18 files changed, 215 insertions, 40 deletions
diff --git a/src/lib/libssl/test/CAss.cnf b/src/lib/libssl/test/CAss.cnf
index b941b7ae15..21da59a73a 100644
--- a/src/lib/libssl/test/CAss.cnf
+++ b/src/lib/libssl/test/CAss.cnf
@@ -23,3 +23,11 @@ organizationName_value		= Dodgy Brothers
 commonName                      = Common Name (eg, YOUR name)
 commonName_value                = Dodgy CA
+[ v3_ca ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = CA:true,pathlen:1
+keyUsage = cRLSign, keyCertSign
+issuerAltName=issuer:copy
diff --git a/src/lib/libssl/test/P1ss.cnf b/src/lib/libssl/test/P1ss.cnf
new file mode 100644
index 0000000000..876a0d35f8
--- /dev/null
+++ b/src/lib/libssl/test/P1ss.cnf
@@ -0,0 +1,37 @@
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+RANDFILE                = ./.rnd
+####################################################################
+[ req ]
+default_bits            = 512
+default_keyfile         = keySS.pem
+distinguished_name      = req_distinguished_name
+encrypt_rsa_key         = no
+default_md              = md2
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+countryName_default             = AU
+countryName_value               = AU
+organizationName                = Organization Name (eg, company)
+organizationName_value          = Dodgy Brothers
+0.commonName                    = Common Name (eg, YOUR name)
+0.commonName_value              = Brother 1
+1.commonName                    = Common Name (eg, YOUR name)
+1.commonName_value              = Brother 2
+2.commonName                    = Common Name (eg, YOUR name)
+2.commonName_value              = Proxy 1
+[ v3_proxy ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:1,policy:text:AB
diff --git a/src/lib/libssl/test/P2ss.cnf b/src/lib/libssl/test/P2ss.cnf
new file mode 100644
index 0000000000..373a87e7c2
--- /dev/null
+++ b/src/lib/libssl/test/P2ss.cnf
@@ -0,0 +1,45 @@
+#
+# SSLeay example configuration file.
+# This is mostly being used for generation of certificate requests.
+#
+RANDFILE                = ./.rnd
+####################################################################
+[ req ]
+default_bits            = 512
+default_keyfile         = keySS.pem
+distinguished_name      = req_distinguished_name
+encrypt_rsa_key         = no
+default_md              = md2
+[ req_distinguished_name ]
+countryName                     = Country Name (2 letter code)
+countryName_default             = AU
+countryName_value               = AU
+organizationName                = Organization Name (eg, company)
+organizationName_value          = Dodgy Brothers
+0.commonName                    = Common Name (eg, YOUR name)
+0.commonName_value              = Brother 1
+1.commonName                    = Common Name (eg, YOUR name)
+1.commonName_value              = Brother 2
+2.commonName                    = Common Name (eg, YOUR name)
+2.commonName_value              = Proxy 1
+3.commonName                    = Common Name (eg, YOUR name)
+3.commonName_value              = Proxy 2
+[ v3_proxy ]
+basicConstraints=CA:FALSE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+proxyCertInfo=critical,@proxy_ext
+[ proxy_ext ]
+language=id-ppl-anyLanguage
+pathlen=0
+policy=text:BC
diff --git a/src/lib/libssl/test/Uss.cnf b/src/lib/libssl/test/Uss.cnf
index c89692d519..0c0ebb5f67 100644
--- a/src/lib/libssl/test/Uss.cnf
+++ b/src/lib/libssl/test/Uss.cnf
@@ -26,3 +26,11 @@ organizationName_value          = Dodgy Brothers
 1.commonName                    = Common Name (eg, YOUR name)
 1.commonName_value              = Brother 2
+[ v3_ee ]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer:always
+basicConstraints = CA:false
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+issuerAltName=issuer:copy
diff --git a/src/lib/libssl/test/bctest b/src/lib/libssl/test/bctest
index bdb3218f7a..e81fc0733a 100644
--- a/src/lib/libssl/test/bctest
+++ b/src/lib/libssl/test/bctest
@@ -1,6 +1,6 @@
 #!/bin/sh
-# This script is used by test/Makefile.ssl to check whether a sane 'bc'
+# This script is used by test/Makefile to check whether a sane 'bc'
 # is installed.
 # ('make test_bn' should not try to run 'bc' if it does not exist or if
 # it is a broken 'bc' version that is known to cause trouble.)
diff --git a/src/lib/libssl/test/tcrl b/src/lib/libssl/test/tcrl
index f71ef7a863..3ffed12a03 100644
--- a/src/lib/libssl/test/tcrl
+++ b/src/lib/libssl/test/tcrl
@@ -7,7 +7,7 @@ else
 fi
 export PATH
-cmd='../apps/openssl crl'
+cmd='../util/shlib_wrap.sh ../apps/openssl crl'
 if [ "$1"x != "x" ]; then
        t=$1
diff --git a/src/lib/libssl/test/testca b/src/lib/libssl/test/testca
index 8215ebb5d1..5b2faa78f1 100644
--- a/src/lib/libssl/test/testca
+++ b/src/lib/libssl/test/testca
@@ -11,6 +11,9 @@ export SH PATH
 SSLEAY_CONFIG="-config CAss.cnf"
 export SSLEAY_CONFIG
+OPENSSL="`pwd`/../util/shlib_wrap.sh openssl"
+export OPENSSL
 /bin/rm -fr demoCA
 $SH ../apps/CA.sh -newca <<EOF
 EOF
diff --git a/src/lib/libssl/test/testenc b/src/lib/libssl/test/testenc
index 0656c7f525..4571ea2875 100644
--- a/src/lib/libssl/test/testenc
+++ b/src/lib/libssl/test/testenc
@@ -1,14 +1,14 @@
 #!/bin/sh
-testsrc=Makefile.ssl
+testsrc=Makefile
 test=./p
-cmd=../apps/openssl
+cmd="../util/shlib_wrap.sh ../apps/openssl"
 cat $testsrc >$test;
 echo cat
-$cmd enc < $test > $test.cipher
+$cmd enc -non-fips-allow < $test > $test.cipher
-$cmd enc < $test.cipher >$test.clear
+$cmd enc -non-fips-allow < $test.cipher >$test.clear
 cmp $test $test.clear
 if [ $? != 0 ]
 then
@@ -17,8 +17,8 @@ else
        /bin/rm $test.cipher $test.clear
 fi
 echo base64
-$cmd enc -a -e < $test > $test.cipher
+$cmd enc -non-fips-allow -a -e < $test > $test.cipher
-$cmd enc -a -d < $test.cipher >$test.clear
+$cmd enc -non-fips-allow -a -d < $test.cipher >$test.clear
 cmp $test $test.clear
 if [ $? != 0 ]
 then
@@ -30,8 +30,8 @@ fi
 for i in `$cmd list-cipher-commands`
 do
        echo $i
-        $cmd $i -bufsize 113 -e -k test < $test > $test.$i.cipher
+        $cmd $i -non-fips-allow -bufsize 113 -e -k test < $test > $test.$i.cipher
-        $cmd $i -bufsize 157 -d -k test < $test.$i.cipher >$test.$i.clear
+        $cmd $i -non-fips-allow -bufsize 157 -d -k test < $test.$i.cipher >$test.$i.clear
        cmp $test $test.$i.clear
        if [ $? != 0 ]
        then
@@ -41,8 +41,8 @@ do
        fi
        echo $i base64
-        $cmd $i -bufsize 113 -a -e -k test < $test > $test.$i.cipher
+        $cmd $i -non-fips-allow -bufsize 113 -a -e -k test < $test > $test.$i.cipher
-        $cmd $i -bufsize 157 -a -d -k test < $test.$i.cipher >$test.$i.clear
+        $cmd $i -non-fips-allow -bufsize 157 -a -d -k test < $test.$i.cipher >$test.$i.clear
        cmp $test $test.$i.clear
        if [ $? != 0 ]
        then
diff --git a/src/lib/libssl/test/testgen b/src/lib/libssl/test/testgen
index 3798543e04..524c0d134c 100644
--- a/src/lib/libssl/test/testgen
+++ b/src/lib/libssl/test/testgen
@@ -17,7 +17,7 @@ echo "generating certificate request"
 echo "string to make the random number generator think it has entropy" >> ./.rnd
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
  req_new='-newkey dsa:../apps/dsa512.pem'
 else
  req_new='-new'
@@ -29,13 +29,13 @@ echo "This could take some time."
 rm -f testkey.pem testreq.pem
-../apps/openssl req -config test.cnf $req_new -out testreq.pem
+../util/shlib_wrap.sh ../apps/openssl req -config test.cnf $req_new -out testreq.pem
 if [ $? != 0 ]; then
 echo problems creating request
 exit 1
 fi
-../apps/openssl req -config test.cnf -verify -in testreq.pem -noout
+../util/shlib_wrap.sh ../apps/openssl req -config test.cnf -verify -in testreq.pem -noout
 if [ $? != 0 ]; then
 echo signature on req is wrong
 exit 1
diff --git a/src/lib/libssl/test/testss b/src/lib/libssl/test/testss
index 8d3557f356..1a426857d3 100644
--- a/src/lib/libssl/test/testss
+++ b/src/lib/libssl/test/testss
@@ -1,9 +1,9 @@
 #!/bin/sh
-digest='-md5'
+digest='-sha1'
-reqcmd="../apps/openssl req"
+reqcmd="../util/shlib_wrap.sh ../apps/openssl req"
-x509cmd="../apps/openssl x509 $digest"
+x509cmd="../util/shlib_wrap.sh ../apps/openssl x509 $digest"
-verifycmd="../apps/openssl verify"
+verifycmd="../util/shlib_wrap.sh ../apps/openssl verify"
 dummycnf="../apps/openssl.cnf"
 CAkey="keyCA.ss"
@@ -17,12 +17,24 @@ Ukey="keyU.ss"
 Ureq="reqU.ss"
 Ucert="certU.ss"
+P1conf="P1ss.cnf"
+P1key="keyP1.ss"
+P1req="reqP1.ss"
+P1cert="certP1.ss"
+P1intermediate="tmp_intP1.ss"
+P2conf="P2ss.cnf"
+P2key="keyP2.ss"
+P2req="reqP2.ss"
+P2cert="certP2.ss"
+P2intermediate="tmp_intP2.ss"
 echo
 echo "make a certificate request using 'req'"
 echo "string to make the random number generator think it has entropy" >> ./.rnd
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
  req_new='-newkey dsa:../apps/dsa512.pem'
 else
  req_new='-new'
@@ -35,7 +47,7 @@ if [ $? != 0 ]; then
 fi
 echo
 echo "convert the certificate request into a self signed certificate using 'x509'"
-$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey >err.ss
+$x509cmd -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey -extfile $CAconf -extensions v3_ca >err.ss
 if [ $? != 0 ]; then
        echo "error using 'x509' to self sign a certificate request"
        exit 1
@@ -68,18 +80,18 @@ if [ $? != 0 ]; then
 fi
 echo
-echo "make another certificate request using 'req'"
+echo "make a user certificate request using 'req'"
 $reqcmd -config $Uconf -out $Ureq -keyout $Ukey $req_new >err.ss
 if [ $? != 0 ]; then
-        echo "error using 'req' to generate a certificate request"
+        echo "error using 'req' to generate a user certificate request"
        exit 1
 fi
 echo
-echo "sign certificate request with the just created CA via 'x509'"
+echo "sign user certificate request with the just created CA via 'x509'"
-$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey >err.ss
+$x509cmd -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -extfile $Uconf -extensions v3_ee >err.ss
 if [ $? != 0 ]; then
-        echo "error using 'x509' to sign a certificate request"
+        echo "error using 'x509' to sign a user certificate request"
        exit 1
 fi
@@ -89,11 +101,63 @@ echo "Certificate details"
 $x509cmd -subject -issuer -startdate -enddate -noout -in $Ucert
 echo
+echo "make a proxy certificate request using 'req'"
+$reqcmd -config $P1conf -out $P1req -keyout $P1key $req_new >err.ss
+if [ $? != 0 ]; then
+        echo "error using 'req' to generate a proxy certificate request"
+        exit 1
+fi
+echo
+echo "sign proxy certificate request with the just created user certificate via 'x509'"
+$x509cmd -CAcreateserial -in $P1req -days 30 -req -out $P1cert -CA $Ucert -CAkey $Ukey -extfile $P1conf -extensions v3_proxy >err.ss
+if [ $? != 0 ]; then
+        echo "error using 'x509' to sign a proxy certificate request"
+        exit 1
+fi
+cat $Ucert > $P1intermediate
+$verifycmd -CAfile $CAcert -untrusted $P1intermediate $P1cert
+echo
+echo "Certificate details"
+$x509cmd -subject -issuer -startdate -enddate -noout -in $P1cert
+echo
+echo "make another proxy certificate request using 'req'"
+$reqcmd -config $P2conf -out $P2req -keyout $P2key $req_new >err.ss
+if [ $? != 0 ]; then
+        echo "error using 'req' to generate another proxy certificate request"
+        exit 1
+fi
+echo
+echo "sign second proxy certificate request with the first proxy certificate via 'x509'"
+$x509cmd -CAcreateserial -in $P2req -days 30 -req -out $P2cert -CA $P1cert -CAkey $P1key -extfile $P2conf -extensions v3_proxy >err.ss
+if [ $? != 0 ]; then
+        echo "error using 'x509' to sign a second proxy certificate request"
+        exit 1
+fi
+cat $Ucert $P1cert > $P2intermediate
+$verifycmd -CAfile $CAcert -untrusted $P2intermediate $P2cert
+echo
+echo "Certificate details"
+$x509cmd -subject -issuer -startdate -enddate -noout -in $P2cert
+echo
 echo The generated CA certificate is $CAcert
 echo The generated CA private key is $CAkey
 echo The generated user certificate is $Ucert
 echo The generated user private key is $Ukey
+echo The first generated proxy certificate is $P1cert
+echo The first generated proxy private key is $P1key
+echo The second generated proxy certificate is $P2cert
+echo The second generated proxy private key is $P2key
 /bin/rm err.ss
+#/bin/rm $P1intermediate
+#/bin/rm $P2intermediate
 exit 0
diff --git a/src/lib/libssl/test/testssl b/src/lib/libssl/test/testssl
index ca8e718022..8ac90ae5ee 100644
--- a/src/lib/libssl/test/testssl
+++ b/src/lib/libssl/test/testssl
@@ -10,9 +10,9 @@ if [ "$2" = "" ]; then
 else
  cert="$2"
 fi
-ssltest="./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"
+ssltest="../util/shlib_wrap.sh ./ssltest -key $key -cert $cert -c_key $key -c_cert $cert"
-if ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
+if ../util/shlib_wrap.sh ../apps/openssl x509 -in $cert -text -noout | fgrep 'DSA Public Key' >/dev/null; then
  dsa_cert=YES
 else
  dsa_cert=NO
@@ -121,24 +121,24 @@ $ssltest -bio_pair -server_auth -client_auth -app_verify $CA $extra || exit 1
 #############################################################################
-if ../apps/openssl no-dh; then
+if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
  echo skipping anonymous DH tests
 else
  echo test tls1 with 1024bit anonymous DH, multiple handshakes
  $ssltest -v -bio_pair -tls1 -cipher ADH -dhe1024dsa -num 10 -f -time $extra || exit 1
 fi
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
  echo skipping RSA tests
 else
  echo test tls1 with 1024bit RSA, no DHE, multiple handshakes
-  ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1
+  ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -no_dhe -num 10 -f -time $extra || exit 1
-  if ../apps/openssl no-dh; then
+  if ../util/shlib_wrap.sh ../apps/openssl no-dh; then
    echo skipping RSA+DHE tests
  else
    echo test tls1 with 1024bit RSA, 1024bit DHE, multiple handshakes
-    ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
+    ../util/shlib_wrap.sh ./ssltest -v -bio_pair -tls1 -cert ../apps/server2.pem -dhe1024dsa -num 10 -f -time $extra || exit 1
  fi
 fi
diff --git a/src/lib/libssl/test/testsslproxy b/src/lib/libssl/test/testsslproxy
new file mode 100644
index 0000000000..58bbda8ab7
--- /dev/null
+++ b/src/lib/libssl/test/testsslproxy
@@ -0,0 +1,10 @@
+#! /bin/sh
+echo 'Testing a lot of proxy conditions.'
+echo 'Some of them may turn out being invalid, which is fine.'
+for auth in A B C BC; do
+    for cond in A B C 'A|B&!C'; do
+        sh ./testssl $1 $2 $3 "-proxy -proxy_auth $auth -proxy_cond $cond"
+        if [ $? = 3 ]; then exit 1; fi
+    done
+done
diff --git a/src/lib/libssl/test/tpkcs7 b/src/lib/libssl/test/tpkcs7
index cf3bd9fadb..79bb6e0edf 100644
--- a/src/lib/libssl/test/tpkcs7
+++ b/src/lib/libssl/test/tpkcs7
@@ -7,7 +7,7 @@ else
 fi
 export PATH
-cmd='../apps/openssl pkcs7'
+cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7'
 if [ "$1"x != "x" ]; then
        t=$1
diff --git a/src/lib/libssl/test/tpkcs7d b/src/lib/libssl/test/tpkcs7d
index 18f9311b06..20394b34c4 100644
--- a/src/lib/libssl/test/tpkcs7d
+++ b/src/lib/libssl/test/tpkcs7d
@@ -7,7 +7,7 @@ else
 fi
 export PATH
-cmd='../apps/openssl pkcs7'
+cmd='../util/shlib_wrap.sh ../apps/openssl pkcs7'
 if [ "$1"x != "x" ]; then
        t=$1
diff --git a/src/lib/libssl/test/treq b/src/lib/libssl/test/treq
index 47a8273cde..7e020210a5 100644
--- a/src/lib/libssl/test/treq
+++ b/src/lib/libssl/test/treq
@@ -7,7 +7,7 @@ else
 fi
 export PATH
-cmd='../apps/openssl req -config ../apps/openssl.cnf'
+cmd='../util/shlib_wrap.sh ../apps/openssl req -config ../apps/openssl.cnf'
 if [ "$1"x != "x" ]; then
        t=$1
diff --git a/src/lib/libssl/test/trsa b/src/lib/libssl/test/trsa
index 413e2ec0a0..67b4a98841 100644
--- a/src/lib/libssl/test/trsa
+++ b/src/lib/libssl/test/trsa
@@ -7,12 +7,12 @@ else
 fi
 export PATH
-if ../apps/openssl no-rsa; then
+if ../util/shlib_wrap.sh ../apps/openssl no-rsa; then
  echo skipping rsa conversion test
  exit 0
 fi
-cmd='../apps/openssl rsa'
+cmd='../util/shlib_wrap.sh ../apps/openssl rsa'
 if [ "$1"x != "x" ]; then
        t=$1
diff --git a/src/lib/libssl/test/tsid b/src/lib/libssl/test/tsid
index 40a1dfa97c..fb4a7213b9 100644
--- a/src/lib/libssl/test/tsid
+++ b/src/lib/libssl/test/tsid
@@ -7,7 +7,7 @@ else
 fi
 export PATH
-cmd='../apps/openssl sess_id'
+cmd='../util/shlib_wrap.sh ../apps/openssl sess_id'
 if [ "$1"x != "x" ]; then
        t=$1
diff --git a/src/lib/libssl/test/tx509 b/src/lib/libssl/test/tx509
index d380963abc..1b9c8661f3 100644
--- a/src/lib/libssl/test/tx509
+++ b/src/lib/libssl/test/tx509
@@ -7,7 +7,7 @@ else
 fi
 export PATH
-cmd='../apps/openssl x509'
+cmd='../util/shlib_wrap.sh ../apps/openssl x509'
 if [ "$1"x != "x" ]; then
        t=$1