/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
- * Licensed under the OpenSSL license (the "License"). You may not use
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
#ifndef OPENSSL_NO_DSA
# include <openssl/dsa.h>
#endif
-#ifndef OPENSSL_NO_DH
-# include <openssl/dh.h>
-#endif
#include <openssl/bn.h>
#ifndef OPENSSL_NO_CT
# include <openssl/ct.h>
#endif
+#include <openssl/provider.h>
+#include <openssl/core_names.h>
+#include <openssl/param_build.h>
/*
* Or gethostname won't be declared properly
#ifdef OPENSSL_SYS_WINDOWS
# include <winsock.h>
#else
-# include OPENSSL_UNISTD
+# include <unistd.h>
#endif
static SSL_CTX *s_ctx = NULL;
int app_verify;
};
-#ifndef OPENSSL_NO_DH
-static DH *get_dh512(void);
-static DH *get_dh1024(void);
-static DH *get_dh1024dsa(void);
-#endif
+static EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx);
+static EVP_PKEY *get_dh1024(OSSL_LIB_CTX *libctx);
+static EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx);
static char *psk_key = NULL; /* by default PSK is not used */
#ifndef OPENSSL_NO_PSK
fprintf(stderr, " -num <val> - number of connections to perform\n");
fprintf(stderr,
" -bytes <val> - number of bytes to swap between client/server\n");
-#ifndef OPENSSL_NO_DH
fprintf(stderr,
" -dhe512 - use 512 bit key for DHE (to test failure)\n");
fprintf(stderr,
fprintf(stderr,
" -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
fprintf(stderr, " -no_dhe - disable DHE\n");
-#endif
#ifndef OPENSSL_NO_EC
fprintf(stderr, " -no_ecdhe - disable ECDHE\nTODO(openssl-team): no_ecdhe was broken by auto ecdh. Make this work again.\n");
#endif
fprintf(stderr, " -client_sess_in <file> - Read the client session from a file\n");
fprintf(stderr, " -should_reuse <number> - The expected state of reusing the session\n");
fprintf(stderr, " -no_ticket - do not issue TLS session ticket\n");
+ fprintf(stderr, " -provider <name> - Load the given provider into the library context\n");
+ fprintf(stderr, " -config <cnf> - Load the given config file into the library context\n");
}
static void print_key_details(BIO *out, EVP_PKEY *key)
prefix,
SSL_get_version(c_ssl),
SSL_CIPHER_get_version(ciph), SSL_CIPHER_get_name(ciph));
- cert = SSL_get_peer_certificate(c_ssl);
+ cert = SSL_get0_peer_certificate(c_ssl);
if (cert != NULL) {
EVP_PKEY* pubkey = X509_get0_pubkey(cert);
BIO_puts(bio_stdout, ", ");
print_key_details(bio_stdout, pubkey);
}
- X509_free(cert);
}
- if (SSL_get_server_tmp_key(c_ssl, &pkey)) {
+ if (SSL_get_peer_tmp_key(c_ssl, &pkey)) {
BIO_puts(bio_stdout, ", temp key: ");
print_key_details(bio_stdout, pkey);
EVP_PKEY_free(pkey);
int server_auth = 0, i;
struct app_verify_arg app_verify_arg =
{ APP_CALLBACK_STRING, 0 };
- char *p;
SSL_CTX *c_ctx = NULL;
const SSL_METHOD *meth = NULL;
SSL *c_ssl, *s_ssl;
int should_reuse = -1;
int no_ticket = 0;
long bytes = 256L;
-#ifndef OPENSSL_NO_DH
- DH *dh;
+ EVP_PKEY *dhpkey;
int dhe512 = 0, dhe1024dsa = 0;
-#endif
+#ifndef OPENSSL_NO_DH
int no_dhe = 0;
+#else
+ int no_dhe = 1;
+#endif
int no_psk = 0;
int print_time = 0;
clock_t s_time = 0, c_time = 0;
SSL_CONF_CTX *s_cctx = NULL, *c_cctx = NULL, *s_cctx2 = NULL;
STACK_OF(OPENSSL_STRING) *conf_args = NULL;
char *arg = NULL, *argn = NULL;
+ const char *provider = NULL, *config = NULL;
+ OSSL_PROVIDER *thisprov = NULL, *defctxnull = NULL;
+ OSSL_LIB_CTX *libctx = NULL;
verbose = 0;
debug = 0;
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
-
- p = getenv("OPENSSL_DEBUG_MEMORY");
- if (p != NULL && strcmp(p, "on") == 0)
- CRYPTO_set_mem_debug(1);
- CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
-
bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE | BIO_FP_TEXT);
s_cctx = SSL_CONF_CTX_new();
else if (strcmp(*argv, "-reuse") == 0)
reuse = 1;
else if (strcmp(*argv, "-dhe512") == 0) {
-#ifndef OPENSSL_NO_DH
dhe512 = 1;
-#else
- fprintf(stderr,
- "ignoring -dhe512, since I'm compiled without DH\n");
-#endif
} else if (strcmp(*argv, "-dhe1024dsa") == 0) {
-#ifndef OPENSSL_NO_DH
dhe1024dsa = 1;
-#else
- fprintf(stderr,
- "ignoring -dhe1024dsa, since I'm compiled without DH\n");
-#endif
} else if (strcmp(*argv, "-no_dhe") == 0)
no_dhe = 1;
else if (strcmp(*argv, "-no_ecdhe") == 0)
should_reuse = !!atoi(*(++argv));
} else if (strcmp(*argv, "-no_ticket") == 0) {
no_ticket = 1;
+ } else if (strcmp(*argv, "-provider") == 0) {
+ if (--argc < 1)
+ goto bad;
+ provider = *(++argv);
+ } else if (strcmp(*argv, "-config") == 0) {
+ if (--argc < 1)
+ goto bad;
+ config = *(++argv);
} else {
int rv;
arg = argv[0];
min_version = TLS1_2_VERSION;
max_version = TLS1_2_VERSION;
} else {
- min_version = SSL3_VERSION;
- max_version = TLS_MAX_VERSION;
+ min_version = 0;
+ max_version = 0;
}
#endif
#ifndef OPENSSL_NO_DTLS
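Review bot: The bare `0` now assigned to `min_version` and `max_version` in the TLS else branch has no explanation, and the same assignment recurs in the DTLS else branch of the next hunk. In the libssl protocol-version setters, 0 means "no explicit bound", so the range becomes whatever the library build supports instead of the named `SSL3_VERSION`/`TLS_MAX_VERSION` limits. If these variables are later passed to those setters (not visible here), a comment such as `/* 0: no explicit bound, use the library's lowest/highest supported version */` would record that the widening is deliberate. The surrounding if/else chain starts outside the hunk.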
min_version = DTLS1_2_VERSION;
max_version = DTLS1_2_VERSION;
} else {
- min_version = DTLS_MIN_VERSION;
- max_version = DTLS_MAX_VERSION;
+ min_version = 0;
+ max_version = 0;
}
}
#endif
- c_ctx = SSL_CTX_new(meth);
- s_ctx = SSL_CTX_new(meth);
- s_ctx2 = SSL_CTX_new(meth); /* no SSL_CTX_dup! */
+ if (provider != NULL) {
+ defctxnull = OSSL_PROVIDER_load(NULL, "null");
+ if (defctxnull == NULL)
+ goto end;
+ libctx = OSSL_LIB_CTX_new();
+ if (libctx == NULL)
+ goto end;
+
+ if (config != NULL
+ && !OSSL_LIB_CTX_load_config(libctx, config))
+ goto end;
+
+ thisprov = OSSL_PROVIDER_load(libctx, provider);
+ if (thisprov == NULL)
+ goto end;
+ }
+
+ c_ctx = SSL_CTX_new_ex(libctx, NULL, meth);
+ s_ctx = SSL_CTX_new_ex(libctx, NULL, meth);
+ s_ctx2 = SSL_CTX_new_ex(libctx, NULL, meth); /* no SSL_CTX_dup! */
if ((c_ctx == NULL) || (s_ctx == NULL) || (s_ctx2 == NULL)) {
ERR_print_errors(bio_err);
goto end;
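Review bot: `-config` is honoured only inside `if (provider != NULL)`, so a config file passed without `-provider` is dropped silently, although the usage text lists the two options independently. Either reject that combination during option parsing, or build the library context when either is set, e.g. `if (provider != NULL || config != NULL) {` with the provider load guarded separately. The four `goto end` failure paths in this block also exit without printing the error queue, unlike the `SSL_CTX_new_ex` check just below. Adding `ERR_print_errors(bio_err);` before each jump would show why a provider or config file failed to load. The enclosing function starts and ends outside the hunk.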
goto end;
if (cipher != NULL) {
- if (!SSL_CTX_set_cipher_list(c_ctx, cipher)
- || !SSL_CTX_set_cipher_list(s_ctx, cipher)
- || !SSL_CTX_set_cipher_list(s_ctx2, cipher)) {
- ERR_print_errors(bio_err);
- goto end;
+ if (strcmp(cipher, "") == 0) {
+ if (!SSL_CTX_set_cipher_list(c_ctx, cipher)) {
+ if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_NO_CIPHER_MATCH) {
+ ERR_clear_error();
+ } else {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ } else {
+ /* Should have failed when clearing all TLSv1.2 ciphers. */
+ fprintf(stderr, "CLEARING ALL TLSv1.2 CIPHERS SHOULD FAIL\n");
+ goto end;
+ }
+
+ if (!SSL_CTX_set_cipher_list(s_ctx, cipher)) {
+ if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_NO_CIPHER_MATCH) {
+ ERR_clear_error();
+ } else {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ } else {
+ /* Should have failed when clearing all TLSv1.2 ciphers. */
+ fprintf(stderr, "CLEARING ALL TLSv1.2 CIPHERS SHOULD FAIL\n");
+ goto end;
+ }
+
+ if (!SSL_CTX_set_cipher_list(s_ctx2, cipher)) {
+ if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_NO_CIPHER_MATCH) {
+ ERR_clear_error();
+ } else {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ } else {
+ /* Should have failed when clearing all TLSv1.2 ciphers. */
+ fprintf(stderr, "CLEARING ALL TLSv1.2 CIPHERS SHOULD FAIL\n");
+ goto end;
+ }
+ } else {
+ if (!SSL_CTX_set_cipher_list(c_ctx, cipher)
+ || !SSL_CTX_set_cipher_list(s_ctx, cipher)
+ || !SSL_CTX_set_cipher_list(s_ctx2, cipher)) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
}
}
if (ciphersuites != NULL) {
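Review bot: The empty-cipher-list check is written out three times, for c_ctx, s_ctx and s_ctx2, and the copies differ only in the context passed, so a small static helper called once per context would keep them from drifting apart. The reason test reads `ERR_peek_error()`, which returns the oldest entry in the error queue. An unrelated stale entry would therefore make the expected SSL_R_NO_CIPHER_MATCH failure look like a real error, whereas `ERR_peek_last_error()` inspects the entry this call just queued. The helper below assumes `bio_err` is visible at file scope, which this page does not show. The enclosing function starts and ends outside the hunk.

```c
/*
 * Returns 1 only when setting the empty list failed with
 * SSL_R_NO_CIPHER_MATCH, which is the outcome the test expects.
 */
static int expect_no_cipher_match(SSL_CTX *ctx, const char *cipher)
{
    if (SSL_CTX_set_cipher_list(ctx, cipher)) {
        /* Should have failed when clearing all TLSv1.2 ciphers. */
        fprintf(stderr, "CLEARING ALL TLSv1.2 CIPHERS SHOULD FAIL\n");
        return 0;
    }
    if (ERR_GET_REASON(ERR_peek_last_error()) != SSL_R_NO_CIPHER_MATCH) {
        ERR_print_errors(bio_err);
        return 0;
    }
    ERR_clear_error();
    return 1;
}

/* ... unchanged: cipher != NULL check ... */
        if (strcmp(cipher, "") == 0) {
            if (!expect_no_cipher_match(c_ctx, cipher)
                    || !expect_no_cipher_match(s_ctx, cipher)
                    || !expect_no_cipher_match(s_ctx2, cipher))
                goto end;
        } else {
            /* ... unchanged: non-empty cipher list handling ... */
```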
ERR_print_errors(bio_err);
goto end;
}
-#ifndef OPENSSL_NO_DH
if (!no_dhe) {
if (dhe1024dsa) {
- dh = get_dh1024dsa();
+ dhpkey = get_dh1024dsa(libctx);
} else if (dhe512)
- dh = get_dh512();
+ dhpkey = get_dh512(libctx);
else
- dh = get_dh1024();
- SSL_CTX_set_tmp_dh(s_ctx, dh);
- SSL_CTX_set_tmp_dh(s_ctx2, dh);
- DH_free(dh);
- }
-#else
- (void)no_dhe;
-#endif
-
- if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
- (!SSL_CTX_load_verify_locations(s_ctx2, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(s_ctx2)) ||
- (!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(c_ctx))) {
+ dhpkey = get_dh1024(libctx);
+ if (dhpkey == NULL || !EVP_PKEY_up_ref(dhpkey)) {
+ EVP_PKEY_free(dhpkey);
+ BIO_puts(bio_err, "Error getting DH parameters\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ SSL_CTX_set0_tmp_dh_pkey(s_ctx, dhpkey);
+ SSL_CTX_set0_tmp_dh_pkey(s_ctx2, dhpkey);
+ }
+
+ if (!(SSL_CTX_load_verify_file(s_ctx, CAfile)
+ || SSL_CTX_load_verify_dir(s_ctx, CApath))
+ || !SSL_CTX_set_default_verify_paths(s_ctx)
+ || !(SSL_CTX_load_verify_file(s_ctx2, CAfile)
+ || SSL_CTX_load_verify_dir(s_ctx2, CApath))
+ || !SSL_CTX_set_default_verify_paths(s_ctx2)
+ || !(SSL_CTX_load_verify_file(c_ctx, CAfile)
+ || SSL_CTX_load_verify_dir(c_ctx, CApath))
+ || !SSL_CTX_set_default_verify_paths(c_ctx)) {
ERR_print_errors(bio_err);
}
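Review bot: Both `SSL_CTX_set0_tmp_dh_pkey()` calls discard their return value, so a key the library rejects goes unnoticed and the reference that call would have taken over is never released. Since `-dhe512` is documented as a failure test, rejection may well be an expected path, so free the reference rather than abort: `if (!SSL_CTX_set0_tmp_dh_pkey(s_ctx, dhpkey)) EVP_PKEY_free(dhpkey);`, and likewise for s_ctx2. Separately, `SSL_CTX_load_verify_file(...) || SSL_CTX_load_verify_dir(...)` short-circuits: once CAfile loads, CApath is never added, whereas the removed `SSL_CTX_load_verify_locations()` call took both. If both trust sources are meant to be consulted, the two calls need to be evaluated independently. The enclosing function starts and ends outside the hunk.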
SSL_SESSION_free(server_sess);
SSL_SESSION_free(client_sess);
-#ifndef OPENSSL_NO_CRYPTO_MDEBUG
- if (CRYPTO_mem_leaks(bio_err) <= 0)
- ret = EXIT_FAILURE;
-#endif
+ OSSL_PROVIDER_unload(defctxnull);
+ OSSL_PROVIDER_unload(thisprov);
+ OSSL_LIB_CTX_free(libctx);
+
BIO_free(bio_err);
EXIT(ret);
}
return ok;
}
-#ifndef OPENSSL_NO_DH
-/*-
- * These DH parameters have been generated as follows:
- * $ openssl dhparam -C -noout 512
- * $ openssl dhparam -C -noout 1024
- * $ openssl dhparam -C -noout -dsaparam 1024
- * (The third function has been renamed to avoid name conflicts.)
- */
-static DH *get_dh512(void)
+static EVP_PKEY *get_dh_from_pg(OSSL_LIB_CTX *libctx, unsigned char *pdata,
+ size_t plen, unsigned char *gdata, size_t glen)
+{
+ EVP_PKEY_CTX *pctx = EVP_PKEY_CTX_new_from_name(libctx, "DH", NULL);
+ OSSL_PARAM_BLD *tmpl = NULL;
+ OSSL_PARAM *params = NULL;
+ EVP_PKEY *dhpkey = NULL;
+ BIGNUM *p = NULL, *g = NULL;
+
+ if (pctx == NULL || !EVP_PKEY_key_fromdata_init(pctx))
+ goto err;
+
+ p = BN_bin2bn(pdata, plen, NULL);
+ g = BN_bin2bn(gdata, glen, NULL);
+ if (p == NULL || g == NULL)
+ goto err;
+
+ tmpl = OSSL_PARAM_BLD_new();
+ if (tmpl == NULL
+ || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_P, p)
+ || !OSSL_PARAM_BLD_push_BN(tmpl, OSSL_PKEY_PARAM_FFC_G, g))
+ goto err;
+
+ params = OSSL_PARAM_BLD_to_param(tmpl);
+ if (params == NULL || !EVP_PKEY_fromdata(pctx, &dhpkey, params))
+ goto err;
+
+ err:
+ BN_free(p);
+ BN_free(g);
+ EVP_PKEY_CTX_free(pctx);
+ OSSL_PARAM_BLD_free_params(params);
+ OSSL_PARAM_BLD_free(tmpl);
+ return dhpkey;
+}
+
+/* These DH parameters were generated using the dhparam command line app */
+static EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx)
{
static unsigned char dh512_p[] = {
0xCB, 0xC8, 0xE1, 0x86, 0xD0, 0x1F, 0x94, 0x17, 0xA6, 0x99, 0xF0,
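Review bot: `get_dh_from_pg` has no comment stating its contract, and its `err:` label is also the normal exit path, which reads as if every call fails. A header such as `/* Build a DH EVP_PKEY in libctx from raw big-endian p and g; returns NULL on failure, caller owns the result. */` and renaming the label to `end:` would make the success path explicit. `pdata` and `gdata` are only read by `BN_bin2bn`, so they could be declared `const unsigned char *`. The one-line comment above `get_dh512` could also say that these fixed 512- and 1024-bit groups exist only as test vectors.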
static unsigned char dh512_g[] = {
0x02,
};
- DH *dh;
- BIGNUM *p, *g;
- if ((dh = DH_new()) == NULL)
- return NULL;
- p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
- g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
- if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) {
- DH_free(dh);
- BN_free(p);
- BN_free(g);
- return NULL;
- }
- return dh;
+ return get_dh_from_pg(libctx, dh512_p, sizeof(dh512_p), dh512_g,
+ sizeof(dh512_g));
}
-static DH *get_dh1024(void)
+static EVP_PKEY *get_dh1024(OSSL_LIB_CTX *libctx)
{
static unsigned char dh1024_p[] = {
0xF8, 0x81, 0x89, 0x7D, 0x14, 0x24, 0xC5, 0xD1, 0xE6, 0xF7, 0xBF,
static unsigned char dh1024_g[] = {
0x02,
};
- DH *dh;
- BIGNUM *p, *g;
- if ((dh = DH_new()) == NULL)
- return NULL;
- p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
- g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
- if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) {
- DH_free(dh);
- BN_free(p);
- BN_free(g);
- return NULL;
- }
- return dh;
+ return get_dh_from_pg(libctx, dh1024_p, sizeof(dh1024_p), dh1024_g,
+ sizeof(dh1024_g));
}
-static DH *get_dh1024dsa(void)
+static EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx)
{
static unsigned char dh1024_p[] = {
0xC8, 0x00, 0xF7, 0x08, 0x07, 0x89, 0x4D, 0x90, 0x53, 0xF3, 0xD5,
0x60,
0x07, 0xE7, 0x68, 0x1A, 0x82, 0x5D, 0x32, 0xA2,
};
- DH *dh;
- BIGNUM *p, *g;
- if ((dh = DH_new()) == NULL)
- return NULL;
- p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
- g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
- if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) {
- DH_free(dh);
- BN_free(p);
- BN_free(g);
- return NULL;
- }
- DH_set_length(dh, 160);
- return dh;
+ return get_dh_from_pg(libctx, dh1024_p, sizeof(dh1024_p), dh1024_g,
+ sizeof(dh1024_g));
}
-#endif
#ifndef OPENSSL_NO_PSK
/* convert the PSK key (psk_key) in ascii to binary (psk) */
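Review bot: `get_dh1024dsa` no longer applies the 160-bit private-key length that the removed `DH_set_length(dh, 160)` set. It now differs from `get_dh1024` only in its p and g bytes, although the usage text still describes a 160-bit subprime. If that length matters to the test, `get_dh_from_pg` would need an optional length argument pushed into the template, e.g. `OSSL_PARAM_BLD_push_int(tmpl, OSSL_PKEY_PARAM_DH_PRIV_LEN, 160)`, provided the provider in use accepts that parameter on import. Otherwise a comment on this function saying the length hint was dropped on purpose would avoid confusion. The array initialisers are only partly visible in this hunk.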