1 files changed, 187 insertions, 37 deletions
diff --git a/src/lib/libssl/src/ssl/ssltest.c b/src/lib/libssl/src/ssl/ssltest.c
index b09c542087..abf214ad7f 100644
--- a/src/lib/libssl/src/ssl/ssltest.c
+++ b/src/lib/libssl/src/ssl/ssltest.c
@@ -113,6 +113,32 @@
 * ECC cipher suite support in OpenSSL originally developed by 
 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
 */
+/* ====================================================================
+ * Copyright 2005 Nokia. All rights reserved.
+ *
+ * The portions of the attached software ("Contribution") is developed by
+ * Nokia Corporation and is licensed pursuant to the OpenSSL open source
+ * license.
+ *
+ * The Contribution, originally written by Mika Kousa and Pasi Eronen of
+ * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
+ * support (see RFC 4279) to OpenSSL.
+ *
+ * No patent licenses or other rights except those expressly stated in
+ * the OpenSSL open source license shall be deemed granted or received
+ * expressly, by implication, estoppel, or otherwise.
+ *
+ * No assurances are provided by Nokia that the Contribution does not
+ * infringe the patent or other intellectual property rights of any third
+ * party or that the license provides you with all the necessary rights
+ * to make use of the Contribution.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
+ * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
+ * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
+ * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
+ * OTHERWISE.
+ */
 #define _BSD_SOURCE 1           /* Or gethostname won't be declared properly
                                   on Linux and GNU platforms. */
@@ -128,8 +154,11 @@
 #define USE_SOCKETS
 #include "e_os.h"
+#ifdef OPENSSL_SYS_VMS
 #define _XOPEN_SOURCE 500       /* Or isascii won't be declared properly on
                                   VMS (at least with DECompHP C).  */
+#endif
 #include <ctype.h>
 #include <openssl/bio.h>
@@ -207,6 +236,16 @@ static DH *get_dh1024(void);
 static DH *get_dh1024dsa(void);
 #endif
+static char *psk_key=NULL; /* by default PSK is not used */
+#ifndef OPENSSL_NO_PSK
+static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
+        unsigned int max_identity_len, unsigned char *psk,
+        unsigned int max_psk_len);
+static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk,
+        unsigned int max_psk_len);
+#endif
 static BIO *bio_err=NULL;
 static BIO *bio_stdout=NULL;
@@ -229,9 +268,6 @@ static void sv_usage(void)
        {
        fprintf(stderr,"usage: ssltest [args ...]\n");
        fprintf(stderr,"\n");
-#ifdef OPENSSL_FIPS
-        fprintf(stderr,"-F             - run test in FIPS mode\n");
-#endif
        fprintf(stderr," -server_auth  - check server certificate\n");
        fprintf(stderr," -client_auth  - do client authentication\n");
        fprintf(stderr," -proxy        - allow proxy certificates\n");
@@ -250,6 +286,9 @@ static void sv_usage(void)
 #ifndef OPENSSL_NO_ECDH
        fprintf(stderr," -no_ecdhe     - disable ECDHE\n");
 #endif
+#ifndef OPENSSL_NO_PSK
+        fprintf(stderr," -psk arg      - PSK in hex (without 0x)\n");
+#endif
 #ifndef OPENSSL_NO_SSL2
        fprintf(stderr," -ssl2         - use SSLv2\n");
 #endif
@@ -281,7 +320,7 @@ static void sv_usage(void)
 static void print_details(SSL *c_ssl, const char *prefix)
        {
-        SSL_CIPHER *ciph;
+        const SSL_CIPHER *ciph;
        X509 *cert;
                
        ciph=SSL_get_current_cipher(c_ssl);
@@ -386,6 +425,25 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line)
                }
        }
+#ifdef TLSEXT_TYPE_opaque_prf_input
+struct cb_info_st { void *input; size_t len; int ret; };
+struct cb_info_st co1 = { "C", 1, 1 }; /* try to negotiate oqaque PRF input */
+struct cb_info_st co2 = { "C", 1, 2 }; /* insist on oqaque PRF input */
+struct cb_info_st so1 = { "S", 1, 1 }; /* try to negotiate oqaque PRF input */
+struct cb_info_st so2 = { "S", 1, 2 }; /* insist on oqaque PRF input */
+int opaque_prf_input_cb(SSL *ssl, void *peerinput, size_t len, void *arg_)
+        {
+        struct cb_info_st *arg = arg_;
+        if (arg == NULL)
+                return 1;
+        
+        if (!SSL_set_tlsext_opaque_prf_input(ssl, arg->input, arg->len))
+                return 0;
+        return arg->ret;
+        }
+#endif
 int main(int argc, char *argv[])
        {
@@ -407,19 +465,20 @@ int main(int argc, char *argv[])
 #endif
        SSL_CTX *s_ctx=NULL;
        SSL_CTX *c_ctx=NULL;
-        SSL_METHOD *meth=NULL;
+        const SSL_METHOD *meth=NULL;
        SSL *c_ssl,*s_ssl;
        int number=1,reuse=0;
        long bytes=256L;
 #ifndef OPENSSL_NO_DH
        DH *dh;
-        int dhe1024 = 1, dhe1024dsa = 0;
+        int dhe1024 = 0, dhe1024dsa = 0;
 #endif
 #ifndef OPENSSL_NO_ECDH
        EC_KEY *ecdh = NULL;
 #endif
        int no_dhe = 0;
        int no_ecdhe = 0;
+        int no_psk = 0;
        int print_time = 0;
        clock_t s_time = 0, c_time = 0;
        int comp = 0;
@@ -428,15 +487,12 @@ int main(int argc, char *argv[])
 #endif
        STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
        int test_cipherlist = 0;
-#ifdef OPENSSL_FIPS
-        int fips_mode=0;
-#endif
        verbose = 0;
        debug = 0;
        cipher = 0;
-        bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); 
+        bio_err=BIO_new_fp(stderr,BIO_NOCLOSE|BIO_FP_TEXT);     
        CRYPTO_set_locking_callback(lock_dbg_cb);
@@ -455,23 +511,14 @@ int main(int argc, char *argv[])
        RAND_seed(rnd_seed, sizeof rnd_seed);
-        bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
+        bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE|BIO_FP_TEXT);
        argc--;
        argv++;
        while (argc >= 1)
                {
-                if(!strcmp(*argv,"-F"))
+                if      (strcmp(*argv,"-server_auth") == 0)
-                        {
-#ifdef OPENSSL_FIPS
-                        fips_mode=1;
-#else
-                        fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
-                        EXIT(0);
-#endif
-                        }
-                else if (strcmp(*argv,"-server_auth") == 0)
                        server_auth=1;
                else if (strcmp(*argv,"-client_auth") == 0)
                        client_auth=1;
@@ -511,6 +558,20 @@ int main(int argc, char *argv[])
                        no_dhe=1;
                else if (strcmp(*argv,"-no_ecdhe") == 0)
                        no_ecdhe=1;
+                else if (strcmp(*argv,"-psk") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        psk_key=*(++argv);
+#ifndef OPENSSL_NO_PSK
+                        if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key))
+                                {
+                                BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
+                                goto bad;
+                                }
+#else
+                        no_psk=1;
+#endif
+                        }
                else if (strcmp(*argv,"-ssl2") == 0)
                        ssl2=1;
                else if (strcmp(*argv,"-tls1") == 0)
@@ -653,20 +714,6 @@ bad:
                EXIT(1);
                }
-#ifdef OPENSSL_FIPS
-        if(fips_mode)
-                {
-                if(!FIPS_mode_set(1))
-                        {
-                        ERR_load_crypto_strings();
-                        ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
-                        EXIT(1);
-                        }
-                else
-                        fprintf(stderr,"*** IN FIPS MODE ***\n");
-                }
-#endif
        if (print_time)
                {
                if (!bio_pair)
@@ -811,6 +858,13 @@ bad:
        SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
 #endif
+#ifdef TLSEXT_TYPE_opaque_prf_input
+        SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb);
+        SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb);
+        SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1); /* or &co2 or NULL */
+        SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1); /* or &so2 or NULL */
+#endif
        if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
                {
                ERR_print_errors(bio_err);
@@ -862,6 +916,31 @@ bad:
                SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
        }
+        /* Use PSK only if PSK key is given */
+        if (psk_key != NULL)
+                {
+                /* no_psk is used to avoid putting psk command to openssl tool */
+                if (no_psk)
+                        {
+                        /* if PSK is not compiled in and psk key is
+                         * given, do nothing and exit successfully */
+                        ret=0;
+                        goto end;
+                        }
+#ifndef OPENSSL_NO_PSK
+                SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
+                SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
+                if (debug)
+                        BIO_printf(bio_err,"setting PSK identity hint to s_ctx\n");
+                if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint"))
+                        {
+                        BIO_printf(bio_err,"error setting PSK identity hint to s_ctx\n");
+                        ERR_print_errors(bio_err);
+                        goto end;
+                        }
+#endif
+                }
        c_ssl=SSL_new(c_ctx);
        s_ssl=SSL_new(s_ctx);
@@ -938,7 +1017,7 @@ end:
 #endif
        CRYPTO_cleanup_all_ex_data();
        ERR_free_strings();
-        ERR_remove_state(0);
+        ERR_remove_thread_state(NULL);
        EVP_cleanup();
        CRYPTO_mem_leaks(bio_err);
        if (bio_err != NULL) BIO_free(bio_err);
@@ -2088,7 +2167,15 @@ static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
                }
 #ifndef OPENSSL_NO_X509_VERIFY
+# ifdef OPENSSL_FIPS
+        if(s->version == TLS1_VERSION)
+                FIPS_allow_md5(1);
+# endif
        ok = X509_verify_cert(ctx);
+# ifdef OPENSSL_FIPS
+        if(s->version == TLS1_VERSION)
+                FIPS_allow_md5(0);
+# endif
 #endif
        if (cb_arg->proxy_auth)
@@ -2257,11 +2344,74 @@ static DH *get_dh1024dsa()
        }
 #endif
+#ifndef OPENSSL_NO_PSK
+/* convert the PSK key (psk_key) in ascii to binary (psk) */
+static int psk_key2bn(const char *pskkey, unsigned char *psk,
+        unsigned int max_psk_len)
+        {
+        int ret;
+        BIGNUM *bn = NULL;
+        ret = BN_hex2bn(&bn, pskkey);
+        if (!ret)
+                {
+                BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", pskkey); 
+                if (bn)
+                        BN_free(bn);
+                return 0;
+                }
+        if (BN_num_bytes(bn) > (int)max_psk_len)
+                {
+                BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
+                        max_psk_len, BN_num_bytes(bn));
+                BN_free(bn);
+                return 0;
+                }
+        ret = BN_bn2bin(bn, psk);
+        BN_free(bn);
+        return ret;
+        }
+static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
+        unsigned int max_identity_len, unsigned char *psk,
+        unsigned int max_psk_len)
+        {
+        int ret;
+        unsigned int psk_len = 0;
+        ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
+        if (ret < 0)
+                goto out_err;
+        if (debug)
+                fprintf(stderr, "client: created identity '%s' len=%d\n", identity, ret);
+        ret = psk_key2bn(psk_key, psk, max_psk_len);
+        if (ret < 0)
+                goto out_err;
+        psk_len = ret;
+out_err:
+        return psk_len;
+        }
+static unsigned int psk_server_callback(SSL *ssl, const char *identity,
+        unsigned char *psk, unsigned int max_psk_len)
+        {
+        unsigned int psk_len=0;
+        if (strcmp(identity, "Client_identity") != 0)
+                {
+                BIO_printf(bio_err, "server: PSK error: client identity not found\n");
+                return 0;
+                }
+        psk_len=psk_key2bn(psk_key, psk, max_psk_len);
+        return psk_len;
+        }
+#endif
 static int do_test_cipherlist(void)
        {
        int i = 0;
        const SSL_METHOD *meth;
-        SSL_CIPHER *ci, *tci = NULL;
+        const SSL_CIPHER *ci, *tci = NULL;
 #ifndef OPENSSL_NO_SSL2
        fprintf(stderr, "testing SSLv2 cipher list order: ");

diff --git a/src/lib/libssl/src/ssl/ssltest.c b/src/lib/libssl/src/ssl/ssltest.c index b09c542087..abf214ad7f 100644 --- a/src/lib/libssl/src/ssl/ssltest.c +++ b/src/lib/libssl/src/ssl/ssltest.c
@@ -113,6 +113,32 @@
113	* ECC cipher suite support in OpenSSL originally developed by	113	* ECC cipher suite support in OpenSSL originally developed by
114	* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.	114	* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115	*/	115	*/
		116	/* ====================================================================
		117	* Copyright 2005 Nokia. All rights reserved.
		118	*
		119	* The portions of the attached software ("Contribution") is developed by
		120	* Nokia Corporation and is licensed pursuant to the OpenSSL open source
		121	* license.
		122	*
		123	* The Contribution, originally written by Mika Kousa and Pasi Eronen of
		124	* Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
		125	* support (see RFC 4279) to OpenSSL.
		126	*
		127	* No patent licenses or other rights except those expressly stated in
		128	* the OpenSSL open source license shall be deemed granted or received
		129	* expressly, by implication, estoppel, or otherwise.
		130	*
		131	* No assurances are provided by Nokia that the Contribution does not
		132	* infringe the patent or other intellectual property rights of any third
		133	* party or that the license provides you with all the necessary rights
		134	* to make use of the Contribution.
		135	*
		136	* THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
		137	* ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
		138	* SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
		139	* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
		140	* OTHERWISE.
		141	*/
116		142
117	#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly	143	#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
118	on Linux and GNU platforms. */	144	on Linux and GNU platforms. */
@@ -128,8 +154,11 @@
128	#define USE_SOCKETS	154	#define USE_SOCKETS
129	#include "e_os.h"	155	#include "e_os.h"
130		156
		157	#ifdef OPENSSL_SYS_VMS
131	#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on	158	#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
132	VMS (at least with DECompHP C). */	159	VMS (at least with DECompHP C). */
		160	#endif
		161
133	#include <ctype.h>	162	#include <ctype.h>
134		163
135	#include <openssl/bio.h>	164	#include <openssl/bio.h>
@@ -207,6 +236,16 @@ static DH *get_dh1024(void);
207	static DH *get_dh1024dsa(void);	236	static DH *get_dh1024dsa(void);
208	#endif	237	#endif
209		238
		239
		240	static char psk_key=NULL; / by default PSK is not used */
		241	#ifndef OPENSSL_NO_PSK
		242	static unsigned int psk_client_callback(SSL ssl, const char hint, char *identity,
		243	unsigned int max_identity_len, unsigned char *psk,
		244	unsigned int max_psk_len);
		245	static unsigned int psk_server_callback(SSL ssl, const char identity, unsigned char *psk,
		246	unsigned int max_psk_len);
		247	#endif
		248
210	static BIO *bio_err=NULL;	249	static BIO *bio_err=NULL;
211	static BIO *bio_stdout=NULL;	250	static BIO *bio_stdout=NULL;
212		251
@@ -229,9 +268,6 @@ static void sv_usage(void)
229	{	268	{
230	fprintf(stderr,"usage: ssltest [args ...]\n");	269	fprintf(stderr,"usage: ssltest [args ...]\n");
231	fprintf(stderr,"\n");	270	fprintf(stderr,"\n");
232	#ifdef OPENSSL_FIPS
233	fprintf(stderr,"-F - run test in FIPS mode\n");
234	#endif
235	fprintf(stderr," -server_auth - check server certificate\n");	271	fprintf(stderr," -server_auth - check server certificate\n");
236	fprintf(stderr," -client_auth - do client authentication\n");	272	fprintf(stderr," -client_auth - do client authentication\n");
237	fprintf(stderr," -proxy - allow proxy certificates\n");	273	fprintf(stderr," -proxy - allow proxy certificates\n");
@@ -250,6 +286,9 @@ static void sv_usage(void)
250	#ifndef OPENSSL_NO_ECDH	286	#ifndef OPENSSL_NO_ECDH
251	fprintf(stderr," -no_ecdhe - disable ECDHE\n");	287	fprintf(stderr," -no_ecdhe - disable ECDHE\n");
252	#endif	288	#endif
		289	#ifndef OPENSSL_NO_PSK
		290	fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");
		291	#endif
253	#ifndef OPENSSL_NO_SSL2	292	#ifndef OPENSSL_NO_SSL2
254	fprintf(stderr," -ssl2 - use SSLv2\n");	293	fprintf(stderr," -ssl2 - use SSLv2\n");
255	#endif	294	#endif
@@ -281,7 +320,7 @@ static void sv_usage(void)
281		320
282	static void print_details(SSL c_ssl, const char prefix)	321	static void print_details(SSL c_ssl, const char prefix)
283	{	322	{
284	SSL_CIPHER *ciph;	323	const SSL_CIPHER *ciph;
285	X509 *cert;	324	X509 *cert;
286		325
287	ciph=SSL_get_current_cipher(c_ssl);	326	ciph=SSL_get_current_cipher(c_ssl);
@@ -386,6 +425,25 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line)
386	}	425	}
387	}	426	}
388		427
		428	#ifdef TLSEXT_TYPE_opaque_prf_input
		429	struct cb_info_st { void *input; size_t len; int ret; };
		430	struct cb_info_st co1 = { "C", 1, 1 }; /* try to negotiate oqaque PRF input */
		431	struct cb_info_st co2 = { "C", 1, 2 }; /* insist on oqaque PRF input */
		432	struct cb_info_st so1 = { "S", 1, 1 }; /* try to negotiate oqaque PRF input */
		433	struct cb_info_st so2 = { "S", 1, 2 }; /* insist on oqaque PRF input */
		434
		435	int opaque_prf_input_cb(SSL ssl, void peerinput, size_t len, void *arg_)
		436	{
		437	struct cb_info_st *arg = arg_;
		438
		439	if (arg == NULL)
		440	return 1;
		441
		442	if (!SSL_set_tlsext_opaque_prf_input(ssl, arg->input, arg->len))
		443	return 0;
		444	return arg->ret;
		445	}
		446	#endif
389		447
390	int main(int argc, char *argv[])	448	int main(int argc, char *argv[])
391	{	449	{
@@ -407,19 +465,20 @@ int main(int argc, char *argv[])
407	#endif	465	#endif
408	SSL_CTX *s_ctx=NULL;	466	SSL_CTX *s_ctx=NULL;
409	SSL_CTX *c_ctx=NULL;	467	SSL_CTX *c_ctx=NULL;
410	SSL_METHOD *meth=NULL;	468	const SSL_METHOD *meth=NULL;
411	SSL c_ssl,s_ssl;	469	SSL c_ssl,s_ssl;
412	int number=1,reuse=0;	470	int number=1,reuse=0;
413	long bytes=256L;	471	long bytes=256L;
414	#ifndef OPENSSL_NO_DH	472	#ifndef OPENSSL_NO_DH
415	DH *dh;	473	DH *dh;
416	int dhe1024 = 1, dhe1024dsa = 0;	474	int dhe1024 = 0, dhe1024dsa = 0;
417	#endif	475	#endif
418	#ifndef OPENSSL_NO_ECDH	476	#ifndef OPENSSL_NO_ECDH
419	EC_KEY *ecdh = NULL;	477	EC_KEY *ecdh = NULL;
420	#endif	478	#endif
421	int no_dhe = 0;	479	int no_dhe = 0;
422	int no_ecdhe = 0;	480	int no_ecdhe = 0;
		481	int no_psk = 0;
423	int print_time = 0;	482	int print_time = 0;
424	clock_t s_time = 0, c_time = 0;	483	clock_t s_time = 0, c_time = 0;
425	int comp = 0;	484	int comp = 0;
@@ -428,15 +487,12 @@ int main(int argc, char *argv[])
428	#endif	487	#endif
429	STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;	488	STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
430	int test_cipherlist = 0;	489	int test_cipherlist = 0;
431	#ifdef OPENSSL_FIPS
432	int fips_mode=0;
433	#endif
434		490
435	verbose = 0;	491	verbose = 0;
436	debug = 0;	492	debug = 0;
437	cipher = 0;	493	cipher = 0;
438		494
439	bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);	495	bio_err=BIO_new_fp(stderr,BIO_NOCLOSE\|BIO_FP_TEXT);
440		496
441	CRYPTO_set_locking_callback(lock_dbg_cb);	497	CRYPTO_set_locking_callback(lock_dbg_cb);
442		498
@@ -455,23 +511,14 @@ int main(int argc, char *argv[])
455		511
456	RAND_seed(rnd_seed, sizeof rnd_seed);	512	RAND_seed(rnd_seed, sizeof rnd_seed);
457		513
458	bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);	514	bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE\|BIO_FP_TEXT);
459		515
460	argc--;	516	argc--;
461	argv++;	517	argv++;
462		518
463	while (argc >= 1)	519	while (argc >= 1)
464	{	520	{
465	if(!strcmp(*argv,"-F"))	521	if (strcmp(*argv,"-server_auth") == 0)
466	{
467	#ifdef OPENSSL_FIPS
468	fips_mode=1;
469	#else
470	fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
471	EXIT(0);
472	#endif
473	}
474	else if (strcmp(*argv,"-server_auth") == 0)
475	server_auth=1;	522	server_auth=1;
476	else if (strcmp(*argv,"-client_auth") == 0)	523	else if (strcmp(*argv,"-client_auth") == 0)
477	client_auth=1;	524	client_auth=1;
@@ -511,6 +558,20 @@ int main(int argc, char *argv[])
511	no_dhe=1;	558	no_dhe=1;
512	else if (strcmp(*argv,"-no_ecdhe") == 0)	559	else if (strcmp(*argv,"-no_ecdhe") == 0)
513	no_ecdhe=1;	560	no_ecdhe=1;
		561	else if (strcmp(*argv,"-psk") == 0)
		562	{
		563	if (--argc < 1) goto bad;
		564	psk_key=*(++argv);
		565	#ifndef OPENSSL_NO_PSK
		566	if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key))
		567	{
		568	BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
		569	goto bad;
		570	}
		571	#else
		572	no_psk=1;
		573	#endif
		574	}
514	else if (strcmp(*argv,"-ssl2") == 0)	575	else if (strcmp(*argv,"-ssl2") == 0)
515	ssl2=1;	576	ssl2=1;
516	else if (strcmp(*argv,"-tls1") == 0)	577	else if (strcmp(*argv,"-tls1") == 0)
@@ -653,20 +714,6 @@ bad:
653	EXIT(1);	714	EXIT(1);
654	}	715	}
655		716
656	#ifdef OPENSSL_FIPS
657	if(fips_mode)
658	{
659	if(!FIPS_mode_set(1))
660	{
661	ERR_load_crypto_strings();
662	ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
663	EXIT(1);
664	}
665	else
666	fprintf(stderr,"* IN FIPS MODE *\n");
667	}
668	#endif
669
670	if (print_time)	717	if (print_time)
671	{	718	{
672	if (!bio_pair)	719	if (!bio_pair)
@@ -811,6 +858,13 @@ bad:
811	SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);	858	SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
812	#endif	859	#endif
813		860
		861	#ifdef TLSEXT_TYPE_opaque_prf_input
		862	SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb);
		863	SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb);
		864	SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1); /* or &co2 or NULL */
		865	SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1); /* or &so2 or NULL */
		866	#endif
		867
814	if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))	868	if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
815	{	869	{
816	ERR_print_errors(bio_err);	870	ERR_print_errors(bio_err);
@@ -862,6 +916,31 @@ bad:
862	SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);	916	SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
863	}	917	}
864		918
		919	/* Use PSK only if PSK key is given */
		920	if (psk_key != NULL)
		921	{
		922	/* no_psk is used to avoid putting psk command to openssl tool */
		923	if (no_psk)
		924	{
		925	/* if PSK is not compiled in and psk key is
		926	* given, do nothing and exit successfully */
		927	ret=0;
		928	goto end;
		929	}
		930	#ifndef OPENSSL_NO_PSK
		931	SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
		932	SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
		933	if (debug)
		934	BIO_printf(bio_err,"setting PSK identity hint to s_ctx\n");
		935	if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint"))
		936	{
		937	BIO_printf(bio_err,"error setting PSK identity hint to s_ctx\n");
		938	ERR_print_errors(bio_err);
		939	goto end;
		940	}
		941	#endif
		942	}
		943
865	c_ssl=SSL_new(c_ctx);	944	c_ssl=SSL_new(c_ctx);
866	s_ssl=SSL_new(s_ctx);	945	s_ssl=SSL_new(s_ctx);
867		946
@@ -938,7 +1017,7 @@ end:
938	#endif	1017	#endif
939	CRYPTO_cleanup_all_ex_data();	1018	CRYPTO_cleanup_all_ex_data();
940	ERR_free_strings();	1019	ERR_free_strings();
941	ERR_remove_state(0);	1020	ERR_remove_thread_state(NULL);
942	EVP_cleanup();	1021	EVP_cleanup();
943	CRYPTO_mem_leaks(bio_err);	1022	CRYPTO_mem_leaks(bio_err);
944	if (bio_err != NULL) BIO_free(bio_err);	1023	if (bio_err != NULL) BIO_free(bio_err);
@@ -2088,7 +2167,15 @@ static int MS_CALLBACK app_verify_callback(X509_STORE_CTX ctx, void arg)
2088	}	2167	}
2089		2168
2090	#ifndef OPENSSL_NO_X509_VERIFY	2169	#ifndef OPENSSL_NO_X509_VERIFY
		2170	# ifdef OPENSSL_FIPS
		2171	if(s->version == TLS1_VERSION)
		2172	FIPS_allow_md5(1);
		2173	# endif
2091	ok = X509_verify_cert(ctx);	2174	ok = X509_verify_cert(ctx);
		2175	# ifdef OPENSSL_FIPS
		2176	if(s->version == TLS1_VERSION)
		2177	FIPS_allow_md5(0);
		2178	# endif
2092	#endif	2179	#endif
2093		2180
2094	if (cb_arg->proxy_auth)	2181	if (cb_arg->proxy_auth)
@@ -2257,11 +2344,74 @@ static DH *get_dh1024dsa()
2257	}	2344	}
2258	#endif	2345	#endif
2259		2346
		2347	#ifndef OPENSSL_NO_PSK
		2348	/* convert the PSK key (psk_key) in ascii to binary (psk) */
		2349	static int psk_key2bn(const char pskkey, unsigned char psk,
		2350	unsigned int max_psk_len)
		2351	{
		2352	int ret;
		2353	BIGNUM *bn = NULL;
		2354
		2355	ret = BN_hex2bn(&bn, pskkey);
		2356	if (!ret)
		2357	{
		2358	BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", pskkey);
		2359	if (bn)
		2360	BN_free(bn);
		2361	return 0;
		2362	}
		2363	if (BN_num_bytes(bn) > (int)max_psk_len)
		2364	{
		2365	BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
		2366	max_psk_len, BN_num_bytes(bn));
		2367	BN_free(bn);
		2368	return 0;
		2369	}
		2370	ret = BN_bn2bin(bn, psk);
		2371	BN_free(bn);
		2372	return ret;
		2373	}
		2374
		2375	static unsigned int psk_client_callback(SSL ssl, const char hint, char *identity,
		2376	unsigned int max_identity_len, unsigned char *psk,
		2377	unsigned int max_psk_len)
		2378	{
		2379	int ret;
		2380	unsigned int psk_len = 0;
		2381
		2382	ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
		2383	if (ret < 0)
		2384	goto out_err;
		2385	if (debug)
		2386	fprintf(stderr, "client: created identity '%s' len=%d\n", identity, ret);
		2387	ret = psk_key2bn(psk_key, psk, max_psk_len);
		2388	if (ret < 0)
		2389	goto out_err;
		2390	psk_len = ret;
		2391	out_err:
		2392	return psk_len;
		2393	}
		2394
		2395	static unsigned int psk_server_callback(SSL ssl, const char identity,
		2396	unsigned char *psk, unsigned int max_psk_len)
		2397	{
		2398	unsigned int psk_len=0;
		2399
		2400	if (strcmp(identity, "Client_identity") != 0)
		2401	{
		2402	BIO_printf(bio_err, "server: PSK error: client identity not found\n");
		2403	return 0;
		2404	}
		2405	psk_len=psk_key2bn(psk_key, psk, max_psk_len);
		2406	return psk_len;
		2407	}
		2408	#endif
		2409
2260	static int do_test_cipherlist(void)	2410	static int do_test_cipherlist(void)
2261	{	2411	{
2262	int i = 0;	2412	int i = 0;
2263	const SSL_METHOD *meth;	2413	const SSL_METHOD *meth;
2264	SSL_CIPHER ci, tci = NULL;	2414	const SSL_CIPHER ci, tci = NULL;
2265		2415
2266	#ifndef OPENSSL_NO_SSL2	2416	#ifndef OPENSSL_NO_SSL2
2267	fprintf(stderr, "testing SSLv2 cipher list order: ");	2417	fprintf(stderr, "testing SSLv2 cipher list order: ");