void checkVersion() { const char *header = OPENSSL_VERSION_TEXT; unsigned long header_num = OPENSSL_VERSION_NUMBER; const char *library = OpenSSL_version(OPENSSL_VERSION); unsigned long library_num = OpenSSL_version_num(); // If this check fails, we have probably got a header/library mismatch if (strcmp(header,library) != 0 || header_num != library_num) { fprintf(stderr,"Version mismatch:\n"); fprintf(stderr,"Header: %lx: %s\n", header_num, header); fprintf(stderr,"Library: %lx: %s\n", library_num, library); abort(); } }
void print_version(void) { #ifdef OPENSSL_VERSION_NUMBER printf("OPENSSL_VERSION_NUMBER: %#08lx\n", OPENSSL_VERSION_NUMBER); #endif #ifdef LIBRESSL_VERSION_NUMBER printf("LIBRESSL_VERSION_NUMBER: %#08lx\n", LIBRESSL_VERSION_NUMBER); #endif #ifdef LIBRESSL_VERSION_TEXT printf("LIBRESSL_VERSION_TEXT: %s\n", LIBRESSL_VERSION_TEXT); #endif #if OPENSSL_VERSION_NUMBER >= 0x1010000f printf("OpenSSL_version_num: %#08lx\n", OpenSSL_version_num()); printf("OpenSSL_version OPENSSL_VERSION: %s\n", OpenSSL_version(OPENSSL_VERSION)); printf("OpenSSL_version OPENSSL_CFLAGS: %s\n", OpenSSL_version(OPENSSL_CFLAGS)); printf("OpenSSL_version OPENSSL_BUILT_ON: %s\n", OpenSSL_version(OPENSSL_BUILT_ON)); printf("OpenSSL_version OPENSSL_PLATFORM: %s\n", OpenSSL_version(OPENSSL_PLATFORM)); printf("OpenSSL_version OPENSSL_DIR: %s\n", OpenSSL_version(OPENSSL_DIR)); printf("OpenSSL_version OPENSSL_ENGINES_DIR: %s\n", OpenSSL_version(OPENSSL_ENGINES_DIR)); #endif printf("SSLeay: %#08lx\n", SSLeay()); printf("SSLeay_version SSLEAY_VERSION: %s\n", SSLeay_version(SSLEAY_VERSION)); printf("SSLeay_version SSLEAY_CFLAGS: %s\n", SSLeay_version(SSLEAY_CFLAGS)); printf("SSLeay_version SSLEAY_BUILT_ON: %s\n", SSLeay_version(SSLEAY_BUILT_ON)); printf("SSLeay_version SSLEAY_PLATFORM: %s\n", SSLeay_version(SSLEAY_PLATFORM)); printf("SSLeay_version SSLEAY_DIR: %s\n", SSLeay_version(SSLEAY_DIR)); }
int version_main(int argc, char **argv) { int ret = 1, dirty = 0, seed = 0; int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0; int engdir = 0; char *prog; OPTION_CHOICE o; prog = opt_init(argc, argv, version_options); while ((o = opt_next()) != OPT_EOF) { switch (o) { case OPT_EOF: case OPT_ERR: BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); goto end; case OPT_HELP: opt_help(version_options); ret = 0; goto end; case OPT_B: dirty = date = 1; break; case OPT_D: dirty = dir = 1; break; case OPT_E: dirty = engdir = 1; break; case OPT_F: dirty = cflags = 1; break; case OPT_O: dirty = options = 1; break; case OPT_P: dirty = platform = 1; break; case OPT_R: dirty = seed = 1; break; case OPT_V: dirty = version = 1; break; case OPT_A: seed = cflags = version = date = platform = dir = engdir = 1; break; } } if (!dirty) version = 1; if (version) { if (OpenSSL_version_num() == OPENSSL_VERSION_NUMBER) printf("%s\n", OpenSSL_version(OPENSSL_VERSION)); else printf("%s (Library: %s)\n", OPENSSL_VERSION_TEXT, OpenSSL_version(OPENSSL_VERSION)); } if (date) printf("%s\n", OpenSSL_version(OPENSSL_BUILT_ON)); if (platform) printf("%s\n", OpenSSL_version(OPENSSL_PLATFORM)); if (options) { printf("options: "); printf("%s ", BN_options()); #ifndef OPENSSL_NO_MD2 printf("%s ", MD2_options()); #endif #ifndef OPENSSL_NO_RC4 printf("%s ", RC4_options()); #endif #ifndef OPENSSL_NO_DES printf("%s ", DES_options()); #endif #ifndef OPENSSL_NO_IDEA printf("%s ", IDEA_options()); #endif #ifndef OPENSSL_NO_BF printf("%s ", BF_options()); #endif printf("\n"); } if (cflags) printf("%s\n", OpenSSL_version(OPENSSL_CFLAGS)); if (dir) printf("%s\n", OpenSSL_version(OPENSSL_DIR)); if (engdir) printf("%s\n", OpenSSL_version(OPENSSL_ENGINES_DIR)); if (seed) { printf("Seeding source:"); #ifdef OPENSSL_RAND_SEED_RTDSC printf(" rtdsc"); #endif #ifdef OPENSSL_RAND_SEED_RDCPU printf(" rdrand-hardware"); #endif #ifdef OPENSSL_RAND_SEED_LIBRANDOM printf(" C-library-random"); #endif #ifdef OPENSSL_RAND_SEED_GETRANDOM printf(" getrandom-syscall"); #endif #ifdef OPENSSL_RAND_SEED_DEVRANDOM printf(" random-device"); #endif #ifdef OPENSSL_RAND_SEED_EGD printf(" EGD"); #endif #ifdef OPENSSL_RAND_SEED_NONE printf(" none"); #endif #ifdef OPENSSL_RAND_SEED_OS printf(" os-specific"); #endif printf("\n"); } ret = 0; end: return (ret); }
int version_main(int argc, char **argv) { int ret = 1, dirty = 0; int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0; char *prog; OPTION_CHOICE o; prog = opt_init(argc, argv, version_options); while ((o = opt_next()) != OPT_EOF) { switch (o) { case OPT_EOF: case OPT_ERR: BIO_printf(bio_err, "%s: Use -help for summary.\n", prog); goto end; case OPT_HELP: opt_help(version_options); ret = 0; goto end; case OPT_B: dirty = date = 1; break; case OPT_D: dirty = dir = 1; break; case OPT_F: dirty = cflags = 1; break; case OPT_O: dirty = options = 1; break; case OPT_P: dirty = platform = 1; break; case OPT_V: dirty = version = 1; break; case OPT_A: cflags = version = date = platform = dir = 1; break; } } if (!dirty) version = 1; if (version) { if (OpenSSL_version_num() == OPENSSL_VERSION_NUMBER) { printf("%s\n", OpenSSL_version(OPENSSL_VERSION)); } else { printf("%s (Library: %s)\n", OPENSSL_VERSION_TEXT, OpenSSL_version(OPENSSL_VERSION)); } } if (date) printf("%s\n", OpenSSL_version(OPENSSL_BUILT_ON)); if (platform) printf("%s\n", OpenSSL_version(OPENSSL_PLATFORM)); if (options) { printf("options: "); printf("%s ", BN_options()); #ifndef OPENSSL_NO_MD2 printf("%s ", MD2_options()); #endif #ifndef OPENSSL_NO_RC4 printf("%s ", RC4_options()); #endif #ifndef OPENSSL_NO_DES printf("%s ", DES_options()); #endif #ifndef OPENSSL_NO_IDEA printf("%s ", idea_options()); #endif #ifndef OPENSSL_NO_BF printf("%s ", BF_options()); #endif printf("\n"); } if (cflags) printf("%s\n", OpenSSL_version(OPENSSL_CFLAGS)); if (dir) printf("%s\n", OpenSSL_version(OPENSSL_DIR)); ret = 0; end: return (ret); }
char *tls_serverid_digest(const TLS_CLIENT_START_PROPS *props, long protomask, const char *ciphers) { EVP_MD_CTX *mdctx; const EVP_MD *md; const char *mdalg; unsigned char md_buf[EVP_MAX_MD_SIZE]; unsigned int md_len; int ok = 1; int i; long sslversion; VSTRING *result; /* * Try to use sha256: our serverid choice should be strong enough to * resist 2nd-preimage attacks with a difficulty comparable to that of * DANE TLSA digests. Failing that, we compute serverid digests with the * default digest, but DANE requires sha256 and sha512, so if we must * fall back to our default digest, DANE support won't be available. We * panic if the fallback algorithm is not available, as it was verified * available in tls_client_init() and must not simply vanish. */ if ((md = EVP_get_digestbyname(mdalg = "sha256")) == 0 && (md = EVP_get_digestbyname(mdalg = props->mdalg)) == 0) msg_panic("digest algorithm \"%s\" not found", mdalg); /* Salt the session lookup key with the OpenSSL runtime version. */ sslversion = OpenSSL_version_num(); mdctx = EVP_MD_CTX_create(); checkok(EVP_DigestInit_ex(mdctx, md, NULL)); digest_string(props->helo ? props->helo : ""); digest_object(&sslversion); digest_object(&protomask); digest_string(ciphers); /* * All we get from the session cache is a single bit telling us whether * the certificate is trusted or not, but we need to know whether the * trust is CA-based (in that case we must do name checks) or whether it * is a direct end-point match. We mustn't confuse the two, so it is * best to process only TA trust in the verify callback and check the EE * trust after. This works since re-used sessions always have access to * the leaf certificate, while only the original session has the leaf and * the full trust chain. * * Only the trust anchor matchlist is hashed into the session key. The end * entity certs are not used to determine whether a certificate is * trusted or not, rather these are rechecked against the leaf cert * outside the verification callback, each time a session is created or * reused. * * Therefore, the security context of the session does not depend on the EE * matching data, which is checked separately each time. So we exclude * the EE part of the DANE structure from the serverid digest. * * If the security level is "dane", we send SNI information to the peer. * This may cause it to respond with a non-default certificate. Since * certificates for sessions with no or different SNI data may not match, * we must include the SNI name in the session id. */ if (props->dane) { digest_dane(props->dane, ta); #if 0 digest_dane(props->dane, ee); /* See above */ #endif digest_string(TLS_DANE_BASED(props->tls_level) ? props->host : ""); } checkok(EVP_DigestFinal_ex(mdctx, md_buf, &md_len)); EVP_MD_CTX_destroy(mdctx); if (!ok) msg_fatal("error computing %s message digest", mdalg); /* Check for OpenSSL contract violation */ if (md_len > EVP_MAX_MD_SIZE) msg_panic("unexpectedly large %s digest size: %u", mdalg, md_len); /* * Append the digest to the serverid. We don't compare this digest to * any user-specified fingerprints. Therefore, we don't need to use a * colon-separated format, which saves space in the TLS session cache and * makes logging of session cache lookup keys more readable. * * This does however duplicate a few lines of code from the digest encoder * for colon-separated cert and pkey fingerprints. If that is a * compelling reason to consolidate, we could use that and append the * result. */ result = vstring_alloc(strlen(props->serverid) + 1 + 2 * md_len); vstring_strcpy(result, props->serverid); VSTRING_ADDCH(result, '&'); for (i = 0; i < md_len; i++) { VSTRING_ADDCH(result, hexcodes[(md_buf[i] & 0xf0) >> 4U]); VSTRING_ADDCH(result, hexcodes[(md_buf[i] & 0x0f)]); } VSTRING_TERMINATE(result); return (vstring_export(result)); }