Lines Matching +full:fips +full:- +full:provider +full:- +full:validation
2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
57 #include <openssl/provider.h>
124 *outlen = sizeof(NEXT_PROTO_STRING) - 2; in cb_client_npn()
132 *len = sizeof(NEXT_PROTO_STRING) - 1; in cb_server_npn()
168 if (client_len && (client_len != sizeof(NEXT_PROTO_STRING) - 2 || in verify_npn()
170 return -1; in verify_npn()
171 if (server_len && (server_len != sizeof(NEXT_PROTO_STRING) - 2 || in verify_npn()
173 return -1; in verify_npn()
176 return -1; in verify_npn()
178 return -1; in verify_npn()
180 return -1; in verify_npn()
182 return -1; in verify_npn()
243 return -1; in verify_servername()
247 /*-
272 if (i - start > 255) { in next_protos_parse()
276 out[start] = (unsigned char)(i - start); in next_protos_parse()
377 return -1; in verify_alpn()
426 return -1; in verify_serverinfo()
428 return -1; in verify_serverinfo()
430 return -1; in verify_serverinfo()
434 /*-
436 * 0 - no ClientHello extension or ServerHello response
437 * 1 - ClientHello with "abc", no response
438 * 2 - ClientHello with "abc", empty response
439 * 3 - ClientHello with "abc", "defg" response
523 * custom_ext_0_cli_add_cb returns 0 - the server won't receive a callback
626 fprintf(stderr, " -server_auth - check server certificate\n"); in sv_usage()
627 fprintf(stderr, " -client_auth - do client authentication\n"); in sv_usage()
628 fprintf(stderr, " -v - more output\n"); in sv_usage()
629 fprintf(stderr, " -d - debug output\n"); in sv_usage()
630 fprintf(stderr, " -reuse - use session-id reuse\n"); in sv_usage()
631 fprintf(stderr, " -num <val> - number of connections to perform\n"); in sv_usage()
633 " -bytes <val> - number of bytes to swap between client/server\n"); in sv_usage()
636 " -dhe512 - use 512 bit key for DHE (to test failure)\n"); in sv_usage()
638 " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n"); in sv_usage()
640 " -dhe2048 - use 2048 bit key (safe prime) for DHE (default, no-op)\n"); in sv_usage()
642 " -dhe4096 - use 4096 bit key (safe prime) for DHE\n"); in sv_usage()
644 fprintf(stderr, " -no_dhe - disable DHE\n"); in sv_usage()
646 fprintf(stderr, " -no_ecdhe - disable ECDHE\n"); in sv_usage()
649 fprintf(stderr, " -psk arg - PSK in hex (without 0x)\n"); in sv_usage()
652 fprintf(stderr, " -ssl3 - use SSLv3\n"); in sv_usage()
655 fprintf(stderr, " -tls1 - use TLSv1\n"); in sv_usage()
658 fprintf(stderr, " -tls1_1 - use TLSv1.1\n"); in sv_usage()
661 fprintf(stderr, " -tls1_2 - use TLSv1.2\n"); in sv_usage()
664 fprintf(stderr, " -dtls - use DTLS\n"); in sv_usage()
666 fprintf(stderr, " -dtls1 - use DTLSv1\n"); in sv_usage()
669 fprintf(stderr, " -dtls12 - use DTLSv1.2\n"); in sv_usage()
672 fprintf(stderr, " -CApath arg - PEM format directory of CA's\n"); in sv_usage()
673 fprintf(stderr, " -CAfile arg - PEM format file of CA's\n"); in sv_usage()
674 fprintf(stderr, " -s_cert arg - Server certificate file\n"); in sv_usage()
676 " -s_key arg - Server key file (default: same as -cert)\n"); in sv_usage()
677 fprintf(stderr, " -c_cert arg - Client certificate file\n"); in sv_usage()
679 " -c_key arg - Client key file (default: same as -c_cert)\n"); in sv_usage()
680 fprintf(stderr, " -cipher arg - The TLSv1.2 and below cipher list\n"); in sv_usage()
681 fprintf(stderr, " -ciphersuites arg - The TLSv1.3 ciphersuites\n"); in sv_usage()
682 fprintf(stderr, " -bio_pair - Use BIO pairs\n"); in sv_usage()
683 fprintf(stderr, " -ipv4 - Use IPv4 connection on localhost\n"); in sv_usage()
684 fprintf(stderr, " -ipv6 - Use IPv6 connection on localhost\n"); in sv_usage()
685 fprintf(stderr, " -f - Test even cases that can't work\n"); in sv_usage()
687 " -time - measure processor time used by client and server\n"); in sv_usage()
688 fprintf(stderr, " -zlib - use zlib compression\n"); in sv_usage()
690 fprintf(stderr, " -npn_client - have client side offer NPN\n"); in sv_usage()
691 fprintf(stderr, " -npn_server - have server side offer NPN\n"); in sv_usage()
692 fprintf(stderr, " -npn_server_reject - have server reject NPN\n"); in sv_usage()
694 fprintf(stderr, " -serverinfo_file file - have server use this file\n"); in sv_usage()
695 fprintf(stderr, " -serverinfo_sct - have client offer and expect SCT\n"); in sv_usage()
697 " -serverinfo_tack - have client offer and expect TACK\n"); in sv_usage()
699 " -custom_ext - try various custom extension callbacks\n"); in sv_usage()
700 fprintf(stderr, " -alpn_client <string> - have client side offer ALPN\n"); in sv_usage()
701 fprintf(stderr, " -alpn_server <string> - have server side offer ALPN\n"); in sv_usage()
702 fprintf(stderr, " -alpn_server1 <string> - alias for -alpn_server\n"); in sv_usage()
703 fprintf(stderr, " -alpn_server2 <string> - have server side context 2 offer ALPN\n"); in sv_usage()
705 " -alpn_expected <string> - the ALPN protocol that should be negotiated\n"); in sv_usage()
706 fprintf(stderr, " -server_min_proto <string> - Minimum version the server should support\n"); in sv_usage()
707 fprintf(stderr, " -server_max_proto <string> - Maximum version the server should support\n"); in sv_usage()
708 fprintf(stderr, " -client_min_proto <string> - Minimum version the client should support\n"); in sv_usage()
709 fprintf(stderr, " -client_max_proto <string> - Maximum version the client should support\n"); in sv_usage()
710 …fprintf(stderr, " -should_negotiate <string> - The version that should be negotiated, fail-client … in sv_usage()
712 fprintf(stderr, " -noct - no certificate transparency\n"); in sv_usage()
713 fprintf(stderr, " -requestct - request certificate transparency\n"); in sv_usage()
714 fprintf(stderr, " -requirect - require certificate transparency\n"); in sv_usage()
716 fprintf(stderr, " -sn_client <string> - have client request this servername\n"); in sv_usage()
717 fprintf(stderr, " -sn_server1 <string> - have server context 1 respond to this servername\n"); in sv_usage()
718 fprintf(stderr, " -sn_server2 <string> - have server context 2 respond to this servername\n"); in sv_usage()
719 fprintf(stderr, " -sn_expect1 - expected server 1\n"); in sv_usage()
720 fprintf(stderr, " -sn_expect2 - expected server 2\n"); in sv_usage()
721 fprintf(stderr, " -server_sess_out <file> - Save the server session to a file\n"); in sv_usage()
722 fprintf(stderr, " -server_sess_in <file> - Read the server session from a file\n"); in sv_usage()
723 fprintf(stderr, " -client_sess_out <file> - Save the client session to a file\n"); in sv_usage()
724 fprintf(stderr, " -client_sess_in <file> - Read the client session from a file\n"); in sv_usage()
725 fprintf(stderr, " -should_reuse <number> - The expected state of reusing the session\n"); in sv_usage()
726 fprintf(stderr, " -no_ticket - do not issue TLS session ticket\n"); in sv_usage()
727 fprintf(stderr, " -client_ktls - try to enable client KTLS\n"); in sv_usage()
728 fprintf(stderr, " -server_ktls - try to enable server KTLS\n"); in sv_usage()
729 fprintf(stderr, " -provider <name> - Load the given provider into the library context\n"); in sv_usage()
730 fprintf(stderr, " -config <cnf> - Load the given config file into the library context\n"); in sv_usage()
799 * protocol_from_string - converts a protocol version string to a number
801 * Returns -1 on failure or the version on success
823 return -1; in protocol_from_string()
866 * set_protocol_version - Sets protocol version minimum or maximum
899 int should_reuse = -1; in main()
920 * Disable CT validation by default, because it will interfere with in main()
928 const char *provider = NULL, *config = NULL; in main() local
955 if (!SSL_CONF_CTX_set1_prefix(s_cctx, "-s_")) { in main()
959 if (!SSL_CONF_CTX_set1_prefix(s_cctx2, "-s_")) { in main()
968 if (!SSL_CONF_CTX_set1_prefix(c_cctx, "-c_")) { in main()
973 argc--; in main()
977 if (strcmp(*argv, "-F") == 0) { in main()
979 "not compiled with FIPS support, so exiting without running.\n"); in main()
981 } else if (strcmp(*argv, "-server_auth") == 0) in main()
983 else if (strcmp(*argv, "-client_auth") == 0) in main()
985 else if (strcmp(*argv, "-v") == 0) in main()
987 else if (strcmp(*argv, "-d") == 0) in main()
989 else if (strcmp(*argv, "-reuse") == 0) in main()
991 else if (strcmp(*argv, "-no_dhe") == 0) in main()
996 else if (strcmp(*argv, "-dhe512") == 0) in main()
998 else if (strcmp(*argv, "-dhe1024dsa") == 0) in main()
1000 else if (strcmp(*argv, "-dhe4096") == 0) in main()
1003 else if (strcmp(*argv, "-no_ecdhe") == 0) in main()
1005 else if (strcmp(*argv, "-psk") == 0) { in main()
1006 if (--argc < 1) in main()
1018 else if (strcmp(*argv, "-tls1_2") == 0) { in main()
1020 } else if (strcmp(*argv, "-tls1_1") == 0) { in main()
1022 } else if (strcmp(*argv, "-tls1") == 0) { in main()
1024 } else if (strcmp(*argv, "-ssl3") == 0) { in main()
1026 } else if (strcmp(*argv, "-dtls1") == 0) { in main()
1028 } else if (strcmp(*argv, "-dtls12") == 0) { in main()
1030 } else if (strcmp(*argv, "-dtls") == 0) { in main()
1032 } else if (strncmp(*argv, "-num", 4) == 0) { in main()
1033 if (--argc < 1) in main()
1038 } else if (strcmp(*argv, "-bytes") == 0) { in main()
1039 if (--argc < 1) in main()
1045 if (argv[0][i - 1] == 'k') in main()
1047 if (argv[0][i - 1] == 'm') in main()
1049 } else if (strcmp(*argv, "-cipher") == 0) { in main()
1050 if (--argc < 1) in main()
1053 } else if (strcmp(*argv, "-ciphersuites") == 0) { in main()
1054 if (--argc < 1) in main()
1057 } else if (strcmp(*argv, "-CApath") == 0) { in main()
1058 if (--argc < 1) in main()
1061 } else if (strcmp(*argv, "-CAfile") == 0) { in main()
1062 if (--argc < 1) in main()
1065 } else if (strcmp(*argv, "-bio_pair") == 0) { in main()
1069 else if (strcmp(*argv, "-ipv4") == 0) { in main()
1071 } else if (strcmp(*argv, "-ipv6") == 0) { in main()
1075 else if (strcmp(*argv, "-f") == 0) { in main()
1077 } else if (strcmp(*argv, "-time") == 0) { in main()
1081 else if (strcmp(*argv, "-noct") == 0) { in main()
1084 else if (strcmp(*argv, "-ct") == 0) { in main()
1089 else if (strcmp(*argv, "-zlib") == 0) { in main()
1093 else if (strcmp(*argv, "-app_verify") == 0) { in main()
1097 else if (strcmp(*argv, "-npn_client") == 0) { in main()
1099 } else if (strcmp(*argv, "-npn_server") == 0) { in main()
1101 } else if (strcmp(*argv, "-npn_server_reject") == 0) { in main()
1105 else if (strcmp(*argv, "-serverinfo_sct") == 0) { in main()
1107 } else if (strcmp(*argv, "-serverinfo_tack") == 0) { in main()
1109 } else if (strcmp(*argv, "-serverinfo_file") == 0) { in main()
1110 if (--argc < 1) in main()
1113 } else if (strcmp(*argv, "-custom_ext") == 0) { in main()
1115 } else if (strcmp(*argv, "-alpn_client") == 0) { in main()
1116 if (--argc < 1) in main()
1119 } else if (strcmp(*argv, "-alpn_server") == 0 || in main()
1120 strcmp(*argv, "-alpn_server1") == 0) { in main()
1121 if (--argc < 1) in main()
1124 } else if (strcmp(*argv, "-alpn_server2") == 0) { in main()
1125 if (--argc < 1) in main()
1128 } else if (strcmp(*argv, "-alpn_expected") == 0) { in main()
1129 if (--argc < 1) in main()
1132 } else if (strcmp(*argv, "-server_min_proto") == 0) { in main()
1133 if (--argc < 1) in main()
1136 } else if (strcmp(*argv, "-server_max_proto") == 0) { in main()
1137 if (--argc < 1) in main()
1140 } else if (strcmp(*argv, "-client_min_proto") == 0) { in main()
1141 if (--argc < 1) in main()
1144 } else if (strcmp(*argv, "-client_max_proto") == 0) { in main()
1145 if (--argc < 1) in main()
1148 } else if (strcmp(*argv, "-should_negotiate") == 0) { in main()
1149 if (--argc < 1) in main()
1152 } else if (strcmp(*argv, "-sn_client") == 0) { in main()
1153 if (--argc < 1) in main()
1156 } else if (strcmp(*argv, "-sn_server1") == 0) { in main()
1157 if (--argc < 1) in main()
1160 } else if (strcmp(*argv, "-sn_server2") == 0) { in main()
1161 if (--argc < 1) in main()
1164 } else if (strcmp(*argv, "-sn_expect1") == 0) { in main()
1166 } else if (strcmp(*argv, "-sn_expect2") == 0) { in main()
1168 } else if (strcmp(*argv, "-server_sess_out") == 0) { in main()
1169 if (--argc < 1) in main()
1172 } else if (strcmp(*argv, "-server_sess_in") == 0) { in main()
1173 if (--argc < 1) in main()
1176 } else if (strcmp(*argv, "-client_sess_out") == 0) { in main()
1177 if (--argc < 1) in main()
1180 } else if (strcmp(*argv, "-client_sess_in") == 0) { in main()
1181 if (--argc < 1) in main()
1184 } else if (strcmp(*argv, "-should_reuse") == 0) { in main()
1185 if (--argc < 1) in main()
1188 } else if (strcmp(*argv, "-no_ticket") == 0) { in main()
1190 } else if (strcmp(*argv, "-client_ktls") == 0) { in main()
1192 } else if (strcmp(*argv, "-server_ktls") == 0) { in main()
1194 } else if (strcmp(*argv, "-provider") == 0) { in main()
1195 if (--argc < 1) in main()
1197 provider = *(++argv); in main()
1198 } else if (strcmp(*argv, "-config") == 0) { in main()
1199 if (--argc < 1) in main()
1226 if (rv == -3) in main()
1235 argc--; in main()
1245 … fprintf(stderr, "At most one of -ssl3, -tls1, -tls1_1, -tls1_2, -dtls, -dtls1 or -dtls12 should " in main()
1283 * Testing was requested for a compiled-out protocol (e.g. SSLv3). in main()
1296 fprintf(stderr, "This case cannot work. Use -f to perform " in main()
1297 "the test anyway (and\n-d to see what happens), " in main()
1298 "or add one of -ssl3, -tls1, -tls1_1, -tls1_2, -dtls, -dtls1, -dtls12, -reuse\n" in main()
1305 fprintf(stderr, "Using BIO pair (-bio_pair)\n"); in main()
1310 "Warning: For accurate timings, use more connections (e.g. -num 1000)\n"); in main()
1359 /* We only have ec and dh based built-in groups for TLSv1.3 */ in main()
1382 if (provider != NULL in main()
1383 && !test_get_libctx(&libctx, &defctxnull, config, &thisprov, provider)) in main()
1493 if (rv == -2) { in main()
1619 "Can't have both -npn_server and -npn_server_reject\n"); in main()
1719 BIO_printf(bio_err, "Error parsing -alpn_client argument\n"); in main()
1827 strcmp(should_negotiate, "fail-server") != 0 && in main()
1828 strcmp(should_negotiate, "fail-client") != 0) { in main()
1843 if (should_reuse != -1) { in main()
1875 * CLOCKS_PER_SEC." -- ISO/IEC 9899 in main()
1992 /*- in doit_localhost()
2004 * We have non-blocking behaviour throughout this test program, but in doit_localhost()
2006 * don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE -- in doit_localhost()
2021 printf("client waiting in SSL_connect - %s\n", in doit_localhost()
2050 cw_num -= r; in doit_localhost()
2073 cr_num -= r; in doit_localhost()
2082 * -- if each connection lasts for exactly one clock tick, it in doit_localhost()
2086 *c_time += (clock() - c_clock); in doit_localhost()
2100 printf("server waiting in SSL_accept - %s\n", in doit_localhost()
2124 sw_num -= r; in doit_localhost()
2145 sr_num -= r; in doit_localhost()
2149 *s_time += (clock() - s_clock); in doit_localhost()
2204 if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0) in doit_localhost()
2206 else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0) in doit_localhost()
2247 /*- in doit_biopair()
2250 * client: pseudo-I/O for SSL library in doit_biopair()
2258 * server: pseudo-I/O for SSL library in doit_biopair()
2265 * to a non-blocking socketpair (but both endpoints must in doit_biopair()
2283 * We have non-blocking behaviour throughout this test program, but in doit_biopair()
2285 * don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE -- in doit_biopair()
2300 printf("client waiting in SSL_connect - %s\n", in doit_biopair()
2329 cw_num -= r; in doit_biopair()
2352 cr_num -= r; in doit_biopair()
2361 * -- if each connection lasts for exactly one clock tick, it in doit_biopair()
2365 *c_time += (clock() - c_clock); in doit_biopair()
2379 printf("server waiting in SSL_accept - %s\n", in doit_biopair()
2403 sw_num -= r; in doit_biopair()
2424 sr_num -= r; in doit_biopair()
2428 *s_time += (clock() - s_clock); in doit_biopair()
2437 * we use the non-copying interface for io1 and the standard in doit_biopair()
2465 * possibly r < num (non-contiguous data) in doit_biopair()
2478 "C->S relaying: %d bytes\n" : in doit_biopair()
2479 "S->C relaying: %d bytes\n", (int)num); in doit_biopair()
2506 --num; /* test restartability even more thoroughly */ in doit_biopair()
2528 "C->S relaying: %d bytes\n" : in doit_biopair()
2529 "S->C relaying: %d bytes\n", (int)num); in doit_biopair()
2579 if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0) in doit_biopair()
2581 else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0) in doit_biopair()
2685 printf("server waiting in SSL_accept - %s\n", in doit()
2691 printf("client waiting in SSL_connect - %s\n", in doit()
2727 cw_num -= i; in doit()
2729 SSL_set_max_send_fragment(c_ssl, max_frag -= 5); in doit()
2753 cr_num -= i; in doit()
2792 sr_num -= i; in doit()
2828 sw_num -= i; in doit()
2834 SSL_set_max_send_fragment(s_ssl, max_frag -= 5); in doit()
2866 if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0) in doit()
2868 else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0) in doit()
2914 if (cb_arg->app_verify) { in app_verify_callback()
2919 printf("Arg is: %s\n", cb_arg->string); in app_verify_callback()