author | Rob Percival <robpercival@google.com> | 2016-03-02 13:34:05 +0000 |
committer | Rich Salz <rsalz@openssl.org> | 2016-03-04 10:50:10 -0500 |
commit | dd696a55a2554cc8c89dd64f7e1171ce211dfc5c (patch) | |
tree | fe2299f0f9f213f0e07179fe1548b2be1a745c87 /test/ssltest.c | |
parent | 98d8ddd25474b954d52f01086fcc2536965d015b (diff) | |
Extends s_client to allow a basic CT policy to be enabled
Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'test/ssltest.c')
-rw-r--r-- | test/ssltest.c | 54 |
1 files changed, 45 insertions, 9 deletions
diff --git a/test/ssltest.c b/test/ssltest.c
index f65358a..da9391a 100644
--- a/test/ssltest.c
+++ b/test/ssltest.c
@@ -187,6 +187,9 @@
 # include <openssl/srp.h>
 #endif
 #include <openssl/bn.h>
+#ifndef OPENSSL_NO_CT
+# include <openssl/ct.h>
+#endif
 #include "../ssl/ssl_locl.h"
@@ -493,8 +496,6 @@ static int verify_alpn(SSL *client, SSL *server)
 return -1;
 }
-#define SCT_EXT_TYPE 18
-
 /*
 * WARNING : below extension types are *NOT* IETF assigned, and could
 * conflict if these types are reassigned and handled specially by OpenSSL
@@ -529,7 +530,7 @@ static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type,
 const unsigned char *in, size_t inlen,
 int *al, void *arg)
 {
- if (ext_type == SCT_EXT_TYPE)
+ if (ext_type == TLSEXT_TYPE_signed_certificate_timestamp)
 serverinfo_sct_seen++;
 else if (ext_type == TACK_EXT_TYPE)
 serverinfo_tack_seen++;
@@ -838,6 +839,11 @@ static void sv_usage(void)
 fprintf(stderr, " -client_min_proto <string> - Minimum version the client should support\n");
 fprintf(stderr, " -client_max_proto <string> - Maximum version the client should support\n");
 fprintf(stderr, " -should_negotiate <string> - The version that should be negotiated, fail-client or fail-server\n");
+#ifndef OPENSSL_NO_CT
+ fprintf(stderr, " -noct - no certificate transparency\n");
+ fprintf(stderr, " -requestct - request certificate transparency\n");
+ fprintf(stderr, " -requirect - require certificate transparency\n");
+#endif
 }
 static void print_key_details(BIO *out, EVP_PKEY *key)
@@ -1057,6 +1063,14 @@ int main(int argc, char *argv[])
 #endif
 int no_protocol;
+#ifndef OPENSSL_NO_CT
+ /*
+ * Disable CT validation by default, because it will interfere with
+ * anything using custom extension handlers to deal with SCT extensions.
+ */
+ ct_validation_cb ct_validation = NULL;
+#endif
+
 SSL_CONF_CTX *s_cctx = NULL, *c_cctx = NULL;
 STACK_OF(OPENSSL_STRING) *conf_args = NULL;
 char *arg = NULL, *argn = NULL;
@@ -1229,6 +1243,17 @@ int main(int argc, char *argv[])
 } else if (strcmp(*argv, "-time") == 0) {
 print_time = 1;
 }
+#ifndef OPENSSL_NO_CT
+ else if (strcmp(*argv, "-noct") == 0) {
+ ct_validation = NULL;
+ }
+ else if (strcmp(*argv, "-requestct") == 0) {
+ ct_validation = CT_verify_no_bad_scts;
+ }
+ else if (strcmp(*argv, "-requirect") == 0) {
+ ct_validation = CT_verify_at_least_one_good_sct;
+ }
+#endif
 #ifndef OPENSSL_NO_COMP
 else if (strcmp(*argv, "-zlib") == 0) {
 comp = COMP_ZLIB;
@@ -1512,6 +1537,13 @@ int main(int argc, char *argv[])
 }
 }
+#ifndef OPENSSL_NO_CT
+ if (!SSL_CTX_set_ct_validation_callback(c_ctx, ct_validation, NULL)) {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+#endif
+
 /* Process SSL_CONF arguments */
 SSL_CONF_CTX_set_ssl_ctx(c_cctx, c_ctx);
 SSL_CONF_CTX_set_ssl_ctx(s_cctx, s_ctx);
@@ -1586,15 +1618,18 @@ int main(int argc, char *argv[])
 if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) ||
 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
- (!SSL_CTX_set_default_ctlog_list_file(s_ctx)) ||
 (!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) ||
- (!SSL_CTX_set_default_verify_paths(c_ctx)) ||
- (!SSL_CTX_set_default_ctlog_list_file(c_ctx))) {
+ (!SSL_CTX_set_default_verify_paths(c_ctx))) {
 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
 ERR_print_errors(bio_err);
 /* goto end; */
 }
+ if (!SSL_CTX_set_default_ctlog_list_file(s_ctx) ||
+ !SSL_CTX_set_default_ctlog_list_file(c_ctx)) {
+ ERR_print_errors(bio_err);
+ }
+
 if (client_auth) {
 printf("client authentication\n");
 SSL_CTX_set_verify(s_ctx,
@@ -1684,9 +1719,10 @@ int main(int argc, char *argv[])
 #endif
 if (serverinfo_sct) {
- if (!SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE,
- NULL, NULL, NULL,
- serverinfo_cli_parse_cb, NULL)) {
+ if (!SSL_CTX_add_client_custom_ext(c_ctx,
+ TLSEXT_TYPE_signed_certificate_timestamp,
+ NULL, NULL, NULL,
+ serverinfo_cli_parse_cb, NULL)) {
 BIO_printf(bio_err, "Error adding SCT extension\n");
 goto end;
 }
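Review bot: The usage line added for `-noct` in sv_usage does not say that disabled CT validation is the default, although the declaration added in main initialises `ct_validation` to NULL for exactly that reason, so a reader of the help text cannot tell which of the three policies applies when none is given. Suggest `fprintf(stderr, " -noct - no certificate transparency (default)\n");`. The `-requestct` and `-requirect` lines would also be clearer if they named what each policy rejects — presumably any bad SCT versus the absence of at least one good SCT, judging by the callback names used when the options are parsed — but confirm the exact semantics against the ct.h documentation before wording it. sv_usage starts outside the hunk.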
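Review bot: Nothing in the new option branches rejects `-requestct` or `-requirect` combined with `-serverinfo_sct`, although the comment on the `ct_validation` declaration states that CT validation interferes with custom extension handlers for SCTs, and main later registers `serverinfo_cli_parse_cb` for `TLSEXT_TYPE_signed_certificate_timestamp` whenever `serverinfo_sct` is set. With both given, the run would exercise whichever of the two mechanisms the library happens to let win rather than failing loudly. After the argument loop, reject the combination with something like `if (ct_validation != NULL && serverinfo_sct) { BIO_printf(bio_err, "CT validation cannot be combined with -serverinfo_sct\n"); goto end; }`, placed under the same `#ifndef OPENSSL_NO_CT` guard. The argument loop that holds these branches starts and ends outside the hunk.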
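Review bot: In the hunk at line 1618, a failure to load the default CT log list is now only printed, so a run that asked for a CT policy proceeds with no known logs; under `-requestct` in particular, an SCT from a log the client has never heard of may well not count as "bad", so the run can pass without having validated anything. When a validation callback was requested the failure should be fatal, while the default `-noct` run can keep the current warn-and-continue behaviour. The new block is also the only CT-specific code in this commit that sits outside an `#ifndef OPENSSL_NO_CT` guard; unless `SSL_CTX_set_default_ctlog_list_file` is declared unconditionally, an OPENSSL_NO_CT build fails on it, and `ct_validation` itself is only declared under that guard. main starts and ends outside the hunk.

```c
#ifndef OPENSSL_NO_CT
    if (!SSL_CTX_set_default_ctlog_list_file(s_ctx) ||
        !SSL_CTX_set_default_ctlog_list_file(c_ctx)) {
        ERR_print_errors(bio_err);
        /* A run that asked for CT validation is meaningless without logs. */
        if (ct_validation != NULL)
            goto end;
    }
#endif
/* … unchanged: client_auth handling … */
```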