- Renamed include directory to polarssl
diff --git a/programs/Makefile b/programs/Makefile
new file mode 100644
index 0000000..5771a57
--- /dev/null
+++ b/programs/Makefile
@@ -0,0 +1,97 @@
+
+# To compile on SunOS: add "-lsocket -lnsl" to LDFLAGS
+# To compile on MinGW: add "-lws2_32" to LDFLAGS
+
+CFLAGS = -I../include -D_FILE_OFFSET_BITS=64
+OFLAGS = -O
+LDFLAGS = -L../library -lxyssl
+
+APPS = aes/aescrypt2 hash/hello \
+ hash/md5sum hash/sha1sum \
+ hash/sha2sum pkey/dh_client \
+ pkey/dh_genprime pkey/dh_server \
+ pkey/mpi_demo pkey/rsa_genkey \
+ pkey/rsa_sign pkey/rsa_verify \
+ ssl/ssl_client1 ssl/ssl_client2 \
+ ssl/ssl_server test/benchmark \
+ test/selftest test/ssl_test
+
+.SILENT:
+
+all: $(APPS)
+
+aes/aescrypt2: aes/aescrypt2.c ../library/libxyssl.a
+ echo " CC aes/aescrypt2.c"
+ $(CC) $(CFLAGS) $(OFLAGS) aes/aescrypt2.c $(LDFLAGS) -o $@
+
+hash/hello: hash/hello.c ../library/libxyssl.a
+ echo " CC hash/hello.c"
+ $(CC) $(CFLAGS) $(OFLAGS) hash/hello.c $(LDFLAGS) -o $@
+
+hash/md5sum: hash/md5sum.c ../library/libxyssl.a
+ echo " CC hash/md5sum.c"
+ $(CC) $(CFLAGS) $(OFLAGS) hash/md5sum.c $(LDFLAGS) -o $@
+
+hash/sha1sum: hash/sha1sum.c ../library/libxyssl.a
+ echo " CC hash/sha1sum.c"
+ $(CC) $(CFLAGS) $(OFLAGS) hash/sha1sum.c $(LDFLAGS) -o $@
+
+hash/sha2sum: hash/sha2sum.c ../library/libxyssl.a
+ echo " CC hash/sha2sum.c"
+ $(CC) $(CFLAGS) $(OFLAGS) hash/sha2sum.c $(LDFLAGS) -o $@
+
+pkey/dh_client: pkey/dh_client.c ../library/libxyssl.a
+ echo " CC pkey/dh_client.c"
+ $(CC) $(CFLAGS) $(OFLAGS) pkey/dh_client.c $(LDFLAGS) -o $@
+
+pkey/dh_genprime: pkey/dh_genprime.c ../library/libxyssl.a
+ echo " CC pkey/dh_genprime.c"
+ $(CC) $(CFLAGS) $(OFLAGS) pkey/dh_genprime.c $(LDFLAGS) -o $@
+
+pkey/dh_server: pkey/dh_server.c ../library/libxyssl.a
+ echo " CC pkey/dh_server.c"
+ $(CC) $(CFLAGS) $(OFLAGS) pkey/dh_server.c $(LDFLAGS) -o $@
+
+pkey/mpi_demo: pkey/mpi_demo.c ../library/libxyssl.a
+ echo " CC pkey/mpi_demo.c"
+ $(CC) $(CFLAGS) $(OFLAGS) pkey/mpi_demo.c $(LDFLAGS) -o $@
+
+pkey/rsa_genkey: pkey/rsa_genkey.c ../library/libxyssl.a
+ echo " CC pkey/rsa_genkey.c"
+ $(CC) $(CFLAGS) $(OFLAGS) pkey/rsa_genkey.c $(LDFLAGS) -o $@
+
+pkey/rsa_sign: pkey/rsa_sign.c ../library/libxyssl.a
+ echo " CC pkey/rsa_sign.c"
+ $(CC) $(CFLAGS) $(OFLAGS) pkey/rsa_sign.c $(LDFLAGS) -o $@
+
+pkey/rsa_verify: pkey/rsa_verify.c ../library/libxyssl.a
+ echo " CC pkey/rsa_verify.c"
+ $(CC) $(CFLAGS) $(OFLAGS) pkey/rsa_verify.c $(LDFLAGS) -o $@
+
+ssl/ssl_client1: ssl/ssl_client1.c ../library/libxyssl.a
+ echo " CC ssl/ssl_client1.c"
+ $(CC) $(CFLAGS) $(OFLAGS) ssl/ssl_client1.c $(LDFLAGS) -o $@
+
+ssl/ssl_client2: ssl/ssl_client2.c ../library/libxyssl.a
+ echo " CC ssl/ssl_client2.c"
+ $(CC) $(CFLAGS) $(OFLAGS) ssl/ssl_client2.c $(LDFLAGS) -o $@
+
+ssl/ssl_server: ssl/ssl_server.c ../library/libxyssl.a
+ echo " CC ssl/ssl_server.c"
+ $(CC) $(CFLAGS) $(OFLAGS) ssl/ssl_server.c $(LDFLAGS) -o $@
+
+test/benchmark: test/benchmark.c ../library/libxyssl.a
+ echo " CC test/benchmark.c"
+ $(CC) $(CFLAGS) $(OFLAGS) test/benchmark.c $(LDFLAGS) -o $@
+
+test/selftest: test/selftest.c ../library/libxyssl.a
+ echo " CC test/selftest.c"
+ $(CC) $(CFLAGS) $(OFLAGS) test/selftest.c $(LDFLAGS) -o $@
+
+test/ssl_test: test/ssl_test.c ../library/libxyssl.a
+ echo " CC test/ssl_test.c"
+ $(CC) $(CFLAGS) $(OFLAGS) test/ssl_test.c $(LDFLAGS) -o $@
+
+clean:
+ rm -f $(APPS)
+
diff --git a/programs/aes/aescrypt2.c b/programs/aes/aescrypt2.c
new file mode 100644
index 0000000..3d9c06d
--- /dev/null
+++ b/programs/aes/aescrypt2.c
@@ -0,0 +1,396 @@
+/*
+ * AES-256 file encryption program
+ *
+ * Copyright (C) 2006-2007 Christophe Devine
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _CRT_SECURE_NO_DEPRECATE
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+#if defined(WIN32)
+#include <windows.h>
+#include <io.h>
+#else
+#include <sys/types.h>
+#include <unistd.h>
+#endif
+
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <time.h>
+
+#include "xyssl/aes.h"
+#include "xyssl/sha2.h"
+
+#define MODE_ENCRYPT 0
+#define MODE_DECRYPT 1
+
+#define USAGE \
+ "\n aescrypt2 <mode> <input filename> <output filename> <key>\n" \
+ "\n <mode>: 0 = encrypt, 1 = decrypt\n" \
+ "\n example: aescrypt2 0 file file.aes hex:E76B2413958B00E193\n" \
+ "\n"
+
+int main( int argc, char *argv[] )
+{
+ int ret = 1, i, n;
+ int keylen, mode, lastn;
+ FILE *fkey, *fin, *fout;
+
+ char *p;
+ unsigned char IV[16];
+ unsigned char key[512];
+ unsigned char digest[32];
+ unsigned char buffer[1024];
+
+ aes_context aes_ctx;
+ sha2_context sha_ctx;
+
+#if defined(WIN32)
+ LARGE_INTEGER li_size;
+ __int64 filesize, offset;
+#else
+ off_t filesize, offset;
+#endif
+
+ /*
+ * Parse the command-line arguments.
+ */
+ if( argc != 5 )
+ {
+ printf( USAGE );
+
+#if defined(WIN32)
+ printf( "\n Press Enter to exit this program.\n" );
+ fflush( stdout ); getchar();
+#endif
+
+ goto exit;
+ }
+
+ mode = atoi( argv[1] );
+
+ if( mode != MODE_ENCRYPT && mode != MODE_DECRYPT )
+ {
+ fprintf( stderr, "invalide operation mode\n" );
+ goto exit;
+ }
+
+ if( strcmp( argv[2], argv[3] ) == 0 )
+ {
+ fprintf( stderr, "input and output filenames must differ\n" );
+ goto exit;
+ }
+
+ if( ( fin = fopen( argv[2], "rb" ) ) == NULL )
+ {
+ fprintf( stderr, "fopen(%s,rb) failed\n", argv[2] );
+ goto exit;
+ }
+
+ if( ( fout = fopen( argv[3], "wb+" ) ) == NULL )
+ {
+ fprintf( stderr, "fopen(%s,wb+) failed\n", argv[3] );
+ goto exit;
+ }
+
+ /*
+ * Read the secret key and clean the command line.
+ */
+ if( ( fkey = fopen( argv[4], "rb" ) ) != NULL )
+ {
+ keylen = fread( key, 1, sizeof( key ), fkey );
+ fclose( fkey );
+ }
+ else
+ {
+ if( memcmp( argv[4], "hex:", 4 ) == 0 )
+ {
+ p = &argv[4][4];
+ keylen = 0;
+
+ while( sscanf( p, "%02X", &n ) > 0 &&
+ keylen < (int) sizeof( key ) )
+ {
+ key[keylen++] = (unsigned char) n;
+ p += 2;
+ }
+ }
+ else
+ {
+ keylen = strlen( argv[4] );
+
+ if( keylen > (int) sizeof( key ) )
+ keylen = (int) sizeof( key );
+
+ memcpy( key, argv[4], keylen );
+ }
+ }
+
+ memset( argv[4], 0, strlen( argv[4] ) );
+
+#if defined(WIN32)
+ /*
+ * Support large files (> 2Gb) on Win32
+ */
+ li_size.QuadPart = 0;
+ li_size.LowPart =
+ SetFilePointer( (HANDLE) _get_osfhandle( _fileno( fin ) ),
+ li_size.LowPart, &li_size.HighPart, FILE_END );
+
+ if( li_size.LowPart == 0xFFFFFFFF && GetLastError() != NO_ERROR )
+ {
+ fprintf( stderr, "SetFilePointer(0,FILE_END) failed\n" );
+ goto exit;
+ }
+
+ filesize = li_size.QuadPart;
+#else
+ if( ( filesize = lseek( fileno( fin ), 0, SEEK_END ) ) < 0 )
+ {
+ perror( "lseek" );
+ goto exit;
+ }
+#endif
+
+ if( fseek( fin, 0, SEEK_SET ) < 0 )
+ {
+ fprintf( stderr, "fseek(0,SEEK_SET) failed\n" );
+ goto exit;
+ }
+
+ if( mode == MODE_ENCRYPT )
+ {
+ /*
+ * Generate the initialization vector as:
+ * IV = SHA-256( filesize || filename )[0..15]
+ */
+ for( i = 0; i < 8; i++ )
+ buffer[i] = (unsigned char)( filesize >> ( i << 3 ) );
+
+ p = argv[2];
+
+ sha2_starts( &sha_ctx, 0 );
+ sha2_update( &sha_ctx, buffer, 8 );
+ sha2_update( &sha_ctx, (unsigned char *) p, strlen( p ) );
+ sha2_finish( &sha_ctx, digest );
+
+ memcpy( IV, digest, 16 );
+
+ /*
+ * The last four bits in the IV are actually used
+ * to store the file size modulo the AES block size.
+ */
+ lastn = (int)( filesize & 0x0F );
+
+ IV[15] = (unsigned char)
+ ( ( IV[15] & 0xF0 ) | lastn );
+
+ /*
+ * Append the IV at the beginning of the output.
+ */
+ if( fwrite( IV, 1, 16, fout ) != 16 )
+ {
+ fprintf( stderr, "fwrite(%d bytes) failed\n", 16 );
+ goto exit;
+ }
+
+ /*
+ * Hash the IV and the secret key together 8192 times
+ * using the result to setup the AES context and HMAC.
+ */
+ memset( digest, 0, 32 );
+ memcpy( digest, IV, 16 );
+
+ for( i = 0; i < 8192; i++ )
+ {
+ sha2_starts( &sha_ctx, 0 );
+ sha2_update( &sha_ctx, digest, 32 );
+ sha2_update( &sha_ctx, key, keylen );
+ sha2_finish( &sha_ctx, digest );
+ }
+
+ memset( key, 0, sizeof( key ) );
+ aes_setkey_enc( &aes_ctx, digest, 256 );
+ sha2_hmac_starts( &sha_ctx, digest, 32, 0 );
+
+ /*
+ * Encrypt and write the ciphertext.
+ */
+ for( offset = 0; offset < filesize; offset += 16 )
+ {
+ n = ( filesize - offset > 16 ) ? 16 : (int)
+ ( filesize - offset );
+
+ if( fread( buffer, 1, n, fin ) != (size_t) n )
+ {
+ fprintf( stderr, "fread(%d bytes) failed\n", n );
+ goto exit;
+ }
+
+ for( i = 0; i < 16; i++ )
+ buffer[i] = (unsigned char)( buffer[i] ^ IV[i] );
+
+ aes_crypt_ecb( &aes_ctx, AES_ENCRYPT, buffer, buffer );
+ sha2_hmac_update( &sha_ctx, buffer, 16 );
+
+ if( fwrite( buffer, 1, 16, fout ) != 16 )
+ {
+ fprintf( stderr, "fwrite(%d bytes) failed\n", 16 );
+ goto exit;
+ }
+
+ memcpy( IV, buffer, 16 );
+ }
+
+ /*
+ * Finally write the HMAC.
+ */
+ sha2_hmac_finish( &sha_ctx, digest );
+
+ if( fwrite( digest, 1, 32, fout ) != 32 )
+ {
+ fprintf( stderr, "fwrite(%d bytes) failed\n", 16 );
+ goto exit;
+ }
+ }
+
+ if( mode == MODE_DECRYPT )
+ {
+ unsigned char tmp[16];
+
+ /*
+ * The encrypted file must be structured as follows:
+ *
+ * 00 .. 15 Initialization Vector
+ * 16 .. 31 AES Encrypted Block #1
+ * ..
+ * N*16 .. (N+1)*16 - 1 AES Encrypted Block #N
+ * (N+1)*16 .. (N+1)*16 + 32 HMAC-SHA-256(ciphertext)
+ */
+ if( filesize < 48 )
+ {
+ fprintf( stderr, "File too short to be encrypted.\n" );
+ goto exit;
+ }
+
+ if( ( filesize & 0x0F ) != 0 )
+ {
+ fprintf( stderr, "File size not a multiple of 16.\n" );
+ goto exit;
+ }
+
+ /*
+ * Substract the IV + HMAC length.
+ */
+ filesize -= ( 16 + 32 );
+
+ /*
+ * Read the IV and original filesize modulo 16.
+ */
+ if( fread( buffer, 1, 16, fin ) != 16 )
+ {
+ fprintf( stderr, "fread(%d bytes) failed\n", 16 );
+ goto exit;
+ }
+
+ memcpy( IV, buffer, 16 );
+ lastn = IV[15] & 0x0F;
+
+ /*
+ * Hash the IV and the secret key together 8192 times
+ * using the result to setup the AES context and HMAC.
+ */
+ memset( digest, 0, 32 );
+ memcpy( digest, IV, 16 );
+
+ for( i = 0; i < 8192; i++ )
+ {
+ sha2_starts( &sha_ctx, 0 );
+ sha2_update( &sha_ctx, digest, 32 );
+ sha2_update( &sha_ctx, key, keylen );
+ sha2_finish( &sha_ctx, digest );
+ }
+
+ memset( key, 0, sizeof( key ) );
+ aes_setkey_dec( &aes_ctx, digest, 256 );
+ sha2_hmac_starts( &sha_ctx, digest, 32, 0 );
+
+ /*
+ * Decrypt and write the plaintext.
+ */
+ for( offset = 0; offset < filesize; offset += 16 )
+ {
+ if( fread( buffer, 1, 16, fin ) != 16 )
+ {
+ fprintf( stderr, "fread(%d bytes) failed\n", 16 );
+ goto exit;
+ }
+
+ memcpy( tmp, buffer, 16 );
+
+ sha2_hmac_update( &sha_ctx, buffer, 16 );
+ aes_crypt_ecb( &aes_ctx, AES_DECRYPT, buffer, buffer );
+
+ for( i = 0; i < 16; i++ )
+ buffer[i] = (unsigned char)( buffer[i] ^ IV[i] );
+
+ memcpy( IV, tmp, 16 );
+
+ n = ( lastn > 0 && offset == filesize - 16 )
+ ? lastn : 16;
+
+ if( fwrite( buffer, 1, n, fout ) != (size_t) n )
+ {
+ fprintf( stderr, "fwrite(%d bytes) failed\n", n );
+ goto exit;
+ }
+ }
+
+ /*
+ * Verify the message authentication code.
+ */
+ sha2_hmac_finish( &sha_ctx, digest );
+
+ if( fread( buffer, 1, 32, fin ) != 32 )
+ {
+ fprintf( stderr, "fread(%d bytes) failed\n", 32 );
+ goto exit;
+ }
+
+ if( memcmp( digest, buffer, 32 ) != 0 )
+ {
+ fprintf( stderr, "HMAC check failed: wrong key, "
+ "or file corrupted.\n" );
+ goto exit;
+ }
+ }
+
+ ret = 0;
+
+exit:
+
+ memset( buffer, 0, sizeof( buffer ) );
+ memset( digest, 0, sizeof( digest ) );
+
+ memset( &aes_ctx, 0, sizeof( aes_context ) );
+ memset( &sha_ctx, 0, sizeof( sha2_context ) );
+
+ return( ret );
+}
diff --git a/programs/hash/hello.c b/programs/hash/hello.c
new file mode 100644
index 0000000..12e0167
--- /dev/null
+++ b/programs/hash/hello.c
@@ -0,0 +1,50 @@
+/*
+ * Classic "Hello, world" demonstration program
+ *
+ * Copyright (C) 2006-2007 Christophe Devine
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _CRT_SECURE_NO_DEPRECATE
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+#include <stdio.h>
+
+#include "xyssl/md5.h"
+
+int main( void )
+{
+ int i;
+ unsigned char digest[16];
+ char str[] = "Hello, world!";
+
+ printf( "\n MD5('%s') = ", str );
+
+ md5( (unsigned char *) str, 13, digest );
+
+ for( i = 0; i < 16; i++ )
+ printf( "%02x", digest[i] );
+
+ printf( "\n\n" );
+
+#ifdef WIN32
+ printf( " Press Enter to exit this program.\n" );
+ fflush( stdout ); getchar();
+#endif
+
+ return( 0 );
+}
diff --git a/programs/hash/md5sum.c b/programs/hash/md5sum.c
new file mode 100644
index 0000000..10e9a71
--- /dev/null
+++ b/programs/hash/md5sum.c
@@ -0,0 +1,156 @@
+/*
+ * md5sum demonstration program
+ *
+ * Copyright (C) 2006-2007 Christophe Devine
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _CRT_SECURE_NO_DEPRECATE
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+#include <string.h>
+#include <stdio.h>
+
+#include "xyssl/md5.h"
+
+static int md5_wrapper( char *filename, unsigned char *sum )
+{
+ int ret = md5_file( filename, sum );
+
+ if( ret == 1 )
+ fprintf( stderr, "failed to open: %s\n", filename );
+
+ if( ret == 2 )
+ fprintf( stderr, "failed to read: %s\n", filename );
+
+ return( ret );
+}
+
+static int md5_print( char *filename )
+{
+ int i;
+ unsigned char sum[16];
+
+ if( md5_wrapper( filename, sum ) != 0 )
+ return( 1 );
+
+ for( i = 0; i < 16; i++ )
+ printf( "%02x", sum[i] );
+
+ printf( " %s\n", filename );
+ return( 0 );
+}
+
+static int md5_check( char *filename )
+{
+ int i;
+ size_t n;
+ FILE *f;
+ int nb_err1, nb_err2;
+ int nb_tot1, nb_tot2;
+ unsigned char sum[16];
+ char buf[33], line[1024];
+
+ if( ( f = fopen( filename, "rb" ) ) == NULL )
+ {
+ printf( "failed to open: %s\n", filename );
+ return( 1 );
+ }
+
+ nb_err1 = nb_err2 = 0;
+ nb_tot1 = nb_tot2 = 0;
+
+ memset( line, 0, sizeof( line ) );
+
+ n = sizeof( line );
+
+ while( fgets( line, n - 1, f ) != NULL )
+ {
+ n = strlen( line );
+
+ if( n < 36 )
+ continue;
+
+ if( line[32] != ' ' || line[33] != ' ' )
+ continue;
+
+ if( line[n - 1] == '\n' ) { n--; line[n] = '\0'; }
+ if( line[n - 1] == '\r' ) { n--; line[n] = '\0'; }
+
+ nb_tot1++;
+
+ if( md5_wrapper( line + 34, sum ) != 0 )
+ {
+ nb_err1++;
+ continue;
+ }
+
+ nb_tot2++;
+
+ for( i = 0; i < 16; i++ )
+ sprintf( buf + i * 2, "%02x", sum[i] );
+
+ if( memcmp( line, buf, 32 ) != 0 )
+ {
+ nb_err2++;
+ fprintf( stderr, "wrong checksum: %s\n", line + 34 );
+ }
+
+ n = sizeof( line );
+ }
+
+ if( nb_err1 != 0 )
+ {
+ printf( "WARNING: %d (out of %d) input files could "
+ "not be read\n", nb_err1, nb_tot1 );
+ }
+
+ if( nb_err2 != 0 )
+ {
+ printf( "WARNING: %d (out of %d) computed checksums did "
+ "not match\n", nb_err2, nb_tot2 );
+ }
+
+ return( nb_err1 != 0 || nb_err2 != 0 );
+}
+
+int main( int argc, char *argv[] )
+{
+ int ret, i;
+
+ if( argc == 1 )
+ {
+ printf( "print mode: md5sum <file> <file> ...\n" );
+ printf( "check mode: md5sum -c <checksum file>\n" );
+
+#ifdef WIN32
+ printf( "\n Press Enter to exit this program.\n" );
+ fflush( stdout ); getchar();
+#endif
+
+ return( 1 );
+ }
+
+ if( argc == 3 && strcmp( "-c", argv[1] ) == 0 )
+ return( md5_check( argv[2] ) );
+
+ ret = 0;
+ for( i = 1; i < argc; i++ )
+ ret |= md5_print( argv[i] );
+
+ return( ret );
+}
diff --git a/programs/hash/sha1sum.c b/programs/hash/sha1sum.c
new file mode 100644
index 0000000..33c3142
--- /dev/null
+++ b/programs/hash/sha1sum.c
@@ -0,0 +1,156 @@
+/*
+ * sha1sum demonstration program
+ *
+ * Copyright (C) 2006-2007 Christophe Devine
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _CRT_SECURE_NO_DEPRECATE
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+#include <string.h>
+#include <stdio.h>
+
+#include "xyssl/sha1.h"
+
+static int sha1_wrapper( char *filename, unsigned char *sum )
+{
+ int ret = sha1_file( filename, sum );
+
+ if( ret == 1 )
+ fprintf( stderr, "failed to open: %s\n", filename );
+
+ if( ret == 2 )
+ fprintf( stderr, "failed to read: %s\n", filename );
+
+ return( ret );
+}
+
+static int sha1_print( char *filename )
+{
+ int i;
+ unsigned char sum[20];
+
+ if( sha1_wrapper( filename, sum ) != 0 )
+ return( 1 );
+
+ for( i = 0; i < 20; i++ )
+ printf( "%02x", sum[i] );
+
+ printf( " %s\n", filename );
+ return( 0 );
+}
+
+static int sha1_check( char *filename )
+{
+ int i;
+ size_t n;
+ FILE *f;
+ int nb_err1, nb_err2;
+ int nb_tot1, nb_tot2;
+ unsigned char sum[20];
+ char buf[41], line[1024];
+
+ if( ( f = fopen( filename, "rb" ) ) == NULL )
+ {
+ printf( "failed to open: %s\n", filename );
+ return( 1 );
+ }
+
+ nb_err1 = nb_err2 = 0;
+ nb_tot1 = nb_tot2 = 0;
+
+ memset( line, 0, sizeof( line ) );
+
+ n = sizeof( line );
+
+ while( fgets( line, n - 1, f ) != NULL )
+ {
+ n = strlen( line );
+
+ if( n < 44 )
+ continue;
+
+ if( line[40] != ' ' || line[41] != ' ' )
+ continue;
+
+ if( line[n - 1] == '\n' ) { n--; line[n] = '\0'; }
+ if( line[n - 1] == '\r' ) { n--; line[n] = '\0'; }
+
+ nb_tot1++;
+
+ if( sha1_wrapper( line + 42, sum ) != 0 )
+ {
+ nb_err1++;
+ continue;
+ }
+
+ nb_tot2++;
+
+ for( i = 0; i < 20; i++ )
+ sprintf( buf + i * 2, "%02x", sum[i] );
+
+ if( memcmp( line, buf, 40 ) != 0 )
+ {
+ nb_err2++;
+ fprintf( stderr, "wrong checksum: %s\n", line + 42 );
+ }
+
+ n = sizeof( line );
+ }
+
+ if( nb_err1 != 0 )
+ {
+ printf( "WARNING: %d (out of %d) input files could "
+ "not be read\n", nb_err1, nb_tot1 );
+ }
+
+ if( nb_err2 != 0 )
+ {
+ printf( "WARNING: %d (out of %d) computed checksums did "
+ "not match\n", nb_err2, nb_tot2 );
+ }
+
+ return( nb_err1 != 0 || nb_err2 != 0 );
+}
+
+int main( int argc, char *argv[] )
+{
+ int ret, i;
+
+ if( argc == 1 )
+ {
+ printf( "print mode: sha1sum <file> <file> ...\n" );
+ printf( "check mode: sha1sum -c <checksum file>\n" );
+
+#ifdef WIN32
+ printf( "\n Press Enter to exit this program.\n" );
+ fflush( stdout ); getchar();
+#endif
+
+ return( 1 );
+ }
+
+ if( argc == 3 && strcmp( "-c", argv[1] ) == 0 )
+ return( sha1_check( argv[2] ) );
+
+ ret = 0;
+ for( i = 1; i < argc; i++ )
+ ret |= sha1_print( argv[i] );
+
+ return( ret );
+}
diff --git a/programs/hash/sha2sum.c b/programs/hash/sha2sum.c
new file mode 100644
index 0000000..c0d42a8
--- /dev/null
+++ b/programs/hash/sha2sum.c
@@ -0,0 +1,156 @@
+/*
+ * sha2sum demonstration program
+ *
+ * Copyright (C) 2006-2007 Christophe Devine
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _CRT_SECURE_NO_DEPRECATE
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+#include <string.h>
+#include <stdio.h>
+
+#include "xyssl/sha2.h"
+
+static int sha2_wrapper( char *filename, unsigned char *sum )
+{
+ int ret = sha2_file( filename, sum, 0 );
+
+ if( ret == 1 )
+ fprintf( stderr, "failed to open: %s\n", filename );
+
+ if( ret == 2 )
+ fprintf( stderr, "failed to read: %s\n", filename );
+
+ return( ret );
+}
+
+static int sha2_print( char *filename )
+{
+ int i;
+ unsigned char sum[32];
+
+ if( sha2_wrapper( filename, sum ) != 0 )
+ return( 1 );
+
+ for( i = 0; i < 32; i++ )
+ printf( "%02x", sum[i] );
+
+ printf( " %s\n", filename );
+ return( 0 );
+}
+
+static int sha2_check( char *filename )
+{
+ int i;
+ size_t n;
+ FILE *f;
+ int nb_err1, nb_err2;
+ int nb_tot1, nb_tot2;
+ unsigned char sum[32];
+ char buf[65], line[1024];
+
+ if( ( f = fopen( filename, "rb" ) ) == NULL )
+ {
+ printf( "failed to open: %s\n", filename );
+ return( 1 );
+ }
+
+ nb_err1 = nb_err2 = 0;
+ nb_tot1 = nb_tot2 = 0;
+
+ memset( line, 0, sizeof( line ) );
+
+ n = sizeof( line );
+
+ while( fgets( line, n - 1, f ) != NULL )
+ {
+ n = strlen( line );
+
+ if( n < 68 )
+ continue;
+
+ if( line[64] != ' ' || line[65] != ' ' )
+ continue;
+
+ if( line[n - 1] == '\n' ) { n--; line[n] = '\0'; }
+ if( line[n - 1] == '\r' ) { n--; line[n] = '\0'; }
+
+ nb_tot1++;
+
+ if( sha2_wrapper( line + 66, sum ) != 0 )
+ {
+ nb_err1++;
+ continue;
+ }
+
+ nb_tot2++;
+
+ for( i = 0; i < 32; i++ )
+ sprintf( buf + i * 2, "%02x", sum[i] );
+
+ if( memcmp( line, buf, 64 ) != 0 )
+ {
+ nb_err2++;
+ fprintf( stderr, "wrong checksum: %s\n", line + 66 );
+ }
+
+ n = sizeof( line );
+ }
+
+ if( nb_err1 != 0 )
+ {
+ printf( "WARNING: %d (out of %d) input files could "
+ "not be read\n", nb_err1, nb_tot1 );
+ }
+
+ if( nb_err2 != 0 )
+ {
+ printf( "WARNING: %d (out of %d) computed checksums did "
+ "not match\n", nb_err2, nb_tot2 );
+ }
+
+ return( nb_err1 != 0 || nb_err2 != 0 );
+}
+
+int main( int argc, char *argv[] )
+{
+ int ret, i;
+
+ if( argc == 1 )
+ {
+ printf( "print mode: sha2sum <file> <file> ...\n" );
+ printf( "check mode: sha2sum -c <checksum file>\n" );
+
+#ifdef WIN32
+ printf( "\n Press Enter to exit this program.\n" );
+ fflush( stdout ); getchar();
+#endif
+
+ return( 1 );
+ }
+
+ if( argc == 3 && strcmp( "-c", argv[1] ) == 0 )
+ return( sha2_check( argv[2] ) );
+
+ ret = 0;
+ for( i = 1; i < argc; i++ )
+ ret |= sha2_print( argv[i] );
+
+ return( ret );
+}
diff --git a/programs/pkey/dh_client.c b/programs/pkey/dh_client.c
new file mode 100644
index 0000000..2122078
--- /dev/null
+++ b/programs/pkey/dh_client.c
@@ -0,0 +1,249 @@
+/*
+ * Diffie-Hellman-Merkle key exchange (client side)
+ *
+ * Copyright (C) 2006-2007 Christophe Devine
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _CRT_SECURE_NO_DEPRECATE
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+#include <string.h>
+#include <stdio.h>
+
+#include "xyssl/net.h"
+#include "xyssl/aes.h"
+#include "xyssl/dhm.h"
+#include "xyssl/rsa.h"
+#include "xyssl/sha1.h"
+#include "xyssl/havege.h"
+
+#define SERVER_NAME "localhost"
+#define SERVER_PORT 11999
+
+int main( void )
+{
+ FILE *f;
+
+ int ret, n, buflen;
+ int server_fd = -1;
+
+ unsigned char *p, *end;
+ unsigned char buf[1024];
+ unsigned char hash[20];
+
+ havege_state hs;
+ rsa_context rsa;
+ dhm_context dhm;
+ aes_context aes;
+
+ memset( &rsa, 0, sizeof( rsa ) );
+ memset( &dhm, 0, sizeof( dhm ) );
+
+ /*
+ * 1. Setup the RNG
+ */
+ printf( "\n . Seeding the random number generator" );
+ fflush( stdout );
+
+ havege_init( &hs );
+
+ /*
+ * 2. Read the server's public RSA key
+ */
+ printf( "\n . Reading public key from rsa_pub.txt" );
+ fflush( stdout );
+
+ if( ( f = fopen( "rsa_pub.txt", "rb" ) ) == NULL )
+ {
+ ret = 1;
+ printf( " failed\n ! Could not open rsa_pub.txt\n" \
+ " ! Please run rsa_genkey first\n\n" );
+ goto exit;
+ }
+
+ rsa_init( &rsa, RSA_PKCS_V15, 0, NULL, NULL );
+
+ if( ( ret = mpi_read_file( &rsa.N, 16, f ) ) != 0 ||
+ ( ret = mpi_read_file( &rsa.E, 16, f ) ) != 0 )
+ {
+ printf( " failed\n ! mpi_read_file returned %d\n\n", ret );
+ goto exit;
+ }
+
+ rsa.len = ( mpi_msb( &rsa.N ) + 7 ) >> 3;
+
+ fclose( f );
+
+ /*
+ * 3. Initiate the connection
+ */
+ printf( "\n . Connecting to tcp/%s/%d", SERVER_NAME,
+ SERVER_PORT );
+ fflush( stdout );
+
+ if( ( ret = net_connect( &server_fd, SERVER_NAME,
+ SERVER_PORT ) ) != 0 )
+ {
+ printf( " failed\n ! net_connect returned %d\n\n", ret );
+ goto exit;
+ }
+
+ /*
+ * 4a. First get the buffer length
+ */
+ printf( "\n . Receiving the server's DH parameters" );
+ fflush( stdout );
+
+ memset( buf, 0, sizeof( buf ) );
+
+ if( ( ret = net_recv( &server_fd, buf, 2 ) ) != 2 )
+ {
+ printf( " failed\n ! net_recv returned %d\n\n", ret );
+ goto exit;
+ }
+
+ n = buflen = ( buf[0] << 8 ) | buf[1];
+ if( buflen < 1 || buflen > (int) sizeof( buf ) )
+ {
+ printf( " failed\n ! Got an invalid buffer length\n\n" );
+ goto exit;
+ }
+
+ /*
+ * 4b. Get the DHM parameters: P, G and Ys = G^Xs mod P
+ */
+ memset( buf, 0, sizeof( buf ) );
+
+ if( ( ret = net_recv( &server_fd, buf, n ) ) != n )
+ {
+ printf( " failed\n ! net_recv returned %d\n\n", ret );
+ goto exit;
+ }
+
+ p = buf, end = buf + buflen;
+
+ if( ( ret = dhm_read_params( &dhm, &p, end ) ) != 0 )
+ {
+ printf( " failed\n ! dhm_read_params returned %d\n\n", ret );
+ goto exit;
+ }
+
+ if( dhm.len < 64 || dhm.len > 256 )
+ {
+ ret = 1;
+ printf( " failed\n ! Invalid DHM modulus size\n\n" );
+ goto exit;
+ }
+
+ /*
+ * 5. Check that the server's RSA signature matches
+ * the SHA-1 hash of (P,G,Ys)
+ */
+ printf( "\n . Verifying the server's RSA signature" );
+ fflush( stdout );
+
+ if( ( n = (int)( end - p ) ) != rsa.len )
+ {
+ ret = 1;
+ printf( " failed\n ! Invalid RSA signature size\n\n" );
+ goto exit;
+ }
+
+ sha1( buf, (int)( p - 2 - buf ), hash );
+
+ if( ( ret = rsa_pkcs1_verify( &rsa, RSA_PUBLIC, RSA_SHA1,
+ 0, hash, p ) ) != 0 )
+ {
+ printf( " failed\n ! rsa_pkcs1_verify returned %d\n\n", ret );
+ goto exit;
+ }
+
+ /*
+ * 6. Send our public value: Yc = G ^ Xc mod P
+ */
+ printf( "\n . Sending own public value to server" );
+ fflush( stdout );
+
+ n = dhm.len;
+ if( ( ret = dhm_make_public( &dhm, 256, buf, n,
+ havege_rand, &hs ) ) != 0 )
+ {
+ printf( " failed\n ! dhm_make_public returned %d\n\n", ret );
+ goto exit;
+ }
+
+ if( ( ret = net_send( &server_fd, buf, n ) ) != n )
+ {
+ printf( " failed\n ! net_send returned %d\n\n", ret );
+ goto exit;
+ }
+
+ /*
+ * 7. Derive the shared secret: K = Ys ^ Xc mod P
+ */
+ printf( "\n . Shared secret: " );
+ fflush( stdout );
+
+ n = dhm.len;
+ if( ( ret = dhm_calc_secret( &dhm, buf, &n ) ) != 0 )
+ {
+ printf( " failed\n ! dhm_calc_secret returned %d\n\n", ret );
+ goto exit;
+ }
+
+ for( n = 0; n < 16; n++ )
+ printf( "%02x", buf[n] );
+
+ /*
+ * 8. Setup the AES-256 decryption key
+ *
+ * This is an overly simplified example; best practice is
+ * to hash the shared secret with a random value to derive
+ * the keying material for the encryption/decryption keys,
+ * IVs and MACs.
+ */
+ printf( "...\n . Receiving and decrypting the ciphertext" );
+ fflush( stdout );
+
+ aes_setkey_dec( &aes, buf, 256 );
+
+ memset( buf, 0, sizeof( buf ) );
+
+ if( ( ret = net_recv( &server_fd, buf, 16 ) ) != 16 )
+ {
+ printf( " failed\n ! net_recv returned %d\n\n", ret );
+ goto exit;
+ }
+
+ aes_crypt_ecb( &aes, AES_DECRYPT, buf, buf );
+ buf[16] = '\0';
+ printf( "\n . Plaintext is \"%s\"\n\n", (char *) buf );
+
+exit:
+
+ net_close( server_fd );
+ rsa_free( &rsa );
+ dhm_free( &dhm );
+
+#ifdef WIN32
+ printf( " + Press Enter to exit this program.\n" );
+ fflush( stdout ); getchar();
+#endif
+
+ return( ret );
+}
diff --git a/programs/pkey/dh_genprime.c b/programs/pkey/dh_genprime.c
new file mode 100644
index 0000000..09d9b1d
--- /dev/null
+++ b/programs/pkey/dh_genprime.c
@@ -0,0 +1,122 @@
+/*
+ * Diffie-Hellman-Merkle key exchange (prime generation)
+ *
+ * Copyright (C) 2006-2007 Christophe Devine
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _CRT_SECURE_NO_DEPRECATE
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+#include <stdio.h>
+
+#include "xyssl/bignum.h"
+#include "xyssl/config.h"
+#include "xyssl/havege.h"
+
+/*
+ * Note: G = 4 is always a quadratic residue mod P,
+ * so it is a generator of order Q (with P = 2*Q+1).
+ */
+#define DH_P_SIZE 1024
+#define GENERATOR "4"
+
+int main( void )
+{
+ int ret = 1;
+
+#if defined(XYSSL_GENPRIME)
+ mpi G, P, Q;
+ havege_state hs;
+ FILE *fout;
+
+ mpi_init( &G, &P, &Q, NULL );
+ mpi_read_string( &G, 10, GENERATOR );
+
+ printf( "\n . Seeding the random number generator..." );
+ fflush( stdout );
+
+ havege_init( &hs );
+
+ printf( " ok\n . Generating the modulus, please wait..." );
+ fflush( stdout );
+
+ /*
+ * This can take a long time...
+ */
+ if( ( ret = mpi_gen_prime( &P, DH_P_SIZE, 1,
+ havege_rand, &hs ) ) != 0 )
+ {
+ printf( " failed\n ! mpi_gen_prime returned %d\n\n", ret );
+ goto exit;
+ }
+
+ printf( " ok\n . Verifying that Q = (P-1)/2 is prime..." );
+ fflush( stdout );
+
+ if( ( ret = mpi_sub_int( &Q, &P, 1 ) ) != 0 )
+ {
+ printf( " failed\n ! mpi_sub_int returned %d\n\n", ret );
+ goto exit;
+ }
+
+ if( ( ret = mpi_div_int( &Q, NULL, &Q, 2 ) ) != 0 )
+ {
+ printf( " failed\n ! mpi_div_int returned %d\n\n", ret );
+ goto exit;
+ }
+
+ if( ( ret = mpi_is_prime( &Q, havege_rand, &hs ) ) != 0 )
+ {
+ printf( " failed\n ! mpi_is_prime returned %d\n\n", ret );
+ goto exit;
+ }
+
+ printf( " ok\n . Exporting the value in dh_prime.txt..." );
+ fflush( stdout );
+
+ if( ( fout = fopen( "dh_prime.txt", "wb+" ) ) == NULL )
+ {
+ ret = 1;
+ printf( " failed\n ! Could not create dh_prime.txt\n\n" );
+ goto exit;
+ }
+
+ if( ( ret = mpi_write_file( "P = ", &P, 16, fout ) != 0 ) ||
+ ( ret = mpi_write_file( "G = ", &G, 16, fout ) != 0 ) )
+ {
+ printf( " failed\n ! mpi_write_file returned %d\n\n", ret );
+ goto exit;
+ }
+
+ printf( " ok\n\n" );
+ fclose( fout );
+
+exit:
+
+ mpi_free( &Q, &P, &G, NULL );
+#else
+ printf( "\n ! Prime-number generation is not available.\n\n" );
+#endif
+
+#ifdef WIN32
+ printf( " Press Enter to exit this program.\n" );
+ fflush( stdout ); getchar();
+#endif
+
+ return( ret );
+}
diff --git a/programs/pkey/dh_prime.txt b/programs/pkey/dh_prime.txt
new file mode 100644
index 0000000..e62c279
--- /dev/null
+++ b/programs/pkey/dh_prime.txt
@@ -0,0 +1,2 @@
+P = C3CF8BCFD9E88B0CC35EC526F3D63FA001DC9392E6CA81F3B414173955C582758B52038FAFBF402B8C29DC32F5231B0D2E25B252850C7DCDBFF46D0E7989E51DEA07A53BCF7947D4C95EBA28F9CBAFB0267EC3BCF57B15A49964236B56773851D6621E546F410D504F13827218CD14A1FDB69522DC72DD67D880E51B2E00894F
+G = 04
diff --git a/programs/pkey/dh_server.c b/programs/pkey/dh_server.c
new file mode 100644
index 0000000..4990dcf
--- /dev/null
+++ b/programs/pkey/dh_server.c
@@ -0,0 +1,252 @@
+/*
+ * Diffie-Hellman-Merkle key exchange (server side)
+ *
+ * Copyright (C) 2006-2007 Christophe Devine
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _CRT_SECURE_NO_DEPRECATE
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+#include <string.h>
+#include <stdio.h>
+
+#include "xyssl/net.h"
+#include "xyssl/aes.h"
+#include "xyssl/dhm.h"
+#include "xyssl/rsa.h"
+#include "xyssl/sha1.h"
+#include "xyssl/havege.h"
+
+#define SERVER_PORT 11999
+#define PLAINTEXT "==Hello there!=="
+
+int main( void )
+{
+ FILE *f;
+
+ int ret, n, buflen;
+ int listen_fd = -1;
+ int client_fd = -1;
+
+ unsigned char buf[1024];
+ unsigned char hash[20];
+ unsigned char buf2[2];
+
+ havege_state hs;
+ rsa_context rsa;
+ dhm_context dhm;
+ aes_context aes;
+
+ memset( &rsa, 0, sizeof( rsa ) );
+ memset( &dhm, 0, sizeof( dhm ) );
+
+ /*
+ * 1. Setup the RNG
+ */
+ printf( "\n . Seeding the random number generator" );
+ fflush( stdout );
+
+ havege_init( &hs );
+
+ /*
+ * 2a. Read the server's private RSA key
+ */
+ printf( "\n . Reading private key from rsa_priv.txt" );
+ fflush( stdout );
+
+ if( ( f = fopen( "rsa_priv.txt", "rb" ) ) == NULL )
+ {
+ ret = 1;
+ printf( " failed\n ! Could not open rsa_priv.txt\n" \
+ " ! Please run rsa_genkey first\n\n" );
+ goto exit;
+ }
+
+ rsa_init( &rsa, RSA_PKCS_V15, 0, NULL, NULL );
+
+ if( ( ret = mpi_read_file( &rsa.N , 16, f ) ) != 0 ||
+ ( ret = mpi_read_file( &rsa.E , 16, f ) ) != 0 ||
+ ( ret = mpi_read_file( &rsa.D , 16, f ) ) != 0 ||
+ ( ret = mpi_read_file( &rsa.P , 16, f ) ) != 0 ||
+ ( ret = mpi_read_file( &rsa.Q , 16, f ) ) != 0 ||
+ ( ret = mpi_read_file( &rsa.DP, 16, f ) ) != 0 ||
+ ( ret = mpi_read_file( &rsa.DQ, 16, f ) ) != 0 ||
+ ( ret = mpi_read_file( &rsa.QP, 16, f ) ) != 0 )
+ {
+ printf( " failed\n ! mpi_read_file returned %d\n\n", ret );
+ goto exit;
+ }
+
+ rsa.len = ( mpi_msb( &rsa.N ) + 7 ) >> 3;
+
+ fclose( f );
+
+ /*
+ * 2b. Get the DHM modulus and generator
+ */
+ printf( "\n . Reading DH parameters from dh_prime.txt" );
+ fflush( stdout );
+
+ if( ( f = fopen( "dh_prime.txt", "rb" ) ) == NULL )
+ {
+ ret = 1;
+ printf( " failed\n ! Could not open dh_prime.txt\n" \
+ " ! Please run dh_genprime first\n\n" );
+ goto exit;
+ }
+
+ if( mpi_read_file( &dhm.P, 16, f ) != 0 ||
+ mpi_read_file( &dhm.G, 16, f ) != 0 )
+ {
+ printf( " failed\n ! Invalid DH parameter file\n\n" );
+ goto exit;
+ }
+
+ fclose( f );
+
+ /*
+ * 3. Wait for a client to connect
+ */
+ printf( "\n . Waiting for a remote connection" );
+ fflush( stdout );
+
+ if( ( ret = net_bind( &listen_fd, NULL, SERVER_PORT ) ) != 0 )
+ {
+ printf( " failed\n ! net_bind returned %d\n\n", ret );
+ goto exit;
+ }
+
+ if( ( ret = net_accept( listen_fd, &client_fd, NULL ) ) != 0 )
+ {
+ printf( " failed\n ! net_accept returned %d\n\n", ret );
+ goto exit;
+ }
+
+ /*
+ * 4. Setup the DH parameters (P,G,Ys)
+ */
+ printf( "\n . Sending the server's DH parameters" );
+ fflush( stdout );
+
+ memset( buf, 0, sizeof( buf ) );
+
+ if( ( ret = dhm_make_params( &dhm, 256, buf, &n,
+ havege_rand, &hs ) ) != 0 )
+ {
+ printf( " failed\n ! dhm_make_params returned %d\n\n", ret );
+ goto exit;
+ }
+
+ /*
+ * 5. Sign the parameters and send them
+ */
+ sha1( buf, n, hash );
+
+ buf[n ] = (unsigned char)( rsa.len >> 8 );
+ buf[n + 1] = (unsigned char)( rsa.len );
+
+ if( ( ret = rsa_pkcs1_sign( &rsa, RSA_PRIVATE, RSA_SHA1,
+ 0, hash, buf + n + 2 ) ) != 0 )
+ {
+ printf( " failed\n ! rsa_pkcs1_sign returned %d\n\n", ret );
+ goto exit;
+ }
+
+ buflen = n + 2 + rsa.len;
+ buf2[0] = (unsigned char)( buflen >> 8 );
+ buf2[1] = (unsigned char)( buflen );
+
+ if( ( ret = net_send( &client_fd, buf2, 2 ) ) != 2 ||
+ ( ret = net_send( &client_fd, buf, buflen ) ) != buflen )
+ {
+ printf( " failed\n ! net_send returned %d\n\n", ret );
+ goto exit;
+ }
+
+ /*
+ * 6. Get the client's public value: Yc = G ^ Xc mod P
+ */
+ printf( "\n . Receiving the client's public value" );
+ fflush( stdout );
+
+ memset( buf, 0, sizeof( buf ) );
+ n = dhm.len;
+
+ if( ( ret = net_recv( &client_fd, buf, n ) ) != n )
+ {
+ printf( " failed\n ! net_recv returned %d\n\n", ret );
+ goto exit;
+ }
+
+ if( ( ret = dhm_read_public( &dhm, buf, dhm.len ) ) != 0 )
+ {
+ printf( " failed\n ! dhm_read_public returned %d\n\n", ret );
+ goto exit;
+ }
+
+ /*
+ * 7. Derive the shared secret: K = Ys ^ Xc mod P
+ */
+ printf( "\n . Shared secret: " );
+ fflush( stdout );
+
+ if( ( ret = dhm_calc_secret( &dhm, buf, &n ) ) != 0 )
+ {
+ printf( " failed\n ! dhm_calc_secret returned %d\n\n", ret );
+ goto exit;
+ }
+
+ for( n = 0; n < 16; n++ )
+ printf( "%02x", buf[n] );
+
+ /*
+ * 8. Setup the AES-256 encryption key
+ *
+ * This is an overly simplified example; best practice is
+ * to hash the shared secret with a random value to derive
+ * the keying material for the encryption/decryption keys
+ * and MACs.
+ */
+ printf( "...\n . Encrypting and sending the ciphertext" );
+ fflush( stdout );
+
+ aes_setkey_enc( &aes, buf, 256 );
+ memcpy( buf, PLAINTEXT, 16 );
+ aes_crypt_ecb( &aes, AES_ENCRYPT, buf, buf );
+
+ if( ( ret = net_send( &client_fd, buf, 16 ) ) != 16 )
+ {
+ printf( " failed\n ! net_send returned %d\n\n", ret );
+ goto exit;
+ }
+
+ printf( "\n\n" );
+
+exit:
+
+ net_close( client_fd );
+ rsa_free( &rsa );
+ dhm_free( &dhm );
+
+#ifdef WIN32
+ printf( " + Press Enter to exit this program.\n" );
+ fflush( stdout ); getchar();
+#endif
+
+ return( ret );
+}
diff --git a/programs/pkey/mpi_demo.c b/programs/pkey/mpi_demo.c
new file mode 100644
index 0000000..699fa5a
--- /dev/null
+++ b/programs/pkey/mpi_demo.c
@@ -0,0 +1,76 @@
+/*
+ * Simple MPI demonstration program
+ *
+ * Copyright (C) 2006-2007 Christophe Devine
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _CRT_SECURE_NO_DEPRECATE
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+#include <stdio.h>
+
+#include "xyssl/bignum.h"
+
+int main( void )
+{
+ mpi E, P, Q, N, H, D, X, Y, Z;
+
+ mpi_init( &E, &P, &Q, &N, &H,
+ &D, &X, &Y, &Z, NULL );
+
+ mpi_read_string( &P, 10, "2789" );
+ mpi_read_string( &Q, 10, "3203" );
+ mpi_read_string( &E, 10, "257" );
+ mpi_mul_mpi( &N, &P, &Q );
+
+ printf( "\n Public key:\n\n" );
+ mpi_write_file( " N = ", &N, 10, NULL );
+ mpi_write_file( " E = ", &E, 10, NULL );
+
+ printf( "\n Private key:\n\n" );
+ mpi_write_file( " P = ", &P, 10, NULL );
+ mpi_write_file( " Q = ", &Q, 10, NULL );
+
+ mpi_sub_int( &P, &P, 1 );
+ mpi_sub_int( &Q, &Q, 1 );
+ mpi_mul_mpi( &H, &P, &Q );
+ mpi_inv_mod( &D, &E, &H );
+
+ mpi_write_file( " D = E^-1 mod (P-1)*(Q-1) = ",
+ &D, 10, NULL );
+
+ mpi_read_string( &X, 10, "55555" );
+ mpi_exp_mod( &Y, &X, &E, &N, NULL );
+ mpi_exp_mod( &Z, &Y, &D, &N, NULL );
+
+ printf( "\n RSA operation:\n\n" );
+ mpi_write_file( " X (plaintext) = ", &X, 10, NULL );
+ mpi_write_file( " Y (ciphertext) = X^E mod N = ", &Y, 10, NULL );
+ mpi_write_file( " Z (decrypted) = Y^D mod N = ", &Z, 10, NULL );
+ printf( "\n" );
+
+ mpi_free( &Z, &Y, &X, &D, &H,
+ &N, &Q, &P, &E, NULL );
+
+#ifdef WIN32
+ printf( " Press Enter to exit this program.\n" );
+ fflush( stdout ); getchar();
+#endif
+
+ return( 0 );
+}
diff --git a/programs/pkey/rsa_genkey.c b/programs/pkey/rsa_genkey.c
new file mode 100644
index 0000000..0619f15
--- /dev/null
+++ b/programs/pkey/rsa_genkey.c
@@ -0,0 +1,130 @@
+/*
+ * Example RSA key generation program
+ *
+ * Copyright (C) 2006-2007 Christophe Devine
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _CRT_SECURE_NO_DEPRECATE
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+#include <stdio.h>
+
+#include "xyssl/havege.h"
+#include "xyssl/bignum.h"
+#include "xyssl/x509.h"
+#include "xyssl/rsa.h"
+
+#define KEY_SIZE 1024
+#define EXPONENT 65537
+
+int main( void )
+{
+ int ret;
+ rsa_context rsa;
+ havege_state hs;
+ FILE *fpub = NULL;
+ FILE *fpriv = NULL;
+ x509_raw cert;
+
+ printf( "\n . Seeding the random number generator..." );
+ fflush( stdout );
+
+ havege_init( &hs );
+
+ printf( " ok\n . Generating the RSA key [ %d-bit ]...", KEY_SIZE );
+ fflush( stdout );
+
+ rsa_init( &rsa, RSA_PKCS_V15, 0, havege_rand, &hs );
+
+ if( ( ret = rsa_gen_key( &rsa, KEY_SIZE, EXPONENT ) ) != 0 )
+ {
+ printf( " failed\n ! rsa_gen_key returned %d\n\n", ret );
+ goto exit;
+ }
+
+ printf( " ok\n . Exporting the public key in rsa_pub.txt...." );
+ fflush( stdout );
+
+ if( ( fpub = fopen( "rsa_pub.txt", "wb+" ) ) == NULL )
+ {
+ printf( " failed\n ! could not open rsa_pub.txt for writing\n\n" );
+ ret = 1;
+ goto exit;
+ }
+
+ if( ( ret = mpi_write_file( "N = ", &rsa.N, 16, fpub ) ) != 0 ||
+ ( ret = mpi_write_file( "E = ", &rsa.E, 16, fpub ) ) != 0 )
+ {
+ printf( " failed\n ! mpi_write_file returned %d\n\n", ret );
+ goto exit;
+ }
+
+ printf( " ok\n . Exporting the private key in rsa_priv.txt..." );
+ fflush( stdout );
+
+ if( ( fpriv = fopen( "rsa_priv.txt", "wb+" ) ) == NULL )
+ {
+ printf( " failed\n ! could not open rsa_priv.txt for writing\n" );
+ ret = 1;
+ goto exit;
+ }
+
+ if( ( ret = mpi_write_file( "N = " , &rsa.N , 16, fpriv ) ) != 0 ||
+ ( ret = mpi_write_file( "E = " , &rsa.E , 16, fpriv ) ) != 0 ||
+ ( ret = mpi_write_file( "D = " , &rsa.D , 16, fpriv ) ) != 0 ||
+ ( ret = mpi_write_file( "P = " , &rsa.P , 16, fpriv ) ) != 0 ||
+ ( ret = mpi_write_file( "Q = " , &rsa.Q , 16, fpriv ) ) != 0 ||
+ ( ret = mpi_write_file( "DP = ", &rsa.DP, 16, fpriv ) ) != 0 ||
+ ( ret = mpi_write_file( "DQ = ", &rsa.DQ, 16, fpriv ) ) != 0 ||
+ ( ret = mpi_write_file( "QP = ", &rsa.QP, 16, fpriv ) ) != 0 )
+ {
+ printf( " failed\n ! mpi_write_file returned %d\n\n", ret );
+ goto exit;
+ }
+/*
+ printf( " ok\n . Generating the certificate..." );
+
+ x509write_init_raw( &cert );
+ x509write_add_pubkey( &cert, &rsa );
+ x509write_add_subject( &cert, "CN='localhost'" );
+ x509write_add_validity( &cert, "2007-09-06 17:00:32",
+ "2010-09-06 17:00:32" );
+ x509write_create_selfsign( &cert, &rsa );
+ x509write_crtfile( &cert, "cert.der", X509_OUTPUT_DER );
+ x509write_crtfile( &cert, "cert.pem", X509_OUTPUT_PEM );
+ x509write_free_raw( &cert );
+*/
+ printf( " ok\n\n" );
+
+exit:
+
+ if( fpub != NULL )
+ fclose( fpub );
+
+ if( fpriv != NULL )
+ fclose( fpriv );
+
+ rsa_free( &rsa );
+
+#ifdef WIN32
+ printf( " Press Enter to exit this program.\n" );
+ fflush( stdout ); getchar();
+#endif
+
+ return( ret );
+}
diff --git a/programs/pkey/rsa_priv.txt b/programs/pkey/rsa_priv.txt
new file mode 100644
index 0000000..06b2e4d
--- /dev/null
+++ b/programs/pkey/rsa_priv.txt
@@ -0,0 +1,8 @@
+N = 807E3526556FADF8D4CA64074ADA36862646D5ECB24E363821306588722AF2B58058CFB88E8C0BEA5C7084F3055D232F110E59C8837A0D132A4B907E91DB4A4924134A85E7445935E55A772C0B72E12C94501D9DF66B71BA030F842531721AEF43AE48F9505BF7504CDEEA3CAA6F94530835648D770AE2E6C628DD484D10AA57
+E = 010001
+D = 56B3D2AD612D10993D0CAC5E7755B340E6071A46B3322F47C4AD6175A683F06E2482C8F761C88229CBE268F38B0503BEB8A59453C6D3CE8AC6196310E4DEB1CA939DF7F7EE26C4697EEDD1E5122795BFC83861DE2E3EC9E3E84F42B3A9DD25EB09B30FDDFFACCE5091493BC5577530CE9CD9C8BA244EC5FD3DF91BCECFD73961
+P = F8DAD6A5651CED9011D979A076D70C4FBD095AAE2E53EF51415832C63AD61618F0BB369F29D1363345FE481FE6C28F0830FE33A1C41F8743A4E02DD682A2E099
+Q = 842EABF3171F972DE7D6B571B70F969F8F1C305851785BB042CDAE3B794014659A744EA7D16D881B7168463CEEAF52BA0F78755BBE89CFE1361076CE3E20886F
+DP = B1C694047FE1548CD1538D21E703E595A933DF86032E8F0E7B21E8D3D8004CB4F074ADA6B296F4A35863395F20D8E8992F76C9A7CC95C169BF852EF9C9455631
+DQ = 143C54E49D289FEB4E2FC78D461A23D3FF83B03F0511E8EF7DFAA0EEC7EC3073318716B7884F3D63FE239985208144A7E950669F09F76D14AC432EFCF9F3DF0F
+QP = C2F98F412476BDA2B14F5882D929090C62BB24ED74E8B78A3BE287EABDB3FADC445D041F1DE04EBE2D39A8913DAF03C23FF632D1B3FB6CCBDD65B2A576F127F5
diff --git a/programs/pkey/rsa_pub.txt b/programs/pkey/rsa_pub.txt
new file mode 100644
index 0000000..dddb25c
--- /dev/null
+++ b/programs/pkey/rsa_pub.txt
@@ -0,0 +1,2 @@
+N = 807E3526556FADF8D4CA64074ADA36862646D5ECB24E363821306588722AF2B58058CFB88E8C0BEA5C7084F3055D232F110E59C8837A0D132A4B907E91DB4A4924134A85E7445935E55A772C0B72E12C94501D9DF66B71BA030F842531721AEF43AE48F9505BF7504CDEEA3CAA6F94530835648D770AE2E6C628DD484D10AA57
+E = 010001
diff --git a/programs/pkey/rsa_sign.c b/programs/pkey/rsa_sign.c
new file mode 100644
index 0000000..0e7077e
--- /dev/null
+++ b/programs/pkey/rsa_sign.c
@@ -0,0 +1,130 @@
+/*
+ * RSA/SHA-1 signature creation program
+ *
+ * Copyright (C) 2006-2007 Christophe Devine
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _CRT_SECURE_NO_DEPRECATE
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+#include <string.h>
+#include <stdio.h>
+
+#include "xyssl/rsa.h"
+#include "xyssl/sha1.h"
+
+int main( int argc, char *argv[] )
+{
+ FILE *f;
+ int ret, i;
+ rsa_context rsa;
+ unsigned char hash[20];
+ unsigned char buf[512];
+
+ ret = 1;
+
+ if( argc != 2 )
+ {
+ printf( "usage: rsa_sign <filename>\n" );
+
+#ifdef WIN32
+ printf( "\n" );
+#endif
+
+ goto exit;
+ }
+
+ printf( "\n . Reading private key from rsa_priv.txt" );
+ fflush( stdout );
+
+ if( ( f = fopen( "rsa_priv.txt", "rb" ) ) == NULL )
+ {
+ ret = 1;
+ printf( " failed\n ! Could not open rsa_priv.txt\n" \
+ " ! Please run rsa_genkey first\n\n" );
+ goto exit;
+ }
+
+ rsa_init( &rsa, RSA_PKCS_V15, 0, NULL, NULL );
+
+ if( ( ret = mpi_read_file( &rsa.N , 16, f ) ) != 0 ||
+ ( ret = mpi_read_file( &rsa.E , 16, f ) ) != 0 ||
+ ( ret = mpi_read_file( &rsa.D , 16, f ) ) != 0 ||
+ ( ret = mpi_read_file( &rsa.P , 16, f ) ) != 0 ||
+ ( ret = mpi_read_file( &rsa.Q , 16, f ) ) != 0 ||
+ ( ret = mpi_read_file( &rsa.DP, 16, f ) ) != 0 ||
+ ( ret = mpi_read_file( &rsa.DQ, 16, f ) ) != 0 ||
+ ( ret = mpi_read_file( &rsa.QP, 16, f ) ) != 0 )
+ {
+ printf( " failed\n ! mpi_read_file returned %d\n\n", ret );
+ goto exit;
+ }
+
+ rsa.len = ( mpi_msb( &rsa.N ) + 7 ) >> 3;
+
+ fclose( f );
+
+ /*
+ * Compute the SHA-1 hash of the input file,
+ * then calculate the RSA signature of the hash.
+ */
+ printf( "\n . Generating the RSA/SHA-1 signature" );
+ fflush( stdout );
+
+ if( ( ret = sha1_file( argv[1], hash ) ) != 0 )
+ {
+ printf( " failed\n ! Could not open or read %s\n\n", argv[1] );
+ goto exit;
+ }
+
+ if( ( ret = rsa_pkcs1_sign( &rsa, RSA_PRIVATE, RSA_SHA1,
+ 20, hash, buf ) ) != 0 )
+ {
+ printf( " failed\n ! rsa_pkcs1_sign returned %d\n\n", ret );
+ goto exit;
+ }
+
+ /*
+ * Write the signature into <filename>-sig.txt
+ */
+ memcpy( argv[1] + strlen( argv[1] ), ".sig", 5 );
+
+ if( ( f = fopen( argv[1], "wb+" ) ) == NULL )
+ {
+ ret = 1;
+ printf( " failed\n ! Could not create %s\n\n", argv[1] );
+ goto exit;
+ }
+
+ for( i = 0; i < rsa.len; i++ )
+ fprintf( f, "%02X%s", buf[i],
+ ( i + 1 ) % 16 == 0 ? "\r\n" : " " );
+
+ fclose( f );
+
+ printf( "\n . Done (created \"%s\")\n\n", argv[1] );
+
+exit:
+
+#ifdef WIN32
+ printf( " + Press Enter to exit this program.\n" );
+ fflush( stdout ); getchar();
+#endif
+
+ return( ret );
+}
diff --git a/programs/pkey/rsa_verify.c b/programs/pkey/rsa_verify.c
new file mode 100644
index 0000000..aacc664
--- /dev/null
+++ b/programs/pkey/rsa_verify.c
@@ -0,0 +1,133 @@
+/*
+ * RSA/SHA-1 signature verification program
+ *
+ * Copyright (C) 2006-2007 Christophe Devine
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _CRT_SECURE_NO_DEPRECATE
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+#include <string.h>
+#include <stdio.h>
+
+#include "xyssl/rsa.h"
+#include "xyssl/sha1.h"
+
+int main( int argc, char *argv[] )
+{
+ FILE *f;
+ int ret, i, c;
+ rsa_context rsa;
+ unsigned char hash[20];
+ unsigned char buf[512];
+
+ ret = 1;
+ if( argc != 2 )
+ {
+ printf( "usage: rsa_verify <filename>\n" );
+
+#ifdef WIN32
+ printf( "\n" );
+#endif
+
+ goto exit;
+ }
+
+ printf( "\n . Reading public key from rsa_pub.txt" );
+ fflush( stdout );
+
+ if( ( f = fopen( "rsa_pub.txt", "rb" ) ) == NULL )
+ {
+ printf( " failed\n ! Could not open rsa_pub.txt\n" \
+ " ! Please run rsa_genkey first\n\n" );
+ goto exit;
+ }
+
+ rsa_init( &rsa, RSA_PKCS_V15, 0, NULL, NULL );
+
+ if( ( ret = mpi_read_file( &rsa.N, 16, f ) ) != 0 ||
+ ( ret = mpi_read_file( &rsa.E, 16, f ) ) != 0 )
+ {
+ printf( " failed\n ! mpi_read_file returned %d\n\n", ret );
+ goto exit;
+ }
+
+ rsa.len = ( mpi_msb( &rsa.N ) + 7 ) >> 3;
+
+ fclose( f );
+
+ /*
+ * Extract the RSA signature from the text file
+ */
+ ret = 1;
+ i = strlen( argv[1] );
+ memcpy( argv[1] + i, ".sig", 5 );
+
+ if( ( f = fopen( argv[1], "rb" ) ) == NULL )
+ {
+ printf( "\n ! Could not open %s\n\n", argv[1] );
+ goto exit;
+ }
+
+ argv[1][i] = '\0', i = 0;
+
+ while( fscanf( f, "%02X", &c ) > 0 &&
+ i < (int) sizeof( buf ) )
+ buf[i++] = (unsigned char) c;
+
+ fclose( f );
+
+ if( i != rsa.len )
+ {
+ printf( "\n ! Invalid RSA signature format\n\n" );
+ goto exit;
+ }
+
+ /*
+ * Compute the SHA-1 hash of the input file and compare
+ * it with the hash decrypted from the RSA signature.
+ */
+ printf( "\n . Verifying the RSA/SHA-1 signature" );
+ fflush( stdout );
+
+ if( ( ret = sha1_file( argv[1], hash ) ) != 0 )
+ {
+ printf( " failed\n ! Could not open or read %s\n\n", argv[1] );
+ goto exit;
+ }
+
+ if( ( ret = rsa_pkcs1_verify( &rsa, RSA_PUBLIC, RSA_SHA1,
+ 20, hash, buf ) ) != 0 )
+ {
+ printf( " failed\n ! rsa_pkcs1_verify returned %d\n\n", ret );
+ goto exit;
+ }
+
+ printf( "\n . OK (the decrypted SHA-1 hash matches)\n\n" );
+
+ ret = 0;
+
+exit:
+
+#ifdef WIN32
+ printf( " + Press Enter to exit this program.\n" );
+ fflush( stdout ); getchar();
+#endif
+
+ return( ret );
+}
diff --git a/programs/ssl/CA-HOWTO.txt b/programs/ssl/CA-HOWTO.txt
new file mode 100644
index 0000000..6f05211
--- /dev/null
+++ b/programs/ssl/CA-HOWTO.txt
@@ -0,0 +1,144 @@
+
+
+
+ How to setup your own Certificate Authority
+ ===========================================
+
+
+Note: this howto requires the openssl binary, as well as classic
+UNIX tools (cat, touch, echo). If you use Windows, please consider
+installing Cygwin -- see http://cygwin.com/
+
+
+ 1. Configure OpenSSL
+ --------------------
+
+First of all, create sslconf.txt in the current directory
+(a basic example is provided at the end of this file).
+
+cat > sslconf.txt <<"EOF"
+[paste contents here]
+EOF
+
+Then you need to create the database and a starting serial number:
+
+touch index
+echo "01" > serial
+mkdir newcerts
+
+
+ 2. Generate the CA certificate
+ ------------------------------
+
+openssl req -config sslconf.txt -days 3653 -x509 -newkey rsa:2048 \
+ -set_serial 0 -text -keyout test-ca.key -out test-ca.crt
+
+
+ 3. Generate the private keys and certificate requests
+ -----------------------------------------------------
+
+openssl genrsa -out server1.key 2048
+openssl genrsa -out server2.key 2048
+openssl genrsa -out client1.key 2048
+openssl genrsa -out client2.key 2048
+
+openssl req -config sslconf.txt -new -key server1.key -out server1.req
+openssl req -config sslconf.txt -new -key server2.key -out server2.req
+openssl req -config sslconf.txt -new -key client1.key -out client1.req
+openssl req -config sslconf.txt -new -key client2.key -out client2.req
+
+
+ 4. Issue and sign the certificates
+ ----------------------------------
+
+openssl ca -config sslconf.txt -in server1.req -out server1.crt
+openssl ca -config sslconf.txt -in server2.req -out server2.crt
+openssl ca -config sslconf.txt -in client1.req -out client1.crt
+openssl ca -config sslconf.txt -in client2.req -out client2.crt
+
+
+ 5. To revoke a certificate and update the CRL
+ ---------------------------------------------
+
+openssl ca -config sslconf.txt -revoke server1.crt
+openssl ca -config sslconf.txt -revoke client1.crt
+openssl ca -config sslconf.txt -gencrl -out crl.pem
+
+
+ 6. To display a certificate and verify its validity
+ ---------------------------------------------------
+
+openssl x509 -in server2.crt -text -noout
+cat test-ca.crt crl.pem > ca_crl.pem
+openssl verify -CAfile ca_crl.pem -crl_check server2.crt
+rm ca_crl.pem
+
+
+ 7. To export a certificate into a .pfx file
+ -------------------------------------------
+
+openssl pkcs12 -export -in client2.crt -inkey client2.key \
+ -out client2.pfx
+
+
+##================================================================
+##============== Example OpenSSL configuration file ==============
+##================================================================
+
+# References:
+#
+# /etc/ssl/openssl.conf
+# http://www.openssl.org/docs/apps/config.html
+# http://www.openssl.org/docs/apps/x509v3_config.html
+
+[ ca ]
+default_ca = my_ca
+
+[ my_ca ]
+certificate = test-ca.crt
+private_key = test-ca.key
+database = index
+serial = serial
+
+new_certs_dir = newcerts
+default_crl_days = 60
+default_days = 730
+default_md = sha1
+policy = my_policy
+x509_extensions = v3_usr
+
+[ my_policy ]
+countryName = optional
+stateOrProvinceName = optional
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+distinguished_name = my_req_dn
+x509_extensions = v3_ca
+
+[ my_req_dn ]
+countryName = Country Name..............
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = State or Province Name....
+localityName = Locality Name.............
+0.organizationName = Organization Name.........
+organizationalUnitName = Org. Unit Name............
+commonName = Common Name (required)....
+commonName_max = 64
+emailAddress = Email Address.............
+emailAddress_max = 64
+
+[ v3_ca ]
+basicConstraints = CA:TRUE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
+[ v3_usr ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+
diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c
new file mode 100644
index 0000000..e752d87
--- /dev/null
+++ b/programs/ssl/ssl_client1.c
@@ -0,0 +1,172 @@
+/*
+ * SSL client demonstration program
+ *
+ * Copyright (C) 2006-2007 Christophe Devine
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _CRT_SECURE_NO_DEPRECATE
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+#include <string.h>
+#include <stdio.h>
+
+#include "xyssl/net.h"
+#include "xyssl/ssl.h"
+#include "xyssl/havege.h"
+
+#define SERVER_PORT 443
+/*
+#define SERVER_NAME "localhost"
+#define GET_REQUEST "GET / HTTP/1.0\r\n\r\n"
+*/
+#define SERVER_NAME "xyssl.org"
+#define GET_REQUEST \
+ "GET /hello/ HTTP/1.1\r\n" \
+ "Host: xyssl.org\r\n\r\n"
+
+#define DEBUG_LEVEL 0
+
+void my_debug( void *ctx, int level, char *str )
+{
+ if( level < DEBUG_LEVEL )
+ {
+ fprintf( (FILE *) ctx, "%s", str );
+ fflush( (FILE *) ctx );
+ }
+}
+
+int main( void )
+{
+ int ret, len, server_fd;
+ unsigned char buf[1024];
+ havege_state hs;
+ ssl_context ssl;
+ ssl_session ssn;
+
+ /*
+ * 0. Initialize the RNG and the session data
+ */
+ havege_init( &hs );
+ memset( &ssn, 0, sizeof( ssl_session ) );
+
+ /*
+ * 1. Start the connection
+ */
+ printf( "\n . Connecting to tcp/%s/%4d...", SERVER_NAME,
+ SERVER_PORT );
+ fflush( stdout );
+
+ if( ( ret = net_connect( &server_fd, SERVER_NAME,
+ SERVER_PORT ) ) != 0 )
+ {
+ printf( " failed\n ! net_connect returned %d\n\n", ret );
+ goto exit;
+ }
+
+ printf( " ok\n" );
+
+ /*
+ * 2. Setup stuff
+ */
+ printf( " . Setting up the SSL/TLS structure..." );
+ fflush( stdout );
+
+ if( ( ret = ssl_init( &ssl ) ) != 0 )
+ {
+ printf( " failed\n ! ssl_init returned %d\n\n", ret );
+ goto exit;
+ }
+
+ printf( " ok\n" );
+
+ ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
+ ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
+
+ ssl_set_rng( &ssl, havege_rand, &hs );
+ ssl_set_dbg( &ssl, my_debug, stdout );
+ ssl_set_bio( &ssl, net_recv, &server_fd,
+ net_send, &server_fd );
+
+ ssl_set_ciphers( &ssl, ssl_default_ciphers );
+ ssl_set_session( &ssl, 1, 600, &ssn );
+
+ /*
+ * 3. Write the GET request
+ */
+ printf( " > Write to server:" );
+ fflush( stdout );
+
+ len = sprintf( (char *) buf, GET_REQUEST );
+
+ while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 )
+ {
+ if( ret != XYSSL_ERR_NET_TRY_AGAIN )
+ {
+ printf( " failed\n ! ssl_write returned %d\n\n", ret );
+ goto exit;
+ }
+ }
+
+ len = ret;
+ printf( " %d bytes written\n\n%s", len, (char *) buf );
+
+ /*
+ * 7. Read the HTTP response
+ */
+ printf( " < Read from server:" );
+ fflush( stdout );
+
+ do
+ {
+ len = sizeof( buf ) - 1;
+ memset( buf, 0, sizeof( buf ) );
+ ret = ssl_read( &ssl, buf, len );
+
+ if( ret == XYSSL_ERR_NET_TRY_AGAIN )
+ continue;
+
+ if( ret == XYSSL_ERR_SSL_PEER_CLOSE_NOTIFY )
+ break;
+
+ if( ret <= 0 )
+ {
+ printf( "failed\n ! ssl_read returned %d\n\n", ret );
+ break;
+ }
+
+ len = ret;
+ printf( " %d bytes read\n\n%s", len, (char *) buf );
+ }
+ while( 0 );
+
+ ssl_close_notify( &ssl );
+
+exit:
+
+ net_close( server_fd );
+ ssl_free( &ssl );
+
+ memset( &ssl, 0, sizeof( ssl ) );
+
+#ifdef WIN32
+ printf( " + Press Enter to exit this program.\n" );
+ fflush( stdout ); getchar();
+#endif
+
+ return( ret );
+}
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
new file mode 100644
index 0000000..a19c37b
--- /dev/null
+++ b/programs/ssl/ssl_client2.c
@@ -0,0 +1,283 @@
+/*
+ * SSL client with certificate authentication
+ *
+ * Copyright (C) 2006-2007 Christophe Devine
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _CRT_SECURE_NO_DEPRECATE
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+#include <string.h>
+#include <stdio.h>
+
+#include "xyssl/net.h"
+#include "xyssl/ssl.h"
+#include "xyssl/havege.h"
+#include "xyssl/certs.h"
+#include "xyssl/x509.h"
+
+#define SERVER_PORT 443
+/*
+#define SERVER_NAME "localhost"
+#define GET_REQUEST "GET / HTTP/1.0\r\n\r\n"
+*/
+#define SERVER_NAME "xyssl.org"
+#define GET_REQUEST \
+ "GET /hello/ HTTP/1.1\r\n" \
+ "Host: xyssl.org\r\n\r\n"
+
+#define DEBUG_LEVEL 0
+
+void my_debug( void *ctx, int level, char *str )
+{
+ if( level < DEBUG_LEVEL )
+ {
+ fprintf( (FILE *) ctx, "%s", str );
+ fflush( (FILE *) ctx );
+ }
+}
+
+int main( void )
+{
+ int ret, len, server_fd;
+ unsigned char buf[1024];
+ havege_state hs;
+ ssl_context ssl;
+ ssl_session ssn;
+ x509_cert cacert;
+ x509_cert clicert;
+ rsa_context rsa;
+
+ /*
+ * 0. Initialize the RNG and the session data
+ */
+ havege_init( &hs );
+ memset( &ssn, 0, sizeof( ssl_session ) );
+
+ /*
+ * 1.1. Load the trusted CA
+ */
+ printf( "\n . Loading the CA root certificate ..." );
+ fflush( stdout );
+
+ memset( &cacert, 0, sizeof( x509_cert ) );
+
+ /*
+ * Alternatively, you may load the CA certificates from a .pem or
+ * .crt file by calling x509parse_crtfile( &cacert, "myca.crt" ).
+ */
+ ret = x509parse_crt( &cacert, (unsigned char *) xyssl_ca_crt,
+ strlen( xyssl_ca_crt ) );
+ if( ret != 0 )
+ {
+ printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
+ goto exit;
+ }
+
+ printf( " ok\n" );
+
+ /*
+ * 1.2. Load own certificate and private key
+ *
+ * (can be skipped if client authentication is not required)
+ */
+ printf( " . Loading the client cert. and key..." );
+ fflush( stdout );
+
+ memset( &clicert, 0, sizeof( x509_cert ) );
+
+ ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt,
+ strlen( test_cli_crt ) );
+ if( ret != 0 )
+ {
+ printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
+ goto exit;
+ }
+
+ ret = x509parse_key( &rsa, (unsigned char *) test_cli_key,
+ strlen( test_cli_key ), NULL, 0 );
+ if( ret != 0 )
+ {
+ printf( " failed\n ! x509parse_key returned %d\n\n", ret );
+ goto exit;
+ }
+
+ printf( " ok\n" );
+
+ /*
+ * 2. Start the connection
+ */
+ printf( " . Connecting to tcp/%s/%-4d...", SERVER_NAME,
+ SERVER_PORT );
+ fflush( stdout );
+
+ if( ( ret = net_connect( &server_fd, SERVER_NAME,
+ SERVER_PORT ) ) != 0 )
+ {
+ printf( " failed\n ! net_connect returned %d\n\n", ret );
+ goto exit;
+ }
+
+ printf( " ok\n" );
+
+ /*
+ * 3. Setup stuff
+ */
+ printf( " . Setting up the SSL/TLS structure..." );
+ fflush( stdout );
+
+ havege_init( &hs );
+
+ if( ( ret = ssl_init( &ssl ) ) != 0 )
+ {
+ printf( " failed\n ! ssl_init returned %d\n\n", ret );
+ goto exit;
+ }
+
+ printf( " ok\n" );
+
+ ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
+ ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
+
+ ssl_set_rng( &ssl, havege_rand, &hs );
+ ssl_set_bio( &ssl, net_recv, &server_fd,
+ net_send, &server_fd );
+
+ ssl_set_ciphers( &ssl, ssl_default_ciphers );
+ ssl_set_session( &ssl, 1, 600, &ssn );
+
+ ssl_set_ca_chain( &ssl, &cacert, SERVER_NAME );
+ ssl_set_own_cert( &ssl, &clicert, &rsa );
+
+ ssl_set_hostname( &ssl, SERVER_NAME );
+
+ /*
+ * 4. Handshake
+ */
+ printf( " . Performing the SSL/TLS handshake..." );
+ fflush( stdout );
+
+ while( ( ret = ssl_handshake( &ssl ) ) != 0 )
+ {
+ if( ret != XYSSL_ERR_NET_TRY_AGAIN )
+ {
+ printf( " failed\n ! ssl_handshake returned %d\n\n", ret );
+ goto exit;
+ }
+ }
+
+ printf( " ok\n [ Cipher is %s ]\n",
+ ssl_get_cipher( &ssl ) );
+
+ /*
+ * 5. Verify the server certificate
+ */
+ printf( " . Verifying peer X.509 certificate..." );
+
+ if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
+ {
+ printf( " failed\n" );
+
+ if( ( ret & BADCERT_EXPIRED ) != 0 )
+ printf( " ! server certificate has expired\n" );
+
+ if( ( ret & BADCERT_REVOKED ) != 0 )
+ printf( " ! server certificate has been revoked\n" );
+
+ if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
+ printf( " ! CN mismatch (expected CN=%s)\n", SERVER_NAME );
+
+ if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
+ printf( " ! self-signed or not signed by a trusted CA\n" );
+
+ printf( "\n" );
+ }
+ else
+ printf( " ok\n" );
+
+ printf( " . Peer certificate information ...\n" );
+ printf( x509parse_cert_info( " ", ssl.peer_cert ) );
+
+ /*
+ * 6. Write the GET request
+ */
+ printf( " > Write to server:" );
+ fflush( stdout );
+
+ len = sprintf( (char *) buf, GET_REQUEST );
+
+ while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 )
+ {
+ if( ret != XYSSL_ERR_NET_TRY_AGAIN )
+ {
+ printf( " failed\n ! ssl_write returned %d\n\n", ret );
+ goto exit;
+ }
+ }
+
+ len = ret;
+ printf( " %d bytes written\n\n%s", len, (char *) buf );
+
+ /*
+ * 7. Read the HTTP response
+ */
+ printf( " < Read from server:" );
+ fflush( stdout );
+
+ do
+ {
+ len = sizeof( buf ) - 1;
+ memset( buf, 0, sizeof( buf ) );
+ ret = ssl_read( &ssl, buf, len );
+
+ if( ret == XYSSL_ERR_NET_TRY_AGAIN )
+ continue;
+
+ if( ret == XYSSL_ERR_SSL_PEER_CLOSE_NOTIFY )
+ break;
+
+ if( ret <= 0 )
+ {
+ printf( "failed\n ! ssl_read returned %d\n\n", ret );
+ break;
+ }
+
+ len = ret;
+ printf( " %d bytes read\n\n%s", len, (char *) buf );
+ }
+ while( 0 );
+
+ ssl_close_notify( &ssl );
+
+exit:
+
+ net_close( server_fd );
+ x509_free( &clicert );
+ x509_free( &cacert );
+ rsa_free( &rsa );
+ ssl_free( &ssl );
+
+ memset( &ssl, 0, sizeof( ssl ) );
+
+#ifdef WIN32
+ printf( " + Press Enter to exit this program.\n" );
+ fflush( stdout ); getchar();
+#endif
+
+ return( ret );
+}
diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c
new file mode 100644
index 0000000..565fed2
--- /dev/null
+++ b/programs/ssl/ssl_server.c
@@ -0,0 +1,399 @@
+/*
+ * SSL server demonstration program
+ *
+ * Copyright (C) 2006-2007 Christophe Devine
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _CRT_SECURE_NO_DEPRECATE
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+#ifdef WIN32
+#include <windows.h>
+#endif
+
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#include "xyssl/havege.h"
+#include "xyssl/certs.h"
+#include "xyssl/x509.h"
+#include "xyssl/ssl.h"
+#include "xyssl/net.h"
+
+#define HTTP_RESPONSE \
+ "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n" \
+ "<h2><p><center>Successful connection using: %s\r\n"
+
+/*
+ * Computing a "safe" DH-1024 prime can take a very
+ * long time, so a precomputed value is provided below.
+ * You may run dh_genprime to generate a new value.
+ */
+char *my_dhm_P =
+ "E4004C1F94182000103D883A448B3F80" \
+ "2CE4B44A83301270002C20D0321CFD00" \
+ "11CCEF784C26A400F43DFB901BCA7538" \
+ "F2C6B176001CF5A0FD16D2C48B1D0C1C" \
+ "F6AC8E1DA6BCC3B4E1F96B0564965300" \
+ "FFA1D0B601EB2800F489AA512C4B248C" \
+ "01F76949A60BB7F00A40B1EAB64BDD48" \
+ "E8A700D60B7F1200FA8E77B0A979DABF";
+
+char *my_dhm_G = "4";
+
+/*
+ * Sorted by order of preference
+ */
+int my_ciphers[] =
+{
+ SSL_EDH_RSA_AES_256_SHA,
+ SSL_EDH_RSA_DES_168_SHA,
+ SSL_RSA_AES_256_SHA,
+ SSL_RSA_AES_128_SHA,
+ SSL_RSA_DES_168_SHA,
+ SSL_RSA_RC4_128_SHA,
+ SSL_RSA_RC4_128_MD5,
+ 0
+};
+
+#define DEBUG_LEVEL 0
+
+void my_debug( void *ctx, int level, char *str )
+{
+ if( level < DEBUG_LEVEL )
+ {
+ fprintf( (FILE *) ctx, "%s", str );
+ fflush( (FILE *) ctx );
+ }
+}
+
+/*
+ * These session callbacks use a simple chained list
+ * to store and retrieve the session information.
+ */
+ssl_session *s_list_1st = NULL;
+ssl_session *cur, *prv;
+
+static int my_get_session( ssl_context *ssl )
+{
+ time_t t = time( NULL );
+
+ if( ssl->resume == 0 )
+ return( 1 );
+
+ cur = s_list_1st;
+ prv = NULL;
+
+ while( cur != NULL )
+ {
+ prv = cur;
+ cur = cur->next;
+
+ if( ssl->timeout != 0 && t - prv->start > ssl->timeout )
+ continue;
+
+ if( ssl->session->cipher != prv->cipher ||
+ ssl->session->length != prv->length )
+ continue;
+
+ if( memcmp( ssl->session->id, prv->id, prv->length ) != 0 )
+ continue;
+
+ memcpy( ssl->session->master, prv->master, 48 );
+ return( 0 );
+ }
+
+ return( 1 );
+}
+
+static int my_set_session( ssl_context *ssl )
+{
+ time_t t = time( NULL );
+
+ cur = s_list_1st;
+ prv = NULL;
+
+ while( cur != NULL )
+ {
+ if( ssl->timeout != 0 && t - cur->start > ssl->timeout )
+ break; /* expired, reuse this slot */
+
+ if( memcmp( ssl->session->id, cur->id, cur->length ) == 0 )
+ break; /* client reconnected */
+
+ prv = cur;
+ cur = cur->next;
+ }
+
+ if( cur == NULL )
+ {
+ cur = (ssl_session *) malloc( sizeof( ssl_session ) );
+ if( cur == NULL )
+ return( 1 );
+
+ if( prv == NULL )
+ s_list_1st = cur;
+ else prv->next = cur;
+ }
+
+ memcpy( cur, ssl->session, sizeof( ssl_session ) );
+
+ return( 0 );
+}
+
+int main( void )
+{
+ int ret, len;
+ int listen_fd;
+ int client_fd;
+ unsigned char buf[1024];
+
+ havege_state hs;
+ ssl_context ssl;
+ ssl_session ssn;
+ x509_cert srvcert;
+ rsa_context rsa;
+
+ /*
+ * 1. Load the certificates and private RSA key
+ */
+ printf( "\n . Loading the server cert. and key..." );
+ fflush( stdout );
+
+ memset( &srvcert, 0, sizeof( x509_cert ) );
+
+ /*
+ * This demonstration program uses embedded test certificates.
+ * Instead, you may want to use x509parse_crtfile() to read the
+ * server and CA certificates, as well as x509parse_keyfile().
+ */
+ ret = x509parse_crt( &srvcert, (unsigned char *) test_srv_crt,
+ strlen( test_srv_crt ) );
+ if( ret != 0 )
+ {
+ printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
+ goto exit;
+ }
+
+ ret = x509parse_crt( &srvcert, (unsigned char *) test_ca_crt,
+ strlen( test_ca_crt ) );
+ if( ret != 0 )
+ {
+ printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
+ goto exit;
+ }
+
+ ret = x509parse_key( &rsa, (unsigned char *) test_srv_key,
+ strlen( test_srv_key ), NULL, 0 );
+ if( ret != 0 )
+ {
+ printf( " failed\n ! x509parse_key returned %d\n\n", ret );
+ goto exit;
+ }
+
+ printf( " ok\n" );
+
+ /*
+ * 2. Setup the listening TCP socket
+ */
+ printf( " . Bind on https://localhost:4433/ ..." );
+ fflush( stdout );
+
+ if( ( ret = net_bind( &listen_fd, NULL, 4433 ) ) != 0 )
+ {
+ printf( " failed\n ! net_bind returned %d\n\n", ret );
+ goto exit;
+ }
+
+ printf( " ok\n" );
+
+ /*
+ * 3. Wait until a client connects
+ */
+#ifdef WIN32
+ ShellExecute( NULL, "open", "https://localhost:4433/",
+ NULL, NULL, SW_SHOWNORMAL );
+#endif
+
+ client_fd = -1;
+ memset( &ssl, 0, sizeof( ssl ) );
+
+accept:
+
+ net_close( client_fd );
+ ssl_free( &ssl );
+
+ printf( " . Waiting for a remote connection ..." );
+ fflush( stdout );
+
+ if( ( ret = net_accept( listen_fd, &client_fd, NULL ) ) != 0 )
+ {
+ printf( " failed\n ! net_accept returned %d\n\n", ret );
+ goto exit;
+ }
+
+ printf( " ok\n" );
+
+ /*
+ * 4. Setup stuff
+ */
+ printf( " . Setting up the RNG and SSL data...." );
+ fflush( stdout );
+
+ havege_init( &hs );
+
+ if( ( ret = ssl_init( &ssl ) ) != 0 )
+ {
+ printf( " failed\n ! ssl_init returned %d\n\n", ret );
+ goto accept;
+ }
+
+ printf( " ok\n" );
+
+ ssl_set_endpoint( &ssl, SSL_IS_SERVER );
+ ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
+
+ ssl_set_rng( &ssl, havege_rand, &hs );
+ ssl_set_dbg( &ssl, my_debug, stdout );
+ ssl_set_bio( &ssl, net_recv, &client_fd,
+ net_send, &client_fd );
+ ssl_set_scb( &ssl, my_get_session,
+ my_set_session );
+
+ ssl_set_ciphers( &ssl, my_ciphers );
+ ssl_set_session( &ssl, 1, 0, &ssn );
+
+ memset( &ssn, 0, sizeof( ssl_session ) );
+
+ ssl_set_ca_chain( &ssl, srvcert.next, NULL );
+ ssl_set_own_cert( &ssl, &srvcert, &rsa );
+ ssl_set_dh_param( &ssl, my_dhm_P, my_dhm_G );
+
+ /*
+ * 5. Handshake
+ */
+ printf( " . Performing the SSL/TLS handshake..." );
+ fflush( stdout );
+
+ while( ( ret = ssl_handshake( &ssl ) ) != 0 )
+ {
+ if( ret != XYSSL_ERR_NET_TRY_AGAIN )
+ {
+ printf( " failed\n ! ssl_handshake returned %d\n\n", ret );
+ goto accept;
+ }
+ }
+
+ printf( " ok\n" );
+
+ /*
+ * 6. Read the HTTP Request
+ */
+ printf( " < Read from client:" );
+ fflush( stdout );
+
+ do
+ {
+ len = sizeof( buf ) - 1;
+ memset( buf, 0, sizeof( buf ) );
+ ret = ssl_read( &ssl, buf, len );
+
+ if( ret == XYSSL_ERR_NET_TRY_AGAIN )
+ continue;
+
+ if( ret <= 0 )
+ {
+ switch( ret )
+ {
+ case XYSSL_ERR_SSL_PEER_CLOSE_NOTIFY:
+ printf( " connection was closed gracefully\n" );
+ break;
+
+ case XYSSL_ERR_NET_CONN_RESET:
+ printf( " connection was reset by peer\n" );
+ break;
+
+ default:
+ printf( " ssl_read returned %d\n", ret );
+ break;
+ }
+
+ break;
+ }
+
+ len = ret;
+ printf( " %d bytes read\n\n%s", len, (char *) buf );
+ }
+ while( 0 );
+
+ /*
+ * 7. Write the 200 Response
+ */
+ printf( " > Write to client:" );
+ fflush( stdout );
+
+ len = sprintf( (char *) buf, HTTP_RESPONSE,
+ ssl_get_cipher( &ssl ) );
+
+ while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 )
+ {
+ if( ret == XYSSL_ERR_NET_CONN_RESET )
+ {
+ printf( " failed\n ! peer closed the connection\n\n" );
+ goto accept;
+ }
+
+ if( ret != XYSSL_ERR_NET_TRY_AGAIN )
+ {
+ printf( " failed\n ! ssl_write returned %d\n\n", ret );
+ goto exit;
+ }
+ }
+
+ len = ret;
+ printf( " %d bytes written\n\n%s\n", len, (char *) buf );
+
+ ssl_close_notify( &ssl );
+ goto accept;
+
+exit:
+
+ net_close( client_fd );
+ x509_free( &srvcert );
+ rsa_free( &rsa );
+ ssl_free( &ssl );
+
+ cur = s_list_1st;
+ while( cur != NULL )
+ {
+ prv = cur;
+ cur = cur->next;
+ memset( prv, 0, sizeof( ssl_session ) );
+ free( prv );
+ }
+
+ memset( &ssl, 0, sizeof( ssl_context ) );
+
+#ifdef WIN32
+ printf( " Press Enter to exit this program.\n" );
+ fflush( stdout ); getchar();
+#endif
+
+ return( ret );
+}
diff --git a/programs/ssl/test-ca/client1.crt b/programs/ssl/test-ca/client1.crt
new file mode 100644
index 0000000..679bbea
--- /dev/null
+++ b/programs/ssl/test-ca/client1.crt
@@ -0,0 +1,76 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 3 (0x3)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: O=XySSL, CN=XySSL Test CA
+ Validity
+ Not Before: Nov 29 19:50:42 2007 GMT
+ Not After : Nov 28 19:50:42 2009 GMT
+ Subject: O=XySSL, CN=Test User 1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:a7:2b:e9:c3:d5:68:7c:e7:4b:23:20:31:c8:0e:
+ be:9f:c8:e6:b6:a7:09:c5:59:67:ab:6d:e9:f3:7e:
+ b2:e7:3b:1c:99:28:33:e0:b8:e9:8b:ee:45:a3:de:
+ 91:f8:03:59:34:f1:b6:e0:b3:62:33:45:87:64:8e:
+ 59:d3:34:4f:f9:fb:3c:64:53:a2:f2:53:20:97:a3:
+ 2b:fe:6d:c4:f3:38:83:02:92:c8:cb:8f:9e:d9:d3:
+ 5e:87:36:ec:17:b3:50:5b:68:b7:03:04:e2:90:2f:
+ d4:0e:48:40:b1:ad:11:28:de:8a:a9:4c:df:20:05:
+ 47:8a:ef:ba:24:09:fa:ec:f6:d4:f1:0f:a1:31:b7:
+ f0:54:d5:d5:23:19:1e:41:6d:b7:96:17:81:ff:b3:
+ 1e:83:92:76:4b:7c:ce:b1:8f:18:b0:69:20:60:f9:
+ 41:8b:04:ae:89:84:a8:20:48:ae:f3:1f:50:ec:1c:
+ 61:97:bd:81:50:54:61:5d:23:c3:c2:84:ed:19:1b:
+ ee:0f:22:38:28:de:51:04:41:6d:e1:82:43:76:e7:
+ 7b:40:fd:84:ea:9e:e8:d8:da:c2:72:c4:31:c6:b0:
+ ca:ce:ac:7b:5c:fa:43:15:5f:41:1c:21:be:dc:96:
+ 95:d6:77:16:ef:1d:51:8d:10:65:aa:f5:9e:f8:47:
+ 6a:41
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ F2:C4:96:02:CF:BF:C1:AA:B0:D2:1A:DA:E7:F3:4B:2C:5D:D1:DF:14
+ X509v3 Authority Key Identifier:
+ keyid:F2:67:B1:5D:5F:51:5E:DA:51:89:E9:D9:E9:6B:CA:8B:AF:A5:2E:69
+
+ Signature Algorithm: sha1WithRSAEncryption
+ ca:29:3f:44:90:8d:9c:c6:0d:f9:e2:a9:50:d8:e5:d6:0a:e0:
+ be:6e:48:fb:e8:7a:f4:5f:50:dc:6b:d1:76:a5:f9:88:91:96:
+ 62:e5:66:89:da:eb:17:01:f7:d0:d2:f7:3b:35:78:dd:80:45:
+ d0:64:32:13:67:20:a8:fc:d8:62:e1:44:d4:ae:41:37:2e:e7:
+ 63:94:37:66:61:3b:38:e9:7d:8a:b6:18:d4:b7:2c:59:ea:46:
+ a0:ed:ab:84:79:04:be:da:0f:9e:2d:68:34:a0:06:63:fa:33:
+ 61:bc:8a:00:07:62:c3:81:11:0d:28:d9:80:8f:51:a2:db:be:
+ 23:16:a4:37:65:18:72:34:17:c2:a9:63:e3:5f:f4:0e:7c:58:
+ 5e:e4:a5:44:8f:6b:23:ba:18:4e:e3:0c:25:2a:86:ee:5d:c2:
+ a2:e7:92:8d:a8:84:77:ef:b5:9c:af:2c:53:5d:4c:1b:eb:96:
+ a4:56:27:f5:bf:cb:82:91:51:6e:8a:f4:49:6a:84:39:44:a3:
+ 23:7e:d0:83:ce:2b:4a:5f:18:1b:d1:1f:74:14:6f:91:da:1a:
+ ee:95:1d:ee:c7:9e:77:a2:df:1c:22:72:c2:08:bc:98:60:a0:
+ d6:5f:eb:d8:e8:ad:b3:f5:05:c4:1a:9b:a9:8d:29:83:7e:26:
+ 62:fa:e3:79
+-----BEGIN CERTIFICATE-----
+MIIDFjCCAf6gAwIBAgIBAzANBgkqhkiG9w0BAQUFADAoMQ4wDAYDVQQKEwVYeVNT
+TDEWMBQGA1UEAxMNWHlTU0wgVGVzdCBDQTAeFw0wNzExMjkxOTUwNDJaFw0wOTEx
+MjgxOTUwNDJaMCYxDjAMBgNVBAoTBVh5U1NMMRQwEgYDVQQDEwtUZXN0IFVzZXIg
+MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKcr6cPVaHznSyMgMcgO
+vp/I5ranCcVZZ6tt6fN+suc7HJkoM+C46YvuRaPekfgDWTTxtuCzYjNFh2SOWdM0
+T/n7PGRTovJTIJejK/5txPM4gwKSyMuPntnTXoc27BezUFtotwME4pAv1A5IQLGt
+ESjeiqlM3yAFR4rvuiQJ+uz21PEPoTG38FTV1SMZHkFtt5YXgf+zHoOSdkt8zrGP
+GLBpIGD5QYsEromEqCBIrvMfUOwcYZe9gVBUYV0jw8KE7Rkb7g8iOCjeUQRBbeGC
+Q3bne0D9hOqe6NjawnLEMcawys6se1z6QxVfQRwhvtyWldZ3Fu8dUY0QZar1nvhH
+akECAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQU8sSWAs+/waqw0hra5/NL
+LF3R3xQwHwYDVR0jBBgwFoAU8mexXV9RXtpRienZ6WvKi6+lLmkwDQYJKoZIhvcN
+AQEFBQADggEBAMopP0SQjZzGDfniqVDY5dYK4L5uSPvoevRfUNxr0Xal+YiRlmLl
+Zona6xcB99DS9zs1eN2ARdBkMhNnIKj82GLhRNSuQTcu52OUN2ZhOzjpfYq2GNS3
+LFnqRqDtq4R5BL7aD54taDSgBmP6M2G8igAHYsOBEQ0o2YCPUaLbviMWpDdlGHI0
+F8KpY+Nf9A58WF7kpUSPayO6GE7jDCUqhu5dwqLnko2ohHfvtZyvLFNdTBvrlqRW
+J/W/y4KRUW6K9ElqhDlEoyN+0IPOK0pfGBvRH3QUb5HaGu6VHe7Hnnei3xwicsII
+vJhgoNZf69jorbP1BcQam6mNKYN+JmL643k=
+-----END CERTIFICATE-----
diff --git a/programs/ssl/test-ca/client1.key b/programs/ssl/test-ca/client1.key
new file mode 100644
index 0000000..1b78404
--- /dev/null
+++ b/programs/ssl/test-ca/client1.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEApyvpw9VofOdLIyAxyA6+n8jmtqcJxVlnq23p836y5zscmSgz
+4Ljpi+5Fo96R+ANZNPG24LNiM0WHZI5Z0zRP+fs8ZFOi8lMgl6Mr/m3E8ziDApLI
+y4+e2dNehzbsF7NQW2i3AwTikC/UDkhAsa0RKN6KqUzfIAVHiu+6JAn67PbU8Q+h
+MbfwVNXVIxkeQW23lheB/7Meg5J2S3zOsY8YsGkgYPlBiwSuiYSoIEiu8x9Q7Bxh
+l72BUFRhXSPDwoTtGRvuDyI4KN5RBEFt4YJDdud7QP2E6p7o2NrCcsQxxrDKzqx7
+XPpDFV9BHCG+3JaV1ncW7x1RjRBlqvWe+EdqQQIDAQABAoIBAQCmgiHUMnNhvYtk
+kEOlbbJHOvc6RQSBcjzFTrRxGOifUox4rMeHdQcCnrD0uNMRglxPVNb/1wzf3sgt
+y3AC458pcinEEF5EGbJj913xjWpXjBlJ7eRchVAGzPbhnT3pmWxXr+Rh+HKmhU0l
+cKgnkSd/WrIoUW4I2dlZtM/l557seI3Mz34MdWfPgMRdHUFhOa0iJakHtYt1/o4/
+adxjoIdwAjerru0g918frKb3vi13ir67UMrh/A0uUPsVMi/hSZvuT0c2C+Kd+xtH
+e0ttWZ6x8eBEzsimghz2YuaQs4OyPwZHP0unRRpN+Am453b2VjnKPF/S2qFCNOMq
+jWnxyKrBAoGBANx93if4pTTwYeQop4EtYWmfr2OEX9syZzIbv4i1cPQTQo7stDGA
+wX32ytFYvQwm7GZmmHp1buPrfOrYgmD5T29wfjETNqttKxzmJ+aXa30t7UnTH04H
+NCU7O4xAVrFcNeZ4+7o6CwbjHKzflaJXeWlkl/X8hWXUiMAGz6nOKcfpAoGBAMIX
+1cCRTYqfM804Yql1F23b2nX8fFy6VqbWk/ViFWKwamdn0+C3ffLuULnK0s6Xya3G
+/6Ecr/6/+H+KlSNRhenOHHasdhA02QwlEgHFXHG53NSCLLTXjf/LAUNyOvjlnL8P
+tWDqBOWJg4M9aMvsxdv7ALPa/pd7d7kodDvccXCZAoGAI16pkX3oeoqJGYGQBT/T
+XY85Ilysx8vZFAexfOumN/ES/zxnV32RDHTXaiezA80GpRKWKSbHaBZxjna2y3mS
+zYydIaA0Z+F2RgeBpRLrMkR4yRvt7KVpLwPGdKQphAAHwXXs453GAQ/TnMOtDEK9
+/jMd0V71wzUJzswI6fNhbmkCgYByIiX16PvaCigiA4gw8cPnPCNIwkI3HPQbg47Z
++uVsdST8zZdQS1Zq5izeNCCmj6du4tgrW306ppRwG4P7ktLWW/ds6Zk7ingfpiTi
+mbX0wkDTTgEQDrlXs354tNFsz0jPKWOVK8fZWnXVVOUtFXx8ESuml56iYV5TqTBA
+iy7B8QKBgFrmftKKVycQ3EofuhVz2TlxBK+SLnhjNyGyLm6mIgyn09g837ObxMkC
+s/zkUNoZVEW1qcFg10yyqB5F5r94h1qwyTRFPQoBHU88JHMBAkyWMy3yR9z/ca+r
+AzK+oYwtRcRsLdWaMN+nHkJESRZg8QPvT6YJlvRHMEExYndqovRJ
+-----END RSA PRIVATE KEY-----
diff --git a/programs/ssl/test-ca/client2.crt b/programs/ssl/test-ca/client2.crt
new file mode 100644
index 0000000..14a90ca
--- /dev/null
+++ b/programs/ssl/test-ca/client2.crt
@@ -0,0 +1,76 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4 (0x4)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: O=XySSL, CN=XySSL Test CA
+ Validity
+ Not Before: Nov 29 19:50:48 2007 GMT
+ Not After : Nov 28 19:50:48 2009 GMT
+ Subject: O=XySSL, CN=Test User 2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:e5:7b:e1:94:06:e5:dd:20:0a:0d:6a:4f:9e:2c:
+ 43:ea:74:f8:af:90:ab:60:7e:45:17:27:d9:1b:1d:
+ 90:44:97:42:45:67:22:32:d5:eb:97:4e:76:ef:45:
+ 99:3f:80:29:c5:45:94:7d:43:c0:0b:01:bd:ac:9c:
+ 9d:cf:ff:3f:ea:1e:04:1c:2a:70:94:ff:6b:d1:63:
+ 6f:cd:b0:5f:1d:bf:d6:45:f2:e1:32:17:18:87:b4:
+ 79:39:52:01:23:50:5d:8d:10:89:02:c7:e8:a8:67:
+ a5:14:41:0f:1a:d7:25:2b:91:f8:6a:c6:5d:e3:b0:
+ fe:30:7c:47:56:95:93:e1:e8:e4:74:e5:1f:bf:00:
+ 32:49:8e:f7:1d:29:07:68:4c:8e:ca:6f:84:96:37:
+ 37:3d:ee:92:1d:15:b3:18:30:ef:a0:46:b1:6e:7b:
+ ec:d4:a6:27:8d:11:f9:35:31:9c:91:04:c8:e2:8a:
+ ac:4f:cb:b4:49:b0:92:2b:82:59:4e:69:00:62:51:
+ 4f:5d:10:72:54:03:5c:24:39:8a:fb:39:6b:c1:da:
+ 84:10:15:c3:04:cb:31:26:91:b8:0a:b1:b5:32:69:
+ ec:0f:64:a7:51:53:dc:64:13:b1:c2:ec:fc:55:0a:
+ d8:f5:22:e7:c4:d9:4f:73:8d:85:b6:cc:8b:2a:51:
+ 76:e3
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ 72:A9:55:09:13:A6:61:1E:1D:9F:00:BA:AF:93:D9:8D:69:86:1D:20
+ X509v3 Authority Key Identifier:
+ keyid:F2:67:B1:5D:5F:51:5E:DA:51:89:E9:D9:E9:6B:CA:8B:AF:A5:2E:69
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 68:32:9c:c5:ea:15:03:a3:2a:5b:e0:3b:ef:02:72:72:5e:5f:
+ 57:b3:32:1f:a8:46:93:33:38:75:92:5f:41:e3:99:97:3a:f2:
+ 0d:7d:2b:71:81:31:a7:ff:15:28:e8:f1:fe:d4:c1:83:2b:0b:
+ 1a:1b:6c:b3:81:01:e1:4c:77:51:8b:09:2d:7f:da:52:2c:f5:
+ 9e:38:a7:59:b8:cc:dc:f5:42:d4:3f:7f:22:96:7e:4a:89:f0:
+ cc:6e:77:f0:ee:79:d3:82:20:7a:0c:17:e2:c8:14:77:81:cd:
+ bf:34:27:76:7c:c2:eb:4f:93:dd:0a:a3:ee:2e:b9:f6:8a:d2:
+ 7f:0b:f0:69:0f:90:05:6e:d6:ca:23:91:6d:38:68:28:2b:c7:
+ 2d:99:17:c7:2a:1b:a6:1b:78:ea:68:56:cb:2e:83:d4:98:54:
+ 1f:a5:77:cd:88:59:9c:bd:a2:88:70:4e:f4:68:f0:0e:70:45:
+ 9c:c0:ef:d4:48:f0:14:cc:24:b5:47:40:08:07:2f:df:78:0b:
+ 0b:50:f6:49:85:41:8c:48:12:78:3a:67:67:d9:82:09:0f:54:
+ a5:fe:14:7c:d4:21:60:a2:45:2b:ea:97:df:38:cc:f5:5a:cd:
+ 4d:62:5a:a1:cf:51:cb:93:36:2e:c7:17:ec:77:89:06:f2:c9:
+ 55:70:96:f3
+-----BEGIN CERTIFICATE-----
+MIIDFjCCAf6gAwIBAgIBBDANBgkqhkiG9w0BAQUFADAoMQ4wDAYDVQQKEwVYeVNT
+TDEWMBQGA1UEAxMNWHlTU0wgVGVzdCBDQTAeFw0wNzExMjkxOTUwNDhaFw0wOTEx
+MjgxOTUwNDhaMCYxDjAMBgNVBAoTBVh5U1NMMRQwEgYDVQQDEwtUZXN0IFVzZXIg
+MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOV74ZQG5d0gCg1qT54s
+Q+p0+K+Qq2B+RRcn2RsdkESXQkVnIjLV65dOdu9FmT+AKcVFlH1DwAsBvaycnc//
+P+oeBBwqcJT/a9Fjb82wXx2/1kXy4TIXGIe0eTlSASNQXY0QiQLH6KhnpRRBDxrX
+JSuR+GrGXeOw/jB8R1aVk+Ho5HTlH78AMkmO9x0pB2hMjspvhJY3Nz3ukh0Vsxgw
+76BGsW577NSmJ40R+TUxnJEEyOKKrE/LtEmwkiuCWU5pAGJRT10QclQDXCQ5ivs5
+a8HahBAVwwTLMSaRuAqxtTJp7A9kp1FT3GQTscLs/FUK2PUi58TZT3ONhbbMiypR
+duMCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUcqlVCROmYR4dnwC6r5PZ
+jWmGHSAwHwYDVR0jBBgwFoAU8mexXV9RXtpRienZ6WvKi6+lLmkwDQYJKoZIhvcN
+AQEFBQADggEBAGgynMXqFQOjKlvgO+8CcnJeX1ezMh+oRpMzOHWSX0HjmZc68g19
+K3GBMaf/FSjo8f7UwYMrCxobbLOBAeFMd1GLCS1/2lIs9Z44p1m4zNz1QtQ/fyKW
+fkqJ8Mxud/DuedOCIHoMF+LIFHeBzb80J3Z8wutPk90Ko+4uufaK0n8L8GkPkAVu
+1sojkW04aCgrxy2ZF8cqG6YbeOpoVssug9SYVB+ld82IWZy9oohwTvRo8A5wRZzA
+79RI8BTMJLVHQAgHL994CwtQ9kmFQYxIEng6Z2fZggkPVKX+FHzUIWCiRSvql984
+zPVazU1iWqHPUcuTNi7HF+x3iQbyyVVwlvM=
+-----END CERTIFICATE-----
diff --git a/programs/ssl/test-ca/client2.key b/programs/ssl/test-ca/client2.key
new file mode 100644
index 0000000..8696e10
--- /dev/null
+++ b/programs/ssl/test-ca/client2.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpQIBAAKCAQEA5XvhlAbl3SAKDWpPnixD6nT4r5CrYH5FFyfZGx2QRJdCRWci
+MtXrl05270WZP4ApxUWUfUPACwG9rJydz/8/6h4EHCpwlP9r0WNvzbBfHb/WRfLh
+MhcYh7R5OVIBI1BdjRCJAsfoqGelFEEPGtclK5H4asZd47D+MHxHVpWT4ejkdOUf
+vwAySY73HSkHaEyOym+Eljc3Pe6SHRWzGDDvoEaxbnvs1KYnjRH5NTGckQTI4oqs
+T8u0SbCSK4JZTmkAYlFPXRByVANcJDmK+zlrwdqEEBXDBMsxJpG4CrG1MmnsD2Sn
+UVPcZBOxwuz8VQrY9SLnxNlPc42FtsyLKlF24wIDAQABAoIBAENov1uPJyhsR+em
+6dpJoG2XjJFtypmencbugpyvc3higioG4InUQs8AUnl4lUqM6Dg1dyfQpfHVwhSZ
+MNYvYWPxCz4GzWlHGjG4ptfhzh7cAiIr9TCUjjUWs2E+EG2CJujQCZ8Sf+ov/9LS
+RZCZ0CZbS4B54oyGqjQt3Xq2l2kNRODdKbaSK3zZWp9nMNyu0iUpmAtgh6FliARI
+pPr7oUHNxnmkF5JHyLFaGBtr33FZnmh8q9/gGnqEujkd6ynNwERCDVBZiBolVoCm
+sIoC5kBZjaY//I+0dZoBqDsSOGUupdICiy1dHeC8Nc0GIX79pVLNLabCeQbxxOBg
+QTN25FECgYEA8vnRvr6Hq53otreRO5RWFRnpGC0QS+nZArLxuva33IK5srN8CBbD
+qMyszUiG7URHtQudvG9uno2X8fZmvRxRp42NTo3xCUX6HQmbo7o2B1RvQnJ/k+NF
+A9IjqWS0jzneKo7jpoRhKPVolubADGZh7E9IRF+I0ajyOatv6eOB0RkCgYEA8cjr
+9Lg80TSiY4v1z0KzFVRmYsUj2OlkYqSF9XMTIQGO2mGn8ApDh/OzpnxCSK0RjLeR
+WUu3/6pCxUjM4ddOi81hiX51gkx6TC0SZ5jXPUm+NZVfkln8uYmvXE/4qSMZVvnl
+iJnhOV8wNfwhriHQv22+OkoDD1Ul5Cv0GZZim1sCgYEA8BDEm6HEilvKwj080ZEO
+PGsNU0WzBE5Yi8Ih9IgvwT+oGlgcBCH5z53qXil6ppMABnEjuDqhISblKbw6Zj7E
+rre9FhBIRtFM/cOwc2RYXYWfKBfY1VWHqu7FLWjCvYB/ca0cYDoLhVxzqiTzO00t
+Ez6COIvrsrsqGLC6Mm0GpoECgYEA22QQTtdaQA69hwx5uF5yd1lFKjxuAaYNs8BL
+2WNYqStrv1a7dwEpM9R7YAcCckWwVfo/hkJBrFiHC9K6LfcbS5nJ9mPsJpZUpoiD
+WcODExa15JMszHSg8I4xs9bQ8FBr7tMEZwYSKufnrCSjPwlqDDl9UhDUY/ZEUp1b
+elhOE18CgYEAprkUGSy8JHB/Y23U/DUEfHLvUy9W1HjOYXe/SOL+z3TQV3vg/FVr
+VJJ+PIUoSaHkCm9Vm5J4uZaRf5NhajgLPKiIDxvR6oeeU7kC4Pi55voJ6spnCS0+
+xp7hjCLiFeWNqNlF9y6YCmaEM+ULVfw5WerNeeZs36T6iVu5CIiVgsY=
+-----END RSA PRIVATE KEY-----
diff --git a/programs/ssl/test-ca/client2.pfx b/programs/ssl/test-ca/client2.pfx
new file mode 100644
index 0000000..9d7c25c
--- /dev/null
+++ b/programs/ssl/test-ca/client2.pfx
Binary files differ
diff --git a/programs/ssl/test-ca/crl.pem b/programs/ssl/test-ca/crl.pem
new file mode 100644
index 0000000..87b42ba
--- /dev/null
+++ b/programs/ssl/test-ca/crl.pem
@@ -0,0 +1,11 @@
+-----BEGIN X509 CRL-----
+MIIBmDCBgTANBgkqhkiG9w0BAQUFADAoMQ4wDAYDVQQKEwVYeVNTTDEWMBQGA1UE
+AxMNWHlTU0wgVGVzdCBDQRcNMDcxMTI5MTk1MTA4WhcNMDgwMTI4MTk1MTA4WjAo
+MBICAQEXDTA3MTEyOTE5NTA1N1owEgIBAxcNMDcxMTI5MTk1MTAxWjANBgkqhkiG
+9w0BAQUFAAOCAQEATos7dzWxTxm51ZbI48LRseHgz/976mt/E1UZ5WoeoFMmW9qG
+oGmRexrfgzABz1s0S+fjunSibH5lPN4WLTTQ5vY/wzbLFE/ysXMB82b7EVf0fdVC
+9V1805XVOfSr5CBYTdTk1XQ8/ihKHi+TEJMGgXjC4V09qVrKVXO3dmD71MAr4Bcv
+n9ZSWnXuAIELyGfZaHrPjQf9cGc1awsFfdBbkmFrEOuL3Q7oKLae2oENknSWcMhy
+cJTkQuzNI2HwCzR2U1TA4YUrPuNTLaQ58FiI0hEFjTjtgreMirqn9LROJjKzb/xs
+Afi6pbrGefpkTZEZsnbvXxCKcej1tRYjCfgoIQ==
+-----END X509 CRL-----
diff --git a/programs/ssl/test-ca/index b/programs/ssl/test-ca/index
new file mode 100644
index 0000000..f14f2ef
--- /dev/null
+++ b/programs/ssl/test-ca/index
@@ -0,0 +1,4 @@
+R 091128195030Z 071129195057Z 01 unknown /O=XySSL/CN=server1.test
+V 091128195038Z 02 unknown /O=XySSL/CN=localhost
+R 091128195042Z 071129195101Z 03 unknown /O=XySSL/CN=Test User 1
+V 091128195048Z 04 unknown /O=XySSL/CN=Test User 2
diff --git a/programs/ssl/test-ca/index.attr b/programs/ssl/test-ca/index.attr
new file mode 100644
index 0000000..3a7e39e
--- /dev/null
+++ b/programs/ssl/test-ca/index.attr
@@ -0,0 +1 @@
+unique_subject = no
diff --git a/programs/ssl/test-ca/newcerts/01.pem b/programs/ssl/test-ca/newcerts/01.pem
new file mode 100644
index 0000000..fb7dcd4
--- /dev/null
+++ b/programs/ssl/test-ca/newcerts/01.pem
@@ -0,0 +1,76 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 1 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: O=XySSL, CN=XySSL Test CA
+ Validity
+ Not Before: Nov 29 19:50:30 2007 GMT
+ Not After : Nov 28 19:50:30 2009 GMT
+ Subject: O=XySSL, CN=server1.test
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:c6:ca:48:5e:2b:f2:79:4b:32:0c:38:01:e1:4c:
+ 1c:d1:24:bb:ea:de:b8:2f:fb:7a:01:da:4b:3c:13:
+ 0b:d1:12:c0:69:dc:f3:37:2b:fd:b7:a3:b7:49:f2:
+ 57:c2:6d:f8:be:90:f6:7e:fa:80:37:89:17:b8:4c:
+ 85:22:36:f4:36:51:9f:91:6b:48:01:9e:bb:e6:8e:
+ 99:be:ab:45:01:c2:6f:f0:0f:ad:22:ba:83:06:38:
+ aa:b2:3c:e7:f4:aa:c9:32:30:32:db:1c:1a:96:87:
+ eb:2f:53:0d:97:2d:75:3c:bc:75:74:e5:04:51:67:
+ 4e:4e:81:d0:00:4c:ff:47:e7:c3:ca:1f:5d:1c:65:
+ 00:89:0b:d2:78:a5:d3:d2:8f:5c:f8:fe:e5:54:9d:
+ 64:83:bc:12:dc:38:cc:b4:68:3e:2b:c6:b9:d0:ef:
+ b1:e8:bc:cf:5a:b5:b3:1f:47:0a:b1:0f:79:06:97:
+ 73:3b:75:f0:6e:26:1d:36:88:4a:e9:64:b6:e6:58:
+ f8:92:12:a6:7c:08:cc:7b:69:47:6e:c6:65:ae:d8:
+ 31:39:30:3d:ca:0a:4b:2c:c2:01:3e:e9:05:c6:6e:
+ 1f:ce:38:21:22:f4:f5:00:1e:18:0e:d5:48:1a:6e:
+ d5:22:82:af:be:09:a7:47:03:0b:d3:4d:52:5e:34:
+ d1:15
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ F7:AB:E7:C0:58:5F:E0:01:C5:A4:26:83:44:CC:1E:7A:91:C9:44:65
+ X509v3 Authority Key Identifier:
+ keyid:F2:67:B1:5D:5F:51:5E:DA:51:89:E9:D9:E9:6B:CA:8B:AF:A5:2E:69
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 06:9b:8d:63:8c:bb:8a:2b:1a:87:ae:3a:27:34:bc:24:60:f0:
+ 95:12:0e:f5:4c:e6:e4:1f:bd:e2:83:a3:d4:1e:dd:ed:8e:c1:
+ 93:bc:e6:20:96:34:65:73:ac:bb:85:64:54:49:53:82:da:27:
+ 8d:86:e5:a3:12:a5:b6:8e:c6:40:87:0b:1a:a4:02:fe:47:a9:
+ bf:36:39:b1:54:a7:63:1f:92:b2:1a:4f:9e:05:98:e6:f5:b1:
+ 16:fb:47:bb:57:1f:31:35:8e:f8:36:d1:36:48:6a:25:c8:0e:
+ 1c:3d:02:90:cd:cd:1e:68:d2:af:09:e2:69:51:ce:3a:11:67:
+ 20:40:44:c9:9a:4d:9c:3c:af:07:22:dc:99:77:71:40:46:d7:
+ fe:3c:00:30:fc:67:50:89:73:aa:04:4c:ef:e2:44:c1:2e:88:
+ 83:89:83:80:47:88:47:ca:1b:db:67:7e:e7:a8:0a:54:b8:72:
+ f4:96:3f:eb:c1:ba:21:c1:fe:07:eb:ce:4d:b0:80:d6:d9:cf:
+ 2d:e9:8e:c2:2f:6f:cc:8b:a9:13:fd:48:50:5e:2f:86:cd:9e:
+ 8b:ad:16:7f:69:ab:b7:7b:7f:c6:d8:49:f8:06:d0:8a:37:71:
+ 75:d8:4f:3f:02:29:3e:9e:29:cc:f6:e7:c3:10:42:77:6c:34:
+ 63:f3:be:57
+-----BEGIN CERTIFICATE-----
+MIIDFzCCAf+gAwIBAgIBATANBgkqhkiG9w0BAQUFADAoMQ4wDAYDVQQKEwVYeVNT
+TDEWMBQGA1UEAxMNWHlTU0wgVGVzdCBDQTAeFw0wNzExMjkxOTUwMzBaFw0wOTEx
+MjgxOTUwMzBaMCcxDjAMBgNVBAoTBVh5U1NMMRUwEwYDVQQDEwxzZXJ2ZXIxLnRl
+c3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGykheK/J5SzIMOAHh
+TBzRJLvq3rgv+3oB2ks8EwvREsBp3PM3K/23o7dJ8lfCbfi+kPZ++oA3iRe4TIUi
+NvQ2UZ+Ra0gBnrvmjpm+q0UBwm/wD60iuoMGOKqyPOf0qskyMDLbHBqWh+svUw2X
+LXU8vHV05QRRZ05OgdAATP9H58PKH10cZQCJC9J4pdPSj1z4/uVUnWSDvBLcOMy0
+aD4rxrnQ77HovM9atbMfRwqxD3kGl3M7dfBuJh02iErpZLbmWPiSEqZ8CMx7aUdu
+xmWu2DE5MD3KCksswgE+6QXGbh/OOCEi9PUAHhgO1UgabtUigq++CadHAwvTTVJe
+NNEVAgMBAAGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFPer58BYX+ABxaQmg0TM
+HnqRyURlMB8GA1UdIwQYMBaAFPJnsV1fUV7aUYnp2elryouvpS5pMA0GCSqGSIb3
+DQEBBQUAA4IBAQAGm41jjLuKKxqHrjonNLwkYPCVEg71TObkH73ig6PUHt3tjsGT
+vOYgljRlc6y7hWRUSVOC2ieNhuWjEqW2jsZAhwsapAL+R6m/NjmxVKdjH5KyGk+e
+BZjm9bEW+0e7Vx8xNY74NtE2SGolyA4cPQKQzc0eaNKvCeJpUc46EWcgQETJmk2c
+PK8HItyZd3FARtf+PAAw/GdQiXOqBEzv4kTBLoiDiYOAR4hHyhvbZ37nqApUuHL0
+lj/rwbohwf4H685NsIDW2c8t6Y7CL2/Mi6kT/UhQXi+GzZ6LrRZ/aau3e3/G2En4
+BtCKN3F12E8/Aik+ninM9ufDEEJ3bDRj875X
+-----END CERTIFICATE-----
diff --git a/programs/ssl/test-ca/newcerts/02.pem b/programs/ssl/test-ca/newcerts/02.pem
new file mode 100644
index 0000000..72b06f7
--- /dev/null
+++ b/programs/ssl/test-ca/newcerts/02.pem
@@ -0,0 +1,76 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 2 (0x2)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: O=XySSL, CN=XySSL Test CA
+ Validity
+ Not Before: Nov 29 19:50:38 2007 GMT
+ Not After : Nov 28 19:50:38 2009 GMT
+ Subject: O=XySSL, CN=localhost
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:cc:d4:56:38:49:e6:d6:7f:50:e7:d2:05:c8:99:
+ 25:32:45:71:dd:1c:e1:72:3d:68:94:c0:68:e2:2e:
+ 95:94:87:03:5b:fc:70:69:c4:b3:a0:94:e6:71:02:
+ 18:b1:00:5b:bd:90:ee:08:d0:cd:33:d2:fb:5e:ca:
+ d6:c2:58:ed:f0:51:b7:54:ac:a4:99:22:8b:a3:07:
+ bb:d7:41:14:de:0a:5a:92:9d:2d:08:1c:5f:bf:9b:
+ dc:02:bb:c2:ca:06:b8:f2:8d:04:67:52:ca:9c:3a:
+ 15:a3:ba:30:2f:51:07:4d:8c:69:5c:8c:9f:41:56:
+ 03:ca:b4:88:b8:ce:0f:f0:28:67:19:dd:4c:96:64:
+ 8d:1c:07:b2:c6:cb:58:bf:d9:2b:42:39:ed:28:80:
+ 30:61:23:0e:95:d7:27:11:6f:7e:bc:bc:7b:73:01:
+ c3:9a:56:fb:e6:ae:88:a8:96:5a:0f:bb:a5:b1:9d:
+ d5:4a:74:00:26:68:08:3d:67:92:49:58:ab:e2:6a:
+ 00:45:83:3b:e1:e3:e6:c7:2c:c0:40:b9:ca:68:0b:
+ a4:8f:ba:6d:53:af:6f:7a:57:84:4f:d8:b0:ae:0c:
+ ce:23:1b:25:32:13:b6:3a:97:74:ca:af:2c:96:76:
+ 34:b2:24:6e:39:45:13:ec:be:16:db:b8:41:71:06:
+ 00:ed
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ B1:B0:EA:31:9D:5C:4F:00:7F:CD:0D:1F:78:A9:18:5D:96:DE:AA:B1
+ X509v3 Authority Key Identifier:
+ keyid:F2:67:B1:5D:5F:51:5E:DA:51:89:E9:D9:E9:6B:CA:8B:AF:A5:2E:69
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 2b:9f:5d:f7:8c:42:89:45:d9:19:6f:d1:87:71:c7:74:ec:13:
+ c1:c3:7d:51:b5:6d:c3:f8:f4:cc:8a:d5:3b:ee:59:0e:0b:b8:
+ bf:7f:a3:4a:69:cb:ea:54:fc:58:98:34:05:0a:62:aa:73:61:
+ f2:15:8c:20:93:61:0b:9f:fd:64:d1:7d:87:b3:e5:43:1b:71:
+ 36:b4:4c:b1:19:38:04:35:e7:f6:52:e5:3c:d0:a5:2d:55:99:
+ 9e:5b:df:d5:60:6c:59:ac:e4:f7:4e:f7:55:ce:da:1c:9c:5e:
+ 35:a8:d5:41:47:09:e0:df:7d:75:7e:8e:41:2c:93:34:bf:d2:
+ 5e:5b:15:15:05:02:4d:24:1e:c4:5b:03:52:ab:0a:ac:6d:72:
+ 00:3c:de:f9:0f:84:73:dc:b2:e6:52:6c:82:af:26:97:5a:58:
+ 50:89:a3:c7:d9:5d:a5:8a:3c:e0:e8:3e:63:eb:4f:ff:fd:45:
+ b2:ec:a1:fb:45:03:0f:37:d0:a1:8d:42:bf:23:91:66:2e:09:
+ 61:18:3e:5b:e7:b7:e4:6e:e0:2d:88:0d:c2:2a:e6:19:fa:35:
+ 05:0d:8b:a4:f3:fb:05:54:98:87:66:5a:a2:f3:56:b5:39:7c:
+ 1c:28:50:06:4a:3c:60:5a:e8:ec:19:4e:7e:cd:b1:56:5e:a3:
+ 4d:f8:6c:72
+-----BEGIN CERTIFICATE-----
+MIIDFDCCAfygAwIBAgIBAjANBgkqhkiG9w0BAQUFADAoMQ4wDAYDVQQKEwVYeVNT
+TDEWMBQGA1UEAxMNWHlTU0wgVGVzdCBDQTAeFw0wNzExMjkxOTUwMzhaFw0wOTEx
+MjgxOTUwMzhaMCQxDjAMBgNVBAoTBVh5U1NMMRIwEAYDVQQDEwlsb2NhbGhvc3Qw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDM1FY4SebWf1Dn0gXImSUy
+RXHdHOFyPWiUwGjiLpWUhwNb/HBpxLOglOZxAhixAFu9kO4I0M0z0vteytbCWO3w
+UbdUrKSZIoujB7vXQRTeClqSnS0IHF+/m9wCu8LKBrjyjQRnUsqcOhWjujAvUQdN
+jGlcjJ9BVgPKtIi4zg/wKGcZ3UyWZI0cB7LGy1i/2StCOe0ogDBhIw6V1ycRb368
+vHtzAcOaVvvmroiolloPu6WxndVKdAAmaAg9Z5JJWKviagBFgzvh4+bHLMBAucpo
+C6SPum1Tr296V4RP2LCuDM4jGyUyE7Y6l3TKryyWdjSyJG45RRPsvhbbuEFxBgDt
+AgMBAAGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFLGw6jGdXE8Af80NH3ipGF2W
+3qqxMB8GA1UdIwQYMBaAFPJnsV1fUV7aUYnp2elryouvpS5pMA0GCSqGSIb3DQEB
+BQUAA4IBAQArn133jEKJRdkZb9GHccd07BPBw31RtW3D+PTMitU77lkOC7i/f6NK
+acvqVPxYmDQFCmKqc2HyFYwgk2ELn/1k0X2Hs+VDG3E2tEyxGTgENef2UuU80KUt
+VZmeW9/VYGxZrOT3TvdVztocnF41qNVBRwng3311fo5BLJM0v9JeWxUVBQJNJB7E
+WwNSqwqsbXIAPN75D4Rz3LLmUmyCryaXWlhQiaPH2V2lijzg6D5j60///UWy7KH7
+RQMPN9ChjUK/I5FmLglhGD5b57fkbuAtiA3CKuYZ+jUFDYuk8/sFVJiHZlqi81a1
+OXwcKFAGSjxgWujsGU5+zbFWXqNN+Gxy
+-----END CERTIFICATE-----
diff --git a/programs/ssl/test-ca/newcerts/03.pem b/programs/ssl/test-ca/newcerts/03.pem
new file mode 100644
index 0000000..679bbea
--- /dev/null
+++ b/programs/ssl/test-ca/newcerts/03.pem
@@ -0,0 +1,76 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 3 (0x3)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: O=XySSL, CN=XySSL Test CA
+ Validity
+ Not Before: Nov 29 19:50:42 2007 GMT
+ Not After : Nov 28 19:50:42 2009 GMT
+ Subject: O=XySSL, CN=Test User 1
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:a7:2b:e9:c3:d5:68:7c:e7:4b:23:20:31:c8:0e:
+ be:9f:c8:e6:b6:a7:09:c5:59:67:ab:6d:e9:f3:7e:
+ b2:e7:3b:1c:99:28:33:e0:b8:e9:8b:ee:45:a3:de:
+ 91:f8:03:59:34:f1:b6:e0:b3:62:33:45:87:64:8e:
+ 59:d3:34:4f:f9:fb:3c:64:53:a2:f2:53:20:97:a3:
+ 2b:fe:6d:c4:f3:38:83:02:92:c8:cb:8f:9e:d9:d3:
+ 5e:87:36:ec:17:b3:50:5b:68:b7:03:04:e2:90:2f:
+ d4:0e:48:40:b1:ad:11:28:de:8a:a9:4c:df:20:05:
+ 47:8a:ef:ba:24:09:fa:ec:f6:d4:f1:0f:a1:31:b7:
+ f0:54:d5:d5:23:19:1e:41:6d:b7:96:17:81:ff:b3:
+ 1e:83:92:76:4b:7c:ce:b1:8f:18:b0:69:20:60:f9:
+ 41:8b:04:ae:89:84:a8:20:48:ae:f3:1f:50:ec:1c:
+ 61:97:bd:81:50:54:61:5d:23:c3:c2:84:ed:19:1b:
+ ee:0f:22:38:28:de:51:04:41:6d:e1:82:43:76:e7:
+ 7b:40:fd:84:ea:9e:e8:d8:da:c2:72:c4:31:c6:b0:
+ ca:ce:ac:7b:5c:fa:43:15:5f:41:1c:21:be:dc:96:
+ 95:d6:77:16:ef:1d:51:8d:10:65:aa:f5:9e:f8:47:
+ 6a:41
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ F2:C4:96:02:CF:BF:C1:AA:B0:D2:1A:DA:E7:F3:4B:2C:5D:D1:DF:14
+ X509v3 Authority Key Identifier:
+ keyid:F2:67:B1:5D:5F:51:5E:DA:51:89:E9:D9:E9:6B:CA:8B:AF:A5:2E:69
+
+ Signature Algorithm: sha1WithRSAEncryption
+ ca:29:3f:44:90:8d:9c:c6:0d:f9:e2:a9:50:d8:e5:d6:0a:e0:
+ be:6e:48:fb:e8:7a:f4:5f:50:dc:6b:d1:76:a5:f9:88:91:96:
+ 62:e5:66:89:da:eb:17:01:f7:d0:d2:f7:3b:35:78:dd:80:45:
+ d0:64:32:13:67:20:a8:fc:d8:62:e1:44:d4:ae:41:37:2e:e7:
+ 63:94:37:66:61:3b:38:e9:7d:8a:b6:18:d4:b7:2c:59:ea:46:
+ a0:ed:ab:84:79:04:be:da:0f:9e:2d:68:34:a0:06:63:fa:33:
+ 61:bc:8a:00:07:62:c3:81:11:0d:28:d9:80:8f:51:a2:db:be:
+ 23:16:a4:37:65:18:72:34:17:c2:a9:63:e3:5f:f4:0e:7c:58:
+ 5e:e4:a5:44:8f:6b:23:ba:18:4e:e3:0c:25:2a:86:ee:5d:c2:
+ a2:e7:92:8d:a8:84:77:ef:b5:9c:af:2c:53:5d:4c:1b:eb:96:
+ a4:56:27:f5:bf:cb:82:91:51:6e:8a:f4:49:6a:84:39:44:a3:
+ 23:7e:d0:83:ce:2b:4a:5f:18:1b:d1:1f:74:14:6f:91:da:1a:
+ ee:95:1d:ee:c7:9e:77:a2:df:1c:22:72:c2:08:bc:98:60:a0:
+ d6:5f:eb:d8:e8:ad:b3:f5:05:c4:1a:9b:a9:8d:29:83:7e:26:
+ 62:fa:e3:79
+-----BEGIN CERTIFICATE-----
+MIIDFjCCAf6gAwIBAgIBAzANBgkqhkiG9w0BAQUFADAoMQ4wDAYDVQQKEwVYeVNT
+TDEWMBQGA1UEAxMNWHlTU0wgVGVzdCBDQTAeFw0wNzExMjkxOTUwNDJaFw0wOTEx
+MjgxOTUwNDJaMCYxDjAMBgNVBAoTBVh5U1NMMRQwEgYDVQQDEwtUZXN0IFVzZXIg
+MTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKcr6cPVaHznSyMgMcgO
+vp/I5ranCcVZZ6tt6fN+suc7HJkoM+C46YvuRaPekfgDWTTxtuCzYjNFh2SOWdM0
+T/n7PGRTovJTIJejK/5txPM4gwKSyMuPntnTXoc27BezUFtotwME4pAv1A5IQLGt
+ESjeiqlM3yAFR4rvuiQJ+uz21PEPoTG38FTV1SMZHkFtt5YXgf+zHoOSdkt8zrGP
+GLBpIGD5QYsEromEqCBIrvMfUOwcYZe9gVBUYV0jw8KE7Rkb7g8iOCjeUQRBbeGC
+Q3bne0D9hOqe6NjawnLEMcawys6se1z6QxVfQRwhvtyWldZ3Fu8dUY0QZar1nvhH
+akECAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQU8sSWAs+/waqw0hra5/NL
+LF3R3xQwHwYDVR0jBBgwFoAU8mexXV9RXtpRienZ6WvKi6+lLmkwDQYJKoZIhvcN
+AQEFBQADggEBAMopP0SQjZzGDfniqVDY5dYK4L5uSPvoevRfUNxr0Xal+YiRlmLl
+Zona6xcB99DS9zs1eN2ARdBkMhNnIKj82GLhRNSuQTcu52OUN2ZhOzjpfYq2GNS3
+LFnqRqDtq4R5BL7aD54taDSgBmP6M2G8igAHYsOBEQ0o2YCPUaLbviMWpDdlGHI0
+F8KpY+Nf9A58WF7kpUSPayO6GE7jDCUqhu5dwqLnko2ohHfvtZyvLFNdTBvrlqRW
+J/W/y4KRUW6K9ElqhDlEoyN+0IPOK0pfGBvRH3QUb5HaGu6VHe7Hnnei3xwicsII
+vJhgoNZf69jorbP1BcQam6mNKYN+JmL643k=
+-----END CERTIFICATE-----
diff --git a/programs/ssl/test-ca/newcerts/04.pem b/programs/ssl/test-ca/newcerts/04.pem
new file mode 100644
index 0000000..14a90ca
--- /dev/null
+++ b/programs/ssl/test-ca/newcerts/04.pem
@@ -0,0 +1,76 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4 (0x4)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: O=XySSL, CN=XySSL Test CA
+ Validity
+ Not Before: Nov 29 19:50:48 2007 GMT
+ Not After : Nov 28 19:50:48 2009 GMT
+ Subject: O=XySSL, CN=Test User 2
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:e5:7b:e1:94:06:e5:dd:20:0a:0d:6a:4f:9e:2c:
+ 43:ea:74:f8:af:90:ab:60:7e:45:17:27:d9:1b:1d:
+ 90:44:97:42:45:67:22:32:d5:eb:97:4e:76:ef:45:
+ 99:3f:80:29:c5:45:94:7d:43:c0:0b:01:bd:ac:9c:
+ 9d:cf:ff:3f:ea:1e:04:1c:2a:70:94:ff:6b:d1:63:
+ 6f:cd:b0:5f:1d:bf:d6:45:f2:e1:32:17:18:87:b4:
+ 79:39:52:01:23:50:5d:8d:10:89:02:c7:e8:a8:67:
+ a5:14:41:0f:1a:d7:25:2b:91:f8:6a:c6:5d:e3:b0:
+ fe:30:7c:47:56:95:93:e1:e8:e4:74:e5:1f:bf:00:
+ 32:49:8e:f7:1d:29:07:68:4c:8e:ca:6f:84:96:37:
+ 37:3d:ee:92:1d:15:b3:18:30:ef:a0:46:b1:6e:7b:
+ ec:d4:a6:27:8d:11:f9:35:31:9c:91:04:c8:e2:8a:
+ ac:4f:cb:b4:49:b0:92:2b:82:59:4e:69:00:62:51:
+ 4f:5d:10:72:54:03:5c:24:39:8a:fb:39:6b:c1:da:
+ 84:10:15:c3:04:cb:31:26:91:b8:0a:b1:b5:32:69:
+ ec:0f:64:a7:51:53:dc:64:13:b1:c2:ec:fc:55:0a:
+ d8:f5:22:e7:c4:d9:4f:73:8d:85:b6:cc:8b:2a:51:
+ 76:e3
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ 72:A9:55:09:13:A6:61:1E:1D:9F:00:BA:AF:93:D9:8D:69:86:1D:20
+ X509v3 Authority Key Identifier:
+ keyid:F2:67:B1:5D:5F:51:5E:DA:51:89:E9:D9:E9:6B:CA:8B:AF:A5:2E:69
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 68:32:9c:c5:ea:15:03:a3:2a:5b:e0:3b:ef:02:72:72:5e:5f:
+ 57:b3:32:1f:a8:46:93:33:38:75:92:5f:41:e3:99:97:3a:f2:
+ 0d:7d:2b:71:81:31:a7:ff:15:28:e8:f1:fe:d4:c1:83:2b:0b:
+ 1a:1b:6c:b3:81:01:e1:4c:77:51:8b:09:2d:7f:da:52:2c:f5:
+ 9e:38:a7:59:b8:cc:dc:f5:42:d4:3f:7f:22:96:7e:4a:89:f0:
+ cc:6e:77:f0:ee:79:d3:82:20:7a:0c:17:e2:c8:14:77:81:cd:
+ bf:34:27:76:7c:c2:eb:4f:93:dd:0a:a3:ee:2e:b9:f6:8a:d2:
+ 7f:0b:f0:69:0f:90:05:6e:d6:ca:23:91:6d:38:68:28:2b:c7:
+ 2d:99:17:c7:2a:1b:a6:1b:78:ea:68:56:cb:2e:83:d4:98:54:
+ 1f:a5:77:cd:88:59:9c:bd:a2:88:70:4e:f4:68:f0:0e:70:45:
+ 9c:c0:ef:d4:48:f0:14:cc:24:b5:47:40:08:07:2f:df:78:0b:
+ 0b:50:f6:49:85:41:8c:48:12:78:3a:67:67:d9:82:09:0f:54:
+ a5:fe:14:7c:d4:21:60:a2:45:2b:ea:97:df:38:cc:f5:5a:cd:
+ 4d:62:5a:a1:cf:51:cb:93:36:2e:c7:17:ec:77:89:06:f2:c9:
+ 55:70:96:f3
+-----BEGIN CERTIFICATE-----
+MIIDFjCCAf6gAwIBAgIBBDANBgkqhkiG9w0BAQUFADAoMQ4wDAYDVQQKEwVYeVNT
+TDEWMBQGA1UEAxMNWHlTU0wgVGVzdCBDQTAeFw0wNzExMjkxOTUwNDhaFw0wOTEx
+MjgxOTUwNDhaMCYxDjAMBgNVBAoTBVh5U1NMMRQwEgYDVQQDEwtUZXN0IFVzZXIg
+MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOV74ZQG5d0gCg1qT54s
+Q+p0+K+Qq2B+RRcn2RsdkESXQkVnIjLV65dOdu9FmT+AKcVFlH1DwAsBvaycnc//
+P+oeBBwqcJT/a9Fjb82wXx2/1kXy4TIXGIe0eTlSASNQXY0QiQLH6KhnpRRBDxrX
+JSuR+GrGXeOw/jB8R1aVk+Ho5HTlH78AMkmO9x0pB2hMjspvhJY3Nz3ukh0Vsxgw
+76BGsW577NSmJ40R+TUxnJEEyOKKrE/LtEmwkiuCWU5pAGJRT10QclQDXCQ5ivs5
+a8HahBAVwwTLMSaRuAqxtTJp7A9kp1FT3GQTscLs/FUK2PUi58TZT3ONhbbMiypR
+duMCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUcqlVCROmYR4dnwC6r5PZ
+jWmGHSAwHwYDVR0jBBgwFoAU8mexXV9RXtpRienZ6WvKi6+lLmkwDQYJKoZIhvcN
+AQEFBQADggEBAGgynMXqFQOjKlvgO+8CcnJeX1ezMh+oRpMzOHWSX0HjmZc68g19
+K3GBMaf/FSjo8f7UwYMrCxobbLOBAeFMd1GLCS1/2lIs9Z44p1m4zNz1QtQ/fyKW
+fkqJ8Mxud/DuedOCIHoMF+LIFHeBzb80J3Z8wutPk90Ko+4uufaK0n8L8GkPkAVu
+1sojkW04aCgrxy2ZF8cqG6YbeOpoVssug9SYVB+ld82IWZy9oohwTvRo8A5wRZzA
+79RI8BTMJLVHQAgHL994CwtQ9kmFQYxIEng6Z2fZggkPVKX+FHzUIWCiRSvql984
+zPVazU1iWqHPUcuTNi7HF+x3iQbyyVVwlvM=
+-----END CERTIFICATE-----
diff --git a/programs/ssl/test-ca/serial b/programs/ssl/test-ca/serial
new file mode 100644
index 0000000..eeee65e
--- /dev/null
+++ b/programs/ssl/test-ca/serial
@@ -0,0 +1 @@
+05
diff --git a/programs/ssl/test-ca/server1.crt b/programs/ssl/test-ca/server1.crt
new file mode 100644
index 0000000..fb7dcd4
--- /dev/null
+++ b/programs/ssl/test-ca/server1.crt
@@ -0,0 +1,76 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 1 (0x1)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: O=XySSL, CN=XySSL Test CA
+ Validity
+ Not Before: Nov 29 19:50:30 2007 GMT
+ Not After : Nov 28 19:50:30 2009 GMT
+ Subject: O=XySSL, CN=server1.test
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:c6:ca:48:5e:2b:f2:79:4b:32:0c:38:01:e1:4c:
+ 1c:d1:24:bb:ea:de:b8:2f:fb:7a:01:da:4b:3c:13:
+ 0b:d1:12:c0:69:dc:f3:37:2b:fd:b7:a3:b7:49:f2:
+ 57:c2:6d:f8:be:90:f6:7e:fa:80:37:89:17:b8:4c:
+ 85:22:36:f4:36:51:9f:91:6b:48:01:9e:bb:e6:8e:
+ 99:be:ab:45:01:c2:6f:f0:0f:ad:22:ba:83:06:38:
+ aa:b2:3c:e7:f4:aa:c9:32:30:32:db:1c:1a:96:87:
+ eb:2f:53:0d:97:2d:75:3c:bc:75:74:e5:04:51:67:
+ 4e:4e:81:d0:00:4c:ff:47:e7:c3:ca:1f:5d:1c:65:
+ 00:89:0b:d2:78:a5:d3:d2:8f:5c:f8:fe:e5:54:9d:
+ 64:83:bc:12:dc:38:cc:b4:68:3e:2b:c6:b9:d0:ef:
+ b1:e8:bc:cf:5a:b5:b3:1f:47:0a:b1:0f:79:06:97:
+ 73:3b:75:f0:6e:26:1d:36:88:4a:e9:64:b6:e6:58:
+ f8:92:12:a6:7c:08:cc:7b:69:47:6e:c6:65:ae:d8:
+ 31:39:30:3d:ca:0a:4b:2c:c2:01:3e:e9:05:c6:6e:
+ 1f:ce:38:21:22:f4:f5:00:1e:18:0e:d5:48:1a:6e:
+ d5:22:82:af:be:09:a7:47:03:0b:d3:4d:52:5e:34:
+ d1:15
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ F7:AB:E7:C0:58:5F:E0:01:C5:A4:26:83:44:CC:1E:7A:91:C9:44:65
+ X509v3 Authority Key Identifier:
+ keyid:F2:67:B1:5D:5F:51:5E:DA:51:89:E9:D9:E9:6B:CA:8B:AF:A5:2E:69
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 06:9b:8d:63:8c:bb:8a:2b:1a:87:ae:3a:27:34:bc:24:60:f0:
+ 95:12:0e:f5:4c:e6:e4:1f:bd:e2:83:a3:d4:1e:dd:ed:8e:c1:
+ 93:bc:e6:20:96:34:65:73:ac:bb:85:64:54:49:53:82:da:27:
+ 8d:86:e5:a3:12:a5:b6:8e:c6:40:87:0b:1a:a4:02:fe:47:a9:
+ bf:36:39:b1:54:a7:63:1f:92:b2:1a:4f:9e:05:98:e6:f5:b1:
+ 16:fb:47:bb:57:1f:31:35:8e:f8:36:d1:36:48:6a:25:c8:0e:
+ 1c:3d:02:90:cd:cd:1e:68:d2:af:09:e2:69:51:ce:3a:11:67:
+ 20:40:44:c9:9a:4d:9c:3c:af:07:22:dc:99:77:71:40:46:d7:
+ fe:3c:00:30:fc:67:50:89:73:aa:04:4c:ef:e2:44:c1:2e:88:
+ 83:89:83:80:47:88:47:ca:1b:db:67:7e:e7:a8:0a:54:b8:72:
+ f4:96:3f:eb:c1:ba:21:c1:fe:07:eb:ce:4d:b0:80:d6:d9:cf:
+ 2d:e9:8e:c2:2f:6f:cc:8b:a9:13:fd:48:50:5e:2f:86:cd:9e:
+ 8b:ad:16:7f:69:ab:b7:7b:7f:c6:d8:49:f8:06:d0:8a:37:71:
+ 75:d8:4f:3f:02:29:3e:9e:29:cc:f6:e7:c3:10:42:77:6c:34:
+ 63:f3:be:57
+-----BEGIN CERTIFICATE-----
+MIIDFzCCAf+gAwIBAgIBATANBgkqhkiG9w0BAQUFADAoMQ4wDAYDVQQKEwVYeVNT
+TDEWMBQGA1UEAxMNWHlTU0wgVGVzdCBDQTAeFw0wNzExMjkxOTUwMzBaFw0wOTEx
+MjgxOTUwMzBaMCcxDjAMBgNVBAoTBVh5U1NMMRUwEwYDVQQDEwxzZXJ2ZXIxLnRl
+c3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGykheK/J5SzIMOAHh
+TBzRJLvq3rgv+3oB2ks8EwvREsBp3PM3K/23o7dJ8lfCbfi+kPZ++oA3iRe4TIUi
+NvQ2UZ+Ra0gBnrvmjpm+q0UBwm/wD60iuoMGOKqyPOf0qskyMDLbHBqWh+svUw2X
+LXU8vHV05QRRZ05OgdAATP9H58PKH10cZQCJC9J4pdPSj1z4/uVUnWSDvBLcOMy0
+aD4rxrnQ77HovM9atbMfRwqxD3kGl3M7dfBuJh02iErpZLbmWPiSEqZ8CMx7aUdu
+xmWu2DE5MD3KCksswgE+6QXGbh/OOCEi9PUAHhgO1UgabtUigq++CadHAwvTTVJe
+NNEVAgMBAAGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFPer58BYX+ABxaQmg0TM
+HnqRyURlMB8GA1UdIwQYMBaAFPJnsV1fUV7aUYnp2elryouvpS5pMA0GCSqGSIb3
+DQEBBQUAA4IBAQAGm41jjLuKKxqHrjonNLwkYPCVEg71TObkH73ig6PUHt3tjsGT
+vOYgljRlc6y7hWRUSVOC2ieNhuWjEqW2jsZAhwsapAL+R6m/NjmxVKdjH5KyGk+e
+BZjm9bEW+0e7Vx8xNY74NtE2SGolyA4cPQKQzc0eaNKvCeJpUc46EWcgQETJmk2c
+PK8HItyZd3FARtf+PAAw/GdQiXOqBEzv4kTBLoiDiYOAR4hHyhvbZ37nqApUuHL0
+lj/rwbohwf4H685NsIDW2c8t6Y7CL2/Mi6kT/UhQXi+GzZ6LrRZ/aau3e3/G2En4
+BtCKN3F12E8/Aik+ninM9ufDEEJ3bDRj875X
+-----END CERTIFICATE-----
diff --git a/programs/ssl/test-ca/server1.key b/programs/ssl/test-ca/server1.key
new file mode 100644
index 0000000..b418c6d
--- /dev/null
+++ b/programs/ssl/test-ca/server1.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAxspIXivyeUsyDDgB4Uwc0SS76t64L/t6AdpLPBML0RLAadzz
+Nyv9t6O3SfJXwm34vpD2fvqAN4kXuEyFIjb0NlGfkWtIAZ675o6ZvqtFAcJv8A+t
+IrqDBjiqsjzn9KrJMjAy2xwalofrL1MNly11PLx1dOUEUWdOToHQAEz/R+fDyh9d
+HGUAiQvSeKXT0o9c+P7lVJ1kg7wS3DjMtGg+K8a50O+x6LzPWrWzH0cKsQ95Bpdz
+O3XwbiYdNohK6WS25lj4khKmfAjMe2lHbsZlrtgxOTA9ygpLLMIBPukFxm4fzjgh
+IvT1AB4YDtVIGm7VIoKvvgmnRwML001SXjTRFQIDAQABAoIBAHw0n4rXgqTuqtKf
+m+0dFVRH03IovoScZ9sIfcGHVPbI9JgwiXaLcfdvv3HgjZzaAXVwNdOYyMvqSHvK
+s9Rw6Z2W2lCN62u3tkeUCdPsRy2WQ0KHSPJN/tfASEcdbwCcRSGqo9vrb2FmgzgK
+eI9gw8OzLOBgx5XlKjQ7P68wbMCLoQ4z7UZQkqWRhBrO6r2yR6/+y91OgrFixp/D
+rpsWvvW4+EmPihYceA8CTqqZSz7DKcNvNyPqCFRav+856m/9oBxKOkuuvoR3811c
+GSn+c8Np/bbKQxZ6YA94QujoKMXO8i8ZEnRfMKa/NbBMpa1jSRTd/5uA6/CI+bUB
+io1nLgECgYEA4eVuezN7SvMN8ihB61Hg6fGwa2YiTPkCp7WWeRHB8f+2iq0hFCAn
+yu9YsyafVMVPwoebEMCkqaIrlrKdL0w3xUjDNwhgSyAQyXUnSQFwa3IkhLWNkj5P
+pQCAeZy9PEGwolPQKBNVaU+J7p7ipOv9VAyBmyqUq4XXwpYcdyH6NbUCgYEA4Ugd
+Kt3/iOJpv1PMIQpXI926lXbH6hquqlQbpb35YlNgC4N8eC/r4Q/yW7FI0kD72ipO
+EUlSFne8FJHPluNe6GahF9np6M48ogmv6QhiOFf5T+6kVXdJ+akqYhcWC5m/hArT
+/q27+PwTpYBwIwf54PaM/k9iOz0zH9bqY3TvSeECgYEAmChicroKokF1c1eKj2dn
+iC00GCODlzVjhHPcF1DOwqLr4h0b2uKN6zOtG384c3E0eGO/H1mjkF+b3LYTCnjc
+WBba54bM1c2TgR9YhuRhRP5teraP1aIDI7Fi2IerL5tPzweFfnkHXxgkYIbFQzFy
+QdrqsgnMenx9CKT0J4rLbsECgYA5a2gDxRGckhjh6zncMgaD3b/w2JWb1bEvOMDT
+PdiSdy3DwX+4In68npPnSwiEjouiz6WWQlnp4BrQI1oF224VThNBQQmdjPNnWZC8
+lKZ0NfgVp327SuxP9g4XckrsKgPmY9wkzaNbkuRvCo2KYD4QWMcXCqS+9JpTQzP6
+pZNYAQKBgQC5mvSC9zxQYX9Ia9PDL4q6AjdG0XweZuYHk2/bQ1LQjM7qI1mescol
+CXbNXUxhw2XAXkw8BFAfPJ3npIL7FX0htEiYx7KqpCYN7IXSpQ6xexZn6nEm+mBz
+VMWO8Roj95S3tyZOTzbmuUNbQsfLZlQ2hUeUBvJ5UH+LBFivjxy0pw==
+-----END RSA PRIVATE KEY-----
diff --git a/programs/ssl/test-ca/server2.crt b/programs/ssl/test-ca/server2.crt
new file mode 100644
index 0000000..72b06f7
--- /dev/null
+++ b/programs/ssl/test-ca/server2.crt
@@ -0,0 +1,76 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 2 (0x2)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: O=XySSL, CN=XySSL Test CA
+ Validity
+ Not Before: Nov 29 19:50:38 2007 GMT
+ Not After : Nov 28 19:50:38 2009 GMT
+ Subject: O=XySSL, CN=localhost
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:cc:d4:56:38:49:e6:d6:7f:50:e7:d2:05:c8:99:
+ 25:32:45:71:dd:1c:e1:72:3d:68:94:c0:68:e2:2e:
+ 95:94:87:03:5b:fc:70:69:c4:b3:a0:94:e6:71:02:
+ 18:b1:00:5b:bd:90:ee:08:d0:cd:33:d2:fb:5e:ca:
+ d6:c2:58:ed:f0:51:b7:54:ac:a4:99:22:8b:a3:07:
+ bb:d7:41:14:de:0a:5a:92:9d:2d:08:1c:5f:bf:9b:
+ dc:02:bb:c2:ca:06:b8:f2:8d:04:67:52:ca:9c:3a:
+ 15:a3:ba:30:2f:51:07:4d:8c:69:5c:8c:9f:41:56:
+ 03:ca:b4:88:b8:ce:0f:f0:28:67:19:dd:4c:96:64:
+ 8d:1c:07:b2:c6:cb:58:bf:d9:2b:42:39:ed:28:80:
+ 30:61:23:0e:95:d7:27:11:6f:7e:bc:bc:7b:73:01:
+ c3:9a:56:fb:e6:ae:88:a8:96:5a:0f:bb:a5:b1:9d:
+ d5:4a:74:00:26:68:08:3d:67:92:49:58:ab:e2:6a:
+ 00:45:83:3b:e1:e3:e6:c7:2c:c0:40:b9:ca:68:0b:
+ a4:8f:ba:6d:53:af:6f:7a:57:84:4f:d8:b0:ae:0c:
+ ce:23:1b:25:32:13:b6:3a:97:74:ca:af:2c:96:76:
+ 34:b2:24:6e:39:45:13:ec:be:16:db:b8:41:71:06:
+ 00:ed
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ B1:B0:EA:31:9D:5C:4F:00:7F:CD:0D:1F:78:A9:18:5D:96:DE:AA:B1
+ X509v3 Authority Key Identifier:
+ keyid:F2:67:B1:5D:5F:51:5E:DA:51:89:E9:D9:E9:6B:CA:8B:AF:A5:2E:69
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 2b:9f:5d:f7:8c:42:89:45:d9:19:6f:d1:87:71:c7:74:ec:13:
+ c1:c3:7d:51:b5:6d:c3:f8:f4:cc:8a:d5:3b:ee:59:0e:0b:b8:
+ bf:7f:a3:4a:69:cb:ea:54:fc:58:98:34:05:0a:62:aa:73:61:
+ f2:15:8c:20:93:61:0b:9f:fd:64:d1:7d:87:b3:e5:43:1b:71:
+ 36:b4:4c:b1:19:38:04:35:e7:f6:52:e5:3c:d0:a5:2d:55:99:
+ 9e:5b:df:d5:60:6c:59:ac:e4:f7:4e:f7:55:ce:da:1c:9c:5e:
+ 35:a8:d5:41:47:09:e0:df:7d:75:7e:8e:41:2c:93:34:bf:d2:
+ 5e:5b:15:15:05:02:4d:24:1e:c4:5b:03:52:ab:0a:ac:6d:72:
+ 00:3c:de:f9:0f:84:73:dc:b2:e6:52:6c:82:af:26:97:5a:58:
+ 50:89:a3:c7:d9:5d:a5:8a:3c:e0:e8:3e:63:eb:4f:ff:fd:45:
+ b2:ec:a1:fb:45:03:0f:37:d0:a1:8d:42:bf:23:91:66:2e:09:
+ 61:18:3e:5b:e7:b7:e4:6e:e0:2d:88:0d:c2:2a:e6:19:fa:35:
+ 05:0d:8b:a4:f3:fb:05:54:98:87:66:5a:a2:f3:56:b5:39:7c:
+ 1c:28:50:06:4a:3c:60:5a:e8:ec:19:4e:7e:cd:b1:56:5e:a3:
+ 4d:f8:6c:72
+-----BEGIN CERTIFICATE-----
+MIIDFDCCAfygAwIBAgIBAjANBgkqhkiG9w0BAQUFADAoMQ4wDAYDVQQKEwVYeVNT
+TDEWMBQGA1UEAxMNWHlTU0wgVGVzdCBDQTAeFw0wNzExMjkxOTUwMzhaFw0wOTEx
+MjgxOTUwMzhaMCQxDjAMBgNVBAoTBVh5U1NMMRIwEAYDVQQDEwlsb2NhbGhvc3Qw
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDM1FY4SebWf1Dn0gXImSUy
+RXHdHOFyPWiUwGjiLpWUhwNb/HBpxLOglOZxAhixAFu9kO4I0M0z0vteytbCWO3w
+UbdUrKSZIoujB7vXQRTeClqSnS0IHF+/m9wCu8LKBrjyjQRnUsqcOhWjujAvUQdN
+jGlcjJ9BVgPKtIi4zg/wKGcZ3UyWZI0cB7LGy1i/2StCOe0ogDBhIw6V1ycRb368
+vHtzAcOaVvvmroiolloPu6WxndVKdAAmaAg9Z5JJWKviagBFgzvh4+bHLMBAucpo
+C6SPum1Tr296V4RP2LCuDM4jGyUyE7Y6l3TKryyWdjSyJG45RRPsvhbbuEFxBgDt
+AgMBAAGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFLGw6jGdXE8Af80NH3ipGF2W
+3qqxMB8GA1UdIwQYMBaAFPJnsV1fUV7aUYnp2elryouvpS5pMA0GCSqGSIb3DQEB
+BQUAA4IBAQArn133jEKJRdkZb9GHccd07BPBw31RtW3D+PTMitU77lkOC7i/f6NK
+acvqVPxYmDQFCmKqc2HyFYwgk2ELn/1k0X2Hs+VDG3E2tEyxGTgENef2UuU80KUt
+VZmeW9/VYGxZrOT3TvdVztocnF41qNVBRwng3311fo5BLJM0v9JeWxUVBQJNJB7E
+WwNSqwqsbXIAPN75D4Rz3LLmUmyCryaXWlhQiaPH2V2lijzg6D5j60///UWy7KH7
+RQMPN9ChjUK/I5FmLglhGD5b57fkbuAtiA3CKuYZ+jUFDYuk8/sFVJiHZlqi81a1
+OXwcKFAGSjxgWujsGU5+zbFWXqNN+Gxy
+-----END CERTIFICATE-----
diff --git a/programs/ssl/test-ca/server2.key b/programs/ssl/test-ca/server2.key
new file mode 100644
index 0000000..72a355c
--- /dev/null
+++ b/programs/ssl/test-ca/server2.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAzNRWOEnm1n9Q59IFyJklMkVx3Rzhcj1olMBo4i6VlIcDW/xw
+acSzoJTmcQIYsQBbvZDuCNDNM9L7XsrWwljt8FG3VKykmSKLowe710EU3gpakp0t
+CBxfv5vcArvCyga48o0EZ1LKnDoVo7owL1EHTYxpXIyfQVYDyrSIuM4P8ChnGd1M
+lmSNHAeyxstYv9krQjntKIAwYSMOldcnEW9+vLx7cwHDmlb75q6IqJZaD7ulsZ3V
+SnQAJmgIPWeSSVir4moARYM74ePmxyzAQLnKaAukj7ptU69veleET9iwrgzOIxsl
+MhO2Opd0yq8slnY0siRuOUUT7L4W27hBcQYA7QIDAQABAoIBAFSSyBbtzLZ8Uzek
+7GZrdYRQUDdwGVZGLMxete/ONEzjgmuUzAWgBlsjoBLBPti2wSqAkQhqzo+7abc2
+IX6VoYk89Gmt7zibnvRt2Q2D/c3AkK1A4LscnBxNioZGaKNqKytbNppDAQ2Ini7A
+Tez7k/xdIZPpLEiZ727fJCTKUKJkDhY0WlxFT4btMLJNZ4SyW6HGO+hKFzxdAtur
+QoNQcWfy2FBICPeI4ZopVyMUaR3skIUJQWDAi2dqSkSevoD67o4/fF4nDxs7DZWV
+ZQV6/WQ3IZHgTFc15g5qI1693ttmggytXXY2Kp41qOzGFNyrAgfj5IZef8SME2cJ
+bp/6QIECgYEA/0TWDUd6u7Z1vRRPqzXQtmGfsLry+0nYd1Q0/IvPwsVDtLxaXGcl
+rkhqVgxY7vP4rzU1PvjNEWKtWlD+qpv+OK7nVWeGVlmeb0ZEb+mz+qNm0inum64k
+VEYDQadVX3UHLP+Uquv7iUowtrOrPrRVkFdoo7S8dzIRuU3ONkLvXeUCgYEAzWqE
+sAh+KOw0YWZdAj9HFOjCOA1gaDrcQF13Cyoh3ZEIFK0J7nNkh8CZVFx7D5W1u6B0
+fAmoolMO3I4PfjbuwayMELjLdpii7a10/DC6BmtVCM3+sfpJtB7LmL13MVkPpNEv
+4BKFADTaxhbflemydXqUA/Cx4KBf7OhZK16+pmkCgYA9Kul/1Rj70gT0geF1TTft
+/Aaf+qwuuss8DNmFipsGOO64aEneynilAoU4iUzmNV/p2/4eUNAS0mpnsfDUQPzx
+6DdWp6/xERh94YCUsJOIA4+n3JRoiZn696vgF5DFhu1pQvUE3/cuNrDllrf6FoxK
+Qie40p42kbDdjl9TcUaaYQKBgAdfO0PWCjENyRN1yQC7pKFreQzp7fvPoPfuYsdT
+y8NX4SJc025rVcBJeTc92mzEwrDpIUUSU6r/sBjaQFQXRJpOxvgSqbqn37EH+JrU
+ZNi2IWcffXSFtv9v236vzgdHWvhfSYiRIZTQUMmrKHsI2A6/R3CcwsV8+/RUol6c
+F9uBAoGBAOV3xH5x9nVEecWO0vGC3/kTPYgox5pLEhCv298LcYRVgft7ajZS7C9A
+/inksiXGKtIuv6jCGbQULuzBdCGOQfAOInQ9HstX01cC+kJqTdb7/g8e/qWNAaIU
+/SyXap7wY6Nw0VloTBNmaEo4ZErRl1ytzbYCSa9VZrzOPIl8LUMn
+-----END RSA PRIVATE KEY-----
diff --git a/programs/ssl/test-ca/sslconf.txt b/programs/ssl/test-ca/sslconf.txt
new file mode 100644
index 0000000..f468f1f
--- /dev/null
+++ b/programs/ssl/test-ca/sslconf.txt
@@ -0,0 +1,60 @@
+##================================================================
+##============== Example OpenSSL configuration file ==============
+##================================================================
+
+# References:
+#
+# /etc/ssl/openssl.conf
+# http://www.openssl.org/docs/apps/config.html
+# http://www.openssl.org/docs/apps/x509v3_config.html
+
+[ ca ]
+default_ca = my_ca
+
+[ my_ca ]
+certificate = test-ca.crt
+private_key = test-ca.key
+database = index
+serial = serial
+
+new_certs_dir = newcerts
+default_crl_days = 60
+default_days = 730
+default_md = sha1
+policy = my_policy
+x509_extensions = v3_usr
+
+[ my_policy ]
+countryName = optional
+stateOrProvinceName = optional
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+[ req ]
+distinguished_name = my_req_dn
+x509_extensions = v3_ca
+
+[ my_req_dn ]
+countryName = Country Name..............
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = State or Province Name....
+localityName = Locality Name.............
+0.organizationName = Organization Name.........
+organizationalUnitName = Org. Unit Name............
+commonName = Common Name (required)....
+commonName_max = 64
+emailAddress = Email Address.............
+emailAddress_max = 64
+
+[ v3_ca ]
+basicConstraints = CA:TRUE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+
+[ v3_usr ]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
diff --git a/programs/ssl/test-ca/test-ca.crt b/programs/ssl/test-ca/test-ca.crt
new file mode 100644
index 0000000..54b3d11
--- /dev/null
+++ b/programs/ssl/test-ca/test-ca.crt
@@ -0,0 +1,79 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 0 (0x0)
+ Signature Algorithm: sha1WithRSAEncryption
+ Issuer: O=XySSL, CN=XySSL Test CA
+ Validity
+ Not Before: Nov 29 19:49:14 2007 GMT
+ Not After : Nov 29 19:49:14 2017 GMT
+ Subject: O=XySSL, CN=XySSL Test CA
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ RSA Public Key: (2048 bit)
+ Modulus (2048 bit):
+ 00:d1:f4:8c:48:85:e1:15:a8:92:f4:43:e4:e4:f8:
+ ee:e7:63:bb:0a:50:39:09:0b:2f:09:be:4c:da:9d:
+ f9:30:40:03:76:27:94:db:73:8a:af:77:bf:73:3a:
+ e2:a5:9b:aa:0d:fd:26:b3:d1:37:98:e8:bc:21:82:
+ 86:17:92:90:bf:4d:d1:73:95:f4:a3:a8:07:be:51:
+ 15:2a:40:3b:29:d7:43:c0:f3:5e:1c:4a:37:34:f3:
+ 34:1f:06:d3:73:8a:4f:80:a1:e7:74:03:e3:b5:77:
+ 1f:63:54:ef:9b:9b:65:6b:d3:b5:0f:5f:6a:85:dc:
+ ea:4f:5b:19:59:4d:e1:29:f5:ac:a7:8d:32:b3:83:
+ 0c:7f:f5:7d:44:ba:d4:82:ed:23:be:ae:51:c5:a8:
+ 57:1d:d9:53:f0:33:2f:36:3c:21:2c:cc:18:c4:6b:
+ 4f:57:ad:03:1e:80:92:a7:c8:15:8d:1c:e0:03:18:
+ ae:d9:08:06:45:9a:af:72:68:f7:02:69:e6:01:e7:
+ 91:34:5f:ba:e7:7d:2e:4f:79:d7:c4:39:52:cc:3b:
+ dc:8d:d9:2f:f3:67:94:5e:ed:3a:f8:1e:ad:39:e1:
+ b4:df:f0:fb:5c:4d:4e:98:62:ac:5d:e5:45:ae:3a:
+ b4:1a:a7:07:bd:40:c4:43:ba:64:58:c3:a0:e1:5b:
+ 93:77
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ F2:67:B1:5D:5F:51:5E:DA:51:89:E9:D9:E9:6B:CA:8B:AF:A5:2E:69
+ X509v3 Authority Key Identifier:
+ keyid:F2:67:B1:5D:5F:51:5E:DA:51:89:E9:D9:E9:6B:CA:8B:AF:A5:2E:69
+ DirName:/O=XySSL/CN=XySSL Test CA
+ serial:00
+
+ Signature Algorithm: sha1WithRSAEncryption
+ 30:cf:17:9e:93:3b:0d:ec:3a:37:c3:fe:66:b2:eb:92:56:a4:
+ da:f6:c7:b1:95:e6:a5:a1:88:e5:b3:fd:d7:a3:ae:48:44:89:
+ 4b:3e:ad:70:24:93:c8:5f:88:86:b0:c5:89:75:d7:14:86:9d:
+ af:66:d5:1c:de:cb:1d:45:12:fd:ba:61:61:a3:f0:f8:fa:8b:
+ 12:2e:b2:75:62:8c:93:71:37:04:ba:ce:5e:0d:eb:bd:c2:41:
+ b5:d9:59:c8:d0:09:32:c4:58:bb:71:8d:0c:78:ee:b1:b0:9a:
+ f1:5c:05:49:79:82:84:bf:c2:19:fa:43:4b:e7:40:0a:20:86:
+ 58:2d:a8:6e:9d:d4:16:d8:e8:88:5f:84:59:0b:fb:50:8b:40:
+ 7d:7b:8a:e5:27:5d:c6:1c:51:3c:86:50:8f:22:1a:fa:c4:9b:
+ c2:84:68:9f:7d:96:15:47:94:de:3a:5c:cf:33:45:ba:92:44:
+ 46:9c:a1:f5:42:4a:db:c1:e5:27:2a:1f:9f:cc:28:4c:94:53:
+ e6:b4:c6:0f:db:f5:65:19:e6:75:f2:ec:10:d1:99:27:94:9a:
+ fc:a1:0c:31:11:a8:28:4c:4c:88:10:58:60:05:83:33:e2:a9:
+ 26:2d:5e:24:a5:76:63:12:23:4f:f1:6a:60:bd:38:fa:65:f4:
+ a9:da:f1:75
+-----BEGIN CERTIFICATE-----
+MIIDTTCCAjWgAwIBAgIBADANBgkqhkiG9w0BAQUFADAoMQ4wDAYDVQQKEwVYeVNT
+TDEWMBQGA1UEAxMNWHlTU0wgVGVzdCBDQTAeFw0wNzExMjkxOTQ5MTRaFw0xNzEx
+MjkxOTQ5MTRaMCgxDjAMBgNVBAoTBVh5U1NMMRYwFAYDVQQDEw1YeVNTTCBUZXN0
+IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0fSMSIXhFaiS9EPk
+5Pju52O7ClA5CQsvCb5M2p35MEADdieU23OKr3e/czripZuqDf0ms9E3mOi8IYKG
+F5KQv03Rc5X0o6gHvlEVKkA7KddDwPNeHEo3NPM0HwbTc4pPgKHndAPjtXcfY1Tv
+m5tla9O1D19qhdzqT1sZWU3hKfWsp40ys4MMf/V9RLrUgu0jvq5RxahXHdlT8DMv
+NjwhLMwYxGtPV60DHoCSp8gVjRzgAxiu2QgGRZqvcmj3AmnmAeeRNF+6530uT3nX
+xDlSzDvcjdkv82eUXu06+B6tOeG03/D7XE1OmGKsXeVFrjq0GqcHvUDEQ7pkWMOg
+4VuTdwIDAQABo4GBMH8wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU8mexXV9RXtpR
+ienZ6WvKi6+lLmkwUAYDVR0jBEkwR4AU8mexXV9RXtpRienZ6WvKi6+lLmmhLKQq
+MCgxDjAMBgNVBAoTBVh5U1NMMRYwFAYDVQQDEw1YeVNTTCBUZXN0IENBggEAMA0G
+CSqGSIb3DQEBBQUAA4IBAQAwzxeekzsN7Do3w/5msuuSVqTa9sexlealoYjls/3X
+o65IRIlLPq1wJJPIX4iGsMWJddcUhp2vZtUc3ssdRRL9umFho/D4+osSLrJ1YoyT
+cTcEus5eDeu9wkG12VnI0AkyxFi7cY0MeO6xsJrxXAVJeYKEv8IZ+kNL50AKIIZY
+LahundQW2OiIX4RZC/tQi0B9e4rlJ13GHFE8hlCPIhr6xJvChGiffZYVR5TeOlzP
+M0W6kkRGnKH1QkrbweUnKh+fzChMlFPmtMYP2/VlGeZ18uwQ0ZknlJr8oQwxEago
+TEyIEFhgBYMz4qkmLV4kpXZjEiNP8WpgvTj6ZfSp2vF1
+-----END CERTIFICATE-----
diff --git a/programs/ssl/test-ca/test-ca.key b/programs/ssl/test-ca/test-ca.key
new file mode 100644
index 0000000..7814b49
--- /dev/null
+++ b/programs/ssl/test-ca/test-ca.key
@@ -0,0 +1,30 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,FED222215EA5FD24
+
+jP877McdF++j3XBbkQtSyNc4W8dQ4oueOHs5oLN04HDgg3brbfvm0m5GyZCmMa3C
+B9rp2BqX9agR7zfzPVi3c9DS/piYFi26gaDCwucsBq6jPTFuICAJYnMaXRmZPrvz
+DPzlL5hrDOVpDWJl5l2Vv3T1Ag4CtEFaP6DRcfwGNyUeN8P6Api2i/XmIXNv47gl
+QsVNQx/rL+veOj/ayFB084CbxzlOX6STMsL/TVPuFjP4vvBTyVBeseFRWAw97bog
+nrphjK6eOBMnF25XbF+cg5vzagPsPYh/3wOuZfLFAwcKrTm8KM493xYRacBmRcon
+CjUrxAoo7QmdTSBBzd4kRalNS+Mj9QaIqgFBZSFCieYgezU4603GTPpYKDIf993P
+xHTqGMln78Uk+JT95MdfUWojk/rPaJ5XprLaOkhnAPEeTcYwH5kYsbmn3tBfpfdM
+i4sW6ISDcBLDHvM9JEbUCaCcPP8fIiNwACrZg25RBmMAx+ZdQ6fQpiQ/K2KmByyl
+01Vh5VC+mnUQ2W/Gkp5G6SS/ROkbTwQIJhzAAZodK+818x6lz2rRg5srEEWi1RWp
+l3043nNcSMdmxJ6Bcd/ErxWeWa5P8rk4UlapJQF4f9Z6JxAj9kds+gBF4OMf9WvB
+d6v2I6u3kX/iwXN/SLTF3yrDPIhIyQsJT06UuoXtKJz4vu/IjY2lMK1DFeF/dq9s
+kKyqZ9NyimiuxTV8O2dZe0xjk60XDh1vkHmhfnwAMV8XHRqjclgYdcZgQM1+Ze50
+scLx3PmqwWlLZ6rYMkeM/ekiLmPknz37/w3Gns2pwHNIClIimH4zkkxSOCXXH+9i
+gVgjtcj9nhf8MpJIaNYA7Q2hm9kfA2Vul2EAR8auv1str41haCMrkVLm6c/eomJP
+ScLCRr61DGYM4n084enkiWG6iyIwLcZ7ocTTzuxKUKWr34+JQy4Ex11tVbAicPmE
+7Mz3JTsuR9b2tXrLQaNh7PlXtbs56vcXqQ4ScaJu58kcGiAdDZkeKRyo0ibeer+e
+qd1VGMhrI0St5OJOxMusRJT+hljOf4k96OugI2t39BWN8fQVLAKWYLJZDkDq2kSl
+y/Hz1iKxV01M60luHDAoj3AhsN9p7IocV9jPzk+jxXVqjAzJawl4xyBRPlS/2bSw
+rOe+ZgKdzhlUR9OoU4/ZiGu35XJHZPZf2rxLAhXfgnAT+3A9Ft/WVXp/d9N4hJuU
+Qz1Ln6HyohjMOcPjrz70OXrq7kra4Cevs7rmK773LxDtw+pPfDWMasuy9lSeIulR
++riSNLrffYWXGPINnhVhqmyj6SwcKZUY/eosEwvorWAC5krt+juVzJjKTOzczTvX
+ETQCSXmLG5M+oiiYzH0zqLVUkqHvW4flNYsvkQw4V2BLarzwMNq2lF35WAU6VA9J
+bYw/3iAl7zZEJuE7+e5ObL/sWt6GwFf78QVMgsKonoxtDQ4B7DjVGw/WTKlon9fV
+4jSZhlw81nX5GhnvrnkYhiD2Y+6ZEzcUIoB4WjzBLQ2B4rf6jy686Tl52yuydZpU
+s10dX8yDbqUPBkzi3uvocFOKZd80hHq+3cy4IKP40fB1fwUcQlAj2bKgOPYg+oGB
+-----END RSA PRIVATE KEY-----
diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c
new file mode 100644
index 0000000..9869cc4
--- /dev/null
+++ b/programs/test/benchmark.c
@@ -0,0 +1,253 @@
+/*
+ * Benchmark demonstration program
+ *
+ * Copyright (C) 2006-2007 Christophe Devine
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _CRT_SECURE_NO_DEPRECATE
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#include "xyssl/config.h"
+
+#include "xyssl/md4.h"
+#include "xyssl/md5.h"
+#include "xyssl/sha1.h"
+#include "xyssl/sha2.h"
+#include "xyssl/arc4.h"
+#include "xyssl/des.h"
+#include "xyssl/aes.h"
+#include "xyssl/rsa.h"
+#include "xyssl/timing.h"
+
+#define BUFSIZE 1024
+
+static int myrand( void *rng_state )
+{
+ if( rng_state != NULL )
+ rng_state = NULL;
+
+ return( rand() );
+}
+
+unsigned char buf[BUFSIZE];
+
+int main( void )
+{
+ int keysize;
+ unsigned long i, j, tsc;
+ unsigned char tmp[32];
+#if defined(XYSSL_ARC4_C)
+ arc4_context arc4;
+#endif
+#if defined(XYSSL_DES_C)
+ des3_context des3;
+ des_context des;
+#endif
+#if defined(XYSSL_AES_C)
+ aes_context aes;
+#endif
+#if defined(XYSSL_RSA_C)
+ rsa_context rsa;
+#endif
+
+ memset( buf, 0xAA, sizeof( buf ) );
+
+ printf( "\n" );
+
+#if defined(XYSSL_MD4_C)
+ printf( " MD4 : " );
+ fflush( stdout );
+
+ set_alarm( 1 );
+ for( i = 1; ! alarmed; i++ )
+ md4( buf, BUFSIZE, tmp );
+
+ tsc = hardclock();
+ for( j = 0; j < 1024; j++ )
+ md4( buf, BUFSIZE, tmp );
+
+ printf( "%9lu Kb/s, %9lu cycles/byte\n", i * BUFSIZE / 1024,
+ ( hardclock() - tsc ) / ( j * BUFSIZE ) );
+#endif
+
+#if defined(XYSSL_MD5_C)
+ printf( " MD5 : " );
+ fflush( stdout );
+
+ set_alarm( 1 );
+ for( i = 1; ! alarmed; i++ )
+ md5( buf, BUFSIZE, tmp );
+
+ tsc = hardclock();
+ for( j = 0; j < 1024; j++ )
+ md5( buf, BUFSIZE, tmp );
+
+ printf( "%9lu Kb/s, %9lu cycles/byte\n", i * BUFSIZE / 1024,
+ ( hardclock() - tsc ) / ( j * BUFSIZE ) );
+#endif
+
+#if defined(XYSSL_SHA1_C)
+ printf( " SHA-1 : " );
+ fflush( stdout );
+
+ set_alarm( 1 );
+ for( i = 1; ! alarmed; i++ )
+ sha1( buf, BUFSIZE, tmp );
+
+ tsc = hardclock();
+ for( j = 0; j < 1024; j++ )
+ sha1( buf, BUFSIZE, tmp );
+
+ printf( "%9lu Kb/s, %9lu cycles/byte\n", i * BUFSIZE / 1024,
+ ( hardclock() - tsc ) / ( j * BUFSIZE ) );
+#endif
+
+#if defined(XYSSL_SHA2_C)
+ printf( " SHA-256 : " );
+ fflush( stdout );
+
+ set_alarm( 1 );
+ for( i = 1; ! alarmed; i++ )
+ sha2( buf, BUFSIZE, tmp, 0 );
+
+ tsc = hardclock();
+ for( j = 0; j < 1024; j++ )
+ sha2( buf, BUFSIZE, tmp, 0 );
+
+ printf( "%9lu Kb/s, %9lu cycles/byte\n", i * BUFSIZE / 1024,
+ ( hardclock() - tsc ) / ( j * BUFSIZE ) );
+#endif
+
+#if defined(XYSSL_ARC4_C)
+ printf( " ARC4 : " );
+ fflush( stdout );
+
+ arc4_setup( &arc4, tmp, 32 );
+
+ set_alarm( 1 );
+ for( i = 1; ! alarmed; i++ )
+ arc4_crypt( &arc4, buf, BUFSIZE );
+
+ tsc = hardclock();
+ for( j = 0; j < 1024; j++ )
+ arc4_crypt( &arc4, buf, BUFSIZE );
+
+ printf( "%9lu Kb/s, %9lu cycles/byte\n", i * BUFSIZE / 1024,
+ ( hardclock() - tsc ) / ( j * BUFSIZE ) );
+#endif
+
+#if defined(XYSSL_DES_C)
+ printf( " 3DES : " );
+ fflush( stdout );
+
+ des3_set3key_enc( &des3, tmp );
+
+ set_alarm( 1 );
+ for( i = 1; ! alarmed; i++ )
+ des3_crypt_cbc( &des3, DES_ENCRYPT, BUFSIZE, tmp, buf, buf );
+
+ tsc = hardclock();
+ for( j = 0; j < 1024; j++ )
+ des3_crypt_cbc( &des3, DES_ENCRYPT, BUFSIZE, tmp, buf, buf );
+
+ printf( "%9lu Kb/s, %9lu cycles/byte\n", i * BUFSIZE / 1024,
+ ( hardclock() - tsc ) / ( j * BUFSIZE ) );
+
+ printf( " DES : " );
+ fflush( stdout );
+
+ des_setkey_enc( &des, tmp );
+
+ set_alarm( 1 );
+ for( i = 1; ! alarmed; i++ )
+ des_crypt_cbc( &des, DES_ENCRYPT, BUFSIZE, tmp, buf, buf );
+
+ tsc = hardclock();
+ for( j = 0; j < 1024; j++ )
+ des_crypt_cbc( &des, DES_ENCRYPT, BUFSIZE, tmp, buf, buf );
+
+ printf( "%9lu Kb/s, %9lu cycles/byte\n", i * BUFSIZE / 1024,
+ ( hardclock() - tsc ) / ( j * BUFSIZE ) );
+#endif
+
+#if defined(XYSSL_AES_C)
+ for( keysize = 128; keysize <= 256; keysize += 64 )
+ {
+ printf( " AES-%d : ", keysize );
+ fflush( stdout );
+
+ memset( buf, 0, sizeof( buf ) );
+ memset( tmp, 0, sizeof( tmp ) );
+ aes_setkey_enc( &aes, tmp, keysize );
+
+ set_alarm( 1 );
+
+ for( i = 1; ! alarmed; i++ )
+ aes_crypt_cbc( &aes, AES_ENCRYPT, BUFSIZE, tmp, buf, buf );
+
+ tsc = hardclock();
+ for( j = 0; j < 4096; j++ )
+ aes_crypt_cbc( &aes, AES_ENCRYPT, BUFSIZE, tmp, buf, buf );
+
+ printf( "%9lu Kb/s, %9lu cycles/byte\n", i * BUFSIZE / 1024,
+ ( hardclock() - tsc ) / ( j * BUFSIZE ) );
+ }
+#endif
+
+#if defined(XYSSL_RSA_C)
+ rsa_init( &rsa, RSA_PKCS_V15, 0, myrand, NULL );
+ rsa_gen_key( &rsa, 1024, 65537 );
+
+ printf( " RSA-1024 : " );
+ fflush( stdout );
+ set_alarm( 3 );
+
+ for( i = 1; ! alarmed; i++ )
+ {
+ buf[0] = 0;
+ rsa_public( &rsa, buf, buf );
+ }
+
+ printf( "%9lu public/s\n", i / 3 );
+
+ printf( " RSA-1024 : " );
+ fflush( stdout );
+ set_alarm( 3 );
+
+ for( i = 1; ! alarmed; i++ )
+ {
+ buf[0] = 0;
+ rsa_private( &rsa, buf, buf );
+ }
+
+ printf( "%9lu private/s\n\n", i / 3 );
+
+ rsa_free( &rsa );
+#endif
+
+#ifdef WIN32
+ printf( " Press Enter to exit this program.\n" );
+ fflush( stdout ); getchar();
+#endif
+
+ return( 0 );
+}
diff --git a/programs/test/selftest.c b/programs/test/selftest.c
new file mode 100644
index 0000000..6fc0e1f
--- /dev/null
+++ b/programs/test/selftest.c
@@ -0,0 +1,131 @@
+/*
+ * Self-test demonstration program
+ *
+ * Copyright (C) 2006-2007 Christophe Devine
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _CRT_SECURE_NO_DEPRECATE
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+#include <string.h>
+#include <stdio.h>
+
+#include "xyssl/config.h"
+
+#include "xyssl/md2.h"
+#include "xyssl/md4.h"
+#include "xyssl/md5.h"
+#include "xyssl/sha1.h"
+#include "xyssl/sha2.h"
+#include "xyssl/sha4.h"
+#include "xyssl/arc4.h"
+#include "xyssl/des.h"
+#include "xyssl/aes.h"
+#include "xyssl/base64.h"
+#include "xyssl/bignum.h"
+#include "xyssl/rsa.h"
+#include "xyssl/x509.h"
+
+int main( int argc, char *argv[] )
+{
+ int ret, v;
+
+ if( argc == 2 && strcmp( argv[1], "-quiet" ) == 0 )
+ v = 0;
+ else
+ {
+ v = 1;
+ printf( "\n" );
+ }
+
+#if defined(XYSSL_MD2_C)
+ if( ( ret = md2_self_test( v ) ) != 0 )
+ return( ret );
+#endif
+
+#if defined(XYSSL_MD4_C)
+ if( ( ret = md4_self_test( v ) ) != 0 )
+ return( ret );
+#endif
+
+#if defined(XYSSL_MD5_C)
+ if( ( ret = md5_self_test( v ) ) != 0 )
+ return( ret );
+#endif
+
+#if defined(XYSSL_SHA1_C)
+ if( ( ret = sha1_self_test( v ) ) != 0 )
+ return( ret );
+#endif
+
+#if defined(XYSSL_SHA2_C)
+ if( ( ret = sha2_self_test( v ) ) != 0 )
+ return( ret );
+#endif
+
+#if defined(XYSSL_SHA4_C)
+ if( ( ret = sha4_self_test( v ) ) != 0 )
+ return( ret );
+#endif
+
+#if defined(XYSSL_ARC4_C)
+ if( ( ret = arc4_self_test( v ) ) != 0 )
+ return( ret );
+#endif
+
+#if defined(XYSSL_DES_C)
+ if( ( ret = des_self_test( v ) ) != 0 )
+ return( ret );
+#endif
+
+#if defined(XYSSL_AES_C)
+ if( ( ret = aes_self_test( v ) ) != 0 )
+ return( ret );
+#endif
+
+#if defined(XYSSL_BASE64_C)
+ if( ( ret = base64_self_test( v ) ) != 0 )
+ return( ret );
+#endif
+
+#if defined(XYSSL_BIGNUM_C)
+ if( ( ret = mpi_self_test( v ) ) != 0 )
+ return( ret );
+#endif
+
+#if defined(XYSSL_RSA_C)
+ if( ( ret = rsa_self_test( v ) ) != 0 )
+ return( ret );
+#endif
+
+#if defined(XYSSL_X509_C)
+ if( ( ret = x509_self_test( v ) ) != 0 )
+ return( ret );
+#endif
+
+ if( v != 0 )
+ {
+ printf( " [ All tests passed ]\n\n" );
+#ifdef WIN32
+ printf( " Press Enter to exit this program.\n" );
+ fflush( stdout ); getchar();
+#endif
+ }
+
+ return( ret );
+}
diff --git a/programs/test/ssl_test.c b/programs/test/ssl_test.c
new file mode 100644
index 0000000..44ff7d8
--- /dev/null
+++ b/programs/test/ssl_test.c
@@ -0,0 +1,580 @@
+/*
+ * SSL/TLS stress testing program
+ *
+ * Copyright (C) 2006-2007 Christophe Devine
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef _CRT_SECURE_NO_DEPRECATE
+#define _CRT_SECURE_NO_DEPRECATE 1
+#endif
+
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#include "xyssl/net.h"
+#include "xyssl/ssl.h"
+#include "xyssl/havege.h"
+#include "xyssl/timing.h"
+#include "xyssl/certs.h"
+
+#define OPMODE_NONE 0
+#define OPMODE_CLIENT 1
+#define OPMODE_SERVER 2
+
+#define IOMODE_BLOCK 0
+#define IOMODE_NONBLOCK 1
+
+#define COMMAND_READ 1
+#define COMMAND_WRITE 2
+#define COMMAND_BOTH 3
+
+#define DFL_OPMODE OPMODE_NONE
+#define DFL_IOMODE IOMODE_BLOCK
+#define DFL_SERVER_NAME "localhost"
+#define DFL_SERVER_PORT 4433
+#define DFL_COMMAND COMMAND_READ
+#define DFL_BUFFER_SIZE 1024
+#define DFL_MAX_BYTES 0
+#define DFL_DEBUG_LEVEL 0
+#define DFL_CONN_TIMEOUT 0
+#define DFL_MAX_CONNECTIONS 0
+#define DFL_SESSION_REUSE 1
+#define DFL_SESSION_LIFETIME 86400
+#define DFL_FORCE_CIPHER 0
+
+/*
+ * server-specific data
+ */
+char *dhm_G = "4";
+char *dhm_P =
+"E4004C1F94182000103D883A448B3F802CE4B44A83301270002C20D0321CFD00" \
+"11CCEF784C26A400F43DFB901BCA7538F2C6B176001CF5A0FD16D2C48B1D0C1C" \
+"F6AC8E1DA6BCC3B4E1F96B0564965300FFA1D0B601EB2800F489AA512C4B248C" \
+"01F76949A60BB7F00A40B1EAB64BDD48E8A700D60B7F1200FA8E77B0A979DABF";
+
+int server_fd = -1;
+
+/*
+ * global options
+ */
+struct options
+{
+ int opmode; /* operation mode (client or server) */
+ int iomode; /* I/O mode (blocking or non-blocking) */
+ char *server_name; /* hostname of the server (client only) */
+ int server_port; /* port on which the ssl service runs */
+ int command; /* what to do: read or write operation */
+ int buffer_size; /* size of the send/receive buffer */
+ int max_bytes; /* max. # of bytes before a reconnect */
+ int debug_level; /* level of debugging */
+ int conn_timeout; /* max. delay before a reconnect */
+ int max_connections; /* max. number of reconnections */
+ int session_reuse; /* flag to reuse the keying material */
+ int session_lifetime; /* if reached, session data is expired */
+ int force_cipher[2]; /* protocol/cipher to use, or all */
+};
+
+/*
+ * Although this PRNG has good statistical properties (eg. passes
+ * DIEHARD), it is not cryptographically secure.
+ */
+unsigned long int lcppm5( unsigned long int *state )
+{
+ unsigned long int u, v;
+
+ u = v = state[4] ^ 1;
+ state[u & 3] ^= u;
+ u ^= (v << 12) ^ (v >> 12);
+ u ^= v * state[0]; v >>= 8;
+ u ^= v * state[1]; v >>= 8;
+ u ^= v * state[2]; v >>= 8;
+ u ^= v * state[3];
+ u &= 0xFFFFFFFF;
+ state[4] = u;
+
+ return( u );
+}
+
+void my_debug( void *ctx, int level, char *str )
+{
+ if( level < ((struct options *) ctx)->debug_level )
+ fprintf( stderr, "%s", str );
+}
+
+/*
+ * perform a single SSL connection
+ */
+static int ssl_test( struct options *opt )
+{
+ int ret, i;
+ int client_fd;
+ int bytes_to_read;
+ int bytes_to_write;
+ int offset_to_read;
+ int offset_to_write;
+
+ long int nb_read;
+ long int nb_written;
+
+ unsigned long read_state[5];
+ unsigned long write_state[5];
+
+ unsigned char *read_buf;
+ unsigned char *write_buf;
+
+ struct hr_time t;
+ havege_state hs;
+ ssl_context ssl;
+ ssl_session ssn;
+ x509_cert srvcert;
+ rsa_context rsa;
+
+ ret = 1;
+
+ havege_init( &hs );
+ get_timer( &t, 1 );
+
+ memset( read_state, 0, sizeof( read_state ) );
+ memset( write_state, 0, sizeof( write_state ) );
+
+ memset( &srvcert, 0, sizeof( x509_cert ) );
+ memset( &rsa, 0, sizeof( rsa_context ) );
+
+ if( opt->opmode == OPMODE_CLIENT )
+ {
+ if( ( ret = net_connect( &client_fd, opt->server_name,
+ opt->server_port ) ) != 0 )
+ {
+ printf( " ! net_connect returned %d\n\n", ret );
+ return( ret );
+ }
+
+ if( ( ret = ssl_init( &ssl ) ) != 0 )
+ {
+ printf( " ! ssl_init returned %d\n\n", ret );
+ return( ret );
+ }
+
+ ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
+ }
+
+ if( opt->opmode == OPMODE_SERVER )
+ {
+ ret = x509parse_crt( &srvcert, (unsigned char *) test_srv_crt,
+ strlen( test_srv_crt ) );
+ if( ret != 0 )
+ {
+ printf( " ! x509parse_crt returned %d\n\n", ret );
+ goto exit;
+ }
+
+ ret = x509parse_crt( &srvcert, (unsigned char *) test_ca_crt,
+ strlen( test_ca_crt ) );
+ if( ret != 0 )
+ {
+ printf( " ! x509parse_crt returned %d\n\n", ret );
+ goto exit;
+ }
+
+ ret = x509parse_key( &rsa, (unsigned char *) test_srv_key,
+ strlen( test_srv_key ), NULL, 0 );
+ if( ret != 0 )
+ {
+ printf( " ! x509parse_key returned %d\n\n", ret );
+ goto exit;
+ }
+
+ if( server_fd < 0 )
+ {
+ if( ( ret = net_bind( &server_fd, NULL,
+ opt->server_port ) ) != 0 )
+ {
+ printf( " ! net_bind returned %d\n\n", ret );
+ return( ret );
+ }
+ }
+
+ if( ( ret = net_accept( server_fd, &client_fd, NULL ) ) != 0 )
+ {
+ printf( " ! net_accept returned %d\n\n", ret );
+ return( ret );
+ }
+
+ if( ( ret = ssl_init( &ssl ) ) != 0 )
+ {
+ printf( " ! ssl_init returned %d\n\n", ret );
+ return( ret );
+ }
+
+ ssl_set_endpoint( &ssl, SSL_IS_SERVER );
+ ssl_set_dh_param( &ssl, dhm_P, dhm_G );
+ ssl_set_ca_chain( &ssl, srvcert.next, NULL );
+ ssl_set_own_cert( &ssl, &srvcert, &rsa );
+ }
+
+ ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
+
+ ssl_set_rng( &ssl, havege_rand, &hs );
+ ssl_set_dbg( &ssl, my_debug, opt );
+ ssl_set_bio( &ssl, net_recv, &client_fd,
+ net_send, &client_fd );
+
+ ssl_set_session( &ssl, opt->session_reuse,
+ opt->session_lifetime, &ssn );
+
+ if( opt->force_cipher[0] == DFL_FORCE_CIPHER )
+ ssl_set_ciphers( &ssl, ssl_default_ciphers );
+ else ssl_set_ciphers( &ssl, opt->force_cipher );
+
+ if( opt->iomode == IOMODE_NONBLOCK )
+ net_set_nonblock( client_fd );
+
+ read_buf = (unsigned char *) malloc( opt->buffer_size );
+ write_buf = (unsigned char *) malloc( opt->buffer_size );
+
+ if( read_buf == NULL || write_buf == NULL )
+ {
+ printf( " ! malloc(%d bytes) failed\n\n", opt->buffer_size );
+ goto exit;
+ }
+
+ nb_read = bytes_to_read = 0;
+ nb_written = bytes_to_write = 0;
+
+ while( 1 )
+ {
+ if( opt->command & COMMAND_WRITE )
+ {
+ if( bytes_to_write == 0 )
+ {
+ while( bytes_to_write == 0 )
+ bytes_to_write = rand() % opt->buffer_size;
+
+ for( i = 0; i < bytes_to_write; i++ )
+ write_buf[i] = (unsigned char) lcppm5( write_state );
+
+ offset_to_write = 0;
+ }
+
+ ret = ssl_write( &ssl, write_buf + offset_to_write,
+ bytes_to_write );
+
+ if( ret >= 0 )
+ {
+ nb_written += ret;
+ bytes_to_write -= ret;
+ offset_to_write += ret;
+ }
+
+ if( ret == XYSSL_ERR_SSL_PEER_CLOSE_NOTIFY ||
+ ret == XYSSL_ERR_NET_CONN_RESET )
+ {
+ ret = 0;
+ goto exit;
+ }
+
+ if( ret < 0 && ret != XYSSL_ERR_NET_TRY_AGAIN )
+ {
+ printf( " ! ssl_write returned %d\n\n", ret );
+ break;
+ }
+ }
+
+ if( opt->command & COMMAND_READ )
+ {
+ if( bytes_to_read == 0 )
+ {
+ bytes_to_read = rand() % opt->buffer_size;
+ offset_to_read = 0;
+ }
+
+ ret = ssl_read( &ssl, read_buf + offset_to_read,
+ bytes_to_read );
+
+ if( ret >= 0 )
+ {
+ for( i = 0; i < ret; i++ )
+ {
+ if( read_buf[offset_to_read + i] !=
+ (unsigned char) lcppm5( read_state ) )
+ {
+ ret = 1;
+ printf( " ! plaintext mismatch\n\n" );
+ goto exit;
+ }
+ }
+
+ nb_read += ret;
+ bytes_to_read -= ret;
+ offset_to_read += ret;
+ }
+
+ if( ret == XYSSL_ERR_SSL_PEER_CLOSE_NOTIFY ||
+ ret == XYSSL_ERR_NET_CONN_RESET )
+ {
+ ret = 0;
+ goto exit;
+ }
+
+ if( ret < 0 && ret != XYSSL_ERR_NET_TRY_AGAIN )
+ {
+ printf( " ! ssl_read returned %d\n\n", ret );
+ break;
+ }
+ }
+
+ ret = 0;
+
+ if( opt->max_bytes != 0 &&
+ ( opt->max_bytes <= nb_read ||
+ opt->max_bytes <= nb_written ) )
+ break;
+
+ if( opt->conn_timeout != 0 &&
+ opt->conn_timeout <= (int) get_timer( &t, 0 ) )
+ break;
+ }
+
+exit:
+
+ fflush( stdout );
+
+ if( read_buf != NULL )
+ free( read_buf );
+
+ if( write_buf != NULL )
+ free( write_buf );
+
+ ssl_close_notify( &ssl );
+ x509_free( &srvcert );
+ rsa_free( &rsa );
+ ssl_free( &ssl );
+ net_close( client_fd );
+
+ return( ret );
+}
+
+#define USAGE \
+ "\n usage: ssl_test opmode=<> command=<>...\n" \
+ "\n acceptable parameters:\n" \
+ " opmode=client/server default: <none>\n" \
+ " iomode=block/nonblock default: block\n" \
+ " server_name=%%s default: localhost\n" \
+ " server_port=%%d default: 4433\n" \
+ " command=read/write/both default: read\n" \
+ " buffer_size=%%d (bytes) default: 1024\n" \
+ " max_bytes=%%d (bytes) default: 0 (no limit)\n" \
+ " debug_level=%%d default: 0 (disabled)\n" \
+ " conn_timeout=%%d (ms) default: 0 (no timeout)\n" \
+ " max_connections=%%d default: 0 (no limit)\n" \
+ " session_reuse=on/off default: on (enabled)\n" \
+ " session_lifetime=%%d (s) default: 86400\n" \
+ " force_cipher=<name> default: all enabled\n" \
+ " acceptable cipher names:\n" \
+ " SSL_RSA_RC4_128_MD5 SSL_RSA_RC4_128_SHA\n" \
+ " SSL_RSA_DES_168_SHA SSL_EDH_RSA_DES_168_SHA\n" \
+ " SSL_RSA_AES_128_SHA SSL_EDH_RSA_AES_256_SHA\n" \
+ " SSL_RSA_AES_256_SHA\n\n"
+
+int main( int argc, char *argv[] )
+{
+ int i, j, n;
+ int ret = 1;
+ int nb_conn;
+ char *p, *q;
+ struct options opt;
+
+ if( argc == 1 )
+ {
+ usage:
+ printf( USAGE );
+ goto exit;
+ }
+
+ opt.opmode = DFL_OPMODE;
+ opt.iomode = DFL_IOMODE;
+ opt.server_name = DFL_SERVER_NAME;
+ opt.server_port = DFL_SERVER_PORT;
+ opt.command = DFL_COMMAND;
+ opt.buffer_size = DFL_BUFFER_SIZE;
+ opt.max_bytes = DFL_MAX_BYTES;
+ opt.debug_level = DFL_DEBUG_LEVEL;
+ opt.conn_timeout = DFL_CONN_TIMEOUT;
+ opt.max_connections = DFL_MAX_CONNECTIONS;
+ opt.session_reuse = DFL_SESSION_REUSE;
+ opt.session_lifetime = DFL_SESSION_LIFETIME;
+ opt.force_cipher[0] = DFL_FORCE_CIPHER;
+
+ for( i = 1; i < argc; i++ )
+ {
+ n = strlen( argv[i] );
+
+ for( j = 0; j < n; j++ )
+ {
+ if( argv[i][j] >= 'A' && argv[i][j] <= 'Z' )
+ argv[i][j] |= 0x20;
+ }
+
+ p = argv[i];
+ if( ( q = strchr( p, '=' ) ) == NULL )
+ continue;
+ *q++ = '\0';
+
+ if( strcmp( p, "opmode" ) == 0 )
+ {
+ if( strcmp( q, "client" ) == 0 )
+ opt.opmode = OPMODE_CLIENT;
+ else
+ if( strcmp( q, "server" ) == 0 )
+ opt.opmode = OPMODE_SERVER;
+ else goto usage;
+ }
+
+ if( strcmp( p, "iomode" ) == 0 )
+ {
+ if( strcmp( q, "block" ) == 0 )
+ opt.iomode = IOMODE_BLOCK;
+ else
+ if( strcmp( q, "nonblock" ) == 0 )
+ opt.iomode = IOMODE_NONBLOCK;
+ else goto usage;
+ }
+
+ if( strcmp( p, "server_name" ) == 0 )
+ opt.server_name = q;
+
+ if( strcmp( p, "server_port" ) == 0 )
+ {
+ opt.server_port = atoi( q );
+ if( opt.server_port < 1 || opt.server_port > 65535 )
+ goto usage;
+ }
+
+ if( strcmp( p, "command" ) == 0 )
+ {
+ if( strcmp( q, "read" ) == 0 )
+ opt.command = COMMAND_READ;
+ else
+ if( strcmp( q, "write" ) == 0 )
+ opt.command = COMMAND_WRITE;
+ else
+ if( strcmp( q, "both" ) == 0 )
+ {
+ opt.iomode = IOMODE_NONBLOCK;
+ opt.command = COMMAND_BOTH;
+ }
+ else goto usage;
+ }
+
+ if( strcmp( p, "buffer_size" ) == 0 )
+ {
+ opt.buffer_size = atoi( q );
+ if( opt.buffer_size < 1 || opt.buffer_size > 1048576 )
+ goto usage;
+ }
+
+ if( strcmp( p, "max_bytes" ) == 0 )
+ opt.max_bytes = atoi( q );
+
+ if( strcmp( p, "debug_level" ) == 0 )
+ opt.debug_level = atoi( q );
+
+ if( strcmp( p, "conn_timeout" ) == 0 )
+ opt.conn_timeout = atoi( q );
+
+ if( strcmp( p, "max_connections" ) == 0 )
+ opt.max_connections = atoi( q );
+
+ if( strcmp( p, "session_reuse" ) == 0 )
+ {
+ if( strcmp( q, "on" ) == 0 )
+ opt.session_reuse = 1;
+ else
+ if( strcmp( q, "off" ) == 0 )
+ opt.session_reuse = 0;
+ else
+ goto usage;
+ }
+
+ if( strcmp( p, "session_lifetime" ) == 0 )
+ opt.session_lifetime = atoi( q );
+
+ if( strcmp( p, "force_cipher" ) == 0 )
+ {
+ opt.force_cipher[0] = -1;
+
+ if( strcmp( q, "ssl_rsa_rc4_128_md5" ) == 0 )
+ opt.force_cipher[0] = SSL_RSA_RC4_128_MD5;
+
+ if( strcmp( q, "ssl_rsa_rc4_128_sha" ) == 0 )
+ opt.force_cipher[0] = SSL_RSA_RC4_128_SHA;
+
+ if( strcmp( q, "ssl_rsa_des_168_sha" ) == 0 )
+ opt.force_cipher[0] = SSL_RSA_DES_168_SHA;
+
+ if( strcmp( q, "ssl_edh_rsa_des_168_sha" ) == 0 )
+ opt.force_cipher[0] = SSL_EDH_RSA_DES_168_SHA;
+
+ if( strcmp( q, "ssl_rsa_aes_128_sha" ) == 0 )
+ opt.force_cipher[0] = SSL_RSA_AES_128_SHA;
+
+ if( strcmp( q, "ssl_rsa_aes_256_sha" ) == 0 )
+ opt.force_cipher[0] = SSL_RSA_AES_256_SHA;
+
+ if( strcmp( q, "ssl_edh_rsa_aes_256_sha" ) == 0 )
+ opt.force_cipher[0] = SSL_EDH_RSA_AES_256_SHA;
+
+ if( opt.force_cipher[0] < 0 )
+ goto usage;
+
+ opt.force_cipher[1] = 0;
+ }
+ }
+
+ switch( opt.opmode )
+ {
+ case OPMODE_CLIENT:
+ break;
+
+ case OPMODE_SERVER:
+ break;
+
+ default:
+ goto usage;
+ }
+
+ nb_conn = 0;
+
+ do {
+ nb_conn++;
+ ret = ssl_test( &opt );
+ if( opt.max_connections != 0 &&
+ opt.max_connections <= nb_conn )
+ break;
+ }
+ while( ret == 0 );
+
+exit:
+
+#ifdef WIN32
+ printf( " Press Enter to exit this program.\n" );
+ fflush( stdout ); getchar();
+#endif
+
+ return( ret );
+}