import OpenSSL-1.0.1c

author: djm <> 2012-10-13 21:23:58 +0000
committer: djm <> 2012-10-13 21:23:58 +0000
commit: eb9e590d2bbc1d57aee9aee0fe94c001fb27e697 (patch)
tree: cfb338ea736543eb88bd6c3f56f007ecb05dce51 /src/lib/libssl/src/ssl/ssltest.c
parent: dd489e85d1735eb58774a1c57c6f586cede35b5d (diff)
download: openbsd-eb9e590d2bbc1d57aee9aee0fe94c001fb27e697.tar.gz
openbsd-eb9e590d2bbc1d57aee9aee0fe94c001fb27e697.tar.bz2
openbsd-eb9e590d2bbc1d57aee9aee0fe94c001fb27e697.zip
1 files changed, 124 insertions, 9 deletions
diff --git a/src/lib/libssl/src/ssl/ssltest.c b/src/lib/libssl/src/ssl/ssltest.c
index 0bb4fa43bd..0f8fd3902d 100644
--- a/src/lib/libssl/src/ssl/ssltest.c
+++ b/src/lib/libssl/src/ssl/ssltest.c
@@ -181,6 +181,9 @@
 #ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
 #endif
+#ifndef OPENSSL_NO_SRP
+#include <openssl/srp.h>
+#endif
 #include <openssl/bn.h>
 #define _XOPEN_SOURCE_EXTENDED  1 /* Or gethostname won't be declared properly
@@ -246,6 +249,49 @@ static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned
        unsigned int max_psk_len);
 #endif
+#ifndef OPENSSL_NO_SRP
+/* SRP client */
+/* This is a context that we pass to all callbacks */
+typedef struct srp_client_arg_st
+        {
+        char *srppassin;
+        char *srplogin;
+        } SRP_CLIENT_ARG;
+#define PWD_STRLEN 1024
+static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
+        {
+        SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
+        return BUF_strdup((char *)srp_client_arg->srppassin);
+        }
+/* SRP server */
+/* This is a context that we pass to SRP server callbacks */
+typedef struct srp_server_arg_st
+        {
+        char *expected_user;
+        char *pass;
+        } SRP_SERVER_ARG;
+static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
+        {
+        SRP_SERVER_ARG * p = (SRP_SERVER_ARG *) arg;
+        if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0)
+                {
+                fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s));
+                return SSL3_AL_FATAL;
+                }
+        if (SSL_set_srp_server_param_pw(s,p->expected_user,p->pass,"1024")<0)
+                {
+                *ad = SSL_AD_INTERNAL_ERROR;
+                return SSL3_AL_FATAL;
+                }
+        return SSL_ERROR_NONE;
+        }
+#endif
 static BIO *bio_err=NULL;
 static BIO *bio_stdout=NULL;
@@ -268,6 +314,9 @@ static void sv_usage(void)
        {
        fprintf(stderr,"usage: ssltest [args ...]\n");
        fprintf(stderr,"\n");
+#ifdef OPENSSL_FIPS
+        fprintf(stderr,"-F             - run test in FIPS mode\n");
+#endif
        fprintf(stderr," -server_auth  - check server certificate\n");
        fprintf(stderr," -client_auth  - do client authentication\n");
        fprintf(stderr," -proxy        - allow proxy certificates\n");
@@ -289,6 +338,10 @@ static void sv_usage(void)
 #ifndef OPENSSL_NO_PSK
        fprintf(stderr," -psk arg      - PSK in hex (without 0x)\n");
 #endif
+#ifndef OPENSSL_NO_SRP
+        fprintf(stderr," -srpuser user  - SRP username to use\n");
+        fprintf(stderr," -srppass arg   - password for 'user'\n");
+#endif
 #ifndef OPENSSL_NO_SSL2
        fprintf(stderr," -ssl2         - use SSLv2\n");
 #endif
@@ -476,6 +529,12 @@ int main(int argc, char *argv[])
 #ifndef OPENSSL_NO_ECDH
        EC_KEY *ecdh = NULL;
 #endif
+#ifndef OPENSSL_NO_SRP
+        /* client */
+        SRP_CLIENT_ARG srp_client_arg = {NULL,NULL};
+        /* server */
+        SRP_SERVER_ARG srp_server_arg = {NULL,NULL};
+#endif
        int no_dhe = 0;
        int no_ecdhe = 0;
        int no_psk = 0;
@@ -487,6 +546,9 @@ int main(int argc, char *argv[])
 #endif
        STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
        int test_cipherlist = 0;
+#ifdef OPENSSL_FIPS
+        int fips_mode=0;
+#endif
        verbose = 0;
        debug = 0;
@@ -518,7 +580,16 @@ int main(int argc, char *argv[])
        while (argc >= 1)
                {
-                if      (strcmp(*argv,"-server_auth") == 0)
+                if(!strcmp(*argv,"-F"))
+                        {
+#ifdef OPENSSL_FIPS
+                        fips_mode=1;
+#else
+                        fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
+                        EXIT(0);
+#endif
+                        }
+                else if (strcmp(*argv,"-server_auth") == 0)
                        server_auth=1;
                else if (strcmp(*argv,"-client_auth") == 0)
                        client_auth=1;
@@ -572,6 +643,20 @@ int main(int argc, char *argv[])
                        no_psk=1;
 #endif
                        }
+#ifndef OPENSSL_NO_SRP
+                else if (strcmp(*argv,"-srpuser") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        srp_server_arg.expected_user = srp_client_arg.srplogin= *(++argv);
+                        tls1=1;
+                        }
+                else if (strcmp(*argv,"-srppass") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        srp_server_arg.pass = srp_client_arg.srppassin= *(++argv);
+                        tls1=1;
+                        }
+#endif
                else if (strcmp(*argv,"-ssl2") == 0)
                        ssl2=1;
                else if (strcmp(*argv,"-tls1") == 0)
@@ -714,6 +799,20 @@ bad:
                EXIT(1);
                }
+#ifdef OPENSSL_FIPS
+        if(fips_mode)
+                {
+                if(!FIPS_mode_set(1))
+                        {
+                        ERR_load_crypto_strings();
+                        ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+                        EXIT(1);
+                        }
+                else
+                        fprintf(stderr,"*** IN FIPS MODE ***\n");
+                }
+#endif
        if (print_time)
                {
                if (!bio_pair)
@@ -837,7 +936,11 @@ bad:
                                }
                        }
                else
+#ifdef OPENSSL_NO_EC2M
+                        nid = NID_X9_62_prime256v1;
+#else
                        nid = NID_sect163r2;
+#endif
                ecdh = EC_KEY_new_by_curve_name(nid);
                if (ecdh == NULL)
@@ -940,6 +1043,26 @@ bad:
                        }
 #endif
                }
+#ifndef OPENSSL_NO_SRP
+        if (srp_client_arg.srplogin)
+                {
+                if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin))
+                        {
+                        BIO_printf(bio_err,"Unable to set SRP username\n");
+                        goto end;
+                        }
+                SSL_CTX_set_srp_cb_arg(c_ctx,&srp_client_arg);
+                SSL_CTX_set_srp_client_pwd_callback(c_ctx, ssl_give_srp_client_pwd_cb);
+                /*SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);*/
+                }
+        if (srp_server_arg.expected_user != NULL)
+                {
+                SSL_CTX_set_verify(s_ctx,SSL_VERIFY_NONE,verify_callback);
+                SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
+                SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
+                }
+#endif
        c_ssl=SSL_new(c_ctx);
        s_ssl=SSL_new(s_ctx);
@@ -2164,15 +2287,7 @@ static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
                }
 #ifndef OPENSSL_NO_X509_VERIFY
-# ifdef OPENSSL_FIPS
-        if(s->version == TLS1_VERSION)
-                FIPS_allow_md5(1);
-# endif
        ok = X509_verify_cert(ctx);
-# ifdef OPENSSL_FIPS
-        if(s->version == TLS1_VERSION)
-                FIPS_allow_md5(0);
-# endif
 #endif
        if (cb_arg->proxy_auth)
author	djm <>	2012-10-13 21:23:58 +0000
committer	djm <>	2012-10-13 21:23:58 +0000
commit	eb9e590d2bbc1d57aee9aee0fe94c001fb27e697 (patch)
tree	cfb338ea736543eb88bd6c3f56f007ecb05dce51 /src/lib/libssl/src/ssl/ssltest.c
parent	dd489e85d1735eb58774a1c57c6f586cede35b5d (diff)
download	openbsd-eb9e590d2bbc1d57aee9aee0fe94c001fb27e697.tar.gz openbsd-eb9e590d2bbc1d57aee9aee0fe94c001fb27e697.tar.bz2 openbsd-eb9e590d2bbc1d57aee9aee0fe94c001fb27e697.zip

diff --git a/src/lib/libssl/src/ssl/ssltest.c b/src/lib/libssl/src/ssl/ssltest.c index 0bb4fa43bd..0f8fd3902d 100644 --- a/src/lib/libssl/src/ssl/ssltest.c +++ b/src/lib/libssl/src/ssl/ssltest.c
@@ -181,6 +181,9 @@
181	#ifndef OPENSSL_NO_DH	181	#ifndef OPENSSL_NO_DH
182	#include <openssl/dh.h>	182	#include <openssl/dh.h>
183	#endif	183	#endif
		184	#ifndef OPENSSL_NO_SRP
		185	#include <openssl/srp.h>
		186	#endif
184	#include <openssl/bn.h>	187	#include <openssl/bn.h>
185		188
186	#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly	189	#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
@@ -246,6 +249,49 @@ static unsigned int psk_server_callback(SSL ssl, const char identity, unsigned
246	unsigned int max_psk_len);	249	unsigned int max_psk_len);
247	#endif	250	#endif
248		251
		252	#ifndef OPENSSL_NO_SRP
		253	/* SRP client */
		254	/* This is a context that we pass to all callbacks */
		255	typedef struct srp_client_arg_st
		256	{
		257	char *srppassin;
		258	char *srplogin;
		259	} SRP_CLIENT_ARG;
		260
		261	#define PWD_STRLEN 1024
		262
		263	static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL s, void arg)
		264	{
		265	SRP_CLIENT_ARG srp_client_arg = (SRP_CLIENT_ARG )arg;
		266	return BUF_strdup((char *)srp_client_arg->srppassin);
		267	}
		268
		269	/* SRP server */
		270	/* This is a context that we pass to SRP server callbacks */
		271	typedef struct srp_server_arg_st
		272	{
		273	char *expected_user;
		274	char *pass;
		275	} SRP_SERVER_ARG;
		276
		277	static int MS_CALLBACK ssl_srp_server_param_cb(SSL s, int ad, void *arg)
		278	{
		279	SRP_SERVER_ARG * p = (SRP_SERVER_ARG *) arg;
		280
		281	if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0)
		282	{
		283	fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s));
		284	return SSL3_AL_FATAL;
		285	}
		286	if (SSL_set_srp_server_param_pw(s,p->expected_user,p->pass,"1024")<0)
		287	{
		288	*ad = SSL_AD_INTERNAL_ERROR;
		289	return SSL3_AL_FATAL;
		290	}
		291	return SSL_ERROR_NONE;
		292	}
		293	#endif
		294
249	static BIO *bio_err=NULL;	295	static BIO *bio_err=NULL;
250	static BIO *bio_stdout=NULL;	296	static BIO *bio_stdout=NULL;
251		297
@@ -268,6 +314,9 @@ static void sv_usage(void)
268	{	314	{
269	fprintf(stderr,"usage: ssltest [args ...]\n");	315	fprintf(stderr,"usage: ssltest [args ...]\n");
270	fprintf(stderr,"\n");	316	fprintf(stderr,"\n");
		317	#ifdef OPENSSL_FIPS
		318	fprintf(stderr,"-F - run test in FIPS mode\n");
		319	#endif
271	fprintf(stderr," -server_auth - check server certificate\n");	320	fprintf(stderr," -server_auth - check server certificate\n");
272	fprintf(stderr," -client_auth - do client authentication\n");	321	fprintf(stderr," -client_auth - do client authentication\n");
273	fprintf(stderr," -proxy - allow proxy certificates\n");	322	fprintf(stderr," -proxy - allow proxy certificates\n");
@@ -289,6 +338,10 @@ static void sv_usage(void)
289	#ifndef OPENSSL_NO_PSK	338	#ifndef OPENSSL_NO_PSK
290	fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");	339	fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");
291	#endif	340	#endif
		341	#ifndef OPENSSL_NO_SRP
		342	fprintf(stderr," -srpuser user - SRP username to use\n");
		343	fprintf(stderr," -srppass arg - password for 'user'\n");
		344	#endif
292	#ifndef OPENSSL_NO_SSL2	345	#ifndef OPENSSL_NO_SSL2
293	fprintf(stderr," -ssl2 - use SSLv2\n");	346	fprintf(stderr," -ssl2 - use SSLv2\n");
294	#endif	347	#endif
@@ -476,6 +529,12 @@ int main(int argc, char *argv[])
476	#ifndef OPENSSL_NO_ECDH	529	#ifndef OPENSSL_NO_ECDH
477	EC_KEY *ecdh = NULL;	530	EC_KEY *ecdh = NULL;
478	#endif	531	#endif
		532	#ifndef OPENSSL_NO_SRP
		533	/* client */
		534	SRP_CLIENT_ARG srp_client_arg = {NULL,NULL};
		535	/* server */
		536	SRP_SERVER_ARG srp_server_arg = {NULL,NULL};
		537	#endif
479	int no_dhe = 0;	538	int no_dhe = 0;
480	int no_ecdhe = 0;	539	int no_ecdhe = 0;
481	int no_psk = 0;	540	int no_psk = 0;
@@ -487,6 +546,9 @@ int main(int argc, char *argv[])
487	#endif	546	#endif
488	STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;	547	STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
489	int test_cipherlist = 0;	548	int test_cipherlist = 0;
		549	#ifdef OPENSSL_FIPS
		550	int fips_mode=0;
		551	#endif
490		552
491	verbose = 0;	553	verbose = 0;
492	debug = 0;	554	debug = 0;
@@ -518,7 +580,16 @@ int main(int argc, char *argv[])
518		580
519	while (argc >= 1)	581	while (argc >= 1)
520	{	582	{
521	if (strcmp(*argv,"-server_auth") == 0)	583	if(!strcmp(*argv,"-F"))
		584	{
		585	#ifdef OPENSSL_FIPS
		586	fips_mode=1;
		587	#else
		588	fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
		589	EXIT(0);
		590	#endif
		591	}
		592	else if (strcmp(*argv,"-server_auth") == 0)
522	server_auth=1;	593	server_auth=1;
523	else if (strcmp(*argv,"-client_auth") == 0)	594	else if (strcmp(*argv,"-client_auth") == 0)
524	client_auth=1;	595	client_auth=1;
@@ -572,6 +643,20 @@ int main(int argc, char *argv[])
572	no_psk=1;	643	no_psk=1;
573	#endif	644	#endif
574	}	645	}
		646	#ifndef OPENSSL_NO_SRP
		647	else if (strcmp(*argv,"-srpuser") == 0)
		648	{
		649	if (--argc < 1) goto bad;
		650	srp_server_arg.expected_user = srp_client_arg.srplogin= *(++argv);
		651	tls1=1;
		652	}
		653	else if (strcmp(*argv,"-srppass") == 0)
		654	{
		655	if (--argc < 1) goto bad;
		656	srp_server_arg.pass = srp_client_arg.srppassin= *(++argv);
		657	tls1=1;
		658	}
		659	#endif
575	else if (strcmp(*argv,"-ssl2") == 0)	660	else if (strcmp(*argv,"-ssl2") == 0)
576	ssl2=1;	661	ssl2=1;
577	else if (strcmp(*argv,"-tls1") == 0)	662	else if (strcmp(*argv,"-tls1") == 0)
@@ -714,6 +799,20 @@ bad:
714	EXIT(1);	799	EXIT(1);
715	}	800	}
716		801
		802	#ifdef OPENSSL_FIPS
		803	if(fips_mode)
		804	{
		805	if(!FIPS_mode_set(1))
		806	{
		807	ERR_load_crypto_strings();
		808	ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
		809	EXIT(1);
		810	}
		811	else
		812	fprintf(stderr,"* IN FIPS MODE *\n");
		813	}
		814	#endif
		815
717	if (print_time)	816	if (print_time)
718	{	817	{
719	if (!bio_pair)	818	if (!bio_pair)
@@ -837,7 +936,11 @@ bad:
837	}	936	}
838	}	937	}
839	else	938	else
		939	#ifdef OPENSSL_NO_EC2M
		940	nid = NID_X9_62_prime256v1;
		941	#else
840	nid = NID_sect163r2;	942	nid = NID_sect163r2;
		943	#endif
841		944
842	ecdh = EC_KEY_new_by_curve_name(nid);	945	ecdh = EC_KEY_new_by_curve_name(nid);
843	if (ecdh == NULL)	946	if (ecdh == NULL)
@@ -940,6 +1043,26 @@ bad:
940	}	1043	}
941	#endif	1044	#endif
942	}	1045	}
		1046	#ifndef OPENSSL_NO_SRP
		1047	if (srp_client_arg.srplogin)
		1048	{
		1049	if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin))
		1050	{
		1051	BIO_printf(bio_err,"Unable to set SRP username\n");
		1052	goto end;
		1053	}
		1054	SSL_CTX_set_srp_cb_arg(c_ctx,&srp_client_arg);
		1055	SSL_CTX_set_srp_client_pwd_callback(c_ctx, ssl_give_srp_client_pwd_cb);
		1056	/SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);/
		1057	}
		1058
		1059	if (srp_server_arg.expected_user != NULL)
		1060	{
		1061	SSL_CTX_set_verify(s_ctx,SSL_VERIFY_NONE,verify_callback);
		1062	SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
		1063	SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
		1064	}
		1065	#endif
943		1066
944	c_ssl=SSL_new(c_ctx);	1067	c_ssl=SSL_new(c_ctx);
945	s_ssl=SSL_new(s_ctx);	1068	s_ssl=SSL_new(s_ctx);
@@ -2164,15 +2287,7 @@ static int MS_CALLBACK app_verify_callback(X509_STORE_CTX ctx, void arg)
2164	}	2287	}
2165		2288
2166	#ifndef OPENSSL_NO_X509_VERIFY	2289	#ifndef OPENSSL_NO_X509_VERIFY
2167	# ifdef OPENSSL_FIPS
2168	if(s->version == TLS1_VERSION)
2169	FIPS_allow_md5(1);
2170	# endif
2171	ok = X509_verify_cert(ctx);	2290	ok = X509_verify_cert(ctx);
2172	# ifdef OPENSSL_FIPS
2173	if(s->version == TLS1_VERSION)
2174	FIPS_allow_md5(0);
2175	# endif
2176	#endif	2291	#endif
2177		2292
2178	if (cb_arg->proxy_auth)	2293	if (cb_arg->proxy_auth)