X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=test%2Fssltest_old.c;h=349d30a325a992e152de38b55aabaf52b39c44e2;hp=e3f8d774cb9d60484a98c92883996bab111f4dbe;hb=4bed94f0c11ef63587c6b2edb03c3c438e221604;hpb=43341433a88a6a2cd38c35359f48653e809b10cd diff --git a/test/ssltest_old.c b/test/ssltest_old.c index e3f8d774cb..349d30a325 100644 --- a/test/ssltest_old.c +++ b/test/ssltest_old.c @@ -1,147 +1,23 @@ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * ECC cipher suite support in OpenSSL originally developed by - * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. - */ -/* ==================================================================== +/* + * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * - * The portions of the attached software ("Contribution") is developed by - * Nokia Corporation and is licensed pursuant to the OpenSSL open source - * license. - * - * The Contribution, originally written by Mika Kousa and Pasi Eronen of - * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites - * support (see RFC 4279) to OpenSSL. - * - * No patent licenses or other rights except those expressly stated in - * the OpenSSL open source license shall be deemed granted or received - * expressly, by implication, estoppel, or otherwise. - * - * No assurances are provided by Nokia that the Contribution does not - * infringe the patent or other intellectual property rights of any third - * party or that the license provides you with all the necessary rights - * to make use of the Contribution. - * - * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN - * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA - * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY - * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR - * OTHERWISE. + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html */ +#include "e_os.h" + /* Or gethostname won't be declared properly on Linux and GNU platforms. */ -#define _BSD_SOURCE 1 -#define _DEFAULT_SOURCE 1 +#ifndef _BSD_SOURCE +# define _BSD_SOURCE 1 +#endif +#ifndef _DEFAULT_SOURCE +# define _DEFAULT_SOURCE 1 +#endif #include #include @@ -151,8 +27,7 @@ #include #include -#define USE_SOCKETS -#include "e_os.h" +#include "internal/nelem.h" #ifdef OPENSSL_SYS_VMS /* @@ -169,9 +44,6 @@ #include #include #include -#ifndef OPENSSL_NO_ENGINE -# include -#endif #include #include #ifndef OPENSSL_NO_RSA @@ -183,17 +55,11 @@ #ifndef OPENSSL_NO_DH # include #endif -#ifndef OPENSSL_NO_SRP -# include -#endif #include #ifndef OPENSSL_NO_CT # include #endif -#include "internal/threads.h" -#include "../ssl/ssl_locl.h" - /* * Or gethostname won't be declared properly * on Compaq platforms (at least with DEC C). @@ -223,9 +89,6 @@ static int app_verify_callback(X509_STORE_CTX *ctx, void *arg); struct app_verify_arg { char *string; int app_verify; - int allow_proxy_certs; - char *proxy_auth; - char *proxy_cond; }; #ifndef OPENSSL_NO_DH @@ -246,45 +109,6 @@ static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned int max_psk_len); #endif -#ifndef OPENSSL_NO_SRP -/* SRP client */ -/* This is a context that we pass to all callbacks */ -typedef struct srp_client_arg_st { - char *srppassin; - char *srplogin; -} SRP_CLIENT_ARG; - -# define PWD_STRLEN 1024 - -static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg) -{ - SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg; - return OPENSSL_strdup((char *)srp_client_arg->srppassin); -} - -/* SRP server */ -/* This is a context that we pass to SRP server callbacks */ -typedef struct srp_server_arg_st { - char *expected_user; - char *pass; -} SRP_SERVER_ARG; - -static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg) -{ - SRP_SERVER_ARG *p = (SRP_SERVER_ARG *)arg; - - if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0) { - fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s)); - return SSL3_AL_FATAL; - } - if (SSL_set_srp_server_param_pw(s, p->expected_user, p->pass, "1024") < 0) { - *ad = SSL_AD_INTERNAL_ERROR; - return SSL3_AL_FATAL; - } - return SSL_ERROR_NONE; -} -#endif - static BIO *bio_err = NULL; static BIO *bio_stdout = NULL; @@ -432,7 +256,6 @@ static int verify_servername(SSL *client, SSL *server) * next_protos_parse parses a comma separated list of strings into a string * in a format suitable for passing to SSL_CTX_set_next_protos_advertised. * outlen: (output) set to the length of the resulting buffer on success. - * err: (maybe NULL) on failure, an error message line is written to this BIO. * in: a NUL terminated string like "abc,def,ghi" * * returns: a malloced buffer or NULL on failure. @@ -458,7 +281,7 @@ static unsigned char *next_protos_parse(size_t *outlen, OPENSSL_free(out); return NULL; } - out[start] = i - start; + out[start] = (unsigned char)(i - start); start = i + 1; } else out[i + 1] = in[i]; @@ -791,29 +614,19 @@ static int custom_ext_3_srv_add_cb(SSL *s, unsigned int ext_type, static char *cipher = NULL; static int verbose = 0; static int debug = 0; -static const char rnd_seed[] = - "string to make the random number generator think it has entropy"; int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family, long bytes, clock_t *s_time, clock_t *c_time); int doit_biopair(SSL *s_ssl, SSL *c_ssl, long bytes, clock_t *s_time, clock_t *c_time); int doit(SSL *s_ssl, SSL *c_ssl, long bytes); -static int do_test_cipherlist(void); static void sv_usage(void) { fprintf(stderr, "usage: ssltest [args ...]\n"); fprintf(stderr, "\n"); -#ifdef OPENSSL_FIPS - fprintf(stderr, "-F - run test in FIPS mode\n"); -#endif fprintf(stderr, " -server_auth - check server certificate\n"); fprintf(stderr, " -client_auth - do client authentication\n"); - fprintf(stderr, " -proxy - allow proxy certificates\n"); - fprintf(stderr, " -proxy_auth - set proxy policy rights\n"); - fprintf(stderr, - " -proxy_cond - expression to test proxy policy rights\n"); fprintf(stderr, " -v - more output\n"); fprintf(stderr, " -d - debug output\n"); fprintf(stderr, " -reuse - use session-id reuse\n"); @@ -835,10 +648,6 @@ static void sv_usage(void) #ifndef OPENSSL_NO_PSK fprintf(stderr, " -psk arg - PSK in hex (without 0x)\n"); #endif -#ifndef OPENSSL_NO_SRP - fprintf(stderr, " -srpuser user - SRP username to use\n"); - fprintf(stderr, " -srppass arg - password for 'user'\n"); -#endif #ifndef OPENSSL_NO_SSL3 fprintf(stderr, " -ssl3 - use SSLv3\n"); #endif @@ -870,10 +679,6 @@ static void sv_usage(void) fprintf(stderr, " -time - measure processor time used by client and server\n"); fprintf(stderr, " -zlib - use zlib compression\n"); - fprintf(stderr, - " -test_cipherlist - Verifies the order of the ssl cipher lists.\n" - " When this option is requested, the cipherlist\n" - " tests are run instead of handshake tests.\n"); #ifndef OPENSSL_NO_NEXTPROTONEG fprintf(stderr, " -npn_client - have client side offer NPN\n"); fprintf(stderr, " -npn_server - have server side offer NPN\n"); @@ -964,11 +769,11 @@ static void print_details(SSL *c_ssl, const char *prefix) SSL_CIPHER_get_version(ciph), SSL_CIPHER_get_name(ciph)); cert = SSL_get_peer_certificate(c_ssl); if (cert != NULL) { - pkey = X509_get_pubkey(cert); - if (pkey != NULL) { + EVP_PKEY* pubkey = X509_get0_pubkey(cert); + + if (pubkey != NULL) { BIO_puts(bio_stdout, ", "); - print_key_details(bio_stdout, pkey); - EVP_PKEY_free(pkey); + print_key_details(bio_stdout, pubkey); } X509_free(cert); } @@ -998,6 +803,7 @@ static int protocol_from_string(const char *value) {"tls1", TLS1_VERSION}, {"tls1.1", TLS1_1_VERSION}, {"tls1.2", TLS1_2_VERSION}, + {"tls1.3", TLS1_3_VERSION}, {"dtls1", DTLS1_VERSION}, {"dtls1.2", DTLS1_2_VERSION}}; size_t i; @@ -1066,15 +872,16 @@ static int set_protocol_version(const char *version, SSL *ssl, int setting) int main(int argc, char *argv[]) { - char *CApath = NULL, *CAfile = NULL; + const char *CApath = NULL, *CAfile = NULL; int badop = 0; enum { BIO_MEM, BIO_PAIR, BIO_IPV4, BIO_IPV6 } bio_type = BIO_MEM; int force = 0; - int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, ssl3 = 0, ret = 1; + int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, tls1_2 = 0, ssl3 = 0; + int ret = EXIT_FAILURE; int client_auth = 0; int server_auth = 0, i; struct app_verify_arg app_verify_arg = - { APP_CALLBACK_STRING, 0, 0, NULL, NULL }; + { APP_CALLBACK_STRING, 0 }; char *p; SSL_CTX *c_ctx = NULL; const SSL_METHOD *meth = NULL; @@ -1086,12 +893,6 @@ int main(int argc, char *argv[]) #ifndef OPENSSL_NO_DH DH *dh; int dhe512 = 0, dhe1024dsa = 0; -#endif -#ifndef OPENSSL_NO_SRP - /* client */ - SRP_CLIENT_ARG srp_client_arg = { NULL, NULL }; - /* server */ - SRP_SERVER_ARG srp_server_arg = { NULL, NULL }; #endif int no_dhe = 0; int no_psk = 0; @@ -1101,10 +902,6 @@ int main(int argc, char *argv[]) int n, comp = 0; COMP_METHOD *cm = NULL; STACK_OF(SSL_COMP) *ssl_comp_methods = NULL; -#endif - int test_cipherlist = 0; -#ifdef OPENSSL_FIPS - int fips_mode = 0; #endif int no_protocol; int min_version = 0, max_version = 0; @@ -1130,8 +927,6 @@ int main(int argc, char *argv[]) CRYPTO_set_mem_debug(1); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); - RAND_seed(rnd_seed, sizeof rnd_seed); - bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE | BIO_FP_TEXT); s_cctx = SSL_CONF_CTX_new(); @@ -1174,26 +969,14 @@ int main(int argc, char *argv[]) while (argc >= 1) { if (strcmp(*argv, "-F") == 0) { -#ifdef OPENSSL_FIPS - fips_mode = 1; -#else fprintf(stderr, "not compiled with FIPS support, so exiting without running.\n"); EXIT(0); -#endif } else if (strcmp(*argv, "-server_auth") == 0) server_auth = 1; else if (strcmp(*argv, "-client_auth") == 0) client_auth = 1; - else if (strcmp(*argv, "-proxy_auth") == 0) { - if (--argc < 1) - goto bad; - app_verify_arg.proxy_auth = *(++argv); - } else if (strcmp(*argv, "-proxy_cond") == 0) { - if (--argc < 1) - goto bad; - app_verify_arg.proxy_cond = *(++argv); - } else if (strcmp(*argv, "-v") == 0) + else if (strcmp(*argv, "-v") == 0) verbose = 1; else if (strcmp(*argv, "-d") == 0) debug = 1; @@ -1230,21 +1013,9 @@ int main(int argc, char *argv[]) no_psk = 1; #endif } -#ifndef OPENSSL_NO_SRP - else if (strcmp(*argv, "-srpuser") == 0) { - if (--argc < 1) - goto bad; - srp_server_arg.expected_user = srp_client_arg.srplogin = - *(++argv); - min_version = TLS1_VERSION; - } else if (strcmp(*argv, "-srppass") == 0) { - if (--argc < 1) - goto bad; - srp_server_arg.pass = srp_client_arg.srppassin = *(++argv); - min_version = TLS1_VERSION; - } -#endif - else if (strcmp(*argv, "-tls1") == 0) { + else if (strcmp(*argv, "-tls1_2") == 0) { + tls1_2 = 1; + } else if (strcmp(*argv, "-tls1") == 0) { tls1 = 1; } else if (strcmp(*argv, "-ssl3") == 0) { ssl3 = 1; @@ -1313,13 +1084,9 @@ int main(int argc, char *argv[]) #endif else if (strcmp(*argv, "-app_verify") == 0) { app_verify_arg.app_verify = 1; - } else if (strcmp(*argv, "-proxy") == 0) { - app_verify_arg.allow_proxy_certs = 1; - } else if (strcmp(*argv, "-test_cipherlist") == 0) { - test_cipherlist = 1; } #ifndef OPENSSL_NO_NEXTPROTONEG - else if (strcmp(*argv, "-npn_client") == 0) { + else if (strcmp(*argv, "-npn_client") == 0) { npn_client = 1; } else if (strcmp(*argv, "-npn_server") == 0) { npn_server = 1; @@ -1454,24 +1221,8 @@ int main(int argc, char *argv[]) goto end; } - /* - * test_cipherlist prevails over protocol switch: we test the cipherlist - * for all enabled protocols. - */ - if (test_cipherlist == 1) { - /* - * ensure that the cipher list are correctly sorted and exit - */ - fprintf(stdout, "Testing cipherlist order only. Ignoring all " - "other options.\n"); - if (do_test_cipherlist() == 0) - EXIT(1); - ret = 0; - goto end; - } - - if (ssl3 + tls1 + dtls + dtls1 + dtls12 > 1) { - fprintf(stderr, "At most one of -ssl3, -tls1, -dtls, -dtls1 or -dtls12 should " + if (ssl3 + tls1 + tls1_2 + dtls + dtls1 + dtls12 > 1) { + fprintf(stderr, "At most one of -ssl3, -tls1, -tls1_2, -dtls, -dtls1 or -dtls12 should " "be requested.\n"); EXIT(1); } @@ -1486,6 +1237,11 @@ int main(int argc, char *argv[]) no_protocol = 1; else #endif +#ifdef OPENSSL_NO_TLS1_2 + if (tls1_2) + no_protocol = 1; + else +#endif #if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1) if (dtls1) no_protocol = 1; @@ -1506,26 +1262,18 @@ int main(int argc, char *argv[]) if (no_protocol) { fprintf(stderr, "Testing was requested for a disabled protocol. " "Skipping tests.\n"); - ret = 0; + ret = EXIT_SUCCESS; goto end; } - if (!ssl3 && !tls1 && !dtls && !dtls1 && !dtls12 && number > 1 && !reuse && !force) { + if (!ssl3 && !tls1 && !tls1_2 && !dtls && !dtls1 && !dtls12 && number > 1 + && !reuse && !force) { fprintf(stderr, "This case cannot work. Use -f to perform " "the test anyway (and\n-d to see what happens), " - "or add one of -ssl3, -tls1, -dtls, -dtls1, -dtls12, -reuse\n" + "or add one of -ssl3, -tls1, -tls1_2, -dtls, -dtls1, -dtls12, -reuse\n" "to avoid protocol mismatch.\n"); EXIT(1); } -#ifdef OPENSSL_FIPS - if (fips_mode) { - if (!FIPS_mode_set(1)) { - ERR_print_errors(bio_err); - EXIT(1); - } else - fprintf(stderr, "*** IN FIPS MODE ***\n"); - } -#endif if (print_time) { if (bio_type != BIO_PAIR) { @@ -1537,8 +1285,6 @@ int main(int argc, char *argv[]) "Warning: For accurate timings, use more connections (e.g. -num 1000)\n"); } -/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */ - #ifndef OPENSSL_NO_COMP if (comp == COMP_ZLIB) cm = COMP_zlib(); @@ -1562,7 +1308,7 @@ int main(int argc, char *argv[]) printf("Available compression methods:"); for (j = 0; j < n; j++) { SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j); - printf(" %s:%d", c->name, c->id); + printf(" %s:%d", SSL_COMP_get0_name(c), SSL_COMP_get_id(c)); } printf("\n"); } @@ -1576,6 +1322,9 @@ int main(int argc, char *argv[]) } else if (tls1) { min_version = TLS1_VERSION; max_version = TLS1_VERSION; + } else if (tls1_2) { + min_version = TLS1_2_VERSION; + max_version = TLS1_2_VERSION; } #endif #ifndef OPENSSL_NO_DTLS @@ -1688,9 +1437,7 @@ int main(int argc, char *argv[]) (!SSL_CTX_set_default_verify_paths(s_ctx2)) || (!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) || (!SSL_CTX_set_default_verify_paths(c_ctx))) { - /* fprintf(stderr,"SSL_load_verify_locations\n"); */ ERR_print_errors(bio_err); - /* goto end; */ } #ifndef OPENSSL_NO_CT @@ -1724,9 +1471,9 @@ int main(int argc, char *argv[]) { int session_id_context = 0; if (!SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, - sizeof session_id_context) || + sizeof(session_id_context)) || !SSL_CTX_set_session_id_context(s_ctx2, (void *)&session_id_context, - sizeof session_id_context)) { + sizeof(session_id_context))) { ERR_print_errors(bio_err); goto end; } @@ -1742,7 +1489,7 @@ int main(int argc, char *argv[]) * if PSK is not compiled in and psk key is given, do nothing and * exit successfully */ - ret = 0; + ret = EXIT_SUCCESS; goto end; } #ifndef OPENSSL_NO_PSK @@ -1759,29 +1506,6 @@ int main(int argc, char *argv[]) } #endif } -#ifndef OPENSSL_NO_SRP - if (srp_client_arg.srplogin) { - if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin)) { - BIO_printf(bio_err, "Unable to set SRP username\n"); - goto end; - } - SSL_CTX_set_srp_cb_arg(c_ctx, &srp_client_arg); - SSL_CTX_set_srp_client_pwd_callback(c_ctx, - ssl_give_srp_client_pwd_cb); - /* - * SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength); - */ - } - - if (srp_server_arg.expected_user != NULL) { - SSL_CTX_set_verify(s_ctx, SSL_VERIFY_NONE, verify_callback); - SSL_CTX_set_verify(s_ctx2, SSL_VERIFY_NONE, verify_callback); - SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg); - SSL_CTX_set_srp_cb_arg(s_ctx2, &srp_server_arg); - SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb); - SSL_CTX_set_srp_username_callback(s_ctx2, ssl_srp_server_param_cb); - } -#endif #ifndef OPENSSL_NO_NEXTPROTONEG if (npn_client) { @@ -1793,14 +1517,12 @@ int main(int argc, char *argv[]) "Can't have both -npn_server and -npn_server_reject\n"); goto end; } - SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_npn, NULL); - SSL_CTX_set_next_protos_advertised_cb(s_ctx2, cb_server_npn, NULL); + SSL_CTX_set_npn_advertised_cb(s_ctx, cb_server_npn, NULL); + SSL_CTX_set_npn_advertised_cb(s_ctx2, cb_server_npn, NULL); } if (npn_server_reject) { - SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_rejects_npn, - NULL); - SSL_CTX_set_next_protos_advertised_cb(s_ctx2, cb_server_rejects_npn, - NULL); + SSL_CTX_set_npn_advertised_cb(s_ctx, cb_server_rejects_npn, NULL); + SSL_CTX_set_npn_advertised_cb(s_ctx2, cb_server_rejects_npn, NULL); } #endif @@ -1986,26 +1708,26 @@ int main(int argc, char *argv[]) #else case BIO_IPV4: case BIO_IPV6: - ret = 1; + ret = EXIT_FAILURE; goto err; #endif } - if (ret) break; + if (ret != EXIT_SUCCESS) break; } - if (should_negotiate && ret == 0 && + if (should_negotiate && ret == EXIT_SUCCESS && strcmp(should_negotiate, "fail-server") != 0 && strcmp(should_negotiate, "fail-client") != 0) { int version = protocol_from_string(should_negotiate); if (version < 0) { BIO_printf(bio_err, "Error parsing: %s\n", should_negotiate); - ret = 1; + ret = EXIT_FAILURE; goto err; } if (SSL_version(c_ssl) != version) { - BIO_printf(bio_err, "Unxpected version negotiated. " + BIO_printf(bio_err, "Unexpected version negotiated. " "Expected: %s, got %s\n", should_negotiate, SSL_get_version(c_ssl)); - ret = 1; + ret = EXIT_FAILURE; goto err; } } @@ -2016,20 +1738,20 @@ int main(int argc, char *argv[]) BIO_printf(bio_err, "Unexpected session reuse state. " "Expected: %d, server: %d, client: %d\n", should_reuse, SSL_session_reused(s_ssl), SSL_session_reused(c_ssl)); - ret = 1; + ret = EXIT_FAILURE; goto err; } } if (server_sess_out != NULL) { if (write_session(server_sess_out, SSL_get_session(s_ssl)) == 0) { - ret = 1; + ret = EXIT_FAILURE; goto err; } } if (client_sess_out != NULL) { if (write_session(client_sess_out, SSL_get_session(c_ssl)) == 0) { - ret = 1; + ret = EXIT_FAILURE; goto err; } } @@ -2076,7 +1798,7 @@ int main(int argc, char *argv[]) #ifndef OPENSSL_NO_CRYPTO_MDEBUG if (CRYPTO_mem_leaks(bio_err) <= 0) - ret = 1; + ret = EXIT_FAILURE; #endif BIO_free(bio_err); EXIT(ret); @@ -2090,7 +1812,7 @@ int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family, long count, BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL; BIO *acpt = NULL, *server = NULL, *client = NULL; char addr_str[40]; - int ret = 1; + int ret = EXIT_FAILURE; int err_in_client = 0; int err_in_server = 0; @@ -2193,8 +1915,8 @@ int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family, long count, if (cw_num > 0) { /* Write to server. */ - if (cw_num > (long)sizeof cbuf) - i = sizeof cbuf; + if (cw_num > (long)sizeof(cbuf)) + i = sizeof(cbuf); else i = (int)cw_num; r = BIO_write(c_ssl_bio, cbuf, i); @@ -2272,8 +1994,8 @@ int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family, long count, if (sw_num > 0) { /* Write to client. */ - if (sw_num > (long)sizeof sbuf) - i = sizeof sbuf; + if (sw_num > (long)sizeof(sbuf)) + i = sizeof(sbuf); else i = (int)sw_num; r = BIO_write(s_ssl_bio, sbuf, i); @@ -2323,33 +2045,26 @@ int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family, long count, if (verbose) print_details(c_ssl, "DONE via TCP connect: "); # ifndef OPENSSL_NO_NEXTPROTONEG - if (verify_npn(c_ssl, s_ssl) < 0) { - ret = 1; + if (verify_npn(c_ssl, s_ssl) < 0) goto end; - } # endif if (verify_serverinfo() < 0) { fprintf(stderr, "Server info verify error\n"); - ret = 1; - goto err; - } - if (verify_alpn(c_ssl, s_ssl) < 0) { - ret = 1; goto err; } - if (verify_servername(c_ssl, s_ssl) < 0) { - ret = 1; + if (verify_alpn(c_ssl, s_ssl) < 0 + || verify_servername(c_ssl, s_ssl) < 0) goto err; - } if (custom_ext_error) { fprintf(stderr, "Custom extension error\n"); - ret = 1; goto err; } +# ifndef OPENSSL_NO_NEXTPROTONEG end: - ret = 0; +# endif + ret = EXIT_SUCCESS; err: ERR_print_errors(bio_err); @@ -2361,9 +2076,9 @@ int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family, long count, BIO_free(c_ssl_bio); if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0) - ret = (err_in_client != 0) ? 0 : 1; + ret = (err_in_client != 0) ? EXIT_SUCCESS : EXIT_FAILURE; else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0) - ret = (err_in_server != 0) ? 0 : 1; + ret = (err_in_server != 0) ? EXIT_SUCCESS : EXIT_FAILURE; return ret; } @@ -2375,7 +2090,7 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, long cw_num = count, cr_num = count, sw_num = count, sr_num = count; BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL; BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL; - int ret = 1; + int ret = EXIT_FAILURE; int err_in_client = 0; int err_in_server = 0; @@ -2430,7 +2145,7 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, * Useful functions for querying the state of BIO pair endpoints: * * BIO_ctrl_pending(bio) number of bytes we can read now - * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil + * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfill * other side's read attempt * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now * @@ -2462,8 +2177,8 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, if (cw_num > 0) { /* Write to server. */ - if (cw_num > (long)sizeof cbuf) - i = sizeof cbuf; + if (cw_num > (long)sizeof(cbuf)) + i = sizeof(cbuf); else i = (int)cw_num; r = BIO_write(c_ssl_bio, cbuf, i); @@ -2541,8 +2256,8 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, if (sw_num > 0) { /* Write to client. */ - if (sw_num > (long)sizeof sbuf) - i = sizeof sbuf; + if (sw_num > (long)sizeof(sbuf)) + i = sizeof(sbuf); else i = (int)sw_num; r = BIO_write(s_ssl_bio, sbuf, i); @@ -2704,33 +2419,26 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, if (verbose) print_details(c_ssl, "DONE via BIO pair: "); #ifndef OPENSSL_NO_NEXTPROTONEG - if (verify_npn(c_ssl, s_ssl) < 0) { - ret = 1; + if (verify_npn(c_ssl, s_ssl) < 0) goto end; - } #endif if (verify_serverinfo() < 0) { fprintf(stderr, "Server info verify error\n"); - ret = 1; goto err; } - if (verify_alpn(c_ssl, s_ssl) < 0) { - ret = 1; + if (verify_alpn(c_ssl, s_ssl) < 0 + || verify_servername(c_ssl, s_ssl) < 0) goto err; - } - if (verify_servername(c_ssl, s_ssl) < 0) { - ret = 1; - goto err; - } if (custom_ext_error) { fprintf(stderr, "Custom extension error\n"); - ret = 1; goto err; } +#ifndef OPENSSL_NO_NEXTPROTONEG end: - ret = 0; +#endif + ret = EXIT_SUCCESS; err: ERR_print_errors(bio_err); @@ -2743,9 +2451,9 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, BIO_free(c_ssl_bio); if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0) - ret = (err_in_client != 0) ? 0 : 1; + ret = (err_in_client != 0) ? EXIT_SUCCESS : EXIT_FAILURE; else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0) - ret = (err_in_server != 0) ? 0 : 1; + ret = (err_in_server != 0) ? EXIT_SUCCESS : EXIT_FAILURE; return ret; } @@ -2761,7 +2469,7 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) long bufsiz; long cw_num = count, cr_num = count; long sw_num = count, sr_num = count; - int ret = 1; + int ret = EXIT_FAILURE; BIO *c_to_s = NULL; BIO *s_to_c = NULL; BIO *c_bio = NULL; @@ -2801,8 +2509,29 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) SSL_set_max_send_fragment(c_ssl, max_frag); BIO_set_ssl(c_bio, c_ssl, BIO_NOCLOSE); + /* + * We've just given our ref to these BIOs to c_ssl. We need another one to + * give to s_ssl + */ + if (!BIO_up_ref(c_to_s)) { + /* c_to_s and s_to_c will get freed when we free c_ssl */ + c_to_s = NULL; + s_to_c = NULL; + goto err; + } + if (!BIO_up_ref(s_to_c)) { + /* s_to_c will get freed when we free c_ssl */ + s_to_c = NULL; + goto err; + } + SSL_set_accept_state(s_ssl); SSL_set_bio(s_ssl, c_to_s, s_to_c); + + /* We've used up all our refs to these now */ + c_to_s = NULL; + s_to_c = NULL; + SSL_set_max_send_fragment(s_ssl, max_frag); BIO_set_ssl(s_bio, s_ssl, BIO_NOCLOSE); @@ -2829,22 +2558,12 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) if (SSL_in_init(s_ssl)) printf("server waiting in SSL_accept - %s\n", SSL_state_string_long(s_ssl)); -/*- - else if (s_write) - printf("server:SSL_write()\n"); - else - printf("server:SSL_read()\n"); */ } if (do_client && debug) { if (SSL_in_init(c_ssl)) printf("client waiting in SSL_connect - %s\n", SSL_state_string_long(c_ssl)); -/*- - else if (c_write) - printf("client:SSL_write()\n"); - else - printf("client:SSL_read()\n"); */ } if (!do_client && !do_server) { @@ -2998,40 +2717,19 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) if (verbose) print_details(c_ssl, "DONE: "); #ifndef OPENSSL_NO_NEXTPROTONEG - if (verify_npn(c_ssl, s_ssl) < 0) { - ret = 1; + if (verify_npn(c_ssl, s_ssl) < 0) goto err; - } #endif if (verify_serverinfo() < 0) { fprintf(stderr, "Server info verify error\n"); - ret = 1; goto err; } if (custom_ext_error) { fprintf(stderr, "Custom extension error\n"); - ret = 1; goto err; } - ret = 0; + ret = EXIT_SUCCESS; err: - /* - * We have to set the BIO's to NULL otherwise they will be - * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and again - * when c_ssl is SSL_free()ed. This is a hack required because s_ssl and - * c_ssl are sharing the same BIO structure and SSL_set_bio() and - * SSL_free() automatically BIO_free non NULL entries. You should not - * normally do this or be required to do this - */ - if (s_ssl != NULL) { - s_ssl->rbio = NULL; - s_ssl->wbio = NULL; - } - if (c_ssl != NULL) { - c_ssl->rbio = NULL; - c_ssl->wbio = NULL; - } - BIO_free(c_to_s); BIO_free(s_to_c); BIO_free_all(c_bio); @@ -3040,464 +2738,73 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) OPENSSL_free(sbuf); if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0) - ret = (err_in_client != 0) ? 0 : 1; + ret = (err_in_client != 0) ? EXIT_SUCCESS : EXIT_FAILURE; else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0) - ret = (err_in_server != 0) ? 0 : 1; - - return (ret); -} + ret = (err_in_server != 0) ? EXIT_SUCCESS : EXIT_FAILURE; -static CRYPTO_ONCE proxy_auth_ex_data_once = CRYPTO_ONCE_STATIC_INIT; -static volatile int proxy_auth_ex_data_idx = -1; - -static void do_get_proxy_auth_ex_data_idx(void) -{ - proxy_auth_ex_data_idx = X509_STORE_CTX_get_ex_new_index(0, - "SSLtest for verify callback", - NULL, NULL, NULL); -} - -static int get_proxy_auth_ex_data_idx(void) -{ - CRYPTO_THREAD_run_once(&proxy_auth_ex_data_once, - do_get_proxy_auth_ex_data_idx); - return proxy_auth_ex_data_idx; + return ret; } static int verify_callback(int ok, X509_STORE_CTX *ctx) { char *s, buf[256]; - s = X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), buf, - sizeof buf); + s = X509_NAME_oneline(X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)), + buf, sizeof(buf)); if (s != NULL) { if (ok) - printf("depth=%d %s\n", ctx->error_depth, buf); + printf("depth=%d %s\n", X509_STORE_CTX_get_error_depth(ctx), buf); else { fprintf(stderr, "depth=%d error=%d %s\n", - ctx->error_depth, ctx->error, buf); + X509_STORE_CTX_get_error_depth(ctx), + X509_STORE_CTX_get_error(ctx), buf); } } if (ok == 0) { - switch (ctx->error) { + int i = X509_STORE_CTX_get_error(ctx); + + switch (i) { default: fprintf(stderr, "Error string: %s\n", - X509_verify_cert_error_string(ctx->error)); + X509_verify_cert_error_string(i)); break; case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: ok = 1; - } - } - - if (ok == 1) { - X509 *xs = ctx->current_cert; - if (X509_get_extension_flags(xs) & EXFLAG_PROXY) { - unsigned int *letters = X509_STORE_CTX_get_ex_data(ctx, - get_proxy_auth_ex_data_idx - ()); - - if (letters) { - int found_any = 0; - int i; - PROXY_CERT_INFO_EXTENSION *pci = - X509_get_ext_d2i(xs, NID_proxyCertInfo, - NULL, NULL); - - switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage)) { - case NID_Independent: - /* - * Completely meaningless in this program, as there's no - * way to grant explicit rights to a specific PrC. - * Basically, using id-ppl-Independent is the perfect way - * to grant no rights at all. - */ - fprintf(stderr, " Independent proxy certificate"); - for (i = 0; i < 26; i++) - letters[i] = 0; - break; - case NID_id_ppl_inheritAll: - /* - * This is basically a NOP, we simply let the current - * rights stand as they are. - */ - fprintf(stderr, " Proxy certificate inherits all"); - break; - default: - s = (char *) - pci->proxyPolicy->policy->data; - i = pci->proxyPolicy->policy->length; - - /* - * The algorithm works as follows: it is assumed that - * previous iterations or the initial granted rights has - * already set some elements of `letters'. What we need - * to do is to clear those that weren't granted by the - * current PrC as well. The easiest way to do this is to - * add 1 to all the elements whose letters are given with - * the current policy. That way, all elements that are - * set by the current policy and were already set by - * earlier policies and through the original grant of - * rights will get the value 2 or higher. The last thing - * to do is to sweep through `letters' and keep the - * elements having the value 2 as set, and clear all the - * others. - */ - - printf(" Certificate proxy rights = %*.*s", i, - i, s); - while (i-- > 0) { - int c = *s++; - if (isascii(c) && isalpha(c)) { - if (islower(c)) - c = toupper(c); - letters[c - 'A']++; - } - } - for (i = 0; i < 26; i++) - if (letters[i] < 2) - letters[i] = 0; - else - letters[i] = 1; - } - - found_any = 0; - printf(", resulting proxy rights = "); - for (i = 0; i < 26; i++) - if (letters[i]) { - printf("%c", i + 'A'); - found_any = 1; - } - if (!found_any) - printf("none"); - printf("\n"); - - PROXY_CERT_INFO_EXTENSION_free(pci); - } - } - } - - return (ok); -} - -static void process_proxy_debug(int indent, const char *format, ...) -{ - /* That's 80 > */ - static const char indentation[] = - ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>" - ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; - char my_format[256]; - va_list args; - - BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s", - indent, indent, indentation, format); - - va_start(args, format); - vfprintf(stderr, my_format, args); - va_end(args); -} - -/*- - * Priority levels: - * 0 [!]var, () - * 1 & ^ - * 2 | - */ -static int process_proxy_cond_adders(unsigned int letters[26], - const char *cond, const char **cond_end, - int *pos, int indent); -static int process_proxy_cond_val(unsigned int letters[26], const char *cond, - const char **cond_end, int *pos, int indent) -{ - int c; - int ok = 1; - int negate = 0; - - while (isspace((int)*cond)) { - cond++; - (*pos)++; - } - c = *cond; - - if (debug) - process_proxy_debug(indent, - "Start process_proxy_cond_val at position %d: %s\n", - *pos, cond); - - while (c == '!') { - negate = !negate; - cond++; - (*pos)++; - while (isspace((int)*cond)) { - cond++; - (*pos)++; - } - c = *cond; - } - - if (c == '(') { - cond++; - (*pos)++; - ok = process_proxy_cond_adders(letters, cond, cond_end, pos, - indent + 1); - cond = *cond_end; - if (ok < 0) - goto end; - while (isspace((int)*cond)) { - cond++; - (*pos)++; - } - c = *cond; - if (c != ')') { - fprintf(stderr, - "Weird condition character in position %d: " - "%c\n", *pos, c); - ok = -1; - goto end; - } - cond++; - (*pos)++; - } else if (isascii(c) && isalpha(c)) { - if (islower(c)) - c = toupper(c); - ok = letters[c - 'A']; - cond++; - (*pos)++; - } else { - fprintf(stderr, - "Weird condition character in position %d: " "%c\n", *pos, c); - ok = -1; - goto end; - } - end: - *cond_end = cond; - if (ok >= 0 && negate) - ok = !ok; - - if (debug) - process_proxy_debug(indent, - "End process_proxy_cond_val at position %d: %s, returning %d\n", - *pos, cond, ok); - - return ok; -} - -static int process_proxy_cond_multipliers(unsigned int letters[26], - const char *cond, - const char **cond_end, int *pos, - int indent) -{ - int ok; - char c; - - if (debug) - process_proxy_debug(indent, - "Start process_proxy_cond_multipliers at position %d: %s\n", - *pos, cond); - - ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1); - cond = *cond_end; - if (ok < 0) - goto end; - - while (ok >= 0) { - while (isspace((int)*cond)) { - cond++; - (*pos)++; - } - c = *cond; - - switch (c) { - case '&': - case '^': - { - int save_ok = ok; - - cond++; - (*pos)++; - ok = process_proxy_cond_val(letters, - cond, cond_end, pos, indent + 1); - cond = *cond_end; - if (ok < 0) - break; - - switch (c) { - case '&': - ok &= save_ok; - break; - case '^': - ok ^= save_ok; - break; - default: - fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!" - " STOPPING\n"); - EXIT(1); - } - } - break; - default: - goto end; - } - } - end: - if (debug) - process_proxy_debug(indent, - "End process_proxy_cond_multipliers at position %d: %s, returning %d\n", - *pos, cond, ok); - - *cond_end = cond; - return ok; -} - -static int process_proxy_cond_adders(unsigned int letters[26], - const char *cond, const char **cond_end, - int *pos, int indent) -{ - int ok; - char c; - - if (debug) - process_proxy_debug(indent, - "Start process_proxy_cond_adders at position %d: %s\n", - *pos, cond); - - ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos, - indent + 1); - cond = *cond_end; - if (ok < 0) - goto end; - - while (ok >= 0) { - while (isspace((int)*cond)) { - cond++; - (*pos)++; - } - c = *cond; - - switch (c) { - case '|': - { - int save_ok = ok; - - cond++; - (*pos)++; - ok = process_proxy_cond_multipliers(letters, - cond, cond_end, pos, - indent + 1); - cond = *cond_end; - if (ok < 0) - break; - - switch (c) { - case '|': - ok |= save_ok; - break; - default: - fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!" - " STOPPING\n"); - EXIT(1); - } - } break; - default: - goto end; } } - end: - if (debug) - process_proxy_debug(indent, - "End process_proxy_cond_adders at position %d: %s, returning %d\n", - *pos, cond, ok); - *cond_end = cond; return ok; } -static int process_proxy_cond(unsigned int letters[26], - const char *cond, const char **cond_end) -{ - int pos = 1; - return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1); -} - static int app_verify_callback(X509_STORE_CTX *ctx, void *arg) { int ok = 1; struct app_verify_arg *cb_arg = arg; - unsigned int letters[26]; /* only used with proxy_auth */ if (cb_arg->app_verify) { char *s = NULL, buf[256]; + X509 *c = X509_STORE_CTX_get0_cert(ctx); printf("In app_verify_callback, allowing cert. "); printf("Arg is: %s\n", cb_arg->string); printf("Finished printing do we have a context? 0x%p a cert? 0x%p\n", - (void *)ctx, (void *)ctx->cert); - if (ctx->cert) - s = X509_NAME_oneline(X509_get_subject_name(ctx->cert), buf, 256); + (void *)ctx, (void *)c); + if (c) + s = X509_NAME_oneline(X509_get_subject_name(c), buf, 256); if (s != NULL) { - printf("cert depth=%d %s\n", ctx->error_depth, buf); - } - return (1); - } - if (cb_arg->proxy_auth) { - int found_any = 0, i; - char *sp; - - for (i = 0; i < 26; i++) - letters[i] = 0; - for (sp = cb_arg->proxy_auth; *sp; sp++) { - int c = *sp; - if (isascii(c) && isalpha(c)) { - if (islower(c)) - c = toupper(c); - letters[c - 'A'] = 1; - } + printf("cert depth=%d %s\n", + X509_STORE_CTX_get_error_depth(ctx), buf); } - - printf(" Initial proxy rights = "); - for (i = 0; i < 26; i++) - if (letters[i]) { - printf("%c", i + 'A'); - found_any = 1; - } - if (!found_any) - printf("none"); - printf("\n"); - - X509_STORE_CTX_set_ex_data(ctx, - get_proxy_auth_ex_data_idx(), letters); - } - if (cb_arg->allow_proxy_certs) { - X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS); + return 1; } - ok = X509_verify_cert(ctx); - - if (cb_arg->proxy_auth) { - if (ok > 0) { - const char *cond_end = NULL; - ok = process_proxy_cond(letters, cb_arg->proxy_cond, &cond_end); + ok = X509_verify_cert(ctx); - if (ok < 0) - EXIT(3); - if (*cond_end) { - fprintf(stderr, - "Stopped processing condition before it's end.\n"); - ok = 0; - } - if (!ok) - fprintf(stderr, - "Proxy rights check with condition '%s' invalid\n", - cb_arg->proxy_cond); - else - printf("Proxy rights check with condition '%s' ok\n", - cb_arg->proxy_cond); - } - } - return (ok); + return ok; } #ifndef OPENSSL_NO_DH @@ -3527,16 +2834,19 @@ static DH *get_dh512() 0x02, }; DH *dh; + BIGNUM *p, *g; if ((dh = DH_new()) == NULL) - return (NULL); - dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); - dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); - if ((dh->p == NULL) || (dh->g == NULL)) { + return NULL; + p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); + g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); + if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) { DH_free(dh); - return (NULL); + BN_free(p); + BN_free(g); + return NULL; } - return (dh); + return dh; } static DH *get_dh1024() @@ -3568,16 +2878,19 @@ static DH *get_dh1024() 0x02, }; DH *dh; + BIGNUM *p, *g; if ((dh = DH_new()) == NULL) - return (NULL); - dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL); - dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL); - if ((dh->p == NULL) || (dh->g == NULL)) { + return NULL; + p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL); + g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL); + if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) { DH_free(dh); - return (NULL); + BN_free(p); + BN_free(g); + return NULL; } - return (dh); + return dh; } static DH *get_dh1024dsa() @@ -3629,17 +2942,20 @@ static DH *get_dh1024dsa() 0x07, 0xE7, 0x68, 0x1A, 0x82, 0x5D, 0x32, 0xA2, }; DH *dh; + BIGNUM *p, *g; if ((dh = DH_new()) == NULL) - return (NULL); - dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL); - dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL); - if ((dh->p == NULL) || (dh->g == NULL)) { + return NULL; + p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL); + g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL); + if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) { DH_free(dh); - return (NULL); + BN_free(p); + BN_free(g); + return NULL; } - dh->length = 160; - return (dh); + DH_set_length(dh, 160); + return dh; } #endif @@ -3707,33 +3023,3 @@ static unsigned int psk_server_callback(SSL *ssl, const char *identity, return psk_len; } #endif - -static int do_test_cipherlist(void) -{ -#ifndef OPENSSL_NO_TLS - int i = 0; - const SSL_METHOD *meth; - const SSL_CIPHER *ci, *tci = NULL; - - /* - * This is required because ssltest "cheats" and uses internal headers to - * call functions, thus avoiding auto-init - */ - OPENSSL_init_crypto(0, NULL); - OPENSSL_init_ssl(0, NULL); - - meth = TLS_method(); - tci = NULL; - while ((ci = meth->get_cipher(i++)) != NULL) { - if (tci != NULL) - if (ci->id >= tci->id) { - fprintf(stderr, "testing SSLv3 cipher list order: "); - fprintf(stderr, "failed %x vs. %x\n", ci->id, tci->id); - return 0; - } - tci = ci; - } -#endif - - return 1; -}