void checkVersion()
{
const char *header = OPENSSL_VERSION_TEXT;
unsigned long header_num = OPENSSL_VERSION_NUMBER;
const char *library = OpenSSL_version(OPENSSL_VERSION);
unsigned long library_num = OpenSSL_version_num();
// If this check fails, we have probably got a header/library mismatch
if (strcmp(header,library) != 0 || header_num != library_num) {
fprintf(stderr,"Version mismatch:\n");
fprintf(stderr,"Header: %lx: %s\n", header_num, header);
fprintf(stderr,"Library: %lx: %s\n", library_num, library);
abort();
}
}
void
print_version(void)
{
#ifdef OPENSSL_VERSION_NUMBER
printf("OPENSSL_VERSION_NUMBER: %#08lx\n", OPENSSL_VERSION_NUMBER);
#endif
#ifdef LIBRESSL_VERSION_NUMBER
printf("LIBRESSL_VERSION_NUMBER: %#08lx\n", LIBRESSL_VERSION_NUMBER);
#endif
#ifdef LIBRESSL_VERSION_TEXT
printf("LIBRESSL_VERSION_TEXT: %s\n", LIBRESSL_VERSION_TEXT);
#endif
#if OPENSSL_VERSION_NUMBER >= 0x1010000f
printf("OpenSSL_version_num: %#08lx\n", OpenSSL_version_num());
printf("OpenSSL_version OPENSSL_VERSION: %s\n",
OpenSSL_version(OPENSSL_VERSION));
printf("OpenSSL_version OPENSSL_CFLAGS: %s\n",
OpenSSL_version(OPENSSL_CFLAGS));
printf("OpenSSL_version OPENSSL_BUILT_ON: %s\n",
OpenSSL_version(OPENSSL_BUILT_ON));
printf("OpenSSL_version OPENSSL_PLATFORM: %s\n",
OpenSSL_version(OPENSSL_PLATFORM));
printf("OpenSSL_version OPENSSL_DIR: %s\n",
OpenSSL_version(OPENSSL_DIR));
printf("OpenSSL_version OPENSSL_ENGINES_DIR: %s\n",
OpenSSL_version(OPENSSL_ENGINES_DIR));
#endif
printf("SSLeay: %#08lx\n", SSLeay());
printf("SSLeay_version SSLEAY_VERSION: %s\n",
SSLeay_version(SSLEAY_VERSION));
printf("SSLeay_version SSLEAY_CFLAGS: %s\n",
SSLeay_version(SSLEAY_CFLAGS));
printf("SSLeay_version SSLEAY_BUILT_ON: %s\n",
SSLeay_version(SSLEAY_BUILT_ON));
printf("SSLeay_version SSLEAY_PLATFORM: %s\n",
SSLeay_version(SSLEAY_PLATFORM));
printf("SSLeay_version SSLEAY_DIR: %s\n",
SSLeay_version(SSLEAY_DIR));
}
int version_main(int argc, char **argv)
{
int ret = 1, dirty = 0, seed = 0;
int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0;
int engdir = 0;
char *prog;
OPTION_CHOICE o;
prog = opt_init(argc, argv, version_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
case OPT_EOF:
case OPT_ERR:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
opt_help(version_options);
ret = 0;
goto end;
case OPT_B:
dirty = date = 1;
break;
case OPT_D:
dirty = dir = 1;
break;
case OPT_E:
dirty = engdir = 1;
break;
case OPT_F:
dirty = cflags = 1;
break;
case OPT_O:
dirty = options = 1;
break;
case OPT_P:
dirty = platform = 1;
break;
case OPT_R:
dirty = seed = 1;
break;
case OPT_V:
dirty = version = 1;
break;
case OPT_A:
seed = cflags = version = date = platform = dir = engdir = 1;
break;
}
}
if (!dirty)
version = 1;
if (version) {
if (OpenSSL_version_num() == OPENSSL_VERSION_NUMBER)
printf("%s\n", OpenSSL_version(OPENSSL_VERSION));
else
printf("%s (Library: %s)\n",
OPENSSL_VERSION_TEXT, OpenSSL_version(OPENSSL_VERSION));
}
if (date)
printf("%s\n", OpenSSL_version(OPENSSL_BUILT_ON));
if (platform)
printf("%s\n", OpenSSL_version(OPENSSL_PLATFORM));
if (options) {
printf("options: ");
printf("%s ", BN_options());
#ifndef OPENSSL_NO_MD2
printf("%s ", MD2_options());
#endif
#ifndef OPENSSL_NO_RC4
printf("%s ", RC4_options());
#endif
#ifndef OPENSSL_NO_DES
printf("%s ", DES_options());
#endif
#ifndef OPENSSL_NO_IDEA
printf("%s ", IDEA_options());
#endif
#ifndef OPENSSL_NO_BF
printf("%s ", BF_options());
#endif
printf("\n");
}
if (cflags)
printf("%s\n", OpenSSL_version(OPENSSL_CFLAGS));
if (dir)
printf("%s\n", OpenSSL_version(OPENSSL_DIR));
if (engdir)
printf("%s\n", OpenSSL_version(OPENSSL_ENGINES_DIR));
if (seed) {
printf("Seeding source:");
#ifdef OPENSSL_RAND_SEED_RTDSC
printf(" rtdsc");
#endif
#ifdef OPENSSL_RAND_SEED_RDCPU
printf(" rdrand-hardware");
#endif
#ifdef OPENSSL_RAND_SEED_LIBRANDOM
printf(" C-library-random");
#endif
#ifdef OPENSSL_RAND_SEED_GETRANDOM
printf(" getrandom-syscall");
#endif
#ifdef OPENSSL_RAND_SEED_DEVRANDOM
printf(" random-device");
#endif
#ifdef OPENSSL_RAND_SEED_EGD
printf(" EGD");
#endif
#ifdef OPENSSL_RAND_SEED_NONE
printf(" none");
#endif
#ifdef OPENSSL_RAND_SEED_OS
printf(" os-specific");
#endif
printf("\n");
}
ret = 0;
end:
return (ret);
}
int version_main(int argc, char **argv)
{
int ret = 1, dirty = 0;
int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0;
char *prog;
OPTION_CHOICE o;
prog = opt_init(argc, argv, version_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
case OPT_EOF:
case OPT_ERR:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
opt_help(version_options);
ret = 0;
goto end;
case OPT_B:
dirty = date = 1;
break;
case OPT_D:
dirty = dir = 1;
break;
case OPT_F:
dirty = cflags = 1;
break;
case OPT_O:
dirty = options = 1;
break;
case OPT_P:
dirty = platform = 1;
break;
case OPT_V:
dirty = version = 1;
break;
case OPT_A:
cflags = version = date = platform = dir = 1;
break;
}
}
if (!dirty)
version = 1;
if (version) {
if (OpenSSL_version_num() == OPENSSL_VERSION_NUMBER) {
printf("%s\n", OpenSSL_version(OPENSSL_VERSION));
} else {
printf("%s (Library: %s)\n",
OPENSSL_VERSION_TEXT, OpenSSL_version(OPENSSL_VERSION));
}
}
if (date)
printf("%s\n", OpenSSL_version(OPENSSL_BUILT_ON));
if (platform)
printf("%s\n", OpenSSL_version(OPENSSL_PLATFORM));
if (options) {
printf("options: ");
printf("%s ", BN_options());
#ifndef OPENSSL_NO_MD2
printf("%s ", MD2_options());
#endif
#ifndef OPENSSL_NO_RC4
printf("%s ", RC4_options());
#endif
#ifndef OPENSSL_NO_DES
printf("%s ", DES_options());
#endif
#ifndef OPENSSL_NO_IDEA
printf("%s ", idea_options());
#endif
#ifndef OPENSSL_NO_BF
printf("%s ", BF_options());
#endif
printf("\n");
}
if (cflags)
printf("%s\n", OpenSSL_version(OPENSSL_CFLAGS));
if (dir)
printf("%s\n", OpenSSL_version(OPENSSL_DIR));
ret = 0;
end:
return (ret);
}
char *tls_serverid_digest(const TLS_CLIENT_START_PROPS *props, long protomask,
const char *ciphers)
{
EVP_MD_CTX *mdctx;
const EVP_MD *md;
const char *mdalg;
unsigned char md_buf[EVP_MAX_MD_SIZE];
unsigned int md_len;
int ok = 1;
int i;
long sslversion;
VSTRING *result;
/*
* Try to use sha256: our serverid choice should be strong enough to
* resist 2nd-preimage attacks with a difficulty comparable to that of
* DANE TLSA digests. Failing that, we compute serverid digests with the
* default digest, but DANE requires sha256 and sha512, so if we must
* fall back to our default digest, DANE support won't be available. We
* panic if the fallback algorithm is not available, as it was verified
* available in tls_client_init() and must not simply vanish.
*/
if ((md = EVP_get_digestbyname(mdalg = "sha256")) == 0
&& (md = EVP_get_digestbyname(mdalg = props->mdalg)) == 0)
msg_panic("digest algorithm \"%s\" not found", mdalg);
/* Salt the session lookup key with the OpenSSL runtime version. */
sslversion = OpenSSL_version_num();
mdctx = EVP_MD_CTX_create();
checkok(EVP_DigestInit_ex(mdctx, md, NULL));
digest_string(props->helo ? props->helo : "");
digest_object(&sslversion);
digest_object(&protomask);
digest_string(ciphers);
/*
* All we get from the session cache is a single bit telling us whether
* the certificate is trusted or not, but we need to know whether the
* trust is CA-based (in that case we must do name checks) or whether it
* is a direct end-point match. We mustn't confuse the two, so it is
* best to process only TA trust in the verify callback and check the EE
* trust after. This works since re-used sessions always have access to
* the leaf certificate, while only the original session has the leaf and
* the full trust chain.
*
* Only the trust anchor matchlist is hashed into the session key. The end
* entity certs are not used to determine whether a certificate is
* trusted or not, rather these are rechecked against the leaf cert
* outside the verification callback, each time a session is created or
* reused.
*
* Therefore, the security context of the session does not depend on the EE
* matching data, which is checked separately each time. So we exclude
* the EE part of the DANE structure from the serverid digest.
*
* If the security level is "dane", we send SNI information to the peer.
* This may cause it to respond with a non-default certificate. Since
* certificates for sessions with no or different SNI data may not match,
* we must include the SNI name in the session id.
*/
if (props->dane) {
digest_dane(props->dane, ta);
#if 0
digest_dane(props->dane, ee); /* See above */
#endif
digest_string(TLS_DANE_BASED(props->tls_level) ? props->host : "");
}
checkok(EVP_DigestFinal_ex(mdctx, md_buf, &md_len));
EVP_MD_CTX_destroy(mdctx);
if (!ok)
msg_fatal("error computing %s message digest", mdalg);
/* Check for OpenSSL contract violation */
if (md_len > EVP_MAX_MD_SIZE)
msg_panic("unexpectedly large %s digest size: %u", mdalg, md_len);
/*
* Append the digest to the serverid. We don't compare this digest to
* any user-specified fingerprints. Therefore, we don't need to use a
* colon-separated format, which saves space in the TLS session cache and
* makes logging of session cache lookup keys more readable.
*
* This does however duplicate a few lines of code from the digest encoder
* for colon-separated cert and pkey fingerprints. If that is a
* compelling reason to consolidate, we could use that and append the
* result.
*/
result = vstring_alloc(strlen(props->serverid) + 1 + 2 * md_len);
vstring_strcpy(result, props->serverid);
VSTRING_ADDCH(result, '&');
for (i = 0; i < md_len; i++) {
VSTRING_ADDCH(result, hexcodes[(md_buf[i] & 0xf0) >> 4U]);
VSTRING_ADDCH(result, hexcodes[(md_buf[i] & 0x0f)]);
}
VSTRING_TERMINATE(result);
return (vstring_export(result));
}
