diff options
Diffstat (limited to 'ssl/ssltest.c')
-rw-r--r-- | ssl/ssltest.c | 77 |
1 files changed, 58 insertions, 19 deletions
diff --git a/ssl/ssltest.c b/ssl/ssltest.c index 4f80be8..0888956 100644 --- a/ssl/ssltest.c +++ b/ssl/ssltest.c @@ -345,7 +345,7 @@ static void sv_usage(void) #ifndef OPENSSL_NO_SSL2 fprintf(stderr," -ssl2 - use SSLv2\n"); #endif -#ifndef OPENSSL_NO_SSL3 +#ifndef OPENSSL_NO_SSL3_METHOD fprintf(stderr," -ssl3 - use SSLv3\n"); #endif #ifndef OPENSSL_NO_TLS1 @@ -368,7 +368,9 @@ static void sv_usage(void) " Use \"openssl ecparam -list_curves\" for all names\n" \ " (default is sect163r2).\n"); #endif - fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n"); + fprintf(stderr," -test_cipherlist - Verifies the order of the ssl cipher lists.\n" + " When this option is requested, the cipherlist\n" + " tests are run instead of handshake tests.\n"); } static void print_details(SSL *c_ssl, const char *prefix) @@ -549,6 +551,7 @@ int main(int argc, char *argv[]) #ifdef OPENSSL_FIPS int fips_mode=0; #endif + int no_protocol = 0; verbose = 0; debug = 0; @@ -658,11 +661,26 @@ int main(int argc, char *argv[]) } #endif else if (strcmp(*argv,"-ssl2") == 0) - ssl2=1; + { +#ifdef OPENSSL_NO_SSL2 + no_protocol = 1; +#endif + ssl2 = 1; + } else if (strcmp(*argv,"-tls1") == 0) - tls1=1; + { +#ifdef OPENSSL_NO_TLS1 + no_protocol = 1; +#endif + tls1 = 1; + } else if (strcmp(*argv,"-ssl3") == 0) - ssl3=1; + { +#ifdef OPENSSL_NO_SSL3_METHOD + no_protocol = 1; +#endif + ssl3 = 1; + } else if (strncmp(*argv,"-num",4) == 0) { if (--argc < 1) goto bad; @@ -781,15 +799,41 @@ bad: goto end; } + /* + * test_cipherlist prevails over protocol switch: we test the cipherlist + * for all enabled protocols. + */ if (test_cipherlist == 1) { /* ensure that the cipher list are correctly sorted and exit */ + fprintf(stdout, "Testing cipherlist order only. Ignoring all " + "other options.\n"); if (do_test_cipherlist() == 0) EXIT(1); ret = 0; goto end; } + if (ssl2 + ssl3 + tls1 > 1) + { + fprintf(stderr, "At most one of -ssl2, -ssl3, or -tls1 should " + "be requested.\n"); + EXIT(1); + } + + /* + * Testing was requested for a compiled-out protocol (e.g. SSLv2). + * Ideally, we would error out, but the generic test wrapper can't know + * when to expect failure. So we do nothing and return success. + */ + if (no_protocol) + { + fprintf(stderr, "Testing was requested for a disabled protocol. " + "Skipping tests.\n"); + ret = 0; + goto end; + } + if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force) { fprintf(stderr, "This case cannot work. Use -f to perform " @@ -868,30 +912,25 @@ bad: } #endif -#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) +/* At this point, ssl2/ssl3/tls1 is only set if the protocol is available. + * (Otherwise we exit early.) + * However the compiler doesn't know this, so we ifdef. */ +#ifndef OPENSSL_NO_SSL2 if (ssl2) meth=SSLv2_method(); - else - if (tls1) - meth=TLSv1_method(); else +#endif +#ifndef OPENSSL_NO_SSL3 if (ssl3) meth=SSLv3_method(); else - meth=SSLv23_method(); -#else -#ifdef OPENSSL_NO_SSL2 +#endif +#ifndef OPENSSL_NO_TLS1 if (tls1) meth=TLSv1_method(); else - if (ssl3) - meth=SSLv3_method(); - else - meth=SSLv23_method(); -#else - meth=SSLv2_method(); -#endif #endif + meth=SSLv23_method(); c_ctx=SSL_CTX_new(meth); s_ctx=SSL_CTX_new(meth); |