1 files changed, 516 insertions, 22 deletions
diff --git a/src/lib/libssl/src/ssl/ssltest.c b/src/lib/libssl/src/ssl/ssltest.c
index 28095148e7..02878981f1 100644
--- a/src/lib/libssl/src/ssl/ssltest.c
+++ b/src/lib/libssl/src/ssl/ssltest.c
@@ -119,6 +119,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <time.h>
+#include <ctype.h>
 #define USE_SOCKETS
 #include "e_os.h"
@@ -127,12 +128,14 @@
 #include <openssl/crypto.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 #include <openssl/ssl.h>
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
 #include <openssl/err.h>
 #include <openssl/rand.h>
+#include <openssl/fips.h>
 #define _XOPEN_SOURCE_EXTENDED  1 /* Or gethostname won't be declared properly
                                     on Compaq platforms (at least with DEC C).
@@ -168,8 +171,15 @@ static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
 static void free_tmp_rsa(void);
 #endif
 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
-#define APP_CALLBACK "Test Callback Argument"
+#define APP_CALLBACK_STRING "Test Callback Argument"
-static char *app_verify_arg = APP_CALLBACK;
+struct app_verify_arg
+        {
+        char *string;
+        int app_verify;
+        int allow_proxy_certs;
+        char *proxy_auth;
+        char *proxy_cond;
+        };
 #ifndef OPENSSL_NO_DH
 static DH *get_dh512(void);
@@ -198,8 +208,14 @@ static void sv_usage(void)
        {
        fprintf(stderr,"usage: ssltest [args ...]\n");
        fprintf(stderr,"\n");
+#ifdef OPENSSL_FIPS
+        fprintf(stderr,"-F             - run test in FIPS mode\n");
+#endif
        fprintf(stderr," -server_auth  - check server certificate\n");
        fprintf(stderr," -client_auth  - do client authentication\n");
+        fprintf(stderr," -proxy        - allow proxy certificates\n");
+        fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
+        fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
        fprintf(stderr," -v            - more output\n");
        fprintf(stderr," -d            - debug output\n");
        fprintf(stderr," -reuse        - use session-id reuse\n");
@@ -349,7 +365,8 @@ int main(int argc, char *argv[])
        int tls1=0,ssl2=0,ssl3=0,ret=1;
        int client_auth=0;
        int server_auth=0,i;
-        int app_verify=0;
+        struct app_verify_arg app_verify_arg =
+                { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
        char *server_cert=TEST_SERVER_CERT;
        char *server_key=NULL;
        char *client_cert=TEST_CLIENT_CERT;
@@ -369,6 +386,10 @@ int main(int argc, char *argv[])
        clock_t s_time = 0, c_time = 0;
        int comp = 0;
        COMP_METHOD *cm = NULL;
+#ifdef OPENSSL_FIPS
+        int fips_mode=0;
+        const char *path=argv[0];
+#endif
        verbose = 0;
        debug = 0;
@@ -400,10 +421,29 @@ int main(int argc, char *argv[])
        while (argc >= 1)
                {
-                if      (strcmp(*argv,"-server_auth") == 0)
+                if(!strcmp(*argv,"-F"))
+                        {
+#ifdef OPENSSL_FIPS
+                        fips_mode=1;
+#else
+                        fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
+                        EXIT(0);
+#endif
+                        }
+                else if (strcmp(*argv,"-server_auth") == 0)
                        server_auth=1;
                else if (strcmp(*argv,"-client_auth") == 0)
                        client_auth=1;
+                else if (strcmp(*argv,"-proxy_auth") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        app_verify_arg.proxy_auth= *(++argv);
+                        }
+                else if (strcmp(*argv,"-proxy_cond") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        app_verify_arg.proxy_cond= *(++argv);
+                        }
                else if (strcmp(*argv,"-v") == 0)
                        verbose=1;
                else if (strcmp(*argv,"-d") == 0)
@@ -516,7 +556,11 @@ int main(int argc, char *argv[])
                        }
                else if (strcmp(*argv,"-app_verify") == 0)
                        {
-                        app_verify = 1;
+                        app_verify_arg.app_verify = 1;
+                        }
+                else if (strcmp(*argv,"-proxy") == 0)
+                        {
+                        app_verify_arg.allow_proxy_certs = 1;
                        }
                else
                        {
@@ -534,6 +578,7 @@ bad:
                goto end;
                }
        if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
                {
                fprintf(stderr, "This case cannot work.  Use -f to perform "
@@ -543,6 +588,20 @@ bad:
                EXIT(1);
                }
+#ifdef OPENSSL_FIPS
+        if(fips_mode)
+                {
+                if(!FIPS_mode_set(1,path))
+                        {
+                        ERR_load_crypto_strings();
+                        ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+                        EXIT(1);
+                        }
+                else
+                        fprintf(stderr,"*** IN FIPS MODE ***\n");
+                }
+#endif
        if (print_time)
                {
                if (!bio_pair)
@@ -676,20 +735,14 @@ bad:
                SSL_CTX_set_verify(s_ctx,
                        SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                        verify_callback);
-                if (app_verify) 
+                SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
-                        {
-                        SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg);
-                        }
                }
        if (server_auth)
                {
                BIO_printf(bio_err,"server authentication\n");
                SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
                        verify_callback);
-                if (app_verify) 
+                SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
-                        {
-                        SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg);
-                        }
                }
        
        {
@@ -1471,6 +1524,22 @@ err:
        return(ret);
        }
+static int get_proxy_auth_ex_data_idx(void)
+        {
+        static volatile int idx = -1;
+        if (idx < 0)
+                {
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
+                if (idx < 0)
+                        {
+                        idx = X509_STORE_CTX_get_ex_new_index(0,
+                                "SSLtest for verify callback", NULL,NULL,NULL);
+                        }
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
+                }
+        return idx;
+        }
 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
        {
        char *s,buf[256];
@@ -1480,42 +1549,467 @@ static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
        if (s != NULL)
                {
                if (ok)
-                        fprintf(stderr,"depth=%d %s\n",ctx->error_depth,buf);
+                        fprintf(stderr,"depth=%d %s\n",
+                                ctx->error_depth,buf);
                else
+                        {
                        fprintf(stderr,"depth=%d error=%d %s\n",
                                ctx->error_depth,ctx->error,buf);
+                        }
                }
        if (ok == 0)
                {
+                fprintf(stderr,"Error string: %s\n",
+                        X509_verify_cert_error_string(ctx->error));
                switch (ctx->error)
                        {
                case X509_V_ERR_CERT_NOT_YET_VALID:
                case X509_V_ERR_CERT_HAS_EXPIRED:
                case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+                        fprintf(stderr,"  ... ignored.\n");
                        ok=1;
                        }
                }
+        if (ok == 1)
+                {
+                X509 *xs = ctx->current_cert;
+#if 0
+                X509 *xi = ctx->current_issuer;
+#endif
+                if (xs->ex_flags & EXFLAG_PROXY)
+                        {
+                        unsigned int *letters =
+                                X509_STORE_CTX_get_ex_data(ctx,
+                                        get_proxy_auth_ex_data_idx());
+                        if (letters)
+                                {
+                                int found_any = 0;
+                                int i;
+                                PROXY_CERT_INFO_EXTENSION *pci =
+                                        X509_get_ext_d2i(xs, NID_proxyCertInfo,
+                                                NULL, NULL);
+                                switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
+                                        {
+                                case NID_Independent:
+                                        /* Completely meaningless in this
+                                           program, as there's no way to
+                                           grant explicit rights to a
+                                           specific PrC.  Basically, using
+                                           id-ppl-Independent is the perfect
+                                           way to grant no rights at all. */
+                                        fprintf(stderr, "  Independent proxy certificate");
+                                        for (i = 0; i < 26; i++)
+                                                letters[i] = 0;
+                                        break;
+                                case NID_id_ppl_inheritAll:
+                                        /* This is basically a NOP, we
+                                           simply let the current rights
+                                           stand as they are. */
+                                        fprintf(stderr, "  Proxy certificate inherits all");
+                                        break;
+                                default:
+                                        s = (char *)
+                                                pci->proxyPolicy->policy->data;
+                                        i = pci->proxyPolicy->policy->length;
+                                        /* The algorithm works as follows:
+                                           it is assumed that previous
+                                           iterations or the initial granted
+                                           rights has already set some elements
+                                           of `letters'.  What we need to do is
+                                           to clear those that weren't granted
+                                           by the current PrC as well.  The
+                                           easiest way to do this is to add 1
+                                           to all the elements whose letters
+                                           are given with the current policy.
+                                           That way, all elements that are set
+                                           by the current policy and were
+                                           already set by earlier policies and
+                                           through the original grant of rights
+                                           will get the value 2 or higher.
+                                           The last thing to do is to sweep
+                                           through `letters' and keep the
+                                           elements having the value 2 as set,
+                                           and clear all the others. */
+                                        fprintf(stderr, "  Certificate proxy rights = %*.*s", i, i, s);
+                                        while(i-- > 0)
+                                                {
+                                                char c = *s++;
+                                                if (isascii(c) && isalpha(c))
+                                                        {
+                                                        if (islower(c))
+                                                                c = toupper(c);
+                                                        letters[c - 'A']++;
+                                                        }
+                                                }
+                                        for (i = 0; i < 26; i++)
+                                                if (letters[i] < 2)
+                                                        letters[i] = 0;
+                                                else
+                                                        letters[i] = 1;
+                                        }
+                                found_any = 0;
+                                fprintf(stderr,
+                                        ", resulting proxy rights = ");
+                                for(i = 0; i < 26; i++)
+                                        if (letters[i])
+                                                {
+                                                fprintf(stderr, "%c", i + 'A');
+                                                found_any = 1;
+                                                }
+                                if (!found_any)
+                                        fprintf(stderr, "none");
+                                fprintf(stderr, "\n");
+                                PROXY_CERT_INFO_EXTENSION_free(pci);
+                                }
+                        }
+                }
        return(ok);
        }
+static void process_proxy_debug(int indent, const char *format, ...)
+        {
+        static const char indentation[] =
+                ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
+                ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
+        char my_format[256];
+        va_list args;
+        BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
+                indent, indent, indentation, format);
+        va_start(args, format);
+        vfprintf(stderr, my_format, args);
+        va_end(args);
+        }
+/* Priority levels:
+   0    [!]var, ()
+   1    & ^
+   2    |
+*/
+static int process_proxy_cond_adders(unsigned int letters[26],
+        const char *cond, const char **cond_end, int *pos, int indent);
+static int process_proxy_cond_val(unsigned int letters[26],
+        const char *cond, const char **cond_end, int *pos, int indent)
+        {
+        char c;
+        int ok = 1;
+        int negate = 0;
+        while(isspace(*cond))
+                {
+                cond++; (*pos)++;
+                }
+        c = *cond;
+        if (debug)
+                process_proxy_debug(indent,
+                        "Start process_proxy_cond_val at position %d: %s\n",
+                        *pos, cond);
+        while(c == '!')
+                {
+                negate = !negate;
+                cond++; (*pos)++;
+                while(isspace(*cond))
+                        {
+                        cond++; (*pos)++;
+                        }
+                c = *cond;
+                }
+        if (c == '(')
+                {
+                cond++; (*pos)++;
+                ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
+                        indent + 1);
+                cond = *cond_end;
+                if (ok < 0)
+                        goto end;
+                while(isspace(*cond))
+                        {
+                        cond++; (*pos)++;
+                        }
+                c = *cond;
+                if (c != ')')
+                        {
+                        fprintf(stderr,
+                                "Weird condition character in position %d: "
+                                "%c\n", *pos, c);
+                        ok = -1;
+                        goto end;
+                        }
+                cond++; (*pos)++;
+                }
+        else if (isascii(c) && isalpha(c))
+                {
+                if (islower(c))
+                        c = toupper(c);
+                ok = letters[c - 'A'];
+                cond++; (*pos)++;
+                }
+        else
+                {
+                fprintf(stderr,
+                        "Weird condition character in position %d: "
+                        "%c\n", *pos, c);
+                ok = -1;
+                goto end;
+                }
+ end:
+        *cond_end = cond;
+        if (ok >= 0 && negate)
+                ok = !ok;
+        if (debug)
+                process_proxy_debug(indent,
+                        "End process_proxy_cond_val at position %d: %s, returning %d\n",
+                        *pos, cond, ok);
+        return ok;
+        }
+static int process_proxy_cond_multipliers(unsigned int letters[26],
+        const char *cond, const char **cond_end, int *pos, int indent)
+        {
+        int ok;
+        char c;
+        if (debug)
+                process_proxy_debug(indent,
+                        "Start process_proxy_cond_multipliers at position %d: %s\n",
+                        *pos, cond);
+        ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
+        cond = *cond_end;
+        if (ok < 0)
+                goto end;
+        while(ok >= 0)
+                {
+                while(isspace(*cond))
+                        {
+                        cond++; (*pos)++;
+                        }
+                c = *cond;
+                switch(c)
+                        {
+                case '&':
+                case '^':
+                        {
+                        int save_ok = ok;
+                        cond++; (*pos)++;
+                        ok = process_proxy_cond_val(letters,
+                                cond, cond_end, pos, indent + 1);
+                        cond = *cond_end;
+                        if (ok < 0)
+                                break;
+                        switch(c)
+                                {
+                        case '&':
+                                ok &= save_ok;
+                                break;
+                        case '^':
+                                ok ^= save_ok;
+                                break;
+                        default:
+                                fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
+                                        " STOPPING\n");
+                                EXIT(1);
+                                }
+                        }
+                        break;
+                default:
+                        goto end;
+                        }
+                }
+ end:
+        if (debug)
+                process_proxy_debug(indent,
+                        "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
+                        *pos, cond, ok);
+        *cond_end = cond;
+        return ok;
+        }
+static int process_proxy_cond_adders(unsigned int letters[26],
+        const char *cond, const char **cond_end, int *pos, int indent)
+        {
+        int ok;
+        char c;
+        if (debug)
+                process_proxy_debug(indent,
+                        "Start process_proxy_cond_adders at position %d: %s\n",
+                        *pos, cond);
+        ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
+                indent + 1);
+        cond = *cond_end;
+        if (ok < 0)
+                goto end;
+        while(ok >= 0)
+                {
+                while(isspace(*cond))
+                        {
+                        cond++; (*pos)++;
+                        }
+                c = *cond;
+                switch(c)
+                        {
+                case '|':
+                        {
+                        int save_ok = ok;
+                        cond++; (*pos)++;
+                        ok = process_proxy_cond_multipliers(letters,
+                                cond, cond_end, pos, indent + 1);
+                        cond = *cond_end;
+                        if (ok < 0)
+                                break;
+                        switch(c)
+                                {
+                        case '|':
+                                ok |= save_ok;
+                                break;
+                        default:
+                                fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
+                                        " STOPPING\n");
+                                EXIT(1);
+                                }
+                        }
+                        break;
+                default:
+                        goto end;
+                        }
+                }
+ end:
+        if (debug)
+                process_proxy_debug(indent,
+                        "End process_proxy_cond_adders at position %d: %s, returning %d\n",
+                        *pos, cond, ok);
+        *cond_end = cond;
+        return ok;
+        }
+static int process_proxy_cond(unsigned int letters[26],
+        const char *cond, const char **cond_end)
+        {
+        int pos = 1;
+        return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
+        }
 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
        {
-        char *s = NULL,buf[256];
        int ok=1;
+        struct app_verify_arg *cb_arg = arg;
+        unsigned int letters[26]; /* only used with proxy_auth */
-        fprintf(stderr, "In app_verify_callback, allowing cert. ");
+        if (cb_arg->app_verify)
-        fprintf(stderr, "Arg is: %s\n", (char *)arg);
-        fprintf(stderr, "Finished printing do we have a context? 0x%x a cert? 0x%x\n",
-                        (unsigned int)ctx, (unsigned int)ctx->cert);
-        if (ctx->cert)
-                s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
-        if (s != NULL)
                {
+                char *s = NULL,buf[256];
+                fprintf(stderr, "In app_verify_callback, allowing cert. ");
+                fprintf(stderr, "Arg is: %s\n", cb_arg->string);
+                fprintf(stderr, "Finished printing do we have a context? 0x%x a cert? 0x%x\n",
+                        (unsigned int)ctx, (unsigned int)ctx->cert);
+                if (ctx->cert)
+                        s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
+                if (s != NULL)
+                        {
                        fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
+                        }
+                return(1);
+                }
+        if (cb_arg->proxy_auth)
+                {
+                int found_any = 0, i;
+                char *sp;
+                for(i = 0; i < 26; i++)
+                        letters[i] = 0;
+                for(sp = cb_arg->proxy_auth; *sp; sp++)
+                        {
+                        char c = *sp;
+                        if (isascii(c) && isalpha(c))
+                                {
+                                if (islower(c))
+                                        c = toupper(c);
+                                letters[c - 'A'] = 1;
+                                }
+                        }
+                fprintf(stderr,
+                        "  Initial proxy rights = ");
+                for(i = 0; i < 26; i++)
+                        if (letters[i])
+                                {
+                                fprintf(stderr, "%c", i + 'A');
+                                found_any = 1;
+                                }
+                if (!found_any)
+                        fprintf(stderr, "none");
+                fprintf(stderr, "\n");
+                X509_STORE_CTX_set_ex_data(ctx,
+                        get_proxy_auth_ex_data_idx(),letters);
+                }
+        if (cb_arg->allow_proxy_certs)
+                {
+                X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
                }
+#ifndef OPENSSL_NO_X509_VERIFY
+# ifdef OPENSSL_FIPS
+        if(s->version == TLS1_VERSION)
+                FIPS_allow_md5(1);
+# endif
+        ok = X509_verify_cert(ctx);
+# ifdef OPENSSL_FIPS
+        if(s->version == TLS1_VERSION)
+                FIPS_allow_md5(0);
+# endif
+#endif
+        if (cb_arg->proxy_auth)
+                {
+                if (ok)
+                        {
+                        const char *cond_end = NULL;
+                        ok = process_proxy_cond(letters,
+                                cb_arg->proxy_cond, &cond_end);
+                        if (ok < 0)
+                                EXIT(3);
+                        if (*cond_end)
+                                {
+                                fprintf(stderr, "Stopped processing condition before it's end.\n");
+                                ok = 0;
+                                }
+                        if (!ok)
+                                fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
+                                        cb_arg->proxy_cond);
+                        else
+                                fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
+                                        cb_arg->proxy_cond);
+                        }
+                }
        return(ok);
        }

diff --git a/src/lib/libssl/src/ssl/ssltest.c b/src/lib/libssl/src/ssl/ssltest.c index 28095148e7..02878981f1 100644 --- a/src/lib/libssl/src/ssl/ssltest.c +++ b/src/lib/libssl/src/ssl/ssltest.c
@@ -119,6 +119,7 @@
119	#include <stdlib.h>	119	#include <stdlib.h>
120	#include <string.h>	120	#include <string.h>
121	#include <time.h>	121	#include <time.h>
		122	#include <ctype.h>
122		123
123	#define USE_SOCKETS	124	#define USE_SOCKETS
124	#include "e_os.h"	125	#include "e_os.h"
@@ -127,12 +128,14 @@
127	#include <openssl/crypto.h>	128	#include <openssl/crypto.h>
128	#include <openssl/evp.h>	129	#include <openssl/evp.h>
129	#include <openssl/x509.h>	130	#include <openssl/x509.h>
		131	#include <openssl/x509v3.h>
130	#include <openssl/ssl.h>	132	#include <openssl/ssl.h>
131	#ifndef OPENSSL_NO_ENGINE	133	#ifndef OPENSSL_NO_ENGINE
132	#include <openssl/engine.h>	134	#include <openssl/engine.h>
133	#endif	135	#endif
134	#include <openssl/err.h>	136	#include <openssl/err.h>
135	#include <openssl/rand.h>	137	#include <openssl/rand.h>
		138	#include <openssl/fips.h>
136		139
137	#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly	140	#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
138	on Compaq platforms (at least with DEC C).	141	on Compaq platforms (at least with DEC C).
@@ -168,8 +171,15 @@ static RSA MS_CALLBACK tmp_rsa_cb(SSL s, int is_export,int keylength);
168	static void free_tmp_rsa(void);	171	static void free_tmp_rsa(void);
169	#endif	172	#endif
170	static int MS_CALLBACK app_verify_callback(X509_STORE_CTX ctx, void arg);	173	static int MS_CALLBACK app_verify_callback(X509_STORE_CTX ctx, void arg);
171	#define APP_CALLBACK "Test Callback Argument"	174	#define APP_CALLBACK_STRING "Test Callback Argument"
172	static char *app_verify_arg = APP_CALLBACK;	175	struct app_verify_arg
		176	{
		177	char *string;
		178	int app_verify;
		179	int allow_proxy_certs;
		180	char *proxy_auth;
		181	char *proxy_cond;
		182	};
173		183
174	#ifndef OPENSSL_NO_DH	184	#ifndef OPENSSL_NO_DH
175	static DH *get_dh512(void);	185	static DH *get_dh512(void);
@@ -198,8 +208,14 @@ static void sv_usage(void)
198	{	208	{
199	fprintf(stderr,"usage: ssltest [args ...]\n");	209	fprintf(stderr,"usage: ssltest [args ...]\n");
200	fprintf(stderr,"\n");	210	fprintf(stderr,"\n");
		211	#ifdef OPENSSL_FIPS
		212	fprintf(stderr,"-F - run test in FIPS mode\n");
		213	#endif
201	fprintf(stderr," -server_auth - check server certificate\n");	214	fprintf(stderr," -server_auth - check server certificate\n");
202	fprintf(stderr," -client_auth - do client authentication\n");	215	fprintf(stderr," -client_auth - do client authentication\n");
		216	fprintf(stderr," -proxy - allow proxy certificates\n");
		217	fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
		218	fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
203	fprintf(stderr," -v - more output\n");	219	fprintf(stderr," -v - more output\n");
204	fprintf(stderr," -d - debug output\n");	220	fprintf(stderr," -d - debug output\n");
205	fprintf(stderr," -reuse - use session-id reuse\n");	221	fprintf(stderr," -reuse - use session-id reuse\n");
@@ -349,7 +365,8 @@ int main(int argc, char *argv[])
349	int tls1=0,ssl2=0,ssl3=0,ret=1;	365	int tls1=0,ssl2=0,ssl3=0,ret=1;
350	int client_auth=0;	366	int client_auth=0;
351	int server_auth=0,i;	367	int server_auth=0,i;
352	int app_verify=0;	368	struct app_verify_arg app_verify_arg =
		369	{ APP_CALLBACK_STRING, 0, 0, NULL, NULL };
353	char *server_cert=TEST_SERVER_CERT;	370	char *server_cert=TEST_SERVER_CERT;
354	char *server_key=NULL;	371	char *server_key=NULL;
355	char *client_cert=TEST_CLIENT_CERT;	372	char *client_cert=TEST_CLIENT_CERT;
@@ -369,6 +386,10 @@ int main(int argc, char *argv[])
369	clock_t s_time = 0, c_time = 0;	386	clock_t s_time = 0, c_time = 0;
370	int comp = 0;	387	int comp = 0;
371	COMP_METHOD *cm = NULL;	388	COMP_METHOD *cm = NULL;
		389	#ifdef OPENSSL_FIPS
		390	int fips_mode=0;
		391	const char *path=argv[0];
		392	#endif
372		393
373	verbose = 0;	394	verbose = 0;
374	debug = 0;	395	debug = 0;
@@ -400,10 +421,29 @@ int main(int argc, char *argv[])
400		421
401	while (argc >= 1)	422	while (argc >= 1)
402	{	423	{
403	if (strcmp(*argv,"-server_auth") == 0)	424	if(!strcmp(*argv,"-F"))
		425	{
		426	#ifdef OPENSSL_FIPS
		427	fips_mode=1;
		428	#else
		429	fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
		430	EXIT(0);
		431	#endif
		432	}
		433	else if (strcmp(*argv,"-server_auth") == 0)
404	server_auth=1;	434	server_auth=1;
405	else if (strcmp(*argv,"-client_auth") == 0)	435	else if (strcmp(*argv,"-client_auth") == 0)
406	client_auth=1;	436	client_auth=1;
		437	else if (strcmp(*argv,"-proxy_auth") == 0)
		438	{
		439	if (--argc < 1) goto bad;
		440	app_verify_arg.proxy_auth= *(++argv);
		441	}
		442	else if (strcmp(*argv,"-proxy_cond") == 0)
		443	{
		444	if (--argc < 1) goto bad;
		445	app_verify_arg.proxy_cond= *(++argv);
		446	}
407	else if (strcmp(*argv,"-v") == 0)	447	else if (strcmp(*argv,"-v") == 0)
408	verbose=1;	448	verbose=1;
409	else if (strcmp(*argv,"-d") == 0)	449	else if (strcmp(*argv,"-d") == 0)
@@ -516,7 +556,11 @@ int main(int argc, char *argv[])
516	}	556	}
517	else if (strcmp(*argv,"-app_verify") == 0)	557	else if (strcmp(*argv,"-app_verify") == 0)
518	{	558	{
519	app_verify = 1;	559	app_verify_arg.app_verify = 1;
		560	}
		561	else if (strcmp(*argv,"-proxy") == 0)
		562	{
		563	app_verify_arg.allow_proxy_certs = 1;
520	}	564	}
521	else	565	else
522	{	566	{
@@ -534,6 +578,7 @@ bad:
534	goto end;	578	goto end;
535	}	579	}
536		580
		581
537	if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)	582	if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
538	{	583	{
539	fprintf(stderr, "This case cannot work. Use -f to perform "	584	fprintf(stderr, "This case cannot work. Use -f to perform "
@@ -543,6 +588,20 @@ bad:
543	EXIT(1);	588	EXIT(1);
544	}	589	}
545		590
		591	#ifdef OPENSSL_FIPS
		592	if(fips_mode)
		593	{
		594	if(!FIPS_mode_set(1,path))
		595	{
		596	ERR_load_crypto_strings();
		597	ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
		598	EXIT(1);
		599	}
		600	else
		601	fprintf(stderr,"* IN FIPS MODE *\n");
		602	}
		603	#endif
		604
546	if (print_time)	605	if (print_time)
547	{	606	{
548	if (!bio_pair)	607	if (!bio_pair)
@@ -676,20 +735,14 @@ bad:
676	SSL_CTX_set_verify(s_ctx,	735	SSL_CTX_set_verify(s_ctx,
677	SSL_VERIFY_PEER\|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,	736	SSL_VERIFY_PEER\|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
678	verify_callback);	737	verify_callback);
679	if (app_verify)	738	SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
680	{
681	SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg);
682	}
683	}	739	}
684	if (server_auth)	740	if (server_auth)
685	{	741	{
686	BIO_printf(bio_err,"server authentication\n");	742	BIO_printf(bio_err,"server authentication\n");
687	SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,	743	SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
688	verify_callback);	744	verify_callback);
689	if (app_verify)	745	SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
690	{
691	SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg);
692	}
693	}	746	}
694		747
695	{	748	{
@@ -1471,6 +1524,22 @@ err:
1471	return(ret);	1524	return(ret);
1472	}	1525	}
1473		1526
		1527	static int get_proxy_auth_ex_data_idx(void)
		1528	{
		1529	static volatile int idx = -1;
		1530	if (idx < 0)
		1531	{
		1532	CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
		1533	if (idx < 0)
		1534	{
		1535	idx = X509_STORE_CTX_get_ex_new_index(0,
		1536	"SSLtest for verify callback", NULL,NULL,NULL);
		1537	}
		1538	CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
		1539	}
		1540	return idx;
		1541	}
		1542
1474	static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)	1543	static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1475	{	1544	{
1476	char *s,buf[256];	1545	char *s,buf[256];
@@ -1480,42 +1549,467 @@ static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1480	if (s != NULL)	1549	if (s != NULL)
1481	{	1550	{
1482	if (ok)	1551	if (ok)
1483	fprintf(stderr,"depth=%d %s\n",ctx->error_depth,buf);	1552	fprintf(stderr,"depth=%d %s\n",
		1553	ctx->error_depth,buf);
1484	else	1554	else
		1555	{
1485	fprintf(stderr,"depth=%d error=%d %s\n",	1556	fprintf(stderr,"depth=%d error=%d %s\n",
1486	ctx->error_depth,ctx->error,buf);	1557	ctx->error_depth,ctx->error,buf);
		1558	}
1487	}	1559	}
1488		1560
1489	if (ok == 0)	1561	if (ok == 0)
1490	{	1562	{
		1563	fprintf(stderr,"Error string: %s\n",
		1564	X509_verify_cert_error_string(ctx->error));
1491	switch (ctx->error)	1565	switch (ctx->error)
1492	{	1566	{
1493	case X509_V_ERR_CERT_NOT_YET_VALID:	1567	case X509_V_ERR_CERT_NOT_YET_VALID:
1494	case X509_V_ERR_CERT_HAS_EXPIRED:	1568	case X509_V_ERR_CERT_HAS_EXPIRED:
1495	case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:	1569	case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
		1570	fprintf(stderr," ... ignored.\n");
1496	ok=1;	1571	ok=1;
1497	}	1572	}
1498	}	1573	}
1499		1574
		1575	if (ok == 1)
		1576	{
		1577	X509 *xs = ctx->current_cert;
		1578	#if 0
		1579	X509 *xi = ctx->current_issuer;
		1580	#endif
		1581
		1582	if (xs->ex_flags & EXFLAG_PROXY)
		1583	{
		1584	unsigned int *letters =
		1585	X509_STORE_CTX_get_ex_data(ctx,
		1586	get_proxy_auth_ex_data_idx());
		1587
		1588	if (letters)
		1589	{
		1590	int found_any = 0;
		1591	int i;
		1592	PROXY_CERT_INFO_EXTENSION *pci =
		1593	X509_get_ext_d2i(xs, NID_proxyCertInfo,
		1594	NULL, NULL);
		1595
		1596	switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
		1597	{
		1598	case NID_Independent:
		1599	/* Completely meaningless in this
		1600	program, as there's no way to
		1601	grant explicit rights to a
		1602	specific PrC. Basically, using
		1603	id-ppl-Independent is the perfect
		1604	way to grant no rights at all. */
		1605	fprintf(stderr, " Independent proxy certificate");
		1606	for (i = 0; i < 26; i++)
		1607	letters[i] = 0;
		1608	break;
		1609	case NID_id_ppl_inheritAll:
		1610	/* This is basically a NOP, we
		1611	simply let the current rights
		1612	stand as they are. */
		1613	fprintf(stderr, " Proxy certificate inherits all");
		1614	break;
		1615	default:
		1616	s = (char *)
		1617	pci->proxyPolicy->policy->data;
		1618	i = pci->proxyPolicy->policy->length;
		1619
		1620	/* The algorithm works as follows:
		1621	it is assumed that previous
		1622	iterations or the initial granted
		1623	rights has already set some elements
		1624	of `letters'. What we need to do is
		1625	to clear those that weren't granted
		1626	by the current PrC as well. The
		1627	easiest way to do this is to add 1
		1628	to all the elements whose letters
		1629	are given with the current policy.
		1630	That way, all elements that are set
		1631	by the current policy and were
		1632	already set by earlier policies and
		1633	through the original grant of rights
		1634	will get the value 2 or higher.
		1635	The last thing to do is to sweep
		1636	through `letters' and keep the
		1637	elements having the value 2 as set,
		1638	and clear all the others. */
		1639
		1640	fprintf(stderr, " Certificate proxy rights = %.s", i, i, s);
		1641	while(i-- > 0)
		1642	{
		1643	char c = *s++;
		1644	if (isascii(c) && isalpha(c))
		1645	{
		1646	if (islower(c))
		1647	c = toupper(c);
		1648	letters[c - 'A']++;
		1649	}
		1650	}
		1651	for (i = 0; i < 26; i++)
		1652	if (letters[i] < 2)
		1653	letters[i] = 0;
		1654	else
		1655	letters[i] = 1;
		1656	}
		1657
		1658	found_any = 0;
		1659	fprintf(stderr,
		1660	", resulting proxy rights = ");
		1661	for(i = 0; i < 26; i++)
		1662	if (letters[i])
		1663	{
		1664	fprintf(stderr, "%c", i + 'A');
		1665	found_any = 1;
		1666	}
		1667	if (!found_any)
		1668	fprintf(stderr, "none");
		1669	fprintf(stderr, "\n");
		1670
		1671	PROXY_CERT_INFO_EXTENSION_free(pci);
		1672	}
		1673	}
		1674	}
		1675
1500	return(ok);	1676	return(ok);
1501	}	1677	}
1502		1678
		1679	static void process_proxy_debug(int indent, const char *format, ...)
		1680	{
		1681	static const char indentation[] =
		1682	">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
		1683	">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
		1684	char my_format[256];
		1685	va_list args;
		1686
		1687	BIO_snprintf(my_format, sizeof(my_format), "%.s %s",
		1688	indent, indent, indentation, format);
		1689
		1690	va_start(args, format);
		1691	vfprintf(stderr, my_format, args);
		1692	va_end(args);
		1693	}
		1694	/* Priority levels:
		1695	0 [!]var, ()
		1696	1 & ^
		1697	2 \|
		1698	*/
		1699	static int process_proxy_cond_adders(unsigned int letters[26],
		1700	const char cond, const char cond_end, int pos, int indent);
		1701	static int process_proxy_cond_val(unsigned int letters[26],
		1702	const char cond, const char cond_end, int pos, int indent)
		1703	{
		1704	char c;
		1705	int ok = 1;
		1706	int negate = 0;
		1707
		1708	while(isspace(*cond))
		1709	{
		1710	cond++; (*pos)++;
		1711	}
		1712	c = *cond;
		1713
		1714	if (debug)
		1715	process_proxy_debug(indent,
		1716	"Start process_proxy_cond_val at position %d: %s\n",
		1717	*pos, cond);
		1718
		1719	while(c == '!')
		1720	{
		1721	negate = !negate;
		1722	cond++; (*pos)++;
		1723	while(isspace(*cond))
		1724	{
		1725	cond++; (*pos)++;
		1726	}
		1727	c = *cond;
		1728	}
		1729
		1730	if (c == '(')
		1731	{
		1732	cond++; (*pos)++;
		1733	ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
		1734	indent + 1);
		1735	cond = *cond_end;
		1736	if (ok < 0)
		1737	goto end;
		1738	while(isspace(*cond))
		1739	{
		1740	cond++; (*pos)++;
		1741	}
		1742	c = *cond;
		1743	if (c != ')')
		1744	{
		1745	fprintf(stderr,
		1746	"Weird condition character in position %d: "
		1747	"%c\n", *pos, c);
		1748	ok = -1;
		1749	goto end;
		1750	}
		1751	cond++; (*pos)++;
		1752	}
		1753	else if (isascii(c) && isalpha(c))
		1754	{
		1755	if (islower(c))
		1756	c = toupper(c);
		1757	ok = letters[c - 'A'];
		1758	cond++; (*pos)++;
		1759	}
		1760	else
		1761	{
		1762	fprintf(stderr,
		1763	"Weird condition character in position %d: "
		1764	"%c\n", *pos, c);
		1765	ok = -1;
		1766	goto end;
		1767	}
		1768	end:
		1769	*cond_end = cond;
		1770	if (ok >= 0 && negate)
		1771	ok = !ok;
		1772
		1773	if (debug)
		1774	process_proxy_debug(indent,
		1775	"End process_proxy_cond_val at position %d: %s, returning %d\n",
		1776	*pos, cond, ok);
		1777
		1778	return ok;
		1779	}
		1780	static int process_proxy_cond_multipliers(unsigned int letters[26],
		1781	const char cond, const char cond_end, int pos, int indent)
		1782	{
		1783	int ok;
		1784	char c;
		1785
		1786	if (debug)
		1787	process_proxy_debug(indent,
		1788	"Start process_proxy_cond_multipliers at position %d: %s\n",
		1789	*pos, cond);
		1790
		1791	ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
		1792	cond = *cond_end;
		1793	if (ok < 0)
		1794	goto end;
		1795
		1796	while(ok >= 0)
		1797	{
		1798	while(isspace(*cond))
		1799	{
		1800	cond++; (*pos)++;
		1801	}
		1802	c = *cond;
		1803
		1804	switch(c)
		1805	{
		1806	case '&':
		1807	case '^':
		1808	{
		1809	int save_ok = ok;
		1810
		1811	cond++; (*pos)++;
		1812	ok = process_proxy_cond_val(letters,
		1813	cond, cond_end, pos, indent + 1);
		1814	cond = *cond_end;
		1815	if (ok < 0)
		1816	break;
		1817
		1818	switch(c)
		1819	{
		1820	case '&':
		1821	ok &= save_ok;
		1822	break;
		1823	case '^':
		1824	ok ^= save_ok;
		1825	break;
		1826	default:
		1827	fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
		1828	" STOPPING\n");
		1829	EXIT(1);
		1830	}
		1831	}
		1832	break;
		1833	default:
		1834	goto end;
		1835	}
		1836	}
		1837	end:
		1838	if (debug)
		1839	process_proxy_debug(indent,
		1840	"End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
		1841	*pos, cond, ok);
		1842
		1843	*cond_end = cond;
		1844	return ok;
		1845	}
		1846	static int process_proxy_cond_adders(unsigned int letters[26],
		1847	const char cond, const char cond_end, int pos, int indent)
		1848	{
		1849	int ok;
		1850	char c;
		1851
		1852	if (debug)
		1853	process_proxy_debug(indent,
		1854	"Start process_proxy_cond_adders at position %d: %s\n",
		1855	*pos, cond);
		1856
		1857	ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
		1858	indent + 1);
		1859	cond = *cond_end;
		1860	if (ok < 0)
		1861	goto end;
		1862
		1863	while(ok >= 0)
		1864	{
		1865	while(isspace(*cond))
		1866	{
		1867	cond++; (*pos)++;
		1868	}
		1869	c = *cond;
		1870
		1871	switch(c)
		1872	{
		1873	case '\|':
		1874	{
		1875	int save_ok = ok;
		1876
		1877	cond++; (*pos)++;
		1878	ok = process_proxy_cond_multipliers(letters,
		1879	cond, cond_end, pos, indent + 1);
		1880	cond = *cond_end;
		1881	if (ok < 0)
		1882	break;
		1883
		1884	switch(c)
		1885	{
		1886	case '\|':
		1887	ok \|= save_ok;
		1888	break;
		1889	default:
		1890	fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
		1891	" STOPPING\n");
		1892	EXIT(1);
		1893	}
		1894	}
		1895	break;
		1896	default:
		1897	goto end;
		1898	}
		1899	}
		1900	end:
		1901	if (debug)
		1902	process_proxy_debug(indent,
		1903	"End process_proxy_cond_adders at position %d: %s, returning %d\n",
		1904	*pos, cond, ok);
		1905
		1906	*cond_end = cond;
		1907	return ok;
		1908	}
		1909
		1910	static int process_proxy_cond(unsigned int letters[26],
		1911	const char cond, const char *cond_end)
		1912	{
		1913	int pos = 1;
		1914	return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
		1915	}
		1916
1503	static int MS_CALLBACK app_verify_callback(X509_STORE_CTX ctx, void arg)	1917	static int MS_CALLBACK app_verify_callback(X509_STORE_CTX ctx, void arg)
1504	{	1918	{
1505	char *s = NULL,buf[256];
1506	int ok=1;	1919	int ok=1;
		1920	struct app_verify_arg *cb_arg = arg;
		1921	unsigned int letters[26]; /* only used with proxy_auth */
1507		1922
1508	fprintf(stderr, "In app_verify_callback, allowing cert. ");	1923	if (cb_arg->app_verify)
1509	fprintf(stderr, "Arg is: %s\n", (char *)arg);
1510	fprintf(stderr, "Finished printing do we have a context? 0x%x a cert? 0x%x\n",
1511	(unsigned int)ctx, (unsigned int)ctx->cert);
1512	if (ctx->cert)
1513	s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
1514	if (s != NULL)
1515	{	1924	{
		1925	char *s = NULL,buf[256];
		1926
		1927	fprintf(stderr, "In app_verify_callback, allowing cert. ");
		1928	fprintf(stderr, "Arg is: %s\n", cb_arg->string);
		1929	fprintf(stderr, "Finished printing do we have a context? 0x%x a cert? 0x%x\n",
		1930	(unsigned int)ctx, (unsigned int)ctx->cert);
		1931	if (ctx->cert)
		1932	s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
		1933	if (s != NULL)
		1934	{
1516	fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);	1935	fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
		1936	}
		1937	return(1);
		1938	}
		1939	if (cb_arg->proxy_auth)
		1940	{
		1941	int found_any = 0, i;
		1942	char *sp;
		1943
		1944	for(i = 0; i < 26; i++)
		1945	letters[i] = 0;
		1946	for(sp = cb_arg->proxy_auth; *sp; sp++)
		1947	{
		1948	char c = *sp;
		1949	if (isascii(c) && isalpha(c))
		1950	{
		1951	if (islower(c))
		1952	c = toupper(c);
		1953	letters[c - 'A'] = 1;
		1954	}
		1955	}
		1956
		1957	fprintf(stderr,
		1958	" Initial proxy rights = ");
		1959	for(i = 0; i < 26; i++)
		1960	if (letters[i])
		1961	{
		1962	fprintf(stderr, "%c", i + 'A');
		1963	found_any = 1;
		1964	}
		1965	if (!found_any)
		1966	fprintf(stderr, "none");
		1967	fprintf(stderr, "\n");
		1968
		1969	X509_STORE_CTX_set_ex_data(ctx,
		1970	get_proxy_auth_ex_data_idx(),letters);
		1971	}
		1972	if (cb_arg->allow_proxy_certs)
		1973	{
		1974	X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
1517	}	1975	}
1518		1976
		1977	#ifndef OPENSSL_NO_X509_VERIFY
		1978	# ifdef OPENSSL_FIPS
		1979	if(s->version == TLS1_VERSION)
		1980	FIPS_allow_md5(1);
		1981	# endif
		1982	ok = X509_verify_cert(ctx);
		1983	# ifdef OPENSSL_FIPS
		1984	if(s->version == TLS1_VERSION)
		1985	FIPS_allow_md5(0);
		1986	# endif
		1987	#endif
		1988
		1989	if (cb_arg->proxy_auth)
		1990	{
		1991	if (ok)
		1992	{
		1993	const char *cond_end = NULL;
		1994
		1995	ok = process_proxy_cond(letters,
		1996	cb_arg->proxy_cond, &cond_end);
		1997
		1998	if (ok < 0)
		1999	EXIT(3);
		2000	if (*cond_end)
		2001	{
		2002	fprintf(stderr, "Stopped processing condition before it's end.\n");
		2003	ok = 0;
		2004	}
		2005	if (!ok)
		2006	fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
		2007	cb_arg->proxy_cond);
		2008	else
		2009	fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
		2010	cb_arg->proxy_cond);
		2011	}
		2012	}
1519	return(ok);	2013	return(ok);
1520	}	2014	}
1521		2015