diff options
Diffstat (limited to 'src/lib/libssl/src/ssl/ssltest.c')
| -rw-r--r-- | src/lib/libssl/src/ssl/ssltest.c | 133 |
1 files changed, 124 insertions, 9 deletions
diff --git a/src/lib/libssl/src/ssl/ssltest.c b/src/lib/libssl/src/ssl/ssltest.c index 08c90478f4..a0e2af6647 100644 --- a/src/lib/libssl/src/ssl/ssltest.c +++ b/src/lib/libssl/src/ssl/ssltest.c | |||
| @@ -183,6 +183,9 @@ | |||
| 183 | #ifndef OPENSSL_NO_DH | 183 | #ifndef OPENSSL_NO_DH |
| 184 | #include <openssl/dh.h> | 184 | #include <openssl/dh.h> |
| 185 | #endif | 185 | #endif |
| 186 | #ifndef OPENSSL_NO_SRP | ||
| 187 | #include <openssl/srp.h> | ||
| 188 | #endif | ||
| 186 | #include <openssl/bn.h> | 189 | #include <openssl/bn.h> |
| 187 | 190 | ||
| 188 | #define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly | 191 | #define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly |
| @@ -248,6 +251,49 @@ static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned | |||
| 248 | unsigned int max_psk_len); | 251 | unsigned int max_psk_len); |
| 249 | #endif | 252 | #endif |
| 250 | 253 | ||
| 254 | #ifndef OPENSSL_NO_SRP | ||
| 255 | /* SRP client */ | ||
| 256 | /* This is a context that we pass to all callbacks */ | ||
| 257 | typedef struct srp_client_arg_st | ||
| 258 | { | ||
| 259 | char *srppassin; | ||
| 260 | char *srplogin; | ||
| 261 | } SRP_CLIENT_ARG; | ||
| 262 | |||
| 263 | #define PWD_STRLEN 1024 | ||
| 264 | |||
| 265 | static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg) | ||
| 266 | { | ||
| 267 | SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg; | ||
| 268 | return BUF_strdup((char *)srp_client_arg->srppassin); | ||
| 269 | } | ||
| 270 | |||
| 271 | /* SRP server */ | ||
| 272 | /* This is a context that we pass to SRP server callbacks */ | ||
| 273 | typedef struct srp_server_arg_st | ||
| 274 | { | ||
| 275 | char *expected_user; | ||
| 276 | char *pass; | ||
| 277 | } SRP_SERVER_ARG; | ||
| 278 | |||
| 279 | static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg) | ||
| 280 | { | ||
| 281 | SRP_SERVER_ARG * p = (SRP_SERVER_ARG *) arg; | ||
| 282 | |||
| 283 | if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0) | ||
| 284 | { | ||
| 285 | fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s)); | ||
| 286 | return SSL3_AL_FATAL; | ||
| 287 | } | ||
| 288 | if (SSL_set_srp_server_param_pw(s,p->expected_user,p->pass,"1024")<0) | ||
| 289 | { | ||
| 290 | *ad = SSL_AD_INTERNAL_ERROR; | ||
| 291 | return SSL3_AL_FATAL; | ||
| 292 | } | ||
| 293 | return SSL_ERROR_NONE; | ||
| 294 | } | ||
| 295 | #endif | ||
| 296 | |||
| 251 | static BIO *bio_err=NULL; | 297 | static BIO *bio_err=NULL; |
| 252 | static BIO *bio_stdout=NULL; | 298 | static BIO *bio_stdout=NULL; |
| 253 | 299 | ||
| @@ -270,6 +316,9 @@ static void sv_usage(void) | |||
| 270 | { | 316 | { |
| 271 | fprintf(stderr,"usage: ssltest [args ...]\n"); | 317 | fprintf(stderr,"usage: ssltest [args ...]\n"); |
| 272 | fprintf(stderr,"\n"); | 318 | fprintf(stderr,"\n"); |
| 319 | #ifdef OPENSSL_FIPS | ||
| 320 | fprintf(stderr,"-F - run test in FIPS mode\n"); | ||
| 321 | #endif | ||
| 273 | fprintf(stderr," -server_auth - check server certificate\n"); | 322 | fprintf(stderr," -server_auth - check server certificate\n"); |
| 274 | fprintf(stderr," -client_auth - do client authentication\n"); | 323 | fprintf(stderr," -client_auth - do client authentication\n"); |
| 275 | fprintf(stderr," -proxy - allow proxy certificates\n"); | 324 | fprintf(stderr," -proxy - allow proxy certificates\n"); |
| @@ -291,6 +340,10 @@ static void sv_usage(void) | |||
| 291 | #ifndef OPENSSL_NO_PSK | 340 | #ifndef OPENSSL_NO_PSK |
| 292 | fprintf(stderr," -psk arg - PSK in hex (without 0x)\n"); | 341 | fprintf(stderr," -psk arg - PSK in hex (without 0x)\n"); |
| 293 | #endif | 342 | #endif |
| 343 | #ifndef OPENSSL_NO_SRP | ||
| 344 | fprintf(stderr," -srpuser user - SRP username to use\n"); | ||
| 345 | fprintf(stderr," -srppass arg - password for 'user'\n"); | ||
| 346 | #endif | ||
| 294 | #ifndef OPENSSL_NO_SSL2 | 347 | #ifndef OPENSSL_NO_SSL2 |
| 295 | fprintf(stderr," -ssl2 - use SSLv2\n"); | 348 | fprintf(stderr," -ssl2 - use SSLv2\n"); |
| 296 | #endif | 349 | #endif |
| @@ -478,6 +531,12 @@ int main(int argc, char *argv[]) | |||
| 478 | #ifndef OPENSSL_NO_ECDH | 531 | #ifndef OPENSSL_NO_ECDH |
| 479 | EC_KEY *ecdh = NULL; | 532 | EC_KEY *ecdh = NULL; |
| 480 | #endif | 533 | #endif |
| 534 | #ifndef OPENSSL_NO_SRP | ||
| 535 | /* client */ | ||
| 536 | SRP_CLIENT_ARG srp_client_arg = {NULL,NULL}; | ||
| 537 | /* server */ | ||
| 538 | SRP_SERVER_ARG srp_server_arg = {NULL,NULL}; | ||
| 539 | #endif | ||
| 481 | int no_dhe = 0; | 540 | int no_dhe = 0; |
| 482 | int no_ecdhe = 0; | 541 | int no_ecdhe = 0; |
| 483 | int no_psk = 0; | 542 | int no_psk = 0; |
| @@ -489,6 +548,9 @@ int main(int argc, char *argv[]) | |||
| 489 | #endif | 548 | #endif |
| 490 | STACK_OF(SSL_COMP) *ssl_comp_methods = NULL; | 549 | STACK_OF(SSL_COMP) *ssl_comp_methods = NULL; |
| 491 | int test_cipherlist = 0; | 550 | int test_cipherlist = 0; |
| 551 | #ifdef OPENSSL_FIPS | ||
| 552 | int fips_mode=0; | ||
| 553 | #endif | ||
| 492 | 554 | ||
| 493 | verbose = 0; | 555 | verbose = 0; |
| 494 | debug = 0; | 556 | debug = 0; |
| @@ -520,7 +582,16 @@ int main(int argc, char *argv[]) | |||
| 520 | 582 | ||
| 521 | while (argc >= 1) | 583 | while (argc >= 1) |
| 522 | { | 584 | { |
| 523 | if (strcmp(*argv,"-server_auth") == 0) | 585 | if(!strcmp(*argv,"-F")) |
| 586 | { | ||
| 587 | #ifdef OPENSSL_FIPS | ||
| 588 | fips_mode=1; | ||
| 589 | #else | ||
| 590 | fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n"); | ||
| 591 | EXIT(0); | ||
| 592 | #endif | ||
| 593 | } | ||
| 594 | else if (strcmp(*argv,"-server_auth") == 0) | ||
| 524 | server_auth=1; | 595 | server_auth=1; |
| 525 | else if (strcmp(*argv,"-client_auth") == 0) | 596 | else if (strcmp(*argv,"-client_auth") == 0) |
| 526 | client_auth=1; | 597 | client_auth=1; |
| @@ -574,6 +645,20 @@ int main(int argc, char *argv[]) | |||
| 574 | no_psk=1; | 645 | no_psk=1; |
| 575 | #endif | 646 | #endif |
| 576 | } | 647 | } |
| 648 | #ifndef OPENSSL_NO_SRP | ||
| 649 | else if (strcmp(*argv,"-srpuser") == 0) | ||
| 650 | { | ||
| 651 | if (--argc < 1) goto bad; | ||
| 652 | srp_server_arg.expected_user = srp_client_arg.srplogin= *(++argv); | ||
| 653 | tls1=1; | ||
| 654 | } | ||
| 655 | else if (strcmp(*argv,"-srppass") == 0) | ||
| 656 | { | ||
| 657 | if (--argc < 1) goto bad; | ||
| 658 | srp_server_arg.pass = srp_client_arg.srppassin= *(++argv); | ||
| 659 | tls1=1; | ||
| 660 | } | ||
| 661 | #endif | ||
| 577 | else if (strcmp(*argv,"-ssl2") == 0) | 662 | else if (strcmp(*argv,"-ssl2") == 0) |
| 578 | ssl2=1; | 663 | ssl2=1; |
| 579 | else if (strcmp(*argv,"-tls1") == 0) | 664 | else if (strcmp(*argv,"-tls1") == 0) |
| @@ -716,6 +801,20 @@ bad: | |||
| 716 | EXIT(1); | 801 | EXIT(1); |
| 717 | } | 802 | } |
| 718 | 803 | ||
| 804 | #ifdef OPENSSL_FIPS | ||
| 805 | if(fips_mode) | ||
| 806 | { | ||
| 807 | if(!FIPS_mode_set(1)) | ||
| 808 | { | ||
| 809 | ERR_load_crypto_strings(); | ||
| 810 | ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE)); | ||
| 811 | EXIT(1); | ||
| 812 | } | ||
| 813 | else | ||
| 814 | fprintf(stderr,"*** IN FIPS MODE ***\n"); | ||
| 815 | } | ||
| 816 | #endif | ||
| 817 | |||
| 719 | if (print_time) | 818 | if (print_time) |
| 720 | { | 819 | { |
| 721 | if (!bio_pair) | 820 | if (!bio_pair) |
| @@ -839,7 +938,11 @@ bad: | |||
| 839 | } | 938 | } |
| 840 | } | 939 | } |
| 841 | else | 940 | else |
| 941 | #ifdef OPENSSL_NO_EC2M | ||
| 942 | nid = NID_X9_62_prime256v1; | ||
| 943 | #else | ||
| 842 | nid = NID_sect163r2; | 944 | nid = NID_sect163r2; |
| 945 | #endif | ||
| 843 | 946 | ||
| 844 | ecdh = EC_KEY_new_by_curve_name(nid); | 947 | ecdh = EC_KEY_new_by_curve_name(nid); |
| 845 | if (ecdh == NULL) | 948 | if (ecdh == NULL) |
| @@ -942,6 +1045,26 @@ bad: | |||
| 942 | } | 1045 | } |
| 943 | #endif | 1046 | #endif |
| 944 | } | 1047 | } |
| 1048 | #ifndef OPENSSL_NO_SRP | ||
| 1049 | if (srp_client_arg.srplogin) | ||
| 1050 | { | ||
| 1051 | if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin)) | ||
| 1052 | { | ||
| 1053 | BIO_printf(bio_err,"Unable to set SRP username\n"); | ||
| 1054 | goto end; | ||
| 1055 | } | ||
| 1056 | SSL_CTX_set_srp_cb_arg(c_ctx,&srp_client_arg); | ||
| 1057 | SSL_CTX_set_srp_client_pwd_callback(c_ctx, ssl_give_srp_client_pwd_cb); | ||
| 1058 | /*SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);*/ | ||
| 1059 | } | ||
| 1060 | |||
| 1061 | if (srp_server_arg.expected_user != NULL) | ||
| 1062 | { | ||
| 1063 | SSL_CTX_set_verify(s_ctx,SSL_VERIFY_NONE,verify_callback); | ||
| 1064 | SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg); | ||
| 1065 | SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb); | ||
| 1066 | } | ||
| 1067 | #endif | ||
| 945 | 1068 | ||
| 946 | c_ssl=SSL_new(c_ctx); | 1069 | c_ssl=SSL_new(c_ctx); |
| 947 | s_ssl=SSL_new(s_ctx); | 1070 | s_ssl=SSL_new(s_ctx); |
| @@ -2166,15 +2289,7 @@ static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg) | |||
| 2166 | } | 2289 | } |
| 2167 | 2290 | ||
| 2168 | #ifndef OPENSSL_NO_X509_VERIFY | 2291 | #ifndef OPENSSL_NO_X509_VERIFY |
| 2169 | # ifdef OPENSSL_FIPS | ||
| 2170 | if(s->version == TLS1_VERSION) | ||
| 2171 | FIPS_allow_md5(1); | ||
| 2172 | # endif | ||
| 2173 | ok = X509_verify_cert(ctx); | 2292 | ok = X509_verify_cert(ctx); |
| 2174 | # ifdef OPENSSL_FIPS | ||
| 2175 | if(s->version == TLS1_VERSION) | ||
| 2176 | FIPS_allow_md5(0); | ||
| 2177 | # endif | ||
| 2178 | #endif | 2293 | #endif |
| 2179 | 2294 | ||
| 2180 | if (cb_arg->proxy_auth) | 2295 | if (cb_arg->proxy_auth) |