/*
* Configure callbacks and other properties that can't be set directly
* in the server/client CONF.
*/
static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
SSL_CTX *client_ctx,
const SSL_TEST_CTX *test_ctx,
CTX_DATA *server_ctx_data,
CTX_DATA *server2_ctx_data,
CTX_DATA *client_ctx_data)
{
unsigned char *ticket_keys;
size_t ticket_key_len;
switch (test_ctx->client_verify_callback) {
case SSL_TEST_VERIFY_ACCEPT_ALL:
SSL_CTX_set_cert_verify_callback(client_ctx, &verify_accept_cb,
NULL);
break;
case SSL_TEST_VERIFY_REJECT_ALL:
SSL_CTX_set_cert_verify_callback(client_ctx, &verify_reject_cb,
NULL);
break;
default:
break;
}
/* link the two contexts for SNI purposes */
switch (test_ctx->servername_callback) {
case SSL_TEST_SERVERNAME_IGNORE_MISMATCH:
SSL_CTX_set_tlsext_servername_callback(server_ctx, servername_ignore_cb);
SSL_CTX_set_tlsext_servername_arg(server_ctx, server2_ctx);
break;
case SSL_TEST_SERVERNAME_REJECT_MISMATCH:
SSL_CTX_set_tlsext_servername_callback(server_ctx, servername_reject_cb);
SSL_CTX_set_tlsext_servername_arg(server_ctx, server2_ctx);
break;
default:
break;
}
/*
* The initial_ctx/session_ctx always handles the encrypt/decrypt of the
* session ticket. This ticket_key callback is assigned to the second
* session (assigned via SNI), and should never be invoked
*/
if (server2_ctx != NULL)
SSL_CTX_set_tlsext_ticket_key_cb(server2_ctx,
do_not_call_session_ticket_cb);
if (test_ctx->session_ticket_expected == SSL_TEST_SESSION_TICKET_BROKEN) {
SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, broken_session_ticket_cb);
}
if (test_ctx->server_npn_protocols != NULL) {
parse_protos(test_ctx->server_npn_protocols,
&server_ctx_data->npn_protocols,
&server_ctx_data->npn_protocols_len);
SSL_CTX_set_next_protos_advertised_cb(server_ctx, server_npn_cb,
server_ctx_data);
}
if (test_ctx->server2_npn_protocols != NULL) {
parse_protos(test_ctx->server2_npn_protocols,
&server2_ctx_data->npn_protocols,
&server2_ctx_data->npn_protocols_len);
OPENSSL_assert(server2_ctx != NULL);
SSL_CTX_set_next_protos_advertised_cb(server2_ctx, server_npn_cb,
server2_ctx_data);
}
if (test_ctx->client_npn_protocols != NULL) {
parse_protos(test_ctx->client_npn_protocols,
&client_ctx_data->npn_protocols,
&client_ctx_data->npn_protocols_len);
SSL_CTX_set_next_proto_select_cb(client_ctx, client_npn_cb,
client_ctx_data);
}
if (test_ctx->server_alpn_protocols != NULL) {
parse_protos(test_ctx->server_alpn_protocols,
&server_ctx_data->alpn_protocols,
&server_ctx_data->alpn_protocols_len);
SSL_CTX_set_alpn_select_cb(server_ctx, server_alpn_cb, server_ctx_data);
}
if (test_ctx->server2_alpn_protocols != NULL) {
OPENSSL_assert(server2_ctx != NULL);
parse_protos(test_ctx->server2_alpn_protocols,
&server2_ctx_data->alpn_protocols,
&server2_ctx_data->alpn_protocols_len);
SSL_CTX_set_alpn_select_cb(server2_ctx, server_alpn_cb, server2_ctx_data);
}
if (test_ctx->client_alpn_protocols != NULL) {
unsigned char *alpn_protos = NULL;
size_t alpn_protos_len;
parse_protos(test_ctx->client_alpn_protocols,
&alpn_protos, &alpn_protos_len);
/* Reversed return value convention... */
OPENSSL_assert(SSL_CTX_set_alpn_protos(client_ctx, alpn_protos,
alpn_protos_len) == 0);
OPENSSL_free(alpn_protos);
}
/*
* Use fixed session ticket keys so that we can decrypt a ticket created with
* one CTX in another CTX. Don't address server2 for the moment.
*/
ticket_key_len = SSL_CTX_set_tlsext_ticket_keys(server_ctx, NULL, 0);
ticket_keys = OPENSSL_zalloc(ticket_key_len);
OPENSSL_assert(ticket_keys != NULL);
OPENSSL_assert(SSL_CTX_set_tlsext_ticket_keys(server_ctx, ticket_keys,
ticket_key_len) == 1);
OPENSSL_free(ticket_keys);
}
int
run_sockstat(int argc, char *argv[])
{
int protos_defined = -1;
int o, i;
opt_j = -1;
while ((o = getopt(argc, argv, "46cj:Llp:P:uv")) != -1)
switch (o) {
case '4':
opt_4 = 1;
break;
case '6':
opt_6 = 1;
break;
case 'c':
opt_c = 1;
break;
case 'j':
opt_j = atoi(optarg);
break;
case 'L':
opt_L = 1;
break;
case 'l':
opt_l = 1;
break;
case 'p':
parse_ports(optarg);
break;
case 'P':
protos_defined = parse_protos(optarg);
break;
case 'u':
opt_u = 1;
break;
case 'v':
++opt_v;
break;
default:
usage();
}
argc -= optind;
argv += optind;
if (argc > 0)
usage();
if ((!opt_4 && !opt_6) && protos_defined != -1)
opt_4 = opt_6 = 1;
if (!opt_4 && !opt_6 && !opt_u)
opt_4 = opt_6 = opt_u = 1;
if ((opt_4 || opt_6) && protos_defined == -1)
protos_defined = set_default_protos();
if (!opt_c && !opt_l)
opt_c = opt_l = 1;
if (opt_4 || opt_6) {
for (i = 0; i < protos_defined; i++)
gather_inet(protos[i]);
}
if (opt_u || (protos_defined == -1 && !opt_4 && !opt_6)) {
gather_unix(SOCK_STREAM);
gather_unix(SOCK_DGRAM);
}
getfiles();
display();
return 0;
}
/*
* Configure callbacks and other properties that can't be set directly
* in the server/client CONF.
*/
static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
SSL_CTX *client_ctx,
const SSL_TEST_CTX *test,
const SSL_TEST_EXTRA_CONF *extra,
CTX_DATA *server_ctx_data,
CTX_DATA *server2_ctx_data,
CTX_DATA *client_ctx_data)
{
unsigned char *ticket_keys;
size_t ticket_key_len;
TEST_check(SSL_CTX_set_max_send_fragment(server_ctx,
test->max_fragment_size) == 1);
if (server2_ctx != NULL) {
TEST_check(SSL_CTX_set_max_send_fragment(server2_ctx,
test->max_fragment_size) == 1);
}
TEST_check(SSL_CTX_set_max_send_fragment(client_ctx,
test->max_fragment_size) == 1);
switch (extra->client.verify_callback) {
case SSL_TEST_VERIFY_ACCEPT_ALL:
SSL_CTX_set_cert_verify_callback(client_ctx, &verify_accept_cb,
NULL);
break;
case SSL_TEST_VERIFY_REJECT_ALL:
SSL_CTX_set_cert_verify_callback(client_ctx, &verify_reject_cb,
NULL);
break;
default:
break;
}
/* link the two contexts for SNI purposes */
switch (extra->server.servername_callback) {
case SSL_TEST_SERVERNAME_IGNORE_MISMATCH:
SSL_CTX_set_tlsext_servername_callback(server_ctx, servername_ignore_cb);
SSL_CTX_set_tlsext_servername_arg(server_ctx, server2_ctx);
break;
case SSL_TEST_SERVERNAME_REJECT_MISMATCH:
SSL_CTX_set_tlsext_servername_callback(server_ctx, servername_reject_cb);
SSL_CTX_set_tlsext_servername_arg(server_ctx, server2_ctx);
break;
default:
break;
}
/*
* The initial_ctx/session_ctx always handles the encrypt/decrypt of the
* session ticket. This ticket_key callback is assigned to the second
* session (assigned via SNI), and should never be invoked
*/
if (server2_ctx != NULL)
SSL_CTX_set_tlsext_ticket_key_cb(server2_ctx,
do_not_call_session_ticket_cb);
if (extra->server.broken_session_ticket) {
SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, broken_session_ticket_cb);
}
#ifndef OPENSSL_NO_NEXTPROTONEG
if (extra->server.npn_protocols != NULL) {
parse_protos(extra->server.npn_protocols,
&server_ctx_data->npn_protocols,
&server_ctx_data->npn_protocols_len);
SSL_CTX_set_next_protos_advertised_cb(server_ctx, server_npn_cb,
server_ctx_data);
}
if (extra->server2.npn_protocols != NULL) {
parse_protos(extra->server2.npn_protocols,
&server2_ctx_data->npn_protocols,
&server2_ctx_data->npn_protocols_len);
TEST_check(server2_ctx != NULL);
SSL_CTX_set_next_protos_advertised_cb(server2_ctx, server_npn_cb,
server2_ctx_data);
}
if (extra->client.npn_protocols != NULL) {
parse_protos(extra->client.npn_protocols,
&client_ctx_data->npn_protocols,
&client_ctx_data->npn_protocols_len);
SSL_CTX_set_next_proto_select_cb(client_ctx, client_npn_cb,
client_ctx_data);
}
#endif
if (extra->server.alpn_protocols != NULL) {
parse_protos(extra->server.alpn_protocols,
&server_ctx_data->alpn_protocols,
&server_ctx_data->alpn_protocols_len);
SSL_CTX_set_alpn_select_cb(server_ctx, server_alpn_cb, server_ctx_data);
}
if (extra->server2.alpn_protocols != NULL) {
TEST_check(server2_ctx != NULL);
parse_protos(extra->server2.alpn_protocols,
&server2_ctx_data->alpn_protocols,
&server2_ctx_data->alpn_protocols_len);
SSL_CTX_set_alpn_select_cb(server2_ctx, server_alpn_cb, server2_ctx_data);
}
if (extra->client.alpn_protocols != NULL) {
unsigned char *alpn_protos = NULL;
size_t alpn_protos_len;
parse_protos(extra->client.alpn_protocols,
&alpn_protos, &alpn_protos_len);
/* Reversed return value convention... */
TEST_check(SSL_CTX_set_alpn_protos(client_ctx, alpn_protos,
alpn_protos_len) == 0);
OPENSSL_free(alpn_protos);
}
/*
* Use fixed session ticket keys so that we can decrypt a ticket created with
* one CTX in another CTX. Don't address server2 for the moment.
*/
ticket_key_len = SSL_CTX_set_tlsext_ticket_keys(server_ctx, NULL, 0);
ticket_keys = OPENSSL_zalloc(ticket_key_len);
TEST_check(ticket_keys != NULL);
TEST_check(SSL_CTX_set_tlsext_ticket_keys(server_ctx, ticket_keys,
ticket_key_len) == 1);
OPENSSL_free(ticket_keys);
/* The default log list includes EC keys, so CT can't work without EC. */
#if !defined(OPENSSL_NO_CT) && !defined(OPENSSL_NO_EC)
TEST_check(SSL_CTX_set_default_ctlog_list_file(client_ctx));
switch (extra->client.ct_validation) {
case SSL_TEST_CT_VALIDATION_PERMISSIVE:
TEST_check(SSL_CTX_enable_ct(client_ctx, SSL_CT_VALIDATION_PERMISSIVE));
break;
case SSL_TEST_CT_VALIDATION_STRICT:
TEST_check(SSL_CTX_enable_ct(client_ctx, SSL_CT_VALIDATION_STRICT));
break;
case SSL_TEST_CT_VALIDATION_NONE:
break;
}
#endif
}
