authorbluhm <>2018-11-09 06:30:41 +0000
committerbluhm <>2018-11-09 06:30:41 +0000
commite3076365506f38e78df5fe822fa92f5279cc68ca (patch)
tree645159c1ec7a09a740cc2fa32e1faad4aadb0291 /src/regress/lib/libssl/interop/client.c
parent5917d4731a2fb66998de8261b51a6ff11b1e07b7 (diff)
The cert subdir is testing all combinations of certificate validation.
Having the three libraries, client and server certificates, missing or invalid CA or certificates, and enforcing peer certificate results in 1944 new test cases.
Diffstat (limited to 'src/regress/lib/libssl/interop/client.c')
-rw-r--r--src/regress/lib/libssl/interop/client.c58
1 files changed, 51 insertions, 7 deletions
diff --git a/src/regress/lib/libssl/interop/client.c b/src/regress/lib/libssl/interop/client.c
index 60fb718fdb..c312d7ae8a 100644
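--- a/src/regress/lib/libssl/interop/client.c
+++ b/src/regress/lib/libssl/interop/client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: client.c,v 1.3 2018/11/07 19:09:01 bluhm Exp $ */
+/* $OpenBSD: client.c,v 1.4 2018/11/09 06:30:41 bluhm Exp $ */
 /*
  * Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org>
  *
@@ -34,7 +34,8 @@ void __dead usage(void);
 void __dead
 usage(void)
 {
- fprintf(stderr, "usage: client host port");
+ fprintf(stderr,
+ "usage: client [-c] [-C CA] [-c crt -k key] host port");
  exit(2);
 }
 
@@ -46,19 +47,42 @@ main(int argc, char *argv[])
  SSL *ssl;
  BIO *bio;
  SSL_SESSION *session;
- int error;
- char buf[256];
+ int error, verify = 0;
+ char buf[256], ch;
+ char *ca = NULL, *crt = NULL, *key = NULL;
  char *host_port, *host, *port;
 
- if (argc == 3) {
- host = argv[1];
- port = argv[2];
+ while ((ch = getopt(argc, argv, "C:c:k:v")) != -1) {
+ switch (ch) {
+ case 'C':
+ ca = optarg;
+ break;
+ case 'c':
+ crt = optarg;
+ break;
+ case 'k':
+ key = optarg;
+ break;
+ case 'v':
+ verify = 1;
+ break;
+ default:
+ usage();
+ }
+ }
+ argc -= optind;
+ argv += optind;
+ if (argc == 2) {
+ host = argv[0];
+ port = argv[1];
  } else {
  usage();
  }
  if (asprintf(&host_port, strchr(host, ':') ? "[%s]:%s" : "%s:%s",
  host, port) == -1)
  err(1, "asprintf host port");
+ if ((crt == NULL && key != NULL) || (crt != NULL && key == NULL))
+ errx(1, "certificate and private key must be used together");
 
  SSL_library_init();
  SSL_load_error_strings();
@@ -78,6 +102,26 @@ main(int argc, char *argv[])
  if (ctx == NULL)
  err_ssl(1, "SSL_CTX_new");
 
+ /* load client certificate */
+ if (crt != NULL) {
+ if (SSL_CTX_use_certificate_file(ctx, crt,
+ SSL_FILETYPE_PEM) <= 0)
+ err_ssl(1, "SSL_CTX_use_certificate_file");
+ if (SSL_CTX_use_PrivateKey_file(ctx, key,
+ SSL_FILETYPE_PEM) <= 0)
+ err_ssl(1, "SSL_CTX_use_PrivateKey_file");
+ if (SSL_CTX_check_private_key(ctx) <= 0)
+ err_ssl(1, "SSL_CTX_check_private_key");
+ }
+
+ /* verify server certificate */
+ if (ca != NULL) {
+ if (SSL_CTX_load_verify_locations(ctx, ca, NULL) <= 0)
+ err_ssl(1, "SSL_CTX_load_verify_locations");
+ }
+ SSL_CTX_set_verify(ctx, verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE,
+ verify_callback);
+
  /* setup ssl and bio for socket operations */
  ssl = SSL_new(ctx);
  if (ssl == NULL)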
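Review bot: In the option loop of the third hunk, `ch` is declared `char` but receives the `int` returned by getopt(), so where plain char is unsigned `ch != -1` is never false and the end-of-options value falls into `default: usage()`. Declare it as an int instead: `int error, verify = 0, ch;` with `char buf[256];` left alone. The usage string in the second hunk also lists `[-c]` where the getopt string accepts `-v`, leaving the switch that selects SSL_VERIFY_PEER undocumented; `"usage: client [-v] [-C CA] [-c crt -k key] host port"` would match the parser. Server certificate checking stays at SSL_VERIFY_NONE unless `-v` is passed, and whether a failed check aborts the handshake depends on verify_callback, which is defined outside the visible hunks. main() begins before and continues after these hunks.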