int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
+static int do_test_cipherlist(void);
static void sv_usage(void)
{
fprintf(stderr,"usage: ssltest [args ...]\n");
fprintf(stderr,"\n");
+#ifdef OPENSSL_FIPS
+ fprintf(stderr,"-F - run test in FIPS mode\n");
+#endif
fprintf(stderr," -server_auth - check server certificate\n");
fprintf(stderr," -client_auth - do client authentication\n");
fprintf(stderr," -proxy - allow proxy certificates\n");
" Use \"openssl ecparam -list_curves\" for all names\n" \
" (default is sect163r2).\n");
#endif
+ fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
}
static void print_details(SSL *c_ssl, const char *prefix)
}
}
+
int main(int argc, char *argv[])
{
char *CApath=NULL,*CAfile=NULL;
int print_time = 0;
clock_t s_time = 0, c_time = 0;
int comp = 0;
+#ifndef OPENSSL_NO_COMP
COMP_METHOD *cm = NULL;
+#endif
STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
+ int test_cipherlist = 0;
+#ifdef OPENSSL_FIPS
+ int fips_mode=0;
+#endif
verbose = 0;
debug = 0;
while (argc >= 1)
{
- if (strcmp(*argv,"-server_auth") == 0)
+ if(!strcmp(*argv,"-F"))
+ {
+#ifdef OPENSSL_FIPS
+ fips_mode=1;
+#else
+ fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
+ EXIT(0);
+#endif
+ }
+ else if (strcmp(*argv,"-server_auth") == 0)
server_auth=1;
else if (strcmp(*argv,"-client_auth") == 0)
client_auth=1;
{
app_verify_arg.allow_proxy_certs = 1;
}
+ else if (strcmp(*argv,"-test_cipherlist") == 0)
+ {
+ test_cipherlist = 1;
+ }
else
{
fprintf(stderr,"unknown option %s\n",*argv);
goto end;
}
+ if (test_cipherlist == 1)
+ {
+ /* ensure that the cipher list are correctly sorted and exit */
+ if (do_test_cipherlist() == 0)
+ EXIT(1);
+ ret = 0;
+ goto end;
+ }
+
if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
{
fprintf(stderr, "This case cannot work. Use -f to perform "
EXIT(1);
}
+#ifdef OPENSSL_FIPS
+ if(fips_mode)
+ {
+ if(!FIPS_mode_set(1))
+ {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ EXIT(1);
+ }
+ else
+ fprintf(stderr,"*** IN FIPS MODE ***\n");
+ }
+#endif
+
if (print_time)
{
if (!bio_pair)
SSL_library_init();
SSL_load_error_strings();
+#ifndef OPENSSL_NO_COMP
if (comp == COMP_ZLIB) cm = COMP_zlib();
if (comp == COMP_RLE) cm = COMP_rle();
if (cm != NULL)
fprintf(stderr, " %d: %s\n", c->id, c->name);
}
}
+#endif
#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
if (ssl2)
}
#ifndef OPENSSL_NO_X509_VERIFY
-# ifdef OPENSSL_FIPS
- if(s->version == TLS1_VERSION)
- FIPS_allow_md5(1);
-# endif
ok = X509_verify_cert(ctx);
-# ifdef OPENSSL_FIPS
- if(s->version == TLS1_VERSION)
- FIPS_allow_md5(0);
-# endif
#endif
if (cb_arg->proxy_auth)
return(dh);
}
#endif
+
+static int do_test_cipherlist(void)
+ {
+ int i = 0;
+ const SSL_METHOD *meth;
+ SSL_CIPHER *ci, *tci = NULL;
+
+#ifndef OPENSSL_NO_SSL2
+ fprintf(stderr, "testing SSLv2 cipher list order: ");
+ meth = SSLv2_method();
+ while ((ci = meth->get_cipher(i++)) != NULL)
+ {
+ if (tci != NULL)
+ if (ci->id >= tci->id)
+ {
+ fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
+ return 0;
+ }
+ tci = ci;
+ }
+ fprintf(stderr, "ok\n");
+#endif
+#ifndef OPENSSL_NO_SSL3
+ fprintf(stderr, "testing SSLv3 cipher list order: ");
+ meth = SSLv3_method();
+ tci = NULL;
+ while ((ci = meth->get_cipher(i++)) != NULL)
+ {
+ if (tci != NULL)
+ if (ci->id >= tci->id)
+ {
+ fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
+ return 0;
+ }
+ tci = ci;
+ }
+ fprintf(stderr, "ok\n");
+#endif
+#ifndef OPENSSL_NO_TLS1
+ fprintf(stderr, "testing TLSv1 cipher list order: ");
+ meth = TLSv1_method();
+ tci = NULL;
+ while ((ci = meth->get_cipher(i++)) != NULL)
+ {
+ if (tci != NULL)
+ if (ci->id >= tci->id)
+ {
+ fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
+ return 0;
+ }
+ tci = ci;
+ }
+ fprintf(stderr, "ok\n");
+#endif
+
+ return 1;
+ }
projects / oweals / openssl.git / blobdiff