diff options
author | Richard Levitte <levitte@openssl.org> | 2015-03-26 21:33:18 +0100 |
---|---|---|
committer | Richard Levitte <levitte@openssl.org> | 2015-03-31 20:16:01 +0200 |
commit | dee502be89e78e2979e3bd1d7724cf79daa6ef61 (patch) | |
tree | 53e97582c488f1a484bd42e570de6a99768fd1df /test/ssltest.c | |
parent | 30cd4ff294252c4b6a4b69cbef6a5b4117705d22 (diff) |
Stop symlinking, move files to intended directory
Rather than making include/openssl/foo.h a symlink to
crypto/foo/foo.h, this change moves the file to include/openssl/foo.h
once and for all.
Likewise, move crypto/foo/footest.c to test/footest.c, instead of
symlinking it there.
Originally-by: Geoff Thorpe <geoff@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'test/ssltest.c')
-rw-r--r-- | test/ssltest.c | 3207 |
1 files changed, 3207 insertions, 0 deletions
diff --git a/test/ssltest.c b/test/ssltest.c new file mode 100644 index 0000000000..508fedd613 --- /dev/null +++ b/test/ssltest.c @@ -0,0 +1,3207 @@ +/* ssl/ssltest.c */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ +/* ==================================================================== + * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ +/* ==================================================================== + * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. + * ECC cipher suite support in OpenSSL originally developed by + * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. + */ +/* ==================================================================== + * Copyright 2005 Nokia. All rights reserved. + * + * The portions of the attached software ("Contribution") is developed by + * Nokia Corporation and is licensed pursuant to the OpenSSL open source + * license. + * + * The Contribution, originally written by Mika Kousa and Pasi Eronen of + * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites + * support (see RFC 4279) to OpenSSL. + * + * No patent licenses or other rights except those expressly stated in + * the OpenSSL open source license shall be deemed granted or received + * expressly, by implication, estoppel, or otherwise. + * + * No assurances are provided by Nokia that the Contribution does not + * infringe the patent or other intellectual property rights of any third + * party or that the license provides you with all the necessary rights + * to make use of the Contribution. + * + * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN + * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA + * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY + * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR + * OTHERWISE. + */ + +/* Or gethostname won't be declared properly on Linux and GNU platforms. */ +#define _BSD_SOURCE 1 + +#include <assert.h> +#include <errno.h> +#include <limits.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <time.h> + +#define USE_SOCKETS +#include "e_os.h" + +#ifdef OPENSSL_SYS_VMS +/* + * Or isascii won't be declared properly on VMS (at least with DECompHP C). + */ +# define _XOPEN_SOURCE 500 +#endif + +#include <ctype.h> + +#include <openssl/bio.h> +#include <openssl/crypto.h> +#include <openssl/evp.h> +#include <openssl/x509.h> +#include <openssl/x509v3.h> +#include <openssl/ssl.h> +#ifndef OPENSSL_NO_ENGINE +# include <openssl/engine.h> +#endif +#include <openssl/err.h> +#include <openssl/rand.h> +#ifndef OPENSSL_NO_RSA +# include <openssl/rsa.h> +#endif +#ifndef OPENSSL_NO_DSA +# include <openssl/dsa.h> +#endif +#ifndef OPENSSL_NO_DH +# include <openssl/dh.h> +#endif +#ifndef OPENSSL_NO_SRP +# include <openssl/srp.h> +#endif +#include <openssl/bn.h> + +#include "../ssl/ssl_locl.h" + +/* + * Or gethostname won't be declared properly + * on Compaq platforms (at least with DEC C). + * Do not try to put it earlier, or IPv6 includes + * get screwed... + */ +#define _XOPEN_SOURCE_EXTENDED 1 + +#ifdef OPENSSL_SYS_WINDOWS +# include <winsock.h> +#else +# include OPENSSL_UNISTD +#endif + +#ifdef OPENSSL_SYS_VMS +# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM" +# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM" +#elif defined(OPENSSL_SYS_WINCE) +# define TEST_SERVER_CERT "\\OpenSSL\\server.pem" +# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem" +#elif defined(OPENSSL_SYS_NETWARE) +# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem" +# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem" +#else +# define TEST_SERVER_CERT "../apps/server.pem" +# define TEST_CLIENT_CERT "../apps/client.pem" +#endif + +/* + * There is really no standard for this, so let's assign some tentative + * numbers. In any case, these numbers are only for this test + */ +#define COMP_RLE 255 +#define COMP_ZLIB 1 + +static int verify_callback(int ok, X509_STORE_CTX *ctx); +#ifndef OPENSSL_NO_RSA +static RSA *tmp_rsa_cb(SSL *s, int is_export, int keylength); +static void free_tmp_rsa(void); +#endif +static int app_verify_callback(X509_STORE_CTX *ctx, void *arg); +#define APP_CALLBACK_STRING "Test Callback Argument" +struct app_verify_arg { + char *string; + int app_verify; + int allow_proxy_certs; + char *proxy_auth; + char *proxy_cond; +}; + +#ifndef OPENSSL_NO_DH +static DH *get_dh512(void); +static DH *get_dh1024(void); +static DH *get_dh1024dsa(void); +#endif + +static char *psk_key = NULL; /* by default PSK is not used */ +#ifndef OPENSSL_NO_PSK +static unsigned int psk_client_callback(SSL *ssl, const char *hint, + char *identity, + unsigned int max_identity_len, + unsigned char *psk, + unsigned int max_psk_len); +static unsigned int psk_server_callback(SSL *ssl, const char *identity, + unsigned char *psk, + unsigned int max_psk_len); +#endif + +#ifndef OPENSSL_NO_SRP +/* SRP client */ +/* This is a context that we pass to all callbacks */ +typedef struct srp_client_arg_st { + char *srppassin; + char *srplogin; +} SRP_CLIENT_ARG; + +# define PWD_STRLEN 1024 + +static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg) +{ + SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg; + return BUF_strdup((char *)srp_client_arg->srppassin); +} + +/* SRP server */ +/* This is a context that we pass to SRP server callbacks */ +typedef struct srp_server_arg_st { + char *expected_user; + char *pass; +} SRP_SERVER_ARG; + +static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg) +{ + SRP_SERVER_ARG *p = (SRP_SERVER_ARG *)arg; + + if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0) { + fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s)); + return SSL3_AL_FATAL; + } + if (SSL_set_srp_server_param_pw(s, p->expected_user, p->pass, "1024") < 0) { + *ad = SSL_AD_INTERNAL_ERROR; + return SSL3_AL_FATAL; + } + return SSL_ERROR_NONE; +} +#endif + +static BIO *bio_err = NULL; +static BIO *bio_stdout = NULL; + +#ifndef OPENSSL_NO_NEXTPROTONEG +/* Note that this code assumes that this is only a one element list: */ +static const char NEXT_PROTO_STRING[] = "\x09testproto"; +int npn_client = 0; +int npn_server = 0; +int npn_server_reject = 0; + +static int cb_client_npn(SSL *s, unsigned char **out, unsigned char *outlen, + const unsigned char *in, unsigned int inlen, + void *arg) +{ + /* + * This callback only returns the protocol string, rather than a length + * prefixed set. We assume that NEXT_PROTO_STRING is a one element list + * and remove the first byte to chop off the length prefix. + */ + *out = (unsigned char *)NEXT_PROTO_STRING + 1; + *outlen = sizeof(NEXT_PROTO_STRING) - 2; + return SSL_TLSEXT_ERR_OK; +} + +static int cb_server_npn(SSL *s, const unsigned char **data, + unsigned int *len, void *arg) +{ + *data = (const unsigned char *)NEXT_PROTO_STRING; + *len = sizeof(NEXT_PROTO_STRING) - 1; + return SSL_TLSEXT_ERR_OK; +} + +static int cb_server_rejects_npn(SSL *s, const unsigned char **data, + unsigned int *len, void *arg) +{ + return SSL_TLSEXT_ERR_NOACK; +} + +static int verify_npn(SSL *client, SSL *server) +{ + const unsigned char *client_s; + unsigned client_len; + const unsigned char *server_s; + unsigned server_len; + + SSL_get0_next_proto_negotiated(client, &client_s, &client_len); + SSL_get0_next_proto_negotiated(server, &server_s, &server_len); + + if (client_len) { + BIO_printf(bio_stdout, "Client NPN: "); + BIO_write(bio_stdout, client_s, client_len); + BIO_printf(bio_stdout, "\n"); + } + + if (server_len) { + BIO_printf(bio_stdout, "Server NPN: "); + BIO_write(bio_stdout, server_s, server_len); + BIO_printf(bio_stdout, "\n"); + } + + /* + * If an NPN string was returned, it must be the protocol that we + * expected to negotiate. + */ + if (client_len && (client_len != sizeof(NEXT_PROTO_STRING) - 2 || + memcmp(client_s, NEXT_PROTO_STRING + 1, client_len))) + return -1; + if (server_len && (server_len != sizeof(NEXT_PROTO_STRING) - 2 || + memcmp(server_s, NEXT_PROTO_STRING + 1, server_len))) + return -1; + + if (!npn_client && client_len) + return -1; + if (!npn_server && server_len) + return -1; + if (npn_server_reject && server_len) + return -1; + if (npn_client && npn_server && (!client_len || !server_len)) + return -1; + + return 0; +} +#endif + +static const char *alpn_client; +static const char *alpn_server; +static const char *alpn_expected; +static unsigned char *alpn_selected; + +/*- + * next_protos_parse parses a comma separated list of strings into a string + * in a format suitable for passing to SSL_CTX_set_next_protos_advertised. + * outlen: (output) set to the length of the resulting buffer on success. + * err: (maybe NULL) on failure, an error message line is written to this BIO. + * in: a NUL terminated string like "abc,def,ghi" + * + * returns: a malloced buffer or NULL on failure. + */ +static unsigned char *next_protos_parse(unsigned short *outlen, + const char *in) +{ + size_t len; + unsigned char *out; + size_t i, start = 0; + + len = strlen(in); + if (len >= 65535) + return NULL; + + out = OPENSSL_malloc(strlen(in) + 1); + if (!out) + return NULL; + + for (i = 0; i <= len; ++i) { + if (i == len || in[i] == ',') { + if (i - start > 255) { + OPENSSL_free(out); + return NULL; + } + out[start] = i - start; + start = i + 1; + } else + out[i + 1] = in[i]; + } + + *outlen = len + 1; + return out; +} + +static int cb_server_alpn(SSL *s, const unsigned char **out, + unsigned char *outlen, const unsigned char *in, + unsigned int inlen, void *arg) +{ + unsigned char *protos; + unsigned short protos_len; + + protos = next_protos_parse(&protos_len, alpn_server); + if (protos == NULL) { + fprintf(stderr, "failed to parser ALPN server protocol string: %s\n", + alpn_server); + abort(); + } + + if (SSL_select_next_proto + ((unsigned char **)out, outlen, protos, protos_len, in, + inlen) != OPENSSL_NPN_NEGOTIATED) { + OPENSSL_free(protos); + return SSL_TLSEXT_ERR_NOACK; + } + + /* + * Make a copy of the selected protocol which will be freed in + * verify_alpn. + */ + alpn_selected = OPENSSL_malloc(*outlen); + memcpy(alpn_selected, *out, *outlen); + *out = alpn_selected; + + OPENSSL_free(protos); + return SSL_TLSEXT_ERR_OK; +} + +static int verify_alpn(SSL *client, SSL *server) +{ + const unsigned char *client_proto, *server_proto; + unsigned int client_proto_len = 0, server_proto_len = 0; + SSL_get0_alpn_selected(client, &client_proto, &client_proto_len); + SSL_get0_alpn_selected(server, &server_proto, &server_proto_len); + + if (alpn_selected != NULL) { + OPENSSL_free(alpn_selected); + alpn_selected = NULL; + } + + if (client_proto_len != server_proto_len || + memcmp(client_proto, server_proto, client_proto_len) != 0) { + BIO_printf(bio_stdout, "ALPN selected protocols differ!\n"); + goto err; + } + + if (client_proto_len > 0 && alpn_expected == NULL) { + BIO_printf(bio_stdout, "ALPN unexpectedly negotiated\n"); + goto err; + } + + if (alpn_expected != NULL && + (client_proto_len != strlen(alpn_expected) || + memcmp(client_proto, alpn_expected, client_proto_len) != 0)) { + BIO_printf(bio_stdout, + "ALPN selected protocols not equal to expected protocol: %s\n", + alpn_expected); + goto err; + } + + return 0; + + err: + BIO_printf(bio_stdout, "ALPN results: client: '"); + BIO_write(bio_stdout, client_proto, client_proto_len); + BIO_printf(bio_stdout, "', server: '"); + BIO_write(bio_stdout, server_proto, server_proto_len); + BIO_printf(bio_stdout, "'\n"); + BIO_printf(bio_stdout, "ALPN configured: client: '%s', server: '%s'\n", + alpn_client, alpn_server); + return -1; +} + +#define SCT_EXT_TYPE 18 + +/* + * WARNING : below extension types are *NOT* IETF assigned, and could + * conflict if these types are reassigned and handled specially by OpenSSL + * in the future + */ +#define TACK_EXT_TYPE 62208 +#define CUSTOM_EXT_TYPE_0 1000 +#define CUSTOM_EXT_TYPE_1 1001 +#define CUSTOM_EXT_TYPE_2 1002 +#define CUSTOM_EXT_TYPE_3 1003 + +const char custom_ext_cli_string[] = "abc"; +const char custom_ext_srv_string[] = "defg"; + +/* These set from cmdline */ +char *serverinfo_file = NULL; +int serverinfo_sct = 0; +int serverinfo_tack = 0; + +/* These set based on extension callbacks */ +int serverinfo_sct_seen = 0; +int serverinfo_tack_seen = 0; +int serverinfo_other_seen = 0; + +/* This set from cmdline */ +int custom_ext = 0; + +/* This set based on extension callbacks */ +int custom_ext_error = 0; + +static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type, + const unsigned char *in, size_t inlen, + int *al, void *arg) +{ + if (ext_type == SCT_EXT_TYPE) + serverinfo_sct_seen++; + else if (ext_type == TACK_EXT_TYPE) + serverinfo_tack_seen++; + else + serverinfo_other_seen++; + return 1; +} + +static int verify_serverinfo() +{ + if (serverinfo_sct != serverinfo_sct_seen) + return -1; + if (serverinfo_tack != serverinfo_tack_seen) + return -1; + if (serverinfo_other_seen) + return -1; + return 0; +} + +/*- + * Four test cases for custom extensions: + * 0 - no ClientHello extension or ServerHello response + * 1 - ClientHello with "abc", no response + * 2 - ClientHello with "abc", empty response + * 3 - ClientHello with "abc", "defg" response + */ + +static int custom_ext_0_cli_add_cb(SSL *s, unsigned int ext_type, + const unsigned char **out, + size_t *outlen, int *al, void *arg) +{ + if (ext_type != CUSTOM_EXT_TYPE_0) + custom_ext_error = 1; + return 0; /* Don't send an extension */ +} + +static int custom_ext_0_cli_parse_cb(SSL *s, unsigned int ext_type, + const unsigned char *in, + size_t inlen, int *al, void *arg) +{ + return 1; +} + +static int custom_ext_1_cli_add_cb(SSL *s, unsigned int ext_type, + const unsigned char **out, + size_t *outlen, int *al, void *arg) +{ + if (ext_type != CUSTOM_EXT_TYPE_1) + custom_ext_error = 1; + *out = (const unsigned char *)custom_ext_cli_string; + *outlen = strlen(custom_ext_cli_string); + return 1; /* Send "abc" */ +} + +static int custom_ext_1_cli_parse_cb(SSL *s, unsigned int ext_type, + const unsigned char *in, + size_t inlen, int *al, void *arg) +{ + return 1; +} + +static int custom_ext_2_cli_add_cb(SSL *s, unsigned int ext_type, + const unsigned char **out, + size_t *outlen, int *al, void *arg) +{ + if (ext_type != CUSTOM_EXT_TYPE_2) + custom_ext_error = 1; + *out = (const unsigned char *)custom_ext_cli_string; + *outlen = strlen(custom_ext_cli_string); + return 1; /* Send "abc" */ +} + +static int custom_ext_2_cli_parse_cb(SSL *s, unsigned int ext_type, + const unsigned char *in, + size_t inlen, int *al, void *arg) +{ + if (ext_type != CUSTOM_EXT_TYPE_2) + custom_ext_error = 1; + if (inlen != 0) + custom_ext_error = 1; /* Should be empty response */ + return 1; +} + +static int custom_ext_3_cli_add_cb(SSL *s, unsigned int ext_type, + const unsigned char **out, + size_t *outlen, int *al, void *arg) +{ + if (ext_type != CUSTOM_EXT_TYPE_3) + custom_ext_error = 1; + *out = (const unsigned char *)custom_ext_cli_string; + *outlen = strlen(custom_ext_cli_string); + return 1; /* Send "abc" */ +} + +static int custom_ext_3_cli_parse_cb(SSL *s, unsigned int ext_type, + const unsigned char *in, + size_t inlen, int *al, void *arg) +{ + if (ext_type != CUSTOM_EXT_TYPE_3) + custom_ext_error = 1; + if (inlen != strlen(custom_ext_srv_string)) + custom_ext_error = 1; + if (memcmp(custom_ext_srv_string, in, inlen) != 0) + custom_ext_error = 1; /* Check for "defg" */ + return 1; +} + +/* + * custom_ext_0_cli_add_cb returns 0 - the server won't receive a callback + * for this extension + */ +static int custom_ext_0_srv_parse_cb(SSL *s, unsigned int ext_type, + const unsigned char *in, + size_t inlen, int *al, void *arg) +{ + custom_ext_error = 1; + return 1; +} + +/* 'add' callbacks are only called if the 'parse' callback is called */ +static int custom_ext_0_srv_add_cb(SSL *s, unsigned int ext_type, + const unsigned char **out, + size_t *outlen, int *al, void *arg) +{ + /* Error: should not have been called */ + custom_ext_error = 1; + return 0; /* Don't send an extension */ +} + +static int custom_ext_1_srv_parse_cb(SSL *s, unsigned int ext_type, + const unsigned char *in, + size_t inlen, int *al, void *arg) +{ + if (ext_type != CUSTOM_EXT_TYPE_1) + custom_ext_error = 1; + /* Check for "abc" */ + if (inlen != strlen(custom_ext_cli_string)) + custom_ext_error = 1; + if (memcmp(in, custom_ext_cli_string, inlen) != 0) + custom_ext_error = 1; + return 1; +} + +static int custom_ext_1_srv_add_cb(SSL *s, unsigned int ext_type, + const unsigned char **out, + size_t *outlen, int *al, void *arg) +{ + return 0; /* Don't send an extension */ +} + +static int custom_ext_2_srv_parse_cb(SSL *s, unsigned int ext_type, + const unsigned char *in, + size_t inlen, int *al, void *arg) +{ + if (ext_type != CUSTOM_EXT_TYPE_2) + custom_ext_error = 1; + /* Check for "abc" */ + if (inlen != strlen(custom_ext_cli_string)) + custom_ext_error = 1; + if (memcmp(in, custom_ext_cli_string, inlen) != 0) + custom_ext_error = 1; + return 1; +} + +static int custom_ext_2_srv_add_cb(SSL *s, unsigned int ext_type, + const unsigned char **out, + size_t *outlen, int *al, void *arg) +{ + *out = NULL; + *outlen = 0; + return 1; /* Send empty extension */ +} + +static int custom_ext_3_srv_parse_cb(SSL *s, unsigned int ext_type, + const unsigned char *in, + size_t inlen, int *al, void *arg) +{ + if (ext_type != CUSTOM_EXT_TYPE_3) + custom_ext_error = 1; + /* Check for "abc" */ + if (inlen != strlen(custom_ext_cli_string)) + custom_ext_error = 1; + if (memcmp(in, custom_ext_cli_string, inlen) != 0) + custom_ext_error = 1; + return 1; +} + +static int custom_ext_3_srv_add_cb(SSL *s, unsigned int ext_type, + const unsigned char **out, + size_t *outlen, int *al, void *arg) +{ + *out = (const unsigned char *)custom_ext_srv_string; + *outlen = strlen(custom_ext_srv_string); + return 1; /* Send "defg" */ +} + +static char *cipher = NULL; +static int verbose = 0; +static int debug = 0; +static const char rnd_seed[] = + "string to make the random number generator think it has entropy"; + +int doit_biopair(SSL *s_ssl, SSL *c_ssl, long bytes, clock_t *s_time, + clock_t *c_time); +int doit(SSL *s_ssl, SSL *c_ssl, long bytes); +static int do_test_cipherlist(void); + +static void sv_usage(void) +{ + fprintf(stderr, "usage: ssltest [args ...]\n"); + fprintf(stderr, "\n"); +#ifdef OPENSSL_FIPS + fprintf(stderr, "-F - run test in FIPS mode\n"); +#endif + fprintf(stderr, " -server_auth - check server certificate\n"); + fprintf(stderr, " -client_auth - do client authentication\n"); + fprintf(stderr, " -proxy - allow proxy certificates\n"); + fprintf(stderr, " -proxy_auth <val> - set proxy policy rights\n"); + fprintf(stderr, + " -proxy_cond <val> - expression to test proxy policy rights\n"); + fprintf(stderr, " -v - more output\n"); + fprintf(stderr, " -d - debug output\n"); + fprintf(stderr, " -reuse - use session-id reuse\n"); + fprintf(stderr, " -num <val> - number of connections to perform\n"); + fprintf(stderr, + " -bytes <val> - number of bytes to swap between client/server\n"); +#ifndef OPENSSL_NO_DH + fprintf(stderr, + " -dhe1024 - use 1024 bit key (safe prime) for DHE\n"); + fprintf(stderr, + " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n"); + fprintf(stderr, " -no_dhe - disable DHE\n"); +#endif +#ifndef OPENSSL_NO_EC + fprintf(stderr, " -no_ecdhe - disable ECDHE\n"); +#endif +#ifndef OPENSSL_NO_PSK + fprintf(stderr, " -psk arg - PSK in hex (without 0x)\n"); +#endif +#ifndef OPENSSL_NO_SRP + fprintf(stderr, " -srpuser user - SRP username to use\n"); + fprintf(stderr, " -srppass arg - password for 'user'\n"); +#endif +#ifndef OPENSSL_NO_SSL3_METHOD + fprintf(stderr, " -ssl3 - use SSLv3\n"); +#endif + fprintf(stderr, " -tls1 - use TLSv1\n"); +#ifndef OPENSSL_NO_DTLS + fprintf(stderr, " -dtls1 - use DTLSv1\n"); + fprintf(stderr, " -dtls12 - use DTLSv1.2\n"); +#endif + fprintf(stderr, " -CApath arg - PEM format directory of CA's\n"); + fprintf(stderr, " -CAfile arg - PEM format file of CA's\n"); + fprintf(stderr, " -cert arg - Server certificate file\n"); + fprintf(stderr, + " -key arg - Server key file (default: same as -cert)\n"); + fprintf(stderr, " -c_cert arg - Client certificate file\n"); + fprintf(stderr, + " -c_key arg - Client key file (default: same as -c_cert)\n"); + fprintf(stderr, " -cipher arg - The cipher list\n"); + fprintf(stderr, " -bio_pair - Use BIO pairs\n"); + fprintf(stderr, " -f - Test even cases that can't work\n"); + fprintf(stderr, + " -time - measure processor time used by client and server\n"); + fprintf(stderr, " -zlib - use zlib compression\n"); + fprintf(stderr, " -rle - use rle compression\n"); +#ifndef OPENSSL_NO_EC + fprintf(stderr, + " -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" + " Use \"openssl ecparam -list_curves\" for all names\n" + " (default is sect163r2).\n"); +#endif + fprintf(stderr, + " -test_cipherlist - Verifies the order of the ssl cipher lists.\n" + " When this option is requested, the cipherlist\n" + " tests are run instead of handshake tests.\n"); +#ifndef OPENSSL_NO_NEXTPROTONEG + fprintf(stderr, " -npn_client - have client side offer NPN\n"); + fprintf(stderr, " -npn_server - have server side offer NPN\n"); + fprintf(stderr, " -npn_server_reject - have server reject NPN\n"); +#endif + fprintf(stderr, " -serverinfo_file file - have server use this file\n"); + fprintf(stderr, " -serverinfo_sct - have client offer and expect SCT\n"); + fprintf(stderr, + " -serverinfo_tack - have client offer and expect TACK\n"); + fprintf(stderr, + " -custom_ext - try various custom extension callbacks\n"); + fprintf(stderr, " -alpn_client <string> - have client side offer ALPN\n"); + fprintf(stderr, " -alpn_server <string> - have server side offer ALPN\n"); + fprintf(stderr, + " -alpn_expected <string> - the ALPN protocol that should be negotiated\n"); +} + +static void print_key_details(BIO *out, EVP_PKEY *key) +{ + int keyid = EVP_PKEY_id(key); +#ifndef OPENSSL_NO_EC + if (keyid == EVP_PKEY_EC) { + EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key); + int nid; + const char *cname; + nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); + EC_KEY_free(ec); + cname = EC_curve_nid2nist(nid); + if (!cname) + cname = OBJ_nid2sn(nid); + BIO_printf(out, "%d bits EC (%s)", EVP_PKEY_bits(key), cname); + } else +#endif + { + const char *algname; + switch (keyid) { + case EVP_PKEY_RSA: + algname = "RSA"; + break; + case EVP_PKEY_DSA: + algname = "DSA"; + break; + case EVP_PKEY_DH: + algname = "DH"; + break; + default: + algname = OBJ_nid2sn(keyid); + break; + } + BIO_printf(out, "%d bits %s", EVP_PKEY_bits(key), algname); + } +} + +static void print_details(SSL *c_ssl, const char *prefix) +{ + const SSL_CIPHER *ciph; + int mdnid; + X509 *cert; + EVP_PKEY *pkey; + + ciph = SSL_get_current_cipher(c_ssl); + BIO_printf(bio_stdout, "%s%s, cipher %s %s", + prefix, + SSL_get_version(c_ssl), + SSL_CIPHER_get_version(ciph), SSL_CIPHER_get_name(ciph)); + cert = SSL_get_peer_certificate(c_ssl); + if (cert != NULL) { + pkey = X509_get_pubkey(cert); + if (pkey != NULL) { + BIO_puts(bio_stdout, ", "); + print_key_details(bio_stdout, pkey); + EVP_PKEY_free(pkey); + } + X509_free(cert); + } + if (SSL_get_server_tmp_key(c_ssl, &pkey)) { + BIO_puts(bio_stdout, ", temp key: "); + print_key_details(bio_stdout, pkey); + EVP_PKEY_free(pkey); + } + if (SSL_get_peer_signature_nid(c_ssl, &mdnid)) + BIO_printf(bio_stdout, ", digest=%s", OBJ_nid2sn(mdnid)); + BIO_printf(bio_stdout, "\n"); +} + +static void lock_dbg_cb(int mode, int type, const char *file, int line) +{ + static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */ + const char *errstr = NULL; + int rw; + + rw = mode & (CRYPTO_READ | CRYPTO_WRITE); + if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE))) { + errstr = "invalid mode"; + goto err; + } + + if (type < 0 || type >= CRYPTO_NUM_LOCKS) { + errstr = "type out of bounds"; + goto err; + } + + if (mode & CRYPTO_LOCK) { + if (modes[type]) { + errstr = "already locked"; + /* + * must not happen in a single-threaded program (would deadlock) + */ + goto err; + } + + modes[type] = rw; + } else if (mode & CRYPTO_UNLOCK) { + if (!modes[type]) { + errstr = "not locked"; + goto err; + } + + if (modes[type] != rw) { + errstr = (rw == CRYPTO_READ) ? + "CRYPTO_r_unlock on write lock" : + "CRYPTO_w_unlock on read lock"; + } + + modes[type] = 0; + } else { + errstr = "invalid mode"; + goto err; + } + + err: + if (errstr) { + /* we cannot use bio_err here */ + fprintf(stderr, + "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n", + errstr, mode, type, file, line); + } +} + +int main(int argc, char *argv[]) +{ + char *CApath = NULL, *CAfile = NULL; + int badop = 0; + int bio_pair = 0; + int force = 0; + int dtls1 = 0, dtls12 = 0, tls1 = 0, ssl3 = 0, ret = 1; + int client_auth = 0; + int server_auth = 0, i; + struct app_verify_arg app_verify_arg = + { APP_CALLBACK_STRING, 0, 0, NULL, NULL }; + c |