The do_test_cipherlist(void) function in ssltest.c skips the leading ciphers of every method checked after SSLv2_method(), because the `i` index passed to `meth->get_cipher(i++)` is never reset to 0 between the per-method loops. Please find a patch below that resolves this bug and also adds `-tls1_1`/`-tls1_2` options and cipher-order checks for TLSv1_1_method() and TLSv1_2_method().
Best Regards
Nick
--------
diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index cebd4e7..84b4838 100755
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -432,6 +432,12 @@ static void sv_usage(void)
#ifndef OPENSSL_NO_TLS1
fprintf(stderr," -tls1 - use TLSv1\n");
#endif
+#ifndef OPENSSL_NO_TLS1
+ fprintf(stderr," -tls1_1 - use TLSv1.1\n");
+#endif
+#ifndef OPENSSL_NO_TLS1_2
+ fprintf(stderr," -tls1_2 - use TLSv1.2\n");
+#endif
fprintf(stderr," -CApath arg - PEM format directory of
CA's\n");
fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
fprintf(stderr," -cert arg - Server certificate file\n");
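Review bot: The new `-tls1_1` usage line is guarded by `#ifndef OPENSSL_NO_TLS1`, while the option parser later in the patch guards the same option with `OPENSSL_NO_TLS1_1`, so a build that defines only one of the two macros either advertises an option it rejects or hides one it accepts; the usage guard should read `#ifndef OPENSSL_NO_TLS1_1` to match. It is also worth confirming against opensslconf.h that an `OPENSSL_NO_TLS1_1` switch exists at all — if it does not, the guard is never taken and the option is effectively unconditional. Separately, the `-CApath` usage line appears to have been re-wrapped by the mailer (`CA's\n");` is on its own line), so the patch as posted will not apply cleanly. sv_usage() starts and ends outside this hunk.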
@@ -590,7 +596,7 @@ int main(int argc, char *argv[])
int badop=0;
int bio_pair=0;
int force=0;
- int tls1=0,ssl2=0,ssl3=0,ret=1;
+ int tls1_2=0,tls1_1=0,tls1=0,ssl2=0,ssl3=0,ret=1;
int client_auth=0;
int server_auth=0,i;
struct app_verify_arg app_verify_arg =
@@ -744,12 +750,26 @@ int main(int argc, char *argv[])
tls1=1;
}
#endif
+#ifndef OPENSSL_NO_SSL2
else if (strcmp(*argv,"-ssl2") == 0)
ssl2=1;
+#endif
+#ifndef OPENSSL_NO_TLS1
else if (strcmp(*argv,"-tls1") == 0)
tls1=1;
+#endif
+#ifndef OPENSSL_NO_TLS1_1
+ else if (strcmp(*argv,"-tls1_1") == 0)
+ tls1_1=1;
+#endif
+#ifndef OPENSSL_NO_TLS1_2
+ else if (strcmp(*argv,"-tls1_2") == 0)
+ tls1_2=1;
+#endif
+#ifndef OPENSSL_NO_SSL3
else if (strcmp(*argv,"-ssl3") == 0)
ssl3=1;
+#endif
else if (strncmp(*argv,"-num",4) == 0)
{
if (--argc < 1) goto bad;
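Review bot: Nothing in the parser rejects combinations such as `-tls1 -tls1_2`; each flag only sets its own int, and the selection chain further down takes the first match in a fixed order (ssl2, tls1, tls1_1, tls1_2, ssl3), so a run that names two versions silently tests a different protocol than the last flag given. A cheap guard is to count the set flags after parsing, `if (ssl2 + ssl3 + tls1 + tls1_1 + tls1_2 > 1) goto bad;`, or at least state the precedence in sv_usage(). The argument loop and the `bad:` label are outside this hunk.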
@@ -969,23 +989,36 @@ bad:
}
#endif
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
+
if (ssl2)
meth=SSLv2_method();
else
if (tls1)
meth=TLSv1_method();
else
+ if (tls1_1)
+ meth=TLSv1_1_method();
+ else
+ if (tls1_2)
+ meth=TLSv1_2_method();
+ else
if (ssl3)
meth=SSLv3_method();
else
+#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
meth=SSLv23_method();
#else
-#ifdef OPENSSL_NO_SSL2
- meth=SSLv3_method();
+#ifndef OPENSSL_NO_SSL3
+ meth=SSLv3_method();
#else
- meth=SSLv2_method();
+#ifndef OPENSSL_NO_SSL2
+ meth=SSLv2_method();
+#endif
#endif
+ {
+ fprintf(stderr,"No SSL/TLS methods available\n");
+ goto end;
+ }
#endif
c_ctx=SSL_CTX_new(meth);
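Review bot: In the `#else` branch the new `{ fprintf(stderr,"No SSL/TLS methods available\n"); goto end; }` block is not attached to any condition, so on a build where exactly one of SSLv2/SSLv3 is disabled the default path assigns `meth` (SSLv3_method() or SSLv2_method()) and then unconditionally prints the error and jumps to `end`, and the test never runs. Dropping the outer `#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)` also leaves `SSLv2_method()`, `SSLv3_method()` and the new `TLSv1_1_method()`/`TLSv1_2_method()` calls unguarded even though the matching parser branches are `#ifndef`-guarded, so a build that omits any of them no longer compiles. Guarding each branch individually and making the "no methods" case a real `#else` of the default selection fixes both; whether an `end:` label exists in main() is outside the hunk and should be confirmed.
```c
#ifndef OPENSSL_NO_SSL2
	if (ssl2)
		meth=SSLv2_method();
	else
#endif
#ifndef OPENSSL_NO_TLS1
	if (tls1)
		meth=TLSv1_method();
	else
#endif
#ifndef OPENSSL_NO_TLS1_1
	if (tls1_1)
		meth=TLSv1_1_method();
	else
#endif
#ifndef OPENSSL_NO_TLS1_2
	if (tls1_2)
		meth=TLSv1_2_method();
	else
#endif
#ifndef OPENSSL_NO_SSL3
	if (ssl3)
		meth=SSLv3_method();
	else
#endif
#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
		meth=SSLv23_method();
#elif !defined(OPENSSL_NO_SSL3)
		meth=SSLv3_method();	/* same fallback the old code used */
#elif !defined(OPENSSL_NO_SSL2)
		meth=SSLv2_method();
#else
		{
		/* every version-specific branch above was compiled out */
		fprintf(stderr,"No SSL/TLS methods available\n");
		goto end;
		}
#endif
	c_ctx=SSL_CTX_new(meth);
```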
@@ -2665,8 +2698,10 @@ static int do_test_cipherlist(void)
#ifndef OPENSSL_NO_SSL2
fprintf(stderr, "testing SSLv2 cipher list order: ");
meth = SSLv2_method();
+ i=0;
while ((ci = meth->get_cipher(i++)) != NULL)
{
+ fprintf(stderr,".");
if (tci != NULL)
if (ci->id >= tci->id)
{
@@ -2675,14 +2710,16 @@ static int do_test_cipherlist(void)
}
tci = ci;
}
- fprintf(stderr, "ok\n");
+ fprintf(stderr, " ok\n");
#endif
#ifndef OPENSSL_NO_SSL3
fprintf(stderr, "testing SSLv3 cipher list order: ");
meth = SSLv3_method();
tci = NULL;
+ i=0;
while ((ci = meth->get_cipher(i++)) != NULL)
{
+ fprintf(stderr,".");
if (tci != NULL)
if (ci->id >= tci->id)
{
@@ -2691,14 +2728,52 @@ static int do_test_cipherlist(void)
}
tci = ci;
}
- fprintf(stderr, "ok\n");
+ fprintf(stderr, " ok\n");
#endif
#ifndef OPENSSL_NO_TLS1
fprintf(stderr, "testing TLSv1 cipher list order: ");
meth = TLSv1_method();
tci = NULL;
+ i=0;
+ while ((ci = meth->get_cipher(i++)) != NULL)
+ {
+ fprintf(stderr,".");
+ if (tci != NULL)
+ if (ci->id >= tci->id)
+ {
+ fprintf(stderr,
"failed %lx vs. %lx\n", ci->id, tci->id);
+ return 0;
+ }
+ tci = ci;
+ }
+ fprintf(stderr, " ok\n");
+#endif
+#ifndef OPENSSL_NO_TLS1_1
+ fprintf(stderr, "testing TLSv1.1 cipher list order: ");
+ meth = TLSv1_1_method();
+ tci = NULL;
+ i=0;
+ while ((ci = meth->get_cipher(i++)) != NULL)
+ {
+ fprintf(stderr,".");
+ if (tci != NULL)
+ if (ci->id >= tci->id)
+ {
+ fprintf(stderr,
"failed %lx vs. %lx\n", ci->id, tci->id);
+ return 0;
+ }
+ tci = ci;
+ }
+ fprintf(stderr, " ok\n");
+#endif
+#ifndef OPENSSL_NO_TLS1_2
+ fprintf(stderr, "testing TLSv1.2 cipher list order: ");
+ meth = TLSv1_2_method();
+ tci = NULL;
+ i=0;
while ((ci = meth->get_cipher(i++)) != NULL)
{
+ fprintf(stderr,".");
if (tci != NULL)
if (ci->id >= tci->id)
{
@@ -2707,7 +2782,7 @@ static int do_test_cipherlist(void)
}
tci = ci;
}
- fprintf(stderr, "ok\n");
+ fprintf(stderr, " ok\n");
#endif
return 1;
