1 commit 704cdddfa1c59066a53ecab46c5bfb7238a7a54d | 1 diff -uarp openssl-1.0.0.orig/apps/s_client.c openssl-1.0.0/apps/s_client.c |
2 Author: Adam Langley <agl@chromium.org> | 2 --- openssl-1.0.0.orig/apps/s_client.c» 2009-12-16 15:28:28.000000000 -0500 |
3 Date: Thu Nov 4 16:03:41 2010 -0400 | 3 +++ openssl-1.0.0/apps/s_client.c» 2010-04-21 14:39:49.000000000 -0400 |
4 | |
5 handshake_cutthrough.patch | |
6 | |
7 diff --git a/apps/s_client.c b/apps/s_client.c | |
8 index 2f743f0..c071658 100644 | |
9 --- a/apps/s_client.c | |
10 +++ b/apps/s_client.c | |
11 @@ -248,6 +248,7 @@ static void sc_usage(void) | 4 @@ -248,6 +248,7 @@ static void sc_usage(void) |
12 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions
received\n"); | 5 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions
received\n"); |
13 BIO_printf(bio_err," -status - request certificate status from
server\n"); | 6 BIO_printf(bio_err," -status - request certificate status from
server\n"); |
14 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis sessi
on tickets\n"); | 7 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis sessi
on tickets\n"); |
15 + BIO_printf(bio_err," -cutthrough - enable 1-RTT full-handshake for
strong ciphers\n"); | 8 + BIO_printf(bio_err," -cutthrough - enable 1-RTT full-handshake for
strong ciphers\n"); |
16 #endif | 9 #endif |
17 BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renego
tiation (dangerous)\n"); | |
18 } | 10 } |
19 @@ -305,6 +306,7 @@ int MAIN(int argc, char **argv) | 11 |
| 12 @@ -304,6 +305,7 @@ int MAIN(int argc, char **argv) |
20 EVP_PKEY *key = NULL; | 13 EVP_PKEY *key = NULL; |
21 char *CApath=NULL,*CAfile=NULL,*cipher=NULL; | 14 char *CApath=NULL,*CAfile=NULL,*cipher=NULL; |
22 int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0; | 15 int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0; |
23 + int cutthrough=0; | 16 + int cutthrough=0; |
24 int crlf=0; | 17 int crlf=0; |
25 int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending; | 18 int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending; |
26 SSL_CTX *ctx=NULL; | 19 SSL_CTX *ctx=NULL; |
27 @@ -535,6 +537,8 @@ int MAIN(int argc, char **argv) | 20 @@ -533,6 +535,8 @@ int MAIN(int argc, char **argv) |
28 else if (strcmp(*argv,"-no_ticket") == 0) | 21 else if (strcmp(*argv,"-no_ticket") == 0) |
29 { off|=SSL_OP_NO_TICKET; } | 22 { off|=SSL_OP_NO_TICKET; } |
30 #endif | 23 #endif |
31 + else if (strcmp(*argv,"-cutthrough") == 0) | 24 + else if (strcmp(*argv,"-cutthrough") == 0) |
32 + cutthrough=1; | 25 + cutthrough=1; |
33 else if (strcmp(*argv,"-serverpref") == 0) | 26 else if (strcmp(*argv,"-serverpref") == 0) |
34 off|=SSL_OP_CIPHER_SERVER_PREFERENCE; | 27 off|=SSL_OP_CIPHER_SERVER_PREFERENCE; |
35 » » else if (strcmp(*argv,"-legacy_renegotiation") == 0) | 28 » » else if»(strcmp(*argv,"-cipher") == 0) |
36 @@ -725,6 +729,15 @@ bad: | 29 @@ -714,6 +718,15 @@ bad: |
37 */ | 30 */ |
38 if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1); | 31 if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1); |
39 | 32 |
40 + /* Enable handshake cutthrough for client connections using | 33 + /* Enable handshake cutthrough for client connections using |
41 + * strong ciphers. */ | 34 + * strong ciphers. */ |
42 + if (cutthrough) | 35 + if (cutthrough) |
43 + { | 36 + { |
44 + int ssl_mode = SSL_CTX_get_mode(ctx); | 37 + int ssl_mode = SSL_CTX_get_mode(ctx); |
45 + ssl_mode |= SSL_MODE_HANDSHAKE_CUTTHROUGH; | 38 + ssl_mode |= SSL_MODE_HANDSHAKE_CUTTHROUGH; |
46 + SSL_CTX_set_mode(ctx, ssl_mode); | 39 + SSL_CTX_set_mode(ctx, ssl_mode); |
47 + } | 40 + } |
48 + | 41 + |
49 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); | 42 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); |
50 if (cipher != NULL) | 43 if (cipher != NULL) |
51 if(!SSL_CTX_set_cipher_list(ctx,cipher)) { | 44 if(!SSL_CTX_set_cipher_list(ctx,cipher)) { |
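Review bot: The `-cutthrough` usage line is printed inside the `#ifndef OPENSSL_NO_TLSEXT` block that closes at the `#endif` directly below it, while the option is parsed after the `#endif` in the argument loop, so a build with OPENSSL_NO_TLSEXT accepts the flag without advertising it; either move the `BIO_printf` below the `#endif` or guard the parsing the same way. Separately, `int ssl_mode = SSL_CTX_get_mode(ctx);` narrows the `long` that SSL_CTX_get_mode returns; `long ssl_mode = SSL_CTX_get_mode(ctx);` keeps all mode bits intact. MAIN starts and ends outside these hunks.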
52 diff --git a/ssl/s3_clnt.c b/ssl/s3_clnt.c | 45 diff -uarp openssl-1.0.0.orig/ssl/s3_clnt.c openssl-1.0.0/ssl/s3_clnt.c |
53 index e5138b6..6173dbe 100644 | 46 --- openssl-1.0.0.orig/ssl/s3_clnt.c» 2010-02-27 19:24:24.000000000 -0500 |
54 --- a/ssl/s3_clnt.c | 47 +++ openssl-1.0.0/ssl/s3_clnt.c»2010-04-21 14:39:49.000000000 -0400 |
55 +++ b/ssl/s3_clnt.c | 48 @@ -186,6 +186,18 @@ int ssl3_connect(SSL *s) |
56 @@ -182,6 +182,11 @@ int ssl3_connect(SSL *s) | |
57 | 49 |
58 s->in_handshake++; | 50 s->in_handshake++; |
59 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); | 51 if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); |
| 52 +#if 0 /* Send app data in separate packet, otherwise, some particular site |
| 53 + * (only one site so far) closes the socket. |
| 54 + * Note: there is a very small chance that two TCP packets |
| 55 + * could be arriving at server combined into a single TCP packet, |
| 56 + * then trigger that site to break. We haven't encounter that though. |
| 57 + */ |
60 + if (SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) | 58 + if (SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) |
61 + { | 59 + { |
62 + /* Send app data along with CCS/Finished */ | 60 + /* Send app data along with CCS/Finished */ |
63 + s->s3->flags |= SSL3_FLAGS_DELAY_CLIENT_FINISHED; | 61 + s->s3->flags |= SSL3_FLAGS_DELAY_CLIENT_FINISHED; |
64 + } | 62 + } |
| 63 +#endif |
65 | 64 |
66 for (;;) | 65 for (;;) |
67 { | 66 { |
68 @@ -450,14 +455,31 @@ int ssl3_connect(SSL *s) | 67 @@ -454,14 +468,31 @@ int ssl3_connect(SSL *s) |
69 } | 68 } |
70 else | 69 else |
71 { | 70 { |
72 -#ifndef OPENSSL_NO_TLSEXT | 71 -#ifndef OPENSSL_NO_TLSEXT |
73 - /* Allow NewSessionTicket if ticket expected */ | 72 - /* Allow NewSessionTicket if ticket expected */ |
74 - if (s->tlsext_ticket_expected) | 73 - if (s->tlsext_ticket_expected) |
75 - s->s3->tmp.next_state=SSL3_ST_CR_SESSION
_TICKET_A; | 74 - s->s3->tmp.next_state=SSL3_ST_CR_SESSION
_TICKET_A; |
76 + if ((SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHR
OUGH) && SSL_get_cipher_bits(s, NULL) >= 128 | 75 + if ((SSL_get_mode(s) & SSL_MODE_HANDSHAKE_CUTTHR
OUGH) && SSL_get_cipher_bits(s, NULL) >= 128 |
77 + && s->s3->previous_server_finished_len == 0
/* no cutthrough on renegotiation (would complicate the state machine) */ | 76 + && s->s3->previous_server_finished_len == 0
/* no cutthrough on renegotiation (would complicate the state machine) */ |
78 + ) | 77 + ) |
96 + s->s3->tmp.next_state=SSL3_ST_CR
_SESSION_TICKET_A; | 95 + s->s3->tmp.next_state=SSL3_ST_CR
_SESSION_TICKET_A; |
97 + else | 96 + else |
98 #endif | 97 #endif |
99 - | 98 - |
100 - s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A; | 99 - s->s3->tmp.next_state=SSL3_ST_CR_FINISHED_A; |
101 + s->s3->tmp.next_state=SSL3_ST_CR
_FINISHED_A; | 100 + s->s3->tmp.next_state=SSL3_ST_CR
_FINISHED_A; |
102 + } | 101 + } |
103 } | 102 } |
104 s->init_num=0; | 103 s->init_num=0; |
105 break; | 104 break; |
106 @@ -505,6 +527,24 @@ int ssl3_connect(SSL *s) | 105 @@ -512,6 +541,24 @@ int ssl3_connect(SSL *s) |
107 s->state=s->s3->tmp.next_state; | 106 s->state=s->s3->tmp.next_state; |
108 break; | 107 break; |
109 | 108 |
110 + case SSL3_ST_CUTTHROUGH_COMPLETE: | 109 + case SSL3_ST_CUTTHROUGH_COMPLETE: |
111 +#ifndef OPENSSL_NO_TLSEXT | 110 +#ifndef OPENSSL_NO_TLSEXT |
112 + /* Allow NewSessionTicket if ticket expected */ | 111 + /* Allow NewSessionTicket if ticket expected */ |
113 + if (s->tlsext_ticket_expected) | 112 + if (s->tlsext_ticket_expected) |
114 + s->state=SSL3_ST_CR_SESSION_TICKET_A; | 113 + s->state=SSL3_ST_CR_SESSION_TICKET_A; |
115 + else | 114 + else |
116 +#endif | 115 +#endif |
117 + s->state=SSL3_ST_CR_FINISHED_A; | 116 + s->state=SSL3_ST_CR_FINISHED_A; |
118 + | 117 + |
119 + /* SSL_write() will take care of flushing buffered data
if | 118 + /* SSL_write() will take care of flushing buffered data
if |
120 + * DELAY_CLIENT_FINISHED is set. | 119 + * DELAY_CLIENT_FINISHED is set. |
121 + */ | 120 + */ |
122 + if (!(s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)) | 121 + if (!(s->s3->flags & SSL3_FLAGS_DELAY_CLIENT_FINISHED)) |
123 + ssl_free_wbio_buffer(s); | 122 + ssl_free_wbio_buffer(s); |
124 + ret = 1; | 123 + ret = 1; |
125 + goto end; | 124 + goto end; |
126 + /* break; */ | 125 + /* break; */ |
127 + | 126 + |
128 case SSL_ST_OK: | 127 case SSL_ST_OK: |
129 /* clean a few things up */ | 128 /* clean a few things up */ |
130 ssl3_cleanup_key_block(s); | 129 ssl3_cleanup_key_block(s); |
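Review bot: The `SSL3_ST_CUTTHROUGH_COMPLETE` case returns `ret = 1` from ssl3_connect while `s->state` has just been set to `SSL3_ST_CR_FINISHED_A` (or `SSL3_ST_CR_SESSION_TICKET_A`), so SSL_connect reports success before the server's Finished has been received and verified; as far as this page shows, the only thing that brings the state machine back to verify it is the `in_read_app_data == 0` term of SSL_cutthrough_complete in ssl_lib.c. That contract is not stated at the case; a comment such as `/* Handshake is NOT finished: the server Finished is verified when the first SSL_read() re-enters ssl3_connect via SSL_in_init(); only writes are allowed to proceed early. */` would make the intent reviewable. The `/* break; */` after `goto end` is dead and should go. In the first hunk, the `#if 0` block around `SSL3_FLAGS_DELAY_CLIENT_FINISHED` keeps code the build never sees; either delete it or tie it to a named define so the workaround described in its comment stays discoverable. ssl3_connect starts and ends outside these hunks.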
131 diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c | 130 diff -uarp openssl-1.0.0.orig/ssl/s3_lib.c openssl-1.0.0/ssl/s3_lib.c |
132 index 8fa4ab0..2c44bde 100644 | 131 -- openssl-1.0.0.orig/ssl/s3_lib.c 2009-10-16 11:24:19.000000000 -0400 |
133 --- a/ssl/s3_lib.c | 132 +++ openssl-1.0.0/ssl/s3_lib.c 2010-04-21 14:39:49.000000000 -0400 |
134 +++ b/ssl/s3_lib.c | 133 @@ -2551,9 +2551,22 @@ int ssl3_write(SSL *s, const void *buf, |
135 @@ -2566,9 +2566,22 @@ int ssl3_write(SSL *s, const void *buf, int len) | |
136 | 134 |
137 static int ssl3_read_internal(SSL *s, void *buf, int len, int peek) | 135 static int ssl3_read_internal(SSL *s, void *buf, int len, int peek) |
138 { | 136 { |
139 - int ret; | 137 - int ret; |
140 + int n,ret; | 138 + int n,ret; |
141 | 139 |
142 clear_sys_error(); | 140 clear_sys_error(); |
143 + if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio)) | 141 + if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio)) |
144 + { | 142 + { |
145 + /* Deal with an application that calls SSL_read() when handshake
data | 143 + /* Deal with an application that calls SSL_read() when handshake
data |
146 + » » * is yet to be written. | 144 +» » * is yet to be written. |
147 + » » */ | 145 +» » */ |
148 + if (BIO_wpending(s->wbio) > 0) | 146 + if (BIO_wpending(s->wbio) > 0) |
149 + { | 147 + { |
150 + s->rwstate=SSL_WRITING; | 148 + s->rwstate=SSL_WRITING; |
151 + n=BIO_flush(s->wbio); | 149 + n=BIO_flush(s->wbio); |
152 + if (n <= 0) return(n); | 150 + if (n <= 0) return(n); |
153 + s->rwstate=SSL_NOTHING; | 151 + s->rwstate=SSL_NOTHING; |
154 + } | 152 + } |
155 + } | 153 + } |
156 if (s->s3->renegotiate) ssl3_renegotiate_check(s); | 154 if (s->s3->renegotiate) ssl3_renegotiate_check(s); |
157 s->s3->in_read_app_data=1; | 155 s->s3->in_read_app_data=1; |
158 ret=s->method->ssl_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); | 156 ret=s->method->ssl_read_bytes(s,SSL3_RT_APPLICATION_DATA,buf,len,peek); |
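Review bot: The early `return(n)` after a failed or incomplete `BIO_flush` leaves `s->rwstate` at `SSL_WRITING`, so a retryable flush surfaces from SSL_read() as SSL_ERROR_WANT_WRITE to a caller that never wrote; that is the right signal, but nothing at the branch says so. Add on the flush branch: `/* rwstate stays SSL_WRITING so SSL_get_error() reports WANT_WRITE; the caller must retry the read once the socket is writable. */`. Also `n` is used only inside this branch and could be declared there rather than on the function's declaration line. ssl3_read_internal continues past the hunk.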
159 diff --git a/ssl/ssl.h b/ssl/ssl.h | 157 diff -uarp openssl-1.0.0.orig/ssl/ssl.h openssl-1.0.0/ssl/ssl.h |
160 index 7d4e46e..9ab9495 100644 | 158 --- openssl-1.0.0.orig/ssl/ssl.h» 2010-01-06 12:37:38.000000000 -0500 |
161 --- a/ssl/ssl.h | 159 +++ openssl-1.0.0/ssl/ssl.h» 2010-04-21 16:57:49.000000000 -0400 |
162 +++ b/ssl/ssl.h | 160 @@ -605,6 +605,10 @@ typedef struct ssl_session_st |
163 @@ -560,7 +560,10 @@ typedef struct ssl_session_st | 161 /* Use small read and write buffers: (a) lazy allocate read buffers for |
164 #define SSL_MODE_AUTO_RETRY 0x00000004L | 162 * large incoming records, and (b) limit the size of outgoing records. */ |
165 /* Don't attempt to automatically build certificate chain */ | 163 #define SSL_MODE_SMALL_BUFFERS 0x00000020L |
166 #define SSL_MODE_NO_AUTO_CHAIN 0x00000008L | |
167 - | |
168 +/* When set, clients may send application data before receipt of CCS | 164 +/* When set, clients may send application data before receipt of CCS |
169 + * and Finished. This mode enables full-handshakes to 'complete' in | 165 + * and Finished. This mode enables full-handshakes to 'complete' in |
170 + * one RTT. */ | 166 + * one RTT. */ |
171 +#define SSL_MODE_HANDSHAKE_CUTTHROUGH 0x00000020L | 167 +#define SSL_MODE_HANDSHAKE_CUTTHROUGH 0x00000040L |
172 | 168 |
173 /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, | 169 /* Note: SSL[_CTX]_set_{options,mode} use |= op on the previous value, |
174 * they cannot be used to clear bits. */ | 170 * they cannot be used to clear bits. */ |
175 @@ -1111,10 +1114,12 @@ extern "C" { | 171 @@ -1097,10 +1101,12 @@ extern "C" { |
176 /* Is the SSL_connection established? */ | 172 /* Is the SSL_connection established? */ |
177 #define SSL_get_state(a) SSL_state(a) | 173 #define SSL_get_state(a) SSL_state(a) |
178 #define SSL_is_init_finished(a) (SSL_state(a) == SSL_ST_OK) | 174 #define SSL_is_init_finished(a) (SSL_state(a) == SSL_ST_OK) |
179 -#define SSL_in_init(a) (SSL_state(a)&SSL_ST_INIT) | 175 -#define SSL_in_init(a) (SSL_state(a)&SSL_ST_INIT) |
180 +#define SSL_in_init(a) ((SSL_state(a)&SSL_ST_INIT) && \ | 176 +#define SSL_in_init(a) ((SSL_state(a)&SSL_ST_INIT) && \ |
181 + !SSL_cutthrough_complete(a)) | 177 + !SSL_cutthrough_complete(a)) |
182 #define SSL_in_before(a) (SSL_state(a)&SSL_ST_BEFORE) | 178 #define SSL_in_before(a) (SSL_state(a)&SSL_ST_BEFORE) |
183 #define SSL_in_connect_init(a) (SSL_state(a)&SSL_ST_CONNECT) | 179 #define SSL_in_connect_init(a) (SSL_state(a)&SSL_ST_CONNECT) |
184 #define SSL_in_accept_init(a) (SSL_state(a)&SSL_ST_ACCEPT) | 180 #define SSL_in_accept_init(a) (SSL_state(a)&SSL_ST_ACCEPT) |
185 +int SSL_cutthrough_complete(const SSL *s); | 181 +int SSL_cutthrough_complete(const SSL *s); |
186 | 182 |
187 /* The following 2 states are kept in ssl->rstate when reads fail, | 183 /* The following 2 states are kept in ssl->rstate when reads fail, |
188 * you should not need these */ | 184 * you should not need these */ |
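Review bot: Redefining `SSL_in_init` as `(SSL_state(a)&SSL_ST_INIT) && !SSL_cutthrough_complete(a)` silently changes a public predicate: once cutthrough has completed, `SSL_in_init` is false while `SSL_is_init_finished` (state == SSL_ST_OK) is also false, a combination existing applications may not expect. The macro also now evaluates `a` twice, so it must not be given an argument with side effects. Document this next to the definition, e.g. `/* False once cutthrough has completed even though the handshake is not yet finished; see SSL_cutthrough_complete(). Evaluates its argument twice. */`. The `SSL_MODE_HANDSHAKE_CUTTHROUGH` comment should also say the bit must stay distinct from every other SSL_MODE_* value — the NEW side moved it from 0x20 to 0x40 precisely to avoid `SSL_MODE_SMALL_BUFFERS`.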
189 diff --git a/ssl/ssl3.h b/ssl/ssl3.h | 185 Only in openssl-1.0.0/ssl: ssl.h.orig |
190 index 2f579c2..afbdd70 100644 | 186 diff -uarp openssl-1.0.0.orig/ssl/ssl3.h openssl-1.0.0/ssl/ssl3.h |
191 --- a/ssl/ssl3.h | 187 -- openssl-1.0.0.orig/ssl/ssl3.h» 2010-01-06 12:37:38.000000000 -0500 |
192 +++ b/ssl/ssl3.h | 188 +++ openssl-1.0.0/ssl/ssl3.h» 2010-04-21 14:39:49.000000000 -0400 |
193 @@ -456,6 +456,7 @@ typedef struct ssl3_state_st | 189 @@ -456,6 +456,7 @@ typedef struct ssl3_state_st |
194 /*client */ | 190 /*client */ |
195 /* extra state */ | 191 /* extra state */ |
196 #define SSL3_ST_CW_FLUSH (0x100|SSL_ST_CONNECT) | 192 #define SSL3_ST_CW_FLUSH (0x100|SSL_ST_CONNECT) |
197 +#define SSL3_ST_CUTTHROUGH_COMPLETE (0x101|SSL_ST_CONNECT) | 193 +#define SSL3_ST_CUTTHROUGH_COMPLETE» (0x101|SSL_ST_CONNECT) |
198 /* write to server */ | 194 /* write to server */ |
199 #define SSL3_ST_CW_CLNT_HELLO_A (0x110|SSL_ST_CONNECT) | 195 #define SSL3_ST_CW_CLNT_HELLO_A (0x110|SSL_ST_CONNECT) |
200 #define SSL3_ST_CW_CLNT_HELLO_B (0x111|SSL_ST_CONNECT) | 196 #define SSL3_ST_CW_CLNT_HELLO_B (0x111|SSL_ST_CONNECT) |
201 diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c | 197 diff -uarp openssl-1.0.0.orig/ssl/ssl_lib.c openssl-1.0.0/ssl/ssl_lib.c |
202 index 15650da..96e056d 100644 | 198 --- openssl-1.0.0.orig/ssl/ssl_lib.c» 2010-02-17 14:43:46.000000000 -0500 |
203 --- a/ssl/ssl_lib.c | 199 +++ openssl-1.0.0/ssl/ssl_lib.c»2010-04-21 17:02:45.000000000 -0400 |
204 +++ b/ssl/ssl_lib.c | 200 @@ -3031,6 +3031,19 @@ void SSL_set_msg_callback(SSL *ssl, void |
205 @@ -2752,7 +2752,18 @@ void SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_
p, int version, int con | |
206 SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); | 201 SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); |
207 } | 202 } |
208 | 203 |
209 - | |
210 +int SSL_cutthrough_complete(const SSL *s) | 204 +int SSL_cutthrough_complete(const SSL *s) |
211 + { | 205 + { |
212 + return (!s->server && /* cutthrough only applies to clie
nts */ | 206 + return (!s->server && /* cutthrough only applies to clie
nts */ |
213 + !s->hit && /* full-handshake */ | 207 + !s->hit && /* full-handshake */ |
214 + s->version >= SSL3_VERSION && | 208 + s->version >= SSL3_VERSION && |
215 + s->s3->in_read_app_data == 0 && /* cutthrough only applies to
write() */ | 209 + s->s3->in_read_app_data == 0 && /* cutthrough only applies to
write() */ |
216 + (SSL_get_mode((SSL*)s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) && /* c
utthrough enabled */ | 210 + (SSL_get_mode((SSL*)s) & SSL_MODE_HANDSHAKE_CUTTHROUGH) && /* c
utthrough enabled */ |
217 + SSL_get_cipher_bits(s, NULL) >= 128 && /* s
trong cipher choosen */ | 211 + SSL_get_cipher_bits(s, NULL) >= 128 && /* s
trong cipher choosen */ |
218 + s->s3->previous_server_finished_len == 0 && /* n
ot a renegotiation handshake */ | 212 + s->s3->previous_server_finished_len == 0 && /* n
ot a renegotiation handshake */ |
219 + (s->state == SSL3_ST_CR_SESSION_TICKET_A || /* r
eady to write app-data*/ | 213 + (s->state == SSL3_ST_CR_SESSION_TICKET_A || /* r
eady to write app-data*/ |
220 + s->state == SSL3_ST_CR_FINISHED_A)); | 214 + s->state == SSL3_ST_CR_FINISHED_A)); |
221 + } | 215 + } |
222 | 216 + |
223 #if defined(_WINDLL) && defined(OPENSSL_SYS_WIN16) | 217 /* Allocates new EVP_MD_CTX and sets pointer to it into given pointer |
224 #include "../crypto/bio/bss_file.c" | 218 * vairable, freeing EVP_MD_CTX previously stored in that variable, if |
225 diff --git a/ssl/ssltest.c b/ssl/ssltest.c | 219 * any. If EVP_MD pointer is passed, initializes ctx with this md |
226 index b09c542..6ddd0aa 100644 | 220 diff -uarp openssl-1.0.0.orig/ssl/ssltest.c openssl-1.0.0/ssl/ssltest.c |
227 --- a/ssl/ssltest.c | 221 --- openssl-1.0.0.orig/ssl/ssltest.c» 2010-01-24 11:57:38.000000000 -0500 |
228 +++ b/ssl/ssltest.c | 222 +++ openssl-1.0.0/ssl/ssltest.c»2010-04-21 17:06:35.000000000 -0400 |
229 @@ -277,6 +277,7 @@ static void sv_usage(void) | 223 @@ -279,6 +279,7 @@ static void sv_usage(void) |
230 » " (default is sect163r2).\n"); | |
231 #endif | |
232 fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher
lists\n"); | 224 fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher
lists\n"); |
233 +» fprintf(stderr," -cutthrough - enable 1-RTT full-handshake for str
ong ciphers\n"); | 225 » fprintf(stderr," -c_small_records - enable client side use of small SSL
record buffers\n"); |
| 226 » fprintf(stderr," -s_small_records - enable server side use of small SSL
record buffers\n"); |
| 227 +» fprintf(stderr," -cutthrough - enable 1-RTT full-handshake for stro
ng ciphers\n"); |
234 } | 228 } |
235 | 229 |
236 static void print_details(SSL *c_ssl, const char *prefix) | 230 static void print_details(SSL *c_ssl, const char *prefix) |
237 @@ -431,6 +432,8 @@ int main(int argc, char *argv[]) | 231 @@ -436,6 +437,7 @@ int main(int argc, char *argv[]) |
238 #ifdef OPENSSL_FIPS | 232 » int ssl_mode = 0; |
239 » int fips_mode=0; | 233 » int c_small_records=0; |
240 #endif | 234 » int s_small_records=0; |
241 +» int ssl_mode = 0; | |
242 + int cutthrough = 0; | 235 + int cutthrough = 0; |
243 | 236 |
244 verbose = 0; | 237 verbose = 0; |
245 debug = 0; | 238 debug = 0; |
246 @@ -619,6 +622,10 @@ int main(int argc, char *argv[]) | 239 @@ -632,6 +634,10 @@ int main(int argc, char *argv[]) |
247 { | 240 { |
248 » » » test_cipherlist = 1; | 241 » » » s_small_records = 1; |
249 } | 242 } |
250 + else if (strcmp(*argv, "-cutthrough") == 0) | 243 + else if (strcmp(*argv, "-cutthrough") == 0) |
251 + { | 244 + { |
252 + cutthrough = 1; | 245 + cutthrough = 1; |
253 + } | 246 + } |
254 else | 247 else |
255 { | 248 { |
256 fprintf(stderr,"unknown option %s\n",*argv); | 249 fprintf(stderr,"unknown option %s\n",*argv); |
257 @@ -754,6 +761,13 @@ bad: | 250 @@ -782,6 +788,13 @@ bad: |
258 » » SSL_CTX_set_cipher_list(c_ctx,cipher); | 251 » » ssl_mode |= SSL_MODE_SMALL_BUFFERS; |
259 » » SSL_CTX_set_cipher_list(s_ctx,cipher); | 252 » » SSL_CTX_set_mode(s_ctx, ssl_mode); |
260 } | 253 } |
261 + ssl_mode = 0; | 254 + ssl_mode = 0; |
262 + if (cutthrough) | 255 + if (cutthrough) |
263 + { | 256 + { |
264 + ssl_mode = SSL_CTX_get_mode(c_ctx); | 257 + ssl_mode = SSL_CTX_get_mode(c_ctx); |
265 + ssl_mode = SSL_MODE_HANDSHAKE_CUTTHROUGH; | 258 + ssl_mode = SSL_MODE_HANDSHAKE_CUTTHROUGH; |
266 + SSL_CTX_set_mode(c_ctx, ssl_mode); | 259 + SSL_CTX_set_mode(c_ctx, ssl_mode); |
267 + } | 260 + } |
268 | 261 |
269 #ifndef OPENSSL_NO_DH | 262 #ifndef OPENSSL_NO_DH |
270 if (!no_dhe) | 263 if (!no_dhe) |
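Review bot: In the `bad:` hunk `ssl_mode = SSL_CTX_get_mode(c_ctx);` is immediately overwritten by `ssl_mode = SSL_MODE_HANDSHAKE_CUTTHROUGH;`, so the fetched mode is a dead store; the intent, and what s_client.c does, is `ssl_mode |= SSL_MODE_HANDSHAKE_CUTTHROUGH;`. It is harmless today only because SSL_CTX_set_mode ORs into the existing value, as the ssl.h comment notes, and the code should not rely on that. With the fix, the preceding `ssl_mode = 0;` reset is also unnecessary. main continues outside the hunk.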
271 diff --git a/test/testssl b/test/testssl | 264 diff -uarp openssl-1.0.0.orig/test/testssl openssl-1.0.0/test/testssl |
272 index 8ac90ae..c0c1c1c 100644 | 265 --- openssl-1.0.0.orig/test/testssl» 2006-03-10 18:06:27.000000000 -0500 |
273 --- a/test/testssl | 266 +++ openssl-1.0.0/test/testssl» 2010-04-21 16:50:13.000000000 -0400 |
274 +++ b/test/testssl | 267 @@ -79,6 +79,8 @@ $ssltest -server_auth -client_auth -s_sm |
275 @@ -70,6 +70,9 @@ $ssltest -client_auth $CA $extra || exit 1 | 268 echo test sslv2/sslv3 with both client and server authentication and small clie
nt and server buffers |
276 echo test sslv2/sslv3 with both client and server authentication | 269 $ssltest -server_auth -client_auth -c_small_records -s_small_records $CA $extra
|| exit 1 |
277 $ssltest -server_auth -client_auth $CA $extra || exit 1 | |
278 | 270 |
279 +echo test sslv2/sslv3 with both client and server authentication and handshake
cutthrough | 271 +echo test sslv2/sslv3 with both client and server authentication and handshake
cutthrough |
280 +$ssltest -server_auth -client_auth -cutthrough $CA $extra || exit 1 | 272 +$ssltest -server_auth -client_auth -cutthrough $CA $extra || exit 1 |
281 + | 273 |
282 echo test sslv2 via BIO pair | 274 echo test sslv2 via BIO pair |
283 $ssltest -bio_pair -ssl2 $extra || exit 1 | 275 $ssltest -bio_pair -ssl2 $extra || exit 1 |
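Review bot: The new `-cutthrough` run only checks that ssltest exits 0; nothing visible on this page makes ssltest assert that the cutthrough path was actually taken (that SSL_cutthrough_complete became true, or that a cipher meeting the 128-bit condition was negotiated), so the test passes equally if the mode bit is ignored. Consider having ssltest check the client state after SSL_connect when `-cutthrough` is given, and run the test with an explicit cipher that satisfies the strength condition.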
284 | |