return BUF_strdup((char *)srp_client_arg->srppassin);
}
-static char * MS_CALLBACK missing_srp_username_callback(SSL *s, void *arg)
- {
- SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
- return BUF_strdup(srp_client_arg->srplogin);
- }
-
/* SRP server */
/* This is a context that we pass to SRP server callbacks */
typedef struct srp_server_arg_st
{
fprintf(stderr,"usage: ssltest [args ...]\n");
fprintf(stderr,"\n");
+#ifdef OPENSSL_FIPS
+ fprintf(stderr,"-F - run test in FIPS mode\n");
+#endif
fprintf(stderr," -server_auth - check server certificate\n");
fprintf(stderr," -client_auth - do client authentication\n");
fprintf(stderr," -proxy - allow proxy certificates\n");
" (default is sect163r2).\n");
#endif
fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
+#ifndef OPENSSL_NO_TLSEXT
+ fprintf(stderr," -server_authz arg - binary authz file for certificate\n");
+ fprintf(stderr," -c_support_proof - indicate client support for server_authz audit proofs\n");
+ fprintf(stderr," -c_require_proof - fail if no audit proof is sent\n");
+#endif
}
static void print_details(SSL *c_ssl, const char *prefix)
}
#endif
+#ifndef OPENSSL_NO_TLSEXT
+struct audit_proof_cb_arg_st
+ {
+ unsigned char *expected_proof;
+ size_t expected_proof_length;
+ int require;
+ };
+
+struct audit_proof_cb_arg_st c_expected = { NULL, 0, 0 };
+
+static int audit_proof_cb(SSL *s, void *arg)
+ {
+ const unsigned char *proof;
+ size_t proof_len;
+ SSL_SESSION *sess = SSL_get_session(s);
+ struct audit_proof_cb_arg_st *cb_arg = (struct audit_proof_cb_arg_st*)arg;
+
+ proof = SSL_SESSION_get_tlsext_authz_server_audit_proof(sess,
+ &proof_len);
+ if (proof != NULL)
+ {
+ if (proof_len == cb_arg->expected_proof_length &&
+ cb_arg->expected_proof != NULL &&
+ memcmp(proof, cb_arg->expected_proof, proof_len) == 0)
+ {
+ BIO_printf(bio_stdout, "Audit proof OK (%lu bytes).\n",
+ (long)proof_len);
+ return 1;
+ }
+ else
+ {
+ BIO_printf(bio_stdout, "Audit proof mismatch.\n");
+ /* Cause handshake failure. */
+ return 0;
+ }
+ }
+
+ else /* proof == NULL */
+ {
+ BIO_printf(bio_stdout, "No audit proof found.\n");
+ if (cb_arg->require)
+ {
+ /* Cause handshake failure. */
+ return 0;
+ }
+ return 1;
+ }
+ }
+#endif
+
int main(int argc, char *argv[])
{
char *CApath=NULL,*CAfile=NULL;
#endif
#ifndef OPENSSL_NO_SRP
/* client */
- int srp_lateuser = 0;
SRP_CLIENT_ARG srp_client_arg = {NULL,NULL};
/* server */
SRP_SERVER_ARG srp_server_arg = {NULL,NULL};
int no_psk = 0;
int print_time = 0;
clock_t s_time = 0, c_time = 0;
- int comp = 0;
#ifndef OPENSSL_NO_COMP
+ int comp = 0;
COMP_METHOD *cm = NULL;
-#endif
STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
+#endif
int test_cipherlist = 0;
+#ifdef OPENSSL_FIPS
+ int fips_mode=0;
+#endif
+#ifndef OPENSSL_NO_TLSEXT
+ char *s_authz_file = NULL;
+ int c_support_proof = 0;
+ int c_require_proof = 0;
+#endif
verbose = 0;
debug = 0;
while (argc >= 1)
{
- if (strcmp(*argv,"-server_auth") == 0)
+ if(!strcmp(*argv,"-F"))
+ {
+#ifdef OPENSSL_FIPS
+ fips_mode=1;
+#else
+ fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
+ EXIT(0);
+#endif
+ }
+ else if (strcmp(*argv,"-server_auth") == 0)
server_auth=1;
else if (strcmp(*argv,"-client_auth") == 0)
client_auth=1;
{
print_time = 1;
}
+#ifndef OPENSSL_NO_COMP
else if (strcmp(*argv,"-zlib") == 0)
{
comp = COMP_ZLIB;
{
comp = COMP_RLE;
}
+#endif
else if (strcmp(*argv,"-named_curve") == 0)
{
if (--argc < 1) goto bad;
{
test_cipherlist = 1;
}
+#ifndef OPENSSL_NO_TLSEXT
+ else if(strcmp(*argv,"-server_authz") == 0)
+ {
+ if (--argc < 1) goto bad;
+ s_authz_file = *(++argv);
+ tls1 = 1;
+ }
+ else if (strcmp(*argv,"-c_support_proof") == 0)
+ {
+ c_support_proof = 1;
+ tls1 = 1;
+ }
+ else if (strcmp(*argv,"-c_require_proof") == 0)
+ {
+ c_require_proof = 1;
+ tls1 = 1;
+ }
+#endif
else
{
fprintf(stderr,"unknown option %s\n",*argv);
"to avoid protocol mismatch.\n");
EXIT(1);
}
+ if (c_require_proof && s_authz_file == NULL && !force)
+ {
+ fprintf(stderr, "This case cannot work. -c_require_proof "
+ "requires an audit proof, but none was supplied. "
+ "Use -f to perform the test anyway (and\n-d to see "
+ "what happens), or use -server_authz to supply an "
+ "audit proof.\n");
+ EXIT(1);
+ }
+
+#ifdef OPENSSL_FIPS
+ if(fips_mode)
+ {
+ if(!FIPS_mode_set(1))
+ {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ EXIT(1);
+ }
+ else
+ fprintf(stderr,"*** IN FIPS MODE ***\n");
+ }
+#endif
if (print_time)
{
meth=SSLv23_method();
#else
#ifdef OPENSSL_NO_SSL2
- meth=SSLv3_method();
+ if (tls1)
+ meth=TLSv1_method();
+ else
+ if (ssl3)
+ meth=SSLv3_method();
+ else
+ meth=SSLv23_method();
#else
meth=SSLv2_method();
#endif
}
}
else
+#ifdef OPENSSL_NO_EC2M
+ nid = NID_X9_62_prime256v1;
+#else
nid = NID_sect163r2;
+#endif
ecdh = EC_KEY_new_by_curve_name(nid);
if (ecdh == NULL)
#ifndef OPENSSL_NO_SRP
if (srp_client_arg.srplogin)
{
- if (srp_lateuser)
- SSL_CTX_set_srp_missing_srp_username_callback(c_ctx,missing_srp_username_callback);
- else if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin))
+ if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin))
{
BIO_printf(bio_err,"Unable to set SRP username\n");
goto end;
SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
}
#endif
+#ifndef OPENSSL_NO_TLSEXT
+ if (s_authz_file != NULL)
+ {
+ if(!SSL_CTX_use_authz_file(s_ctx, s_authz_file))
+ {
+ BIO_printf(bio_err, "Unable to set authz data\n");
+ goto end;
+ }
+ }
+ if (c_support_proof || c_require_proof)
+ {
+ size_t proof_length;
+ const unsigned char *proof = SSL_CTX_get_authz_data(s_ctx,
+ TLSEXT_AUTHZDATAFORMAT_audit_proof, &proof_length);
+ if (proof != NULL)
+ {
+ /* Store a local copy. */
+ c_expected.expected_proof = OPENSSL_malloc(proof_length);
+ c_expected.expected_proof_length = proof_length;
+ memcpy(c_expected.expected_proof, proof, proof_length);
+ }
+ c_expected.require = c_require_proof;
+ SSL_CTX_set_tlsext_authz_server_audit_proof_cb(c_ctx,
+ audit_proof_cb);
+ SSL_CTX_set_tlsext_authz_server_audit_proof_cb_arg(c_ctx,
+ &c_expected);
+ }
+#endif
c_ssl=SSL_new(c_ctx);
s_ssl=SSL_new(s_ctx);
#endif
#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();
+#endif
+#ifndef OPENSSL_NO_TLSEXT
+ if (c_expected.expected_proof != NULL)
+ OPENSSL_free(c_expected.expected_proof);
#endif
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
projects / openssl.git / blobdiff