1 files changed, 11 insertions, 124 deletions
diff --git a/src/lib/libssl/src/ssl/ssltest.c b/src/lib/libssl/src/ssl/ssltest.c
index 0f8fd3902d..08c90478f4 100644
--- a/src/lib/libssl/src/ssl/ssltest.c
+++ b/src/lib/libssl/src/ssl/ssltest.c
@@ -150,6 +150,8 @@
 #include <stdlib.h>
 #include <string.h>
 #include <time.h>
+#include <inttypes.h>
+#include <ctype.h>
 #define USE_SOCKETS
 #include "e_os.h"
@@ -181,9 +183,6 @@
 #ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
 #endif
-#ifndef OPENSSL_NO_SRP
-#include <openssl/srp.h>
-#endif
 #include <openssl/bn.h>
 #define _XOPEN_SOURCE_EXTENDED  1 /* Or gethostname won't be declared properly
@@ -249,49 +248,6 @@ static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned
        unsigned int max_psk_len);
 #endif
-#ifndef OPENSSL_NO_SRP
-/* SRP client */
-/* This is a context that we pass to all callbacks */
-typedef struct srp_client_arg_st
-        {
-        char *srppassin;
-        char *srplogin;
-        } SRP_CLIENT_ARG;
-#define PWD_STRLEN 1024
-static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
-        {
-        SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
-        return BUF_strdup((char *)srp_client_arg->srppassin);
-        }
-/* SRP server */
-/* This is a context that we pass to SRP server callbacks */
-typedef struct srp_server_arg_st
-        {
-        char *expected_user;
-        char *pass;
-        } SRP_SERVER_ARG;
-static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
-        {
-        SRP_SERVER_ARG * p = (SRP_SERVER_ARG *) arg;
-        if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0)
-                {
-                fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s));
-                return SSL3_AL_FATAL;
-                }
-        if (SSL_set_srp_server_param_pw(s,p->expected_user,p->pass,"1024")<0)
-                {
-                *ad = SSL_AD_INTERNAL_ERROR;
-                return SSL3_AL_FATAL;
-                }
-        return SSL_ERROR_NONE;
-        }
-#endif
 static BIO *bio_err=NULL;
 static BIO *bio_stdout=NULL;
@@ -314,9 +270,6 @@ static void sv_usage(void)
        {
        fprintf(stderr,"usage: ssltest [args ...]\n");
        fprintf(stderr,"\n");
-#ifdef OPENSSL_FIPS
-        fprintf(stderr,"-F             - run test in FIPS mode\n");
-#endif
        fprintf(stderr," -server_auth  - check server certificate\n");
        fprintf(stderr," -client_auth  - do client authentication\n");
        fprintf(stderr," -proxy        - allow proxy certificates\n");
@@ -338,10 +291,6 @@ static void sv_usage(void)
 #ifndef OPENSSL_NO_PSK
        fprintf(stderr," -psk arg      - PSK in hex (without 0x)\n");
 #endif
-#ifndef OPENSSL_NO_SRP
-        fprintf(stderr," -srpuser user  - SRP username to use\n");
-        fprintf(stderr," -srppass arg   - password for 'user'\n");
-#endif
 #ifndef OPENSSL_NO_SSL2
        fprintf(stderr," -ssl2         - use SSLv2\n");
 #endif
@@ -529,12 +478,6 @@ int main(int argc, char *argv[])
 #ifndef OPENSSL_NO_ECDH
        EC_KEY *ecdh = NULL;
 #endif
-#ifndef OPENSSL_NO_SRP
-        /* client */
-        SRP_CLIENT_ARG srp_client_arg = {NULL,NULL};
-        /* server */
-        SRP_SERVER_ARG srp_server_arg = {NULL,NULL};
-#endif
        int no_dhe = 0;
        int no_ecdhe = 0;
        int no_psk = 0;
@@ -546,9 +489,6 @@ int main(int argc, char *argv[])
 #endif
        STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
        int test_cipherlist = 0;
-#ifdef OPENSSL_FIPS
-        int fips_mode=0;
-#endif
        verbose = 0;
        debug = 0;
@@ -580,16 +520,7 @@ int main(int argc, char *argv[])
        while (argc >= 1)
                {
-                if(!strcmp(*argv,"-F"))
+                if      (strcmp(*argv,"-server_auth") == 0)
-                        {
-#ifdef OPENSSL_FIPS
-                        fips_mode=1;
-#else
-                        fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
-                        EXIT(0);
-#endif
-                        }
-                else if (strcmp(*argv,"-server_auth") == 0)
                        server_auth=1;
                else if (strcmp(*argv,"-client_auth") == 0)
                        client_auth=1;
@@ -643,20 +574,6 @@ int main(int argc, char *argv[])
                        no_psk=1;
 #endif
                        }
-#ifndef OPENSSL_NO_SRP
-                else if (strcmp(*argv,"-srpuser") == 0)
-                        {
-                        if (--argc < 1) goto bad;
-                        srp_server_arg.expected_user = srp_client_arg.srplogin= *(++argv);
-                        tls1=1;
-                        }
-                else if (strcmp(*argv,"-srppass") == 0)
-                        {
-                        if (--argc < 1) goto bad;
-                        srp_server_arg.pass = srp_client_arg.srppassin= *(++argv);
-                        tls1=1;
-                        }
-#endif
                else if (strcmp(*argv,"-ssl2") == 0)
                        ssl2=1;
                else if (strcmp(*argv,"-tls1") == 0)
@@ -799,20 +716,6 @@ bad:
                EXIT(1);
                }
-#ifdef OPENSSL_FIPS
-        if(fips_mode)
-                {
-                if(!FIPS_mode_set(1))
-                        {
-                        ERR_load_crypto_strings();
-                        ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
-                        EXIT(1);
-                        }
-                else
-                        fprintf(stderr,"*** IN FIPS MODE ***\n");
-                }
-#endif
        if (print_time)
                {
                if (!bio_pair)
@@ -936,11 +839,7 @@ bad:
                                }
                        }
                else
-#ifdef OPENSSL_NO_EC2M
-                        nid = NID_X9_62_prime256v1;
-#else
                        nid = NID_sect163r2;
-#endif
                ecdh = EC_KEY_new_by_curve_name(nid);
                if (ecdh == NULL)
@@ -1043,26 +942,6 @@ bad:
                        }
 #endif
                }
-#ifndef OPENSSL_NO_SRP
-        if (srp_client_arg.srplogin)
-                {
-                if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin))
-                        {
-                        BIO_printf(bio_err,"Unable to set SRP username\n");
-                        goto end;
-                        }
-                SSL_CTX_set_srp_cb_arg(c_ctx,&srp_client_arg);
-                SSL_CTX_set_srp_client_pwd_callback(c_ctx, ssl_give_srp_client_pwd_cb);
-                /*SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);*/
-                }
-        if (srp_server_arg.expected_user != NULL)
-                {
-                SSL_CTX_set_verify(s_ctx,SSL_VERIFY_NONE,verify_callback);
-                SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
-                SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
-                }
-#endif
        c_ssl=SSL_new(c_ctx);
        s_ssl=SSL_new(s_ctx);
@@ -2287,7 +2166,15 @@ static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
                }
 #ifndef OPENSSL_NO_X509_VERIFY
+# ifdef OPENSSL_FIPS
+        if(s->version == TLS1_VERSION)
+                FIPS_allow_md5(1);
+# endif
        ok = X509_verify_cert(ctx);
+# ifdef OPENSSL_FIPS
+        if(s->version == TLS1_VERSION)
+                FIPS_allow_md5(0);
+# endif
 #endif
        if (cb_arg->proxy_auth)

diff --git a/src/lib/libssl/src/ssl/ssltest.c b/src/lib/libssl/src/ssl/ssltest.c index 0f8fd3902d..08c90478f4 100644 --- a/src/lib/libssl/src/ssl/ssltest.c +++ b/src/lib/libssl/src/ssl/ssltest.c
@@ -150,6 +150,8 @@
150	#include <stdlib.h>	150	#include <stdlib.h>
151	#include <string.h>	151	#include <string.h>
152	#include <time.h>	152	#include <time.h>
		153	#include <inttypes.h>
		154	#include <ctype.h>
153		155
154	#define USE_SOCKETS	156	#define USE_SOCKETS
155	#include "e_os.h"	157	#include "e_os.h"
@@ -181,9 +183,6 @@
181	#ifndef OPENSSL_NO_DH	183	#ifndef OPENSSL_NO_DH
182	#include <openssl/dh.h>	184	#include <openssl/dh.h>
183	#endif	185	#endif
184	#ifndef OPENSSL_NO_SRP
185	#include <openssl/srp.h>
186	#endif
187	#include <openssl/bn.h>	186	#include <openssl/bn.h>
188		187
189	#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly	188	#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
@@ -249,49 +248,6 @@ static unsigned int psk_server_callback(SSL ssl, const char identity, unsigned
249	unsigned int max_psk_len);	248	unsigned int max_psk_len);
250	#endif	249	#endif
251		250
252	#ifndef OPENSSL_NO_SRP
253	/* SRP client */
254	/* This is a context that we pass to all callbacks */
255	typedef struct srp_client_arg_st
256	{
257	char *srppassin;
258	char *srplogin;
259	} SRP_CLIENT_ARG;
260
261	#define PWD_STRLEN 1024
262
263	static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL s, void arg)
264	{
265	SRP_CLIENT_ARG srp_client_arg = (SRP_CLIENT_ARG )arg;
266	return BUF_strdup((char *)srp_client_arg->srppassin);
267	}
268
269	/* SRP server */
270	/* This is a context that we pass to SRP server callbacks */
271	typedef struct srp_server_arg_st
272	{
273	char *expected_user;
274	char *pass;
275	} SRP_SERVER_ARG;
276
277	static int MS_CALLBACK ssl_srp_server_param_cb(SSL s, int ad, void *arg)
278	{
279	SRP_SERVER_ARG * p = (SRP_SERVER_ARG *) arg;
280
281	if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0)
282	{
283	fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s));
284	return SSL3_AL_FATAL;
285	}
286	if (SSL_set_srp_server_param_pw(s,p->expected_user,p->pass,"1024")<0)
287	{
288	*ad = SSL_AD_INTERNAL_ERROR;
289	return SSL3_AL_FATAL;
290	}
291	return SSL_ERROR_NONE;
292	}
293	#endif
294
295	static BIO *bio_err=NULL;	251	static BIO *bio_err=NULL;
296	static BIO *bio_stdout=NULL;	252	static BIO *bio_stdout=NULL;
297		253
@@ -314,9 +270,6 @@ static void sv_usage(void)
314	{	270	{
315	fprintf(stderr,"usage: ssltest [args ...]\n");	271	fprintf(stderr,"usage: ssltest [args ...]\n");
316	fprintf(stderr,"\n");	272	fprintf(stderr,"\n");
317	#ifdef OPENSSL_FIPS
318	fprintf(stderr,"-F - run test in FIPS mode\n");
319	#endif
320	fprintf(stderr," -server_auth - check server certificate\n");	273	fprintf(stderr," -server_auth - check server certificate\n");
321	fprintf(stderr," -client_auth - do client authentication\n");	274	fprintf(stderr," -client_auth - do client authentication\n");
322	fprintf(stderr," -proxy - allow proxy certificates\n");	275	fprintf(stderr," -proxy - allow proxy certificates\n");
@@ -338,10 +291,6 @@ static void sv_usage(void)
338	#ifndef OPENSSL_NO_PSK	291	#ifndef OPENSSL_NO_PSK
339	fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");	292	fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");
340	#endif	293	#endif
341	#ifndef OPENSSL_NO_SRP
342	fprintf(stderr," -srpuser user - SRP username to use\n");
343	fprintf(stderr," -srppass arg - password for 'user'\n");
344	#endif
345	#ifndef OPENSSL_NO_SSL2	294	#ifndef OPENSSL_NO_SSL2
346	fprintf(stderr," -ssl2 - use SSLv2\n");	295	fprintf(stderr," -ssl2 - use SSLv2\n");
347	#endif	296	#endif
@@ -529,12 +478,6 @@ int main(int argc, char *argv[])
529	#ifndef OPENSSL_NO_ECDH	478	#ifndef OPENSSL_NO_ECDH
530	EC_KEY *ecdh = NULL;	479	EC_KEY *ecdh = NULL;
531	#endif	480	#endif
532	#ifndef OPENSSL_NO_SRP
533	/* client */
534	SRP_CLIENT_ARG srp_client_arg = {NULL,NULL};
535	/* server */
536	SRP_SERVER_ARG srp_server_arg = {NULL,NULL};
537	#endif
538	int no_dhe = 0;	481	int no_dhe = 0;
539	int no_ecdhe = 0;	482	int no_ecdhe = 0;
540	int no_psk = 0;	483	int no_psk = 0;
@@ -546,9 +489,6 @@ int main(int argc, char *argv[])
546	#endif	489	#endif
547	STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;	490	STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
548	int test_cipherlist = 0;	491	int test_cipherlist = 0;
549	#ifdef OPENSSL_FIPS
550	int fips_mode=0;
551	#endif
552		492
553	verbose = 0;	493	verbose = 0;
554	debug = 0;	494	debug = 0;
@@ -580,16 +520,7 @@ int main(int argc, char *argv[])
580		520
581	while (argc >= 1)	521	while (argc >= 1)
582	{	522	{
583	if(!strcmp(*argv,"-F"))	523	if (strcmp(*argv,"-server_auth") == 0)
584	{
585	#ifdef OPENSSL_FIPS
586	fips_mode=1;
587	#else
588	fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
589	EXIT(0);
590	#endif
591	}
592	else if (strcmp(*argv,"-server_auth") == 0)
593	server_auth=1;	524	server_auth=1;
594	else if (strcmp(*argv,"-client_auth") == 0)	525	else if (strcmp(*argv,"-client_auth") == 0)
595	client_auth=1;	526	client_auth=1;
@@ -643,20 +574,6 @@ int main(int argc, char *argv[])
643	no_psk=1;	574	no_psk=1;
644	#endif	575	#endif
645	}	576	}
646	#ifndef OPENSSL_NO_SRP
647	else if (strcmp(*argv,"-srpuser") == 0)
648	{
649	if (--argc < 1) goto bad;
650	srp_server_arg.expected_user = srp_client_arg.srplogin= *(++argv);
651	tls1=1;
652	}
653	else if (strcmp(*argv,"-srppass") == 0)
654	{
655	if (--argc < 1) goto bad;
656	srp_server_arg.pass = srp_client_arg.srppassin= *(++argv);
657	tls1=1;
658	}
659	#endif
660	else if (strcmp(*argv,"-ssl2") == 0)	577	else if (strcmp(*argv,"-ssl2") == 0)
661	ssl2=1;	578	ssl2=1;
662	else if (strcmp(*argv,"-tls1") == 0)	579	else if (strcmp(*argv,"-tls1") == 0)
@@ -799,20 +716,6 @@ bad:
799	EXIT(1);	716	EXIT(1);
800	}	717	}
801		718
802	#ifdef OPENSSL_FIPS
803	if(fips_mode)
804	{
805	if(!FIPS_mode_set(1))
806	{
807	ERR_load_crypto_strings();
808	ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
809	EXIT(1);
810	}
811	else
812	fprintf(stderr,"* IN FIPS MODE *\n");
813	}
814	#endif
815
816	if (print_time)	719	if (print_time)
817	{	720	{
818	if (!bio_pair)	721	if (!bio_pair)
@@ -936,11 +839,7 @@ bad:
936	}	839	}
937	}	840	}
938	else	841	else
939	#ifdef OPENSSL_NO_EC2M
940	nid = NID_X9_62_prime256v1;
941	#else
942	nid = NID_sect163r2;	842	nid = NID_sect163r2;
943	#endif
944		843
945	ecdh = EC_KEY_new_by_curve_name(nid);	844	ecdh = EC_KEY_new_by_curve_name(nid);
946	if (ecdh == NULL)	845	if (ecdh == NULL)
@@ -1043,26 +942,6 @@ bad:
1043	}	942	}
1044	#endif	943	#endif
1045	}	944	}
1046	#ifndef OPENSSL_NO_SRP
1047	if (srp_client_arg.srplogin)
1048	{
1049	if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin))
1050	{
1051	BIO_printf(bio_err,"Unable to set SRP username\n");
1052	goto end;
1053	}
1054	SSL_CTX_set_srp_cb_arg(c_ctx,&srp_client_arg);
1055	SSL_CTX_set_srp_client_pwd_callback(c_ctx, ssl_give_srp_client_pwd_cb);
1056	/SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);/
1057	}
1058
1059	if (srp_server_arg.expected_user != NULL)
1060	{
1061	SSL_CTX_set_verify(s_ctx,SSL_VERIFY_NONE,verify_callback);
1062	SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
1063	SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
1064	}
1065	#endif
1066		945
1067	c_ssl=SSL_new(c_ctx);	946	c_ssl=SSL_new(c_ctx);
1068	s_ssl=SSL_new(s_ctx);	947	s_ssl=SSL_new(s_ctx);
@@ -2287,7 +2166,15 @@ static int MS_CALLBACK app_verify_callback(X509_STORE_CTX ctx, void arg)
2287	}	2166	}
2288		2167
2289	#ifndef OPENSSL_NO_X509_VERIFY	2168	#ifndef OPENSSL_NO_X509_VERIFY
		2169	# ifdef OPENSSL_FIPS
		2170	if(s->version == TLS1_VERSION)
		2171	FIPS_allow_md5(1);
		2172	# endif
2290	ok = X509_verify_cert(ctx);	2173	ok = X509_verify_cert(ctx);
		2174	# ifdef OPENSSL_FIPS
		2175	if(s->version == TLS1_VERSION)
		2176	FIPS_allow_md5(0);
		2177	# endif
2291	#endif	2178	#endif
2292		2179
2293	if (cb_arg->proxy_auth)	2180	if (cb_arg->proxy_auth)