#define USE_SOCKETS
#include "e_os.h"
+#ifdef OPENSSL_SYS_VMS
#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
VMS (at least with DECompHP C). */
+#endif
+
#include <ctype.h>
#include <openssl/bio.h>
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#endif
+#ifndef OPENSSL_NO_SRP
+#include <openssl/srp.h>
+#endif
#include <openssl/bn.h>
#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
unsigned int max_psk_len);
#endif
+#ifndef OPENSSL_NO_SRP
+/* SRP client */
+/* This is a context that we pass to all callbacks */
+typedef struct srp_client_arg_st
+ {
+ char *srppassin;
+ char *srplogin;
+ } SRP_CLIENT_ARG;
+
+#define PWD_STRLEN 1024
+
+static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
+ {
+ SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
+ return BUF_strdup((char *)srp_client_arg->srppassin);
+ }
+
+/* SRP server */
+/* This is a context that we pass to SRP server callbacks */
+typedef struct srp_server_arg_st
+ {
+ char *expected_user;
+ char *pass;
+ } SRP_SERVER_ARG;
+
+static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
+ {
+ SRP_SERVER_ARG * p = (SRP_SERVER_ARG *) arg;
+
+ if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0)
+ {
+ fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s));
+ return SSL3_AL_FATAL;
+ }
+ if (SSL_set_srp_server_param_pw(s,p->expected_user,p->pass,"1024")<0)
+ {
+ *ad = SSL_AD_INTERNAL_ERROR;
+ return SSL3_AL_FATAL;
+ }
+ return SSL_ERROR_NONE;
+ }
+#endif
+
static BIO *bio_err=NULL;
static BIO *bio_stdout=NULL;
{
fprintf(stderr,"usage: ssltest [args ...]\n");
fprintf(stderr,"\n");
+#ifdef OPENSSL_FIPS
+ fprintf(stderr,"-F - run test in FIPS mode\n");
+#endif
fprintf(stderr," -server_auth - check server certificate\n");
fprintf(stderr," -client_auth - do client authentication\n");
fprintf(stderr," -proxy - allow proxy certificates\n");
#ifndef OPENSSL_NO_PSK
fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");
#endif
+#ifndef OPENSSL_NO_SRP
+ fprintf(stderr," -srpuser user - SRP username to use\n");
+ fprintf(stderr," -srppass arg - password for 'user'\n");
+#endif
#ifndef OPENSSL_NO_SSL2
fprintf(stderr," -ssl2 - use SSLv2\n");
#endif
" (default is sect163r2).\n");
#endif
fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
+#ifndef OPENSSL_NO_TLSEXT
+ fprintf(stderr," -server_authz arg - binary authz file for certificate\n");
+ fprintf(stderr," -c_support_proof - indicate client support for server_authz audit proofs\n");
+ fprintf(stderr," -c_require_proof - fail if no audit proof is sent\n");
+#endif
}
static void print_details(SSL *c_ssl, const char *prefix)
}
#endif
+#ifndef OPENSSL_NO_TLSEXT
+struct audit_proof_cb_arg_st
+ {
+ unsigned char *expected_proof;
+ size_t expected_proof_length;
+ int require;
+ };
+
+struct audit_proof_cb_arg_st c_expected = { NULL, 0, 0 };
+
+static int audit_proof_cb(SSL *s, void *arg)
+ {
+ const unsigned char *proof;
+ size_t proof_len;
+ SSL_SESSION *sess = SSL_get_session(s);
+ struct audit_proof_cb_arg_st *cb_arg = (struct audit_proof_cb_arg_st*)arg;
+
+ proof = SSL_SESSION_get_tlsext_authz_server_audit_proof(sess,
+ &proof_len);
+ if (proof != NULL)
+ {
+ if (proof_len == cb_arg->expected_proof_length &&
+ cb_arg->expected_proof != NULL &&
+ memcmp(proof, cb_arg->expected_proof, proof_len) == 0)
+ {
+ BIO_printf(bio_stdout, "Audit proof OK (%lu bytes).\n",
+ (long)proof_len);
+ return 1;
+ }
+ else
+ {
+ BIO_printf(bio_stdout, "Audit proof mismatch.\n");
+ /* Cause handshake failure. */
+ return 0;
+ }
+ }
+
+ else /* proof == NULL */
+ {
+ BIO_printf(bio_stdout, "No audit proof found.\n");
+ if (cb_arg->require)
+ {
+ /* Cause handshake failure. */
+ return 0;
+ }
+ return 1;
+ }
+ }
+#endif
+
int main(int argc, char *argv[])
{
char *CApath=NULL,*CAfile=NULL;
#endif
#ifndef OPENSSL_NO_ECDH
EC_KEY *ecdh = NULL;
+#endif
+#ifndef OPENSSL_NO_SRP
+ /* client */
+ SRP_CLIENT_ARG srp_client_arg = {NULL,NULL};
+ /* server */
+ SRP_SERVER_ARG srp_server_arg = {NULL,NULL};
#endif
int no_dhe = 0;
int no_ecdhe = 0;
int no_psk = 0;
int print_time = 0;
clock_t s_time = 0, c_time = 0;
- int comp = 0;
#ifndef OPENSSL_NO_COMP
+ int comp = 0;
COMP_METHOD *cm = NULL;
-#endif
STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
+#endif
int test_cipherlist = 0;
+#ifdef OPENSSL_FIPS
+ int fips_mode=0;
+#endif
+#ifndef OPENSSL_NO_TLSEXT
+ char *s_authz_file = NULL;
+ int c_support_proof = 0;
+ int c_require_proof = 0;
+#endif
verbose = 0;
debug = 0;
while (argc >= 1)
{
- if (strcmp(*argv,"-server_auth") == 0)
+ if(!strcmp(*argv,"-F"))
+ {
+#ifdef OPENSSL_FIPS
+ fips_mode=1;
+#else
+ fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
+ EXIT(0);
+#endif
+ }
+ else if (strcmp(*argv,"-server_auth") == 0)
server_auth=1;
else if (strcmp(*argv,"-client_auth") == 0)
client_auth=1;
no_psk=1;
#endif
}
+#ifndef OPENSSL_NO_SRP
+ else if (strcmp(*argv,"-srpuser") == 0)
+ {
+ if (--argc < 1) goto bad;
+ srp_server_arg.expected_user = srp_client_arg.srplogin= *(++argv);
+ tls1=1;
+ }
+ else if (strcmp(*argv,"-srppass") == 0)
+ {
+ if (--argc < 1) goto bad;
+ srp_server_arg.pass = srp_client_arg.srppassin= *(++argv);
+ tls1=1;
+ }
+#endif
else if (strcmp(*argv,"-ssl2") == 0)
ssl2=1;
else if (strcmp(*argv,"-tls1") == 0)
{
print_time = 1;
}
+#ifndef OPENSSL_NO_COMP
else if (strcmp(*argv,"-zlib") == 0)
{
comp = COMP_ZLIB;
{
comp = COMP_RLE;
}
+#endif
else if (strcmp(*argv,"-named_curve") == 0)
{
if (--argc < 1) goto bad;
{
test_cipherlist = 1;
}
+#ifndef OPENSSL_NO_TLSEXT
+ else if(strcmp(*argv,"-server_authz") == 0)
+ {
+ if (--argc < 1) goto bad;
+ s_authz_file = *(++argv);
+ tls1 = 1;
+ }
+ else if (strcmp(*argv,"-c_support_proof") == 0)
+ {
+ c_support_proof = 1;
+ tls1 = 1;
+ }
+ else if (strcmp(*argv,"-c_require_proof") == 0)
+ {
+ c_require_proof = 1;
+ tls1 = 1;
+ }
+#endif
else
{
fprintf(stderr,"unknown option %s\n",*argv);
"to avoid protocol mismatch.\n");
EXIT(1);
}
+ if (c_require_proof && s_authz_file == NULL && !force)
+ {
+ fprintf(stderr, "This case cannot work. -c_require_proof "
+ "requires an audit proof, but none was supplied. "
+ "Use -f to perform the test anyway (and\n-d to see "
+ "what happens), or use -server_authz to supply an "
+ "audit proof.\n");
+ EXIT(1);
+ }
+
+#ifdef OPENSSL_FIPS
+ if(fips_mode)
+ {
+ if(!FIPS_mode_set(1))
+ {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ EXIT(1);
+ }
+ else
+ fprintf(stderr,"*** IN FIPS MODE ***\n");
+ }
+#endif
if (print_time)
{
meth=SSLv23_method();
#else
#ifdef OPENSSL_NO_SSL2
- meth=SSLv3_method();
+ if (tls1)
+ meth=TLSv1_method();
+ else
+ if (ssl3)
+ meth=SSLv3_method();
+ else
+ meth=SSLv23_method();
#else
meth=SSLv2_method();
#endif
}
}
else
+#ifdef OPENSSL_NO_EC2M
+ nid = NID_X9_62_prime256v1;
+#else
nid = NID_sect163r2;
+#endif
ecdh = EC_KEY_new_by_curve_name(nid);
if (ecdh == NULL)
}
#endif
}
+#ifndef OPENSSL_NO_SRP
+ if (srp_client_arg.srplogin)
+ {
+ if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin))
+ {
+ BIO_printf(bio_err,"Unable to set SRP username\n");
+ goto end;
+ }
+ SSL_CTX_set_srp_cb_arg(c_ctx,&srp_client_arg);
+ SSL_CTX_set_srp_client_pwd_callback(c_ctx, ssl_give_srp_client_pwd_cb);
+ /*SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);*/
+ }
+
+ if (srp_server_arg.expected_user != NULL)
+ {
+ SSL_CTX_set_verify(s_ctx,SSL_VERIFY_NONE,verify_callback);
+ SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
+ SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
+ }
+#endif
+#ifndef OPENSSL_NO_TLSEXT
+ if (s_authz_file != NULL)
+ {
+ if(!SSL_CTX_use_authz_file(s_ctx, s_authz_file))
+ {
+ BIO_printf(bio_err, "Unable to set authz data\n");
+ goto end;
+ }
+ }
+ if (c_support_proof || c_require_proof)
+ {
+ size_t proof_length;
+ const unsigned char *proof = SSL_CTX_get_authz_data(s_ctx,
+ TLSEXT_AUTHZDATAFORMAT_audit_proof, &proof_length);
+ if (proof != NULL)
+ {
+ /* Store a local copy. */
+ c_expected.expected_proof = OPENSSL_malloc(proof_length);
+ c_expected.expected_proof_length = proof_length;
+ memcpy(c_expected.expected_proof, proof, proof_length);
+ }
+ c_expected.require = c_require_proof;
+ SSL_CTX_set_tlsext_authz_server_audit_proof_cb(c_ctx,
+ audit_proof_cb);
+ SSL_CTX_set_tlsext_authz_server_audit_proof_cb_arg(c_ctx,
+ &c_expected);
+ }
+#endif
c_ssl=SSL_new(c_ctx);
s_ssl=SSL_new(s_ctx);
#endif
#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();
+#endif
+#ifndef OPENSSL_NO_TLSEXT
+ if (c_expected.expected_proof != NULL)
+ OPENSSL_free(c_expected.expected_proof);
#endif
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
BIO *c_bio=NULL;
BIO *s_bio=NULL;
int c_r,c_w,s_r,s_w;
- int c_want,s_want;
int i,j;
int done=0;
int c_write,s_write;
c_r=0; s_r=1;
c_w=1; s_w=0;
- c_want=W_WRITE;
- s_want=0;
c_write=1,s_write=0;
/* We can always do writes */
}
#ifndef OPENSSL_NO_X509_VERIFY
-# ifdef OPENSSL_FIPS
- if(s->version == TLS1_VERSION)
- FIPS_allow_md5(1);
-# endif
ok = X509_verify_cert(ctx);
-# ifdef OPENSSL_FIPS
- if(s->version == TLS1_VERSION)
- FIPS_allow_md5(0);
-# endif
#endif
if (cb_arg->proxy_auth)