summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/regress/lib/libssl/interop/LICENSE2
-rw-r--r--src/regress/lib/libssl/interop/Makefile3
-rw-r--r--src/regress/lib/libssl/interop/Makefile.inc36
-rw-r--r--src/regress/lib/libssl/interop/README4
-rw-r--r--src/regress/lib/libssl/interop/cert/Makefile8
-rw-r--r--src/regress/lib/libssl/interop/cipher/Makefile180
-rw-r--r--src/regress/lib/libssl/interop/client.c39
-rw-r--r--src/regress/lib/libssl/interop/server.c62
8 files changed, 308 insertions, 26 deletions
diff --git a/src/regress/lib/libssl/interop/LICENSE b/src/regress/lib/libssl/interop/LICENSE
index 8695620495..838e7f45cc 100644
--- a/src/regress/lib/libssl/interop/LICENSE
+++ b/src/regress/lib/libssl/interop/LICENSE
@@ -1,5 +1,5 @@
1/* 1/*
2 * Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org> 2 * Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>
3 * 3 *
4 * Permission to use, copy, modify, and distribute this software for any 4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above 5 * purpose with or without fee is hereby granted, provided that the above
diff --git a/src/regress/lib/libssl/interop/Makefile b/src/regress/lib/libssl/interop/Makefile
index dcde044d97..36b233c189 100644
--- a/src/regress/lib/libssl/interop/Makefile
+++ b/src/regress/lib/libssl/interop/Makefile
@@ -1,9 +1,10 @@
1# $OpenBSD: Makefile,v 1.5 2018/11/11 00:15:04 bluhm Exp $ 1# $OpenBSD: Makefile,v 1.6 2019/02/21 23:06:33 bluhm Exp $
2 2
3SUBDIR = libressl openssl openssl11 3SUBDIR = libressl openssl openssl11
4# the above binaries must have been built before we can continue 4# the above binaries must have been built before we can continue
5SUBDIR += netcat 5SUBDIR += netcat
6SUBDIR += session 6SUBDIR += session
7SUBDIR += cipher
7SUBDIR += cert 8SUBDIR += cert
8 9
9.include <bsd.subdir.mk> 10.include <bsd.subdir.mk>
diff --git a/src/regress/lib/libssl/interop/Makefile.inc b/src/regress/lib/libssl/interop/Makefile.inc
index 7dadc3607b..dfe1424949 100644
--- a/src/regress/lib/libssl/interop/Makefile.inc
+++ b/src/regress/lib/libssl/interop/Makefile.inc
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile.inc,v 1.5 2018/11/11 00:15:04 bluhm Exp $ 1# $OpenBSD: Makefile.inc,v 1.6 2019/02/21 23:06:33 bluhm Exp $
2 2
3.PATH: ${.CURDIR}/.. 3.PATH: ${.CURDIR}/..
4 4
@@ -37,7 +37,9 @@ run-self-client-server: client server 127.0.0.1.crt
37 37
38CLEANFILES += 127.0.0.1.{crt,key} \ 38CLEANFILES += 127.0.0.1.{crt,key} \
39 ca.{crt,key,srl} fake-ca.{crt,key} \ 39 ca.{crt,key,srl} fake-ca.{crt,key} \
40 {client,server}.{req,crt,key} 40 {client,server}.{req,crt,key} \
41 {dsa,ec,gost,rsa}.{key,req,crt} \
42 dh.param
41 43
42127.0.0.1.crt: 44127.0.0.1.crt:
43 openssl req -batch -new \ 45 openssl req -batch -new \
@@ -57,3 +59,33 @@ client.req server.req:
57client.crt server.crt: ca.crt ${@:R}.req 59client.crt server.crt: ca.crt ${@:R}.req
58 openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt \ 60 openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt \
59 -req -in ${@:R}.req -out $@ 61 -req -in ${@:R}.req -out $@
62
63dh.param:
64 openssl dhparam -out $@ 1024
65
66dsa.key:
67 openssl dsaparam -genkey -out $@ 2048
68
69ec.key:
70 openssl ecparam -genkey -name secp256r1 -out $@
71
72gost.key:
73 openssl genpkey -algorithm gost2001 \
74 -pkeyopt paramset:A -pkeyopt dgst:md_gost94 -out $@
75
76rsa.key:
77 openssl genrsa -out $@ 2048
78
79dsa.req ec.req rsa.req: ${@:R}.key
80 openssl req -batch -new \
81 -subj /L=OpenBSD/O=tls-regress/OU=${@:R}/CN=localhost/ \
82 -nodes -key ${@:R}.key -out $@
83
84gost.req: ${@:R}.key
85 openssl req -batch -new -md_gost94 \
86 -subj /L=OpenBSD/O=tls-regress/OU=${@:R}/CN=localhost/ \
87 -nodes -key ${@:R}.key -out $@
88
89dsa.crt ec.crt gost.crt rsa.crt: ca.crt ${@:R}.req
90 openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt \
91 -req -in ${@:R}.req -out $@
diff --git a/src/regress/lib/libssl/interop/README b/src/regress/lib/libssl/interop/README
index 42d87acfdb..54910e554d 100644
--- a/src/regress/lib/libssl/interop/README
+++ b/src/regress/lib/libssl/interop/README
@@ -17,4 +17,6 @@ libtls. Test TLS session reuse multiple times with different library
17combinations. The cert subdir is testing all combinations of 17combinations. The cert subdir is testing all combinations of
18certificate validation. Having the three libraries, client and 18certificate validation. Having the three libraries, client and
19server certificates, missing or invalid CA or certificates, and 19server certificates, missing or invalid CA or certificates, and
20enforcing peer certificate results in 1944 test cases. 20enforcing peer certificate results in 1944 test cases. The cipher
21test establishes connections between implementations for each
22supported cipher.
diff --git a/src/regress/lib/libssl/interop/cert/Makefile b/src/regress/lib/libssl/interop/cert/Makefile
index 3e7a07cdfe..11bc4aa2ab 100644
--- a/src/regress/lib/libssl/interop/cert/Makefile
+++ b/src/regress/lib/libssl/interop/cert/Makefile
@@ -1,4 +1,10 @@
1# $OpenBSD: Makefile,v 1.3 2018/11/11 07:39:34 bluhm Exp $ 1# $OpenBSD: Makefile,v 1.4 2019/02/21 23:06:33 bluhm Exp $
2
3# Connect a client to a server. Both can be current libressl, or
4# openssl 1.0.2, or openssl 1.1. Create client and server certificates
5# that are signed by a CA and not signed by a fake CA. Try all
6# combinations with, without, and with wrong CA for client and server
7# and check the result of certificate verification.
2 8
3LIBRARIES = libressl 9LIBRARIES = libressl
4.if exists(/usr/local/bin/eopenssl) 10.if exists(/usr/local/bin/eopenssl)
diff --git a/src/regress/lib/libssl/interop/cipher/Makefile b/src/regress/lib/libssl/interop/cipher/Makefile
new file mode 100644
index 0000000000..5593ab233f
--- /dev/null
+++ b/src/regress/lib/libssl/interop/cipher/Makefile
@@ -0,0 +1,180 @@
1# $OpenBSD: Makefile,v 1.1 2019/02/21 23:06:33 bluhm Exp $
2
3# Connect a client to a server. Both can be current libressl, or
4# openssl 1.0.2, or openssl 1.1. Create lists of supported ciphers
5# and pin client and server to one of the ciphers. Use server
6# certificate with compatible type. Check that client and server
7# have used correct cipher by grepping in their session print out.
8
9check-cipher-GOST2001-GOST89-GOST89-client-libressl-server-libressl:
10 # cipher GOST2012256-GOST89-GOST89 is used in out file
11 # TODO: figure out why it is not GOST2001
12 @echo DISABLED
13
14check-cipher-ADH-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
15check-cipher-ADH-AES128-SHA-client-openssl11-server-openssl11 \
16check-cipher-ADH-AES128-SHA256-client-openssl11-server-openssl11 \
17check-cipher-ADH-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
18check-cipher-ADH-AES256-SHA-client-openssl11-server-openssl11 \
19check-cipher-ADH-AES256-SHA256-client-openssl11-server-openssl11 \
20check-cipher-ADH-CAMELLIA128-SHA-client-openssl11-server-openssl11 \
21check-cipher-ADH-CAMELLIA128-SHA256-client-openssl11-server-openssl11 \
22check-cipher-ADH-CAMELLIA256-SHA-client-openssl11-server-openssl11 \
23check-cipher-ADH-CAMELLIA256-SHA256-client-openssl11-server-openssl11 \
24check-cipher-AECDH-AES128-SHA-client-openssl11-server-openssl11 \
25check-cipher-AECDH-AES256-SHA-client-openssl11-server-openssl11 \
26check-cipher-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
27check-cipher-AES128-SHA-client-openssl11-server-openssl11 \
28check-cipher-AES128-SHA256-client-openssl11-server-openssl11 \
29check-cipher-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
30check-cipher-AES256-SHA-client-openssl11-server-openssl11 \
31check-cipher-AES256-SHA256-client-openssl11-server-openssl11 \
32check-cipher-CAMELLIA128-SHA-client-openssl11-server-openssl11 \
33check-cipher-CAMELLIA128-SHA256-client-openssl11-server-openssl11 \
34check-cipher-CAMELLIA256-SHA-client-openssl11-server-openssl11 \
35check-cipher-CAMELLIA256-SHA256-client-openssl11-server-openssl11 \
36check-cipher-DHE-RSA-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
37check-cipher-DHE-RSA-AES128-SHA-client-openssl11-server-openssl11 \
38check-cipher-DHE-RSA-AES128-SHA256-client-openssl11-server-openssl11 \
39check-cipher-DHE-RSA-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
40check-cipher-DHE-RSA-AES256-SHA-client-openssl11-server-openssl11 \
41check-cipher-DHE-RSA-AES256-SHA256-client-openssl11-server-openssl11 \
42check-cipher-DHE-RSA-CAMELLIA128-SHA-client-openssl11-server-openssl11 \
43check-cipher-DHE-RSA-CAMELLIA128-SHA256-client-openssl11-server-openssl11 \
44check-cipher-DHE-RSA-CAMELLIA256-SHA-client-openssl11-server-openssl11 \
45check-cipher-DHE-RSA-CAMELLIA256-SHA256-client-openssl11-server-openssl11 \
46check-cipher-DHE-RSA-CHACHA20-POLY1305-client-openssl11-server-openssl11 \
47check-cipher-ECDHE-ECDSA-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
48check-cipher-ECDHE-ECDSA-AES128-SHA-client-openssl11-server-openssl11 \
49check-cipher-ECDHE-ECDSA-AES128-SHA256-client-openssl11-server-openssl11 \
50check-cipher-ECDHE-ECDSA-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
51check-cipher-ECDHE-ECDSA-AES256-SHA-client-openssl11-server-openssl11 \
52check-cipher-ECDHE-ECDSA-AES256-SHA384-client-openssl11-server-openssl11 \
53check-cipher-ECDHE-ECDSA-CHACHA20-POLY1305-client-openssl11-server-openssl11 \
54check-cipher-ECDHE-RSA-AES128-GCM-SHA256-client-openssl11-server-openssl11 \
55check-cipher-ECDHE-RSA-AES128-SHA-client-openssl11-server-openssl11 \
56check-cipher-ECDHE-RSA-AES128-SHA256-client-openssl11-server-openssl11 \
57check-cipher-ECDHE-RSA-AES256-GCM-SHA384-client-openssl11-server-openssl11 \
58check-cipher-ECDHE-RSA-AES256-SHA-client-openssl11-server-openssl11 \
59check-cipher-ECDHE-RSA-AES256-SHA384-client-openssl11-server-openssl11 \
60check-cipher-ECDHE-RSA-CHACHA20-POLY1305-client-openssl11-server-openssl11:
61 # openssl11 always prints TLS_AES_256_GCM_SHA384 as cipher in out file
62 @echo DISABLED
63
64LIBRARIES = libressl
65.if exists(/usr/local/bin/eopenssl)
66LIBRARIES += openssl
67.endif
68.if exists(/usr/local/bin/eopenssl11)
69LIBRARIES += openssl11
70.endif
71
72CLEANFILES = *.tmp *.ciphers ciphers.mk
73
74.for clib in ${LIBRARIES}
75client-${clib}.ciphers:
76 LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
77 ../${clib}/client -l ALL -L >$@.tmp
78 sed -n 's/^cipher //p' <$@.tmp | sort -u >$@
79 rm $@.tmp
80.endfor
81.for slib in ${LIBRARIES}
82server-${slib}.ciphers: 127.0.0.1.crt dsa.crt ec.crt rsa.crt
83 LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
84 ../${slib}/server -l ALL -L >$@.tmp
85 sed -n 's/^cipher //p' <$@.tmp | sort -u >$@
86 rm $@.tmp
87.endfor
88
89.for clib in ${LIBRARIES}
90.for slib in ${LIBRARIES}
91ciphers.mk: client-${clib}-server-${slib}.ciphers
92client-${clib}-server-${slib}.ciphers: \
93 client-${clib}.ciphers server-${slib}.ciphers client-libressl.ciphers
94 # get ciphers shared between client and server
95 sort client-${clib}.ciphers server-${slib}.ciphers >$@.tmp
96 uniq -d <$@.tmp >$@
97 # we are only interested in cipers supported by libressl
98 sort $@ client-libressl.ciphers >$@.tmp
99 uniq -d <$@.tmp >$@
100 rm $@.tmp
101.endfor
102.endfor
103
104ciphers.mk:
105 rm -f $@ $@.tmp
106.for clib in ${LIBRARIES}
107.for slib in ${LIBRARIES}
108 echo 'CIPHERS_${clib}_${slib} =' >>$@.tmp \
109 `cat client-${clib}-server-${slib}.ciphers`
110.endfor
111.endfor
112 mv $@.tmp $@
113
114# hack to convert generated lists into usable make variables
115.if exists(ciphers.mk)
116.include "ciphers.mk"
117.else
118regress: ciphers.mk
119 ${MAKE} -C ${.CURDIR} regress
120.endif
121
122LEVEL_libressl =
123LEVEL_openssl =
124LEVEL_openssl11 = ,@SECLEVEL=0
125
126.for clib in ${LIBRARIES}
127.for slib in ${LIBRARIES}
128.for cipher in ${CIPHERS_${clib}_${slib}}
129
130.if "${cipher:M*-DSS-*}" != ""
131TYPE_${cipher} = dsa
132.elif "${cipher:M*-ECDSA-*}" != ""
133TYPE_${cipher} = ec
134.elif "${cipher:M*-GOST89-*}" != ""
135TYPE_${cipher} = gost
136.elif "${cipher:M*-RSA-*}" != ""
137TYPE_${cipher} = rsa
138.else
139TYPE_${cipher} = 127.0.0.1
140.endif
141
142.if "${slib}" == "openssl" && \
143 "${cipher:MADH-*}${cipher:MEDH-*}${cipher:MDHE-*}" != ""
144DHPARAM_${cipher}_${slib} = -p dh.param
145.else
146DHPARAM_${cipher}_${slib} =
147.endif
148
149REGRESS_TARGETS += run-cipher-${cipher}-client-${clib}-server-${slib}
150run-cipher-${cipher}-client-${clib}-server-${slib} \
151client-cipher-${cipher}-client-${clib}-server-${slib}.out \
152server-cipher-${cipher}-client-${clib}-server-${slib}.out: dh.param \
153 127.0.0.1.crt ${TYPE_${cipher}}.crt ../${clib}/client ../${slib}/server
154 @echo '\n======== $@ ========'
155 LD_LIBRARY_PATH=/usr/local/lib/e${slib} \
156 ../${slib}/server >${@:S/^run/server/}.out \
157 -c ${TYPE_${cipher}}.crt -k ${TYPE_${cipher}}.key \
158 -l ${cipher}${LEVEL_${slib}} ${DHPARAM_${cipher}_${slib}} \
159 127.0.0.1 0
160 LD_LIBRARY_PATH=/usr/local/lib/e${clib} \
161 ../${clib}/client >${@:S/^run/client/}.out \
162 -l ${cipher}${LEVEL_${clib}} \
163 `sed -n 's/listen sock: //p' ${@:S/^run/server/}.out`
164 grep -q '^success$$' ${@:S/^run/server/}.out || \
165 { sleep 1; grep -q '^success$$' ${@:S/^run/server/}.out; }
166 grep -q '^success$$' ${@:S/^run/client/}.out
167
168REGRESS_TARGETS += check-cipher-${cipher}-client-${clib}-server-${slib}
169check-cipher-${cipher}-client-${clib}-server-${slib}: \
170 client-cipher-${cipher}-client-${clib}-server-${slib}.out \
171 server-cipher-${cipher}-client-${clib}-server-${slib}.out
172 @echo '\n======== $@ ========'
173 grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/server/}.out
174 grep -q ' Cipher *: ${cipher}$$' ${@:S/^check/client/}.out
175
176.endfor
177.endfor
178.endfor
179
180.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/client.c b/src/regress/lib/libssl/interop/client.c
index 6f14837895..136dc38d09 100644
--- a/src/regress/lib/libssl/interop/client.c
+++ b/src/regress/lib/libssl/interop/client.c
@@ -1,6 +1,6 @@
1/* $OpenBSD: client.c,v 1.6 2019/02/11 12:22:44 bluhm Exp $ */ 1/* $OpenBSD: client.c,v 1.7 2019/02/21 23:06:33 bluhm Exp $ */
2/* 2/*
3 * Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org> 3 * Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>
4 * 4 *
5 * Permission to use, copy, modify, and distribute this software for any 5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above 6 * purpose with or without fee is hereby granted, provided that the above
@@ -34,8 +34,8 @@ void __dead usage(void);
34void __dead 34void __dead
35usage(void) 35usage(void)
36{ 36{
37 fprintf(stderr, 37 fprintf(stderr, "usage: client [-Lsv] [-C CA] [-c crt -k key] "
38 "usage: client [-sv] [-C CA] [-c crt -k key] host port"); 38 "[-l cipers] host port\n");
39 exit(2); 39 exit(2);
40} 40}
41 41
@@ -47,12 +47,13 @@ main(int argc, char *argv[])
47 SSL *ssl; 47 SSL *ssl;
48 BIO *bio; 48 BIO *bio;
49 SSL_SESSION *session = NULL; 49 SSL_SESSION *session = NULL;
50 int ch, error, sessionreuse = 0, verify = 0; 50 int ch, error, listciphers = 0, sessionreuse = 0, verify = 0;
51 char buf[256]; 51 char buf[256];
52 char *ca = NULL, *crt = NULL, *key = NULL; 52 char *ca = NULL, *crt = NULL, *key = NULL, *ciphers = NULL;
53 char *host_port, *host, *port; 53 char *host_port, *host = "127.0.0.1", *port = "0";
54 54
55 while ((ch = getopt(argc, argv, "C:c:k:sv")) != -1) { 55
56 while ((ch = getopt(argc, argv, "C:c:k:Ll:sv")) != -1) {
56 switch (ch) { 57 switch (ch) {
57 case 'C': 58 case 'C':
58 ca = optarg; 59 ca = optarg;
@@ -63,6 +64,12 @@ main(int argc, char *argv[])
63 case 'k': 64 case 'k':
64 key = optarg; 65 key = optarg;
65 break; 66 break;
67 case 'L':
68 listciphers = 1;
69 break;
70 case 'l':
71 ciphers = optarg;
72 break;
66 case 's': 73 case 's':
67 /* multiple reueses are possible */ 74 /* multiple reueses are possible */
68 sessionreuse++; 75 sessionreuse++;
@@ -79,7 +86,7 @@ main(int argc, char *argv[])
79 if (argc == 2) { 86 if (argc == 2) {
80 host = argv[0]; 87 host = argv[0];
81 port = argv[1]; 88 port = argv[1];
82 } else { 89 } else if (!listciphers) {
83 usage(); 90 usage();
84 } 91 }
85 if (asprintf(&host_port, strchr(host, ':') ? "[%s]:%s" : "%s:%s", 92 if (asprintf(&host_port, strchr(host, ':') ? "[%s]:%s" : "%s:%s",
@@ -130,6 +137,19 @@ main(int argc, char *argv[])
130 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT); 137 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT);
131 } 138 }
132 139
140 if (ciphers) {
141 if (SSL_CTX_set_cipher_list(ctx, ciphers) <= 0)
142 err_ssl(1, "SSL_CTX_set_cipher_list");
143 }
144
145 if (listciphers) {
146 ssl = SSL_new(ctx);
147 if (ssl == NULL)
148 err_ssl(1, "SSL_new");
149 print_ciphers(SSL_get_ciphers(ssl));
150 return 0;
151 }
152
133 do { 153 do {
134 /* setup bio for socket operations */ 154 /* setup bio for socket operations */
135 bio = BIO_new_connect(host_port); 155 bio = BIO_new_connect(host_port);
@@ -148,7 +168,6 @@ main(int argc, char *argv[])
148 ssl = SSL_new(ctx); 168 ssl = SSL_new(ctx);
149 if (ssl == NULL) 169 if (ssl == NULL)
150 err_ssl(1, "SSL_new"); 170 err_ssl(1, "SSL_new");
151 print_ciphers(SSL_get_ciphers(ssl));
152 SSL_set_bio(ssl, bio, bio); 171 SSL_set_bio(ssl, bio, bio);
153 /* resuse session if possible */ 172 /* resuse session if possible */
154 if (session != NULL) { 173 if (session != NULL) {
diff --git a/src/regress/lib/libssl/interop/server.c b/src/regress/lib/libssl/interop/server.c
index 3cbadda4c5..ee9c7c70a0 100644
--- a/src/regress/lib/libssl/interop/server.c
+++ b/src/regress/lib/libssl/interop/server.c
@@ -1,6 +1,6 @@
1/* $OpenBSD: server.c,v 1.6 2019/02/11 12:22:44 bluhm Exp $ */ 1/* $OpenBSD: server.c,v 1.7 2019/02/21 23:06:33 bluhm Exp $ */
2/* 2/*
3 * Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org> 3 * Copyright (c) 2018-2019 Alexander Bluhm <bluhm@openbsd.org>
4 * 4 *
5 * Permission to use, copy, modify, and distribute this software for any 5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above 6 * purpose with or without fee is hereby granted, provided that the above
@@ -35,8 +35,8 @@ void __dead usage(void);
35void __dead 35void __dead
36usage(void) 36usage(void)
37{ 37{
38 fprintf(stderr, 38 fprintf(stderr, "usage: server [-Lsvv] [-C CA] [-c crt -k key] "
39 "usage: server [-svv] [-C CA] [-c crt -k key] [host port]"); 39 "[-l cipers] [-p dhparam] [host port]\n");
40 exit(2); 40 exit(2);
41} 41}
42 42
@@ -48,12 +48,12 @@ main(int argc, char *argv[])
48 SSL *ssl; 48 SSL *ssl;
49 BIO *abio, *cbio; 49 BIO *abio, *cbio;
50 SSL_SESSION *session; 50 SSL_SESSION *session;
51 int ch, error, sessionreuse = 0, verify = 0; 51 int ch, error, listciphers = 0, sessionreuse = 0, verify = 0;
52 char buf[256]; 52 char buf[256], *dhparam = NULL;
53 char *ca = NULL, *crt = NULL, *key = NULL; 53 char *ca = NULL, *crt = NULL, *key = NULL, *ciphers = NULL;
54 char *host_port, *host = "127.0.0.1", *port = "0"; 54 char *host_port, *host = "127.0.0.1", *port = "0";
55 55
56 while ((ch = getopt(argc, argv, "C:c:k:sv")) != -1) { 56 while ((ch = getopt(argc, argv, "C:c:k:Ll:p:sv")) != -1) {
57 switch (ch) { 57 switch (ch) {
58 case 'C': 58 case 'C':
59 ca = optarg; 59 ca = optarg;
@@ -64,6 +64,15 @@ main(int argc, char *argv[])
64 case 'k': 64 case 'k':
65 key = optarg; 65 key = optarg;
66 break; 66 break;
67 case 'L':
68 listciphers = 1;
69 break;
70 case 'l':
71 ciphers = optarg;
72 break;
73 case 'p':
74 dhparam = optarg;
75 break;
67 case 's': 76 case 's':
68 /* multiple reueses are possible */ 77 /* multiple reueses are possible */
69 sessionreuse++; 78 sessionreuse++;
@@ -81,7 +90,7 @@ main(int argc, char *argv[])
81 if (argc == 2) { 90 if (argc == 2) {
82 host = argv[0]; 91 host = argv[0];
83 port = argv[1]; 92 port = argv[1];
84 } else if (argc != 0) { 93 } else if (argc != 0 && !listciphers) {
85 usage(); 94 usage();
86 } 95 }
87 if (asprintf(&host_port, strchr(host, ':') ? "[%s]:%s" : "%s:%s", 96 if (asprintf(&host_port, strchr(host, ':') ? "[%s]:%s" : "%s:%s",
@@ -112,6 +121,27 @@ main(int argc, char *argv[])
112 if (ctx == NULL) 121 if (ctx == NULL)
113 err_ssl(1, "SSL_CTX_new"); 122 err_ssl(1, "SSL_CTX_new");
114 123
124#if OPENSSL_VERSION_NUMBER >= 0x10100000
125 /* needed to use DHE cipher with libressl */
126 if (SSL_CTX_set_dh_auto(ctx, 1) <= 0)
127 err_ssl(1, "SSL_CTX_set_dh_auto");
128#endif
129 /* needed to use ADH, EDH, DHE cipher with openssl */
130 if (dhparam != NULL) {
131 DH *dh;
132 FILE *file;
133
134 file = fopen(dhparam, "r");
135 if (file == NULL)
136 err(1, "fopen %s", dhparam);
137 dh = PEM_read_DHparams(file, NULL, NULL, NULL);
138 if (dh == NULL)
139 err_ssl(1, "PEM_read_DHparams");
140 if (SSL_CTX_set_tmp_dh(ctx, dh) <= 0)
141 err_ssl(1, "SSL_CTX_set_tmp_dh");
142 fclose(file);
143 }
144
115 /* needed when linking with OpenSSL 1.0.2p */ 145 /* needed when linking with OpenSSL 1.0.2p */
116 if (SSL_CTX_set_ecdh_auto(ctx, 1) <= 0) 146 if (SSL_CTX_set_ecdh_auto(ctx, 1) <= 0)
117 err_ssl(1, "SSL_CTX_set_ecdh_auto"); 147 err_ssl(1, "SSL_CTX_set_ecdh_auto");
@@ -151,6 +181,19 @@ main(int argc, char *argv[])
151 err_ssl(1, "SSL_CTX_set_session_id_context"); 181 err_ssl(1, "SSL_CTX_set_session_id_context");
152 } 182 }
153 183
184 if (ciphers) {
185 if (SSL_CTX_set_cipher_list(ctx, ciphers) <= 0)
186 err_ssl(1, "SSL_CTX_set_cipher_list");
187 }
188
189 if (listciphers) {
190 ssl = SSL_new(ctx);
191 if (ssl == NULL)
192 err_ssl(1, "SSL_new");
193 print_ciphers(SSL_get_ciphers(ssl));
194 return 0;
195 }
196
154 /* setup bio for socket operations */ 197 /* setup bio for socket operations */
155 abio = BIO_new_accept(host_port); 198 abio = BIO_new_accept(host_port);
156 if (abio == NULL) 199 if (abio == NULL)
@@ -182,7 +225,6 @@ main(int argc, char *argv[])
182 ssl = SSL_new(ctx); 225 ssl = SSL_new(ctx);
183 if (ssl == NULL) 226 if (ssl == NULL)
184 err_ssl(1, "SSL_new"); 227 err_ssl(1, "SSL_new");
185 print_ciphers(SSL_get_ciphers(ssl));
186 SSL_set_bio(ssl, cbio, cbio); 228 SSL_set_bio(ssl, cbio, cbio);
187 if ((error = SSL_accept(ssl)) <= 0) 229 if ((error = SSL_accept(ssl)) <= 0)
188 err_ssl(1, "SSL_accept %d", error); 230 err_ssl(1, "SSL_accept %d", error);
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-26 12:46:06 +0000