int main(int argc, char *argv[]) { /* enable memory leak checking unless explicitly disabled */ if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off")))) { CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); } else { /* OPENSSL_DEBUG_MEMORY=off */ CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0); } CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); ERR_load_crypto_strings(); RAND_seed(rnd_seed, sizeof rnd_seed); /* or BN_generate_prime may fail */ prime_field_tests(); puts(""); char2_field_tests(); /* test the internal curves */ internal_curve_test(); #ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); #endif CRYPTO_cleanup_all_ex_data(); ERR_free_strings(); ERR_remove_state(0); CRYPTO_mem_leaks_fp(stderr); return 0; }
int main(int argc, char **argv) { int i; testdata *test = test_cases; CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); OpenSSL_add_all_digests(); # ifndef OPENSSL_NO_ENGINE ENGINE_load_builtin_engines(); ENGINE_register_all_digests(); # endif printf("PKCS5_PBKDF2_HMAC() tests "); for (i = 0; test->pass != NULL; i++, test++) { test_p5_pbkdf2(i, "sha1", test, sha1_results[i]); test_p5_pbkdf2(i, "sha256", test, sha256_results[i]); test_p5_pbkdf2(i, "sha512", test, sha512_results[i]); printf("."); } printf(" done\n"); # ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); # endif EVP_cleanup(); CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); ERR_free_strings(); CRYPTO_mem_leaks_fp(stderr); return 0; }
/* Notice the program will be memory leak, as Mem_lhas is not free, ** and record the user malloc informations. */ int main() { char *p = NULL; int i; BIO *b = NULL; // There are two methods calls debug functions. // 1, build with -DCRYPTO_MDEBUG // 2, CRYPTO_malloc_debug_init(), CRYPTO_set_mem_debug_options() CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); MemCheck_start(); //p = OPENSSL_malloc(4); //p = OPENSSL_remalloc(p, 40); p = OPENSSL_malloc(1024); for(i = 0; i < 1024; i++) memset(&p[i], i, 1); OPENSSL_free(p); b = BIO_new_file("leak.log", "w"); CRYPTO_mem_leaks(b); BIO_free(b); return 0; }
int main(void) { CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); ERR_load_crypto_strings(); /* Load up the software EVP_CIPHER and EVP_MD definitions */ OpenSSL_add_all_ciphers(); OpenSSL_add_all_digests(); if (!test_EVP_DigestSignInit()) { fprintf(stderr, "EVP_DigestSignInit failed\n"); return 1; } if (!test_EVP_DigestVerifyInit()) { fprintf(stderr, "EVP_DigestVerifyInit failed\n"); return 1; } if (!test_d2i_AutoPrivateKey(kExampleRSAKeyDER, sizeof(kExampleRSAKeyDER), EVP_PKEY_RSA)) { fprintf(stderr, "d2i_AutoPrivateKey(kExampleRSAKeyDER) failed\n"); return 1; } if (!test_d2i_AutoPrivateKey (kExampleRSAKeyPKCS8, sizeof(kExampleRSAKeyPKCS8), EVP_PKEY_RSA)) { fprintf(stderr, "d2i_AutoPrivateKey(kExampleRSAKeyPKCS8) failed\n"); return 1; } #ifndef OPENSSL_NO_EC if (!test_d2i_AutoPrivateKey(kExampleECKeyDER, sizeof(kExampleECKeyDER), EVP_PKEY_EC)) { fprintf(stderr, "d2i_AutoPrivateKey(kExampleECKeyDER) failed\n"); return 1; } if (!test_EVP_PKCS82PKEY()) { fprintf(stderr, "test_EVP_PKCS82PKEY failed\n"); return 1; } #endif EVP_cleanup(); CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); ERR_free_strings(); CRYPTO_mem_leaks_fp(stderr); printf("PASS\n"); return 0; }
isc_result_t dst__openssl_init() { isc_result_t result; #ifdef DNS_CRYPTO_LEAKS CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); #endif CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free); nlocks = CRYPTO_num_locks(); locks = mem_alloc(sizeof(isc_mutex_t) * nlocks); if (locks == NULL) return (ISC_R_NOMEMORY); result = isc_mutexblock_init(locks, nlocks); if (result != ISC_R_SUCCESS) goto cleanup_mutexalloc; CRYPTO_set_locking_callback(lock_callback); CRYPTO_set_id_callback(id_callback); rm = mem_alloc(sizeof(RAND_METHOD)); if (rm == NULL) { result = ISC_R_NOMEMORY; goto cleanup_mutexinit; } rm->seed = NULL; rm->bytes = entropy_get; rm->cleanup = NULL; rm->add = entropy_add; rm->pseudorand = entropy_getpseudo; rm->status = entropy_status; #ifdef USE_ENGINE e = ENGINE_new(); if (e == NULL) { result = ISC_R_NOMEMORY; goto cleanup_rm; } ENGINE_set_RAND(e, rm); RAND_set_rand_method(rm); #else RAND_set_rand_method(rm); #endif /* USE_ENGINE */ return (ISC_R_SUCCESS); #ifdef USE_ENGINE cleanup_rm: mem_free(rm); #endif cleanup_mutexinit: CRYPTO_set_locking_callback(NULL); DESTROYMUTEXBLOCK(locks, nlocks); cleanup_mutexalloc: mem_free(locks); return (result); }
int main(void) { int ret = 1; BIO *out; out = BIO_new_fp(stdout, BIO_NOCLOSE); /* enable memory leak checking unless explicitly disabled */ if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off")))) { CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); } else { /* OPENSSL_DEBUG_MEMORY=off */ CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0); } CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); ERR_load_crypto_strings(); /* initialize the prng */ RAND_seed(rnd_seed, sizeof(rnd_seed)); /* the tests */ if (!x9_62_tests(out)) goto err; if (!test_builtin(out)) goto err; ret = 0; err: if (ret) BIO_printf(out, "\nECDSA test failed\n"); else BIO_printf(out, "\nECDSA test passed\n"); if (ret) ERR_print_errors(out); CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); ERR_free_strings(); CRYPTO_mem_leaks(out); if (out != NULL) BIO_free(out); return ret; }
int main(int argc, char **argv) { #ifdef ASYNC_NULL fprintf(stderr, "NULL implementation - skipping async tests\n"); #else CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); if ( !test_ASYNC_init() || !test_ASYNC_start_job() || !test_ASYNC_get_current_job() || !test_ASYNC_get_wait_fd() || !test_ASYNC_block_pause()) { return 1; } #endif printf("PASS\n"); return 0; }
int openssl_main(int Argc, char *Argv[]) #endif { ARGS arg; #define PROG_NAME_SIZE 39 char pname[PROG_NAME_SIZE+1]; FUNCTION f,*fp; MS_STATIC const char *prompt; MS_STATIC char buf[1024]; char *to_free=NULL; int n,i,ret=0; int argc; char **argv,*p; LHASH *prog=NULL; long errline; arg.data=NULL; arg.count=0; if (bio_err == NULL) if ((bio_err=BIO_new(BIO_s_file())) != NULL) #ifdef SYMBIAN BIO_set_fp(bio_err,fp_stderr,BIO_NOCLOSE|BIO_FP_TEXT); #else BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); #endif if (getenv("OPENSSL_DEBUG_MEMORY") != NULL) /* if not defined, use compiled-in library defaults */ { if (!(0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))) { CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); } else { /* OPENSSL_DEBUG_MEMORY=off */ CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0); } } CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); #if 0 if (getenv("OPENSSL_DEBUG_LOCKING") != NULL) #endif { CRYPTO_set_locking_callback(lock_dbg_cb); } apps_startup(); /* Lets load up our environment a little */ p=getenv("OPENSSL_CONF"); if (p == NULL) p=getenv("SSLEAY_CONF"); if (p == NULL) p=to_free=make_config_name(); default_config_file=p; config=NCONF_new(NULL); i=NCONF_load(config,p,&errline); if (i == 0) { NCONF_free(config); config = NULL; ERR_clear_error(); } prog=prog_init(); /* first check the program name */ program_name(Argv[0],pname,sizeof pname); f.name=pname; fp=(FUNCTION *)lh_retrieve(prog,&f); if (fp != NULL) { Argv[0]=pname; ret=fp->func(Argc,Argv); goto end; } /* ok, now check that there are not arguments, if there are, * run with them, shifting the ssleay off the front */ if (Argc != 1) { Argc--; Argv++; ret=do_cmd(prog,Argc,Argv); if (ret < 0) ret=0; goto end; } /* ok, lets enter the old 'OpenSSL>' mode */ for (;;) { ret=0; p=buf; n=sizeof buf; i=0; for (;;) { p[0]='\0'; if (i++) prompt=">"; else prompt="OpenSSL> "; #ifndef SYMBIAN fputs(prompt,stdout); fflush(stdout); fgets(p,n,stdin); #else fputs(prompt,stdout); fflush(stdout); fgets(p,n,stdin); #endif if (p[0] == '\0') goto end; i=strlen(p); if (i <= 1) break; if (p[i-2] != '\\') break; i-=2; p+=i; n-=i; } if (!chopup_args(&arg,buf,&argc,&argv)) break; ret=do_cmd(prog,argc,argv); if (ret < 0) { ret=0; goto end; } if (ret != 0) BIO_printf(bio_err,"error in %s\n",argv[0]); (void)BIO_flush(bio_err); } BIO_printf(bio_err,"bad exit\n"); ret=1; end: if (to_free) OPENSSL_free(to_free); if (config != NULL) { NCONF_free(config); config=NULL; } if (prog != NULL) lh_free(prog); if (arg.data != NULL) OPENSSL_free(arg.data); apps_shutdown(); CRYPTO_mem_leaks(bio_err); if (bio_err != NULL) { BIO_free(bio_err); bio_err=NULL; } return ret; // OPENSSL_EXIT(ret); }
int main(int Argc, char *Argv[]) { ARGS arg; #define PROG_NAME_SIZE 39 char pname[PROG_NAME_SIZE+1]; FUNCTION f,*fp; MS_STATIC const char *prompt; MS_STATIC char buf[1024]; char *to_free=NULL; int n,i,ret=0; int argc; char **argv,*p; LHASH_OF(FUNCTION) *prog=NULL; long errline; arg.data=NULL; arg.count=0; if (bio_err == NULL) if ((bio_err=BIO_new(BIO_s_file())) != NULL) BIO_set_fp(bio_err,OPENSSL_TYPE__FILE_STDERR,BIO_NOCLOSE|BIO_FP_TEXT); if (TINYCLR_SSL_GETENV("OPENSSL_DEBUG_MEMORY") != NULL) /* if not defined, use compiled-in library defaults */ { if (!(0 == TINYCLR_SSL_STRCMP(TINYCLR_SSL_GETENV("OPENSSL_DEBUG_MEMORY"), "off"))) { CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); } else { /* OPENSSL_DEBUG_MEMORY=off */ CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0); } } CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); #if 0 if (TINYCLR_SSL_GETENV("OPENSSL_DEBUG_LOCKING") != NULL) #endif { CRYPTO_set_locking_callback(lock_dbg_cb); } apps_startup(); /* Lets load up our environment a little */ p=TINYCLR_SSL_GETENV("OPENSSL_CONF"); if (p == NULL) p=TINYCLR_SSL_GETENV("SSLEAY_CONF"); if (p == NULL) p=to_free=make_config_name(); default_config_file=p; config=NCONF_new(NULL); i=NCONF_load(config,p,&errline); if (i == 0) { if (ERR_GET_REASON(ERR_peek_last_error()) == CONF_R_NO_SUCH_FILE) { BIO_printf(bio_err, "WARNING: can't open config file: %s\n",p); ERR_clear_error(); NCONF_free(config); config = NULL; } else { ERR_print_errors(bio_err); NCONF_free(config); TINYCLR_SSL_EXIT(1); } } prog=prog_init(); /* first check the program name */ program_name(Argv[0],pname,sizeof pname); f.name=pname; fp=lh_FUNCTION_retrieve(prog,&f); if (fp != NULL) { Argv[0]=pname; ret=fp->func(Argc,Argv); goto end; } /* ok, now check that there are not arguments, if there are, * run with them, shifting the ssleay off the front */ if (Argc != 1) { Argc--; Argv++; ret=do_cmd(prog,Argc,Argv); if (ret < 0) ret=0; goto end; } /* ok, lets enter the old 'OpenSSL>' mode */ for (;;) { ret=0; p=buf; n=sizeof buf; i=0; for (;;) { p[0]='\0'; if (i++) prompt=">"; else prompt="OpenSSL> "; TINYCLR_SSL_FPUTS(prompt,OPENSSL_TYPE__FILE_STDOUT); TINYCLR_SSL_FFLUSH(OPENSSL_TYPE__FILE_STDOUT); if (!TINYCLR_SSL_FGETS(p,n,OPENSSL_TYPE__FILE_STDIN)) goto end; if (p[0] == '\0') goto end; i=TINYCLR_SSL_STRLEN(p); if (i <= 1) break; if (p[i-2] != '\\') break; i-=2; p+=i; n-=i; } if (!chopup_args(&arg,buf,&argc,&argv)) break; ret=do_cmd(prog,argc,argv); if (ret < 0) { ret=0; goto end; } if (ret != 0) BIO_printf(bio_err,"error in %s\n",argv[0]); (void)BIO_flush(bio_err); } BIO_printf(bio_err,"bad exit\n"); ret=1; end: if (to_free) OPENSSL_free(to_free); if (config != NULL) { NCONF_free(config); config=NULL; } if (prog != NULL) lh_FUNCTION_free(prog); if (arg.data != NULL) OPENSSL_free(arg.data); apps_shutdown(); CRYPTO_mem_leaks(bio_err); if (bio_err != NULL) { BIO_free(bio_err); bio_err=NULL; } OPENSSL_EXIT(ret); }
int main(int argc, char *argv[]) { ENGINE *block[512]; char buf[256]; const char *id, *name; ENGINE *ptr; int loop; int to_return = 1; ENGINE *new_h1 = NULL; ENGINE *new_h2 = NULL; ENGINE *new_h3 = NULL; ENGINE *new_h4 = NULL; /* enable memory leak checking unless explicitly disabled */ if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off")))) { CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); } else { /* OPENSSL_DEBUG_MEMORY=off */ CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0); } CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); ERR_load_crypto_strings(); memset(block, 0, 512 * sizeof(ENGINE *)); if(((new_h1 = ENGINE_new()) == NULL) || !ENGINE_set_id(new_h1, "test_id0") || !ENGINE_set_name(new_h1, "First test item") || ((new_h2 = ENGINE_new()) == NULL) || !ENGINE_set_id(new_h2, "test_id1") || !ENGINE_set_name(new_h2, "Second test item") || ((new_h3 = ENGINE_new()) == NULL) || !ENGINE_set_id(new_h3, "test_id2") || !ENGINE_set_name(new_h3, "Third test item") || ((new_h4 = ENGINE_new()) == NULL) || !ENGINE_set_id(new_h4, "test_id3") || !ENGINE_set_name(new_h4, "Fourth test item")) { printf("Couldn't set up test ENGINE structures\n"); goto end; } printf("\nenginetest beginning\n\n"); display_engine_list(); if(!ENGINE_add(new_h1)) { printf("Add failed!\n"); goto end; } display_engine_list(); ptr = ENGINE_get_first(); if(!ENGINE_remove(ptr)) { printf("Remove failed!\n"); goto end; } if (ptr) ENGINE_free(ptr); display_engine_list(); if(!ENGINE_add(new_h3) || !ENGINE_add(new_h2)) { printf("Add failed!\n"); goto end; } display_engine_list(); if(!ENGINE_remove(new_h2)) { printf("Remove failed!\n"); goto end; } display_engine_list(); if(!ENGINE_add(new_h4)) { printf("Add failed!\n"); goto end; } display_engine_list(); if(ENGINE_add(new_h3)) { printf("Add *should* have failed but didn't!\n"); goto end; } else printf("Add that should fail did.\n"); ERR_clear_error(); if(ENGINE_remove(new_h2)) { printf("Remove *should* have failed but didn't!\n"); goto end; } else printf("Remove that should fail did.\n"); ERR_clear_error(); if(!ENGINE_remove(new_h3)) { printf("Remove failed!\n"); goto end; } display_engine_list(); if(!ENGINE_remove(new_h4)) { printf("Remove failed!\n"); goto end; } display_engine_list(); /* Depending on whether there's any hardware support compiled * in, this remove may be destined to fail. */ ptr = ENGINE_get_first(); if(ptr) if(!ENGINE_remove(ptr)) printf("Remove failed!i - probably no hardware " "support present.\n"); if (ptr) ENGINE_free(ptr); display_engine_list(); if(!ENGINE_add(new_h1) || !ENGINE_remove(new_h1)) { printf("Couldn't add and remove to an empty list!\n"); goto end; } else printf("Successfully added and removed to an empty list!\n"); printf("About to beef up the engine-type list\n"); for(loop = 0; loop < 512; loop++) { sprintf(buf, "id%i", loop); id = BUF_strdup(buf); sprintf(buf, "Fake engine type %i", loop); name = BUF_strdup(buf); if(((block[loop] = ENGINE_new()) == NULL) || !ENGINE_set_id(block[loop], id) || !ENGINE_set_name(block[loop], name)) { printf("Couldn't create block of ENGINE structures.\n" "I'll probably also core-dump now, damn.\n"); goto end; } } for(loop = 0; loop < 512; loop++) { if(!ENGINE_add(block[loop])) { printf("\nAdding stopped at %i, (%s,%s)\n", loop, ENGINE_get_id(block[loop]), ENGINE_get_name(block[loop])); goto cleanup_loop; } else printf("."); fflush(stdout); } cleanup_loop: printf("\nAbout to empty the engine-type list\n"); while((ptr = ENGINE_get_first()) != NULL) { if(!ENGINE_remove(ptr)) { printf("\nRemove failed!\n"); goto end; } ENGINE_free(ptr); printf("."); fflush(stdout); } for(loop = 0; loop < 512; loop++) { OPENSSL_free((void *)ENGINE_get_id(block[loop])); OPENSSL_free((void *)ENGINE_get_name(block[loop])); } printf("\nTests completed happily\n"); to_return = 0; end: if(to_return) ERR_print_errors_fp(stderr); if(new_h1) ENGINE_free(new_h1); if(new_h2) ENGINE_free(new_h2); if(new_h3) ENGINE_free(new_h3); if(new_h4) ENGINE_free(new_h4); for(loop = 0; loop < 512; loop++) if(block[loop]) ENGINE_free(block[loop]); ENGINE_cleanup(); CRYPTO_cleanup_all_ex_data(); ERR_free_strings(); ERR_remove_thread_state(NULL); CRYPTO_mem_leaks_fp(stderr); return to_return; }
isc_result_t dst__openssl_init(const char *engine) { isc_result_t result; #ifdef USE_ENGINE ENGINE *re; #else UNUSED(engine); #endif #ifdef DNS_CRYPTO_LEAKS CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); #endif CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free); nlocks = CRYPTO_num_locks(); locks = mem_alloc(sizeof(isc_mutex_t) * nlocks); if (locks == NULL) return (ISC_R_NOMEMORY); result = isc_mutexblock_init(locks, nlocks); if (result != ISC_R_SUCCESS) goto cleanup_mutexalloc; CRYPTO_set_locking_callback(lock_callback); #if OPENSSL_VERSION_NUMBER < 0x10100000L CRYPTO_set_id_callback(id_callback); #endif ERR_load_crypto_strings(); rm = mem_alloc(sizeof(RAND_METHOD)); if (rm == NULL) { result = ISC_R_NOMEMORY; goto cleanup_mutexinit; } rm->seed = NULL; rm->bytes = entropy_get; rm->cleanup = NULL; rm->add = entropy_add; rm->pseudorand = entropy_getpseudo; rm->status = entropy_status; #ifdef USE_ENGINE OPENSSL_config(NULL); if (engine != NULL && *engine == '\0') engine = NULL; if (engine != NULL) { e = ENGINE_by_id(engine); if (e == NULL) { result = DST_R_NOENGINE; goto cleanup_rm; } /* This will init the engine. */ if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { result = DST_R_NOENGINE; goto cleanup_rm; } } re = ENGINE_get_default_RAND(); if (re == NULL) { re = ENGINE_new(); if (re == NULL) { result = ISC_R_NOMEMORY; goto cleanup_rm; } ENGINE_set_RAND(re, rm); ENGINE_set_default_RAND(re); ENGINE_free(re); } else ENGINE_finish(re); #else RAND_set_rand_method(rm); #endif /* USE_ENGINE */ return (ISC_R_SUCCESS); #ifdef USE_ENGINE cleanup_rm: if (e != NULL) ENGINE_free(e); e = NULL; mem_free(rm); rm = NULL; #endif cleanup_mutexinit: CRYPTO_set_locking_callback(NULL); DESTROYMUTEXBLOCK(locks, nlocks); cleanup_mutexalloc: mem_free(locks); locks = NULL; return (result); }
void mem_debug_begin() { CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); }
int main(int argc, char *argv[]) { FUNCTION f, *fp; LHASH_OF(FUNCTION) *prog = NULL; char **copied_argv = NULL; char *p, *pname; char buf[1024]; const char *prompt; ARGS arg; int first, n, i, ret = 0; arg.argv = NULL; arg.size = 0; /* Set up some of the environment. */ default_config_file = make_config_name(); bio_in = dup_bio_in(FORMAT_TEXT); bio_out = dup_bio_out(FORMAT_TEXT); bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT); #if defined( OPENSSL_SYS_VMS) copied_argv = argv = copy_argv(&argc, argv); #endif p = getenv("OPENSSL_DEBUG_MEMORY"); if (p == NULL) /* if not set, use compiled-in default */ ; else if (strcmp(p, "off") != 0) { CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); } else { CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0); } CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); CRYPTO_set_locking_callback(lock_dbg_cb); if (getenv("OPENSSL_FIPS")) { #ifdef OPENSSL_FIPS if (!FIPS_mode_set(1)) { ERR_load_crypto_strings(); ERR_print_errors(bio_err); return 1; } #else BIO_printf(bio_err, "FIPS mode not supported.\n"); return 1; #endif } if (!apps_startup()) goto end; prog = prog_init(); pname = opt_progname(argv[0]); /* first check the program name */ f.name = pname; fp = lh_FUNCTION_retrieve(prog, &f); if (fp != NULL) { argv[0] = pname; ret = fp->func(argc, argv); goto end; } /* If there is stuff on the command line, run with that. */ if (argc != 1) { argc--; argv++; ret = do_cmd(prog, argc, argv); if (ret < 0) ret = 0; goto end; } /* ok, lets enter interactive mode */ for (;;) { ret = 0; /* Read a line, continue reading if line ends with \ */ for (p = buf, n = sizeof buf, i = 0, first = 1; n > 0; first = 0) { prompt = first ? "OpenSSL> " : "> "; p[0] = '\0'; #ifndef READLINE fputs(prompt, stdout); fflush(stdout); if (!fgets(p, n, stdin)) goto end; if (p[0] == '\0') goto end; i = strlen(p); if (i <= 1) break; if (p[i - 2] != '\\') break; i -= 2; p += i; n -= i; #else { extern char *readline(const char *); extern void add_history(const char *cp); char *text; char *text = readline(prompt); if (text == NULL) goto end; i = strlen(text); if (i == 0 || i > n) break; if (text[i - 1] != '\\') { p += strlen(strcpy(p, text)); free(text); add_history(buf); break; } text[i - 1] = '\0'; p += strlen(strcpy(p, text)); free(text); n -= i; } #endif } if (!chopup_args(&arg, buf)) { BIO_printf(bio_err, "Can't parse (no memory?)\n"); break; } ret = do_cmd(prog, arg.argc, arg.argv); if (ret == EXIT_THE_PROGRAM) { ret = 0; goto end; } if (ret != 0) BIO_printf(bio_err, "error in %s\n", arg.argv[0]); (void)BIO_flush(bio_out); (void)BIO_flush(bio_err); } ret = 1; end: OPENSSL_free(copied_argv); OPENSSL_free(default_config_file); NCONF_free(config); config = NULL; lh_FUNCTION_free(prog); OPENSSL_free(arg.argv); BIO_free(bio_in); BIO_free_all(bio_out); apps_shutdown(); CRYPTO_mem_leaks(bio_err); BIO_free(bio_err); return (ret); }
/* * OpenSSL provides SSL, TLS and general purpose cryptography. It wraps the * OpenSSL[https://www.openssl.org/] library. * * = Examples * * All examples assume you have loaded OpenSSL with: * * require 'openssl' * * These examples build atop each other. For example the key created in the * next is used in throughout these examples. * * == Keys * * === Creating a Key * * This example creates a 2048 bit RSA keypair and writes it to the current * directory. * * key = OpenSSL::PKey::RSA.new 2048 * * open 'private_key.pem', 'w' do |io| io.write key.to_pem end * open 'public_key.pem', 'w' do |io| io.write key.public_key.to_pem end * * === Exporting a Key * * Keys saved to disk without encryption are not secure as anyone who gets * ahold of the key may use it unless it is encrypted. In order to securely * export a key you may export it with a pass phrase. * * cipher = OpenSSL::Cipher.new 'AES-128-CBC' * pass_phrase = 'my secure pass phrase goes here' * * key_secure = key.export cipher, pass_phrase * * open 'private.secure.pem', 'w' do |io| * io.write key_secure * end * * OpenSSL::Cipher.ciphers returns a list of available ciphers. * * === Loading a Key * * A key can also be loaded from a file. * * key2 = OpenSSL::PKey::RSA.new File.read 'private_key.pem' * key2.public? # => true * key2.private? # => true * * or * * key3 = OpenSSL::PKey::RSA.new File.read 'public_key.pem' * key3.public? # => true * key3.private? # => false * * === Loading an Encrypted Key * * OpenSSL will prompt you for your pass phrase when loading an encrypted key. * If you will not be able to type in the pass phrase you may provide it when * loading the key: * * key4_pem = File.read 'private.secure.pem' * pass_phrase = 'my secure pass phrase goes here' * key4 = OpenSSL::PKey::RSA.new key4_pem, pass_phrase * * == RSA Encryption * * RSA provides encryption and decryption using the public and private keys. * You can use a variety of padding methods depending upon the intended use of * encrypted data. * * === Encryption & Decryption * * Asymmetric public/private key encryption is slow and victim to attack in * cases where it is used without padding or directly to encrypt larger chunks * of data. Typical use cases for RSA encryption involve "wrapping" a symmetric * key with the public key of the recipient who would "unwrap" that symmetric * key again using their private key. * The following illustrates a simplified example of such a key transport * scheme. It shouldn't be used in practice, though, standardized protocols * should always be preferred. * * wrapped_key = key.public_encrypt key * * A symmetric key encrypted with the public key can only be decrypted with * the corresponding private key of the recipient. * * original_key = key.private_decrypt wrapped_key * * By default PKCS#1 padding will be used, but it is also possible to use * other forms of padding, see PKey::RSA for further details. * * === Signatures * * Using "private_encrypt" to encrypt some data with the private key is * equivalent to applying a digital signature to the data. A verifying * party may validate the signature by comparing the result of decrypting * the signature with "public_decrypt" to the original data. However, * OpenSSL::PKey already has methods "sign" and "verify" that handle * digital signatures in a standardized way - "private_encrypt" and * "public_decrypt" shouldn't be used in practice. * * To sign a document, a cryptographically secure hash of the document is * computed first, which is then signed using the private key. * * digest = OpenSSL::Digest::SHA256.new * signature = key.sign digest, document * * To validate the signature, again a hash of the document is computed and * the signature is decrypted using the public key. The result is then * compared to the hash just computed, if they are equal the signature was * valid. * * digest = OpenSSL::Digest::SHA256.new * if key.verify digest, signature, document * puts 'Valid' * else * puts 'Invalid' * end * * == PBKDF2 Password-based Encryption * * If supported by the underlying OpenSSL version used, Password-based * Encryption should use the features of PKCS5. If not supported or if * required by legacy applications, the older, less secure methods specified * in RFC 2898 are also supported (see below). * * PKCS5 supports PBKDF2 as it was specified in PKCS#5 * v2.0[http://www.rsa.com/rsalabs/node.asp?id=2127]. It still uses a * password, a salt, and additionally a number of iterations that will * slow the key derivation process down. The slower this is, the more work * it requires being able to brute-force the resulting key. * * === Encryption * * The strategy is to first instantiate a Cipher for encryption, and * then to generate a random IV plus a key derived from the password * using PBKDF2. PKCS #5 v2.0 recommends at least 8 bytes for the salt, * the number of iterations largely depends on the hardware being used. * * cipher = OpenSSL::Cipher.new 'AES-128-CBC' * cipher.encrypt * iv = cipher.random_iv * * pwd = 'some hopefully not to easily guessable password' * salt = OpenSSL::Random.random_bytes 16 * iter = 20000 * key_len = cipher.key_len * digest = OpenSSL::Digest::SHA256.new * * key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest) * cipher.key = key * * Now encrypt the data: * * encrypted = cipher.update document * encrypted << cipher.final * * === Decryption * * Use the same steps as before to derive the symmetric AES key, this time * setting the Cipher up for decryption. * * cipher = OpenSSL::Cipher.new 'AES-128-CBC' * cipher.decrypt * cipher.iv = iv # the one generated with #random_iv * * pwd = 'some hopefully not to easily guessable password' * salt = ... # the one generated above * iter = 20000 * key_len = cipher.key_len * digest = OpenSSL::Digest::SHA256.new * * key = OpenSSL::PKCS5.pbkdf2_hmac(pwd, salt, iter, key_len, digest) * cipher.key = key * * Now decrypt the data: * * decrypted = cipher.update encrypted * decrypted << cipher.final * * == PKCS #5 Password-based Encryption * * PKCS #5 is a password-based encryption standard documented at * RFC2898[http://www.ietf.org/rfc/rfc2898.txt]. It allows a short password or * passphrase to be used to create a secure encryption key. If possible, PBKDF2 * as described above should be used if the circumstances allow it. * * PKCS #5 uses a Cipher, a pass phrase and a salt to generate an encryption * key. * * pass_phrase = 'my secure pass phrase goes here' * salt = '8 octets' * * === Encryption * * First set up the cipher for encryption * * encryptor = OpenSSL::Cipher.new 'AES-128-CBC' * encryptor.encrypt * encryptor.pkcs5_keyivgen pass_phrase, salt * * Then pass the data you want to encrypt through * * encrypted = encryptor.update 'top secret document' * encrypted << encryptor.final * * === Decryption * * Use a new Cipher instance set up for decryption * * decryptor = OpenSSL::Cipher.new 'AES-128-CBC' * decryptor.decrypt * decryptor.pkcs5_keyivgen pass_phrase, salt * * Then pass the data you want to decrypt through * * plain = decryptor.update encrypted * plain << decryptor.final * * == X509 Certificates * * === Creating a Certificate * * This example creates a self-signed certificate using an RSA key and a SHA1 * signature. * * key = OpenSSL::PKey::RSA.new 2048 * name = OpenSSL::X509::Name.parse 'CN=nobody/DC=example' * * cert = OpenSSL::X509::Certificate.new * cert.version = 2 * cert.serial = 0 * cert.not_before = Time.now * cert.not_after = Time.now + 3600 * * cert.public_key = key.public_key * cert.subject = name * * === Certificate Extensions * * You can add extensions to the certificate with * OpenSSL::SSL::ExtensionFactory to indicate the purpose of the certificate. * * extension_factory = OpenSSL::X509::ExtensionFactory.new nil, cert * * cert.add_extension \ * extension_factory.create_extension('basicConstraints', 'CA:FALSE', true) * * cert.add_extension \ * extension_factory.create_extension( * 'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature') * * cert.add_extension \ * extension_factory.create_extension('subjectKeyIdentifier', 'hash') * * The list of supported extensions (and in some cases their possible values) * can be derived from the "objects.h" file in the OpenSSL source code. * * === Signing a Certificate * * To sign a certificate set the issuer and use OpenSSL::X509::Certificate#sign * with a digest algorithm. This creates a self-signed cert because we're using * the same name and key to sign the certificate as was used to create the * certificate. * * cert.issuer = name * cert.sign key, OpenSSL::Digest::SHA1.new * * open 'certificate.pem', 'w' do |io| io.write cert.to_pem end * * === Loading a Certificate * * Like a key, a cert can also be loaded from a file. * * cert2 = OpenSSL::X509::Certificate.new File.read 'certificate.pem' * * === Verifying a Certificate * * Certificate#verify will return true when a certificate was signed with the * given public key. * * raise 'certificate can not be verified' unless cert2.verify key * * == Certificate Authority * * A certificate authority (CA) is a trusted third party that allows you to * verify the ownership of unknown certificates. The CA issues key signatures * that indicate it trusts the user of that key. A user encountering the key * can verify the signature by using the CA's public key. * * === CA Key * * CA keys are valuable, so we encrypt and save it to disk and make sure it is * not readable by other users. * * ca_key = OpenSSL::PKey::RSA.new 2048 * pass_phrase = 'my secure pass phrase goes here' * * cipher = OpenSSL::Cipher.new 'AES-128-CBC' * * open 'ca_key.pem', 'w', 0400 do |io| * io.write ca_key.export(cipher, pass_phrase) * end * * === CA Certificate * * A CA certificate is created the same way we created a certificate above, but * with different extensions. * * ca_name = OpenSSL::X509::Name.parse 'CN=ca/DC=example' * * ca_cert = OpenSSL::X509::Certificate.new * ca_cert.serial = 0 * ca_cert.version = 2 * ca_cert.not_before = Time.now * ca_cert.not_after = Time.now + 86400 * * ca_cert.public_key = ca_key.public_key * ca_cert.subject = ca_name * ca_cert.issuer = ca_name * * extension_factory = OpenSSL::X509::ExtensionFactory.new * extension_factory.subject_certificate = ca_cert * extension_factory.issuer_certificate = ca_cert * * ca_cert.add_extension \ * extension_factory.create_extension('subjectKeyIdentifier', 'hash') * * This extension indicates the CA's key may be used as a CA. * * ca_cert.add_extension \ * extension_factory.create_extension('basicConstraints', 'CA:TRUE', true) * * This extension indicates the CA's key may be used to verify signatures on * both certificates and certificate revocations. * * ca_cert.add_extension \ * extension_factory.create_extension( * 'keyUsage', 'cRLSign,keyCertSign', true) * * Root CA certificates are self-signed. * * ca_cert.sign ca_key, OpenSSL::Digest::SHA1.new * * The CA certificate is saved to disk so it may be distributed to all the * users of the keys this CA will sign. * * open 'ca_cert.pem', 'w' do |io| * io.write ca_cert.to_pem * end * * === Certificate Signing Request * * The CA signs keys through a Certificate Signing Request (CSR). The CSR * contains the information necessary to identify the key. * * csr = OpenSSL::X509::Request.new * csr.version = 0 * csr.subject = name * csr.public_key = key.public_key * csr.sign key, OpenSSL::Digest::SHA1.new * * A CSR is saved to disk and sent to the CA for signing. * * open 'csr.pem', 'w' do |io| * io.write csr.to_pem * end * * === Creating a Certificate from a CSR * * Upon receiving a CSR the CA will verify it before signing it. A minimal * verification would be to check the CSR's signature. * * csr = OpenSSL::X509::Request.new File.read 'csr.pem' * * raise 'CSR can not be verified' unless csr.verify csr.public_key * * After verification a certificate is created, marked for various usages, * signed with the CA key and returned to the requester. * * csr_cert = OpenSSL::X509::Certificate.new * csr_cert.serial = 0 * csr_cert.version = 2 * csr_cert.not_before = Time.now * csr_cert.not_after = Time.now + 600 * * csr_cert.subject = csr.subject * csr_cert.public_key = csr.public_key * csr_cert.issuer = ca_cert.subject * * extension_factory = OpenSSL::X509::ExtensionFactory.new * extension_factory.subject_certificate = csr_cert * extension_factory.issuer_certificate = ca_cert * * csr_cert.add_extension \ * extension_factory.create_extension('basicConstraints', 'CA:FALSE') * * csr_cert.add_extension \ * extension_factory.create_extension( * 'keyUsage', 'keyEncipherment,dataEncipherment,digitalSignature') * * csr_cert.add_extension \ * extension_factory.create_extension('subjectKeyIdentifier', 'hash') * * csr_cert.sign ca_key, OpenSSL::Digest::SHA1.new * * open 'csr_cert.pem', 'w' do |io| * io.write csr_cert.to_pem * end * * == SSL and TLS Connections * * Using our created key and certificate we can create an SSL or TLS connection. * An SSLContext is used to set up an SSL session. * * context = OpenSSL::SSL::SSLContext.new * * === SSL Server * * An SSL server requires the certificate and private key to communicate * securely with its clients: * * context.cert = cert * context.key = key * * Then create an SSLServer with a TCP server socket and the context. Use the * SSLServer like an ordinary TCP server. * * require 'socket' * * tcp_server = TCPServer.new 5000 * ssl_server = OpenSSL::SSL::SSLServer.new tcp_server, context * * loop do * ssl_connection = ssl_server.accept * * data = connection.gets * * response = "I got #{data.dump}" * puts response * * connection.puts "I got #{data.dump}" * connection.close * end * * === SSL client * * An SSL client is created with a TCP socket and the context. * SSLSocket#connect must be called to initiate the SSL handshake and start * encryption. A key and certificate are not required for the client socket. * * Note that SSLSocket#close doesn't close the underlying socket by default. Set * SSLSocket#sync_close to true if you want. * * require 'socket' * * tcp_socket = TCPSocket.new 'localhost', 5000 * ssl_client = OpenSSL::SSL::SSLSocket.new tcp_socket, context * ssl_client.sync_close = true * ssl_client.connect * * ssl_client.puts "hello server!" * puts ssl_client.gets * * ssl_client.close # shutdown the TLS connection and close tcp_socket * * === Peer Verification * * An unverified SSL connection does not provide much security. For enhanced * security the client or server can verify the certificate of its peer. * * The client can be modified to verify the server's certificate against the * certificate authority's certificate: * * context.ca_file = 'ca_cert.pem' * context.verify_mode = OpenSSL::SSL::VERIFY_PEER * * require 'socket' * * tcp_socket = TCPSocket.new 'localhost', 5000 * ssl_client = OpenSSL::SSL::SSLSocket.new tcp_socket, context * ssl_client.connect * * ssl_client.puts "hello server!" * puts ssl_client.gets * * If the server certificate is invalid or <tt>context.ca_file</tt> is not set * when verifying peers an OpenSSL::SSL::SSLError will be raised. * */ void Init_openssl(void) { /* * Init timezone info */ #if 0 tzset(); #endif /* * Init all digests, ciphers */ #if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000 if (!OPENSSL_init_ssl(0, NULL)) rb_raise(rb_eRuntimeError, "OPENSSL_init_ssl"); #else OpenSSL_add_ssl_algorithms(); OpenSSL_add_all_algorithms(); ERR_load_crypto_strings(); SSL_load_error_strings(); #endif /* * Init main module */ mOSSL = rb_define_module("OpenSSL"); rb_global_variable(&mOSSL); /* * OpenSSL ruby extension version */ rb_define_const(mOSSL, "VERSION", rb_str_new2(OSSL_VERSION)); /* * Version of OpenSSL the ruby OpenSSL extension was built with */ rb_define_const(mOSSL, "OPENSSL_VERSION", rb_str_new2(OPENSSL_VERSION_TEXT)); /* * Version of OpenSSL the ruby OpenSSL extension is running with */ #if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000 rb_define_const(mOSSL, "OPENSSL_LIBRARY_VERSION", rb_str_new2(OpenSSL_version(OPENSSL_VERSION))); #else rb_define_const(mOSSL, "OPENSSL_LIBRARY_VERSION", rb_str_new2(SSLeay_version(SSLEAY_VERSION))); #endif /* * Version number of OpenSSL the ruby OpenSSL extension was built with * (base 16) */ rb_define_const(mOSSL, "OPENSSL_VERSION_NUMBER", INT2NUM(OPENSSL_VERSION_NUMBER)); /* * Boolean indicating whether OpenSSL is FIPS-capable or not */ rb_define_const(mOSSL, "OPENSSL_FIPS", #ifdef OPENSSL_FIPS Qtrue #else Qfalse #endif ); rb_define_module_function(mOSSL, "fips_mode", ossl_fips_mode_get, 0); rb_define_module_function(mOSSL, "fips_mode=", ossl_fips_mode_set, 1); /* * Generic error, * common for all classes under OpenSSL module */ eOSSLError = rb_define_class_under(mOSSL,"OpenSSLError",rb_eStandardError); rb_global_variable(&eOSSLError); /* * Init debug core */ dOSSL = Qfalse; rb_global_variable(&dOSSL); rb_define_module_function(mOSSL, "debug", ossl_debug_get, 0); rb_define_module_function(mOSSL, "debug=", ossl_debug_set, 1); rb_define_module_function(mOSSL, "errors", ossl_get_errors, 0); /* * Get ID of to_der */ ossl_s_to_der = rb_intern("to_der"); #if !defined(HAVE_OPENSSL_110_THREADING_API) Init_ossl_locks(); #endif /* * Init components */ Init_ossl_bn(); Init_ossl_cipher(); Init_ossl_config(); Init_ossl_digest(); Init_ossl_hmac(); Init_ossl_ns_spki(); Init_ossl_pkcs12(); Init_ossl_pkcs7(); Init_ossl_pkey(); Init_ossl_rand(); Init_ossl_ssl(); Init_ossl_x509(); Init_ossl_ocsp(); Init_ossl_engine(); Init_ossl_asn1(); Init_ossl_kdf(); #if defined(OSSL_DEBUG) /* * For debugging Ruby/OpenSSL. Enable only when built with --enable-debug */ #if !defined(LIBRESSL_VERSION_NUMBER) && \ (OPENSSL_VERSION_NUMBER >= 0x10100000 && !defined(OPENSSL_NO_CRYPTO_MDEBUG) || \ defined(CRYPTO_malloc_debug_init)) rb_define_module_function(mOSSL, "mem_check_start", mem_check_start, 0); rb_define_module_function(mOSSL, "print_mem_leaks", print_mem_leaks, 0); #if defined(CRYPTO_malloc_debug_init) /* <= 1.0.2 */ CRYPTO_malloc_debug_init(); #endif #if defined(V_CRYPTO_MDEBUG_ALL) /* <= 1.0.2 */ CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); #endif #if OPENSSL_VERSION_NUMBER < 0x10100000 /* <= 1.0.2 */ { int i; /* * See crypto/ex_data.c; call def_get_class() immediately to avoid * allocations. 15 is the maximum number that is used as the class index * in OpenSSL 1.0.2. */ for (i = 0; i <= 15; i++) { if (CRYPTO_get_ex_new_index(i, 0, (void *)"ossl-mdebug-dummy", 0, 0, 0) < 0) rb_raise(rb_eRuntimeError, "CRYPTO_get_ex_new_index for " "class index %d failed", i); } } #endif #endif #endif }
int main (int argc, char **argv) { signed char c; int set_fips_return = 0; char file_name[MAX_FILENAME_LEN]; BIO *keyin; BIO *certin; static struct option long_options[] = { { "trustanchor", 1, 0, 0 }, { "srp", 0, 0, 0 }, { "srp-user", 1, 0, 0 }, { "srp-password", 1, 0, 0 }, { "auth-token", 1, 0, 0 }, { "common-name", 1, 0, 0 }, { "pem-output", 0, 0, 0 }, { NULL, 0, NULL, 0 } }; int option_index = 0; int trustanchor = 1; /* default to require a trust anchor */ char *trustanchor_file = NULL; est_http_uid[0] = 0x0; est_http_pwd[0] = 0x0; /* * Set the default common name to put into the Subject field */ strncpy(subj_cn, "127.0.0.1", MAX_CN); memset(csr_file, 0, 1); memset(priv_key_file, 0, 1); memset(client_key_file, 0, 1); memset(client_cert_file, 0, 1); memset(out_dir, 0, 1); while ((c = getopt_long(argc, argv, "?zfvagerx:y:k:s:p:o:c:w:u:h:", long_options, &option_index)) != -1) { switch (c) { case 0: #if 0 printf("option %s", long_options[option_index].name); if (optarg) { printf(" with arg %s", optarg); } printf("\n"); #endif if (!strncmp(long_options[option_index].name, "trustanchor", strlen("trustanchor"))) { if (!strncmp(optarg, "no", strlen("no"))) { trustanchor = 0; } else { trustanchor_file = optarg; } } if (!strncmp(long_options[option_index].name, "srp", strlen("srp"))) { srp = 1; } if (!strncmp(long_options[option_index].name, "srp-user", strlen("srp-user"))) { strncpy(est_srp_uid, optarg, MAX_UID_LEN); } if (!strncmp(long_options[option_index].name, "srp-password", strlen("srp-password"))) { strncpy(est_srp_pwd, optarg, MAX_PWD_LEN); } if (!strncmp(long_options[option_index].name,"auth-token", strlen("auth-token"))) { strncpy(est_auth_token, optarg, MAX_AUTH_TOKEN_LEN); token_auth_mode = 1; } if (!strncmp(long_options[option_index].name, "common-name", strlen("common-name"))) { strncpy(subj_cn, optarg, MAX_CN); } if (!strncmp(long_options[option_index].name, "pem-output", strlen("pem-output"))) { pem_out = 1; } break; case 'v': verbose = 1; break; case 'z': force_pop = 1; break; case 'a': getcsr = 1; break; case 'g': getcert = 1; break; case 'e': enroll = 1; break; case 'r': reenroll = 1; break; case 'u': strncpy(est_http_uid, optarg, MAX_UID_LEN); break; case 'h': strncpy(est_http_pwd, optarg, MAX_PWD_LEN); break; case 's': strncpy(est_server, optarg, MAX_SERVER_LEN); break; case 'x': strncpy(priv_key_file, optarg, MAX_FILENAME_LEN); break; case 'y': strncpy(csr_file, optarg, MAX_FILENAME_LEN); break; case 'k': strncpy(client_key_file, optarg, MAX_FILENAME_LEN); break; case 'c': strncpy(client_cert_file, optarg, MAX_FILENAME_LEN); break; case 'o': strncpy(out_dir, optarg, MAX_FILENAME_LEN); break; case 'p': est_port = atoi(optarg); break; case 'f': /* Turn FIPS on if requested and exit if failure */ set_fips_return = FIPS_mode_set(1); if (!set_fips_return) { printf("\nERROR setting FIPS MODE ON ...\n"); ERR_load_crypto_strings(); ERR_print_errors(BIO_new_fp(stderr, BIO_NOCLOSE)); exit(1); } else { printf("\nRunning EST Sample Client with FIPS MODE = ON\n"); }; break; case 'w': read_timeout = atoi(optarg); if (read_timeout > EST_SSL_READ_TIMEOUT_MAX) { printf("\nMaxium number of seconds to wait is %d, ", EST_SSL_READ_TIMEOUT_MAX); printf("please use a lower value with the -w option\n"); exit(1); } break; default: show_usage_and_exit(); break; } } if (optind < argc) { printf("non-option ARGV-elements: "); while (optind < argc) { printf("%s ", argv[optind++]); } printf("\n"); } argc -= optind; argv += optind; if (est_http_uid[0] && !est_http_pwd[0]) { printf("Error: The password for HTTP authentication must be specified when the HTTP user name is set.\n"); exit(1); } if (csr_file[0] && getcsr) { printf("\nError: The -a option (CSR attributes) does not make sense with a pre-defined CSR\n"); exit(1); } if (csr_file[0] && priv_key_file[0]) { printf("\nError: The -x option (private key for CSR) does not make sense with a pre-defined CSR\n"); exit(1); } if (csr_file[0] && force_pop) { printf("\nError: The -z option (PoP) does not make sense with a pre-defined CSR\n"); exit(1); } if (reenroll & csr_file[0]) { printf("\nError: The -y option (predefined CSRs) does not make sense for re-enrollment\n"); exit(1); } if (verbose) { print_version(); printf("\nUsing EST server %s:%d", est_server, est_port); if (csr_file [0]) { printf("\nUsing CSR file %s", csr_file); } if (priv_key_file [0]) { printf("\nUsing identity private key file %s", priv_key_file); } if (client_cert_file[0]) { printf("\nUsing identity client cert file %s", client_cert_file); } if (client_key_file [0]) { printf("\nUsing identity private key file %s", client_key_file); } } if (enroll && reenroll) { printf("\nThe enroll and reenroll operations can not be used together\n"); exit(1); } if (!out_dir[0]) { printf("\nOutput directory must be specified with -o option\n"); exit(1); } if (trustanchor) { if (!trustanchor_file) { /* * Get the trust anchor filename from the environment var */ if (!getenv("EST_OPENSSL_CACERT")) { printf("\nCACERT file not set, set EST_OPENSSL_CACERT to resolve"); exit(1); } trustanchor_file = getenv("EST_OPENSSL_CACERT"); } /* * Read in the CA certificates */ cacerts_len = read_binary_file(trustanchor_file, &cacerts); if (cacerts_len <= 0) { printf("\nCACERT file could not be read\n"); exit(1); } } /* * Read in the current client certificate */ if (client_cert_file[0]) { certin = BIO_new(BIO_s_file_internal()); if (BIO_read_filename(certin, client_cert_file) <= 0) { printf("\nUnable to read client certificate file %s\n", client_cert_file); exit(1); } /* * This reads the file, which is expected to be PEM encoded. If you're using * DER encoded certs, you would invoke d2i_X509_bio() instead. */ client_cert = PEM_read_bio_X509(certin, NULL, NULL, NULL); if (client_cert == NULL) { printf("\nError while reading PEM encoded client certificate file %s\n", client_cert_file); exit(1); } BIO_free(certin); } /* * Read in the client's private key */ if (client_key_file[0]) { keyin = BIO_new(BIO_s_file_internal()); if (BIO_read_filename(keyin, client_key_file) <= 0) { printf("\nUnable to read client private key file %s\n", client_key_file); exit(1); } /* * This reads in the private key file, which is expected to be a PEM * encoded private key. If using DER encoding, you would invoke * d2i_PrivateKey_bio() instead. */ client_priv_key = PEM_read_bio_PrivateKey(keyin, NULL, NULL, NULL); if (client_priv_key == NULL) { printf("\nError while reading PEM encoded private key file %s\n", client_key_file); ERR_print_errors_fp(stderr); exit(1); } BIO_free(keyin); } est_apps_startup(); #if DEBUG_OSSL_LEAKS CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); #endif if (verbose) { est_init_logger(EST_LOG_LVL_INFO, &test_logger_stdout); est_enable_backtrace(1); } else { est_init_logger(EST_LOG_LVL_ERR, &test_logger_stdout); } if (!priv_key_file[0] && enroll && !csr_file[0]) { printf("\nA private key is required for enrolling. Creating a new RSA key pair since you didn't provide a key using the -x option."); /* * Create a private key that will be used for the * enroll operation. */ new_pkey = generate_private_key(&new_pkey_len); snprintf(file_name, MAX_FILENAME_LEN, "%s/newkey.pem", out_dir); write_binary_file(file_name, new_pkey, new_pkey_len); free(new_pkey); /* * prepare to read it back in to an EVP_PKEY struct */ strncpy(priv_key_file, file_name, MAX_FILENAME_LEN); } if (enroll && !csr_file[0]) { /* Read in the private key file */ priv_key = read_private_key(priv_key_file); } do_operation(); if (priv_key) { EVP_PKEY_free(priv_key); } if (client_priv_key) { EVP_PKEY_free(client_priv_key); } if (client_cert) { X509_free(client_cert); } free(cacerts); if (c_cert_len) { free(c_cert); } if (c_key_len) { free(c_key); } est_apps_shutdown(); #if DEBUG_OSSL_LEAKS BIO *bio_err; bio_err = BIO_new_fp(stderr, BIO_NOCLOSE); CRYPTO_mem_leaks(bio_err); BIO_free(bio_err); #endif printf("\n"); return 0; }
int main(int argc, char *argv[]) { char *CApath=NULL,*CAfile=NULL; int badop=0; int bio_pair=0; int force=0; int tls1=0,ssl2=0,ssl3=0,ret=1; int client_auth=0; int server_auth=0,i; int app_verify=0; char *server_cert=TEST_SERVER_CERT; char *server_key=NULL; char *client_cert=TEST_CLIENT_CERT; char *client_key=NULL; SSL_CTX *s_ctx=NULL; SSL_CTX *c_ctx=NULL; SSL_METHOD *meth=NULL; SSL *c_ssl,*s_ssl; int number=1,reuse=0; long bytes=1L; #ifndef OPENSSL_NO_DH DH *dh; int dhe1024 = 0, dhe1024dsa = 0; #endif int no_dhe = 0; int print_time = 0; clock_t s_time = 0, c_time = 0; int comp = 0; COMP_METHOD *cm = NULL; verbose = 0; debug = 0; cipher = 0; bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); CRYPTO_set_locking_callback(lock_dbg_cb); /* enable memory leak checking unless explicitly disabled */ if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off")))) { CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); } else { /* OPENSSL_DEBUG_MEMORY=off */ CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0); } CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); RAND_seed(rnd_seed, sizeof rnd_seed); bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE); argc--; argv++; while (argc >= 1) { if (strcmp(*argv,"-server_auth") == 0) server_auth=1; else if (strcmp(*argv,"-client_auth") == 0) client_auth=1; else if (strcmp(*argv,"-v") == 0) verbose=1; else if (strcmp(*argv,"-d") == 0) debug=1; else if (strcmp(*argv,"-reuse") == 0) reuse=1; else if (strcmp(*argv,"-dhe1024") == 0) { #ifndef OPENSSL_NO_DH dhe1024=1; #else fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n"); #endif } else if (strcmp(*argv,"-dhe1024dsa") == 0) { #ifndef OPENSSL_NO_DH dhe1024dsa=1; #else fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n"); #endif } else if (strcmp(*argv,"-no_dhe") == 0) no_dhe=1; else if (strcmp(*argv,"-ssl2") == 0) ssl2=1; else if (strcmp(*argv,"-tls1") == 0) tls1=1; else if (strcmp(*argv,"-ssl3") == 0) ssl3=1; else if (strncmp(*argv,"-num",4) == 0) { if (--argc < 1) goto bad; number= atoi(*(++argv)); if (number == 0) number=1; } else if (strcmp(*argv,"-bytes") == 0) { if (--argc < 1) goto bad; bytes= atol(*(++argv)); if (bytes == 0L) bytes=1L; i=strlen(argv[0]); if (argv[0][i-1] == 'k') bytes*=1024L; if (argv[0][i-1] == 'm') bytes*=1024L*1024L; } else if (strcmp(*argv,"-cert") == 0) { if (--argc < 1) goto bad; server_cert= *(++argv); } else if (strcmp(*argv,"-s_cert") == 0) { if (--argc < 1) goto bad; server_cert= *(++argv); } else if (strcmp(*argv,"-key") == 0) { if (--argc < 1) goto bad; server_key= *(++argv); } else if (strcmp(*argv,"-s_key") == 0) { if (--argc < 1) goto bad; server_key= *(++argv); } else if (strcmp(*argv,"-c_cert") == 0) { if (--argc < 1) goto bad; client_cert= *(++argv); } else if (strcmp(*argv,"-c_key") == 0) { if (--argc < 1) goto bad; client_key= *(++argv); } else if (strcmp(*argv,"-cipher") == 0) { if (--argc < 1) goto bad; cipher= *(++argv); } else if (strcmp(*argv,"-CApath") == 0) { if (--argc < 1) goto bad; CApath= *(++argv); } else if (strcmp(*argv,"-CAfile") == 0) { if (--argc < 1) goto bad; CAfile= *(++argv); } else if (strcmp(*argv,"-bio_pair") == 0) { bio_pair = 1; } else if (strcmp(*argv,"-f") == 0) { force = 1; } else if (strcmp(*argv,"-time") == 0) { print_time = 1; } else if (strcmp(*argv,"-zlib") == 0) { comp = COMP_ZLIB; } else if (strcmp(*argv,"-rle") == 0) { comp = COMP_RLE; } else if (strcmp(*argv,"-app_verify") == 0) { app_verify = 1; } else { fprintf(stderr,"unknown option %s\n",*argv); badop=1; break; } argc--; argv++; } if (badop) { bad: sv_usage(); goto end; } if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force) { fprintf(stderr, "This case cannot work. Use -f to perform " "the test anyway (and\n-d to see what happens), " "or add one of -ssl2, -ssl3, -tls1, -reuse\n" "to avoid protocol mismatch.\n"); EXIT(1); } if (print_time) { if (!bio_pair) { fprintf(stderr, "Using BIO pair (-bio_pair)\n"); bio_pair = 1; } if (number < 50 && !force) fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n"); } /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */ SSL_library_init(); SSL_load_error_strings(); if (comp == COMP_ZLIB) cm = COMP_zlib(); if (comp == COMP_RLE) cm = COMP_rle(); if (cm != NULL) { if (cm->type != NID_undef) SSL_COMP_add_compression_method(comp, cm); else { fprintf(stderr, "Warning: %s compression not supported\n", (comp == COMP_RLE ? "rle" : (comp == COMP_ZLIB ? "zlib" : "unknown"))); ERR_print_errors_fp(stderr); } } #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) if (ssl2) meth=SSLv2_method(); else if (tls1) meth=TLSv1_method(); else if (ssl3) meth=SSLv3_method(); else meth=SSLv23_method(); #else #ifdef OPENSSL_NO_SSL2 meth=SSLv3_method(); #else meth=SSLv2_method(); #endif #endif c_ctx=SSL_CTX_new(meth); s_ctx=SSL_CTX_new(meth); if ((c_ctx == NULL) || (s_ctx == NULL)) { ERR_print_errors(bio_err); goto end; } if (cipher != NULL) { SSL_CTX_set_cipher_list(c_ctx,cipher); SSL_CTX_set_cipher_list(s_ctx,cipher); } #ifndef OPENSSL_NO_DH if (!no_dhe) { if (dhe1024dsa) { /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */ SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); dh=get_dh1024dsa(); } else if (dhe1024) dh=get_dh1024(); else dh=get_dh512(); SSL_CTX_set_tmp_dh(s_ctx,dh); DH_free(dh); } #else (void)no_dhe; #endif #ifndef OPENSSL_NO_RSA SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb); #endif if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM)) { ERR_print_errors(bio_err); } else if (!SSL_CTX_use_PrivateKey_file(s_ctx, (server_key?server_key:server_cert), SSL_FILETYPE_PEM)) { ERR_print_errors(bio_err); goto end; } if (client_auth) { SSL_CTX_use_certificate_file(c_ctx,client_cert, SSL_FILETYPE_PEM); SSL_CTX_use_PrivateKey_file(c_ctx, (client_key?client_key:client_cert), SSL_FILETYPE_PEM); } if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) || (!SSL_CTX_set_default_verify_paths(s_ctx)) || (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) || (!SSL_CTX_set_default_verify_paths(c_ctx))) { /* fprintf(stderr,"SSL_load_verify_locations\n"); */ ERR_print_errors(bio_err); /* goto end; */ } if (client_auth) { BIO_printf(bio_err,"client authentication\n"); SSL_CTX_set_verify(s_ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback); if (app_verify) { SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg); } } if (server_auth) { BIO_printf(bio_err,"server authentication\n"); SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER, verify_callback); if (app_verify) { SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg); } } { int session_id_context = 0; SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context); } c_ssl=SSL_new(c_ctx); s_ssl=SSL_new(s_ctx); #ifndef OPENSSL_NO_KRB5 if (c_ssl && c_ssl->kssl_ctx) { char localhost[MAXHOSTNAMELEN+2]; if (gethostname(localhost, sizeof localhost-1) == 0) { localhost[sizeof localhost-1]='\0'; if(strlen(localhost) == sizeof localhost-1) { BIO_printf(bio_err,"localhost name too long\n"); goto end; } kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, localhost); } } #endif /* OPENSSL_NO_KRB5 */ for (i=0; i<number; i++) { if (!reuse) SSL_set_session(c_ssl,NULL); if (bio_pair) ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time); else ret=doit(s_ssl,c_ssl,bytes); } if (!verbose) { print_details(c_ssl, ""); } if ((number > 1) || (bytes > 1L)) BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes); if (print_time) { #ifdef CLOCKS_PER_SEC /* "To determine the time in seconds, the value returned * by the clock function should be divided by the value * of the macro CLOCKS_PER_SEC." * -- ISO/IEC 9899 */ BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n" "Approximate total client time: %6.2f s\n", (double)s_time/CLOCKS_PER_SEC, (double)c_time/CLOCKS_PER_SEC); #else /* "`CLOCKS_PER_SEC' undeclared (first use this function)" * -- cc on NeXTstep/OpenStep */ BIO_printf(bio_stdout, "Approximate total server time: %6.2f units\n" "Approximate total client time: %6.2f units\n", (double)s_time, (double)c_time); #endif } SSL_free(s_ssl); SSL_free(c_ssl); end: if (s_ctx != NULL) SSL_CTX_free(s_ctx); if (c_ctx != NULL) SSL_CTX_free(c_ctx); if (bio_stdout != NULL) BIO_free(bio_stdout); #ifndef OPENSSL_NO_RSA free_tmp_rsa(); #endif #ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); #endif CRYPTO_cleanup_all_ex_data(); ERR_free_strings(); ERR_remove_state(0); EVP_cleanup(); CRYPTO_mem_leaks(bio_err); if (bio_err != NULL) BIO_free(bio_err); EXIT(ret); }
int main(int argc, char *argv[]) { BN_CTX *ctx = NULL; BIGNUM *p, *a, *b; EC_GROUP *group; EC_GROUP *P_192 = NULL, *P_224 = NULL, *P_256 = NULL, *P_384 = NULL, *P_521 = NULL; EC_POINT *P, *Q, *R; BIGNUM *x, *y, *z; unsigned char buf[100]; size_t i, len; int k; /* enable memory leak checking unless explicitly disabled */ if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off")))) { CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); } else { /* OPENSSL_DEBUG_MEMORY=off */ CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0); } CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); ERR_load_crypto_strings(); #if 1 /* optional */ ctx = BN_CTX_new(); if (!ctx) ABORT; #endif p = BN_new(); a = BN_new(); b = BN_new(); if (!p || !a || !b) ABORT; if (!BN_hex2bn(&p, "17")) ABORT; if (!BN_hex2bn(&a, "1")) ABORT; if (!BN_hex2bn(&b, "1")) ABORT; group = EC_GROUP_new(EC_GFp_mont_method()); /* applications should use EC_GROUP_new_curve_GFp * so that the library gets to choose the EC_METHOD */ if (!group) ABORT; if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT; { EC_GROUP *tmp; tmp = EC_GROUP_new(EC_GROUP_method_of(group)); if (!tmp) ABORT; if (!EC_GROUP_copy(tmp, group)); EC_GROUP_free(group); group = tmp; } if (!EC_GROUP_get_curve_GFp(group, p, a, b, ctx)) ABORT; fprintf(stdout, "Curve defined by Weierstrass equation\n y^2 = x^3 + a*x + b (mod 0x"); BN_print_fp(stdout, p); fprintf(stdout, ")\n a = 0x"); BN_print_fp(stdout, a); fprintf(stdout, "\n b = 0x"); BN_print_fp(stdout, b); fprintf(stdout, "\n"); P = EC_POINT_new(group); Q = EC_POINT_new(group); R = EC_POINT_new(group); if (!P || !Q || !R) ABORT; if (!EC_POINT_set_to_infinity(group, P)) ABORT; if (!EC_POINT_is_at_infinity(group, P)) ABORT; buf[0] = 0; if (!EC_POINT_oct2point(group, Q, buf, 1, ctx)) ABORT; if (!EC_POINT_add(group, P, P, Q, ctx)) ABORT; if (!EC_POINT_is_at_infinity(group, P)) ABORT; x = BN_new(); y = BN_new(); z = BN_new(); if (!x || !y || !z) ABORT; if (!BN_hex2bn(&x, "D")) ABORT; if (!EC_POINT_set_compressed_coordinates_GFp(group, Q, x, 1, ctx)) ABORT; if (!EC_POINT_is_on_curve(group, Q, ctx)) { if (!EC_POINT_get_affine_coordinates_GFp(group, Q, x, y, ctx)) ABORT; fprintf(stderr, "Point is not on curve: x = 0x"); BN_print_fp(stderr, x); fprintf(stderr, ", y = 0x"); BN_print_fp(stderr, y); fprintf(stderr, "\n"); ABORT; } fprintf(stdout, "A cyclic subgroup:\n"); k = 100; do { if (k-- == 0) ABORT; if (EC_POINT_is_at_infinity(group, P)) fprintf(stdout, " point at infinity\n"); else { if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT; fprintf(stdout, " x = 0x"); BN_print_fp(stdout, x); fprintf(stdout, ", y = 0x"); BN_print_fp(stdout, y); fprintf(stdout, "\n"); } if (!EC_POINT_copy(R, P)) ABORT; if (!EC_POINT_add(group, P, P, Q, ctx)) ABORT; #if 0 /* optional */ { EC_POINT *points[3]; points[0] = R; points[1] = Q; points[2] = P; if (!EC_POINTs_make_affine(group, 2, points, ctx)) ABORT; } #endif } while (!EC_POINT_is_at_infinity(group, P)); if (!EC_POINT_add(group, P, Q, R, ctx)) ABORT; if (!EC_POINT_is_at_infinity(group, P)) ABORT; len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf, sizeof buf, ctx); if (len == 0) ABORT; if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT; if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT; fprintf(stdout, "Generator as octect string, compressed form:\n "); for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]); len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED, buf, sizeof buf, ctx); if (len == 0) ABORT; if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT; if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT; fprintf(stdout, "\nGenerator as octect string, uncompressed form:\n "); for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]); len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, buf, sizeof buf, ctx); if (len == 0) ABORT; if (!EC_POINT_oct2point(group, P, buf, len, ctx)) ABORT; if (0 != EC_POINT_cmp(group, P, Q, ctx)) ABORT; fprintf(stdout, "\nGenerator as octect string, hybrid form:\n "); for (i = 0; i < len; i++) fprintf(stdout, "%02X", buf[i]); if (!EC_POINT_get_Jprojective_coordinates_GFp(group, R, x, y, z, ctx)) ABORT; fprintf(stdout, "\nA representation of the inverse of that generator in\nJacobian projective coordinates:\n X = 0x"); BN_print_fp(stdout, x); fprintf(stdout, ", Y = 0x"); BN_print_fp(stdout, y); fprintf(stdout, ", Z = 0x"); BN_print_fp(stdout, z); fprintf(stdout, "\n"); if (!EC_POINT_invert(group, P, ctx)) ABORT; if (0 != EC_POINT_cmp(group, P, R, ctx)) ABORT; /* Curve P-192 (FIPS PUB 186-2, App. 6) */ if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF")) ABORT; if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT; if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC")) ABORT; if (!BN_hex2bn(&b, "64210519E59C80E70FA7E9AB72243049FEB8DEECC146B9B1")) ABORT; if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT; if (!BN_hex2bn(&x, "188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012")) ABORT; if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT; if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT; if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831")) ABORT; if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT; if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT; fprintf(stdout, "\nNIST curve P-192 -- Generator:\n x = 0x"); BN_print_fp(stdout, x); fprintf(stdout, "\n y = 0x"); BN_print_fp(stdout, y); fprintf(stdout, "\n"); /* G_y value taken from the standard: */ if (!BN_hex2bn(&z, "07192B95FFC8DA78631011ED6B24CDD573F977A11E794811")) ABORT; if (0 != BN_cmp(y, z)) ABORT; fprintf(stdout, "verify group order ..."); fflush(stdout); if (!EC_GROUP_get_order(group, z, ctx)) ABORT; if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT; if (!EC_POINT_is_at_infinity(group, Q)) ABORT; fprintf(stdout, "."); fflush(stdout); if (!EC_GROUP_precompute_mult(group, ctx)) ABORT; if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT; if (!EC_POINT_is_at_infinity(group, Q)) ABORT; fprintf(stdout, " ok\n"); if (!(P_192 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT; if (!EC_GROUP_copy(P_192, group)) ABORT; /* Curve P-224 (FIPS PUB 186-2, App. 6) */ if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001")) ABORT; if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT; if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE")) ABORT; if (!BN_hex2bn(&b, "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4")) ABORT; if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT; if (!BN_hex2bn(&x, "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21")) ABORT; if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx)) ABORT; if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT; if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D")) ABORT; if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT; if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT; fprintf(stdout, "\nNIST curve P-224 -- Generator:\n x = 0x"); BN_print_fp(stdout, x); fprintf(stdout, "\n y = 0x"); BN_print_fp(stdout, y); fprintf(stdout, "\n"); /* G_y value taken from the standard: */ if (!BN_hex2bn(&z, "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34")) ABORT; if (0 != BN_cmp(y, z)) ABORT; fprintf(stdout, "verify group order ..."); fflush(stdout); if (!EC_GROUP_get_order(group, z, ctx)) ABORT; if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT; if (!EC_POINT_is_at_infinity(group, Q)) ABORT; fprintf(stdout, "."); fflush(stdout); if (!EC_GROUP_precompute_mult(group, ctx)) ABORT; if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT; if (!EC_POINT_is_at_infinity(group, Q)) ABORT; fprintf(stdout, " ok\n"); if (!(P_224 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT; if (!EC_GROUP_copy(P_224, group)) ABORT; /* Curve P-256 (FIPS PUB 186-2, App. 6) */ if (!BN_hex2bn(&p, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF")) ABORT; if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT; if (!BN_hex2bn(&a, "FFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC")) ABORT; if (!BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B")) ABORT; if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT; if (!BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296")) ABORT; if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT; if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT; if (!BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E" "84F3B9CAC2FC632551")) ABORT; if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT; if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT; fprintf(stdout, "\nNIST curve P-256 -- Generator:\n x = 0x"); BN_print_fp(stdout, x); fprintf(stdout, "\n y = 0x"); BN_print_fp(stdout, y); fprintf(stdout, "\n"); /* G_y value taken from the standard: */ if (!BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5")) ABORT; if (0 != BN_cmp(y, z)) ABORT; fprintf(stdout, "verify group order ..."); fflush(stdout); if (!EC_GROUP_get_order(group, z, ctx)) ABORT; if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT; if (!EC_POINT_is_at_infinity(group, Q)) ABORT; fprintf(stdout, "."); fflush(stdout); if (!EC_GROUP_precompute_mult(group, ctx)) ABORT; if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT; if (!EC_POINT_is_at_infinity(group, Q)) ABORT; fprintf(stdout, " ok\n"); if (!(P_256 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT; if (!EC_GROUP_copy(P_256, group)) ABORT; /* Curve P-384 (FIPS PUB 186-2, App. 6) */ if (!BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" "FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFF")) ABORT; if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT; if (!BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" "FFFFFFFFFFFFFFFFFEFFFFFFFF0000000000000000FFFFFFFC")) ABORT; if (!BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141" "120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF")) ABORT; if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT; if (!BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B" "9859F741E082542A385502F25DBF55296C3A545E3872760AB7")) ABORT; if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 1, ctx)) ABORT; if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT; if (!BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" "FFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973")) ABORT; if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT; if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT; fprintf(stdout, "\nNIST curve P-384 -- Generator:\n x = 0x"); BN_print_fp(stdout, x); fprintf(stdout, "\n y = 0x"); BN_print_fp(stdout, y); fprintf(stdout, "\n"); /* G_y value taken from the standard: */ if (!BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A14" "7CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F")) ABORT; if (0 != BN_cmp(y, z)) ABORT; fprintf(stdout, "verify group order ..."); fflush(stdout); if (!EC_GROUP_get_order(group, z, ctx)) ABORT; if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT; if (!EC_POINT_is_at_infinity(group, Q)) ABORT; fprintf(stdout, "."); fflush(stdout); if (!EC_GROUP_precompute_mult(group, ctx)) ABORT; if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT; if (!EC_POINT_is_at_infinity(group, Q)) ABORT; fprintf(stdout, " ok\n"); if (!(P_384 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT; if (!EC_GROUP_copy(P_384, group)) ABORT; /* Curve P-521 (FIPS PUB 186-2, App. 6) */ if (!BN_hex2bn(&p, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" "FFFFFFFFFFFFFFFFFFFFFFFFFFFF")) ABORT; if (1 != BN_is_prime(p, BN_prime_checks, 0, ctx, NULL)) ABORT; if (!BN_hex2bn(&a, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" "FFFFFFFFFFFFFFFFFFFFFFFFFFFC")) ABORT; if (!BN_hex2bn(&b, "051953EB9618E1C9A1F929A21A0B68540EEA2DA725B99B" "315F3B8B489918EF109E156193951EC7E937B1652C0BD3BB1BF073573" "DF883D2C34F1EF451FD46B503F00")) ABORT; if (!EC_GROUP_set_curve_GFp(group, p, a, b, ctx)) ABORT; if (!BN_hex2bn(&x, "C6858E06B70404E9CD9E3ECB662395B4429C648139053F" "B521F828AF606B4D3DBAA14B5E77EFE75928FE1DC127A2FFA8DE3348B" "3C1856A429BF97E7E31C2E5BD66")) ABORT; if (!EC_POINT_set_compressed_coordinates_GFp(group, P, x, 0, ctx)) ABORT; if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT; if (!BN_hex2bn(&z, "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" "FFFFFFFFFFFFFFFFFFFFA51868783BF2F966B7FCC0148F709A5D03BB5" "C9B8899C47AEBB6FB71E91386409")) ABORT; if (!EC_GROUP_set_generator(group, P, z, BN_value_one())) ABORT; if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) ABORT; fprintf(stdout, "\nNIST curve P-521 -- Generator:\n x = 0x"); BN_print_fp(stdout, x); fprintf(stdout, "\n y = 0x"); BN_print_fp(stdout, y); fprintf(stdout, "\n"); /* G_y value taken from the standard: */ if (!BN_hex2bn(&z, "11839296A789A3BC0045C8A5FB42C7D1BD998F54449579" "B446817AFBD17273E662C97EE72995EF42640C550B9013FAD0761353C" "7086A272C24088BE94769FD16650")) ABORT; if (0 != BN_cmp(y, z)) ABORT; fprintf(stdout, "verify group order ..."); fflush(stdout); if (!EC_GROUP_get_order(group, z, ctx)) ABORT; if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT; if (!EC_POINT_is_at_infinity(group, Q)) ABORT; fprintf(stdout, "."); fflush(stdout); if (!EC_GROUP_precompute_mult(group, ctx)) ABORT; if (!EC_POINT_mul(group, Q, z, NULL, NULL, ctx)) ABORT; if (!EC_POINT_is_at_infinity(group, Q)) ABORT; fprintf(stdout, " ok\n"); if (!(P_521 = EC_GROUP_new(EC_GROUP_method_of(group)))) ABORT; if (!EC_GROUP_copy(P_521, group)) ABORT; /* more tests using the last curve */ if (!EC_POINT_copy(Q, P)) ABORT; if (EC_POINT_is_at_infinity(group, Q)) ABORT; if (!EC_POINT_dbl(group, P, P, ctx)) ABORT; if (!EC_POINT_is_on_curve(group, P, ctx)) ABORT; if (!EC_POINT_invert(group, Q, ctx)) ABORT; /* P = -2Q */ if (!EC_POINT_add(group, R, P, Q, ctx)) ABORT; if (!EC_POINT_add(group, R, R, Q, ctx)) ABORT; if (!EC_POINT_is_at_infinity(group, R)) ABORT; /* R = P + 2Q */ { const EC_POINT *points[3]; const BIGNUM *scalars[3]; if (EC_POINT_is_at_infinity(group, Q)) ABORT; points[0] = Q; points[1] = Q; points[2] = Q; if (!BN_add(y, z, BN_value_one())) ABORT; if (BN_is_odd(y)) ABORT; if (!BN_rshift1(y, y)) ABORT; scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */ scalars[1] = y; fprintf(stdout, "combined multiplication ..."); fflush(stdout); /* z is still the group order */ if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT; if (!EC_POINTs_mul(group, R, z, 2, points, scalars, ctx)) ABORT; if (0 != EC_POINT_cmp(group, P, R, ctx)) ABORT; if (0 != EC_POINT_cmp(group, R, Q, ctx)) ABORT; fprintf(stdout, "."); fflush(stdout); if (!BN_pseudo_rand(y, BN_num_bits(y), 0, 0)) ABORT; if (!BN_add(z, z, y)) ABORT; z->neg = 1; scalars[0] = y; scalars[1] = z; /* z = -(order + y) */ if (!EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) ABORT; if (!EC_POINT_is_at_infinity(group, P)) ABORT; fprintf(stdout, "."); fflush(stdout); if (!BN_pseudo_rand(x, BN_num_bits(y) - 1, 0, 0)) ABORT; if (!BN_add(z, x, y)) ABORT; z->neg = 1; scalars[0] = x; scalars[1] = y; scalars[2] = z; /* z = -(x+y) */ if (!EC_POINTs_mul(group, P, NULL, 3, points, scalars, ctx)) ABORT; if (!EC_POINT_is_at_infinity(group, P)) ABORT; fprintf(stdout, " ok\n\n"); } #if 0 timings(P_192, 0, ctx); timings(P_192, 1, ctx); timings(P_224, 0, ctx); timings(P_224, 1, ctx); timings(P_256, 0, ctx); timings(P_256, 1, ctx); timings(P_384, 0, ctx); timings(P_384, 1, ctx); timings(P_521, 0, ctx); timings(P_521, 1, ctx); #endif if (ctx) BN_CTX_free(ctx); BN_free(p); BN_free(a); BN_free(b); EC_GROUP_free(group); EC_POINT_free(P); EC_POINT_free(Q); EC_POINT_free(R); BN_free(x); BN_free(y); BN_free(z); if (P_192) EC_GROUP_free(P_192); if (P_224) EC_GROUP_free(P_224); if (P_256) EC_GROUP_free(P_256); if (P_384) EC_GROUP_free(P_384); if (P_521) EC_GROUP_free(P_521); ENGINE_cleanup(); CRYPTO_cleanup_all_ex_data(); ERR_free_strings(); ERR_remove_state(0); CRYPTO_mem_leaks_fp(stderr); return 0; }
int main(int Argc, char *ARGV[]) { ARGS arg; #define PROG_NAME_SIZE 39 char pname[PROG_NAME_SIZE+1]; FUNCTION f,*fp; MS_STATIC const char *prompt; MS_STATIC char buf[1024]; char *to_free=NULL; int n,i,ret=0; int argc; char **argv,*p; LHASH_OF(FUNCTION) *prog=NULL; long errline; #if defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64) /* 2011-03-22 SMS. * If we have 32-bit pointers everywhere, then we're safe, and * we bypass this mess, as on non-VMS systems. (See ARGV, * above.) * Problem 1: Compaq/HP C before V7.3 always used 32-bit * pointers for argv[]. * Fix 1: For a 32-bit argv[], when we're using 64-bit pointers * everywhere else, we always allocate and use a 64-bit * duplicate of argv[]. * Problem 2: Compaq/HP C V7.3 (Alpha, IA64) before ECO1 failed * to NULL-terminate a 64-bit argv[]. (As this was written, the * compiler ECO was available only on IA64.) * Fix 2: Unless advised not to (VMS_TRUST_ARGV), we test a * 64-bit argv[argc] for NULL, and, if necessary, use a * (properly) NULL-terminated (64-bit) duplicate of argv[]. * The same code is used in either case to duplicate argv[]. * Some of these decisions could be handled in preprocessing, * but the code tends to get even uglier, and the penalty for * deciding at compile- or run-time is tiny. */ char **Argv = NULL; int free_Argv = 0; if ((sizeof( _Argv) < 8) /* 32-bit argv[]. */ # if !defined( VMS_TRUST_ARGV) || (_Argv[ Argc] != NULL) /* Untrusted argv[argc] not NULL. */ # endif ) { int i; Argv = OPENSSL_malloc( (Argc+ 1)* sizeof( char *)); if (Argv == NULL) { ret = -1; goto end; } for(i = 0; i < Argc; i++) Argv[i] = _Argv[i]; Argv[ Argc] = NULL; /* Certain NULL termination. */ free_Argv = 1; } else { /* Use the known-good 32-bit argv[] (which needs the * type cast to satisfy the compiler), or the trusted or * tested-good 64-bit argv[] as-is. */ Argv = (char **)_Argv; } #endif /* defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64) */ arg.data=NULL; arg.count=0; if (bio_err == NULL) if ((bio_err=BIO_new(BIO_s_file())) != NULL) BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT); if (getenv("OPENSSL_DEBUG_MEMORY") != NULL) /* if not defined, use compiled-in library defaults */ { if (!(0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))) { CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); } else { /* OPENSSL_DEBUG_MEMORY=off */ CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0); } } CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); #if 0 if (getenv("OPENSSL_DEBUG_LOCKING") != NULL) #endif { CRYPTO_set_locking_callback(lock_dbg_cb); } apps_startup(); /* Lets load up our environment a little */ p=getenv("OPENSSL_CONF"); if (p == NULL) p=getenv("SSLEAY_CONF"); if (p == NULL) p=to_free=make_config_name(); default_config_file=p; config=NCONF_new(NULL); i=NCONF_load(config,p,&errline); if (i == 0) { if (ERR_GET_REASON(ERR_peek_last_error()) == CONF_R_NO_SUCH_FILE) { BIO_printf(bio_err, "WARNING: can't open config file: %s\n",p); ERR_clear_error(); NCONF_free(config); config = NULL; } else { ERR_print_errors(bio_err); NCONF_free(config); exit(1); } } prog=prog_init(); /* first check the program name */ program_name(Argv[0],pname,sizeof pname); f.name=pname; fp=lh_FUNCTION_retrieve(prog,&f); if (fp != NULL) { Argv[0]=pname; ret=fp->func(Argc,Argv); goto end; } /* ok, now check that there are not arguments, if there are, * run with them, shifting the ssleay off the front */ if (Argc != 1) { Argc--; Argv++; ret=do_cmd(prog,Argc,Argv); if (ret < 0) ret=0; goto end; } /* ok, lets enter the old 'OpenSSL>' mode */ for (;;) { ret=0; p=buf; n=sizeof buf; i=0; for (;;) { p[0]='\0'; if (i++) prompt=">"; else prompt="OpenSSL> "; fputs(prompt,stdout); fflush(stdout); if (!fgets(p,n,stdin)) goto end; if (p[0] == '\0') goto end; i=strlen(p); if (i <= 1) break; if (p[i-2] != '\\') break; i-=2; p+=i; n-=i; } if (!chopup_args(&arg,buf,&argc,&argv)) break; ret=do_cmd(prog,argc,argv); if (ret < 0) { ret=0; goto end; } if (ret != 0) BIO_printf(bio_err,"error in %s\n",argv[0]); (void)BIO_flush(bio_err); } BIO_printf(bio_err,"bad exit\n"); ret=1; end: if (to_free) OPENSSL_free(to_free); if (config != NULL) { NCONF_free(config); config=NULL; } if (prog != NULL) lh_FUNCTION_free(prog); if (arg.data != NULL) OPENSSL_free(arg.data); apps_shutdown(); CRYPTO_mem_leaks(bio_err); if (bio_err != NULL) { BIO_free(bio_err); bio_err=NULL; } #if defined( OPENSSL_SYS_VMS) && (__INITIAL_POINTER_SIZE == 64) /* Free any duplicate Argv[] storage. */ if (free_Argv) { OPENSSL_free(Argv); } #endif OPENSSL_EXIT(ret); }
isc_result_t dst__openssl_init() { isc_result_t result; #ifdef USE_ENGINE /* const char *name; */ ENGINE *re; #endif #ifdef DNS_CRYPTO_LEAKS CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); #endif CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free); nlocks = CRYPTO_num_locks(); locks = mem_alloc(sizeof(isc_mutex_t) * nlocks); if (locks == NULL) return (ISC_R_NOMEMORY); result = isc_mutexblock_init(locks, nlocks); if (result != ISC_R_SUCCESS) goto cleanup_mutexalloc; CRYPTO_set_locking_callback(lock_callback); CRYPTO_set_id_callback(id_callback); rm = mem_alloc(sizeof(RAND_METHOD)); if (rm == NULL) { result = ISC_R_NOMEMORY; goto cleanup_mutexinit; } rm->seed = NULL; rm->bytes = entropy_get; rm->cleanup = NULL; rm->add = entropy_add; rm->pseudorand = entropy_getpseudo; rm->status = entropy_status; #ifdef USE_ENGINE OPENSSL_config(NULL); #ifdef USE_PKCS11 #ifndef PKCS11_SO_PATH #define PKCS11_SO_PATH "/usr/local/lib/engines/engine_pkcs11.so" #endif #ifndef PKCS11_MODULE_PATH #define PKCS11_MODULE_PATH "/usr/lib/libpkcs11.so" #endif { /* * to use this to config the PIN, add in openssl.cnf: * - at the beginning: "openssl_conf = openssl_def" * - at any place these sections: * [ openssl_def ] * engines = engine_section * [ engine_section ] * pkcs11 = pkcs11_section * [ pkcs11_section ] * PIN = my___pin */ const char *pre_cmds[] = { "SO_PATH", PKCS11_SO_PATH, "LOAD", NULL, "MODULE_PATH", PKCS11_MODULE_PATH }; const char *post_cmds[] = { /* "PIN", "my___pin" */ }; result = dst__openssl_load_engine("pkcs11", "pkcs11", pre_cmds, 0, post_cmds, /*1*/ 0); if (result != ISC_R_SUCCESS) goto cleanup_rm; } #endif /* USE_PKCS11 */ if (engine_id != NULL) { e = ENGINE_by_id(engine_id); if (e == NULL) { result = ISC_R_NOTFOUND; goto cleanup_rm; } if (!ENGINE_init(e)) { result = ISC_R_FAILURE; ENGINE_free(e); goto cleanup_rm; } ENGINE_set_default(e, ENGINE_METHOD_ALL); ENGINE_free(e); } else { ENGINE_register_all_complete(); for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) { /* * Something weird here. If we call ENGINE_finish() * ENGINE_get_default_RAND() will fail. */ if (ENGINE_init(e)) { if (he == NULL) he = e; } } } re = ENGINE_get_default_RAND(); if (re == NULL) { re = ENGINE_new(); if (re == NULL) { result = ISC_R_NOMEMORY; goto cleanup_rm; } ENGINE_set_RAND(re, rm); ENGINE_set_default_RAND(re); ENGINE_free(re); } else ENGINE_finish(re); #else RAND_set_rand_method(rm); #endif /* USE_ENGINE */ return (ISC_R_SUCCESS); #ifdef USE_ENGINE cleanup_rm: mem_free(rm); #endif cleanup_mutexinit: CRYPTO_set_locking_callback(NULL); DESTROYMUTEXBLOCK(locks, nlocks); cleanup_mutexalloc: mem_free(locks); return (result); }
int main(int argc,char **argv) { const char *szTestFile; FILE *f; if(argc != 2) { fprintf(stderr,"%s <test file>\n",argv[0]); EXIT(1); } CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); szTestFile=argv[1]; f=fopen(szTestFile,"r"); if(!f) { perror(szTestFile); EXIT(2); } /* Load up the software EVP_CIPHER and EVP_MD definitions */ OpenSSL_add_all_ciphers(); OpenSSL_add_all_digests(); #ifndef OPENSSL_NO_ENGINE /* Load all compiled-in ENGINEs */ ENGINE_load_builtin_engines(); #endif #if 0 OPENSSL_config(); #endif #ifndef OPENSSL_NO_ENGINE /* Register all available ENGINE implementations of ciphers and digests. * This could perhaps be changed to "ENGINE_register_all_complete()"? */ ENGINE_register_all_ciphers(); ENGINE_register_all_digests(); /* If we add command-line options, this statement should be switchable. * It'll prevent ENGINEs being ENGINE_init()ialised for cipher/digest use if * they weren't already initialised. */ /* ENGINE_set_cipher_flags(ENGINE_CIPHER_FLAG_NOINIT); */ #endif for( ; ; ) { char line[4096]; char *p; char *cipher; unsigned char *iv,*key,*plaintext,*ciphertext; int encdec; int kn,in,pn,cn; if(!fgets((char *)line,sizeof line,f)) break; if(line[0] == '#' || line[0] == '\n') continue; p=line; cipher=sstrsep(&p,":"); key=ustrsep(&p,":"); iv=ustrsep(&p,":"); plaintext=ustrsep(&p,":"); ciphertext=ustrsep(&p,":"); if (p[-1] == '\n') { p[-1] = '\0'; encdec = -1; } else { encdec = atoi(sstrsep(&p,"\n")); } kn=convert(key); in=convert(iv); pn=convert(plaintext); cn=convert(ciphertext); if(!test_cipher(cipher,key,kn,iv,in,plaintext,pn,ciphertext,cn,encdec) && !test_digest(cipher,plaintext,pn,ciphertext,cn)) { #ifdef OPENSSL_NO_AES if (strstr(cipher, "AES") == cipher) { fprintf(stdout, "Cipher disabled, skipping %s\n", cipher); continue; } #endif #ifdef OPENSSL_NO_DES if (strstr(cipher, "DES") == cipher) { fprintf(stdout, "Cipher disabled, skipping %s\n", cipher); continue; } #endif #ifdef OPENSSL_NO_RC4 if (strstr(cipher, "RC4") == cipher) { fprintf(stdout, "Cipher disabled, skipping %s\n", cipher); continue; } #endif #ifdef OPENSSL_NO_CAMELLIA if (strstr(cipher, "CAMELLIA") == cipher) { fprintf(stdout, "Cipher disabled, skipping %s\n", cipher); continue; } #endif fprintf(stderr,"Can't find %s\n",cipher); EXIT(3); } } #ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); #endif EVP_cleanup(); CRYPTO_cleanup_all_ex_data(); ERR_remove_state(0); ERR_free_strings(); CRYPTO_mem_leaks_fp(stderr); return 0; }
int main(int argc, char **argv) { static char buf[1024]; char **args = argv + 1; const char *sname = "fipstests.sh"; ARGS arg; int xargc; char **xargv; int lineno = 0, badarg = 0; int nerr = 0, quiet = 0, verbose = 0; int rv; FILE *in = NULL; #ifdef FIPS_ALGVS_MEMCHECK CRYPTO_malloc_debug_init(); OPENSSL_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); #endif #if defined(_TMS320C6400_PLUS) SysInit(); #endif #if (defined(__arm__) || defined(__aarch64__)) if (*args && !strcmp(*args, "-noaccel")) { extern unsigned int OPENSSL_armcap_P; OPENSSL_armcap_P=0; args++; argc--; } #endif if (*args && *args[0] != '-') { rv = run_prg(argc - 1, args); #ifdef FIPS_ALGVS_MEMCHECK CRYPTO_mem_leaks_fp(stderr); #endif return rv; } while (!badarg && *args && *args[0] == '-') { if (!strcmp(*args, "-script")) { if (args[1]) { args++; sname = *args; } else badarg = 1; } else if (!strcmp(*args, "-quiet")) quiet = 1; else if (!strcmp(*args, "-verbose")) verbose = 1; else badarg = 1; args++; } if (badarg) { fprintf(stderr, "Error processing arguments\n"); return 1; } in = fopen(sname, "r"); if (!in) { fprintf(stderr, "Error opening script file \"%s\"\n", sname); return 1; } arg.data = NULL; arg.count = 0; while (fgets(buf, sizeof(buf), in)) { lineno++; if (!chopup_args(&arg, buf, &xargc, &xargv)) fprintf(stderr, "Error processing line %d\n", lineno); else { if (!quiet) { int i; int narg = verbose ? xargc : xargc - 2; printf("Running command line:"); for (i = 0; i < narg; i++) printf(" %s", xargv[i]); printf("\n"); } rv = run_prg(xargc, xargv); if (FIPS_module_mode()) FIPS_module_mode_set(0, NULL); if (rv != 0) nerr++; if (rv == -100) fprintf(stderr, "ERROR: Command not found\n"); else if (rv != 0) fprintf(stderr, "ERROR: returned %d\n", rv); else if (verbose) printf("\tCommand run successfully\n"); } } if (!quiet) printf("Completed with %d errors\n", nerr); if (arg.data) OPENSSL_free(arg.data); fclose(in); #ifdef FIPS_ALGVS_MEMCHECK CRYPTO_mem_leaks_fp(stderr); #endif if (nerr == 0) return 0; return 1; }
int main(int argc, char *argv[]) { BIO *err; int testresult = 0; int currtest = 0; SSL_library_init(); SSL_load_error_strings(); err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT); CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); confctx = SSL_CONF_CTX_new(); ctx = SSL_CTX_new(SSLv23_method()); ssl = SSL_new(ctx); if (confctx == NULL || ctx == NULL) goto end; SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE | SSL_CONF_FLAG_CLIENT | SSL_CONF_FLAG_SERVER); /* * For each test set up an SSL_CTX and SSL and see whether SSLv2 is enabled * as expected after various SSL_CONF_cmd("Protocol", ...) calls. */ for (currtest = 0; currtest < TOTAL_NUM_TESTS; currtest++) { BIO_printf(err, "SSLv2 CONF Test number %d\n", currtest); if (currtest == TEST_SSL_CTX) SSL_CONF_CTX_set_ssl_ctx(confctx, ctx); else SSL_CONF_CTX_set_ssl(confctx, ssl); /* SSLv2 should be off by default */ if (!checksslv2(currtest, SSLV2OFF)) { BIO_printf(err, "SSLv2 CONF Test: Off by default test FAIL\n"); goto end; } if (SSL_CONF_cmd(confctx, "Protocol", "ALL") != 2 || !SSL_CONF_CTX_finish(confctx)) { BIO_printf(err, "SSLv2 CONF Test: SSL_CONF command FAIL\n"); goto end; } /* Should still be off even after ALL Protocols on */ if (!checksslv2(currtest, SSLV2OFF)) { BIO_printf(err, "SSLv2 CONF Test: Off after config #1 FAIL\n"); goto end; } if (SSL_CONF_cmd(confctx, "Protocol", "SSLv2") != 2 || !SSL_CONF_CTX_finish(confctx)) { BIO_printf(err, "SSLv2 CONF Test: SSL_CONF command FAIL\n"); goto end; } /* Should still be off even if explicitly asked for */ if (!checksslv2(currtest, SSLV2OFF)) { BIO_printf(err, "SSLv2 CONF Test: Off after config #2 FAIL\n"); goto end; } if (SSL_CONF_cmd(confctx, "Protocol", "-SSLv2") != 2 || !SSL_CONF_CTX_finish(confctx)) { BIO_printf(err, "SSLv2 CONF Test: SSL_CONF command FAIL\n");; goto end; } if (!checksslv2(currtest, SSLV2OFF)) { BIO_printf(err, "SSLv2 CONF Test: Off after config #3 FAIL\n"); goto end; } if (currtest == TEST_SSL_CTX) SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2); else SSL_clear_options(ssl, SSL_OP_NO_SSLv2); if (!checksslv2(currtest, SSLV2ON)) { BIO_printf(err, "SSLv2 CONF Test: On after clear FAIL\n"); goto end; } if (SSL_CONF_cmd(confctx, "Protocol", "ALL") != 2 || !SSL_CONF_CTX_finish(confctx)) { BIO_printf(err, "SSLv2 CONF Test: SSL_CONF command FAIL\n"); goto end; } /* Option has been cleared and config says have SSLv2 so should be on */ if (!checksslv2(currtest, SSLV2ON)) { BIO_printf(err, "SSLv2 CONF Test: On after config #1 FAIL\n"); goto end; } if (SSL_CONF_cmd(confctx, "Protocol", "SSLv2") != 2 || !SSL_CONF_CTX_finish(confctx)) { BIO_printf(err, "SSLv2 CONF Test: SSL_CONF command FAIL\n"); goto end; } /* Option has been cleared and config says have SSLv2 so should be on */ if (!checksslv2(currtest, SSLV2ON)) { BIO_printf(err, "SSLv2 CONF Test: On after config #2 FAIL\n"); goto end; } if (SSL_CONF_cmd(confctx, "Protocol", "-SSLv2") != 2 || !SSL_CONF_CTX_finish(confctx)) { BIO_printf(err, "SSLv2 CONF Test: SSL_CONF command FAIL\n"); goto end; } /* Option has been cleared but config says no SSLv2 so should be off */ if (!checksslv2(currtest, SSLV2OFF)) { BIO_printf(err, "SSLv2 CONF Test: Off after config #4 FAIL\n"); goto end; } } testresult = 1; end: SSL_free(ssl); SSL_CTX_free(ctx); SSL_CONF_CTX_free(confctx); if (!testresult) { printf("SSLv2 CONF test: FAILED (Test %d)\n", currtest); ERR_print_errors(err); } else { printf("SSLv2 CONF test: PASSED\n"); } ERR_free_strings(); ERR_remove_thread_state(NULL); EVP_cleanup(); CRYPTO_cleanup_all_ex_data(); CRYPTO_mem_leaks(err); BIO_free(err); return testresult ? EXIT_SUCCESS : EXIT_FAILURE; }
int main(int argc, char *argv[]) { SSL_CTX *ctx; SSL *con; BIO *rbio; BIO *wbio; BIO *err; long len; unsigned char *data; unsigned char *dataend; char *dummytick = "Hello World!"; unsigned int tmplen; unsigned int type; unsigned int size; int testresult = 0; int currtest = 0; SSL_library_init(); SSL_load_error_strings(); err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT); CRYPTO_malloc_debug_init(); CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); /* * For each test set up an SSL_CTX and SSL and see what ClientHello gets * produced when we try to connect */ for (; currtest < TOTAL_NUM_TESTS; currtest++) { testresult = 0; if (currtest == TEST_SET_SESSION_TICK_DATA_TLS_1_2) { ctx = SSL_CTX_new(TLSv1_2_method()); } else { ctx = SSL_CTX_new(SSLv23_method()); } con = SSL_new(ctx); rbio = BIO_new(BIO_s_mem()); wbio = BIO_new(BIO_s_mem()); SSL_set_bio(con, rbio, wbio); SSL_set_connect_state(con); if (currtest == TEST_SET_SESSION_TICK_DATA_TLS_1_2 || currtest == TEST_SET_SESSION_TICK_DATA_VER_NEG) { if (!SSL_set_session_ticket_ext(con, dummytick, strlen(dummytick))) goto end; } if (SSL_connect(con) > 0) { /* This shouldn't succeed because we don't have a server! */ goto end; } len = BIO_get_mem_data(wbio, (char **)&data); dataend = data + len; /* Skip the record header */ data += SSL3_RT_HEADER_LENGTH; /* Skip the handshake message header */ data += SSL3_HM_HEADER_LENGTH; /* Skip client version and random */ data += CLIENT_VERSION_LEN + SSL3_RANDOM_SIZE; if (data + SESSION_ID_LEN_LEN > dataend) goto end; /* Skip session id */ tmplen = *data; data += SESSION_ID_LEN_LEN + tmplen; if (data + CIPHERS_LEN_LEN > dataend) goto end; /* Skip ciphers */ tmplen = ((*data) << 8) | *(data + 1); data += CIPHERS_LEN_LEN + tmplen; if (data + COMPRESSION_LEN_LEN > dataend) goto end; /* Skip compression */ tmplen = *data; data += COMPRESSION_LEN_LEN + tmplen; if (data + EXTENSIONS_LEN_LEN > dataend) goto end; /* Extensions len */ tmplen = ((*data) << 8) | *(data + 1); data += EXTENSIONS_LEN_LEN; if (data + tmplen > dataend) goto end; /* Loop through all extensions */ while (tmplen > EXTENSION_TYPE_LEN + EXTENSION_SIZE_LEN) { type = ((*data) << 8) | *(data + 1); data += EXTENSION_TYPE_LEN; size = ((*data) << 8) | *(data + 1); data += EXTENSION_SIZE_LEN; if (data + size > dataend) goto end; if (type == TLSEXT_TYPE_session_ticket) { if (currtest == TEST_SET_SESSION_TICK_DATA_TLS_1_2 || currtest == TEST_SET_SESSION_TICK_DATA_VER_NEG) { if (size == strlen(dummytick) && memcmp(data, dummytick, size) == 0) { /* Ticket data is as we expected */ testresult = 1; } else { printf("Received session ticket is not as expected\n"); } break; } } tmplen -= EXTENSION_TYPE_LEN + EXTENSION_SIZE_LEN + size; data += size; } end: SSL_free(con); SSL_CTX_free(ctx); if (!testresult) { printf("ClientHello test: FAILED (Test %d)\n", currtest); break; } } ERR_free_strings(); ERR_remove_thread_state(NULL); EVP_cleanup(); CRYPTO_cleanup_all_ex_data(); CRYPTO_mem_leaks(err); return testresult?0:1; }