeof(sbuf));
+ bufsiz = count>40*1024 ? 40*1024 : count;
+
+ if ((cbuf = OPENSSL_malloc(bufsiz))==NULL) goto err;
+ if ((sbuf = OPENSSL_malloc(bufsiz))==NULL) goto err;
+
+ memset(cbuf,0,bufsiz);
+ memset(sbuf,0,bufsiz);
c_to_s=BIO_new(BIO_s_mem());
s_to_c=BIO_new(BIO_s_mem());
SSL_set_connect_state(c_ssl);
SSL_set_bio(c_ssl,s_to_c,c_to_s);
+ SSL_set_max_send_fragment(c_ssl,max_frag);
BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
SSL_set_accept_state(s_ssl);
SSL_set_bio(s_ssl,c_to_s,s_to_c);
+ SSL_set_max_send_fragment(s_ssl,max_frag);
BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
c_r=0; s_r=1;
c_w=1; s_w=0;
- c_want=W_WRITE;
- s_want=0;
c_write=1,s_write=0;
/* We can always do writes */
{
if (c_write)
{
- j = (cw_num > (long)sizeof(cbuf)) ?
- (int)sizeof(cbuf) : (int)cw_num;
+ j = (cw_num > bufsiz) ?
+ (int)bufsiz : (int)cw_num;
i=BIO_write(c_bio,cbuf,j);
if (i < 0)
{
s_r=1;
c_write=0;
cw_num-=i;
+ if (max_frag>1029)
+ SSL_set_max_send_fragment(c_ssl,max_frag-=5);
}
}
else
{
- i=BIO_read(c_bio,cbuf,sizeof(cbuf));
+ i=BIO_read(c_bio,cbuf,bufsiz);
if (i < 0)
{
c_r=0;
{
if (!s_write)
{
- i=BIO_read(s_bio,sbuf,sizeof(cbuf));
+ i=BIO_read(s_bio,sbuf,bufsiz);
if (i < 0)
{
s_r=0;
}
else
{
- j = (sw_num > (long)sizeof(sbuf)) ?
- (int)sizeof(sbuf) : (int)sw_num;
+ j = (sw_num > bufsiz) ?
+ (int)bufsiz : (int)sw_num;
i=BIO_write(s_bio,sbuf,j);
if (i < 0)
{
c_r=1;
if (sw_num <= 0)
done|=S_DONE;
+ if (max_frag>1029)
+ SSL_set_max_send_fragment(s_ssl,max_frag-=5);
}
}
}
if (verbose)
print_details(c_ssl, "DONE: ");
+#ifndef OPENSSL_NO_NEXTPROTONEG
+ if (verify_npn(c_ssl, s_ssl) < 0)
+ {
+ ret = 1;
+ goto err;
+ }
+#endif
+ if (verify_serverinfo() < 0)
+ {
+ fprintf(stderr, "Server info verify error\n");
+ ret = 1;
+ goto err;
+ }
+ if (custom_ext_error)
+ {
+ fprintf(stderr, "Custom extension error\n");
+ ret = 1;
+ goto err;
+ }
ret=0;
err:
/* We have to set the BIO's to NULL otherwise they will be
if (s_to_c != NULL) BIO_free(s_to_c);
if (c_bio != NULL) BIO_free_all(c_bio);
if (s_bio != NULL) BIO_free_all(s_bio);
+
+ if (cbuf) OPENSSL_free(cbuf);
+ if (sbuf) OPENSSL_free(sbuf);
+
return(ret);
}
}
#ifndef OPENSSL_NO_X509_VERIFY
-# ifdef OPENSSL_FIPS
- if(s->version == TLS1_VERSION)
- FIPS_allow_md5(1);
-# endif
ok = X509_verify_cert(ctx);
-# ifdef OPENSSL_FIPS
- if(s->version == TLS1_VERSION)
- FIPS_allow_md5(0);
-# endif
#endif
if (cb_arg->proxy_auth)
{
- if (ok)
+ if (ok > 0)
{
const char *cond_end = NULL;