#include "utilities/fileIo.h"
#include "utilities/SecCFWrappers.h"
#include "utilities/SecIOFormat.h"
-#include "SecurityTool/print_cert.h"
+#include "SecurityTool/sharedTool/print_cert.h"
#define DEFAULT_GETMSG "GET"
#define DEFAULT_PATH "/"
#define DEFAULT_HOST "www.amazon.com"
#define DEFAULT_PORT 443
+static const int _maxFileStringSize = 100;
static void usageNorm(char **argv)
{
" [23t]\n");
printf(" k=keychain Contains cert and keys. Optional.\n");
printf(" l=loopCount Perform loopCount ops (default = 1)\n");
- printf(" P=port Default = %d\n", DEFAULT_PORT);
+ printf(" P=port Default = %d\n", DEFAULT_PORT);
printf(" p Pause after each loop\n");
printf(" q Quiet/diagnostic mode (site names and errors only)\n");
printf(" a fileName Add fileName to list of trusted roots\n");
exit(1);
}
-/*
+/*
* Arguments to top-level sslPing()
*/
typedef struct {
const char *vfyHostName; // use this for cert vfy if non-NULL,
// else use hostName
unsigned short port;
- const char *getMsg; // e.g.,
- // "GET / HTTP/1.0\r\n\r\n"
+ const char *getMsg; // e.g.,
+ // "GET / HTTP/1.0\r\n\r\n"
bool allowExpired;
bool allowAnyRoot;
bool allowExpiredRoot;
bool disableCertVerify;
bool manualCertVerify;
bool dumpRxData; // display server data
- char cipherRestrict; // '2', 'd'. etc...; '\0' for
+ char cipherRestrict; // '2', 'd'. etc...; '\0' for
// no restriction
bool keepConnected;
- bool requireNotify; // require closure notify
+ bool requireNotify; // require closure notify
// in V3 mode
bool resumableEnable;
bool allowHostnameSpoof;
static void
sigpipe(int sig)
-{
+{
fflush(stdin);
printf("***SIGPIPE***\n");
}
return ortn;
}
if(secTrust == NULL) {
- /* this is the normal case for resumed sessions, in which
+ /* this is the normal case for resumed sessions, in which
* no cert evaluation is performed */
if(!pargs->silent) {
printf("...No SecTrust available - this is a resumed session, right?\n");
}
SecTrustResultType secTrustResult;
- ortn = SecTrustEvaluate(secTrust, &secTrustResult);
+ ortn = SecTrustGetTrustResult(secTrust, &secTrustResult); // implicitly does trust evaluate
if(ortn) {
printf("\n***Error on SecTrustEvaluate: %d\n", (int)ortn);
return ortn;
if(pargs->verbose) {
const char *res = NULL;
switch(secTrustResult) {
- case kSecTrustResultInvalid:
+ case kSecTrustResultInvalid:
res = "kSecTrustResultInvalid"; break;
- case kSecTrustResultProceed:
+ case kSecTrustResultProceed:
res = "kSecTrustResultProceed"; break;
-#pragma clang diagnostic push
-#pragma clang diagnostic ignored "-Wdeprecated-declarations"
- case kSecTrustResultConfirm:
-#pragma clang diagnostic pop
- res = "kSecTrustResultConfirm"; break;
case kSecTrustResultDeny:
res = "kSecTrustResultDeny"; break;
- case kSecTrustResultUnspecified:
+ case kSecTrustResultUnspecified:
res = "kSecTrustResultUnspecified"; break;
- case kSecTrustResultRecoverableTrustFailure:
+ case kSecTrustResultRecoverableTrustFailure:
res = "kSecTrustResultRecoverableTrustFailure"; break;
- case kSecTrustResultFatalTrustFailure:
+ case kSecTrustResultFatalTrustFailure:
res = "kSecTrustResultFatalTrustFailure"; break;
- case kSecTrustResultOtherError:
+ case kSecTrustResultOtherError:
res = "kSecTrustResultOtherError"; break;
default:
res = "UNKNOWN"; break;
}
printf("\nSecTrustEvaluate(): secTrustResult %s\n", res);
}
-
+
switch(secTrustResult) {
case kSecTrustResultUnspecified:
/* cert chain valid, no special UserTrust assignments */
/* cert chain valid AND user explicitly trusts this */
break;
default:
- printf("\n***SecTrustEvaluate reported secTrustResult %d\n",
+ printf("\n***SecTrustEvaluate reported secTrustResult %d\n",
(int)secTrustResult);
ortn = errSSLXCertChainInvalid;
break;
/* print reply received from server, safely */
static void dumpAscii(
- uint8_t *rcvBuf,
+ uint8_t *rcvBuf,
size_t len)
{
char *cp = (char *)rcvBuf;
uint32_t i;
char c;
-
+
for(i=0; i<len; i++) {
c = *cp++;
if(c == '\0') {
printf("[selected ALPN]");
}
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
/*
* Perform one SSL diagnostic session. Returns nonzero on error. Normally no
- * output to stdout except initial "connecting to" message, unless there
- * is a really screwed up error (i.e., something not directly related
- * to the SSL connection).
+ * output to stdout except initial "connecting to" message, unless there
+ * is a really screwed up error (i.e., something not directly related
+ * to the SSL connection).
*/
#define RCV_BUF_SIZE 256
uint8_t rcvBuf[RCV_BUF_SIZE];
CFAbsoluteTime startHandshake;
CFAbsoluteTime endHandshake;
-
+
pargs->negVersion = kSSLProtocolUnknown;
pargs->negCipher = SSL_NULL_WITH_NULL_NULL;
pargs->peerCerts = NULL;
-
+
/* first make sure requested server is there */
ortn = MakeServerConnection(pargs->hostName, pargs->port, pargs->nonBlocking,
&sock, &peerId);
if(pargs->verbose) {
printf("...connected to server; starting SecureTransport\n");
}
-
- /*
+
+ /*
* Set up a SecureTransport session.
* First the standard calls.
*/
if(ctx == NULL) {
printf("SSLCreateContext\n");
goto cleanup;
- }
+ }
ortn = SSLSetIOFuncs(ctx, SocketRead, SocketWrite);
if(ortn) {
printSslErrStr("SSLSetIOFuncs", ortn);
goto cleanup;
- }
+ }
ortn = SSLSetConnection(ctx, (SSLConnectionRef)(intptr_t)sock);
if(ortn) {
printSslErrStr("SSLSetConnection", ortn);
if(getConn != (SSLConnectionRef)(intptr_t)sock) {
printf("***SSLGetConnection error\n");
ortn = errSecParam;
- goto cleanup;
+ goto cleanup;
}
if(!pargs->allowHostnameSpoof) {
/* if this isn't set, it isn't checked by AppleX509TP */
goto cleanup;
}
}
-
- /*
+
+ /*
* SecureTransport options.
- */
+ */
if(pargs->acceptedProts) {
- ortn = SSLSetProtocolVersionEnabled(ctx, kSSLProtocolAll, false);
if(ortn) {
printSslErrStr("SSLSetProtocolVersionEnabled(all off)", ortn);
goto cleanup;
}
for(const char *cp = pargs->acceptedProts; *cp; cp++) {
- SSLProtocol prot;
switch(*cp) {
case '2':
- prot = kSSLProtocol2;
+ ortn = SSLSetProtocolVersionMax(ctx, kSSLProtocol2);
break;
case '3':
- prot = kSSLProtocol3;
+ ortn = SSLSetProtocolVersionMax(ctx, kSSLProtocol3);
break;
case 't':
- prot = kTLSProtocol12;
+ ortn = SSLSetProtocolVersionMax(ctx, kTLSProtocol12);
break;
default:
usage(pargs->argv);
}
- ortn = SSLSetProtocolVersionEnabled(ctx, prot, true);
if(ortn) {
- printSslErrStr("SSLSetProtocolVersionEnabled", ortn);
+ printSslErrStr("SSLSetProtocolVersionMax", ortn);
goto cleanup;
}
}
+ } else {
+ ortn = SSLSetProtocolVersionMax(ctx, pargs->tryVersion);
+ if(ortn) {
+ printSslErrStr("SSLSetProtocolVersionMax", ortn);
+ goto cleanup;
+ }
}
- else {
- ortn = SSLSetProtocolVersion(ctx, pargs->tryVersion);
- if(ortn) {
- printSslErrStr("SSLSetProtocolVersion", ortn);
- goto cleanup;
- }
- SSLProtocol getVers;
- ortn = SSLGetProtocolVersion(ctx, &getVers);
- if(ortn) {
- printSslErrStr("SSLGetProtocolVersion", ortn);
- goto cleanup;
- }
- if(getVers != pargs->tryVersion) {
- printf("***SSLGetProtocolVersion screwup: try %s get %s\n",
- sslGetProtocolVersionString(pargs->tryVersion),
- sslGetProtocolVersionString(getVers));
- ortn = errSecParam;
- goto cleanup;
- }
- }
+
if(pargs->resumableEnable) {
const void *rtnId = NULL;
size_t rtnIdLen = 0;
-
+
ortn = SSLSetPeerID(ctx, &peerId, sizeof(PeerSpec));
if(ortn) {
printSslErrStr("SSLSetPeerID", ortn);
}
/*** end options ***/
-
+
if(pargs->verbose) {
printf("...starting SSL handshake\n");
}
startHandshake = CFAbsoluteTimeGetCurrent();
-
+
do
{ ortn = SSLHandshake(ctx);
if((ortn == errSSLWouldBlock) && !pargs->silent) {
- /* keep UI responsive */
+ /* keep UI responsive */
sslOutputDot();
}
} while (ortn == errSSLWouldBlock);
pargs->handshakeTimeTotal += pargs->handshakeTimeOp;
}
pargs->numHandshakes++;
-
+
ortn = SSLCopyPeerTrust(ctx, &pargs->peerTrust);
if(ortn) {
printf("***SSLCopyPeerTrust error %" PRIdOSStatus "\n", ortn);
SSLGetNegotiatedCipher(ctx, &pargs->negCipher);
SSLGetNegotiatedProtocolVersion(ctx, &pargs->negVersion);
pargs->sessionIDLength = MAX_SESSION_ID_LENGTH;
- SSLGetResumableSessionInfo(ctx, &pargs->sessionWasResumed, pargs->sessionID,
- &pargs->sessionIDLength);
-
- {
+ ortn = SSLGetResumableSessionInfo(ctx, &pargs->sessionWasResumed, pargs->sessionID, &pargs->sessionIDLength);
+ if(!ortn) {
OSStatus certRtn = sslEvaluateTrust(ctx, pargs, &pargs->peerCerts);
if (certRtn && !pargs->manualCertVerify) {
ortn = certRtn;
}
}
-
+
if(ortn) {
if(!pargs->silent) {
printf("\n");
length = strlen(pargs->getMsg);
(void) SSLWrite(ctx, pargs->getMsg, length, &actLen);
- /*
+ /*
* Try to snag RCV_BUF_SIZE bytes. Exit if (!keepConnected and we get any data
* at all), or (keepConnected and err != (none, wouldBlock)).
*/
- while (1) {
+ while (1) {
actLen = 0;
if(pargs->dumpRxData) {
size_t avail = 0;
-
+
ortn = SSLGetBufferedReadSize(ctx, &avail);
if(ortn) {
printf("***SSLGetBufferedReadSize error\n");
SSLGetClientCertificateState(ctx, &pargs->certState);
SSLGetNegotiatedCipher(ctx, &pargs->negCipher);
SSLGetNegotiatedProtocolVersion(ctx, &pargs->negVersion);
-
+
/* convert normal "shutdown" into zero err rtn */
if(ortn == errSSLClosedGraceful) {
ortn = errSecSuccess;
}
cleanup: ;
/*
- * always do close, even on error - to flush outgoing write queue
+ * always do close, even on error - to flush outgoing write queue
*/
- OSStatus cerr = SSLClose(ctx);
+ OSStatus cerr = errSecParam;
+ if (ctx) {
+ cerr = SSLClose(ctx);
+ }
if(ortn == errSecSuccess) {
ortn = cerr;
}
}
if(ctx) {
CFRelease(ctx);
- }
+ }
return ortn;
}
}
#endif
+#pragma clang diagnostic pop
+
static void showPeerTrust(SecTrustRef peerTrust, bool verbose) {
if(peerTrust == NULL) {
CFIndex numCerts;
SecCertificateRef certRef;
CFIndex i;
-
+
if(peerCerts == NULL) {
return;
}
CFIndex numCerts;
SecCertificateRef certRef;
CFIndex i;
- char fileName[100];
-
+ char fileName[_maxFileStringSize];
+
if(peerCerts == NULL) {
return;
}
numCerts = CFArrayGetCount(peerCerts);
for(i=0; i<numCerts; i++) {
- sprintf(fileName, "%s%02d.cer", fileBase, (int)i);
+ snprintf(fileName, _maxFileStringSize, "%s%02d.cer", fileBase, (int)i);
certRef = (SecCertificateRef)CFArrayGetValueAtIndex(peerCerts, i);
CFDataRef derCert = SecCertificateCopyData(certRef);
if (derCert) {
- writeFile(fileName, CFDataGetBytePtr(derCert),
+ writeFileSizet(fileName, CFDataGetBytePtr(derCert),
CFDataGetLength(derCert));
CFRelease(derCert);
}
char *fileBase) // non-NULL: write certs to file
{
CFIndex numPeerCerts;
-
+
printf("\n");
-
+
if(pargs->acceptedProts) {
printf(" Allowed SSL versions : %s\n", pargs->acceptedProts);
}
else {
- printf(" Attempted SSL version : %s\n",
+ printf(" Attempted SSL version : %s\n",
sslGetProtocolVersionString(pargs->tryVersion));
}
-
+
printf(" Result : %s\n", sslGetSSLErrString(err));
- printf(" Negotiated SSL version : %s\n",
+ printf(" Negotiated SSL version : %s\n",
sslGetProtocolVersionString(pargs->negVersion));
printf(" Negotiated CipherSuite : %s\n",
sslGetCipherSuiteString(pargs->negCipher));
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
if(pargs->certState != kSSLClientCertNone) {
printf(" Client Cert State : %s\n",
sslGetClientCertStateString(pargs->certState));
}
+#pragma clang diagnostic pop
if(pargs->verbose) {
printf(" Resumed Session : ");
if(pargs->sessionWasResumed) {
writePeerCerts(pargs->peerCerts, fileBase);
}
}
-
+
printf("\n");
}
char c, // 2, 3, t
char **argv)
{
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
switch(c) {
case '2':
return kSSLProtocol2;
default:
usage(argv);
}
- /* NOT REACHED */
- return kSSLProtocolUnknown;
+#pragma clang diagnostic pop
}
int main(int argc, char **argv)
-{
+{
OSStatus err;
int arg;
char *argp;
char getMsg[300];
- char fullFileBase[100];
+ char fullFileBase[_maxFileStringSize];
int ourRtn = 0; // exit status - sum of all errors
unsigned loop;
SecKeychainRef serverKc = nil;
bool doPause = false;
bool pauseFirstLoop = false;
bool verifyProt = false;
- SSLProtocol maxProtocol = kTLSProtocol12; // for verifying negotiated
- // protocol
char *acceptedProts = NULL;
char *keyChainName = NULL;
char *getMsgSpec = NULL;
bool vfyCertState = false;
- SSLClientCertificateState expectCertState = kSSLClientCertNone;
bool displayHandshakeTimes = false;
bool completeCertChain = false;
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
+ SSLClientCertificateState expectCertState = kSSLClientCertNone;
+ SSLProtocol maxProtocol = kTLSProtocol12; // for verifying negotiated protocol
+#pragma clang diagnostic pop
/* special case - one arg of "h" or "-h" or "hv" */
if(argc == 2) {
usageVerbose(argv);
}
}
-
+
/* set up defaults */
memset(&pargs, 0, sizeof(sslPingArgs));
pargs.hostName = DEFAULT_HOST;
pargs.port = DEFAULT_PORT;
pargs.resumableEnable = true;
pargs.argv = argv;
-
+
for(arg=1; arg<argc; arg++) {
argp = argv[arg];
if(arg == 1) {
}
/* options */
switch(argp[0]) {
- case 'Z': {
- if(++arg == argc) {
- /* requires another arg */
- usage(argv);
- }
- if (pargs.alpnNames == NULL) {
- pargs.alpnNames = CFArrayCreateMutableForCFTypes(NULL);
- }
-
- CFDataRef alpn = CFDataCreate(NULL, (const UInt8 *)argv[arg], strlen(argv[arg]));
- CFArrayAppendValue(pargs.alpnNames, alpn);
- CFReleaseNull(alpn);
- break;
- }
- case 'W':
- case 'w': {
- CFDictionaryRef context = NULL;
-
- if(++arg == argc) {
- /* requires another arg */
- usage(argv);
- }
-
- if (argp[0] == 'W') {
- context = CFDictionaryCreateForCFTypes(NULL,
- CFSTR("AppleServerAuthenticationAllowUATAPN"), kCFBooleanTrue,
- CFSTR("AppleServerAuthenticationAllowUATIDS"), kCFBooleanTrue,
- CFSTR("AppleServerAuthenticationAllowUATGS"), kCFBooleanTrue,
- NULL);
- }
- const char *verifyName = pargs.hostName;
-
- if (pargs.policies == NULL) {
- pargs.policies = CFArrayCreateMutableForCFTypes(NULL);
- }
-
- if (pargs.vfyHostName)
- verifyName = pargs.vfyHostName;
-
- SecPolicyRef policy = NULL;
- CFStringRef hostname = CFStringCreateWithCString(NULL, verifyName, kCFStringEncodingUTF8);
-
- if (strcasecmp(argv[arg], "PushLegacy") == 0) {
- policy = SecPolicyCreateApplePushServiceLegacy(hostname);
- } else if (strcasecmp(argv[arg], "Push") == 0) {
- policy = SecPolicyCreateApplePushService(hostname, context);
- } else if (strcasecmp(argv[arg], "IDS") == 0) {
- policy = SecPolicyCreateAppleIDSServiceContext(hostname, context);
- } else if (strcasecmp(argv[arg], "GS") == 0) {
- policy = SecPolicyCreateAppleGSService(hostname, context);
- } else {
- printf("unknown policy: %s", argv[arg]);
- CFReleaseNull(hostname);
- CFReleaseNull(context);
- usage(argv);
- }
-
- if (policy) {
- CFArrayAppendValue(pargs.policies, policy);
- }
-
- CFReleaseNull(policy);
- CFReleaseNull(hostname);
- CFReleaseNull(context);
-
- break;
- }
+ case 'Z': {
+ if(++arg == argc) {
+ /* requires another arg */
+ usage(argv);
+ }
+ if (pargs.alpnNames == NULL) {
+ pargs.alpnNames = CFArrayCreateMutableForCFTypes(NULL);
+ }
+
+ CFDataRef alpn = CFDataCreate(NULL, (const UInt8 *)argv[arg], strlen(argv[arg]));
+ CFArrayAppendValue(pargs.alpnNames, alpn);
+ CFReleaseNull(alpn);
+ break;
+ }
+ case 'W':
+ case 'w': {
+ CFDictionaryRef context = NULL;
+
+ if(++arg == argc) {
+ /* requires another arg */
+ usage(argv);
+ }
+
+ if (argp[0] == 'W') {
+ context = CFDictionaryCreateForCFTypes(NULL,
+ CFSTR("AppleServerAuthenticationAllowUATAPN"), kCFBooleanTrue,
+ CFSTR("AppleServerAuthenticationAllowUATIDS"), kCFBooleanTrue,
+ CFSTR("AppleServerAuthenticationAllowUATGS"), kCFBooleanTrue,
+ NULL);
+ }
+ const char *verifyName = pargs.hostName;
+
+ if (pargs.policies == NULL) {
+ pargs.policies = CFArrayCreateMutableForCFTypes(NULL);
+ }
+
+ if (pargs.vfyHostName)
+ verifyName = pargs.vfyHostName;
+
+ SecPolicyRef policy = NULL;
+ CFStringRef hostname = CFStringCreateWithCString(NULL, verifyName, kCFStringEncodingUTF8);
+
+ if (strcasecmp(argv[arg], "PushLegacy") == 0) {
+ policy = SecPolicyCreateApplePushServiceLegacy(hostname);
+ } else if (strcasecmp(argv[arg], "Push") == 0) {
+ policy = SecPolicyCreateApplePushService(hostname, context);
+ } else if (strcasecmp(argv[arg], "IDS") == 0) {
+ policy = SecPolicyCreateAppleIDSServiceContext(hostname, context);
+ } else if (strcasecmp(argv[arg], "GS") == 0) {
+ policy = SecPolicyCreateAppleGSService(hostname, context);
+ } else {
+ printf("unknown policy: %s", argv[arg]);
+ CFReleaseNull(hostname);
+ CFReleaseNull(context);
+ usage(argv);
+ }
+
+ if (policy) {
+ CFArrayAppendValue(pargs.policies, policy);
+ }
+
+ CFReleaseNull(policy);
+ CFReleaseNull(hostname);
+ CFReleaseNull(context);
+
+ break;
+ }
case 'e':
pargs.allowExpired = true;
break;
doSslV3 = doSslV2 = doTlsV1 = doTlsV11 = doTlsV12 = false;
break;
case 'l':
- if(++arg == argc) {
- /* requires another arg */
- usage(argv);
- }
- loopCount = atoi(argv[arg]);
- if(loopCount == 0) {
+ if(++arg == argc) {
+ /* requires another arg */
+ usage(argv);
+ }
+ int parsedLoopCount = atoi(argv[arg]);
+ if (parsedLoopCount <= 0) {
printf("***bad loopCount\n");
usage(argv);
}
+ loopCount = (unsigned) parsedLoopCount;
break;
case 'P':
if(++arg == argc) {
usage(argv);
}
vfyCertState = true;
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
switch(argp[2]) {
case 'n':
expectCertState = kSSLClientCertNone;
default:
usage(argv);
}
+#pragma clang diagnostic pop
break;
case 'z':
pargs.password = &argp[2];
else {
usage(argv);
}
- break;
default:
usage(argv);
- break;
}
}
if(getMsgSpec) {
pargs.getMsg = getMsgSpec;
}
else {
- sprintf(getMsg, "%s %s %s",
+ sprintf(getMsg, "%s %s %s",
DEFAULT_GETMSG, getPath, DEFAULT_GET_SUFFIX);
pargs.getMsg = getMsg;
}
}
#ifdef USE_CDSA_CRYPTO
if(pargs.password) {
- OSStatus ortn = SecKeychainUnlock(serverKc,
+ OSStatus ortn = SecKeychainUnlock(serverKc,
strlen(pargs.password), pargs.password, true);
if(ortn) {
printf("SecKeychainUnlock returned %d\n", (int)ortn);
sigaction(SIGPIPE, &sa, NULL);
}
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
for(loop=0; loop<loopCount; loop++) {
- /*
+ /*
* One pass for each protocol version, skipping any explicit version if
* an attempt at a higher version and succeeded in doing so successfully fell
* back.
}
if(!pargs.quiet) {
if(fileBase) {
- sprintf(fullFileBase, "%s_v3.1", fileBase);
+ snprintf(fullFileBase, _maxFileStringSize, "%s_v3.1", fileBase);
}
showSSLResult(&pargs,
err,
pargs.tryVersion = kTLSProtocol11;
pargs.acceptedProts = NULL;
if(!pargs.silent) {
- printf("Connecting to host %s with TLS V1.1...", pargs.hostName);
+ printf("Connecting to host %s with TLS V1.1...", pargs.hostName);
}
fflush(stdout);
err = sslPing(&pargs);
}
if(!pargs.quiet) {
if(fileBase) {
- sprintf(fullFileBase, "%s_v3.1", fileBase);
+ snprintf(fullFileBase, _maxFileStringSize, "%s_v3.1", fileBase);
}
showSSLResult(&pargs,
- err,
+ err,
displayCerts,
fileBase ? fullFileBase : NULL);
}
pargs.certState);
}
if(doTlsV1) {
- pargs.tryVersion =
+ pargs.tryVersion =
protXOnly ? kTLSProtocol1Only : kTLSProtocol1;
pargs.acceptedProts = NULL;
if(!pargs.silent) {
- printf("Connecting to host %s with TLS V1...", pargs.hostName);
+ printf("Connecting to host %s with TLS V1...", pargs.hostName);
}
fflush(stdout);
err = sslPing(&pargs);
}
if(!pargs.quiet) {
if(fileBase) {
- sprintf(fullFileBase, "%s_v3.1", fileBase);
+ snprintf(fullFileBase, _maxFileStringSize, "%s_v3.1", fileBase);
}
showSSLResult(&pargs,
- err,
+ err,
displayCerts,
fileBase ? fullFileBase : NULL);
}
pargs.tryVersion = protXOnly ? kSSLProtocol3Only : kSSLProtocol3;
pargs.acceptedProts = NULL;
if(!pargs.silent) {
- printf("Connecting to host %s with SSL V3...", pargs.hostName);
+ printf("Connecting to host %s with SSL V3...", pargs.hostName);
}
fflush(stdout);
err = sslPing(&pargs);
}
if(!pargs.quiet) {
if(fileBase) {
- sprintf(fullFileBase, "%s_v3.0", fileBase);
+ snprintf(fullFileBase, _maxFileStringSize, "%s_v3.0", fileBase);
}
showSSLResult(&pargs,
- err,
+ err,
displayCerts,
fileBase ? fullFileBase : NULL);
}
ourRtn += verifyClientCertState(vfyCertState, expectCertState,
pargs.certState);
}
-
+
if(doSslV2) {
if(fileBase) {
- sprintf(fullFileBase, "%s_v2", fileBase);
+ snprintf(fullFileBase, _maxFileStringSize, "%s_v2", fileBase);
}
if(!pargs.silent) {
printf("Connecting to host %s with SSL V2...", pargs.hostName);
}
if(!pargs.quiet) {
if(fileBase) {
- sprintf(fullFileBase, "%s_v2", fileBase);
+ snprintf(fullFileBase, _maxFileStringSize, "%s_v2", fileBase);
}
showSSLResult(&pargs,
- err,
+ err,
displayCerts,
fileBase ? fullFileBase : NULL);
}
}
if(doProtUnknown) {
if(!pargs.silent) {
- printf("Connecting to host %s with kSSLProtocolUnknown...",
- pargs.hostName);
+ printf("Connecting to host %s with kSSLProtocolUnknown...",
+ pargs.hostName);
}
fflush(stdout);
pargs.tryVersion = kSSLProtocolUnknown;
}
if(!pargs.quiet) {
if(fileBase) {
- sprintf(fullFileBase, "%s_def", fileBase);
+ snprintf(fullFileBase, _maxFileStringSize, "%s_def", fileBase);
}
showSSLResult(&pargs,
- err,
+ err,
displayCerts,
fileBase ? fullFileBase : NULL);
}
pargs.acceptedProts = acceptedProts;
pargs.tryVersion = kSSLProtocolUnknown; // not used
if(!pargs.silent) {
- printf("Connecting to host %s with acceptedProts %s...",
- pargs.hostName, pargs.acceptedProts);
+ printf("Connecting to host %s with acceptedProts %s...",
+ pargs.hostName, pargs.acceptedProts);
}
fflush(stdout);
err = sslPing(&pargs);
}
if(!pargs.quiet) {
if(fileBase) {
- sprintf(fullFileBase, "%s_def", fileBase);
+ snprintf(fullFileBase, _maxFileStringSize, "%s_def", fileBase);
}
showSSLResult(&pargs,
- err,
+ err,
displayCerts,
fileBase ? fullFileBase : NULL);
}
CFReleaseNull(pargs.peerCerts);
}
- if(doPause ||
- (pauseFirstLoop &&
+ if(doPause ||
+ (pauseFirstLoop &&
/* pause after first, before last to grab trace */
((loop == 0) || (loop == loopCount - 1))
)
char resp;
fpurge(stdin);
printf("a to abort, c to continue: ");
- resp = getchar();
+ resp = (char) getchar();
if(resp == 'a') {
break;
}
}
} /* main loop */
+#pragma clang diagnostic pop
+
if(displayHandshakeTimes) {
CFAbsoluteTime totalTime;
unsigned numHandshakes;
}
if(ourRtn) {
- printf("===%s exiting with %d %s for host %s\n", argv[0], ourRtn,
+ printf("===%s exiting with %d %s for host %s\n", argv[0], ourRtn,
(ourRtn > 1) ? "errors" : "error", pargs.hostName);
}
return ourRtn;
}
-
-
projects / apple / security.git / blobdiff