ag/cpython-source-deps
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update to OpenSSL 1.0.2.o

Browse Source
This commit is contained in:
Steve Dower
2018-04-13 17:29:45 +00:00
parent ccd3ab4aff
commit 4933cd8231
386 changed files with 5623 additions and 2984 deletions
Download Patch File Download Diff File Expand all files Collapse all files

228
ssl/ssltest.c
View File

@@ -311,6 +311,13 @@ static const char *sn_client;
static const char *sn_server1;
static const char *sn_server2;
static int sn_expect = 0;
static int s_ticket1 = 0;
static int s_ticket2 = 0;
static int c_ticket = 0;
static int ticket_expect = -1;
static int sni_in_cert_cb = 0;
static const char *client_sigalgs = NULL;
static const char *server_digest_expect = NULL;
static int servername_cb(SSL *s, int *ad, void *arg)
{
@@ -325,6 +332,9 @@ static int servername_cb(SSL *s, int *ad, void *arg)
!strcasecmp(servername, sn_server2)) {
BIO_printf(bio_stdout, "Switching server context.\n");
SSL_set_SSL_CTX(s, s_ctx2);
/* Copy over all the SSL_CTX options */
SSL_clear_options(s, 0xFFFFFFFFL);
SSL_set_options(s, SSL_CTX_get_options(s_ctx2));
}
}
return SSL_TLSEXT_ERR_OK;
@@ -348,6 +358,40 @@ static int verify_servername(SSL *client, SSL *server)
BIO_printf(bio_stdout, "Servername: context is unknown\n");
return -1;
}
static int cert_cb(SSL *ssl, void *arg)
{
int unused;
return servername_cb(ssl, &unused, NULL) != SSL_TLSEXT_ERR_ALERT_FATAL;
}
static int verify_ticket(SSL* ssl)
{
if (ticket_expect == -1)
return 0;
if (ticket_expect == 0 &&
(ssl->session->tlsext_tick == NULL ||
ssl->session->tlsext_ticklen == 0))
return 1;
if (ticket_expect == 1 &&
(ssl->session->tlsext_tick != NULL &&
ssl->session->tlsext_ticklen != 0))
return 1;
return -1;
}
static int verify_server_digest(SSL* ssl)
{
int nid = NID_undef;
if (server_digest_expect == NULL)
return 0;
SSL_get_peer_signature_nid(ssl, &nid);
if (strcmp(server_digest_expect, OBJ_nid2sn(nid)) == 0)
return 1;
BIO_printf(bio_stdout, "Expected server digest %s, got %s.\n",
server_digest_expect, OBJ_nid2sn(nid));
return -1;
}
/*-
* next_protos_parse parses a comma separated list of strings into a string
@@ -379,13 +423,13 @@ static unsigned char *next_protos_parse(unsigned short *outlen,
OPENSSL_free(out);
return NULL;
}
out[start] = i - start;
out[start] = (unsigned char)(i - start);
start = i + 1;
} else
out[i + 1] = in[i];
}
*outlen = len + 1;
*outlen = (unsigned char)(len + 1);
return out;
}
@@ -477,6 +521,43 @@ static int verify_alpn(SSL *client, SSL *server)
return -1;
}
#ifndef OPENSSL_NO_TLSEXT
static int cb_ticket0(SSL* s, unsigned char* key_name, unsigned char *iv, EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)
{
return 0;
}
static int cb_ticket1(SSL* s, unsigned char* key_name, unsigned char *iv, EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)
{
static unsigned char key[] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static char name[] = "ticket11ticket11";
if (SSL_get_options(s) & SSL_OP_NO_TICKET)
return 0;
if (enc) {
RAND_pseudo_bytes(iv, EVP_MAX_IV_LENGTH);
EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv);
HMAC_Init_ex(hctx, key, sizeof(key), EVP_sha1(), NULL);
memcpy(key_name, name, 16);
return 1;
} else {
if (memcmp(key_name, name, 16) == 0) {
EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv);
HMAC_Init_ex(hctx, key, sizeof(key), EVP_sha1(), NULL);
return 1;
}
}
return 0;
}
static int cb_ticket2(SSL* s, unsigned char* key_name, unsigned char *iv, EVP_CIPHER_CTX *ctx, HMAC_CTX *hctx, int enc)
{
fprintf(stderr, "ticket callback for SNI context should never be called\n");
EXIT(1);
return 0;
}
#endif
#define SCT_EXT_TYPE 18
/*
@@ -773,6 +854,7 @@ static void sv_usage(void)
#endif
#ifndef OPENSSL_NO_TLS1
fprintf(stderr, " -tls1 - use TLSv1\n");
fprintf(stderr, " -tls12 - use TLSv1.2\n");
#endif
#ifndef OPENSSL_NO_DTLS
fprintf(stderr, " -dtls1 - use DTLSv1\n");
@@ -820,6 +902,15 @@ static void sv_usage(void)
fprintf(stderr, " -sn_server2 <string> - have server context 2 respond to this servername\n");
fprintf(stderr, " -sn_expect1 - expected server 1\n");
fprintf(stderr, " -sn_expect2 - expected server 2\n");
#ifndef OPENSSL_NO_TLSEXT
fprintf(stderr, " -s_ticket1 <yes|no|broken> - enable/disable session tickets on context 1\n");
fprintf(stderr, " -s_ticket2 <yes|no> - enable/disable session tickets on context 2\n");
fprintf(stderr, " -c_ticket <yes|no> - enable/disable session tickets on the client\n");
fprintf(stderr, " -ticket_expect <yes|no> - indicate that the client should (or should not) have a ticket\n");
#endif
fprintf(stderr, " -sni_in_cert_cb - have the server handle SNI in the certificate callback\n");
fprintf(stderr, " -client_sigalgs arg - the signature algorithms to configure on the client\n");
fprintf(stderr, " -server_digest_expect arg - the expected server signing digest\n");
}
static void print_details(SSL *c_ssl, const char *prefix)
@@ -946,7 +1037,7 @@ int main(int argc, char *argv[])
int badop = 0;
int bio_pair = 0;
int force = 0;
int dtls1 = 0, dtls12 = 0, tls1 = 0, ssl2 = 0, ssl3 = 0, ret = 1;
int dtls1 = 0, dtls12 = 0, tls1 = 0, tls12 = 0, ssl2 = 0, ssl3 = 0, ret = 1;
int client_auth = 0;
int server_auth = 0, i;
struct app_verify_arg app_verify_arg =
@@ -1011,7 +1102,7 @@ int main(int argc, char *argv[])
}
CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
RAND_seed(rnd_seed, sizeof rnd_seed);
RAND_seed(rnd_seed, sizeof(rnd_seed));
bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE | BIO_FP_TEXT);
@@ -1100,6 +1191,11 @@ int main(int argc, char *argv[])
no_protocol = 1;
#endif
tls1 = 1;
} else if (strcmp(*argv, "-tls12") == 0) {
#ifdef OPENSSL_NO_TLS1
no_protocol = 1;
#endif
tls12 = 1;
} else if (strcmp(*argv, "-ssl3") == 0) {
#ifdef OPENSSL_NO_SSL3_METHOD
no_protocol = 1;
@@ -1175,13 +1271,21 @@ int main(int argc, char *argv[])
} else if (strcmp(*argv, "-time") == 0) {
print_time = 1;
}
#ifndef OPENSSL_NO_COMP
else if (strcmp(*argv, "-zlib") == 0) {
#ifndef OPENSSL_NO_COMP
comp = COMP_ZLIB;
} else if (strcmp(*argv, "-rle") == 0) {
comp = COMP_RLE;
}
#else
fprintf(stderr,
"ignoring -zlib, since I'm compiled without COMP\n");
#endif
} else if (strcmp(*argv, "-rle") == 0) {
#ifndef OPENSSL_NO_COMP
comp = COMP_RLE;
#else
fprintf(stderr,
"ignoring -rle, since I'm compiled without COMP\n");
#endif
}
else if (strcmp(*argv, "-named_curve") == 0) {
if (--argc < 1)
goto bad;
@@ -1241,6 +1345,46 @@ int main(int argc, char *argv[])
sn_expect = 1;
} else if (strcmp(*argv, "-sn_expect2") == 0) {
sn_expect = 2;
#ifndef OPENSSL_NO_TLSEXT
} else if (strcmp(*argv, "-s_ticket1") == 0) {
if (--argc < 1)
goto bad;
argv++;
if (strcmp(*argv, "yes") == 0)
s_ticket1 = 1;
if (strcmp(*argv, "broken") == 0)
s_ticket1 = 2;
} else if (strcmp(*argv, "-s_ticket2") == 0) {
if (--argc < 1)
goto bad;
argv++;
if (strcmp(*argv, "yes") == 0)
s_ticket2 = 1;
} else if (strcmp(*argv, "-c_ticket") == 0) {
if (--argc < 1)
goto bad;
argv++;
if (strcmp(*argv, "yes") == 0)
c_ticket = 1;
} else if (strcmp(*argv, "-ticket_expect") == 0) {
if (--argc < 1)
goto bad;
argv++;
if (strcmp(*argv, "yes") == 0)
ticket_expect = 1;
else if (strcmp(*argv, "no") == 0)
ticket_expect = 0;
#endif
} else if (strcmp(*argv, "-sni_in_cert_cb") == 0) {
sni_in_cert_cb = 1;
} else if (strcmp(*argv, "-client_sigalgs") == 0) {
if (--argc < 1)
goto bad;
client_sigalgs = *(++argv);
} else if (strcmp(*argv, "-server_digest_expect") == 0) {
if (--argc < 1)
goto bad;
server_digest_expect = *(++argv);
} else {
fprintf(stderr, "unknown option %s\n", *argv);
badop = 1;
@@ -1271,9 +1415,9 @@ int main(int argc, char *argv[])
goto end;
}
if (ssl2 + ssl3 + tls1 + dtls1 + dtls12 > 1) {
fprintf(stderr, "At most one of -ssl2, -ssl3, -tls1, -dtls1 or -dtls12 should "
"be requested.\n");
if (ssl2 + ssl3 + tls1 + tls12 + dtls1 + dtls12 > 1) {
fprintf(stderr, "At most one of -ssl2, -ssl3, -tls1, -tls12, -dtls1 or "
"-dtls12 should be requested.\n");
EXIT(1);
}
@@ -1289,10 +1433,11 @@ int main(int argc, char *argv[])
goto end;
}
if (!ssl2 && !ssl3 && !tls1 && !dtls1 && !dtls12 && number > 1 && !reuse && !force) {
if (!ssl2 && !ssl3 && !tls1 && !tls12 && !dtls1 && !dtls12 && number > 1
&& !reuse && !force) {
fprintf(stderr, "This case cannot work. Use -f to perform "
"the test anyway (and\n-d to see what happens), "
"or add one of ssl2, -ssl3, -tls1, -dtls1, -dtls12, -reuse\n"
"or add one of ssl2, -ssl3, -tls1, -tls12, -dtls1, -dtls12, -reuse\n"
"to avoid protocol mismatch.\n");
EXIT(1);
}
@@ -1356,7 +1501,7 @@ int main(int argc, char *argv[])
#endif
/*
* At this point, ssl2/ssl3/tls1 is only set if the protocol is
* At this point, ssl2/ssl3/tls1/tls12 is only set if the protocol is
* available. (Otherwise we exit early.) However the compiler doesn't
* know this, so we ifdef.
*/
@@ -1380,6 +1525,8 @@ int main(int argc, char *argv[])
#ifndef OPENSSL_NO_TLS1
if (tls1)
meth = TLSv1_method();
else if (tls12)
meth = TLSv1_2_method();
else
#endif
meth = SSLv23_method();
@@ -1526,9 +1673,9 @@ int main(int argc, char *argv[])
{
int session_id_context = 0;
SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context,
sizeof session_id_context);
sizeof(session_id_context));
SSL_CTX_set_session_id_context(s_ctx2, (void *)&session_id_context,
sizeof session_id_context);
sizeof(session_id_context));
}
/* Use PSK only if PSK key is given */
@@ -1676,8 +1823,33 @@ int main(int argc, char *argv[])
OPENSSL_free(alpn);
}
if (sn_server1 || sn_server2)
SSL_CTX_set_tlsext_servername_callback(s_ctx, servername_cb);
if (sn_server1 || sn_server2) {
if (sni_in_cert_cb)
SSL_CTX_set_cert_cb(s_ctx, cert_cb, NULL);
else
SSL_CTX_set_tlsext_servername_callback(s_ctx, servername_cb);
}
#ifndef OPENSSL_NO_TLSEXT
if (s_ticket1 == 0)
SSL_CTX_set_options(s_ctx, SSL_OP_NO_TICKET);
/* always set the callback */
if (s_ticket1 == 2)
SSL_CTX_set_tlsext_ticket_key_cb(s_ctx, cb_ticket0);
else
SSL_CTX_set_tlsext_ticket_key_cb(s_ctx, cb_ticket1);
if (!s_ticket2)
SSL_CTX_set_options(s_ctx2, SSL_OP_NO_TICKET);
/* always set the callback - this should never be called */
SSL_CTX_set_tlsext_ticket_key_cb(s_ctx2, cb_ticket2);
if (!c_ticket)
SSL_CTX_set_options(c_ctx, SSL_OP_NO_TICKET);
#endif
if (client_sigalgs != NULL)
SSL_CTX_set1_sigalgs_list(c_ctx, client_sigalgs);
c_ssl = SSL_new(c_ctx);
s_ssl = SSL_new(s_ctx);
@@ -1689,9 +1861,9 @@ int main(int argc, char *argv[])
if (c_ssl && c_ssl->kssl_ctx) {
char localhost[MAXHOSTNAMELEN + 2];
if (gethostname(localhost, sizeof localhost - 1) == 0) {
localhost[sizeof localhost - 1] = '\0';
if (strlen(localhost) == sizeof localhost - 1) {
if (gethostname(localhost, sizeof(localhost) - 1) == 0) {
localhost[sizeof(localhost) - 1] = '\0';
if (strlen(localhost) == sizeof(localhost) - 1) {
BIO_printf(bio_err, "localhost name too long\n");
goto end;
}
@@ -1742,6 +1914,10 @@ int main(int argc, char *argv[])
ret = 1;
if (verify_servername(c_ssl, s_ssl) < 0)
ret = 1;
if (verify_ticket(c_ssl) < 0)
ret = 1;
if (verify_server_digest(c_ssl) < 0)
ret = 1;
SSL_free(s_ssl);
SSL_free(c_ssl);
@@ -1865,8 +2041,8 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
if (cw_num > 0) {
/* Write to server. */
if (cw_num > (long)sizeof cbuf)
i = sizeof cbuf;
if (cw_num > (long)sizeof(cbuf))
i = sizeof(cbuf);
else
i = (int)cw_num;
r = BIO_write(c_ssl_bio, cbuf, i);
@@ -1942,8 +2118,8 @@ int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
if (sw_num > 0) {
/* Write to client. */
if (sw_num > (long)sizeof sbuf)
i = sizeof sbuf;
if (sw_num > (long)sizeof(sbuf))
i = sizeof(sbuf);
else
i = (int)sw_num;
r = BIO_write(s_ssl_bio, sbuf, i);
@@ -2454,7 +2630,7 @@ static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
char *s, buf[256];
s = X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), buf,
sizeof buf);
sizeof(buf));
if (s != NULL) {
if (ok)
fprintf(stderr, "depth=%d %s\n", ctx->error_depth, buf);