Extends s_client to allow a basic CT policy to be enabled

Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
diff --git a/test/ssltest.c b/test/ssltest.c
index f65358a..da9391a 100644
--- a/test/ssltest.c
+++ b/test/ssltest.c
@@ -187,6 +187,9 @@
 # include <openssl/srp.h>
 #endif
 #include <openssl/bn.h>
+#ifndef OPENSSL_NO_CT
+# include <openssl/ct.h>
+#endif
 
 #include "../ssl/ssl_locl.h"
 
@@ -493,8 +496,6 @@
     return -1;
 }
 
-#define SCT_EXT_TYPE 18
-
 /*
  * WARNING : below extension types are *NOT* IETF assigned, and could
  * conflict if these types are reassigned and handled specially by OpenSSL
@@ -529,7 +530,7 @@
                                    const unsigned char *in, size_t inlen,
                                    int *al, void *arg)
 {
-    if (ext_type == SCT_EXT_TYPE)
+    if (ext_type == TLSEXT_TYPE_signed_certificate_timestamp)
         serverinfo_sct_seen++;
     else if (ext_type == TACK_EXT_TYPE)
         serverinfo_tack_seen++;
@@ -838,6 +839,11 @@
     fprintf(stderr, " -client_min_proto <string> - Minimum version the client should support\n");
     fprintf(stderr, " -client_max_proto <string> - Maximum version the client should support\n");
     fprintf(stderr, " -should_negotiate <string> - The version that should be negotiated, fail-client or fail-server\n");
+#ifndef OPENSSL_NO_CT
+    fprintf(stderr, " -noct         - no certificate transparency\n");
+    fprintf(stderr, " -requestct    - request certificate transparency\n");
+    fprintf(stderr, " -requirect    - require certificate transparency\n");
+#endif
 }
 
 static void print_key_details(BIO *out, EVP_PKEY *key)
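Review bot: The help strings added for `-requestct` and `-requirect` do not say how the two policies differ, and `-noct` does not say that it is the default, so a reader of the usage output cannot tell which one to pick. From the option handling these map to CT_verify_no_bad_scts and CT_verify_at_least_one_good_sct, so I would state the policy in the text: `" -noct         - no certificate transparency (default)\n"`, `" -requestct    - request SCTs; fail only if an invalid SCT is received\n"`, `" -requirect    - require at least one valid SCT\n"`. The exact semantics of the two callbacks are inferred from their names here and should be checked against ct.h before wording the help.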
@@ -1057,6 +1063,14 @@
 #endif
     int no_protocol;
 
+#ifndef OPENSSL_NO_CT
+    /*
+     * Disable CT validation by default, because it will interfere with
+     * anything using custom extension handlers to deal with SCT extensions.
+     */
+    ct_validation_cb ct_validation = NULL;
+#endif
+
     SSL_CONF_CTX *s_cctx = NULL, *c_cctx = NULL;
     STACK_OF(OPENSSL_STRING) *conf_args = NULL;
     char *arg = NULL, *argn = NULL;
@@ -1229,6 +1243,17 @@
         } else if (strcmp(*argv, "-time") == 0) {
             print_time = 1;
         }
+#ifndef OPENSSL_NO_CT
+        else if (strcmp(*argv, "-noct") == 0) {
+            ct_validation = NULL;
+        }
+        else if (strcmp(*argv, "-requestct") == 0) {
+            ct_validation = CT_verify_no_bad_scts;
+        }
+        else if (strcmp(*argv, "-requirect") == 0) {
+            ct_validation = CT_verify_at_least_one_good_sct;
+        }
+#endif
 #ifndef OPENSSL_NO_COMP
         else if (strcmp(*argv, "-zlib") == 0) {
             comp = COMP_ZLIB;
@@ -1512,6 +1537,13 @@
         }
     }
 
+#ifndef OPENSSL_NO_CT
+    if (!SSL_CTX_set_ct_validation_callback(c_ctx, ct_validation, NULL)) {
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+#endif
+
     /* Process SSL_CONF arguments */
     SSL_CONF_CTX_set_ssl_ctx(c_cctx, c_ctx);
     SSL_CONF_CTX_set_ssl_ctx(s_cctx, s_ctx);
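Review bot: The CT validation callback is installed on c_ctx here whenever `-requestct` or `-requirect` was given, but nothing rejects combining those options with `-serverinfo_sct`, which later in this file registers a client custom extension for TLSEXT_TYPE_signed_certificate_timestamp on the same c_ctx; the comment on ct_validation's declaration says CT validation interferes with exactly that. If the registration is refused or the two handlers compete for the extension, the test would fail for a configuration reason rather than a TLS one, so I would reject the combination before this call: `if (ct_validation != NULL && serverinfo_sct) { fprintf(stderr, "-serverinfo_sct cannot be combined with -requestct/-requirect\n"); goto end; }` inside the same `#ifndef OPENSSL_NO_CT`. Whether the library actually refuses the custom registration when CT is enabled cannot be confirmed from this diff.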
@@ -1586,15 +1618,18 @@
 
     if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) ||
         (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
-        (!SSL_CTX_set_default_ctlog_list_file(s_ctx)) ||
         (!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) ||
-        (!SSL_CTX_set_default_verify_paths(c_ctx)) ||
-        (!SSL_CTX_set_default_ctlog_list_file(c_ctx))) {
+        (!SSL_CTX_set_default_verify_paths(c_ctx))) {
         /* fprintf(stderr,"SSL_load_verify_locations\n"); */
         ERR_print_errors(bio_err);
         /* goto end; */
     }
 
+    if (!SSL_CTX_set_default_ctlog_list_file(s_ctx) ||
+        !SSL_CTX_set_default_ctlog_list_file(c_ctx)) {
+        ERR_print_errors(bio_err);
+    }
+
     if (client_auth) {
         printf("client authentication\n");
         SSL_CTX_set_verify(s_ctx,
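Review bot: The new block starting at `if (!SSL_CTX_set_default_ctlog_list_file(s_ctx) ||` only prints the error and continues, so with `-requirect` a missing or unreadable default log list leaves the client with no logs and every handshake would then fail CT validation for a reason unrelated to what the test exercises. I would make the failure fatal when a CT policy was requested, which means the block also has to sit under `#ifndef OPENSSL_NO_CT` because ct_validation is only declared there; the other CT code in this commit is guarded that way, and whether SSL_CTX_set_default_ctlog_list_file is even declared in a no-CT build cannot be confirmed from this diff. The `-requestct` case presumably also needs logs to judge an SCT, so the same rule applies to it.
```c
#ifndef OPENSSL_NO_CT
    if (!SSL_CTX_set_default_ctlog_list_file(s_ctx) ||
        !SSL_CTX_set_default_ctlog_list_file(c_ctx)) {
        ERR_print_errors(bio_err);
        /* Without a log list a requested CT policy can never be satisfied. */
        if (ct_validation != NULL)
            goto end;
    }
#endif
```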
@@ -1684,9 +1719,10 @@
 #endif
 
     if (serverinfo_sct) {
-        if (!SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE,
-                                      NULL, NULL, NULL,
-                                      serverinfo_cli_parse_cb, NULL)) {
+        if (!SSL_CTX_add_client_custom_ext(c_ctx,
+                TLSEXT_TYPE_signed_certificate_timestamp,
+                NULL, NULL, NULL,
+                serverinfo_cli_parse_cb, NULL)) {
             BIO_printf(bio_err, "Error adding SCT extension\n");
             goto end;
         }