# include <openssl/ct.h>
#endif
-#include "../ssl/ssl_locl.h"
-
/*
* Or gethostname won't be declared properly
* on Compaq platforms (at least with DEC C).
{
fprintf(stderr, "usage: ssltest [args ...]\n");
fprintf(stderr, "\n");
-#ifdef OPENSSL_FIPS
- fprintf(stderr, "-F - run test in FIPS mode\n");
-#endif
fprintf(stderr, " -server_auth - check server certificate\n");
fprintf(stderr, " -client_auth - do client authentication\n");
fprintf(stderr, " -v - more output\n");
SSL_CIPHER_get_version(ciph), SSL_CIPHER_get_name(ciph));
cert = SSL_get_peer_certificate(c_ssl);
if (cert != NULL) {
- pkey = X509_get_pubkey(cert);
- if (pkey != NULL) {
+ EVP_PKEY* pubkey = X509_get0_pubkey(cert);
+
+ if (pubkey != NULL) {
BIO_puts(bio_stdout, ", ");
- print_key_details(bio_stdout, pkey);
- EVP_PKEY_free(pkey);
+ print_key_details(bio_stdout, pubkey);
}
X509_free(cert);
}
{"tls1", TLS1_VERSION},
{"tls1.1", TLS1_1_VERSION},
{"tls1.2", TLS1_2_VERSION},
+ {"tls1.3", TLS1_3_VERSION},
{"dtls1", DTLS1_VERSION},
{"dtls1.2", DTLS1_2_VERSION}};
size_t i;
int main(int argc, char *argv[])
{
- char *CApath = NULL, *CAfile = NULL;
+ const char *CApath = NULL, *CAfile = NULL;
int badop = 0;
enum { BIO_MEM, BIO_PAIR, BIO_IPV4, BIO_IPV6 } bio_type = BIO_MEM;
int force = 0;
- int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, ssl3 = 0, ret = 1;
+ int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, tls1_2 = 0, ssl3 = 0, ret = 1;
int client_auth = 0;
int server_auth = 0, i;
struct app_verify_arg app_verify_arg =
int n, comp = 0;
COMP_METHOD *cm = NULL;
STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
-#endif
-#ifdef OPENSSL_FIPS
- int fips_mode = 0;
#endif
int no_protocol;
int min_version = 0, max_version = 0;
while (argc >= 1) {
if (strcmp(*argv, "-F") == 0) {
-#ifdef OPENSSL_FIPS
- fips_mode = 1;
-#else
fprintf(stderr,
"not compiled with FIPS support, so exiting without running.\n");
EXIT(0);
-#endif
} else if (strcmp(*argv, "-server_auth") == 0)
server_auth = 1;
else if (strcmp(*argv, "-client_auth") == 0)
min_version = TLS1_VERSION;
}
#endif
- else if (strcmp(*argv, "-tls1") == 0) {
+ else if (strcmp(*argv, "-tls1_2") == 0) {
+ tls1_2 = 1;
+ } else if (strcmp(*argv, "-tls1") == 0) {
tls1 = 1;
} else if (strcmp(*argv, "-ssl3") == 0) {
ssl3 = 1;
goto end;
}
- if (ssl3 + tls1 + dtls + dtls1 + dtls12 > 1) {
- fprintf(stderr, "At most one of -ssl3, -tls1, -dtls, -dtls1 or -dtls12 should "
+ if (ssl3 + tls1 + tls1_2 + dtls + dtls1 + dtls12 > 1) {
+ fprintf(stderr, "At most one of -ssl3, -tls1, -tls1_2, -dtls, -dtls1 or -dtls12 should "
"be requested.\n");
EXIT(1);
}
no_protocol = 1;
else
#endif
+#ifdef OPENSSL_NO_TLS1_2
+ if (tls1_2)
+ no_protocol = 1;
+ else
+#endif
#if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1)
if (dtls1)
no_protocol = 1;
goto end;
}
- if (!ssl3 && !tls1 && !dtls && !dtls1 && !dtls12 && number > 1 && !reuse && !force) {
+ if (!ssl3 && !tls1 && !tls1_2 && !dtls && !dtls1 && !dtls12 && number > 1
+ && !reuse && !force) {
fprintf(stderr, "This case cannot work. Use -f to perform "
"the test anyway (and\n-d to see what happens), "
- "or add one of -ssl3, -tls1, -dtls, -dtls1, -dtls12, -reuse\n"
+ "or add one of -ssl3, -tls1, -tls1_2, -dtls, -dtls1, -dtls12, -reuse\n"
"to avoid protocol mismatch.\n");
EXIT(1);
}
-#ifdef OPENSSL_FIPS
- if (fips_mode) {
- if (!FIPS_mode_set(1)) {
- ERR_print_errors(bio_err);
- EXIT(1);
- } else
- fprintf(stderr, "*** IN FIPS MODE ***\n");
- }
-#endif
if (print_time) {
if (bio_type != BIO_PAIR) {
"Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
}
-/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
-
#ifndef OPENSSL_NO_COMP
if (comp == COMP_ZLIB)
cm = COMP_zlib();
printf("Available compression methods:");
for (j = 0; j < n; j++) {
SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
- printf(" %s:%d", c->name, c->id);
+ printf(" %s:%d", SSL_COMP_get0_name(c), SSL_COMP_get_id(c));
}
printf("\n");
}
} else if (tls1) {
min_version = TLS1_VERSION;
max_version = TLS1_VERSION;
+ } else if (tls1_2) {
+ min_version = TLS1_2_VERSION;
+ max_version = TLS1_2_VERSION;
}
#endif
#ifndef OPENSSL_NO_DTLS
(!SSL_CTX_set_default_verify_paths(s_ctx2)) ||
(!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) ||
(!SSL_CTX_set_default_verify_paths(c_ctx))) {
- /* fprintf(stderr,"SSL_load_verify_locations\n"); */
ERR_print_errors(bio_err);
- /* goto end; */
}
#ifndef OPENSSL_NO_CT
"Can't have both -npn_server and -npn_server_reject\n");
goto end;
}
- SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_npn, NULL);
- SSL_CTX_set_next_protos_advertised_cb(s_ctx2, cb_server_npn, NULL);
+ SSL_CTX_set_npn_advertised_cb(s_ctx, cb_server_npn, NULL);
+ SSL_CTX_set_npn_advertised_cb(s_ctx2, cb_server_npn, NULL);
}
if (npn_server_reject) {
- SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_rejects_npn,
- NULL);
- SSL_CTX_set_next_protos_advertised_cb(s_ctx2, cb_server_rejects_npn,
- NULL);
+ SSL_CTX_set_npn_advertised_cb(s_ctx, cb_server_rejects_npn, NULL);
+ SSL_CTX_set_npn_advertised_cb(s_ctx2, cb_server_rejects_npn, NULL);
}
#endif
SSL_set_max_send_fragment(c_ssl, max_frag);
BIO_set_ssl(c_bio, c_ssl, BIO_NOCLOSE);
+ /*
+ * We've just given our ref to these BIOs to c_ssl. We need another one to
+ * give to s_ssl
+ */
+ if (!BIO_up_ref(c_to_s)) {
+ /* c_to_s and s_to_c will get freed when we free c_ssl */
+ c_to_s = NULL;
+ s_to_c = NULL;
+ goto err;
+ }
+ if (!BIO_up_ref(s_to_c)) {
+ /* s_to_c will get freed when we free c_ssl */
+ s_to_c = NULL;
+ goto err;
+ }
+
SSL_set_accept_state(s_ssl);
SSL_set_bio(s_ssl, c_to_s, s_to_c);
+
+ /* We've used up all our refs to these now */
+ c_to_s = NULL;
+ s_to_c = NULL;
+
SSL_set_max_send_fragment(s_ssl, max_frag);
BIO_set_ssl(s_bio, s_ssl, BIO_NOCLOSE);
if (SSL_in_init(s_ssl))
printf("server waiting in SSL_accept - %s\n",
SSL_state_string_long(s_ssl));
-/*-
- else if (s_write)
- printf("server:SSL_write()\n");
- else
- printf("server:SSL_read()\n"); */
}
if (do_client && debug) {
if (SSL_in_init(c_ssl))
printf("client waiting in SSL_connect - %s\n",
SSL_state_string_long(c_ssl));
-/*-
- else if (c_write)
- printf("client:SSL_write()\n");
- else
- printf("client:SSL_read()\n"); */
}
if (!do_client && !do_server) {
}
ret = 0;
err:
- /*
- * We have to set the BIO's to NULL otherwise they will be
- * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and again
- * when c_ssl is SSL_free()ed. This is a hack required because s_ssl and
- * c_ssl are sharing the same BIO structure and SSL_set_bio() and
- * SSL_free() automatically BIO_free non NULL entries. You should not
- * normally do this or be required to do this
- */
- if (s_ssl != NULL) {
- s_ssl->rbio = NULL;
- s_ssl->wbio = NULL;
- }
- if (c_ssl != NULL) {
- c_ssl->rbio = NULL;
- c_ssl->wbio = NULL;
- }
-
BIO_free(c_to_s);
BIO_free(s_to_c);
BIO_free_all(c_bio);
projects / oweals / openssl.git / blobdiff