resolve conflicts

author: djm <> 2005-04-29 05:39:33 +0000
committer: djm <> 2005-04-29 05:39:33 +0000
commit: 68edd00d9258df93b1366c71ac124e0cadf7bc08 (patch)
tree: 3ce4ae2a9747bbc11aed1f95f9bbea92c41f8683 /src/lib/libssl/src/ssl/ssltest.c
parent: f396ed0f5ce0af56bfde2e75e15cf1f52924c779 (diff)
download: openbsd-68edd00d9258df93b1366c71ac124e0cadf7bc08.tar.gz
openbsd-68edd00d9258df93b1366c71ac124e0cadf7bc08.tar.bz2
openbsd-68edd00d9258df93b1366c71ac124e0cadf7bc08.zip
1 files changed, 516 insertions, 22 deletions
diff --git a/src/lib/libssl/src/ssl/ssltest.c b/src/lib/libssl/src/ssl/ssltest.c
index 033f309ffe..3a0db0cb51 100644
--- a/src/lib/libssl/src/ssl/ssltest.c
+++ b/src/lib/libssl/src/ssl/ssltest.c
@@ -120,6 +120,7 @@
 #include <string.h>
 #include <time.h>
 #include <inttypes.h>
+#include <ctype.h>
 #define USE_SOCKETS
 #include "e_os.h"
@@ -128,12 +129,14 @@
 #include <openssl/crypto.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 #include <openssl/ssl.h>
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
 #include <openssl/err.h>
 #include <openssl/rand.h>
+#include <openssl/fips.h>
 #define _XOPEN_SOURCE_EXTENDED  1 /* Or gethostname won't be declared properly
                                     on Compaq platforms (at least with DEC C).
@@ -169,8 +172,15 @@ static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
 static void free_tmp_rsa(void);
 #endif
 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
-#define APP_CALLBACK "Test Callback Argument"
+#define APP_CALLBACK_STRING "Test Callback Argument"
-static char *app_verify_arg = APP_CALLBACK;
+struct app_verify_arg
+        {
+        char *string;
+        int app_verify;
+        int allow_proxy_certs;
+        char *proxy_auth;
+        char *proxy_cond;
+        };
 #ifndef OPENSSL_NO_DH
 static DH *get_dh512(void);
@@ -199,8 +209,14 @@ static void sv_usage(void)
        {
        fprintf(stderr,"usage: ssltest [args ...]\n");
        fprintf(stderr,"\n");
+#ifdef OPENSSL_FIPS
+        fprintf(stderr,"-F             - run test in FIPS mode\n");
+#endif
        fprintf(stderr," -server_auth  - check server certificate\n");
        fprintf(stderr," -client_auth  - do client authentication\n");
+        fprintf(stderr," -proxy        - allow proxy certificates\n");
+        fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
+        fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
        fprintf(stderr," -v            - more output\n");
        fprintf(stderr," -d            - debug output\n");
        fprintf(stderr," -reuse        - use session-id reuse\n");
@@ -350,7 +366,8 @@ int main(int argc, char *argv[])
        int tls1=0,ssl2=0,ssl3=0,ret=1;
        int client_auth=0;
        int server_auth=0,i;
-        int app_verify=0;
+        struct app_verify_arg app_verify_arg =
+                { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
        char *server_cert=TEST_SERVER_CERT;
        char *server_key=NULL;
        char *client_cert=TEST_CLIENT_CERT;
@@ -370,6 +387,10 @@ int main(int argc, char *argv[])
        clock_t s_time = 0, c_time = 0;
        int comp = 0;
        COMP_METHOD *cm = NULL;
+#ifdef OPENSSL_FIPS
+        int fips_mode=0;
+        const char *path=argv[0];
+#endif
        verbose = 0;
        debug = 0;
@@ -401,10 +422,29 @@ int main(int argc, char *argv[])
        while (argc >= 1)
                {
-                if      (strcmp(*argv,"-server_auth") == 0)
+                if(!strcmp(*argv,"-F"))
+                        {
+#ifdef OPENSSL_FIPS
+                        fips_mode=1;
+#else
+                        fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
+                        EXIT(0);
+#endif
+                        }
+                else if (strcmp(*argv,"-server_auth") == 0)
                        server_auth=1;
                else if (strcmp(*argv,"-client_auth") == 0)
                        client_auth=1;
+                else if (strcmp(*argv,"-proxy_auth") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        app_verify_arg.proxy_auth= *(++argv);
+                        }
+                else if (strcmp(*argv,"-proxy_cond") == 0)
+                        {
+                        if (--argc < 1) goto bad;
+                        app_verify_arg.proxy_cond= *(++argv);
+                        }
                else if (strcmp(*argv,"-v") == 0)
                        verbose=1;
                else if (strcmp(*argv,"-d") == 0)
@@ -517,7 +557,11 @@ int main(int argc, char *argv[])
                        }
                else if (strcmp(*argv,"-app_verify") == 0)
                        {
-                        app_verify = 1;
+                        app_verify_arg.app_verify = 1;
+                        }
+                else if (strcmp(*argv,"-proxy") == 0)
+                        {
+                        app_verify_arg.allow_proxy_certs = 1;
                        }
                else
                        {
@@ -535,6 +579,7 @@ bad:
                goto end;
                }
        if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
                {
                fprintf(stderr, "This case cannot work.  Use -f to perform "
@@ -544,6 +589,20 @@ bad:
                EXIT(1);
                }
+#ifdef OPENSSL_FIPS
+        if(fips_mode)
+                {
+                if(!FIPS_mode_set(1,path))
+                        {
+                        ERR_load_crypto_strings();
+                        ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+                        EXIT(1);
+                        }
+                else
+                        fprintf(stderr,"*** IN FIPS MODE ***\n");
+                }
+#endif
        if (print_time)
                {
                if (!bio_pair)
@@ -677,20 +736,14 @@ bad:
                SSL_CTX_set_verify(s_ctx,
                        SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                        verify_callback);
-                if (app_verify) 
+                SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
-                        {
-                        SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg);
-                        }
                }
        if (server_auth)
                {
                BIO_printf(bio_err,"server authentication\n");
                SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
                        verify_callback);
-                if (app_verify) 
+                SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
-                        {
-                        SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg);
-                        }
                }
        
        {
@@ -1472,6 +1525,22 @@ err:
        return(ret);
        }
+static int get_proxy_auth_ex_data_idx(void)
+        {
+        static volatile int idx = -1;
+        if (idx < 0)
+                {
+                CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
+                if (idx < 0)
+                        {
+                        idx = X509_STORE_CTX_get_ex_new_index(0,
+                                "SSLtest for verify callback", NULL,NULL,NULL);
+                        }
+                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
+                }
+        return idx;
+        }
 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
        {
        char *s,buf[256];
@@ -1481,42 +1550,467 @@ static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
        if (s != NULL)
                {
                if (ok)
-                        fprintf(stderr,"depth=%d %s\n",ctx->error_depth,buf);
+                        fprintf(stderr,"depth=%d %s\n",
+                                ctx->error_depth,buf);
                else
+                        {
                        fprintf(stderr,"depth=%d error=%d %s\n",
                                ctx->error_depth,ctx->error,buf);
+                        }
                }
        if (ok == 0)
                {
+                fprintf(stderr,"Error string: %s\n",
+                        X509_verify_cert_error_string(ctx->error));
                switch (ctx->error)
                        {
                case X509_V_ERR_CERT_NOT_YET_VALID:
                case X509_V_ERR_CERT_HAS_EXPIRED:
                case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+                        fprintf(stderr,"  ... ignored.\n");
                        ok=1;
                        }
                }
+        if (ok == 1)
+                {
+                X509 *xs = ctx->current_cert;
+#if 0
+                X509 *xi = ctx->current_issuer;
+#endif
+                if (xs->ex_flags & EXFLAG_PROXY)
+                        {
+                        unsigned int *letters =
+                                X509_STORE_CTX_get_ex_data(ctx,
+                                        get_proxy_auth_ex_data_idx());
+                        if (letters)
+                                {
+                                int found_any = 0;
+                                int i;
+                                PROXY_CERT_INFO_EXTENSION *pci =
+                                        X509_get_ext_d2i(xs, NID_proxyCertInfo,
+                                                NULL, NULL);
+                                switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
+                                        {
+                                case NID_Independent:
+                                        /* Completely meaningless in this
+                                           program, as there's no way to
+                                           grant explicit rights to a
+                                           specific PrC.  Basically, using
+                                           id-ppl-Independent is the perfect
+                                           way to grant no rights at all. */
+                                        fprintf(stderr, "  Independent proxy certificate");
+                                        for (i = 0; i < 26; i++)
+                                                letters[i] = 0;
+                                        break;
+                                case NID_id_ppl_inheritAll:
+                                        /* This is basically a NOP, we
+                                           simply let the current rights
+                                           stand as they are. */
+                                        fprintf(stderr, "  Proxy certificate inherits all");
+                                        break;
+                                default:
+                                        s = (char *)
+                                                pci->proxyPolicy->policy->data;
+                                        i = pci->proxyPolicy->policy->length;
+                                        /* The algorithm works as follows:
+                                           it is assumed that previous
+                                           iterations or the initial granted
+                                           rights has already set some elements
+                                           of `letters'.  What we need to do is
+                                           to clear those that weren't granted
+                                           by the current PrC as well.  The
+                                           easiest way to do this is to add 1
+                                           to all the elements whose letters
+                                           are given with the current policy.
+                                           That way, all elements that are set
+                                           by the current policy and were
+                                           already set by earlier policies and
+                                           through the original grant of rights
+                                           will get the value 2 or higher.
+                                           The last thing to do is to sweep
+                                           through `letters' and keep the
+                                           elements having the value 2 as set,
+                                           and clear all the others. */
+                                        fprintf(stderr, "  Certificate proxy rights = %*.*s", i, i, s);
+                                        while(i-- > 0)
+                                                {
+                                                char c = *s++;
+                                                if (isascii(c) && isalpha(c))
+                                                        {
+                                                        if (islower(c))
+                                                                c = toupper(c);
+                                                        letters[c - 'A']++;
+                                                        }
+                                                }
+                                        for (i = 0; i < 26; i++)
+                                                if (letters[i] < 2)
+                                                        letters[i] = 0;
+                                                else
+                                                        letters[i] = 1;
+                                        }
+                                found_any = 0;
+                                fprintf(stderr,
+                                        ", resulting proxy rights = ");
+                                for(i = 0; i < 26; i++)
+                                        if (letters[i])
+                                                {
+                                                fprintf(stderr, "%c", i + 'A');
+                                                found_any = 1;
+                                                }
+                                if (!found_any)
+                                        fprintf(stderr, "none");
+                                fprintf(stderr, "\n");
+                                PROXY_CERT_INFO_EXTENSION_free(pci);
+                                }
+                        }
+                }
        return(ok);
        }
+static void process_proxy_debug(int indent, const char *format, ...)
+        {
+        static const char indentation[] =
+                ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
+                ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
+        char my_format[256];
+        va_list args;
+        BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
+                indent, indent, indentation, format);
+        va_start(args, format);
+        vfprintf(stderr, my_format, args);
+        va_end(args);
+        }
+/* Priority levels:
+   0    [!]var, ()
+   1    & ^
+   2    |
+*/
+static int process_proxy_cond_adders(unsigned int letters[26],
+        const char *cond, const char **cond_end, int *pos, int indent);
+static int process_proxy_cond_val(unsigned int letters[26],
+        const char *cond, const char **cond_end, int *pos, int indent)
+        {
+        char c;
+        int ok = 1;
+        int negate = 0;
+        while(isspace(*cond))
+                {
+                cond++; (*pos)++;
+                }
+        c = *cond;
+        if (debug)
+                process_proxy_debug(indent,
+                        "Start process_proxy_cond_val at position %d: %s\n",
+                        *pos, cond);
+        while(c == '!')
+                {
+                negate = !negate;
+                cond++; (*pos)++;
+                while(isspace(*cond))
+                        {
+                        cond++; (*pos)++;
+                        }
+                c = *cond;
+                }
+        if (c == '(')
+                {
+                cond++; (*pos)++;
+                ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
+                        indent + 1);
+                cond = *cond_end;
+                if (ok < 0)
+                        goto end;
+                while(isspace(*cond))
+                        {
+                        cond++; (*pos)++;
+                        }
+                c = *cond;
+                if (c != ')')
+                        {
+                        fprintf(stderr,
+                                "Weird condition character in position %d: "
+                                "%c\n", *pos, c);
+                        ok = -1;
+                        goto end;
+                        }
+                cond++; (*pos)++;
+                }
+        else if (isascii(c) && isalpha(c))
+                {
+                if (islower(c))
+                        c = toupper(c);
+                ok = letters[c - 'A'];
+                cond++; (*pos)++;
+                }
+        else
+                {
+                fprintf(stderr,
+                        "Weird condition character in position %d: "
+                        "%c\n", *pos, c);
+                ok = -1;
+                goto end;
+                }
+ end:
+        *cond_end = cond;
+        if (ok >= 0 && negate)
+                ok = !ok;
+        if (debug)
+                process_proxy_debug(indent,
+                        "End process_proxy_cond_val at position %d: %s, returning %d\n",
+                        *pos, cond, ok);
+        return ok;
+        }
+static int process_proxy_cond_multipliers(unsigned int letters[26],
+        const char *cond, const char **cond_end, int *pos, int indent)
+        {
+        int ok;
+        char c;
+        if (debug)
+                process_proxy_debug(indent,
+                        "Start process_proxy_cond_multipliers at position %d: %s\n",
+                        *pos, cond);
+        ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
+        cond = *cond_end;
+        if (ok < 0)
+                goto end;
+        while(ok >= 0)
+                {
+                while(isspace(*cond))
+                        {
+                        cond++; (*pos)++;
+                        }
+                c = *cond;
+                switch(c)
+                        {
+                case '&':
+                case '^':
+                        {
+                        int save_ok = ok;
+                        cond++; (*pos)++;
+                        ok = process_proxy_cond_val(letters,
+                                cond, cond_end, pos, indent + 1);
+                        cond = *cond_end;
+                        if (ok < 0)
+                                break;
+                        switch(c)
+                                {
+                        case '&':
+                                ok &= save_ok;
+                                break;
+                        case '^':
+                                ok ^= save_ok;
+                                break;
+                        default:
+                                fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
+                                        " STOPPING\n");
+                                EXIT(1);
+                                }
+                        }
+                        break;
+                default:
+                        goto end;
+                        }
+                }
+ end:
+        if (debug)
+                process_proxy_debug(indent,
+                        "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
+                        *pos, cond, ok);
+        *cond_end = cond;
+        return ok;
+        }
+static int process_proxy_cond_adders(unsigned int letters[26],
+        const char *cond, const char **cond_end, int *pos, int indent)
+        {
+        int ok;
+        char c;
+        if (debug)
+                process_proxy_debug(indent,
+                        "Start process_proxy_cond_adders at position %d: %s\n",
+                        *pos, cond);
+        ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
+                indent + 1);
+        cond = *cond_end;
+        if (ok < 0)
+                goto end;
+        while(ok >= 0)
+                {
+                while(isspace(*cond))
+                        {
+                        cond++; (*pos)++;
+                        }
+                c = *cond;
+                switch(c)
+                        {
+                case '|':
+                        {
+                        int save_ok = ok;
+                        cond++; (*pos)++;
+                        ok = process_proxy_cond_multipliers(letters,
+                                cond, cond_end, pos, indent + 1);
+                        cond = *cond_end;
+                        if (ok < 0)
+                                break;
+                        switch(c)
+                                {
+                        case '|':
+                                ok |= save_ok;
+                                break;
+                        default:
+                                fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
+                                        " STOPPING\n");
+                                EXIT(1);
+                                }
+                        }
+                        break;
+                default:
+                        goto end;
+                        }
+                }
+ end:
+        if (debug)
+                process_proxy_debug(indent,
+                        "End process_proxy_cond_adders at position %d: %s, returning %d\n",
+                        *pos, cond, ok);
+        *cond_end = cond;
+        return ok;
+        }
+static int process_proxy_cond(unsigned int letters[26],
+        const char *cond, const char **cond_end)
+        {
+        int pos = 1;
+        return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
+        }
 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
        {
-        char *s = NULL,buf[256];
        int ok=1;
+        struct app_verify_arg *cb_arg = arg;
+        unsigned int letters[26]; /* only used with proxy_auth */
-        fprintf(stderr, "In app_verify_callback, allowing cert. ");
+        if (cb_arg->app_verify)
-        fprintf(stderr, "Arg is: %s\n", (char *)arg);
-        fprintf(stderr, "Finished printing do we have a context? 0x%lx a cert? 0x%lx\n",
-                        (uintptr_t)ctx, (uintptr_t)ctx->cert);
-        if (ctx->cert)
-                s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
-        if (s != NULL)
                {
+                char *s = NULL,buf[256];
+                fprintf(stderr, "In app_verify_callback, allowing cert. ");
+                fprintf(stderr, "Arg is: %s\n", cb_arg->string);
+                fprintf(stderr, "Finished printing do we have a context? 0x%x a cert? 0x%x\n",
+                        (unsigned int)ctx, (unsigned int)ctx->cert);
+                if (ctx->cert)
+                        s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
+                if (s != NULL)
+                        {
                        fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
+                        }
+                return(1);
                }
+        if (cb_arg->proxy_auth)
+                {
+                int found_any = 0, i;
+                char *sp;
+                for(i = 0; i < 26; i++)
+                        letters[i] = 0;
+                for(sp = cb_arg->proxy_auth; *sp; sp++)
+                        {
+                        char c = *sp;
+                        if (isascii(c) && isalpha(c))
+                                {
+                                if (islower(c))
+                                        c = toupper(c);
+                                letters[c - 'A'] = 1;
+                                }
+                        }
+                fprintf(stderr,
+                        "  Initial proxy rights = ");
+                for(i = 0; i < 26; i++)
+                        if (letters[i])
+                                {
+                                fprintf(stderr, "%c", i + 'A');
+                                found_any = 1;
+                                }
+                if (!found_any)
+                        fprintf(stderr, "none");
+                fprintf(stderr, "\n");
+                X509_STORE_CTX_set_ex_data(ctx,
+                        get_proxy_auth_ex_data_idx(),letters);
+                }
+        if (cb_arg->allow_proxy_certs)
+                {
+                X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
+                }
+#ifndef OPENSSL_NO_X509_VERIFY
+# ifdef OPENSSL_FIPS
+        if(s->version == TLS1_VERSION)
+                FIPS_allow_md5(1);
+# endif
+        ok = X509_verify_cert(ctx);
+# ifdef OPENSSL_FIPS
+        if(s->version == TLS1_VERSION)
+                FIPS_allow_md5(0);
+# endif
+#endif
+        if (cb_arg->proxy_auth)
+                {
+                if (ok)
+                        {
+                        const char *cond_end = NULL;
+                        ok = process_proxy_cond(letters,
+                                cb_arg->proxy_cond, &cond_end);
+                        if (ok < 0)
+                                EXIT(3);
+                        if (*cond_end)
+                                {
+                                fprintf(stderr, "Stopped processing condition before it's end.\n");
+                                ok = 0;
+                                }
+                        if (!ok)
+                                fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
+                                        cb_arg->proxy_cond);
+                        else
+                                fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
+                                        cb_arg->proxy_cond);
+                        }
+                }
        return(ok);
        }
author	djm <>	2005-04-29 05:39:33 +0000
committer	djm <>	2005-04-29 05:39:33 +0000
commit	68edd00d9258df93b1366c71ac124e0cadf7bc08 (patch)
tree	3ce4ae2a9747bbc11aed1f95f9bbea92c41f8683 /src/lib/libssl/src/ssl/ssltest.c
parent	f396ed0f5ce0af56bfde2e75e15cf1f52924c779 (diff)
download	openbsd-68edd00d9258df93b1366c71ac124e0cadf7bc08.tar.gz openbsd-68edd00d9258df93b1366c71ac124e0cadf7bc08.tar.bz2 openbsd-68edd00d9258df93b1366c71ac124e0cadf7bc08.zip

diff --git a/src/lib/libssl/src/ssl/ssltest.c b/src/lib/libssl/src/ssl/ssltest.c index 033f309ffe..3a0db0cb51 100644 --- a/src/lib/libssl/src/ssl/ssltest.c +++ b/src/lib/libssl/src/ssl/ssltest.c
@@ -120,6 +120,7 @@
120	#include <string.h>	120	#include <string.h>
121	#include <time.h>	121	#include <time.h>
122	#include <inttypes.h>	122	#include <inttypes.h>
		123	#include <ctype.h>
123		124
124	#define USE_SOCKETS	125	#define USE_SOCKETS
125	#include "e_os.h"	126	#include "e_os.h"
@@ -128,12 +129,14 @@
128	#include <openssl/crypto.h>	129	#include <openssl/crypto.h>
129	#include <openssl/evp.h>	130	#include <openssl/evp.h>
130	#include <openssl/x509.h>	131	#include <openssl/x509.h>
		132	#include <openssl/x509v3.h>
131	#include <openssl/ssl.h>	133	#include <openssl/ssl.h>
132	#ifndef OPENSSL_NO_ENGINE	134	#ifndef OPENSSL_NO_ENGINE
133	#include <openssl/engine.h>	135	#include <openssl/engine.h>
134	#endif	136	#endif
135	#include <openssl/err.h>	137	#include <openssl/err.h>
136	#include <openssl/rand.h>	138	#include <openssl/rand.h>
		139	#include <openssl/fips.h>
137		140
138	#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly	141	#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
139	on Compaq platforms (at least with DEC C).	142	on Compaq platforms (at least with DEC C).
@@ -169,8 +172,15 @@ static RSA MS_CALLBACK tmp_rsa_cb(SSL s, int is_export,int keylength);
169	static void free_tmp_rsa(void);	172	static void free_tmp_rsa(void);
170	#endif	173	#endif
171	static int MS_CALLBACK app_verify_callback(X509_STORE_CTX ctx, void arg);	174	static int MS_CALLBACK app_verify_callback(X509_STORE_CTX ctx, void arg);
172	#define APP_CALLBACK "Test Callback Argument"	175	#define APP_CALLBACK_STRING "Test Callback Argument"
173	static char *app_verify_arg = APP_CALLBACK;	176	struct app_verify_arg
		177	{
		178	char *string;
		179	int app_verify;
		180	int allow_proxy_certs;
		181	char *proxy_auth;
		182	char *proxy_cond;
		183	};
174		184
175	#ifndef OPENSSL_NO_DH	185	#ifndef OPENSSL_NO_DH
176	static DH *get_dh512(void);	186	static DH *get_dh512(void);
@@ -199,8 +209,14 @@ static void sv_usage(void)
199	{	209	{
200	fprintf(stderr,"usage: ssltest [args ...]\n");	210	fprintf(stderr,"usage: ssltest [args ...]\n");
201	fprintf(stderr,"\n");	211	fprintf(stderr,"\n");
		212	#ifdef OPENSSL_FIPS
		213	fprintf(stderr,"-F - run test in FIPS mode\n");
		214	#endif
202	fprintf(stderr," -server_auth - check server certificate\n");	215	fprintf(stderr," -server_auth - check server certificate\n");
203	fprintf(stderr," -client_auth - do client authentication\n");	216	fprintf(stderr," -client_auth - do client authentication\n");
		217	fprintf(stderr," -proxy - allow proxy certificates\n");
		218	fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
		219	fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
204	fprintf(stderr," -v - more output\n");	220	fprintf(stderr," -v - more output\n");
205	fprintf(stderr," -d - debug output\n");	221	fprintf(stderr," -d - debug output\n");
206	fprintf(stderr," -reuse - use session-id reuse\n");	222	fprintf(stderr," -reuse - use session-id reuse\n");
@@ -350,7 +366,8 @@ int main(int argc, char *argv[])
350	int tls1=0,ssl2=0,ssl3=0,ret=1;	366	int tls1=0,ssl2=0,ssl3=0,ret=1;
351	int client_auth=0;	367	int client_auth=0;
352	int server_auth=0,i;	368	int server_auth=0,i;
353	int app_verify=0;	369	struct app_verify_arg app_verify_arg =
		370	{ APP_CALLBACK_STRING, 0, 0, NULL, NULL };
354	char *server_cert=TEST_SERVER_CERT;	371	char *server_cert=TEST_SERVER_CERT;
355	char *server_key=NULL;	372	char *server_key=NULL;
356	char *client_cert=TEST_CLIENT_CERT;	373	char *client_cert=TEST_CLIENT_CERT;
@@ -370,6 +387,10 @@ int main(int argc, char *argv[])
370	clock_t s_time = 0, c_time = 0;	387	clock_t s_time = 0, c_time = 0;
371	int comp = 0;	388	int comp = 0;
372	COMP_METHOD *cm = NULL;	389	COMP_METHOD *cm = NULL;
		390	#ifdef OPENSSL_FIPS
		391	int fips_mode=0;
		392	const char *path=argv[0];
		393	#endif
373		394
374	verbose = 0;	395	verbose = 0;
375	debug = 0;	396	debug = 0;
@@ -401,10 +422,29 @@ int main(int argc, char *argv[])
401		422
402	while (argc >= 1)	423	while (argc >= 1)
403	{	424	{
404	if (strcmp(*argv,"-server_auth") == 0)	425	if(!strcmp(*argv,"-F"))
		426	{
		427	#ifdef OPENSSL_FIPS
		428	fips_mode=1;
		429	#else
		430	fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
		431	EXIT(0);
		432	#endif
		433	}
		434	else if (strcmp(*argv,"-server_auth") == 0)
405	server_auth=1;	435	server_auth=1;
406	else if (strcmp(*argv,"-client_auth") == 0)	436	else if (strcmp(*argv,"-client_auth") == 0)
407	client_auth=1;	437	client_auth=1;
		438	else if (strcmp(*argv,"-proxy_auth") == 0)
		439	{
		440	if (--argc < 1) goto bad;
		441	app_verify_arg.proxy_auth= *(++argv);
		442	}
		443	else if (strcmp(*argv,"-proxy_cond") == 0)
		444	{
		445	if (--argc < 1) goto bad;
		446	app_verify_arg.proxy_cond= *(++argv);
		447	}
408	else if (strcmp(*argv,"-v") == 0)	448	else if (strcmp(*argv,"-v") == 0)
409	verbose=1;	449	verbose=1;
410	else if (strcmp(*argv,"-d") == 0)	450	else if (strcmp(*argv,"-d") == 0)
@@ -517,7 +557,11 @@ int main(int argc, char *argv[])
517	}	557	}
518	else if (strcmp(*argv,"-app_verify") == 0)	558	else if (strcmp(*argv,"-app_verify") == 0)
519	{	559	{
520	app_verify = 1;	560	app_verify_arg.app_verify = 1;
		561	}
		562	else if (strcmp(*argv,"-proxy") == 0)
		563	{
		564	app_verify_arg.allow_proxy_certs = 1;
521	}	565	}
522	else	566	else
523	{	567	{
@@ -535,6 +579,7 @@ bad:
535	goto end;	579	goto end;
536	}	580	}
537		581
		582
538	if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)	583	if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
539	{	584	{
540	fprintf(stderr, "This case cannot work. Use -f to perform "	585	fprintf(stderr, "This case cannot work. Use -f to perform "
@@ -544,6 +589,20 @@ bad:
544	EXIT(1);	589	EXIT(1);
545	}	590	}
546		591
		592	#ifdef OPENSSL_FIPS
		593	if(fips_mode)
		594	{
		595	if(!FIPS_mode_set(1,path))
		596	{
		597	ERR_load_crypto_strings();
		598	ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
		599	EXIT(1);
		600	}
		601	else
		602	fprintf(stderr,"* IN FIPS MODE *\n");
		603	}
		604	#endif
		605
547	if (print_time)	606	if (print_time)
548	{	607	{
549	if (!bio_pair)	608	if (!bio_pair)
@@ -677,20 +736,14 @@ bad:
677	SSL_CTX_set_verify(s_ctx,	736	SSL_CTX_set_verify(s_ctx,
678	SSL_VERIFY_PEER\|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,	737	SSL_VERIFY_PEER\|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
679	verify_callback);	738	verify_callback);
680	if (app_verify)	739	SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
681	{
682	SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg);
683	}
684	}	740	}
685	if (server_auth)	741	if (server_auth)
686	{	742	{
687	BIO_printf(bio_err,"server authentication\n");	743	BIO_printf(bio_err,"server authentication\n");
688	SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,	744	SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
689	verify_callback);	745	verify_callback);
690	if (app_verify)	746	SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
691	{
692	SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg);
693	}
694	}	747	}
695		748
696	{	749	{
@@ -1472,6 +1525,22 @@ err:
1472	return(ret);	1525	return(ret);
1473	}	1526	}
1474		1527
		1528	static int get_proxy_auth_ex_data_idx(void)
		1529	{
		1530	static volatile int idx = -1;
		1531	if (idx < 0)
		1532	{
		1533	CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
		1534	if (idx < 0)
		1535	{
		1536	idx = X509_STORE_CTX_get_ex_new_index(0,
		1537	"SSLtest for verify callback", NULL,NULL,NULL);
		1538	}
		1539	CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
		1540	}
		1541	return idx;
		1542	}
		1543
1475	static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)	1544	static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1476	{	1545	{
1477	char *s,buf[256];	1546	char *s,buf[256];
@@ -1481,42 +1550,467 @@ static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1481	if (s != NULL)	1550	if (s != NULL)
1482	{	1551	{
1483	if (ok)	1552	if (ok)
1484	fprintf(stderr,"depth=%d %s\n",ctx->error_depth,buf);	1553	fprintf(stderr,"depth=%d %s\n",
		1554	ctx->error_depth,buf);
1485	else	1555	else
		1556	{
1486	fprintf(stderr,"depth=%d error=%d %s\n",	1557	fprintf(stderr,"depth=%d error=%d %s\n",
1487	ctx->error_depth,ctx->error,buf);	1558	ctx->error_depth,ctx->error,buf);
		1559	}
1488	}	1560	}
1489		1561
1490	if (ok == 0)	1562	if (ok == 0)
1491	{	1563	{
		1564	fprintf(stderr,"Error string: %s\n",
		1565	X509_verify_cert_error_string(ctx->error));
1492	switch (ctx->error)	1566	switch (ctx->error)
1493	{	1567	{
1494	case X509_V_ERR_CERT_NOT_YET_VALID:	1568	case X509_V_ERR_CERT_NOT_YET_VALID:
1495	case X509_V_ERR_CERT_HAS_EXPIRED:	1569	case X509_V_ERR_CERT_HAS_EXPIRED:
1496	case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:	1570	case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
		1571	fprintf(stderr," ... ignored.\n");
1497	ok=1;	1572	ok=1;
1498	}	1573	}
1499	}	1574	}
1500		1575
		1576	if (ok == 1)
		1577	{
		1578	X509 *xs = ctx->current_cert;
		1579	#if 0
		1580	X509 *xi = ctx->current_issuer;
		1581	#endif
		1582
		1583	if (xs->ex_flags & EXFLAG_PROXY)
		1584	{
		1585	unsigned int *letters =
		1586	X509_STORE_CTX_get_ex_data(ctx,
		1587	get_proxy_auth_ex_data_idx());
		1588
		1589	if (letters)
		1590	{
		1591	int found_any = 0;
		1592	int i;
		1593	PROXY_CERT_INFO_EXTENSION *pci =
		1594	X509_get_ext_d2i(xs, NID_proxyCertInfo,
		1595	NULL, NULL);
		1596
		1597	switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
		1598	{
		1599	case NID_Independent:
		1600	/* Completely meaningless in this
		1601	program, as there's no way to
		1602	grant explicit rights to a
		1603	specific PrC. Basically, using
		1604	id-ppl-Independent is the perfect
		1605	way to grant no rights at all. */
		1606	fprintf(stderr, " Independent proxy certificate");
		1607	for (i = 0; i < 26; i++)
		1608	letters[i] = 0;
		1609	break;
		1610	case NID_id_ppl_inheritAll:
		1611	/* This is basically a NOP, we
		1612	simply let the current rights
		1613	stand as they are. */
		1614	fprintf(stderr, " Proxy certificate inherits all");
		1615	break;
		1616	default:
		1617	s = (char *)
		1618	pci->proxyPolicy->policy->data;
		1619	i = pci->proxyPolicy->policy->length;
		1620
		1621	/* The algorithm works as follows:
		1622	it is assumed that previous
		1623	iterations or the initial granted
		1624	rights has already set some elements
		1625	of `letters'. What we need to do is
		1626	to clear those that weren't granted
		1627	by the current PrC as well. The
		1628	easiest way to do this is to add 1
		1629	to all the elements whose letters
		1630	are given with the current policy.
		1631	That way, all elements that are set
		1632	by the current policy and were
		1633	already set by earlier policies and
		1634	through the original grant of rights
		1635	will get the value 2 or higher.
		1636	The last thing to do is to sweep
		1637	through `letters' and keep the
		1638	elements having the value 2 as set,
		1639	and clear all the others. */
		1640
		1641	fprintf(stderr, " Certificate proxy rights = %.s", i, i, s);
		1642	while(i-- > 0)
		1643	{
		1644	char c = *s++;
		1645	if (isascii(c) && isalpha(c))
		1646	{
		1647	if (islower(c))
		1648	c = toupper(c);
		1649	letters[c - 'A']++;
		1650	}
		1651	}
		1652	for (i = 0; i < 26; i++)
		1653	if (letters[i] < 2)
		1654	letters[i] = 0;
		1655	else
		1656	letters[i] = 1;
		1657	}
		1658
		1659	found_any = 0;
		1660	fprintf(stderr,
		1661	", resulting proxy rights = ");
		1662	for(i = 0; i < 26; i++)
		1663	if (letters[i])
		1664	{
		1665	fprintf(stderr, "%c", i + 'A');
		1666	found_any = 1;
		1667	}
		1668	if (!found_any)
		1669	fprintf(stderr, "none");
		1670	fprintf(stderr, "\n");
		1671
		1672	PROXY_CERT_INFO_EXTENSION_free(pci);
		1673	}
		1674	}
		1675	}
		1676
1501	return(ok);	1677	return(ok);
1502	}	1678	}
1503		1679
		1680	static void process_proxy_debug(int indent, const char *format, ...)
		1681	{
		1682	static const char indentation[] =
		1683	">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
		1684	">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
		1685	char my_format[256];
		1686	va_list args;
		1687
		1688	BIO_snprintf(my_format, sizeof(my_format), "%.s %s",
		1689	indent, indent, indentation, format);
		1690
		1691	va_start(args, format);
		1692	vfprintf(stderr, my_format, args);
		1693	va_end(args);
		1694	}
		1695	/* Priority levels:
		1696	0 [!]var, ()
		1697	1 & ^
		1698	2 \|
		1699	*/
		1700	static int process_proxy_cond_adders(unsigned int letters[26],
		1701	const char cond, const char cond_end, int pos, int indent);
		1702	static int process_proxy_cond_val(unsigned int letters[26],
		1703	const char cond, const char cond_end, int pos, int indent)
		1704	{
		1705	char c;
		1706	int ok = 1;
		1707	int negate = 0;
		1708
		1709	while(isspace(*cond))
		1710	{
		1711	cond++; (*pos)++;
		1712	}
		1713	c = *cond;
		1714
		1715	if (debug)
		1716	process_proxy_debug(indent,
		1717	"Start process_proxy_cond_val at position %d: %s\n",
		1718	*pos, cond);
		1719
		1720	while(c == '!')
		1721	{
		1722	negate = !negate;
		1723	cond++; (*pos)++;
		1724	while(isspace(*cond))
		1725	{
		1726	cond++; (*pos)++;
		1727	}
		1728	c = *cond;
		1729	}
		1730
		1731	if (c == '(')
		1732	{
		1733	cond++; (*pos)++;
		1734	ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
		1735	indent + 1);
		1736	cond = *cond_end;
		1737	if (ok < 0)
		1738	goto end;
		1739	while(isspace(*cond))
		1740	{
		1741	cond++; (*pos)++;
		1742	}
		1743	c = *cond;
		1744	if (c != ')')
		1745	{
		1746	fprintf(stderr,
		1747	"Weird condition character in position %d: "
		1748	"%c\n", *pos, c);
		1749	ok = -1;
		1750	goto end;
		1751	}
		1752	cond++; (*pos)++;
		1753	}
		1754	else if (isascii(c) && isalpha(c))
		1755	{
		1756	if (islower(c))
		1757	c = toupper(c);
		1758	ok = letters[c - 'A'];
		1759	cond++; (*pos)++;
		1760	}
		1761	else
		1762	{
		1763	fprintf(stderr,
		1764	"Weird condition character in position %d: "
		1765	"%c\n", *pos, c);
		1766	ok = -1;
		1767	goto end;
		1768	}
		1769	end:
		1770	*cond_end = cond;
		1771	if (ok >= 0 && negate)
		1772	ok = !ok;
		1773
		1774	if (debug)
		1775	process_proxy_debug(indent,
		1776	"End process_proxy_cond_val at position %d: %s, returning %d\n",
		1777	*pos, cond, ok);
		1778
		1779	return ok;
		1780	}
		1781	static int process_proxy_cond_multipliers(unsigned int letters[26],
		1782	const char cond, const char cond_end, int pos, int indent)
		1783	{
		1784	int ok;
		1785	char c;
		1786
		1787	if (debug)
		1788	process_proxy_debug(indent,
		1789	"Start process_proxy_cond_multipliers at position %d: %s\n",
		1790	*pos, cond);
		1791
		1792	ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
		1793	cond = *cond_end;
		1794	if (ok < 0)
		1795	goto end;
		1796
		1797	while(ok >= 0)
		1798	{
		1799	while(isspace(*cond))
		1800	{
		1801	cond++; (*pos)++;
		1802	}
		1803	c = *cond;
		1804
		1805	switch(c)
		1806	{
		1807	case '&':
		1808	case '^':
		1809	{
		1810	int save_ok = ok;
		1811
		1812	cond++; (*pos)++;
		1813	ok = process_proxy_cond_val(letters,
		1814	cond, cond_end, pos, indent + 1);
		1815	cond = *cond_end;
		1816	if (ok < 0)
		1817	break;
		1818
		1819	switch(c)
		1820	{
		1821	case '&':
		1822	ok &= save_ok;
		1823	break;
		1824	case '^':
		1825	ok ^= save_ok;
		1826	break;
		1827	default:
		1828	fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
		1829	" STOPPING\n");
		1830	EXIT(1);
		1831	}
		1832	}
		1833	break;
		1834	default:
		1835	goto end;
		1836	}
		1837	}
		1838	end:
		1839	if (debug)
		1840	process_proxy_debug(indent,
		1841	"End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
		1842	*pos, cond, ok);
		1843
		1844	*cond_end = cond;
		1845	return ok;
		1846	}
		1847	static int process_proxy_cond_adders(unsigned int letters[26],
		1848	const char cond, const char cond_end, int pos, int indent)
		1849	{
		1850	int ok;
		1851	char c;
		1852
		1853	if (debug)
		1854	process_proxy_debug(indent,
		1855	"Start process_proxy_cond_adders at position %d: %s\n",
		1856	*pos, cond);
		1857
		1858	ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
		1859	indent + 1);
		1860	cond = *cond_end;
		1861	if (ok < 0)
		1862	goto end;
		1863
		1864	while(ok >= 0)
		1865	{
		1866	while(isspace(*cond))
		1867	{
		1868	cond++; (*pos)++;
		1869	}
		1870	c = *cond;
		1871
		1872	switch(c)
		1873	{
		1874	case '\|':
		1875	{
		1876	int save_ok = ok;
		1877
		1878	cond++; (*pos)++;
		1879	ok = process_proxy_cond_multipliers(letters,
		1880	cond, cond_end, pos, indent + 1);
		1881	cond = *cond_end;
		1882	if (ok < 0)
		1883	break;
		1884
		1885	switch(c)
		1886	{
		1887	case '\|':
		1888	ok \|= save_ok;
		1889	break;
		1890	default:
		1891	fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
		1892	" STOPPING\n");
		1893	EXIT(1);
		1894	}
		1895	}
		1896	break;
		1897	default:
		1898	goto end;
		1899	}
		1900	}
		1901	end:
		1902	if (debug)
		1903	process_proxy_debug(indent,
		1904	"End process_proxy_cond_adders at position %d: %s, returning %d\n",
		1905	*pos, cond, ok);
		1906
		1907	*cond_end = cond;
		1908	return ok;
		1909	}
		1910
		1911	static int process_proxy_cond(unsigned int letters[26],
		1912	const char cond, const char *cond_end)
		1913	{
		1914	int pos = 1;
		1915	return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
		1916	}
		1917
1504	static int MS_CALLBACK app_verify_callback(X509_STORE_CTX ctx, void arg)	1918	static int MS_CALLBACK app_verify_callback(X509_STORE_CTX ctx, void arg)
1505	{	1919	{
1506	char *s = NULL,buf[256];
1507	int ok=1;	1920	int ok=1;
		1921	struct app_verify_arg *cb_arg = arg;
		1922	unsigned int letters[26]; /* only used with proxy_auth */
1508		1923
1509	fprintf(stderr, "In app_verify_callback, allowing cert. ");	1924	if (cb_arg->app_verify)
1510	fprintf(stderr, "Arg is: %s\n", (char *)arg);
1511	fprintf(stderr, "Finished printing do we have a context? 0x%lx a cert? 0x%lx\n",
1512	(uintptr_t)ctx, (uintptr_t)ctx->cert);
1513	if (ctx->cert)
1514	s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
1515	if (s != NULL)
1516	{	1925	{
		1926	char *s = NULL,buf[256];
		1927
		1928	fprintf(stderr, "In app_verify_callback, allowing cert. ");
		1929	fprintf(stderr, "Arg is: %s\n", cb_arg->string);
		1930	fprintf(stderr, "Finished printing do we have a context? 0x%x a cert? 0x%x\n",
		1931	(unsigned int)ctx, (unsigned int)ctx->cert);
		1932	if (ctx->cert)
		1933	s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
		1934	if (s != NULL)
		1935	{
1517	fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);	1936	fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
		1937	}
		1938	return(1);
1518	}	1939	}
		1940	if (cb_arg->proxy_auth)
		1941	{
		1942	int found_any = 0, i;
		1943	char *sp;
		1944
		1945	for(i = 0; i < 26; i++)
		1946	letters[i] = 0;
		1947	for(sp = cb_arg->proxy_auth; *sp; sp++)
		1948	{
		1949	char c = *sp;
		1950	if (isascii(c) && isalpha(c))
		1951	{
		1952	if (islower(c))
		1953	c = toupper(c);
		1954	letters[c - 'A'] = 1;
		1955	}
		1956	}
1519		1957
		1958	fprintf(stderr,
		1959	" Initial proxy rights = ");
		1960	for(i = 0; i < 26; i++)
		1961	if (letters[i])
		1962	{
		1963	fprintf(stderr, "%c", i + 'A');
		1964	found_any = 1;
		1965	}
		1966	if (!found_any)
		1967	fprintf(stderr, "none");
		1968	fprintf(stderr, "\n");
		1969
		1970	X509_STORE_CTX_set_ex_data(ctx,
		1971	get_proxy_auth_ex_data_idx(),letters);
		1972	}
		1973	if (cb_arg->allow_proxy_certs)
		1974	{
		1975	X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
		1976	}
		1977
		1978	#ifndef OPENSSL_NO_X509_VERIFY
		1979	# ifdef OPENSSL_FIPS
		1980	if(s->version == TLS1_VERSION)
		1981	FIPS_allow_md5(1);
		1982	# endif
		1983	ok = X509_verify_cert(ctx);
		1984	# ifdef OPENSSL_FIPS
		1985	if(s->version == TLS1_VERSION)
		1986	FIPS_allow_md5(0);
		1987	# endif
		1988	#endif
		1989
		1990	if (cb_arg->proxy_auth)
		1991	{
		1992	if (ok)
		1993	{
		1994	const char *cond_end = NULL;
		1995
		1996	ok = process_proxy_cond(letters,
		1997	cb_arg->proxy_cond, &cond_end);
		1998
		1999	if (ok < 0)
		2000	EXIT(3);
		2001	if (*cond_end)
		2002	{
		2003	fprintf(stderr, "Stopped processing condition before it's end.\n");
		2004	ok = 0;
		2005	}
		2006	if (!ok)
		2007	fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
		2008	cb_arg->proxy_cond);
		2009	else
		2010	fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
		2011	cb_arg->proxy_cond);
		2012	}
		2013	}
1520	return(ok);	2014	return(ok);
1521	}	2015	}
1522		2016