Rearrange and test authz extension.

1 files changed, 119 insertions, 0 deletions

diff --git a/ssl/ssltest.c b/ssl/ssltest.c
index 316bbb0c95..1f557dd9a1 100644
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -369,6 +369,11 @@ static void sv_usage(void)
 	               "                 (default is sect163r2).\n");
 #endif
 	fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
+#ifndef OPENSSL_NO_TLSEXT
+	fprintf(stderr," -server_authz arg - binary authz file for certificate\n");
+	fprintf(stderr," -c_support_proof  - indicate client support for server_authz audit proofs\n");
+	fprintf(stderr," -c_require_proof  - fail if no audit proof is sent\n");
+#endif
 	}
 
 static void print_details(SSL *c_ssl, const char *prefix)
@@ -498,6 +503,56 @@ int opaque_prf_input_cb(SSL *ssl, void *peerinput, size_t len, void *arg_)
 	}
 #endif
 
+#ifndef OPENSSL_NO_TLSEXT
+struct audit_proof_cb_arg_st
+	{
+	unsigned char *expected_proof;
+	size_t expected_proof_length;
+	int require;
+	};
+
+struct audit_proof_cb_arg_st c_expected = { NULL, 0, 0 };
+
+static int audit_proof_cb(SSL *s, void *arg)
+	{
+	const unsigned char *proof;
+	size_t proof_len;
+	SSL_SESSION *sess = SSL_get_session(s);
+	struct audit_proof_cb_arg_st *cb_arg = (struct audit_proof_cb_arg_st*)arg;
+
+	proof = SSL_SESSION_get_tlsext_authz_server_audit_proof(sess,
+		&proof_len);
+	if (proof != NULL)
+		{
+		if (proof_len == cb_arg->expected_proof_length &&
+			cb_arg->expected_proof != NULL &&
+			memcmp(proof, cb_arg->expected_proof, proof_len) == 0)
+			{
+			BIO_printf(bio_stdout, "Audit proof OK (%lu bytes).\n",
+				   (long)proof_len);
+			return 1;
+			}
+		else
+			{
+			BIO_printf(bio_stdout, "Audit proof mismatch.\n");
+			/* Cause handshake failure. */
+			return 0;
+			}
+		}
+
+	else /* proof == NULL */
+		{
+		BIO_printf(bio_stdout, "No audit proof found.\n");
+		if (cb_arg->require)
+			{
+			/* Cause handshake failure. */
+			return 0;
+			}
+		return 1;
+		}
+	}
+#endif
+
 int main(int argc, char *argv[])
 	{
 	char *CApath=NULL,*CAfile=NULL;
@@ -549,6 +604,11 @@ int main(int argc, char *argv[])
 #ifdef OPENSSL_FIPS
 	int fips_mode=0;
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+	char *s_authz_file = NULL;
+	int c_support_proof = 0;
+	int c_require_proof = 0;
+#endif
 
 	verbose = 0;
 	debug = 0;
@@ -765,6 +825,24 @@ int main(int argc, char *argv[])
 			{
 			test_cipherlist = 1;
 			}
+#ifndef OPENSSL_NO_TLSEXT
+		else if(strcmp(*argv,"-server_authz") == 0)
+			{
+			if (--argc < 1) goto bad;
+			s_authz_file = *(++argv);
+			tls1 = 1;
+			}
+		else if (strcmp(*argv,"-c_support_proof") == 0)
+			{
+			c_support_proof = 1;
+			tls1 = 1;
+			}
+		else if (strcmp(*argv,"-c_require_proof") == 0)
+			{
+			c_require_proof = 1;
+			tls1 = 1;
+			}
+#endif
 		else
 			{
 			fprintf(stderr,"unknown option %s\n",*argv);
@@ -798,6 +876,15 @@ bad:
 			"to avoid protocol mismatch.\n");
 		EXIT(1);
 		}
+	if (c_require_proof && s_authz_file == NULL && !force)
+		{
+		fprintf(stderr, "This case cannot work. -c_require_proof "
+			"requires an audit proof, but none was supplied. "
+			"Use -f to perform the test anyway (and\n-d to see "
+			"what happens), or use -server_authz to supply an "
+			"audit proof.\n");
+		EXIT(1);
+		}
 
 #ifdef OPENSSL_FIPS
 	if(fips_mode)
@@ -1063,6 +1150,34 @@ bad:
 		SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
 		}
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+	if (s_authz_file != NULL)
+		{
+		if(!SSL_CTX_use_authz_file(s_ctx, s_authz_file))
+			{
+			BIO_printf(bio_err, "Unable to set authz data\n");
+			goto end;
+			}
+		}
+	if (c_support_proof || c_require_proof)
+		{
+		size_t proof_length;
+		const unsigned char *proof = SSL_CTX_get_authz_data(s_ctx,
+			TLSEXT_AUTHZDATAFORMAT_audit_proof, &proof_length);
+		if (proof != NULL)
+			{
+			/* Store a local copy. */
+			c_expected.expected_proof = OPENSSL_malloc(proof_length);
+			c_expected.expected_proof_length = proof_length;
+			memcpy(c_expected.expected_proof, proof, proof_length);
+			}
+		c_expected.require = c_require_proof;
+		SSL_CTX_set_tlsext_authz_server_audit_proof_cb(c_ctx,
+			audit_proof_cb);
+		SSL_CTX_set_tlsext_authz_server_audit_proof_cb_arg(c_ctx,
+			&c_expected);
+		}
+#endif
 
 	c_ssl=SSL_new(c_ctx);
 	s_ssl=SSL_new(s_ctx);
@@ -1138,6 +1253,10 @@ end:
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE_cleanup();
 #endif
+#ifndef OPENSSL_NO_TLSEXT
+	if (c_expected.expected_proof != NULL)
+		OPENSSL_free(c_expected.expected_proof);
+#endif
 	CRYPTO_cleanup_all_ex_data();
 	ERR_free_strings();
 	ERR_remove_thread_state(NULL);