Reverting 1.0.2-only changes supporting the prior authz RFC5878-based tests from commit 835d104f46c4448a27844a9309de456c7972a943
This commit is contained in:
Scott Deboy
parent
5a32dd8930
commit
c32ebefaa8
119
ssl/ssltest.c
119
ssl/ssltest.c
@ -836,11 +836,6 @@ static void sv_usage(void)
|
||||
" (default is sect163r2).\n");
|
||||
#endif
|
||||
fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
fprintf(stderr," -server_authz arg - binary authz file for certificate\n");
|
||||
fprintf(stderr," -c_support_proof - indicate client support for server_authz audit proofs\n");
|
||||
fprintf(stderr," -c_require_proof - fail if no audit proof is sent\n");
|
||||
#endif
|
||||
fprintf(stderr," -serverinfo_file file - have server use this file\n");
|
||||
fprintf(stderr," -serverinfo_sct - have client offer and expect SCT\n");
|
||||
fprintf(stderr," -serverinfo_tack - have client offer and expect TACK\n");
|
||||
@ -978,56 +973,6 @@ int opaque_prf_input_cb(SSL *ssl, void *peerinput, size_t len, void *arg_)
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
struct audit_proof_cb_arg_st
|
||||
{
|
||||
unsigned char *expected_proof;
|
||||
size_t expected_proof_length;
|
||||
int require;
|
||||
};
|
||||
|
||||
struct audit_proof_cb_arg_st c_expected = { NULL, 0, 0 };
|
||||
|
||||
static int audit_proof_cb(SSL *s, void *arg)
|
||||
{
|
||||
const unsigned char *proof;
|
||||
size_t proof_len;
|
||||
SSL_SESSION *sess = SSL_get_session(s);
|
||||
struct audit_proof_cb_arg_st *cb_arg = (struct audit_proof_cb_arg_st*)arg;
|
||||
|
||||
proof = SSL_SESSION_get_tlsext_authz_server_audit_proof(sess,
|
||||
&proof_len);
|
||||
if (proof != NULL)
|
||||
{
|
||||
if (proof_len == cb_arg->expected_proof_length &&
|
||||
cb_arg->expected_proof != NULL &&
|
||||
memcmp(proof, cb_arg->expected_proof, proof_len) == 0)
|
||||
{
|
||||
BIO_printf(bio_stdout, "Audit proof OK (%lu bytes).\n",
|
||||
(long)proof_len);
|
||||
return 1;
|
||||
}
|
||||
else
|
||||
{
|
||||
BIO_printf(bio_stdout, "Audit proof mismatch.\n");
|
||||
/* Cause handshake failure. */
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
else /* proof == NULL */
|
||||
{
|
||||
BIO_printf(bio_stdout, "No audit proof found.\n");
|
||||
if (cb_arg->require)
|
||||
{
|
||||
/* Cause handshake failure. */
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
char *CApath=NULL,*CAfile=NULL;
|
||||
@ -1079,11 +1024,6 @@ int main(int argc, char *argv[])
|
||||
#ifdef OPENSSL_FIPS
|
||||
int fips_mode=0;
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
char *s_authz_file = NULL;
|
||||
int c_support_proof = 0;
|
||||
int c_require_proof = 0;
|
||||
#endif
|
||||
|
||||
verbose = 0;
|
||||
debug = 0;
|
||||
@ -1302,24 +1242,6 @@ int main(int argc, char *argv[])
|
||||
{
|
||||
test_cipherlist = 1;
|
||||
}
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
else if(strcmp(*argv,"-server_authz") == 0)
|
||||
{
|
||||
if (--argc < 1) goto bad;
|
||||
s_authz_file = *(++argv);
|
||||
tls1 = 1;
|
||||
}
|
||||
else if (strcmp(*argv,"-c_support_proof") == 0)
|
||||
{
|
||||
c_support_proof = 1;
|
||||
tls1 = 1;
|
||||
}
|
||||
else if (strcmp(*argv,"-c_require_proof") == 0)
|
||||
{
|
||||
c_require_proof = 1;
|
||||
tls1 = 1;
|
||||
}
|
||||
#endif
|
||||
else if (strcmp(*argv,"-serverinfo_sct") == 0)
|
||||
{
|
||||
serverinfo_sct = 1;
|
||||
@ -1389,15 +1311,6 @@ bad:
|
||||
"to avoid protocol mismatch.\n");
|
||||
EXIT(1);
|
||||
}
|
||||
if (c_require_proof && s_authz_file == NULL && !force)
|
||||
{
|
||||
fprintf(stderr, "This case cannot work. -c_require_proof "
|
||||
"requires an audit proof, but none was supplied. "
|
||||
"Use -f to perform the test anyway (and\n-d to see "
|
||||
"what happens), or use -server_authz to supply an "
|
||||
"audit proof.\n");
|
||||
EXIT(1);
|
||||
}
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
if(fips_mode)
|
||||
@ -1669,34 +1582,6 @@ bad:
|
||||
SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
|
||||
}
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
if (s_authz_file != NULL)
|
||||
{
|
||||
if(!SSL_CTX_use_authz_file(s_ctx, s_authz_file))
|
||||
{
|
||||
BIO_printf(bio_err, "Unable to set authz data\n");
|
||||
goto end;
|
||||
}
|
||||
}
|
||||
if (c_support_proof || c_require_proof)
|
||||
{
|
||||
size_t proof_length;
|
||||
const unsigned char *proof = SSL_CTX_get_authz_data(s_ctx,
|
||||
TLSEXT_AUTHZDATAFORMAT_audit_proof, &proof_length);
|
||||
if (proof != NULL)
|
||||
{
|
||||
/* Store a local copy. */
|
||||
c_expected.expected_proof = OPENSSL_malloc(proof_length);
|
||||
c_expected.expected_proof_length = proof_length;
|
||||
memcpy(c_expected.expected_proof, proof, proof_length);
|
||||
}
|
||||
c_expected.require = c_require_proof;
|
||||
SSL_CTX_set_tlsext_authz_server_audit_proof_cb(c_ctx,
|
||||
audit_proof_cb);
|
||||
SSL_CTX_set_tlsext_authz_server_audit_proof_cb_arg(c_ctx,
|
||||
&c_expected);
|
||||
}
|
||||
#endif
|
||||
|
||||
if (serverinfo_sct)
|
||||
SSL_CTX_set_custom_cli_ext(c_ctx, SCT_EXT_TYPE, NULL,
|
||||
@ -1849,10 +1734,6 @@ end:
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_ENGINE
|
||||
ENGINE_cleanup();
|
||||
#endif
|
||||
#ifndef OPENSSL_NO_TLSEXT
|
||||
if (c_expected.expected_proof != NULL)
|
||||
OPENSSL_free(c_expected.expected_proof);
|
||||
#endif
|
||||
CRYPTO_cleanup_all_ex_data();
|
||||
ERR_free_strings();
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user