" (default is sect163r2).\n");
#endif
fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
-#ifndef OPENSSL_NO_TLSEXT
- fprintf(stderr," -server_authz arg - binary authz file for certificate\n");
- fprintf(stderr," -c_support_proof - indicate client support for server_authz audit proofs\n");
- fprintf(stderr," -c_require_proof - fail if no audit proof is sent\n");
-#endif
fprintf(stderr," -serverinfo_file file - have server use this file\n");
fprintf(stderr," -serverinfo_sct - have client offer and expect SCT\n");
fprintf(stderr," -serverinfo_tack - have client offer and expect TACK\n");
}
#endif
-#ifndef OPENSSL_NO_TLSEXT
-struct audit_proof_cb_arg_st
- {
- unsigned char *expected_proof;
- size_t expected_proof_length;
- int require;
- };
-
-struct audit_proof_cb_arg_st c_expected = { NULL, 0, 0 };
-
-static int audit_proof_cb(SSL *s, void *arg)
- {
- const unsigned char *proof;
- size_t proof_len;
- SSL_SESSION *sess = SSL_get_session(s);
- struct audit_proof_cb_arg_st *cb_arg = (struct audit_proof_cb_arg_st*)arg;
-
- proof = SSL_SESSION_get_tlsext_authz_server_audit_proof(sess,
- &proof_len);
- if (proof != NULL)
- {
- if (proof_len == cb_arg->expected_proof_length &&
- cb_arg->expected_proof != NULL &&
- memcmp(proof, cb_arg->expected_proof, proof_len) == 0)
- {
- BIO_printf(bio_stdout, "Audit proof OK (%lu bytes).\n",
- (long)proof_len);
- return 1;
- }
- else
- {
- BIO_printf(bio_stdout, "Audit proof mismatch.\n");
- /* Cause handshake failure. */
- return 0;
- }
- }
-
- else /* proof == NULL */
- {
- BIO_printf(bio_stdout, "No audit proof found.\n");
- if (cb_arg->require)
- {
- /* Cause handshake failure. */
- return 0;
- }
- return 1;
- }
- }
-#endif
-
int main(int argc, char *argv[])
{
char *CApath=NULL,*CAfile=NULL;
#ifdef OPENSSL_FIPS
int fips_mode=0;
#endif
-#ifndef OPENSSL_NO_TLSEXT
- char *s_authz_file = NULL;
- int c_support_proof = 0;
- int c_require_proof = 0;
-#endif
verbose = 0;
debug = 0;
{
test_cipherlist = 1;
}
-#ifndef OPENSSL_NO_TLSEXT
- else if(strcmp(*argv,"-server_authz") == 0)
- {
- if (--argc < 1) goto bad;
- s_authz_file = *(++argv);
- tls1 = 1;
- }
- else if (strcmp(*argv,"-c_support_proof") == 0)
- {
- c_support_proof = 1;
- tls1 = 1;
- }
- else if (strcmp(*argv,"-c_require_proof") == 0)
- {
- c_require_proof = 1;
- tls1 = 1;
- }
-#endif
else if (strcmp(*argv,"-serverinfo_sct") == 0)
{
serverinfo_sct = 1;
"to avoid protocol mismatch.\n");
EXIT(1);
}
- if (c_require_proof && s_authz_file == NULL && !force)
- {
- fprintf(stderr, "This case cannot work. -c_require_proof "
- "requires an audit proof, but none was supplied. "
- "Use -f to perform the test anyway (and\n-d to see "
- "what happens), or use -server_authz to supply an "
- "audit proof.\n");
- EXIT(1);
- }
#ifdef OPENSSL_FIPS
if(fips_mode)
SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
}
#endif
-#ifndef OPENSSL_NO_TLSEXT
- if (s_authz_file != NULL)
- {
- if(!SSL_CTX_use_authz_file(s_ctx, s_authz_file))
- {
- BIO_printf(bio_err, "Unable to set authz data\n");
- goto end;
- }
- }
- if (c_support_proof || c_require_proof)
- {
- size_t proof_length;
- const unsigned char *proof = SSL_CTX_get_authz_data(s_ctx,
- TLSEXT_AUTHZDATAFORMAT_audit_proof, &proof_length);
- if (proof != NULL)
- {
- /* Store a local copy. */
- c_expected.expected_proof = OPENSSL_malloc(proof_length);
- c_expected.expected_proof_length = proof_length;
- memcpy(c_expected.expected_proof, proof, proof_length);
- }
- c_expected.require = c_require_proof;
- SSL_CTX_set_tlsext_authz_server_audit_proof_cb(c_ctx,
- audit_proof_cb);
- SSL_CTX_set_tlsext_authz_server_audit_proof_cb_arg(c_ctx,
- &c_expected);
- }
-#endif
if (serverinfo_sct)
SSL_CTX_set_custom_cli_ext(c_ctx, SCT_EXT_TYPE, NULL,
#endif
#ifndef OPENSSL_NO_ENGINE
ENGINE_cleanup();
-#endif
-#ifndef OPENSSL_NO_TLSEXT
- if (c_expected.expected_proof != NULL)
- OPENSSL_free(c_expected.expected_proof);
#endif
CRYPTO_cleanup_all_ex_data();
ERR_free_strings();
projects / openssl / commitdiff