index e00d6e9f6a4abb878a67fff439bf2a8f49b2b990..3cd0381efcfa0ecb22d338efc05f9954c1443e69 100644 (file)
@@ -23,7 +23,7 @@
 #include "utilities/fileIo.h"
 #include "utilities/SecCFWrappers.h"
 #include "utilities/SecIOFormat.h"
 #include "utilities/fileIo.h"
 #include "utilities/SecCFWrappers.h"
 #include "utilities/SecIOFormat.h"
-#include "SecurityTool/print_cert.h"
+#include "SecurityTool/sharedTool/print_cert.h"
 
 #define DEFAULT_GETMSG         "GET"
 #define DEFAULT_PATH           "/"
 
 #define DEFAULT_GETMSG         "GET"
 #define DEFAULT_PATH           "/"
@@ -32,6 +32,7 @@
 #define DEFAULT_HOST                   "www.amazon.com"
 #define DEFAULT_PORT           443
 
 #define DEFAULT_HOST                   "www.amazon.com"
 #define DEFAULT_PORT           443
 
+static const int _maxFileStringSize = 100;
 
 static void usageNorm(char **argv)
 {
 
 static void usageNorm(char **argv)
 {
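Review bot: `_maxFileStringSize` is a file-scope identifier that starts with an underscore, a form C reserves for the implementation, and as a `static const int` it is not an integer constant expression, so `char fileName[_maxFileStringSize]` in writePeerCerts and `char fullFileBase[_maxFileStringSize]` in main (later hunks) become variable-length arrays rather than the fixed `[100]` arrays they replace. The file already expresses its other sizes as macros (`DEFAULT_PORT`, `RCV_BUF_SIZE`), so `#define MAX_FILE_STRING_SIZE 100` or `enum { MAX_FILE_STRING_SIZE = 100 };` would keep the arrays fixed-size and make `sizeof fileName` a compile-time constant again.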
@@ -57,7 +58,7 @@ static void usageNorm(char **argv)
                                                        " [23t]\n");
        printf("   k=keychain  Contains cert and keys. Optional.\n");
        printf("   l=loopCount Perform loopCount ops (default = 1)\n");
                                                        " [23t]\n");
        printf("   k=keychain  Contains cert and keys. Optional.\n");
        printf("   l=loopCount Perform loopCount ops (default = 1)\n");
-       printf("   P=port      Default = %d\n", DEFAULT_PORT); 
+       printf("   P=port      Default = %d\n", DEFAULT_PORT);
        printf("   p           Pause after each loop\n");
        printf("   q           Quiet/diagnostic mode (site names and errors only)\n");
     printf("   a fileName  Add fileName to list of trusted roots\n");
        printf("   p           Pause after each loop\n");
        printf("   q           Quiet/diagnostic mode (site names and errors only)\n");
     printf("   a fileName  Add fileName to list of trusted roots\n");
@@ -111,7 +112,7 @@ static void usage(char **argv)
        exit(1);
 }
 
        exit(1);
 }
 
-/* 
+/*
  * Arguments to top-level sslPing()
  */
 typedef struct {
  * Arguments to top-level sslPing()
  */
 typedef struct {
@@ -123,18 +124,18 @@ typedef struct {
        const char                              *vfyHostName;           // use this for cert vfy if non-NULL,
                                                                                                //   else use hostName
        unsigned short                  port;
        const char                              *vfyHostName;           // use this for cert vfy if non-NULL,
                                                                                                //   else use hostName
        unsigned short                  port;
-       const char                              *getMsg;                        // e.g., 
-                                                                                               //   "GET / HTTP/1.0\r\n\r\n" 
+       const char                              *getMsg;                        // e.g.,
+                                                                                               //   "GET / HTTP/1.0\r\n\r\n"
        bool                            allowExpired;
        bool                            allowAnyRoot;
        bool                            allowExpiredRoot;
        bool                            disableCertVerify;
        bool                            manualCertVerify;
        bool                            dumpRxData;                     // display server data
        bool                            allowExpired;
        bool                            allowAnyRoot;
        bool                            allowExpiredRoot;
        bool                            disableCertVerify;
        bool                            manualCertVerify;
        bool                            dumpRxData;                     // display server data
-       char                                    cipherRestrict;         // '2', 'd'. etc...; '\0' for 
+       char                                    cipherRestrict;         // '2', 'd'. etc...; '\0' for
                                                                                                //   no restriction
        bool                            keepConnected;
                                                                                                //   no restriction
        bool                            keepConnected;
-       bool                            requireNotify;          // require closure notify 
+       bool                            requireNotify;          // require closure notify
                                                                                                //   in V3 mode
        bool                            resumableEnable;
        bool                            allowHostnameSpoof;
                                                                                                //   in V3 mode
        bool                            resumableEnable;
        bool                            allowHostnameSpoof;
@@ -167,7 +168,7 @@ typedef struct {
 
 static void
 sigpipe(int sig)
 
 static void
 sigpipe(int sig)
-{ 
+{
        fflush(stdin);
        printf("***SIGPIPE***\n");
 }
        fflush(stdin);
        printf("***SIGPIPE***\n");
 }
@@ -191,7 +192,7 @@ static OSStatus sslEvaluateTrust(
                return ortn;
        }
        if(secTrust == NULL) {
                return ortn;
        }
        if(secTrust == NULL) {
-               /* this is the normal case for resumed sessions, in which 
+               /* this is the normal case for resumed sessions, in which
                 * no cert evaluation is performed */
                if(!pargs->silent) {
                        printf("...No SecTrust available - this is a resumed session, right?\n");
                 * no cert evaluation is performed */
                if(!pargs->silent) {
                        printf("...No SecTrust available - this is a resumed session, right?\n");
@@ -205,7 +206,7 @@ static OSStatus sslEvaluateTrust(
     }
 
        SecTrustResultType      secTrustResult;
     }
 
        SecTrustResultType      secTrustResult;
-       ortn = SecTrustEvaluate(secTrust, &secTrustResult);
+       ortn = SecTrustGetTrustResult(secTrust, &secTrustResult); // implicitly does trust evaluate
        if(ortn) {
                printf("\n***Error on SecTrustEvaluate: %d\n", (int)ortn);
                return ortn;
        if(ortn) {
                printf("\n***Error on SecTrustEvaluate: %d\n", (int)ortn);
                return ortn;
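Review bot: The error message printed right after the new `SecTrustGetTrustResult` call still names `SecTrustEvaluate`, so a failure log would point at a function this code no longer calls; the verbose result line in the next hunk uses the same stale name. Suggest `printf("\n***Error on SecTrustGetTrustResult: %d\n", (int)ortn);`. sslEvaluateTrust starts and ends outside this hunk.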
@@ -213,31 +214,26 @@ static OSStatus sslEvaluateTrust(
        if(pargs->verbose) {
                const char *res = NULL;
                switch(secTrustResult) {
        if(pargs->verbose) {
                const char *res = NULL;
                switch(secTrustResult) {
-                       case kSecTrustResultInvalid: 
+                       case kSecTrustResultInvalid:
                                res = "kSecTrustResultInvalid"; break;
                                res = "kSecTrustResultInvalid"; break;
-                       case kSecTrustResultProceed: 
+                       case kSecTrustResultProceed:
                                res = "kSecTrustResultProceed"; break;
                                res = "kSecTrustResultProceed"; break;
-#pragma clang diagnostic push
-#pragma clang diagnostic ignored "-Wdeprecated-declarations"
-            case kSecTrustResultConfirm:
-#pragma clang diagnostic pop
-                               res = "kSecTrustResultConfirm"; break;
                        case kSecTrustResultDeny:
                                res = "kSecTrustResultDeny"; break;
                        case kSecTrustResultDeny:
                                res = "kSecTrustResultDeny"; break;
-                       case kSecTrustResultUnspecified: 
+                       case kSecTrustResultUnspecified:
                                res = "kSecTrustResultUnspecified"; break;
                                res = "kSecTrustResultUnspecified"; break;
-                       case kSecTrustResultRecoverableTrustFailure: 
+                       case kSecTrustResultRecoverableTrustFailure:
                                res = "kSecTrustResultRecoverableTrustFailure"; break;
                                res = "kSecTrustResultRecoverableTrustFailure"; break;
-                       case kSecTrustResultFatalTrustFailure: 
+                       case kSecTrustResultFatalTrustFailure:
                                res = "kSecTrustResultFatalTrustFailure"; break;
                                res = "kSecTrustResultFatalTrustFailure"; break;
-                       case kSecTrustResultOtherError: 
+                       case kSecTrustResultOtherError:
                                res = "kSecTrustResultOtherError"; break;
                        default:
                                res = "UNKNOWN"; break;
                }
                printf("\nSecTrustEvaluate(): secTrustResult %s\n", res);
        }
                                res = "kSecTrustResultOtherError"; break;
                        default:
                                res = "UNKNOWN"; break;
                }
                printf("\nSecTrustEvaluate(): secTrustResult %s\n", res);
        }
-       
+
        switch(secTrustResult) {
                case kSecTrustResultUnspecified:
                        /* cert chain valid, no special UserTrust assignments */
        switch(secTrustResult) {
                case kSecTrustResultUnspecified:
                        /* cert chain valid, no special UserTrust assignments */
@@ -245,7 +241,7 @@ static OSStatus sslEvaluateTrust(
                        /* cert chain valid AND user explicitly trusts this */
                        break;
                default:
                        /* cert chain valid AND user explicitly trusts this */
                        break;
                default:
-                       printf("\n***SecTrustEvaluate reported secTrustResult %d\n", 
+                       printf("\n***SecTrustEvaluate reported secTrustResult %d\n",
                                (int)secTrustResult);
                        ortn = errSSLXCertChainInvalid;
                        break;
                                (int)secTrustResult);
                        ortn = errSSLXCertChainInvalid;
                        break;
@@ -277,13 +273,13 @@ static OSStatus sslEvaluateTrust(
 
 /* print reply received from server, safely */
 static void dumpAscii(
 
 /* print reply received from server, safely */
 static void dumpAscii(
-       uint8_t *rcvBuf, 
+       uint8_t *rcvBuf,
        size_t len)
 {
        char *cp = (char *)rcvBuf;
        uint32_t i;
        char c;
        size_t len)
 {
        char *cp = (char *)rcvBuf;
        uint32_t i;
        char c;
-       
+
        for(i=0; i<len; i++) {
                c = *cp++;
                if(c == '\0') {
        for(i=0; i<len; i++) {
                c = *cp++;
                if(c == '\0') {
@@ -319,12 +315,14 @@ alpnFunc(SSLContextRef          ctx,
     printf("[selected ALPN]");
 }
 
     printf("[selected ALPN]");
 }
 
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
 
 /*
  * Perform one SSL diagnostic session. Returns nonzero on error. Normally no
 
 /*
  * Perform one SSL diagnostic session. Returns nonzero on error. Normally no
- * output to stdout except initial "connecting to" message, unless there 
- * is a really screwed up error (i.e., something not directly related 
- * to the SSL connection). 
+ * output to stdout except initial "connecting to" message, unless there
+ * is a really screwed up error (i.e., something not directly related
+ * to the SSL connection).
  */
 #define RCV_BUF_SIZE           256
 
  */
 #define RCV_BUF_SIZE           256
 
@@ -340,11 +338,11 @@ static OSStatus sslPing(
     uint8_t             rcvBuf[RCV_BUF_SIZE];
        CFAbsoluteTime          startHandshake;
        CFAbsoluteTime          endHandshake;
     uint8_t             rcvBuf[RCV_BUF_SIZE];
        CFAbsoluteTime          startHandshake;
        CFAbsoluteTime          endHandshake;
-       
+
     pargs->negVersion = kSSLProtocolUnknown;
     pargs->negCipher = SSL_NULL_WITH_NULL_NULL;
     pargs->peerCerts = NULL;
     pargs->negVersion = kSSLProtocolUnknown;
     pargs->negCipher = SSL_NULL_WITH_NULL_NULL;
     pargs->peerCerts = NULL;
-    
+
        /* first make sure requested server is there */
        ortn = MakeServerConnection(pargs->hostName, pargs->port, pargs->nonBlocking,
                &sock, &peerId);
        /* first make sure requested server is there */
        ortn = MakeServerConnection(pargs->hostName, pargs->port, pargs->nonBlocking,
                &sock, &peerId);
@@ -355,8 +353,8 @@ static OSStatus sslPing(
        if(pargs->verbose) {
                printf("...connected to server; starting SecureTransport\n");
        }
        if(pargs->verbose) {
                printf("...connected to server; starting SecureTransport\n");
        }
-       
-       /* 
+
+       /*
         * Set up a SecureTransport session.
         * First the standard calls.
         */
         * Set up a SecureTransport session.
         * First the standard calls.
         */
@@ -364,12 +362,12 @@ static OSStatus sslPing(
        if(ctx == NULL) {
                printf("SSLCreateContext\n");
                goto cleanup;
        if(ctx == NULL) {
                printf("SSLCreateContext\n");
                goto cleanup;
-       } 
+       }
        ortn = SSLSetIOFuncs(ctx, SocketRead, SocketWrite);
        if(ortn) {
                printSslErrStr("SSLSetIOFuncs", ortn);
                goto cleanup;
        ortn = SSLSetIOFuncs(ctx, SocketRead, SocketWrite);
        if(ortn) {
                printSslErrStr("SSLSetIOFuncs", ortn);
                goto cleanup;
-       } 
+       }
        ortn = SSLSetConnection(ctx, (SSLConnectionRef)(intptr_t)sock);
        if(ortn) {
                printSslErrStr("SSLSetConnection", ortn);
        ortn = SSLSetConnection(ctx, (SSLConnectionRef)(intptr_t)sock);
        if(ortn) {
                printSslErrStr("SSLSetConnection", ortn);
@@ -384,7 +382,7 @@ static OSStatus sslPing(
        if(getConn != (SSLConnectionRef)(intptr_t)sock) {
                printf("***SSLGetConnection error\n");
                ortn = errSecParam;
        if(getConn != (SSLConnectionRef)(intptr_t)sock) {
                printf("***SSLGetConnection error\n");
                ortn = errSecParam;
-               goto cleanup; 
+               goto cleanup;
        }
        if(!pargs->allowHostnameSpoof) {
                /* if this isn't set, it isn't checked by AppleX509TP */
        }
        if(!pargs->allowHostnameSpoof) {
                /* if this isn't set, it isn't checked by AppleX509TP */
@@ -399,62 +397,46 @@ static OSStatus sslPing(
                        goto cleanup;
                }
        }
                        goto cleanup;
                }
        }
-       
-       /* 
+
+       /*
         * SecureTransport options.
         * SecureTransport options.
-        */ 
+        */
        if(pargs->acceptedProts) {
        if(pargs->acceptedProts) {
-               ortn = SSLSetProtocolVersionEnabled(ctx, kSSLProtocolAll, false);
                if(ortn) {
                        printSslErrStr("SSLSetProtocolVersionEnabled(all off)", ortn);
                        goto cleanup;
                }
                for(const char *cp = pargs->acceptedProts; *cp; cp++) {
                if(ortn) {
                        printSslErrStr("SSLSetProtocolVersionEnabled(all off)", ortn);
                        goto cleanup;
                }
                for(const char *cp = pargs->acceptedProts; *cp; cp++) {
-                       SSLProtocol prot;
                        switch(*cp) {
                                case '2':
                        switch(*cp) {
                                case '2':
-                                       prot = kSSLProtocol2;
+                    ortn = SSLSetProtocolVersionMax(ctx, kSSLProtocol2);
                                        break;
                                case '3':
                                        break;
                                case '3':
-                                       prot = kSSLProtocol3;
+                    ortn = SSLSetProtocolVersionMax(ctx, kSSLProtocol3);
                                        break;
                                case 't':
                                        break;
                                case 't':
-                                       prot = kTLSProtocol12;
+                    ortn = SSLSetProtocolVersionMax(ctx, kTLSProtocol12);
                                        break;
                                default:
                                        usage(pargs->argv);
                        }
                                        break;
                                default:
                                        usage(pargs->argv);
                        }
-                       ortn = SSLSetProtocolVersionEnabled(ctx, prot, true);
                        if(ortn) {
                        if(ortn) {
-                               printSslErrStr("SSLSetProtocolVersionEnabled", ortn);
+                               printSslErrStr("SSLSetProtocolVersionMax", ortn);
                                goto cleanup;
                        }
                }
                                goto cleanup;
                        }
                }
+       } else {
+        ortn = SSLSetProtocolVersionMax(ctx, pargs->tryVersion);
+        if(ortn) {
+            printSslErrStr("SSLSetProtocolVersionMax", ortn);
+            goto cleanup;
+        }
        }
        }
-       else {
-               ortn = SSLSetProtocolVersion(ctx, pargs->tryVersion);
-               if(ortn) {
-                       printSslErrStr("SSLSetProtocolVersion", ortn);
-                       goto cleanup;
-               } 
-               SSLProtocol getVers;
-               ortn = SSLGetProtocolVersion(ctx, &getVers);
-               if(ortn) {
-                       printSslErrStr("SSLGetProtocolVersion", ortn);
-                       goto cleanup;
-               }
-               if(getVers != pargs->tryVersion) {
-                       printf("***SSLGetProtocolVersion screwup: try %s  get %s\n",
-                               sslGetProtocolVersionString(pargs->tryVersion),
-                               sslGetProtocolVersionString(getVers));
-                       ortn = errSecParam;
-                       goto cleanup;
-               }
-       }
+
        if(pargs->resumableEnable) {
                const void *rtnId = NULL;
                size_t rtnIdLen = 0;
        if(pargs->resumableEnable) {
                const void *rtnId = NULL;
                size_t rtnIdLen = 0;
-               
+
                ortn = SSLSetPeerID(ctx, &peerId, sizeof(PeerSpec));
                if(ortn) {
                        printSslErrStr("SSLSetPeerID", ortn);
                ortn = SSLSetPeerID(ctx, &peerId, sizeof(PeerSpec));
                if(ortn) {
                        printSslErrStr("SSLSetPeerID", ortn);
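Review bot: With the `SSLSetProtocolVersionEnabled(ctx, kSSLProtocolAll, false)` call removed, the `if(ortn)` check immediately inside `if(pargs->acceptedProts)` now tests a leftover value of ortn (zero on every path that reaches it, as far as the visible checks show) and reports an "SSLSetProtocolVersionEnabled(all off)" failure that can no longer happen; that four-line block should be dropped along with its label. Each character of acceptedProts now calls `SSLSetProtocolVersionMax`, so for a string such as "23t" only the last character takes effect and earlier ones are overwritten, which is a different contract from the old per-version enable; if that is intended, say so next to the loop, e.g. `/* only the last listed version takes effect: it becomes the maximum */`, and consider a matching `SSLSetProtocolVersionMin` call since nothing in the new code bounds the low end. sslPing starts and ends outside this hunk.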
@@ -556,16 +538,16 @@ static OSStatus sslPing(
     }
 
        /*** end options ***/
     }
 
        /*** end options ***/
-       
+
        if(pargs->verbose) {
                printf("...starting SSL handshake\n");
        }
        startHandshake = CFAbsoluteTimeGetCurrent();
        if(pargs->verbose) {
                printf("...starting SSL handshake\n");
        }
        startHandshake = CFAbsoluteTimeGetCurrent();
-       
+
     do
     {   ortn = SSLHandshake(ctx);
            if((ortn == errSSLWouldBlock) && !pargs->silent) {
     do
     {   ortn = SSLHandshake(ctx);
            if((ortn == errSSLWouldBlock) && !pargs->silent) {
-               /* keep UI responsive */ 
+               /* keep UI responsive */
                sslOutputDot();
            }
     } while (ortn == errSSLWouldBlock);
                sslOutputDot();
            }
     } while (ortn == errSSLWouldBlock);
@@ -581,7 +563,7 @@ static OSStatus sslPing(
                pargs->handshakeTimeTotal += pargs->handshakeTimeOp;
        }
        pargs->numHandshakes++;
                pargs->handshakeTimeTotal += pargs->handshakeTimeOp;
        }
        pargs->numHandshakes++;
-       
+
     ortn = SSLCopyPeerTrust(ctx, &pargs->peerTrust);
     if(ortn) {
         printf("***SSLCopyPeerTrust error %" PRIdOSStatus "\n", ortn);
     ortn = SSLCopyPeerTrust(ctx, &pargs->peerTrust);
     if(ortn) {
         printf("***SSLCopyPeerTrust error %" PRIdOSStatus "\n", ortn);
@@ -593,10 +575,8 @@ static OSStatus sslPing(
        SSLGetNegotiatedCipher(ctx, &pargs->negCipher);
        SSLGetNegotiatedProtocolVersion(ctx, &pargs->negVersion);
        pargs->sessionIDLength = MAX_SESSION_ID_LENGTH;
        SSLGetNegotiatedCipher(ctx, &pargs->negCipher);
        SSLGetNegotiatedProtocolVersion(ctx, &pargs->negVersion);
        pargs->sessionIDLength = MAX_SESSION_ID_LENGTH;
-       SSLGetResumableSessionInfo(ctx, &pargs->sessionWasResumed, pargs->sessionID,
-               &pargs->sessionIDLength);
-
-    {
+       ortn = SSLGetResumableSessionInfo(ctx, &pargs->sessionWasResumed, pargs->sessionID, &pargs->sessionIDLength);
+    if(!ortn) {
                OSStatus certRtn = sslEvaluateTrust(ctx, pargs, &pargs->peerCerts);
 
         if (certRtn && !pargs->manualCertVerify) {
                OSStatus certRtn = sslEvaluateTrust(ctx, pargs, &pargs->peerCerts);
 
         if (certRtn && !pargs->manualCertVerify) {
@@ -608,7 +588,7 @@ static OSStatus sslPing(
                        ortn = certRtn;
                }
        }
                        ortn = certRtn;
                }
        }
-       
+
     if(ortn) {
                if(!pargs->silent) {
                        printf("\n");
     if(ortn) {
                if(!pargs->silent) {
                        printf("\n");
@@ -622,15 +602,15 @@ static OSStatus sslPing(
        length = strlen(pargs->getMsg);
        (void) SSLWrite(ctx, pargs->getMsg, length, &actLen);
 
        length = strlen(pargs->getMsg);
        (void) SSLWrite(ctx, pargs->getMsg, length, &actLen);
 
-       /* 
+       /*
         * Try to snag RCV_BUF_SIZE bytes. Exit if (!keepConnected and we get any data
         * at all), or (keepConnected and err != (none, wouldBlock)).
         */
         * Try to snag RCV_BUF_SIZE bytes. Exit if (!keepConnected and we get any data
         * at all), or (keepConnected and err != (none, wouldBlock)).
         */
-    while (1) {   
+    while (1) {
                actLen = 0;
                if(pargs->dumpRxData) {
                        size_t avail = 0;
                actLen = 0;
                if(pargs->dumpRxData) {
                        size_t avail = 0;
-                       
+
                        ortn = SSLGetBufferedReadSize(ctx, &avail);
                        if(ortn) {
                                printf("***SSLGetBufferedReadSize error\n");
                        ortn = SSLGetBufferedReadSize(ctx, &avail);
                        if(ortn) {
                                printf("***SSLGetBufferedReadSize error\n");
@@ -671,7 +651,7 @@ static OSStatus sslPing(
        SSLGetClientCertificateState(ctx, &pargs->certState);
        SSLGetNegotiatedCipher(ctx, &pargs->negCipher);
        SSLGetNegotiatedProtocolVersion(ctx, &pargs->negVersion);
        SSLGetClientCertificateState(ctx, &pargs->certState);
        SSLGetNegotiatedCipher(ctx, &pargs->negCipher);
        SSLGetNegotiatedProtocolVersion(ctx, &pargs->negVersion);
-       
+
     /* convert normal "shutdown" into zero err rtn */
        if(ortn == errSSLClosedGraceful) {
                ortn = errSecSuccess;
     /* convert normal "shutdown" into zero err rtn */
        if(ortn == errSSLClosedGraceful) {
                ortn = errSecSuccess;
@@ -682,9 +662,12 @@ static OSStatus sslPing(
        }
 cleanup: ;
        /*
        }
 cleanup: ;
        /*
-        * always do close, even on error - to flush outgoing write queue 
+        * always do close, even on error - to flush outgoing write queue
         */
         */
-       OSStatus cerr = SSLClose(ctx);
+       OSStatus cerr = errSecParam;
+       if (ctx) {
+               cerr = SSLClose(ctx);
+       }
        if(ortn == errSecSuccess) {
                ortn = cerr;
        }
        if(ortn == errSecSuccess) {
                ortn = cerr;
        }
@@ -693,7 +676,7 @@ cleanup: ;
        }
        if(ctx) {
            CFRelease(ctx);
        }
        if(ctx) {
            CFRelease(ctx);
-       }    
+       }
        return ortn;
 }
 
        return ortn;
 }
 
@@ -772,6 +755,8 @@ static void showInfo(CFDictionaryRef info) {
 }
 #endif
 
 }
 #endif
 
+#pragma clang diagnostic pop
+
 static void showPeerTrust(SecTrustRef peerTrust, bool verbose) {
 
        if(peerTrust == NULL) {
 static void showPeerTrust(SecTrustRef peerTrust, bool verbose) {
 
        if(peerTrust == NULL) {
@@ -821,7 +806,7 @@ static void showPeerCerts(
        CFIndex numCerts;
        SecCertificateRef certRef;
        CFIndex i;
        CFIndex numCerts;
        SecCertificateRef certRef;
        CFIndex i;
-       
+
        if(peerCerts == NULL) {
                return;
        }
        if(peerCerts == NULL) {
                return;
        }
@@ -842,18 +827,18 @@ static void writePeerCerts(
        CFIndex numCerts;
        SecCertificateRef certRef;
        CFIndex i;
        CFIndex numCerts;
        SecCertificateRef certRef;
        CFIndex i;
-       char fileName[100];
-       
+       char fileName[_maxFileStringSize];
+
        if(peerCerts == NULL) {
                return;
        }
        numCerts = CFArrayGetCount(peerCerts);
        for(i=0; i<numCerts; i++) {
        if(peerCerts == NULL) {
                return;
        }
        numCerts = CFArrayGetCount(peerCerts);
        for(i=0; i<numCerts; i++) {
-               sprintf(fileName, "%s%02d.cer", fileBase, (int)i);
+        snprintf(fileName, _maxFileStringSize, "%s%02d.cer", fileBase, (int)i);
                certRef = (SecCertificateRef)CFArrayGetValueAtIndex(peerCerts, i);
         CFDataRef derCert = SecCertificateCopyData(certRef);
         if (derCert) {
                certRef = (SecCertificateRef)CFArrayGetValueAtIndex(peerCerts, i);
         CFDataRef derCert = SecCertificateCopyData(certRef);
         if (derCert) {
-            writeFile(fileName, CFDataGetBytePtr(derCert),
+            writeFileSizet(fileName, CFDataGetBytePtr(derCert),
                 CFDataGetLength(derCert));
             CFRelease(derCert);
         }
                 CFDataGetLength(derCert));
             CFRelease(derCert);
         }
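Review bot: The return value of the new `snprintf` in writePeerCerts is not checked, and `fileBase` appears to originate from a buffer of the same `_maxFileStringSize` length in main, so a long base name is silently truncated to a name without its `%02d.cer` suffix and every certificate in the loop then overwrites the same file. Check for truncation before writing: `int n = snprintf(fileName, sizeof fileName, "%s%02d.cer", fileBase, (int)i);` followed by `if (n < 0 || (size_t)n >= sizeof fileName) { printf("***cert file name too long\n"); return; }`. Using `sizeof fileName` also ties the bound to the array itself rather than to a separately maintained constant. writePeerCerts starts outside this hunk.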
@@ -884,26 +869,29 @@ static void showSSLResult(
        char                            *fileBase)              // non-NULL: write certs to file
 {
        CFIndex numPeerCerts;
        char                            *fileBase)              // non-NULL: write certs to file
 {
        CFIndex numPeerCerts;
-       
+
        printf("\n");
        printf("\n");
-       
+
        if(pargs->acceptedProts) {
                printf("   Allowed SSL versions   : %s\n", pargs->acceptedProts);
        }
        else {
        if(pargs->acceptedProts) {
                printf("   Allowed SSL versions   : %s\n", pargs->acceptedProts);
        }
        else {
-               printf("   Attempted  SSL version : %s\n", 
+               printf("   Attempted  SSL version : %s\n",
                        sslGetProtocolVersionString(pargs->tryVersion));
        }
                        sslGetProtocolVersionString(pargs->tryVersion));
        }
-       
+
        printf("   Result                 : %s\n", sslGetSSLErrString(err));
        printf("   Result                 : %s\n", sslGetSSLErrString(err));
-       printf("   Negotiated SSL version : %s\n", 
+       printf("   Negotiated SSL version : %s\n",
                sslGetProtocolVersionString(pargs->negVersion));
        printf("   Negotiated CipherSuite : %s\n",
                sslGetCipherSuiteString(pargs->negCipher));
                sslGetProtocolVersionString(pargs->negVersion));
        printf("   Negotiated CipherSuite : %s\n",
                sslGetCipherSuiteString(pargs->negCipher));
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
        if(pargs->certState != kSSLClientCertNone) {
                printf("   Client Cert State      : %s\n",
                        sslGetClientCertStateString(pargs->certState));
        }
        if(pargs->certState != kSSLClientCertNone) {
                printf("   Client Cert State      : %s\n",
                        sslGetClientCertStateString(pargs->certState));
        }
+#pragma clang diagnostic pop
        if(pargs->verbose) {
                printf("   Resumed Session        : ");
                if(pargs->sessionWasResumed) {
        if(pargs->verbose) {
                printf("   Resumed Session        : ");
                if(pargs->sessionWasResumed) {
@@ -937,7 +925,7 @@ static void showSSLResult(
                        writePeerCerts(pargs->peerCerts, fileBase);
                }
        }
                        writePeerCerts(pargs->peerCerts, fileBase);
                }
        }
-       
+
        printf("\n");
 }
 
        printf("\n");
 }
 
@@ -986,6 +974,8 @@ static SSLProtocol charToProt(
        char c,                 // 2, 3, t
        char **argv)
 {
        char c,                 // 2, 3, t
        char **argv)
 {
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
        switch(c) {
                case '2':
                        return kSSLProtocol2;
        switch(c) {
                case '2':
                        return kSSLProtocol2;
@@ -996,17 +986,16 @@ static SSLProtocol charToProt(
                default:
                        usage(argv);
        }
                default:
                        usage(argv);
        }
-       /* NOT REACHED */
-       return kSSLProtocolUnknown;
+#pragma clang diagnostic pop
 }
 
 int main(int argc, char **argv)
 }
 
 int main(int argc, char **argv)
-{   
+{
     OSStatus            err;
        int                                     arg;
        char                            *argp;
        char                            getMsg[300];
     OSStatus            err;
        int                                     arg;
        char                            *argp;
        char                            getMsg[300];
-       char                            fullFileBase[100];
+       char                            fullFileBase[_maxFileStringSize];
        int                                     ourRtn = 0;                     // exit status - sum of all errors
        unsigned                        loop;
        SecKeychainRef          serverKc = nil;
        int                                     ourRtn = 0;                     // exit status - sum of all errors
        unsigned                        loop;
        SecKeychainRef          serverKc = nil;
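Review bot: Removing `return kSSLProtocolUnknown;` from charToProt leaves the `default:` path falling off the end of a non-void function; that is only safe if `usage()` never returns, and the visible declaration is a plain `static void usage(char **argv)`, so the compiler will warn under -Wreturn-type and a return from usage() would be undefined behavior. Either keep `/* NOT REACHED */ return kSSLProtocolUnknown;` after the switch or declare `static void usage(char **argv) __attribute__((noreturn));` (or `_Noreturn`) so the intent is checked rather than assumed. Placing `#pragma clang diagnostic pop` as the last statement of the body is also unusual; wrapping only the `switch` keeps the suppression scoped. main begins in this hunk and continues outside it.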
@@ -1027,15 +1016,17 @@ int main(int argc, char **argv)
        bool                    doPause = false;
        bool                    pauseFirstLoop = false;
        bool                    verifyProt = false;
        bool                    doPause = false;
        bool                    pauseFirstLoop = false;
        bool                    verifyProt = false;
-       SSLProtocol                     maxProtocol = kTLSProtocol12;   // for verifying negotiated
-                                                                                                               // protocol
        char                            *acceptedProts = NULL;
        char                            *keyChainName = NULL;
        char                            *getMsgSpec = NULL;
        bool                    vfyCertState = false;
        char                            *acceptedProts = NULL;
        char                            *keyChainName = NULL;
        char                            *getMsgSpec = NULL;
        bool                    vfyCertState = false;
-       SSLClientCertificateState expectCertState = kSSLClientCertNone;
        bool                    displayHandshakeTimes = false;
        bool                    completeCertChain = false;
        bool                    displayHandshakeTimes = false;
        bool                    completeCertChain = false;
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
+    SSLClientCertificateState expectCertState = kSSLClientCertNone;
+    SSLProtocol            maxProtocol = kTLSProtocol12;    // for verifying negotiated protocol
+#pragma clang diagnostic pop
 
        /* special case - one arg of "h" or "-h" or "hv" */
        if(argc == 2) {
 
        /* special case - one arg of "h" or "-h" or "hv" */
        if(argc == 2) {
@@ -1046,14 +1037,14 @@ int main(int argc, char **argv)
                        usageVerbose(argv);
                }
        }
                        usageVerbose(argv);
                }
        }
-       
+
        /* set up defaults */
        memset(&pargs, 0, sizeof(sslPingArgs));
        pargs.hostName = DEFAULT_HOST;
        pargs.port = DEFAULT_PORT;
        pargs.resumableEnable = true;
        pargs.argv = argv;
        /* set up defaults */
        memset(&pargs, 0, sizeof(sslPingArgs));
        pargs.hostName = DEFAULT_HOST;
        pargs.port = DEFAULT_PORT;
        pargs.resumableEnable = true;
        pargs.argv = argv;
-       
+
        for(arg=1; arg<argc; arg++) {
                argp = argv[arg];
                if(arg == 1) {
        for(arg=1; arg<argc; arg++) {
                argp = argv[arg];
                if(arg == 1) {
@@ -1070,73 +1061,73 @@ int main(int argc, char **argv)
                }
                /* options */
                switch(argp[0]) {
                }
                /* options */
                switch(argp[0]) {
-            case 'Z': {
-                if(++arg == argc)  {
-                    /* requires another arg */
-                    usage(argv);
-                }
-                if (pargs.alpnNames == NULL) {
-                    pargs.alpnNames = CFArrayCreateMutableForCFTypes(NULL);
-                }
-
-                CFDataRef alpn = CFDataCreate(NULL, (const UInt8 *)argv[arg], strlen(argv[arg]));
-                CFArrayAppendValue(pargs.alpnNames, alpn);
-                CFReleaseNull(alpn);
-                break;
-            }
-            case 'W':
-            case 'w': {
-                CFDictionaryRef context = NULL;
-
-                if(++arg == argc)  {
-                    /* requires another arg */
-                    usage(argv);
-                }
-
-                if (argp[0] == 'W') {
-                    context = CFDictionaryCreateForCFTypes(NULL,
-                                                           CFSTR("AppleServerAuthenticationAllowUATAPN"), kCFBooleanTrue,
-                                                           CFSTR("AppleServerAuthenticationAllowUATIDS"), kCFBooleanTrue,
-                                                           CFSTR("AppleServerAuthenticationAllowUATGS"), kCFBooleanTrue,
-                                                           NULL);
-                }
-                const char *verifyName = pargs.hostName;
-
-                if (pargs.policies == NULL) {
-                    pargs.policies = CFArrayCreateMutableForCFTypes(NULL);
-                }
-
-                if (pargs.vfyHostName)
-                    verifyName = pargs.vfyHostName;
-
-                SecPolicyRef policy = NULL;
-                CFStringRef hostname = CFStringCreateWithCString(NULL, verifyName, kCFStringEncodingUTF8);
-
-                if (strcasecmp(argv[arg], "PushLegacy") == 0) {
-                    policy = SecPolicyCreateApplePushServiceLegacy(hostname);
-                } else if (strcasecmp(argv[arg], "Push") == 0) {
-                    policy = SecPolicyCreateApplePushService(hostname, context);
-                } else if (strcasecmp(argv[arg], "IDS") == 0) {
-                    policy = SecPolicyCreateAppleIDSServiceContext(hostname, context);
-                } else if (strcasecmp(argv[arg], "GS") == 0) {
-                    policy = SecPolicyCreateAppleGSService(hostname, context);
-                } else {
-                    printf("unknown policy: %s", argv[arg]);
-                    CFReleaseNull(hostname);
-                    CFReleaseNull(context);
-                    usage(argv);
-                }
-
-                if (policy) {
-                    CFArrayAppendValue(pargs.policies, policy);
-                }
-
-                CFReleaseNull(policy);
-                CFReleaseNull(hostname);
-                CFReleaseNull(context);
-
-                break;
-            }
+      case 'Z': {
+          if(++arg == argc)  {
+              /* requires another arg */
+              usage(argv);
+          }
+          if (pargs.alpnNames == NULL) {
+              pargs.alpnNames = CFArrayCreateMutableForCFTypes(NULL);
+          }
+
+          CFDataRef alpn = CFDataCreate(NULL, (const UInt8 *)argv[arg], strlen(argv[arg]));
+          CFArrayAppendValue(pargs.alpnNames, alpn);
+          CFReleaseNull(alpn);
+          break;
+      }
+      case 'W':
+      case 'w': {
+          CFDictionaryRef context = NULL;
+
+          if(++arg == argc)  {
+              /* requires another arg */
+              usage(argv);
+          }
+
+          if (argp[0] == 'W') {
+              context = CFDictionaryCreateForCFTypes(NULL,
+                                                     CFSTR("AppleServerAuthenticationAllowUATAPN"), kCFBooleanTrue,
+                                                     CFSTR("AppleServerAuthenticationAllowUATIDS"), kCFBooleanTrue,
+                                                     CFSTR("AppleServerAuthenticationAllowUATGS"), kCFBooleanTrue,
+                                                     NULL);
+          }
+          const char *verifyName = pargs.hostName;
+
+          if (pargs.policies == NULL) {
+              pargs.policies = CFArrayCreateMutableForCFTypes(NULL);
+          }
+
+          if (pargs.vfyHostName)
+              verifyName = pargs.vfyHostName;
+
+          SecPolicyRef policy = NULL;
+          CFStringRef hostname = CFStringCreateWithCString(NULL, verifyName, kCFStringEncodingUTF8);
+
+          if (strcasecmp(argv[arg], "PushLegacy") == 0) {
+              policy = SecPolicyCreateApplePushServiceLegacy(hostname);
+          } else if (strcasecmp(argv[arg], "Push") == 0) {
+              policy = SecPolicyCreateApplePushService(hostname, context);
+          } else if (strcasecmp(argv[arg], "IDS") == 0) {
+              policy = SecPolicyCreateAppleIDSServiceContext(hostname, context);
+          } else if (strcasecmp(argv[arg], "GS") == 0) {
+              policy = SecPolicyCreateAppleGSService(hostname, context);
+          } else {
+              printf("unknown policy: %s", argv[arg]);
+              CFReleaseNull(hostname);
+              CFReleaseNull(context);
+              usage(argv);
+          }
+
+          if (policy) {
+              CFArrayAppendValue(pargs.policies, policy);
+          }
+
+          CFReleaseNull(policy);
+          CFReleaseNull(hostname);
+          CFReleaseNull(context);
+
+          break;
+      }
                        case 'e':
                                pargs.allowExpired = true;
                                break;
                        case 'e':
                                pargs.allowExpired = true;
                                break;
@@ -1245,15 +1236,16 @@ int main(int argc, char **argv)
                                doSslV3 = doSslV2 = doTlsV1 = doTlsV11 = doTlsV12 = false;
                                break;
                        case 'l':
                                doSslV3 = doSslV2 = doTlsV1 = doTlsV11 = doTlsV12 = false;
                                break;
                        case 'l':
-                if(++arg == argc)  {
-                    /* requires another arg */
-                    usage(argv);
-                }
-                               loopCount = atoi(argv[arg]);
-                               if(loopCount == 0) {
+        if(++arg == argc)  {
+          /* requires another arg */
+          usage(argv);
+        }
+                               int parsedLoopCount = atoi(argv[arg]);
+                               if (parsedLoopCount <= 0) {
                                        printf("***bad loopCount\n");
                                        usage(argv);
                                }
                                        printf("***bad loopCount\n");
                                        usage(argv);
                                }
+        loopCount = (unsigned) parsedLoopCount;
                                break;
                        case 'P':
                 if(++arg == argc)  {
                                break;
                        case 'P':
                 if(++arg == argc)  {
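Review bot: The new `parsedLoopCount <= 0` check catches negative counts but `atoi` still accepts trailing garbage (`12abc` → 12) and has undefined behaviour on overflow, so a malformed loop count is not reliably rejected. Use `strtol` with an end-pointer and `errno` check so the argument must be a whole positive integer that fits `unsigned`; this needs `<errno.h>` and `<limits.h>` if the file does not already include them. The added lines are also space-indented inside an otherwise tab-indented switch. The enclosing `for` over argv starts and ends outside this hunk.
```c
			case 'l':
				if(++arg == argc)  {
					/* requires another arg */
					usage(argv);
				}
				errno = 0;
				char *end = NULL;
				long parsedLoopCount = strtol(argv[arg], &end, 10);
				if (end == argv[arg] || *end != '\0' || errno == ERANGE ||
				    parsedLoopCount <= 0 || parsedLoopCount > UINT_MAX) {
					printf("***bad loopCount\n");
					usage(argv);
				}
				loopCount = (unsigned) parsedLoopCount;
				break;
```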
@@ -1287,6 +1279,8 @@ int main(int argc, char **argv)
                                        usage(argv);
                                }
                                vfyCertState = true;
                                        usage(argv);
                                }
                                vfyCertState = true;
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
                                switch(argp[2]) {
                                        case 'n':
                                                expectCertState = kSSLClientCertNone;
                                switch(argp[2]) {
                                        case 'n':
                                                expectCertState = kSSLClientCertNone;
@@ -1303,6 +1297,7 @@ int main(int argc, char **argv)
                                        default:
                                                usage(argv);
                                }
                                        default:
                                                usage(argv);
                                }
+#pragma clang diagnostic pop
                                break;
                        case 'z':
                                pargs.password = &argp[2];
                                break;
                        case 'z':
                                pargs.password = &argp[2];
@@ -1335,17 +1330,15 @@ int main(int argc, char **argv)
                                else {
                                        usage(argv);
                                }
                                else {
                                        usage(argv);
                                }
-                break;
                        default:
                                usage(argv);
                        default:
                                usage(argv);
-                break;
                }
        }
        if(getMsgSpec) {
                pargs.getMsg = getMsgSpec;
        }
        else {
                }
        }
        if(getMsgSpec) {
                pargs.getMsg = getMsgSpec;
        }
        else {
-               sprintf(getMsg, "%s %s %s", 
+               sprintf(getMsg, "%s %s %s",
                        DEFAULT_GETMSG, getPath, DEFAULT_GET_SUFFIX);
                pargs.getMsg = getMsg;
        }
                        DEFAULT_GETMSG, getPath, DEFAULT_GET_SUFFIX);
                pargs.getMsg = getMsg;
        }
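Review bot: `sprintf(getMsg, "%s %s %s", DEFAULT_GETMSG, getPath, DEFAULT_GET_SUFFIX);` still writes into the fixed `getMsg[300]` buffer with no bound, although every other sprintf in this commit was converted to snprintf; if getPath is taken from the command line (it is set outside this hunk), an overlong path overflows the stack buffer. Replace it with `int n = snprintf(getMsg, sizeof getMsg, "%s %s %s", DEFAULT_GETMSG, getPath, DEFAULT_GET_SUFFIX);` followed by `if (n < 0 || (size_t)n >= sizeof getMsg) { printf("***path too long\n"); usage(argv); }` so a truncated request line is rejected rather than silently sent. The option-parsing loop this code follows begins outside the hunk.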
@@ -1359,7 +1352,7 @@ int main(int argc, char **argv)
                }
 #ifdef USE_CDSA_CRYPTO
                if(pargs.password) {
                }
 #ifdef USE_CDSA_CRYPTO
                if(pargs.password) {
-                       OSStatus ortn = SecKeychainUnlock(serverKc, 
+                       OSStatus ortn = SecKeychainUnlock(serverKc,
                                strlen(pargs.password), pargs.password, true);
                        if(ortn) {
                                printf("SecKeychainUnlock returned %d\n", (int)ortn);
                                strlen(pargs.password), pargs.password, true);
                        if(ortn) {
                                printf("SecKeychainUnlock returned %d\n", (int)ortn);
@@ -1377,8 +1370,10 @@ int main(int argc, char **argv)
         sigaction(SIGPIPE, &sa, NULL);
     }
 
         sigaction(SIGPIPE, &sa, NULL);
     }
 
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wdeprecated-declarations"
        for(loop=0; loop<loopCount; loop++) {
        for(loop=0; loop<loopCount; loop++) {
-               /* 
+               /*
                 * One pass for each protocol version, skipping any explicit version if
                 * an attempt at a higher version and succeeded in doing so successfully fell
                 * back.
                 * One pass for each protocol version, skipping any explicit version if
                 * an attempt at a higher version and succeeded in doing so successfully fell
                 * back.
@@ -1396,7 +1391,7 @@ int main(int argc, char **argv)
                        }
                        if(!pargs.quiet) {
                                if(fileBase) {
                        }
                        if(!pargs.quiet) {
                                if(fileBase) {
-                                       sprintf(fullFileBase, "%s_v3.1", fileBase);
+                    snprintf(fullFileBase, _maxFileStringSize, "%s_v3.1", fileBase);
                                }
                                showSSLResult(&pargs,
                               err,
                                }
                                showSSLResult(&pargs,
                               err,
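Review bot: The new `snprintf(fullFileBase, _maxFileStringSize, "%s_v3.1", fileBase);` ignores the return value, so a long fileBase is silently truncated and, because the protocol suffix is what gets cut off, the peer-certificate dumps of the different protocol passes end up in the same file. Check for truncation once, e.g. `if (snprintf(fullFileBase, sizeof fullFileBase, "%s_v3.1", fileBase) >= (int)sizeof fullFileBase) { printf("***fileBase too long\n"); usage(argv); }`, and prefer `sizeof fullFileBase` over repeating the constant. The same applies to the snprintf calls in the `@@ -1449`, `@@ -1497`, `@@ -1539`, `@@ -1564`, `@@ -1581`, `@@ -1612` and `@@ -1635` hunks. The replaced lines are also space-indented while their neighbours use tabs.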
@@ -1440,7 +1435,7 @@ int main(int argc, char **argv)
                        pargs.tryVersion = kTLSProtocol11;
                        pargs.acceptedProts = NULL;
                        if(!pargs.silent) {
                        pargs.tryVersion = kTLSProtocol11;
                        pargs.acceptedProts = NULL;
                        if(!pargs.silent) {
-                               printf("Connecting to host %s with TLS V1.1...", pargs.hostName); 
+                               printf("Connecting to host %s with TLS V1.1...", pargs.hostName);
                        }
                        fflush(stdout);
                        err = sslPing(&pargs);
                        }
                        fflush(stdout);
                        err = sslPing(&pargs);
@@ -1449,10 +1444,10 @@ int main(int argc, char **argv)
                        }
                        if(!pargs.quiet) {
                                if(fileBase) {
                        }
                        if(!pargs.quiet) {
                                if(fileBase) {
-                                       sprintf(fullFileBase, "%s_v3.1", fileBase);
+                    snprintf(fullFileBase, _maxFileStringSize, "%s_v3.1", fileBase);
                                }
                                showSSLResult(&pargs,
                                }
                                showSSLResult(&pargs,
-                              err, 
+                              err,
                               displayCerts,
                               fileBase ? fullFileBase : NULL);
                        }
                               displayCerts,
                               fileBase ? fullFileBase : NULL);
                        }
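Review bot: The new snprintf line writes the suffix `_v3.1` even though this pass connects with TLS V1.1 (see the preceding hunk), and the TLS V1 pass in the `@@ -1497` hunk uses the same `_v3.1` suffix, so when fileBase is given the two runs overwrite each other's certificate dumps. If the suffix is meant to be the record-layer version, TLS 1.1 is 3.2: `snprintf(fullFileBase, _maxFileStringSize, "%s_v3.2", fileBase);`. The TLS V1.2 pass earlier in the loop is outside this chunk, so it may need the same review.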
@@ -1484,11 +1479,11 @@ int main(int argc, char **argv)
                                             pargs.certState);
                }
                if(doTlsV1) {
                                             pargs.certState);
                }
                if(doTlsV1) {
-                       pargs.tryVersion = 
+                       pargs.tryVersion =
                                protXOnly ? kTLSProtocol1Only : kTLSProtocol1;
                        pargs.acceptedProts = NULL;
                        if(!pargs.silent) {
                                protXOnly ? kTLSProtocol1Only : kTLSProtocol1;
                        pargs.acceptedProts = NULL;
                        if(!pargs.silent) {
-                               printf("Connecting to host %s with TLS V1...", pargs.hostName); 
+                               printf("Connecting to host %s with TLS V1...", pargs.hostName);
                        }
                        fflush(stdout);
                        err = sslPing(&pargs);
                        }
                        fflush(stdout);
                        err = sslPing(&pargs);
@@ -1497,10 +1492,10 @@ int main(int argc, char **argv)
                        }
                        if(!pargs.quiet) {
                                if(fileBase) {
                        }
                        if(!pargs.quiet) {
                                if(fileBase) {
-                                       sprintf(fullFileBase, "%s_v3.1", fileBase);
+                    snprintf(fullFileBase, _maxFileStringSize, "%s_v3.1", fileBase);
                                }
                                showSSLResult(&pargs,
                                }
                                showSSLResult(&pargs,
-                                       err, 
+                                       err,
                                        displayCerts,
                                        fileBase ? fullFileBase : NULL);
                        }
                                        displayCerts,
                                        fileBase ? fullFileBase : NULL);
                        }
@@ -1530,7 +1525,7 @@ int main(int argc, char **argv)
                        pargs.tryVersion = protXOnly ? kSSLProtocol3Only : kSSLProtocol3;
                        pargs.acceptedProts = NULL;
                        if(!pargs.silent) {
                        pargs.tryVersion = protXOnly ? kSSLProtocol3Only : kSSLProtocol3;
                        pargs.acceptedProts = NULL;
                        if(!pargs.silent) {
-                               printf("Connecting to host %s with SSL V3...", pargs.hostName); 
+                               printf("Connecting to host %s with SSL V3...", pargs.hostName);
                        }
                        fflush(stdout);
                        err = sslPing(&pargs);
                        }
                        fflush(stdout);
                        err = sslPing(&pargs);
@@ -1539,10 +1534,10 @@ int main(int argc, char **argv)
                        }
                        if(!pargs.quiet) {
                                if(fileBase) {
                        }
                        if(!pargs.quiet) {
                                if(fileBase) {
-                                       sprintf(fullFileBase, "%s_v3.0", fileBase);
+                    snprintf(fullFileBase, _maxFileStringSize, "%s_v3.0", fileBase);
                                }
                                showSSLResult(&pargs,
                                }
                                showSSLResult(&pargs,
-                                       err, 
+                                       err,
                                        displayCerts,
                                        fileBase ? fullFileBase : NULL);
                        }
                                        displayCerts,
                                        fileBase ? fullFileBase : NULL);
                        }
@@ -1564,10 +1559,10 @@ int main(int argc, char **argv)
                        ourRtn += verifyClientCertState(vfyCertState, expectCertState,
                                pargs.certState);
                }
                        ourRtn += verifyClientCertState(vfyCertState, expectCertState,
                                pargs.certState);
                }
-               
+
                if(doSslV2) {
                        if(fileBase) {
                if(doSslV2) {
                        if(fileBase) {
-                               sprintf(fullFileBase, "%s_v2", fileBase);
+                snprintf(fullFileBase, _maxFileStringSize, "%s_v2", fileBase);
                        }
                        if(!pargs.silent) {
                                printf("Connecting to host %s with SSL V2...", pargs.hostName);
                        }
                        if(!pargs.silent) {
                                printf("Connecting to host %s with SSL V2...", pargs.hostName);
@@ -1581,10 +1576,10 @@ int main(int argc, char **argv)
                        }
                        if(!pargs.quiet) {
                                if(fileBase) {
                        }
                        if(!pargs.quiet) {
                                if(fileBase) {
-                                       sprintf(fullFileBase, "%s_v2", fileBase);
+                    snprintf(fullFileBase, _maxFileStringSize, "%s_v2", fileBase);
                                }
                                showSSLResult(&pargs,
                                }
                                showSSLResult(&pargs,
-                                       err, 
+                                       err,
                                        displayCerts,
                                        fileBase ? fullFileBase : NULL);
                        }
                                        displayCerts,
                                        fileBase ? fullFileBase : NULL);
                        }
@@ -1600,8 +1595,8 @@ int main(int argc, char **argv)
                }
                if(doProtUnknown) {
                        if(!pargs.silent) {
                }
                if(doProtUnknown) {
                        if(!pargs.silent) {
-                               printf("Connecting to host %s with kSSLProtocolUnknown...", 
-                                       pargs.hostName); 
+                               printf("Connecting to host %s with kSSLProtocolUnknown...",
+                                       pargs.hostName);
                        }
                        fflush(stdout);
                        pargs.tryVersion = kSSLProtocolUnknown;
                        }
                        fflush(stdout);
                        pargs.tryVersion = kSSLProtocolUnknown;
@@ -1612,10 +1607,10 @@ int main(int argc, char **argv)
                        }
                        if(!pargs.quiet) {
                                if(fileBase) {
                        }
                        if(!pargs.quiet) {
                                if(fileBase) {
-                                       sprintf(fullFileBase, "%s_def", fileBase);
+                    snprintf(fullFileBase, _maxFileStringSize, "%s_def", fileBase);
                                }
                                showSSLResult(&pargs,
                                }
                                showSSLResult(&pargs,
-                                       err, 
+                                       err,
                                        displayCerts,
                                        fileBase ? fullFileBase : NULL);
                        }
                                        displayCerts,
                                        fileBase ? fullFileBase : NULL);
                        }
@@ -1625,8 +1620,8 @@ int main(int argc, char **argv)
                        pargs.acceptedProts = acceptedProts;
                        pargs.tryVersion = kSSLProtocolUnknown; // not used
                        if(!pargs.silent) {
                        pargs.acceptedProts = acceptedProts;
                        pargs.tryVersion = kSSLProtocolUnknown; // not used
                        if(!pargs.silent) {
-                               printf("Connecting to host %s with acceptedProts %s...", 
-                                       pargs.hostName, pargs.acceptedProts); 
+                               printf("Connecting to host %s with acceptedProts %s...",
+                                       pargs.hostName, pargs.acceptedProts);
                        }
                        fflush(stdout);
                        err = sslPing(&pargs);
                        }
                        fflush(stdout);
                        err = sslPing(&pargs);
@@ -1635,17 +1630,17 @@ int main(int argc, char **argv)
                        }
                        if(!pargs.quiet) {
                                if(fileBase) {
                        }
                        if(!pargs.quiet) {
                                if(fileBase) {
-                                       sprintf(fullFileBase, "%s_def", fileBase);
+                    snprintf(fullFileBase, _maxFileStringSize, "%s_def", fileBase);
                                }
                                showSSLResult(&pargs,
                                }
                                showSSLResult(&pargs,
-                                       err, 
+                                       err,
                                        displayCerts,
                                        fileBase ? fullFileBase : NULL);
                        }
                        CFReleaseNull(pargs.peerCerts);
                }
                                        displayCerts,
                                        fileBase ? fullFileBase : NULL);
                        }
                        CFReleaseNull(pargs.peerCerts);
                }
-               if(doPause || 
-                     (pauseFirstLoop && 
+               if(doPause ||
+                     (pauseFirstLoop &&
                                 /* pause after first, before last to grab trace */
                         ((loop == 0) || (loop == loopCount - 1))
                          )
                                 /* pause after first, before last to grab trace */
                         ((loop == 0) || (loop == loopCount - 1))
                          )
@@ -1653,12 +1648,14 @@ int main(int argc, char **argv)
                        char resp;
                        fpurge(stdin);
                        printf("a to abort, c to continue: ");
                        char resp;
                        fpurge(stdin);
                        printf("a to abort, c to continue: ");
-                       resp = getchar();
+                       resp = (char) getchar();
                        if(resp == 'a') {
                                break;
                        }
                }
     }  /* main loop */
                        if(resp == 'a') {
                                break;
                        }
                }
     }  /* main loop */
+#pragma clang diagnostic pop
+    
        if(displayHandshakeTimes) {
                CFAbsoluteTime totalTime;
                unsigned numHandshakes;
        if(displayHandshakeTimes) {
                CFAbsoluteTime totalTime;
                unsigned numHandshakes;
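Review bot: `resp = (char) getchar();` silences the conversion warning but discards EOF, so when stdin is closed or redirected the pause prompt loops on without ever aborting, and on targets where `char` is unsigned the value can never compare equal to EOF at all. Keep the result as an int and treat end of input like an abort: `int resp = getchar();` and `if(resp == 'a' || resp == EOF) { break; }` (the `char resp;` declaration is a context line of this hunk). The line after `#pragma clang diagnostic pop` contains only trailing whitespace, which the rest of this commit is removing. The main loop and the block that follows extend beyond the hunk.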
@@ -1680,11 +1677,9 @@ int main(int argc, char **argv)
        }
 
     if(ourRtn) {
        }
 
     if(ourRtn) {
-               printf("===%s exiting with %d %s for host %s\n", argv[0], ourRtn, 
+               printf("===%s exiting with %d %s for host %s\n", argv[0], ourRtn,
                        (ourRtn > 1) ? "errors" : "error", pargs.hostName);
        }
     return ourRtn;
 
 }
                        (ourRtn > 1) ? "errors" : "error", pargs.hostName);
        }
     return ourRtn;
 
 }
-
-