1 files changed, 187 insertions, 37 deletions
diff --git a/src/lib/libssl/src/ssl/ssltest.c b/src/lib/libssl/src/ssl/ssltest.c
index 5e666aedea..1d8ba372bc 100644
--- a/src/lib/libssl/src/ssl/ssltest.c
+++ b/src/lib/libssl/src/ssl/ssltest.c
@@ -113,6 +113,32 @@
 * ECC cipher suite support in OpenSSL originally developed by 
 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
 */
+/* ====================================================================
+ * Copyright 2005 Nokia. All rights reserved.
+ *
+ * The portions of the attached software ("Contribution") is developed by
+ * Nokia Corporation and is licensed pursuant to the OpenSSL open source
+ * license.
+ *
+ * The Contribution, originally written by Mika Kousa and Pasi Eronen of
+ * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
+ * support (see RFC 4279) to OpenSSL.
+ *
+ * No patent licenses or other rights except those expressly stated in
+ * the OpenSSL open source license shall be deemed granted or received
+ * expressly, by implication, estoppel, or otherwise.
+ *
+ * No assurances are provided by Nokia that the Contribution does not
+ * infringe the patent or other intellectual property rights of any third
+ * party or that the license provides you with all the necessary rights
+ * to make use of the Contribution.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
+ * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
+ * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
+ * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
+ * OTHERWISE.
+ */
 #define _BSD_SOURCE 1           /* Or gethostname won't be declared properly
                                   on Linux and GNU platforms. */
@@ -130,8 +156,11 @@
 #define USE_SOCKETS
 #include "e_os.h"
+#ifdef OPENSSL_SYS_VMS
 #define _XOPEN_SOURCE 500       /* Or isascii won't be declared properly on
                                   VMS (at least with DECompHP C).  */
+#endif
 #include <ctype.h>
 #include <openssl/bio.h>
@@ -209,6 +238,16 @@ static DH *get_dh1024(void);
 static DH *get_dh1024dsa(void);
 #endif
+static char *psk_key=NULL; /* by default PSK is not used */
+#ifndef OPENSSL_NO_PSK
+static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
+        unsigned int max_identity_len, unsigned char *psk,
+        unsigned int max_psk_len);
+static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk,
+        unsigned int max_psk_len);
+#endif
 static BIO *bio_err=NULL;
 static BIO *bio_stdout=NULL;
@@ -231,9 +270,6 @@ static void sv_usage(void)
        {
        fprintf(stderr,"usage: ssltest [args ...]\n");
        fprintf(stderr,"\n");
-#ifdef OPENSSL_FIPS
-        fprintf(stderr,"-F             - run test in FIPS mode\n");
-#endif
        fprintf(stderr," -server_auth  - check server certificate\n");
        fprintf(stderr," -client_auth  - do client authentication\n");
        fprintf(stderr," -proxy        - allow proxy certificates\n");
@@ -252,6 +288,9 @@ static void sv_usage(void)
 #ifndef OPENSSL_NO_ECDH
        fprintf(stderr," -no_ecdhe     - disable ECDHE\n");
 #endif
+#ifndef OPENSSL_NO_PSK
+        fprintf(stderr," -psk arg      - PSK in hex (without 0x)\n");
+#endif
 #ifndef OPENSSL_NO_SSL2
        fprintf(stderr," -ssl2         - use SSLv2\n");
 #endif
@@ -283,7 +322,7 @@ static void sv_usage(void)
 static void print_details(SSL *c_ssl, const char *prefix)
        {
-        SSL_CIPHER *ciph;
+        const SSL_CIPHER *ciph;
        X509 *cert;
                
        ciph=SSL_get_current_cipher(c_ssl);
@@ -388,6 +427,25 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line)
                }
        }
+#ifdef TLSEXT_TYPE_opaque_prf_input
+struct cb_info_st { void *input; size_t len; int ret; };
+struct cb_info_st co1 = { "C", 1, 1 }; /* try to negotiate oqaque PRF input */
+struct cb_info_st co2 = { "C", 1, 2 }; /* insist on oqaque PRF input */
+struct cb_info_st so1 = { "S", 1, 1 }; /* try to negotiate oqaque PRF input */
+struct cb_info_st so2 = { "S", 1, 2 }; /* insist on oqaque PRF input */
+int opaque_prf_input_cb(SSL *ssl, void *peerinput, size_t len, void *arg_)
+        {
+        struct cb_info_st *arg = arg_;
+        if (arg == NULL)
+                return 1;
+        
+        if (!SSL_set_tlsext_opaque_prf_input(ssl, arg->input, arg->len))
+                return 0;
+        return arg->ret;
+        }
+#endif
 int main(int argc, char *argv[])
        {
@@ -409,19 +467,20 @@ int main(int argc, char *argv[])
 #endif
        SSL_CTX *s_ctx=NULL;
        SSL_CTX *c_ctx=NULL;
-        SSL_METHOD *meth=NULL;
+        const SSL_METHOD *meth=NULL;
        SSL *c_ssl,*s_ssl;
        int number=1,reuse=0;
        long bytes=256L;
 #ifndef OPENSSL_NO_DH
        DH *dh;
-        int dhe1024 = 1, dhe1024dsa = 0;
+        int dhe1024 = 0, dhe1024dsa = 0;
 #endif
 #ifndef OPENSSL_NO_ECDH
        EC_KEY *ecdh = NULL;
 #endif
        int no_dhe = 0;
        int no_ecdhe = 0;
+        int no_psk = 0;
        int print_time = 0;
        clock_t s_time = 0, c_time = 0;
        int comp = 0;
@@ -430,15 +489,12 @@ int main(int argc, char *argv[])
 #endif
        STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
        int test_cipherlist = 0;
-#ifdef OPENSSL_FIPS
-        int fips_mode=0;
-#endif
        verbose = 0;
        debug = 0;
        cipher = 0;
-        bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); 
+        bio_err=BIO_new_fp(stderr,BIO_NOCLOSE|BIO_FP_TEXT);     
        CRYPTO_set_locking_callback(lock_dbg_cb);
@@ -457,23 +513,14 @@ int main(int argc, char *argv[])
        RAND_seed(rnd_seed, sizeof rnd_seed);
-        bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
+        bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE|BIO_FP_TEXT);
        argc--;
        argv++;
        while (argc >= 1)
                {
-                if(!strcmp(*argv,"-F"))
+                if      (strcmp(*argv,"-server_auth") == 0)
-                        {
-#ifdef OPENSSL_FIPS
-                        fips_mode=1;
-#else
-                        fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
-                        EXIT(0);
-#endif
-                        }
-                else if (strcmp(*argv,"-server_auth") == 0)
                        server_auth=1;
                else if (strcmp(*argv,"-client_auth") == 0)
                        client_auth=1;
@@ -513,6 +560,20 @@ int main(int argc, char *argv[])
                        no_dhe=1;
                else if (strcmp(*argv,"-no_ecdhe") == 0)
                        no_ecdhe=1;
+                else if (strcmp(*argv,"-psk") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        psk_key=*(++argv);
+#ifndef OPENSSL_NO_PSK
+                        if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key))
+                                {
+                                BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
+                                goto bad;
+                                }
+#else
+                        no_psk=1;
+#endif
+                        }
                else if (strcmp(*argv,"-ssl2") == 0)
                        ssl2=1;
                else if (strcmp(*argv,"-tls1") == 0)
@@ -655,20 +716,6 @@ bad:
                EXIT(1);
                }
-#ifdef OPENSSL_FIPS
-        if(fips_mode)
-                {
-                if(!FIPS_mode_set(1))
-                        {
-                        ERR_load_crypto_strings();
-                        ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
-                        EXIT(1);
-                        }
-                else
-                        fprintf(stderr,"*** IN FIPS MODE ***\n");
-                }
-#endif
        if (print_time)
                {
                if (!bio_pair)
@@ -813,6 +860,13 @@ bad:
        SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
 #endif
+#ifdef TLSEXT_TYPE_opaque_prf_input
+        SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb);
+        SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb);
+        SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1); /* or &co2 or NULL */
+        SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1); /* or &so2 or NULL */
+#endif
        if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
                {
                ERR_print_errors(bio_err);
@@ -864,6 +918,31 @@ bad:
                SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
        }
+        /* Use PSK only if PSK key is given */
+        if (psk_key != NULL)
+                {
+                /* no_psk is used to avoid putting psk command to openssl tool */
+                if (no_psk)
+                        {
+                        /* if PSK is not compiled in and psk key is
+                         * given, do nothing and exit successfully */
+                        ret=0;
+                        goto end;
+                        }
+#ifndef OPENSSL_NO_PSK
+                SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
+                SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
+                if (debug)
+                        BIO_printf(bio_err,"setting PSK identity hint to s_ctx\n");
+                if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint"))
+                        {
+                        BIO_printf(bio_err,"error setting PSK identity hint to s_ctx\n");
+                        ERR_print_errors(bio_err);
+                        goto end;
+                        }
+#endif
+                }
        c_ssl=SSL_new(c_ctx);
        s_ssl=SSL_new(s_ctx);
@@ -940,7 +1019,7 @@ end:
 #endif
        CRYPTO_cleanup_all_ex_data();
        ERR_free_strings();
-        ERR_remove_state(0);
+        ERR_remove_thread_state(NULL);
        EVP_cleanup();
        CRYPTO_mem_leaks(bio_err);
        if (bio_err != NULL) BIO_free(bio_err);
@@ -2090,7 +2169,15 @@ static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
                }
 #ifndef OPENSSL_NO_X509_VERIFY
+# ifdef OPENSSL_FIPS
+        if(s->version == TLS1_VERSION)
+                FIPS_allow_md5(1);
+# endif
        ok = X509_verify_cert(ctx);
+# ifdef OPENSSL_FIPS
+        if(s->version == TLS1_VERSION)
+                FIPS_allow_md5(0);
+# endif
 #endif
        if (cb_arg->proxy_auth)
@@ -2259,11 +2346,74 @@ static DH *get_dh1024dsa()
        }
 #endif
+#ifndef OPENSSL_NO_PSK
+/* convert the PSK key (psk_key) in ascii to binary (psk) */
+static int psk_key2bn(const char *pskkey, unsigned char *psk,
+        unsigned int max_psk_len)
+        {
+        int ret;
+        BIGNUM *bn = NULL;
+        ret = BN_hex2bn(&bn, pskkey);
+        if (!ret)
+                {
+                BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", pskkey); 
+                if (bn)
+                        BN_free(bn);
+                return 0;
+                }
+        if (BN_num_bytes(bn) > (int)max_psk_len)
+                {
+                BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
+                        max_psk_len, BN_num_bytes(bn));
+                BN_free(bn);
+                return 0;
+                }
+        ret = BN_bn2bin(bn, psk);
+        BN_free(bn);
+        return ret;
+        }
+static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
+        unsigned int max_identity_len, unsigned char *psk,
+        unsigned int max_psk_len)
+        {
+        int ret;
+        unsigned int psk_len = 0;
+        ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
+        if (ret < 0)
+                goto out_err;
+        if (debug)
+                fprintf(stderr, "client: created identity '%s' len=%d\n", identity, ret);
+        ret = psk_key2bn(psk_key, psk, max_psk_len);
+        if (ret < 0)
+                goto out_err;
+        psk_len = ret;
+out_err:
+        return psk_len;
+        }
+static unsigned int psk_server_callback(SSL *ssl, const char *identity,
+        unsigned char *psk, unsigned int max_psk_len)
+        {
+        unsigned int psk_len=0;
+        if (strcmp(identity, "Client_identity") != 0)
+                {
+                BIO_printf(bio_err, "server: PSK error: client identity not found\n");
+                return 0;
+                }
+        psk_len=psk_key2bn(psk_key, psk, max_psk_len);
+        return psk_len;
+        }
+#endif
 static int do_test_cipherlist(void)
        {
        int i = 0;
        const SSL_METHOD *meth;
-        SSL_CIPHER *ci, *tci = NULL;
+        const SSL_CIPHER *ci, *tci = NULL;
 #ifndef OPENSSL_NO_SSL2
        fprintf(stderr, "testing SSLv2 cipher list order: ");

diff --git a/src/lib/libssl/src/ssl/ssltest.c b/src/lib/libssl/src/ssl/ssltest.c index 5e666aedea..1d8ba372bc 100644 --- a/src/lib/libssl/src/ssl/ssltest.c +++ b/src/lib/libssl/src/ssl/ssltest.c
@@ -113,6 +113,32 @@
113	* ECC cipher suite support in OpenSSL originally developed by	113	* ECC cipher suite support in OpenSSL originally developed by
114	* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.	114	* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115	*/	115	*/
		116	/* ====================================================================
		117	* Copyright 2005 Nokia. All rights reserved.
		118	*
		119	* The portions of the attached software ("Contribution") is developed by
		120	* Nokia Corporation and is licensed pursuant to the OpenSSL open source
		121	* license.
		122	*
		123	* The Contribution, originally written by Mika Kousa and Pasi Eronen of
		124	* Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
		125	* support (see RFC 4279) to OpenSSL.
		126	*
		127	* No patent licenses or other rights except those expressly stated in
		128	* the OpenSSL open source license shall be deemed granted or received
		129	* expressly, by implication, estoppel, or otherwise.
		130	*
		131	* No assurances are provided by Nokia that the Contribution does not
		132	* infringe the patent or other intellectual property rights of any third
		133	* party or that the license provides you with all the necessary rights
		134	* to make use of the Contribution.
		135	*
		136	* THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
		137	* ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
		138	* SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
		139	* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
		140	* OTHERWISE.
		141	*/
116		142
117	#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly	143	#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
118	on Linux and GNU platforms. */	144	on Linux and GNU platforms. */
@@ -130,8 +156,11 @@
130	#define USE_SOCKETS	156	#define USE_SOCKETS
131	#include "e_os.h"	157	#include "e_os.h"
132		158
		159	#ifdef OPENSSL_SYS_VMS
133	#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on	160	#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
134	VMS (at least with DECompHP C). */	161	VMS (at least with DECompHP C). */
		162	#endif
		163
135	#include <ctype.h>	164	#include <ctype.h>
136		165
137	#include <openssl/bio.h>	166	#include <openssl/bio.h>
@@ -209,6 +238,16 @@ static DH *get_dh1024(void);
209	static DH *get_dh1024dsa(void);	238	static DH *get_dh1024dsa(void);
210	#endif	239	#endif
211		240
		241
		242	static char psk_key=NULL; / by default PSK is not used */
		243	#ifndef OPENSSL_NO_PSK
		244	static unsigned int psk_client_callback(SSL ssl, const char hint, char *identity,
		245	unsigned int max_identity_len, unsigned char *psk,
		246	unsigned int max_psk_len);
		247	static unsigned int psk_server_callback(SSL ssl, const char identity, unsigned char *psk,
		248	unsigned int max_psk_len);
		249	#endif
		250
212	static BIO *bio_err=NULL;	251	static BIO *bio_err=NULL;
213	static BIO *bio_stdout=NULL;	252	static BIO *bio_stdout=NULL;
214		253
@@ -231,9 +270,6 @@ static void sv_usage(void)
231	{	270	{
232	fprintf(stderr,"usage: ssltest [args ...]\n");	271	fprintf(stderr,"usage: ssltest [args ...]\n");
233	fprintf(stderr,"\n");	272	fprintf(stderr,"\n");
234	#ifdef OPENSSL_FIPS
235	fprintf(stderr,"-F - run test in FIPS mode\n");
236	#endif
237	fprintf(stderr," -server_auth - check server certificate\n");	273	fprintf(stderr," -server_auth - check server certificate\n");
238	fprintf(stderr," -client_auth - do client authentication\n");	274	fprintf(stderr," -client_auth - do client authentication\n");
239	fprintf(stderr," -proxy - allow proxy certificates\n");	275	fprintf(stderr," -proxy - allow proxy certificates\n");
@@ -252,6 +288,9 @@ static void sv_usage(void)
252	#ifndef OPENSSL_NO_ECDH	288	#ifndef OPENSSL_NO_ECDH
253	fprintf(stderr," -no_ecdhe - disable ECDHE\n");	289	fprintf(stderr," -no_ecdhe - disable ECDHE\n");
254	#endif	290	#endif
		291	#ifndef OPENSSL_NO_PSK
		292	fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");
		293	#endif
255	#ifndef OPENSSL_NO_SSL2	294	#ifndef OPENSSL_NO_SSL2
256	fprintf(stderr," -ssl2 - use SSLv2\n");	295	fprintf(stderr," -ssl2 - use SSLv2\n");
257	#endif	296	#endif
@@ -283,7 +322,7 @@ static void sv_usage(void)
283		322
284	static void print_details(SSL c_ssl, const char prefix)	323	static void print_details(SSL c_ssl, const char prefix)
285	{	324	{
286	SSL_CIPHER *ciph;	325	const SSL_CIPHER *ciph;
287	X509 *cert;	326	X509 *cert;
288		327
289	ciph=SSL_get_current_cipher(c_ssl);	328	ciph=SSL_get_current_cipher(c_ssl);
@@ -388,6 +427,25 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line)
388	}	427	}
389	}	428	}
390		429
		430	#ifdef TLSEXT_TYPE_opaque_prf_input
		431	struct cb_info_st { void *input; size_t len; int ret; };
		432	struct cb_info_st co1 = { "C", 1, 1 }; /* try to negotiate oqaque PRF input */
		433	struct cb_info_st co2 = { "C", 1, 2 }; /* insist on oqaque PRF input */
		434	struct cb_info_st so1 = { "S", 1, 1 }; /* try to negotiate oqaque PRF input */
		435	struct cb_info_st so2 = { "S", 1, 2 }; /* insist on oqaque PRF input */
		436
		437	int opaque_prf_input_cb(SSL ssl, void peerinput, size_t len, void *arg_)
		438	{
		439	struct cb_info_st *arg = arg_;
		440
		441	if (arg == NULL)
		442	return 1;
		443
		444	if (!SSL_set_tlsext_opaque_prf_input(ssl, arg->input, arg->len))
		445	return 0;
		446	return arg->ret;
		447	}
		448	#endif
391		449
392	int main(int argc, char *argv[])	450	int main(int argc, char *argv[])
393	{	451	{
@@ -409,19 +467,20 @@ int main(int argc, char *argv[])
409	#endif	467	#endif
410	SSL_CTX *s_ctx=NULL;	468	SSL_CTX *s_ctx=NULL;
411	SSL_CTX *c_ctx=NULL;	469	SSL_CTX *c_ctx=NULL;
412	SSL_METHOD *meth=NULL;	470	const SSL_METHOD *meth=NULL;
413	SSL c_ssl,s_ssl;	471	SSL c_ssl,s_ssl;
414	int number=1,reuse=0;	472	int number=1,reuse=0;
415	long bytes=256L;	473	long bytes=256L;
416	#ifndef OPENSSL_NO_DH	474	#ifndef OPENSSL_NO_DH
417	DH *dh;	475	DH *dh;
418	int dhe1024 = 1, dhe1024dsa = 0;	476	int dhe1024 = 0, dhe1024dsa = 0;
419	#endif	477	#endif
420	#ifndef OPENSSL_NO_ECDH	478	#ifndef OPENSSL_NO_ECDH
421	EC_KEY *ecdh = NULL;	479	EC_KEY *ecdh = NULL;
422	#endif	480	#endif
423	int no_dhe = 0;	481	int no_dhe = 0;
424	int no_ecdhe = 0;	482	int no_ecdhe = 0;
		483	int no_psk = 0;
425	int print_time = 0;	484	int print_time = 0;
426	clock_t s_time = 0, c_time = 0;	485	clock_t s_time = 0, c_time = 0;
427	int comp = 0;	486	int comp = 0;
@@ -430,15 +489,12 @@ int main(int argc, char *argv[])
430	#endif	489	#endif
431	STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;	490	STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
432	int test_cipherlist = 0;	491	int test_cipherlist = 0;
433	#ifdef OPENSSL_FIPS
434	int fips_mode=0;
435	#endif
436		492
437	verbose = 0;	493	verbose = 0;
438	debug = 0;	494	debug = 0;
439	cipher = 0;	495	cipher = 0;
440		496
441	bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);	497	bio_err=BIO_new_fp(stderr,BIO_NOCLOSE\|BIO_FP_TEXT);
442		498
443	CRYPTO_set_locking_callback(lock_dbg_cb);	499	CRYPTO_set_locking_callback(lock_dbg_cb);
444		500
@@ -457,23 +513,14 @@ int main(int argc, char *argv[])
457		513
458	RAND_seed(rnd_seed, sizeof rnd_seed);	514	RAND_seed(rnd_seed, sizeof rnd_seed);
459		515
460	bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);	516	bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE\|BIO_FP_TEXT);
461		517
462	argc--;	518	argc--;
463	argv++;	519	argv++;
464		520
465	while (argc >= 1)	521	while (argc >= 1)
466	{	522	{
467	if(!strcmp(*argv,"-F"))	523	if (strcmp(*argv,"-server_auth") == 0)
468	{
469	#ifdef OPENSSL_FIPS
470	fips_mode=1;
471	#else
472	fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
473	EXIT(0);
474	#endif
475	}
476	else if (strcmp(*argv,"-server_auth") == 0)
477	server_auth=1;	524	server_auth=1;
478	else if (strcmp(*argv,"-client_auth") == 0)	525	else if (strcmp(*argv,"-client_auth") == 0)
479	client_auth=1;	526	client_auth=1;
@@ -513,6 +560,20 @@ int main(int argc, char *argv[])
513	no_dhe=1;	560	no_dhe=1;
514	else if (strcmp(*argv,"-no_ecdhe") == 0)	561	else if (strcmp(*argv,"-no_ecdhe") == 0)
515	no_ecdhe=1;	562	no_ecdhe=1;
		563	else if (strcmp(*argv,"-psk") == 0)
		564	{
		565	if (--argc < 1) goto bad;
		566	psk_key=*(++argv);
		567	#ifndef OPENSSL_NO_PSK
		568	if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key))
		569	{
		570	BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
		571	goto bad;
		572	}
		573	#else
		574	no_psk=1;
		575	#endif
		576	}
516	else if (strcmp(*argv,"-ssl2") == 0)	577	else if (strcmp(*argv,"-ssl2") == 0)
517	ssl2=1;	578	ssl2=1;
518	else if (strcmp(*argv,"-tls1") == 0)	579	else if (strcmp(*argv,"-tls1") == 0)
@@ -655,20 +716,6 @@ bad:
655	EXIT(1);	716	EXIT(1);
656	}	717	}
657		718
658	#ifdef OPENSSL_FIPS
659	if(fips_mode)
660	{
661	if(!FIPS_mode_set(1))
662	{
663	ERR_load_crypto_strings();
664	ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
665	EXIT(1);
666	}
667	else
668	fprintf(stderr,"* IN FIPS MODE *\n");
669	}
670	#endif
671
672	if (print_time)	719	if (print_time)
673	{	720	{
674	if (!bio_pair)	721	if (!bio_pair)
@@ -813,6 +860,13 @@ bad:
813	SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);	860	SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
814	#endif	861	#endif
815		862
		863	#ifdef TLSEXT_TYPE_opaque_prf_input
		864	SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb);
		865	SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb);
		866	SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1); /* or &co2 or NULL */
		867	SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1); /* or &so2 or NULL */
		868	#endif
		869
816	if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))	870	if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
817	{	871	{
818	ERR_print_errors(bio_err);	872	ERR_print_errors(bio_err);
@@ -864,6 +918,31 @@ bad:
864	SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);	918	SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
865	}	919	}
866		920
		921	/* Use PSK only if PSK key is given */
		922	if (psk_key != NULL)
		923	{
		924	/* no_psk is used to avoid putting psk command to openssl tool */
		925	if (no_psk)
		926	{
		927	/* if PSK is not compiled in and psk key is
		928	* given, do nothing and exit successfully */
		929	ret=0;
		930	goto end;
		931	}
		932	#ifndef OPENSSL_NO_PSK
		933	SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
		934	SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
		935	if (debug)
		936	BIO_printf(bio_err,"setting PSK identity hint to s_ctx\n");
		937	if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint"))
		938	{
		939	BIO_printf(bio_err,"error setting PSK identity hint to s_ctx\n");
		940	ERR_print_errors(bio_err);
		941	goto end;
		942	}
		943	#endif
		944	}
		945
867	c_ssl=SSL_new(c_ctx);	946	c_ssl=SSL_new(c_ctx);
868	s_ssl=SSL_new(s_ctx);	947	s_ssl=SSL_new(s_ctx);
869		948
@@ -940,7 +1019,7 @@ end:
940	#endif	1019	#endif
941	CRYPTO_cleanup_all_ex_data();	1020	CRYPTO_cleanup_all_ex_data();
942	ERR_free_strings();	1021	ERR_free_strings();
943	ERR_remove_state(0);	1022	ERR_remove_thread_state(NULL);
944	EVP_cleanup();	1023	EVP_cleanup();
945	CRYPTO_mem_leaks(bio_err);	1024	CRYPTO_mem_leaks(bio_err);
946	if (bio_err != NULL) BIO_free(bio_err);	1025	if (bio_err != NULL) BIO_free(bio_err);
@@ -2090,7 +2169,15 @@ static int MS_CALLBACK app_verify_callback(X509_STORE_CTX ctx, void arg)
2090	}	2169	}
2091		2170
2092	#ifndef OPENSSL_NO_X509_VERIFY	2171	#ifndef OPENSSL_NO_X509_VERIFY
		2172	# ifdef OPENSSL_FIPS
		2173	if(s->version == TLS1_VERSION)
		2174	FIPS_allow_md5(1);
		2175	# endif
2093	ok = X509_verify_cert(ctx);	2176	ok = X509_verify_cert(ctx);
		2177	# ifdef OPENSSL_FIPS
		2178	if(s->version == TLS1_VERSION)
		2179	FIPS_allow_md5(0);
		2180	# endif
2094	#endif	2181	#endif
2095		2182
2096	if (cb_arg->proxy_auth)	2183	if (cb_arg->proxy_auth)
@@ -2259,11 +2346,74 @@ static DH *get_dh1024dsa()
2259	}	2346	}
2260	#endif	2347	#endif
2261		2348
		2349	#ifndef OPENSSL_NO_PSK
		2350	/* convert the PSK key (psk_key) in ascii to binary (psk) */
		2351	static int psk_key2bn(const char pskkey, unsigned char psk,
		2352	unsigned int max_psk_len)
		2353	{
		2354	int ret;
		2355	BIGNUM *bn = NULL;
		2356
		2357	ret = BN_hex2bn(&bn, pskkey);
		2358	if (!ret)
		2359	{
		2360	BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", pskkey);
		2361	if (bn)
		2362	BN_free(bn);
		2363	return 0;
		2364	}
		2365	if (BN_num_bytes(bn) > (int)max_psk_len)
		2366	{
		2367	BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
		2368	max_psk_len, BN_num_bytes(bn));
		2369	BN_free(bn);
		2370	return 0;
		2371	}
		2372	ret = BN_bn2bin(bn, psk);
		2373	BN_free(bn);
		2374	return ret;
		2375	}
		2376
		2377	static unsigned int psk_client_callback(SSL ssl, const char hint, char *identity,
		2378	unsigned int max_identity_len, unsigned char *psk,
		2379	unsigned int max_psk_len)
		2380	{
		2381	int ret;
		2382	unsigned int psk_len = 0;
		2383
		2384	ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
		2385	if (ret < 0)
		2386	goto out_err;
		2387	if (debug)
		2388	fprintf(stderr, "client: created identity '%s' len=%d\n", identity, ret);
		2389	ret = psk_key2bn(psk_key, psk, max_psk_len);
		2390	if (ret < 0)
		2391	goto out_err;
		2392	psk_len = ret;
		2393	out_err:
		2394	return psk_len;
		2395	}
		2396
		2397	static unsigned int psk_server_callback(SSL ssl, const char identity,
		2398	unsigned char *psk, unsigned int max_psk_len)
		2399	{
		2400	unsigned int psk_len=0;
		2401
		2402	if (strcmp(identity, "Client_identity") != 0)
		2403	{
		2404	BIO_printf(bio_err, "server: PSK error: client identity not found\n");
		2405	return 0;
		2406	}
		2407	psk_len=psk_key2bn(psk_key, psk, max_psk_len);
		2408	return psk_len;
		2409	}
		2410	#endif
		2411
2262	static int do_test_cipherlist(void)	2412	static int do_test_cipherlist(void)
2263	{	2413	{
2264	int i = 0;	2414	int i = 0;
2265	const SSL_METHOD *meth;	2415	const SSL_METHOD *meth;
2266	SSL_CIPHER ci, tci = NULL;	2416	const SSL_CIPHER ci, tci = NULL;
2267		2417
2268	#ifndef OPENSSL_NO_SSL2	2418	#ifndef OPENSSL_NO_SSL2
2269	fprintf(stderr, "testing SSLv2 cipher list order: ");	2419	fprintf(stderr, "testing SSLv2 cipher list order: ");