generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Update ssltest certificate handling.

Browse Source 
Use SSL_CONF for certificate handling is ssltest.c, this changes the
behaviour slightly: the -cert and -key options are no longer recognised
and a default certificate file is not used.

This change means that -s_cert and -c_cert can be used mode than once
to support use of multiple certificates.

Reviewed-by: Matt Caswell <matt@openssl.org>
This commit is contained in:
Dr. Stephen Henson 2015-08-26 12:22:39 +01:00
parent cb0585c2cb
commit 6a096889d7
2 changed files with 9 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
test/ssltest.c
View File

@ -204,20 +204,6 @@
# include OPENSSL_UNISTD
#endif
#ifdef OPENSSL_SYS_VMS
# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
#elif defined(OPENSSL_SYS_WINCE)
# define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
#elif defined(OPENSSL_SYS_NETWARE)
# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
#else
# define TEST_SERVER_CERT "../apps/server.pem"
# define TEST_CLIENT_CERT "../apps/client.pem"
#endif
/*
* There is really no standard for this, so let's assign something
* only for this test
@ -965,10 +951,6 @@ int main(int argc, char *argv[])
int server_auth = 0, i;
struct app_verify_arg app_verify_arg =
{ APP_CALLBACK_STRING, 0, 0, NULL, NULL };
char *server_cert = TEST_SERVER_CERT;
char *server_key = NULL;
char *client_cert = TEST_CLIENT_CERT;
char *client_key = NULL;
#ifndef OPENSSL_NO_EC
char *named_curve = NULL;
#endif
@ -1043,14 +1025,18 @@ int main(int argc, char *argv[])
}
SSL_CONF_CTX_set_flags(s_cctx,
SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER);
SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER |
SSL_CONF_FLAG_CERTIFICATE |
SSL_CONF_FLAG_REQUIRE_PRIVATE);
if (!SSL_CONF_CTX_set1_prefix(s_cctx, "-s_")) {
ERR_print_errors(bio_err);
goto end;
}
SSL_CONF_CTX_set_flags(c_cctx,
SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_CLIENT);
SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_CLIENT |
SSL_CONF_FLAG_CERTIFICATE |
SSL_CONF_FLAG_REQUIRE_PRIVATE);
if (!SSL_CONF_CTX_set1_prefix(c_cctx, "-c_")) {
ERR_print_errors(bio_err);
goto end;
@ -1165,30 +1151,6 @@ int main(int argc, char *argv[])
bytes *= 1024L;
if (argv[0][i - 1] == 'm')
bytes *= 1024L * 1024L;
} else if (strcmp(*argv, "-cert") == 0) {
if (--argc < 1)
goto bad;
server_cert = *(++argv);
} else if (strcmp(*argv, "-s_cert") == 0) {
if (--argc < 1)
goto bad;
server_cert = *(++argv);
} else if (strcmp(*argv, "-key") == 0) {
if (--argc < 1)
goto bad;
server_key = *(++argv);
} else if (strcmp(*argv, "-s_key") == 0) {
if (--argc < 1)
goto bad;
server_key = *(++argv);
} else if (strcmp(*argv, "-c_cert") == 0) {
if (--argc < 1)
goto bad;
client_cert = *(++argv);
} else if (strcmp(*argv, "-c_key") == 0) {
if (--argc < 1)
goto bad;
client_key = *(++argv);
} else if (strcmp(*argv, "-cipher") == 0) {
if (--argc < 1)
goto bad;
@ -1519,26 +1481,6 @@ int main(int argc, char *argv[])
SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb);
#endif
if (!SSL_CTX_use_certificate_file(s_ctx, server_cert, SSL_FILETYPE_PEM)) {
ERR_print_errors(bio_err);
} else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
(server_key ? server_key :
server_cert),
SSL_FILETYPE_PEM)) {
ERR_print_errors(bio_err);
goto end;
}
if (client_auth) {
if (!SSL_CTX_use_certificate_file(c_ctx, client_cert, SSL_FILETYPE_PEM)
|| !SSL_CTX_use_PrivateKey_file(c_ctx,
(client_key ? client_key : client_cert),
SSL_FILETYPE_PEM)) {
ERR_print_errors(bio_err);
goto end;
}
}
if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) ||
(!SSL_CTX_set_default_verify_paths(s_ctx)) ||
(!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) ||

6
test/testssl
View File

@ -10,7 +10,7 @@ if [ "$2" = "" ]; then
else
cert="$2"
fi
ssltest="../util/shlib_wrap.sh ./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"
ssltest="../util/shlib_wrap.sh ./ssltest -s_key $key -s_cert $cert -c_key $key -c_cert $cert"
if ../util/shlib_wrap.sh ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
dsa_cert=YES
@ -176,13 +176,13 @@ if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
echo skipping RSA tests
else
echo 'test tls1 with 1024bit RSA, no (EC)DHE, multiple handshakes'
../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1
../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -s_cert ../apps/server2.pem -no_dhe -no_ecdhe -num 10 -f -time $extra || exit 1
if ../util/shlib_wrap.sh ../apps/openssl no-dhparam; then
echo skipping RSA+DHE tests
else
echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -s_cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
fi
fi