Fix ssltest logic when some protocols are compiled out.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
Emilia Kasper
2014-10-27 16:25:17 +01:00
parent 14e14bf696
commit fd28a41ec8


@@ -799,7 +799,9 @@ static void sv_usage(void)
" Use \"openssl ecparam -list_curves\" for all names\n" \ " Use \"openssl ecparam -list_curves\" for all names\n" \
" (default is sect163r2).\n"); " (default is sect163r2).\n");
#endif #endif
fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n"); fprintf(stderr," -test_cipherlist - Verifies the order of the ssl cipher lists.\n"
" When this option is requested, the cipherlist\n"
" tests are run instead of handshake tests.\n");
#ifndef OPENSSL_NO_NEXTPROTONEG #ifndef OPENSSL_NO_NEXTPROTONEG
fprintf(stderr," -npn_client - have client side offer NPN\n"); fprintf(stderr," -npn_client - have client side offer NPN\n");
fprintf(stderr," -npn_server - have server side offer NPN\n"); fprintf(stderr," -npn_server - have server side offer NPN\n");
@@ -992,6 +994,7 @@ int main(int argc, char *argv[])
#ifdef OPENSSL_FIPS #ifdef OPENSSL_FIPS
int fips_mode=0; int fips_mode=0;
#endif #endif
int no_protocol = 0;
verbose = 0; verbose = 0;
debug = 0; debug = 0;
@@ -1101,11 +1104,26 @@ int main(int argc, char *argv[])
} }
#endif #endif
else if (strcmp(*argv,"-ssl2") == 0) else if (strcmp(*argv,"-ssl2") == 0)
{
#ifdef OPENSSL_NO_SSL2
no_protocol = 1;
#endif
ssl2 = 1; ssl2 = 1;
}
else if (strcmp(*argv,"-tls1") == 0) else if (strcmp(*argv,"-tls1") == 0)
{
#ifdef OPENSSL_NO_TLS1
no_protocol = 1;
#endif
tls1 = 1; tls1 = 1;
}
else if (strcmp(*argv,"-ssl3") == 0) else if (strcmp(*argv,"-ssl3") == 0)
{
#ifdef OPENSSL_NO_SSL3
no_protocol = 1;
#endif
ssl3 = 1; ssl3 = 1;
}
else if (strncmp(*argv,"-num",4) == 0) else if (strncmp(*argv,"-num",4) == 0)
{ {
if (--argc < 1) goto bad; if (--argc < 1) goto bad;
@@ -1272,15 +1290,41 @@ bad:
goto end; goto end;
} }
/*
* test_cipherlist prevails over protocol switch: we test the cipherlist
* for all enabled protocols.
*/
if (test_cipherlist == 1) if (test_cipherlist == 1)
{ {
/* ensure that the cipher list are correctly sorted and exit */ /* ensure that the cipher list are correctly sorted and exit */
fprintf(stdout, "Testing cipherlist order only. Ignoring all "
"other options.\n");
if (do_test_cipherlist() == 0) if (do_test_cipherlist() == 0)
EXIT(1); EXIT(1);
ret = 0; ret = 0;
goto end; goto end;
} }
if (ssl2 + ssl3 + tls1 > 1)
{
fprintf(stderr, "At most one of -ssl2, -ssl3, or -tls1 should "
"be requested.\n");
EXIT(1);
}
/*
* Testing was requested for a compiled-out protocol (e.g. SSLv2).
* Ideally, we would error out, but the generic test wrapper can't know
* when to expect failure. So we do nothing and return success.
*/
if (no_protocol)
{
fprintf(stderr, "Testing was requested for a disabled protocol. "
"Skipping tests.\n");
ret = 0;
goto end;
}
if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force) if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
{ {
fprintf(stderr, "This case cannot work. Use -f to perform " fprintf(stderr, "This case cannot work. Use -f to perform "
@@ -1359,30 +1403,25 @@ bad:
} }
#endif #endif
#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) /* At this point, ssl2/ssl3/tls1 is only set if the protocol is available.
* (Otherwise we exit early.)
* However the compiler doesn't know this, so we ifdef. */
#ifndef OPENSSL_NO_SSL2
if (ssl2) if (ssl2)
meth=SSLv2_method(); meth=SSLv2_method();
else else
if (tls1) #endif
meth=TLSv1_method(); #ifndef OPENSSL_NO_SSL3
else
if (ssl3) if (ssl3)
meth=SSLv3_method(); meth=SSLv3_method();
else else
meth=SSLv23_method(); #endif
#else #ifndef OPENSSL_NO_TLS1
#ifdef OPENSSL_NO_SSL2
if (tls1) if (tls1)
meth=TLSv1_method(); meth=TLSv1_method();
else else
if (ssl3) #endif
meth=SSLv3_method();
else
meth=SSLv23_method(); meth=SSLv23_method();
#else
meth=SSLv2_method();
#endif
#endif
c_ctx=SSL_CTX_new(meth); c_ctx=SSL_CTX_new(meth);
s_ctx=SSL_CTX_new(meth); s_ctx=SSL_CTX_new(meth);