X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=test%2Fssltest.c;h=b5d44a0c0fe5db1b4aa9515d863fca9cd113123d;hb=8c6afbc55cc8e2d036c0af5adbaff82d8117c6b2;hp=25bec77031fee14f11d0d06d367d5b55fe15860e;hpb=e0e920b1a063f14f36418f8795c96f2c649400e1;p=oweals%2Fopenssl.git diff --git a/test/ssltest.c b/test/ssltest.c index 25bec77031..b5d44a0c0f 100644 --- a/test/ssltest.c +++ b/test/ssltest.c @@ -1,4 +1,3 @@ -/* ssl/ssltest.c */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -142,6 +141,7 @@ /* Or gethostname won't be declared properly on Linux and GNU platforms. */ #define _BSD_SOURCE 1 +#define _DEFAULT_SOURCE 1 #include #include @@ -204,32 +204,13 @@ # include OPENSSL_UNISTD #endif -#ifdef OPENSSL_SYS_VMS -# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM" -# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM" -#elif defined(OPENSSL_SYS_WINCE) -# define TEST_SERVER_CERT "\\OpenSSL\\server.pem" -# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem" -#elif defined(OPENSSL_SYS_NETWARE) -# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem" -# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem" -#else -# define TEST_SERVER_CERT "../apps/server.pem" -# define TEST_CLIENT_CERT "../apps/client.pem" -#endif - /* - * There is really no standard for this, so let's assign some tentative - * numbers. In any case, these numbers are only for this test + * There is really no standard for this, so let's assign something + * only for this test */ -#define COMP_RLE 255 #define COMP_ZLIB 1 static int verify_callback(int ok, X509_STORE_CTX *ctx); -#ifndef OPENSSL_NO_RSA -static RSA *tmp_rsa_cb(SSL *s, int is_export, int keylength); -static void free_tmp_rsa(void); -#endif static int app_verify_callback(X509_STORE_CTX *ctx, void *arg); #define APP_CALLBACK_STRING "Test Callback Argument" struct app_verify_arg { @@ -271,7 +252,7 @@ typedef struct srp_client_arg_st { static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg) { SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg; - return BUF_strdup((char *)srp_client_arg->srppassin); + return OPENSSL_strdup((char *)srp_client_arg->srppassin); } /* SRP server */ @@ -303,9 +284,9 @@ static BIO *bio_stdout = NULL; #ifndef OPENSSL_NO_NEXTPROTONEG /* Note that this code assumes that this is only a one element list: */ static const char NEXT_PROTO_STRING[] = "\x09testproto"; -int npn_client = 0; -int npn_server = 0; -int npn_server_reject = 0; +static int npn_client = 0; +static int npn_server = 0; +static int npn_server_reject = 0; static int cb_client_npn(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, @@ -385,6 +366,11 @@ static const char *alpn_client; static const char *alpn_server; static const char *alpn_expected; static unsigned char *alpn_selected; +static const char *server_min_proto; +static const char *server_max_proto; +static const char *client_min_proto; +static const char *client_max_proto; +static const char *should_negotiate; /*- * next_protos_parse parses a comma separated list of strings into a string @@ -466,12 +452,15 @@ static int verify_alpn(SSL *client, SSL *server) SSL_get0_alpn_selected(client, &client_proto, &client_proto_len); SSL_get0_alpn_selected(server, &server_proto, &server_proto_len); - if (alpn_selected != NULL) { - OPENSSL_free(alpn_selected); - alpn_selected = NULL; + OPENSSL_free(alpn_selected); + alpn_selected = NULL; + + if (client_proto_len != server_proto_len) { + BIO_printf(bio_stdout, "ALPN selected protocols differ!\n"); + goto err; } - if (client_proto_len != server_proto_len || + if (client_proto != NULL && memcmp(client_proto, server_proto, client_proto_len) != 0) { BIO_printf(bio_stdout, "ALPN selected protocols differ!\n"); goto err; @@ -517,24 +506,24 @@ static int verify_alpn(SSL *client, SSL *server) #define CUSTOM_EXT_TYPE_2 1002 #define CUSTOM_EXT_TYPE_3 1003 -const char custom_ext_cli_string[] = "abc"; -const char custom_ext_srv_string[] = "defg"; +static const char custom_ext_cli_string[] = "abc"; +static const char custom_ext_srv_string[] = "defg"; /* These set from cmdline */ -char *serverinfo_file = NULL; -int serverinfo_sct = 0; -int serverinfo_tack = 0; +static char *serverinfo_file = NULL; +static int serverinfo_sct = 0; +static int serverinfo_tack = 0; /* These set based on extension callbacks */ -int serverinfo_sct_seen = 0; -int serverinfo_tack_seen = 0; -int serverinfo_other_seen = 0; +static int serverinfo_sct_seen = 0; +static int serverinfo_tack_seen = 0; +static int serverinfo_other_seen = 0; /* This set from cmdline */ -int custom_ext = 0; +static int custom_ext = 0; /* This set based on extension callbacks */ -int custom_ext_error = 0; +static int custom_ext_error = 0; static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in, size_t inlen, @@ -743,6 +732,8 @@ static int debug = 0; static const char rnd_seed[] = "string to make the random number generator think it has entropy"; +int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family, + long bytes, clock_t *s_time, clock_t *c_time); int doit_biopair(SSL *s_ssl, SSL *c_ssl, long bytes, clock_t *s_time, clock_t *c_time); int doit(SSL *s_ssl, SSL *c_ssl, long bytes); @@ -769,7 +760,9 @@ static void sv_usage(void) " -bytes - number of bytes to swap between client/server\n"); #ifndef OPENSSL_NO_DH fprintf(stderr, - " -dhe1024 - use 1024 bit key (safe prime) for DHE\n"); + " -dhe512 - use 512 bit key for DHE (to test failure)\n"); + fprintf(stderr, + " -dhe1024 - use 1024 bit key (safe prime) for DHE (default, no-op)\n"); fprintf(stderr, " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n"); fprintf(stderr, " -no_dhe - disable DHE\n"); @@ -784,13 +777,20 @@ static void sv_usage(void) fprintf(stderr, " -srpuser user - SRP username to use\n"); fprintf(stderr, " -srppass arg - password for 'user'\n"); #endif -#ifndef OPENSSL_NO_SSL3_METHOD +#ifndef OPENSSL_NO_SSL3 fprintf(stderr, " -ssl3 - use SSLv3\n"); #endif +#ifndef OPENSSL_NO_TLS1 fprintf(stderr, " -tls1 - use TLSv1\n"); +#endif #ifndef OPENSSL_NO_DTLS + fprintf(stderr, " -dtls - use DTLS\n"); +#ifndef OPENSSL_NO_DTLS1 fprintf(stderr, " -dtls1 - use DTLSv1\n"); +#endif +#ifndef OPENSSL_NO_DTLS1_2 fprintf(stderr, " -dtls12 - use DTLSv1.2\n"); +#endif #endif fprintf(stderr, " -CApath arg - PEM format directory of CA's\n"); fprintf(stderr, " -CAfile arg - PEM format file of CA's\n"); @@ -802,11 +802,12 @@ static void sv_usage(void) " -c_key arg - Client key file (default: same as -c_cert)\n"); fprintf(stderr, " -cipher arg - The cipher list\n"); fprintf(stderr, " -bio_pair - Use BIO pairs\n"); + fprintf(stderr, " -ipv4 - Use IPv4 connection on localhost\n"); + fprintf(stderr, " -ipv6 - Use IPv6 connection on localhost\n"); fprintf(stderr, " -f - Test even cases that can't work\n"); fprintf(stderr, " -time - measure processor time used by client and server\n"); fprintf(stderr, " -zlib - use zlib compression\n"); - fprintf(stderr, " -rle - use rle compression\n"); #ifndef OPENSSL_NO_EC fprintf(stderr, " -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" @@ -832,6 +833,11 @@ static void sv_usage(void) fprintf(stderr, " -alpn_server - have server side offer ALPN\n"); fprintf(stderr, " -alpn_expected - the ALPN protocol that should be negotiated\n"); + fprintf(stderr, " -server_min_proto - Minimum version the server should support\n"); + fprintf(stderr, " -server_max_proto - Maximum version the server should support\n"); + fprintf(stderr, " -client_min_proto - Minimum version the client should support\n"); + fprintf(stderr, " -client_max_proto - Maximum version the client should support\n"); + fprintf(stderr, " -should_negotiate - The version that should be negotiated, fail-client or fail-server\n"); } static void print_key_details(BIO *out, EVP_PKEY *key) @@ -956,21 +962,63 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line) } } +/* + * protocol_from_string - converts a protocol version string to a number + * + * Returns -1 on failure or the version on success + */ +static int protocol_from_string(const char *value) +{ + struct protocol_versions { + const char *name; + int version; + }; + static const struct protocol_versions versions[] = { + {"ssl3", SSL3_VERSION}, + {"tls1", TLS1_VERSION}, + {"tls1.1", TLS1_1_VERSION}, + {"tls1.2", TLS1_2_VERSION}, + {"dtls1", DTLS1_VERSION}, + {"dtls1.2", DTLS1_2_VERSION}}; + size_t i; + size_t n = OSSL_NELEM(versions); + + for (i = 0; i < n; i++) + if (strcmp(versions[i].name, value) == 0) + return versions[i].version; + return -1; +} + +/* + * set_protocol_version - Sets protocol version minimum or maximum + * + * Returns 0 on failure and 1 on success + */ +static int set_protocol_version(const char *version, SSL *ssl, int setting) +{ + if (version != NULL) { + int ver = protocol_from_string(version); + if (ver < 0) { + BIO_printf(bio_err, "Error parsing: %s\n", version); + return 0; + } + return SSL_ctrl(ssl, setting, ver, NULL); + } + return 1; +} + int main(int argc, char *argv[]) { char *CApath = NULL, *CAfile = NULL; int badop = 0; - int bio_pair = 0; + enum { BIO_MEM, BIO_PAIR, BIO_IPV4, BIO_IPV6 } bio_type = BIO_MEM; int force = 0; - int dtls1 = 0, dtls12 = 0, tls1 = 0, ssl3 = 0, ret = 1; + int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, ssl3 = 0, ret = 1; int client_auth = 0; int server_auth = 0, i; struct app_verify_arg app_verify_arg = { APP_CALLBACK_STRING, 0, 0, NULL, NULL }; - char *server_cert = TEST_SERVER_CERT; - char *server_key = NULL; - char *client_cert = TEST_CLIENT_CERT; - char *client_key = NULL; + char *p; #ifndef OPENSSL_NO_EC char *named_curve = NULL; #endif @@ -982,7 +1030,7 @@ int main(int argc, char *argv[]) long bytes = 256L; #ifndef OPENSSL_NO_DH DH *dh; - int dhe1024 = 0, dhe1024dsa = 0; + int dhe512 = 0, dhe1024dsa = 0; #endif #ifndef OPENSSL_NO_EC EC_KEY *ecdh = NULL; @@ -999,7 +1047,7 @@ int main(int argc, char *argv[]) int print_time = 0; clock_t s_time = 0, c_time = 0; #ifndef OPENSSL_NO_COMP - int comp = 0; + int n, comp = 0; COMP_METHOD *cm = NULL; STACK_OF(SSL_COMP) *ssl_comp_methods = NULL; #endif @@ -1007,11 +1055,11 @@ int main(int argc, char *argv[]) #ifdef OPENSSL_FIPS int fips_mode = 0; #endif - int no_protocol = 0; + int no_protocol; SSL_CONF_CTX *s_cctx = NULL, *c_cctx = NULL; STACK_OF(OPENSSL_STRING) *conf_args = NULL; - const char *arg = NULL, *argn = NULL; + char *arg = NULL, *argn = NULL; verbose = 0; debug = 0; @@ -1021,15 +1069,9 @@ int main(int argc, char *argv[]) CRYPTO_set_locking_callback(lock_dbg_cb); - /* enable memory leak checking unless explicitly disabled */ - if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) - && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off")))) { - CRYPTO_malloc_debug_init(); - CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); - } else { - /* OPENSSL_DEBUG_MEMORY=off */ - CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0); - } + p = getenv("OPENSSL_DEBUG_MEMORY"); + if (p != NULL && strcmp(p, "on") == 0) + CRYPTO_set_mem_debug(1); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); RAND_seed(rnd_seed, sizeof rnd_seed); @@ -1045,14 +1087,18 @@ int main(int argc, char *argv[]) } SSL_CONF_CTX_set_flags(s_cctx, - SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER); + SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER | + SSL_CONF_FLAG_CERTIFICATE | + SSL_CONF_FLAG_REQUIRE_PRIVATE); if (!SSL_CONF_CTX_set1_prefix(s_cctx, "-s_")) { ERR_print_errors(bio_err); goto end; } SSL_CONF_CTX_set_flags(c_cctx, - SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_CLIENT); + SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_CLIENT | + SSL_CONF_FLAG_CERTIFICATE | + SSL_CONF_FLAG_REQUIRE_PRIVATE); if (!SSL_CONF_CTX_set1_prefix(c_cctx, "-c_")) { ERR_print_errors(bio_err); goto end; @@ -1062,7 +1108,7 @@ int main(int argc, char *argv[]) argv++; while (argc >= 1) { - if (!strcmp(*argv, "-F")) { + if (strcmp(*argv, "-F") == 0) { #ifdef OPENSSL_FIPS fips_mode = 1; #else @@ -1088,19 +1134,19 @@ int main(int argc, char *argv[]) debug = 1; else if (strcmp(*argv, "-reuse") == 0) reuse = 1; - else if (strcmp(*argv, "-dhe1024") == 0) { + else if (strcmp(*argv, "-dhe512") == 0) { #ifndef OPENSSL_NO_DH - dhe1024 = 1; + dhe512 = 1; #else fprintf(stderr, - "ignoring -dhe1024, since I'm compiled without DH\n"); + "ignoring -dhe512, since I'm compiled without DH\n"); #endif } else if (strcmp(*argv, "-dhe1024dsa") == 0) { #ifndef OPENSSL_NO_DH dhe1024dsa = 1; #else fprintf(stderr, - "ignoring -dhe1024, since I'm compiled without DH\n"); + "ignoring -dhe1024dsa, since I'm compiled without DH\n"); #endif } else if (strcmp(*argv, "-no_dhe") == 0) no_dhe = 1; @@ -1136,20 +1182,13 @@ int main(int argc, char *argv[]) else if (strcmp(*argv, "-tls1") == 0) { tls1 = 1; } else if (strcmp(*argv, "-ssl3") == 0) { -#ifdef OPENSSL_NO_SSL3_METHOD - no_protocol = 1; -#endif ssl3 = 1; } else if (strcmp(*argv, "-dtls1") == 0) { -#ifdef OPENSSL_NO_DTLS - no_protocol = 1; -#endif dtls1 = 1; } else if (strcmp(*argv, "-dtls12") == 0) { -#ifdef OPENSSL_NO_DTLS - no_protocol = 1; -#endif dtls12 = 1; + } else if (strcmp(*argv, "-dtls") == 0) { + dtls = 1; } else if (strncmp(*argv, "-num", 4) == 0) { if (--argc < 1) goto bad; @@ -1167,30 +1206,6 @@ int main(int argc, char *argv[]) bytes *= 1024L; if (argv[0][i - 1] == 'm') bytes *= 1024L * 1024L; - } else if (strcmp(*argv, "-cert") == 0) { - if (--argc < 1) - goto bad; - server_cert = *(++argv); - } else if (strcmp(*argv, "-s_cert") == 0) { - if (--argc < 1) - goto bad; - server_cert = *(++argv); - } else if (strcmp(*argv, "-key") == 0) { - if (--argc < 1) - goto bad; - server_key = *(++argv); - } else if (strcmp(*argv, "-s_key") == 0) { - if (--argc < 1) - goto bad; - server_key = *(++argv); - } else if (strcmp(*argv, "-c_cert") == 0) { - if (--argc < 1) - goto bad; - client_cert = *(++argv); - } else if (strcmp(*argv, "-c_key") == 0) { - if (--argc < 1) - goto bad; - client_key = *(++argv); } else if (strcmp(*argv, "-cipher") == 0) { if (--argc < 1) goto bad; @@ -1204,7 +1219,11 @@ int main(int argc, char *argv[]) goto bad; CAfile = *(++argv); } else if (strcmp(*argv, "-bio_pair") == 0) { - bio_pair = 1; + bio_type = BIO_PAIR; + } else if (strcmp(*argv, "-ipv4") == 0) { + bio_type = BIO_IPV4; + } else if (strcmp(*argv, "-ipv6") == 0) { + bio_type = BIO_IPV6; } else if (strcmp(*argv, "-f") == 0) { force = 1; } else if (strcmp(*argv, "-time") == 0) { @@ -1213,8 +1232,6 @@ int main(int argc, char *argv[]) #ifndef OPENSSL_NO_COMP else if (strcmp(*argv, "-zlib") == 0) { comp = COMP_ZLIB; - } else if (strcmp(*argv, "-rle") == 0) { - comp = COMP_RLE; } #endif else if (strcmp(*argv, "-named_curve") == 0) { @@ -1265,6 +1282,26 @@ int main(int argc, char *argv[]) if (--argc < 1) goto bad; alpn_expected = *(++argv); + } else if (strcmp(*argv, "-server_min_proto") == 0) { + if (--argc < 1) + goto bad; + server_min_proto = *(++argv); + } else if (strcmp(*argv, "-server_max_proto") == 0) { + if (--argc < 1) + goto bad; + server_max_proto = *(++argv); + } else if (strcmp(*argv, "-client_min_proto") == 0) { + if (--argc < 1) + goto bad; + client_min_proto = *(++argv); + } else if (strcmp(*argv, "-client_max_proto") == 0) { + if (--argc < 1) + goto bad; + client_max_proto = *(++argv); + } else if (strcmp(*argv, "-should_negotiate") == 0) { + if (--argc < 1) + goto bad; + should_negotiate = *(++argv); } else { int rv; arg = argv[0]; @@ -1323,12 +1360,34 @@ int main(int argc, char *argv[]) goto end; } - if (ssl3 + tls1 + dtls1 + dtls12 > 1) { - fprintf(stderr, "At most one of -ssl3, -tls1, -dtls1 or -dtls12 should " + if (ssl3 + tls1 + dtls + dtls1 + dtls12 > 1) { + fprintf(stderr, "At most one of -ssl3, -tls1, -dtls, -dtls1 or -dtls12 should " "be requested.\n"); EXIT(1); } +#ifdef OPENSSL_NO_SSL3 + if (ssl3) + no_protocol = 1; + else +#endif +#ifdef OPENSSL_NO_TLS1 + if (tls1) + no_protocol = 1; + else +#endif +#if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1) + if (dtls1) + no_protocol = 1; + else +#endif +#if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1_2) + if (dtls12) + no_protocol = 1; + else +#endif + no_protocol = 0; + /* * Testing was requested for a compiled-out protocol (e.g. SSLv3). * Ideally, we would error out, but the generic test wrapper can't know @@ -1341,18 +1400,17 @@ int main(int argc, char *argv[]) goto end; } - if (!ssl3 && !tls1 && !dtls1 && !dtls12 && number > 1 && !reuse && !force) { + if (!ssl3 && !tls1 && !dtls && !dtls1 && !dtls12 && number > 1 && !reuse && !force) { fprintf(stderr, "This case cannot work. Use -f to perform " "the test anyway (and\n-d to see what happens), " - "or add one of -ssl3, -tls1, -dtls1, -dtls12, -reuse\n" + "or add one of -ssl3, -tls1, -dtls, -dtls1, -dtls12, -reuse\n" "to avoid protocol mismatch.\n"); EXIT(1); } #ifdef OPENSSL_FIPS if (fips_mode) { if (!FIPS_mode_set(1)) { - ERR_load_crypto_strings(); - ERR_print_errors(BIO_new_fp(stderr, BIO_NOCLOSE)); + ERR_print_errors(bio_err); EXIT(1); } else fprintf(stderr, "*** IN FIPS MODE ***\n"); @@ -1360,9 +1418,9 @@ int main(int argc, char *argv[]) #endif if (print_time) { - if (!bio_pair) { + if (bio_type != BIO_PAIR) { fprintf(stderr, "Using BIO pair (-bio_pair)\n"); - bio_pair = 1; + bio_type = BIO_PAIR; } if (number < 50 && !force) fprintf(stderr, @@ -1371,16 +1429,11 @@ int main(int argc, char *argv[]) /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */ - SSL_library_init(); - SSL_load_error_strings(); - #ifndef OPENSSL_NO_COMP if (comp == COMP_ZLIB) cm = COMP_zlib(); - if (comp == COMP_RLE) - cm = COMP_rle(); if (cm != NULL) { - if (cm->type != NID_undef) { + if (COMP_get_type(cm) != NID_undef) { if (SSL_COMP_add_compression_method(comp, cm) != 0) { fprintf(stderr, "Failed to add compression method\n"); ERR_print_errors_fp(stderr); @@ -1388,24 +1441,20 @@ int main(int argc, char *argv[]) } else { fprintf(stderr, "Warning: %s compression not supported\n", - (comp == COMP_RLE ? "rle" : - (comp == COMP_ZLIB ? "zlib" : "unknown"))); + comp == COMP_ZLIB ? "zlib" : "unknown"); ERR_print_errors_fp(stderr); } } ssl_comp_methods = SSL_COMP_get_compression_methods(); - fprintf(stderr, "Available compression methods:"); - { - int j, n = sk_SSL_COMP_num(ssl_comp_methods); - if (n == 0) - fprintf(stderr, " NONE\n"); - else { - for (j = 0; j < n; j++) { - SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j); - fprintf(stderr, " %s:%d", c->name, c->id); - } - fprintf(stderr, "\n"); + n = sk_SSL_COMP_num(ssl_comp_methods); + if (n) { + int j; + printf("Available compression methods:"); + for (j = 0; j < n; j++) { + SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j); + printf(" %s:%d", c->name, c->id); } + printf("\n"); } #endif @@ -1414,22 +1463,32 @@ int main(int argc, char *argv[]) * (Otherwise we exit early.) However the compiler doesn't know this, so * we ifdef. */ -#ifndef OPENSSL_NO_SSL3 - if (ssl3) - meth = SSLv3_method(); - else -#endif #ifndef OPENSSL_NO_DTLS +#ifndef OPENSSL_NO_DTLS1 if (dtls1) meth = DTLSv1_method(); - else if (dtls12) + else +#endif +#ifndef OPENSSL_NO_DTLS1_2 + if (dtls12) meth = DTLSv1_2_method(); else #endif + if (dtls) + meth = DTLS_method(); + else +#endif +#ifndef OPENSSL_NO_SSL3 + if (ssl3) + meth = SSLv3_method(); + else +#endif +#ifndef OPENSSL_NO_TLS1 if (tls1) meth = TLSv1_method(); else - meth = SSLv23_method(); +#endif + meth = TLS_method(); c_ctx = SSL_CTX_new(meth); s_ctx = SSL_CTX_new(meth); @@ -1439,13 +1498,14 @@ int main(int argc, char *argv[]) } /* * Since we will use low security ciphersuites and keys for testing set - * security level to zero. + * security level to zero by default. Tests can override this by adding + * "@SECLEVEL=n" to the cipher string. */ SSL_CTX_set_security_level(c_ctx, 0); SSL_CTX_set_security_level(s_ctx, 0); if (cipher != NULL) { - if(!SSL_CTX_set_cipher_list(c_ctx, cipher) + if (!SSL_CTX_set_cipher_list(c_ctx, cipher) || !SSL_CTX_set_cipher_list(s_ctx, cipher)) { ERR_print_errors(bio_err); goto end; @@ -1485,10 +1545,10 @@ int main(int argc, char *argv[]) */ SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); dh = get_dh1024dsa(); - } else if (dhe1024) - dh = get_dh1024(); - else + } else if (dhe512) dh = get_dh512(); + else + dh = get_dh1024(); SSL_CTX_set_tmp_dh(s_ctx, dh); DH_free(dh); } @@ -1506,12 +1566,9 @@ int main(int argc, char *argv[]) BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve); goto end; } - } else -# ifdef OPENSSL_NO_EC2M + } else { nid = NID_X9_62_prime256v1; -# else - nid = NID_sect163r2; -# endif + } ecdh = EC_KEY_new_by_curve_name(nid); if (ecdh == NULL) { @@ -1527,30 +1584,6 @@ int main(int argc, char *argv[]) (void)no_ecdhe; #endif -#ifndef OPENSSL_NO_RSA - SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb); -#endif - - if (!SSL_CTX_use_certificate_file(s_ctx, server_cert, SSL_FILETYPE_PEM)) { - ERR_print_errors(bio_err); - } else if (!SSL_CTX_use_PrivateKey_file(s_ctx, - (server_key ? server_key : - server_cert), - SSL_FILETYPE_PEM)) { - ERR_print_errors(bio_err); - goto end; - } - - if (client_auth) { - if(!SSL_CTX_use_certificate_file(c_ctx, client_cert, SSL_FILETYPE_PEM) - || !SSL_CTX_use_PrivateKey_file(c_ctx, - (client_key ? client_key : client_cert), - SSL_FILETYPE_PEM)) { - ERR_print_errors(bio_err); - goto end; - } - } - if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) || (!SSL_CTX_set_default_verify_paths(s_ctx)) || (!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) || @@ -1561,7 +1594,7 @@ int main(int argc, char *argv[]) } if (client_auth) { - BIO_printf(bio_err, "client authentication\n"); + printf("client authentication\n"); SSL_CTX_set_verify(s_ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback); @@ -1569,7 +1602,7 @@ int main(int argc, char *argv[]) &app_verify_arg); } if (server_auth) { - BIO_printf(bio_err, "server authentication\n"); + printf("server authentication\n"); SSL_CTX_set_verify(c_ctx, SSL_VERIFY_PEER, verify_callback); SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg); @@ -1577,7 +1610,7 @@ int main(int argc, char *argv[]) { int session_id_context = 0; - if(!SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, + if (!SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context)) { ERR_print_errors(bio_err); goto end; @@ -1649,7 +1682,7 @@ int main(int argc, char *argv[]) #endif if (serverinfo_sct) { - if(!SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE, + if (!SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE, NULL, NULL, NULL, serverinfo_cli_parse_cb, NULL)) { BIO_printf(bio_err, "Error adding SCT extension\n"); @@ -1657,7 +1690,7 @@ int main(int argc, char *argv[]) } } if (serverinfo_tack) { - if(!SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE, + if (!SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE, NULL, NULL, NULL, serverinfo_cli_parse_cb, NULL)) { BIO_printf(bio_err, "Error adding TACK extension\n"); @@ -1671,35 +1704,35 @@ int main(int argc, char *argv[]) } if (custom_ext) { - if(!SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0, + if (!SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0, custom_ext_0_cli_add_cb, NULL, NULL, custom_ext_0_cli_parse_cb, NULL) - || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1, + || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1, custom_ext_1_cli_add_cb, NULL, NULL, custom_ext_1_cli_parse_cb, NULL) - || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2, + || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2, custom_ext_2_cli_add_cb, NULL, NULL, custom_ext_2_cli_parse_cb, NULL) - || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3, + || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3, custom_ext_3_cli_add_cb, NULL, NULL, custom_ext_3_cli_parse_cb, NULL) - || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0, + || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0, custom_ext_0_srv_add_cb, NULL, NULL, custom_ext_0_srv_parse_cb, NULL) - || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1, + || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1, custom_ext_1_srv_add_cb, NULL, NULL, custom_ext_1_srv_parse_cb, NULL) - || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2, + || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2, custom_ext_2_srv_add_cb, NULL, NULL, custom_ext_2_srv_parse_cb, NULL) - || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3, + || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3, custom_ext_3_srv_add_cb, NULL, NULL, custom_ext_3_srv_parse_cb, NULL)) { @@ -1720,7 +1753,7 @@ int main(int argc, char *argv[]) goto end; } /* Returns 0 on success!! */ - if(SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len)) { + if (SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len)) { BIO_printf(bio_err, "Error setting ALPN\n"); OPENSSL_free(alpn); goto end; @@ -1731,41 +1764,62 @@ int main(int argc, char *argv[]) c_ssl = SSL_new(c_ctx); s_ssl = SSL_new(s_ctx); -#ifndef OPENSSL_NO_KRB5 - if (c_ssl && c_ssl->kssl_ctx) { - char localhost[MAXHOSTNAMELEN + 2]; - - if (gethostname(localhost, sizeof localhost - 1) == 0) { - localhost[sizeof localhost - 1] = '\0'; - if (strlen(localhost) == sizeof localhost - 1) { - BIO_printf(bio_err, "localhost name too long\n"); - goto end; - } - kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, localhost); - } - } -#endif /* OPENSSL_NO_KRB5 */ + if (!set_protocol_version(server_min_proto, s_ssl, SSL_CTRL_SET_MIN_PROTO_VERSION)) + goto end; + if (!set_protocol_version(server_max_proto, s_ssl, SSL_CTRL_SET_MAX_PROTO_VERSION)) + goto end; + if (!set_protocol_version(client_min_proto, c_ssl, SSL_CTRL_SET_MIN_PROTO_VERSION)) + goto end; + if (!set_protocol_version(client_max_proto, c_ssl, SSL_CTRL_SET_MAX_PROTO_VERSION)) + goto end; + BIO_printf(bio_stdout, "Doing handshakes=%d bytes=%ld\n", number, bytes); for (i = 0; i < number; i++) { if (!reuse) { - if(!SSL_set_session(c_ssl, NULL)) { + if (!SSL_set_session(c_ssl, NULL)) { BIO_printf(bio_err, "Failed to set session\n"); goto end; } } - if (bio_pair) - ret = doit_biopair(s_ssl, c_ssl, bytes, &s_time, &c_time); - else + switch (bio_type) { + case BIO_MEM: ret = doit(s_ssl, c_ssl, bytes); - if (ret) break; + break; + case BIO_PAIR: + ret = doit_biopair(s_ssl, c_ssl, bytes, &s_time, &c_time); + break; + case BIO_IPV4: + ret = doit_localhost(s_ssl, c_ssl, BIO_FAMILY_IPV4, + bytes, &s_time, &c_time); + break; + case BIO_IPV6: + ret = doit_localhost(s_ssl, c_ssl, BIO_FAMILY_IPV6, + bytes, &s_time, &c_time); + break; + } + if (ret) break; + } + + if (should_negotiate && ret == 0 && + strcmp(should_negotiate, "fail-server") != 0 && + strcmp(should_negotiate, "fail-client") != 0) { + int version = protocol_from_string(should_negotiate); + if (version < 0) { + BIO_printf(bio_err, "Error parsing: %s\n", should_negotiate); + ret = 1; + goto err; + } + if (SSL_version(c_ssl) != version) { + BIO_printf(bio_err, "Unxpected version negotiated. " + "Expected: %s, got %s\n", should_negotiate, SSL_get_version(c_ssl)); + ret = 1; + goto err; + } } if (!verbose) { print_details(c_ssl, ""); } - if ((i > 1) || (bytes > 1L)) - BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n", i, - bytes); if (print_time) { #ifdef CLOCKS_PER_SEC /* @@ -1785,6 +1839,7 @@ int main(int argc, char *argv[]) #endif } + err: SSL_free(s_ssl); SSL_free(c_ssl); @@ -1797,21 +1852,295 @@ int main(int argc, char *argv[]) BIO_free(bio_stdout); -#ifndef OPENSSL_NO_RSA - free_tmp_rsa(); -#endif -#ifndef OPENSSL_NO_ENGINE - ENGINE_cleanup(); +#ifndef OPENSSL_NO_CRYPTO_MDEBUG + if (CRYPTO_mem_leaks(bio_err) <= 0) + ret = 1; #endif - CRYPTO_cleanup_all_ex_data(); - ERR_free_strings(); - ERR_remove_thread_state(NULL); - EVP_cleanup(); - CRYPTO_mem_leaks(bio_err); BIO_free(bio_err); EXIT(ret); } +int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family, long count, + clock_t *s_time, clock_t *c_time) +{ + long cw_num = count, cr_num = count, sw_num = count, sr_num = count; + BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL; + BIO *acpt = NULL, *server = NULL, *client = NULL; + char addr_str[40]; + int ret = 1; + int err_in_client = 0; + int err_in_server = 0; + + acpt = BIO_new_accept("0"); + if (acpt == NULL) + goto err; + BIO_set_accept_ip_family(acpt, family); + BIO_set_bind_mode(acpt, BIO_SOCK_NONBLOCK | BIO_SOCK_REUSEADDR); + if (BIO_do_accept(acpt) <= 0) + goto err; + + BIO_snprintf(addr_str, sizeof(addr_str), ":%s", BIO_get_accept_port(acpt)); + + client = BIO_new_connect(addr_str); + BIO_set_conn_ip_family(client, family); + if (!client) + goto err; + + if (BIO_set_nbio(client, 1) <= 0) + goto err; + if (BIO_set_nbio(acpt, 1) <= 0) + goto err; + + { + int st_connect = 0, st_accept = 0; + + while(!st_connect || !st_accept) { + if (!st_connect) { + if (BIO_do_connect(client) <= 0) { + if (!BIO_should_retry(client)) + goto err; + } else { + st_connect = 1; + } + } + if (!st_accept) { + if (BIO_do_accept(acpt) <= 0) { + if (!BIO_should_retry(acpt)) + goto err; + } else { + st_accept = 1; + } + } + } + } + /* We're not interested in accepting further connects */ + server = BIO_pop(acpt); + BIO_free_all(acpt); + acpt = NULL; + + s_ssl_bio = BIO_new(BIO_f_ssl()); + if (!s_ssl_bio) + goto err; + + c_ssl_bio = BIO_new(BIO_f_ssl()); + if (!c_ssl_bio) + goto err; + + SSL_set_connect_state(c_ssl); + SSL_set_bio(c_ssl, client, client); + (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE); + + SSL_set_accept_state(s_ssl); + SSL_set_bio(s_ssl, server, server); + (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE); + + do { + /*- + * c_ssl_bio: SSL filter BIO + * + * client: I/O for SSL library + * + * + * server: I/O for SSL library + * + * s_ssl_bio: SSL filter BIO + */ + + /* + * We have non-blocking behaviour throughout this test program, but + * can be sure that there is *some* progress in each iteration; so we + * don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE -- + * we just try everything in each iteration + */ + + { + /* CLIENT */ + + char cbuf[1024 * 8]; + int i, r; + clock_t c_clock = clock(); + + memset(cbuf, 0, sizeof(cbuf)); + + if (debug) + if (SSL_in_init(c_ssl)) + printf("client waiting in SSL_connect - %s\n", + SSL_state_string_long(c_ssl)); + + if (cw_num > 0) { + /* Write to server. */ + + if (cw_num > (long)sizeof cbuf) + i = sizeof cbuf; + else + i = (int)cw_num; + r = BIO_write(c_ssl_bio, cbuf, i); + if (r < 0) { + if (!BIO_should_retry(c_ssl_bio)) { + fprintf(stderr, "ERROR in CLIENT\n"); + err_in_client = 1; + goto err; + } + /* + * BIO_should_retry(...) can just be ignored here. The + * library expects us to call BIO_write with the same + * arguments again, and that's what we will do in the + * next iteration. + */ + } else if (r == 0) { + fprintf(stderr, "SSL CLIENT STARTUP FAILED\n"); + goto err; + } else { + if (debug) + printf("client wrote %d\n", r); + cw_num -= r; + } + } + + if (cr_num > 0) { + /* Read from server. */ + + r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf)); + if (r < 0) { + if (!BIO_should_retry(c_ssl_bio)) { + fprintf(stderr, "ERROR in CLIENT\n"); + err_in_client = 1; + goto err; + } + /* + * Again, "BIO_should_retry" can be ignored. + */ + } else if (r == 0) { + fprintf(stderr, "SSL CLIENT STARTUP FAILED\n"); + goto err; + } else { + if (debug) + printf("client read %d\n", r); + cr_num -= r; + } + } + + /* + * c_time and s_time increments will typically be very small + * (depending on machine speed and clock tick intervals), but + * sampling over a large number of connections should result in + * fairly accurate figures. We cannot guarantee a lot, however + * -- if each connection lasts for exactly one clock tick, it + * will be counted only for the client or only for the server or + * even not at all. + */ + *c_time += (clock() - c_clock); + } + + { + /* SERVER */ + + char sbuf[1024 * 8]; + int i, r; + clock_t s_clock = clock(); + + memset(sbuf, 0, sizeof(sbuf)); + + if (debug) + if (SSL_in_init(s_ssl)) + printf("server waiting in SSL_accept - %s\n", + SSL_state_string_long(s_ssl)); + + if (sw_num > 0) { + /* Write to client. */ + + if (sw_num > (long)sizeof sbuf) + i = sizeof sbuf; + else + i = (int)sw_num; + r = BIO_write(s_ssl_bio, sbuf, i); + if (r < 0) { + if (!BIO_should_retry(s_ssl_bio)) { + fprintf(stderr, "ERROR in SERVER\n"); + err_in_server = 1; + goto err; + } + /* Ignore "BIO_should_retry". */ + } else if (r == 0) { + fprintf(stderr, "SSL SERVER STARTUP FAILED\n"); + goto err; + } else { + if (debug) + printf("server wrote %d\n", r); + sw_num -= r; + } + } + + if (sr_num > 0) { + /* Read from client. */ + + r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf)); + if (r < 0) { + if (!BIO_should_retry(s_ssl_bio)) { + fprintf(stderr, "ERROR in SERVER\n"); + err_in_server = 1; + goto err; + } + /* blah, blah */ + } else if (r == 0) { + fprintf(stderr, "SSL SERVER STARTUP FAILED\n"); + goto err; + } else { + if (debug) + printf("server read %d\n", r); + sr_num -= r; + } + } + + *s_time += (clock() - s_clock); + } + } + while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0); + + if (verbose) + print_details(c_ssl, "DONE via TCP connect: "); +#ifndef OPENSSL_NO_NEXTPROTONEG + if (verify_npn(c_ssl, s_ssl) < 0) { + ret = 1; + goto end; + } +#endif + if (verify_serverinfo() < 0) { + fprintf(stderr, "Server info verify error\n"); + ret = 1; + goto err; + } + if (verify_alpn(c_ssl, s_ssl) < 0) { + ret = 1; + goto err; + } + + if (custom_ext_error) { + fprintf(stderr, "Custom extension error\n"); + ret = 1; + goto err; + } + + end: + ret = 0; + + err: + ERR_print_errors(bio_err); + + BIO_free_all(acpt); + BIO_free(server); + BIO_free(client); + BIO_free(s_ssl_bio); + BIO_free(c_ssl_bio); + + if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0) + ret = (err_in_client != 0) ? 0 : 1; + else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0) + ret = (err_in_server != 0) ? 0 : 1; + + return ret; +} + int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, clock_t *s_time, clock_t *c_time) { @@ -1819,6 +2148,8 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL; BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL; int ret = 1; + int err_in_client = 0; + int err_in_server = 0; size_t bufsiz = 256; /* small buffer for testing */ @@ -1911,6 +2242,7 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, if (r < 0) { if (!BIO_should_retry(c_ssl_bio)) { fprintf(stderr, "ERROR in CLIENT\n"); + err_in_client = 1; goto err; } /* @@ -1936,6 +2268,7 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, if (r < 0) { if (!BIO_should_retry(c_ssl_bio)) { fprintf(stderr, "ERROR in CLIENT\n"); + err_in_client = 1; goto err; } /* @@ -1988,6 +2321,7 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, if (r < 0) { if (!BIO_should_retry(s_ssl_bio)) { fprintf(stderr, "ERROR in SERVER\n"); + err_in_server = 1; goto err; } /* Ignore "BIO_should_retry". */ @@ -2008,6 +2342,7 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, if (r < 0) { if (!BIO_should_retry(s_ssl_bio)) { fprintf(stderr, "ERROR in SERVER\n"); + err_in_server = 1; goto err; } /* blah, blah */ @@ -2175,6 +2510,11 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, BIO_free(s_ssl_bio); BIO_free(c_ssl_bio); + if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0) + ret = (err_in_client != 0) ? 0 : 1; + else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0) + ret = (err_in_server != 0) ? 0 : 1; + return ret; } @@ -2200,17 +2540,16 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) int c_write, s_write; int do_server = 0, do_client = 0; int max_frag = 5 * 1024; + int err_in_client = 0; + int err_in_server = 0; bufsiz = count > 40 * 1024 ? 40 * 1024 : count; - if ((cbuf = OPENSSL_malloc(bufsiz)) == NULL) + if ((cbuf = OPENSSL_zalloc(bufsiz)) == NULL) goto err; - if ((sbuf = OPENSSL_malloc(bufsiz)) == NULL) + if ((sbuf = OPENSSL_zalloc(bufsiz)) == NULL) goto err; - memset(cbuf, 0, bufsiz); - memset(sbuf, 0, bufsiz); - c_to_s = BIO_new(BIO_s_mem()); s_to_c = BIO_new(BIO_s_mem()); if ((s_to_c == NULL) || (c_to_s == NULL)) { @@ -2295,6 +2634,7 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) c_w = 1; } else { fprintf(stderr, "ERROR in CLIENT\n"); + err_in_client = 1; ERR_print_errors(bio_err); goto err; } @@ -2323,6 +2663,7 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) c_w = 1; } else { fprintf(stderr, "ERROR in CLIENT\n"); + err_in_client = 1; ERR_print_errors(bio_err); goto err; } @@ -2359,6 +2700,7 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) s_w = 1; } else { fprintf(stderr, "ERROR in SERVER\n"); + err_in_server = 1; ERR_print_errors(bio_err); goto err; } @@ -2394,6 +2736,7 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) s_w = 1; } else { fprintf(stderr, "ERROR in SERVER\n"); + err_in_server = 1; ERR_print_errors(bio_err); goto err; } @@ -2461,11 +2804,13 @@ int doit(SSL *s_ssl, SSL *c_ssl, long count) BIO_free(s_to_c); BIO_free_all(c_bio); BIO_free_all(s_bio); + OPENSSL_free(cbuf); + OPENSSL_free(sbuf); - if (cbuf) - OPENSSL_free(cbuf); - if (sbuf) - OPENSSL_free(sbuf); + if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0) + ret = (err_in_client != 0) ? 0 : 1; + else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0) + ret = (err_in_server != 0) ? 0 : 1; return (ret); } @@ -2493,7 +2838,7 @@ static int verify_callback(int ok, X509_STORE_CTX *ctx) sizeof buf); if (s != NULL) { if (ok) - fprintf(stderr, "depth=%d %s\n", ctx->error_depth, buf); + printf("depth=%d %s\n", ctx->error_depth, buf); else { fprintf(stderr, "depth=%d error=%d %s\n", ctx->error_depth, ctx->error, buf); @@ -2501,20 +2846,21 @@ static int verify_callback(int ok, X509_STORE_CTX *ctx) } if (ok == 0) { - fprintf(stderr, "Error string: %s\n", - X509_verify_cert_error_string(ctx->error)); switch (ctx->error) { + default: + fprintf(stderr, "Error string: %s\n", + X509_verify_cert_error_string(ctx->error)); + break; case X509_V_ERR_CERT_NOT_YET_VALID: case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: - fprintf(stderr, " ... ignored.\n"); ok = 1; } } if (ok == 1) { X509 *xs = ctx->current_cert; - if (xs->ex_flags & EXFLAG_PROXY) { + if (X509_get_extension_flags(xs) & EXFLAG_PROXY) { unsigned int *letters = X509_STORE_CTX_get_ex_data(ctx, get_proxy_auth_ex_data_idx ()); @@ -2566,7 +2912,7 @@ static int verify_callback(int ok, X509_STORE_CTX *ctx) * others. */ - fprintf(stderr, " Certificate proxy rights = %*.*s", i, + printf(" Certificate proxy rights = %*.*s", i, i, s); while (i-- > 0) { int c = *s++; @@ -2584,15 +2930,15 @@ static int verify_callback(int ok, X509_STORE_CTX *ctx) } found_any = 0; - fprintf(stderr, ", resulting proxy rights = "); + printf(", resulting proxy rights = "); for (i = 0; i < 26; i++) if (letters[i]) { - fprintf(stderr, "%c", i + 'A'); + printf("%c", i + 'A'); found_any = 1; } if (!found_any) - fprintf(stderr, "none"); - fprintf(stderr, "\n"); + printf("none"); + printf("\n"); PROXY_CERT_INFO_EXTENSION_free(pci); } @@ -2851,15 +3197,14 @@ static int app_verify_callback(X509_STORE_CTX *ctx, void *arg) if (cb_arg->app_verify) { char *s = NULL, buf[256]; - fprintf(stderr, "In app_verify_callback, allowing cert. "); - fprintf(stderr, "Arg is: %s\n", cb_arg->string); - fprintf(stderr, - "Finished printing do we have a context? 0x%p a cert? 0x%p\n", + printf("In app_verify_callback, allowing cert. "); + printf("Arg is: %s\n", cb_arg->string); + printf("Finished printing do we have a context? 0x%p a cert? 0x%p\n", (void *)ctx, (void *)ctx->cert); if (ctx->cert) s = X509_NAME_oneline(X509_get_subject_name(ctx->cert), buf, 256); if (s != NULL) { - fprintf(stderr, "cert depth=%d %s\n", ctx->error_depth, buf); + printf("cert depth=%d %s\n", ctx->error_depth, buf); } return (1); } @@ -2878,15 +3223,15 @@ static int app_verify_callback(X509_STORE_CTX *ctx, void *arg) } } - fprintf(stderr, " Initial proxy rights = "); + printf(" Initial proxy rights = "); for (i = 0; i < 26; i++) if (letters[i]) { - fprintf(stderr, "%c", i + 'A'); + printf("%c", i + 'A'); found_any = 1; } if (!found_any) - fprintf(stderr, "none"); - fprintf(stderr, "\n"); + printf("none"); + printf("\n"); X509_STORE_CTX_set_ex_data(ctx, get_proxy_auth_ex_data_idx(), letters); @@ -2911,53 +3256,16 @@ static int app_verify_callback(X509_STORE_CTX *ctx, void *arg) } if (!ok) fprintf(stderr, - "Proxy rights check with condition '%s' proved invalid\n", + "Proxy rights check with condition '%s' invalid\n", cb_arg->proxy_cond); else - fprintf(stderr, - "Proxy rights check with condition '%s' proved valid\n", + printf("Proxy rights check with condition '%s' ok\n", cb_arg->proxy_cond); } } return (ok); } -#ifndef OPENSSL_NO_RSA -static RSA *rsa_tmp = NULL; - -static RSA *tmp_rsa_cb(SSL *s, int is_export, int keylength) -{ - BIGNUM *bn = NULL; - if (rsa_tmp == NULL) { - bn = BN_new(); - rsa_tmp = RSA_new(); - if (!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4)) { - BIO_printf(bio_err, "Memory error..."); - goto end; - } - BIO_printf(bio_err, "Generating temp (%d bit) RSA key...", keylength); - (void)BIO_flush(bio_err); - if (!RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL)) { - BIO_printf(bio_err, "Error generating key."); - RSA_free(rsa_tmp); - rsa_tmp = NULL; - } - end: - BIO_printf(bio_err, "\n"); - (void)BIO_flush(bio_err); - } - if (bn) - BN_free(bn); - return (rsa_tmp); -} - -static void free_tmp_rsa(void) -{ - RSA_free(rsa_tmp); - rsa_tmp = NULL; -} -#endif - #ifndef OPENSSL_NO_DH /*- * These DH parameters have been generated as follows: @@ -3113,8 +3421,7 @@ static int psk_key2bn(const char *pskkey, unsigned char *psk, if (!ret) { BIO_printf(bio_err, "Could not convert PSK key '%s' to BIGNUM\n", pskkey); - if (bn) - BN_free(bn); + BN_free(bn); return 0; } if (BN_num_bytes(bn) > (int)max_psk_len) { @@ -3169,36 +3476,38 @@ static unsigned int psk_server_callback(SSL *ssl, const char *identity, static int do_test_cipherlist(void) { +#if !defined(OPENSSL_NO_SSL3) || !defined(OPENSSL_NO_TLS1) int i = 0; const SSL_METHOD *meth; const SSL_CIPHER *ci, *tci = NULL; +#endif #ifndef OPENSSL_NO_SSL3 - fprintf(stderr, "testing SSLv3 cipher list order: "); meth = SSLv3_method(); tci = NULL; while ((ci = meth->get_cipher(i++)) != NULL) { if (tci != NULL) if (ci->id >= tci->id) { - fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id); + fprintf(stderr, "testing SSLv3 cipher list order: "); + fprintf(stderr, "failed %x vs. %x\n", ci->id, tci->id); return 0; } tci = ci; } - fprintf(stderr, "ok\n"); #endif - fprintf(stderr, "testing TLSv1 cipher list order: "); +#ifndef OPENSSL_NO_TLS1 meth = TLSv1_method(); tci = NULL; while ((ci = meth->get_cipher(i++)) != NULL) { if (tci != NULL) if (ci->id >= tci->id) { - fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id); + fprintf(stderr, "testing TLSv1 cipher list order: "); + fprintf(stderr, "failed %x vs. %x\n", ci->id, tci->id); return 0; } tci = ci; } - fprintf(stderr, "ok\n"); +#endif return 1; }