aboutsummaryrefslogtreecommitdiff
path: root/openssl/ssl/ssltest.c
diff options
context:
space:
mode:
Diffstat (limited to 'openssl/ssl/ssltest.c')
-rw-r--r--openssl/ssl/ssltest.c133
1 files changed, 124 insertions, 9 deletions
diff --git a/openssl/ssl/ssltest.c b/openssl/ssl/ssltest.c
index 0bb4fa43b..0f8fd3902 100644
--- a/openssl/ssl/ssltest.c
+++ b/openssl/ssl/ssltest.c
@@ -181,6 +181,9 @@
#ifndef OPENSSL_NO_DH
#include <openssl/dh.h>
#endif
+#ifndef OPENSSL_NO_SRP
+#include <openssl/srp.h>
+#endif
#include <openssl/bn.h>
#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
@@ -246,6 +249,49 @@ static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned
unsigned int max_psk_len);
#endif
+#ifndef OPENSSL_NO_SRP
+/* SRP client */
+/* This is a context that we pass to all callbacks */
+typedef struct srp_client_arg_st
+ {
+ char *srppassin;
+ char *srplogin;
+ } SRP_CLIENT_ARG;
+
+#define PWD_STRLEN 1024
+
+static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
+ {
+ SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
+ return BUF_strdup((char *)srp_client_arg->srppassin);
+ }
+
+/* SRP server */
+/* This is a context that we pass to SRP server callbacks */
+typedef struct srp_server_arg_st
+ {
+ char *expected_user;
+ char *pass;
+ } SRP_SERVER_ARG;
+
+static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
+ {
+ SRP_SERVER_ARG * p = (SRP_SERVER_ARG *) arg;
+
+ if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0)
+ {
+ fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s));
+ return SSL3_AL_FATAL;
+ }
+ if (SSL_set_srp_server_param_pw(s,p->expected_user,p->pass,"1024")<0)
+ {
+ *ad = SSL_AD_INTERNAL_ERROR;
+ return SSL3_AL_FATAL;
+ }
+ return SSL_ERROR_NONE;
+ }
+#endif
+
static BIO *bio_err=NULL;
static BIO *bio_stdout=NULL;
@@ -268,6 +314,9 @@ static void sv_usage(void)
{
fprintf(stderr,"usage: ssltest [args ...]\n");
fprintf(stderr,"\n");
+#ifdef OPENSSL_FIPS
+ fprintf(stderr,"-F - run test in FIPS mode\n");
+#endif
fprintf(stderr," -server_auth - check server certificate\n");
fprintf(stderr," -client_auth - do client authentication\n");
fprintf(stderr," -proxy - allow proxy certificates\n");
@@ -289,6 +338,10 @@ static void sv_usage(void)
#ifndef OPENSSL_NO_PSK
fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");
#endif
+#ifndef OPENSSL_NO_SRP
+ fprintf(stderr," -srpuser user - SRP username to use\n");
+ fprintf(stderr," -srppass arg - password for 'user'\n");
+#endif
#ifndef OPENSSL_NO_SSL2
fprintf(stderr," -ssl2 - use SSLv2\n");
#endif
@@ -476,6 +529,12 @@ int main(int argc, char *argv[])
#ifndef OPENSSL_NO_ECDH
EC_KEY *ecdh = NULL;
#endif
+#ifndef OPENSSL_NO_SRP
+ /* client */
+ SRP_CLIENT_ARG srp_client_arg = {NULL,NULL};
+ /* server */
+ SRP_SERVER_ARG srp_server_arg = {NULL,NULL};
+#endif
int no_dhe = 0;
int no_ecdhe = 0;
int no_psk = 0;
@@ -487,6 +546,9 @@ int main(int argc, char *argv[])
#endif
STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
int test_cipherlist = 0;
+#ifdef OPENSSL_FIPS
+ int fips_mode=0;
+#endif
verbose = 0;
debug = 0;
@@ -518,7 +580,16 @@ int main(int argc, char *argv[])
while (argc >= 1)
{
- if (strcmp(*argv,"-server_auth") == 0)
+ if(!strcmp(*argv,"-F"))
+ {
+#ifdef OPENSSL_FIPS
+ fips_mode=1;
+#else
+ fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
+ EXIT(0);
+#endif
+ }
+ else if (strcmp(*argv,"-server_auth") == 0)
server_auth=1;
else if (strcmp(*argv,"-client_auth") == 0)
client_auth=1;
@@ -572,6 +643,20 @@ int main(int argc, char *argv[])
no_psk=1;
#endif
}
+#ifndef OPENSSL_NO_SRP
+ else if (strcmp(*argv,"-srpuser") == 0)
+ {
+ if (--argc < 1) goto bad;
+ srp_server_arg.expected_user = srp_client_arg.srplogin= *(++argv);
+ tls1=1;
+ }
+ else if (strcmp(*argv,"-srppass") == 0)
+ {
+ if (--argc < 1) goto bad;
+ srp_server_arg.pass = srp_client_arg.srppassin= *(++argv);
+ tls1=1;
+ }
+#endif
else if (strcmp(*argv,"-ssl2") == 0)
ssl2=1;
else if (strcmp(*argv,"-tls1") == 0)
@@ -714,6 +799,20 @@ bad:
EXIT(1);
}
+#ifdef OPENSSL_FIPS
+ if(fips_mode)
+ {
+ if(!FIPS_mode_set(1))
+ {
+ ERR_load_crypto_strings();
+ ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+ EXIT(1);
+ }
+ else
+ fprintf(stderr,"*** IN FIPS MODE ***\n");
+ }
+#endif
+
if (print_time)
{
if (!bio_pair)
@@ -837,7 +936,11 @@ bad:
}
}
else
+#ifdef OPENSSL_NO_EC2M
+ nid = NID_X9_62_prime256v1;
+#else
nid = NID_sect163r2;
+#endif
ecdh = EC_KEY_new_by_curve_name(nid);
if (ecdh == NULL)
@@ -940,6 +1043,26 @@ bad:
}
#endif
}
+#ifndef OPENSSL_NO_SRP
+ if (srp_client_arg.srplogin)
+ {
+ if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin))
+ {
+ BIO_printf(bio_err,"Unable to set SRP username\n");
+ goto end;
+ }
+ SSL_CTX_set_srp_cb_arg(c_ctx,&srp_client_arg);
+ SSL_CTX_set_srp_client_pwd_callback(c_ctx, ssl_give_srp_client_pwd_cb);
+ /*SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);*/
+ }
+
+ if (srp_server_arg.expected_user != NULL)
+ {
+ SSL_CTX_set_verify(s_ctx,SSL_VERIFY_NONE,verify_callback);
+ SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
+ SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
+ }
+#endif
c_ssl=SSL_new(c_ctx);
s_ssl=SSL_new(s_ctx);
@@ -2164,15 +2287,7 @@ static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
}
#ifndef OPENSSL_NO_X509_VERIFY
-# ifdef OPENSSL_FIPS
- if(s->version == TLS1_VERSION)
- FIPS_allow_md5(1);
-# endif
ok = X509_verify_cert(ctx);
-# ifdef OPENSSL_FIPS
- if(s->version == TLS1_VERSION)
- FIPS_allow_md5(0);
-# endif
#endif
if (cb_arg->proxy_auth)