ssltest: Drop more policy go from this test.

Hopefully that is all. What an absolutely horrid mess.
author: tb <> 2023-04-15 16:50:05 +0000
committer: tb <> 2023-04-15 16:50:05 +0000
commit: 3e1ff76458200d603d89c1acf7741c1c31497902 (patch)
tree: 7f732af46a46e437e08090793711437dec6c441c /src
parent: 8221e1f6e1937082adf9adf85edcd0232abe3aa6 (diff)
download: openbsd-3e1ff76458200d603d89c1acf7741c1c31497902.tar.gz
openbsd-3e1ff76458200d603d89c1acf7741c1c31497902.tar.bz2
openbsd-3e1ff76458200d603d89c1acf7741c1c31497902.zip
1 files changed, 21 insertions, 357 deletions
diff --git a/src/regress/lib/libssl/ssl/ssltest.c b/src/regress/lib/libssl/ssl/ssltest.c
index 7ecea2620c..b4b10446e6 100644
--- a/src/regress/lib/libssl/ssl/ssltest.c
+++ b/src/regress/lib/libssl/ssl/ssltest.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ssltest.c,v 1.38 2023/04/15 16:17:57 tb Exp $ */
+/*      $OpenBSD: ssltest.c,v 1.39 2023/04/15 16:50:05 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -157,8 +157,6 @@
 #include <time.h>
 #include <unistd.h>
-#include <ctype.h>
 #include <openssl/opensslconf.h>
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
@@ -183,14 +181,6 @@
 static int verify_callback(int ok, X509_STORE_CTX *ctx);
 static int app_verify_callback(X509_STORE_CTX *ctx, void *arg);
-#define APP_CALLBACK_STRING "Test Callback Argument"
-struct app_verify_arg {
-        char *string;
-        int app_verify;
-        int allow_proxy_certs;
-        char *proxy_auth;
-        char *proxy_cond;
-};
 static DH *get_dh1024(void);
 static DH *get_dh1024dsa(void);
@@ -422,8 +412,7 @@ main(int argc, char *argv[])
        int tls1 = 0, tls1_2 = 0, dtls1 = 0, ret = 1;
        int client_auth = 0;
        int server_auth = 0, i;
-        struct app_verify_arg app_verify_arg =
+        char *app_verify_arg = "Test Callback Argument";
-            { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
        char *server_cert = TEST_SERVER_CERT;
        char *server_key = NULL;
        char *client_cert = TEST_CLIENT_CERT;
@@ -463,15 +452,7 @@ main(int argc, char *argv[])
                        server_auth = 1;
                else if (strcmp(*argv, "-client_auth") == 0)
                        client_auth = 1;
-                else if (strcmp(*argv, "-proxy_auth") == 0) {
+                else if (strcmp(*argv, "-v") == 0)
-                        if (--argc < 1)
-                                goto bad;
-                        app_verify_arg.proxy_auth= *(++argv);
-                } else if (strcmp(*argv, "-proxy_cond") == 0) {
-                        if (--argc < 1)
-                                goto bad;
-                        app_verify_arg.proxy_cond= *(++argv);
-                } else if (strcmp(*argv, "-v") == 0)
                        verbose = 1;
                else if (strcmp(*argv, "-d") == 0)
                        debug = 1;
@@ -557,9 +538,7 @@ main(int argc, char *argv[])
                                goto bad;
                        named_curve = *(++argv);
                } else if (strcmp(*argv, "-app_verify") == 0) {
-                        app_verify_arg.app_verify = 1;
+                        ;
-                } else if (strcmp(*argv, "-proxy") == 0) {
-                        app_verify_arg.allow_proxy_certs = 1;
                } else if (strcmp(*argv, "-alpn_client") == 0) {
                        if (--argc < 1)
                                goto bad;
@@ -697,14 +676,14 @@ bad:
                    SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
                    verify_callback);
                SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback,
-                    &app_verify_arg);
+                    app_verify_arg);
        }
        if (server_auth) {
                BIO_printf(bio_err, "server authentication\n");
                SSL_CTX_set_verify(c_ctx, SSL_VERIFY_PEER,
                    verify_callback);
                SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback,
-                    &app_verify_arg);
+                    app_verify_arg);
        }
        {
@@ -1390,21 +1369,6 @@ err:
 }
 static int
-get_proxy_auth_ex_data_idx(void)
-{
-        static volatile int idx = -1;
-        if (idx < 0) {
-                CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
-                if (idx < 0) {
-                        idx = X509_STORE_CTX_get_ex_new_index(0,
-                            "SSLtest for verify callback", NULL, NULL, NULL);
-                }
-                CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
-        }
-        return idx;
-}
-static int
 verify_callback(int ok, X509_STORE_CTX *ctx)
 {
        X509 *xs;
@@ -1439,326 +1403,26 @@ verify_callback(int ok, X509_STORE_CTX *ctx)
        return (ok);
 }
-static void
-process_proxy_debug(int indent, const char *format, ...)
-{
-        static const char indentation[] =
-            ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
-            ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
-        char my_format[256];
-        va_list args;
-        (void) snprintf(my_format, sizeof(my_format), "%*.*s %s",
-            indent, indent, indentation, format);
-        va_start(args, format);
-        vfprintf(stderr, my_format, args);
-        va_end(args);
-}
-/* Priority levels:
-   0    [!]var, ()
-   1    & ^
-   2    |
-*/
-static int process_proxy_cond_adders(unsigned int letters[26],
-    const char *cond, const char **cond_end, int *pos, int indent);
-static int
-process_proxy_cond_val(unsigned int letters[26], const char *cond,
-    const char **cond_end, int *pos, int indent)
-{
-        int c;
-        int ok = 1;
-        int negate = 0;
-        while (isspace((int)*cond)) {
-                cond++;
-                (*pos)++;
-        }
-        c = *cond;
-        if (debug)
-                process_proxy_debug(indent,
-                    "Start process_proxy_cond_val at position %d: %s\n",
-                    *pos, cond);
-        while (c == '!') {
-                negate = !negate;
-                cond++;
-                (*pos)++;
-                while (isspace((int)*cond)) {
-                        cond++;
-                        (*pos)++;
-                }
-                c = *cond;
-        }
-        if (c == '(') {
-                cond++;
-                (*pos)++;
-                ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
-                    indent + 1);
-                cond = *cond_end;
-                if (ok < 0)
-                        goto end;
-                while (isspace((int)*cond)) {
-                        cond++;
-                        (*pos)++;
-                }
-                c = *cond;
-                if (c != ')') {
-                        fprintf(stderr,
-                            "Weird condition character in position %d: "
-                            "%c\n", *pos, c);
-                        ok = -1;
-                        goto end;
-                }
-                cond++;
-                (*pos)++;
-        } else if (isascii(c) && isalpha(c)) {
-                if (islower(c))
-                        c = toupper(c);
-                ok = letters[c - 'A'];
-                cond++;
-                (*pos)++;
-        } else {
-                fprintf(stderr,
-                    "Weird condition character in position %d: "
-                    "%c\n", *pos, c);
-                ok = -1;
-                goto end;
-        }
-end:
-        *cond_end = cond;
-        if (ok >= 0 && negate)
-                ok = !ok;
-        if (debug)
-                process_proxy_debug(indent,
-                    "End process_proxy_cond_val at position %d: %s, returning %d\n",
-                    *pos, cond, ok);
-        return ok;
-}
-static int
-process_proxy_cond_multipliers(unsigned int letters[26], const char *cond,
-    const char **cond_end, int *pos, int indent)
-{
-        int ok;
-        char c;
-        if (debug)
-                process_proxy_debug(indent,
-                    "Start process_proxy_cond_multipliers at position %d: %s\n",
-                    *pos, cond);
-        ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
-        cond = *cond_end;
-        if (ok < 0)
-                goto end;
-        while (ok >= 0) {
-                while (isspace((int)*cond)) {
-                        cond++;
-                        (*pos)++;
-                }
-                c = *cond;
-                switch (c) {
-                case '&':
-                case '^':
-                        {
-                                int save_ok = ok;
-                                cond++;
-                                (*pos)++;
-                                ok = process_proxy_cond_val(letters,
-                                    cond, cond_end, pos, indent + 1);
-                                cond = *cond_end;
-                                if (ok < 0)
-                                        break;
-                                switch (c) {
-                                case '&':
-                                        ok &= save_ok;
-                                        break;
-                                case '^':
-                                        ok ^= save_ok;
-                                        break;
-                                default:
-                                        fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
-                                            " STOPPING\n");
-                                        exit(1);
-                                }
-                        }
-                        break;
-                default:
-                        goto end;
-                }
-        }
-end:
-        if (debug)
-                process_proxy_debug(indent,
-                    "End process_proxy_cond_multipliers at position %d: %s, "
-                    "returning %d\n",
-                    *pos, cond, ok);
-        *cond_end = cond;
-        return ok;
-}
-static int
-process_proxy_cond_adders(unsigned int letters[26], const char *cond,
-    const char **cond_end, int *pos, int indent)
-{
-        int ok;
-        char c;
-        if (debug)
-                process_proxy_debug(indent,
-                    "Start process_proxy_cond_adders at position %d: %s\n",
-                    *pos, cond);
-        ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
-            indent + 1);
-        cond = *cond_end;
-        if (ok < 0)
-                goto end;
-        while (ok >= 0) {
-                while (isspace((int)*cond)) {
-                        cond++;
-                        (*pos)++;
-                }
-                c = *cond;
-                switch (c) {
-                case '|':
-                        {
-                                int save_ok = ok;
-                                cond++;
-                                (*pos)++;
-                                ok = process_proxy_cond_multipliers(letters,
-                                    cond, cond_end, pos, indent + 1);
-                                cond = *cond_end;
-                                if (ok < 0)
-                                        break;
-                                switch (c) {
-                                case '|':
-                                        ok |= save_ok;
-                                        break;
-                                default:
-                                        fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
-                                            " STOPPING\n");
-                                        exit(1);
-                                }
-                        }
-                        break;
-                default:
-                        goto end;
-                }
-        }
-end:
-        if (debug)
-                process_proxy_debug(indent,
-                    "End process_proxy_cond_adders at position %d: %s, returning %d\n",
-                    *pos, cond, ok);
-        *cond_end = cond;
-        return ok;
-}
-static int
-process_proxy_cond(unsigned int letters[26], const char *cond,
-    const char **cond_end)
-{
-        int pos = 1;
-        return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
-}
 static int
 app_verify_callback(X509_STORE_CTX *ctx, void *arg)
 {
-        int ok = 1;
+        X509 *xs;
-        struct app_verify_arg *cb_arg = arg;
+        char *s = NULL, buf[256];
-        unsigned int letters[26]; /* only used with proxy_auth */
+        const char *cb_arg = arg;
-        if (cb_arg->app_verify) {
+        xs = X509_STORE_CTX_get0_cert(ctx);
-                X509 *xs;
+        fprintf(stderr, "In app_verify_callback, allowing cert. ");
-                char *s = NULL, buf[256];
+        fprintf(stderr, "Arg is: %s\n", cb_arg);
+        fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
-                xs = X509_STORE_CTX_get0_cert(ctx);
+            (void *)ctx, (void *)xs);
-                fprintf(stderr, "In app_verify_callback, allowing cert. ");
+        if (xs)
-                fprintf(stderr, "Arg is: %s\n", cb_arg->string);
+                s = X509_NAME_oneline(X509_get_subject_name(xs), buf, 256);
-                fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
+        if (s != NULL) {
-                    (void *)ctx, (void *)xs);
+                fprintf(stderr, "cert depth=%d %s\n",
-                if (xs)
+                    X509_STORE_CTX_get_error_depth(ctx), buf);
-                        s = X509_NAME_oneline(X509_get_subject_name(xs), buf, 256);
-                if (s != NULL) {
-                        fprintf(stderr, "cert depth=%d %s\n",
-                            X509_STORE_CTX_get_error_depth(ctx), buf);
-                }
-                return (1);
-        }
-        if (cb_arg->proxy_auth) {
-                int found_any = 0, i;
-                char *sp;
-                for (i = 0; i < 26; i++)
-                        letters[i] = 0;
-                for (sp = cb_arg->proxy_auth; *sp; sp++) {
-                        int c = *sp;
-                        if (isascii(c) && isalpha(c)) {
-                                if (islower(c))
-                                        c = toupper(c);
-                                letters[c - 'A'] = 1;
-                        }
-                }
-                fprintf(stderr, "  Initial proxy rights = ");
-                for (i = 0; i < 26; i++)
-                        if (letters[i]) {
-                        fprintf(stderr, "%c", i + 'A');
-                        found_any = 1;
-                }
-                if (!found_any)
-                        fprintf(stderr, "none");
-                fprintf(stderr, "\n");
-                X509_STORE_CTX_set_ex_data(ctx,
-                    get_proxy_auth_ex_data_idx(), letters);
-        }
-        if (cb_arg->allow_proxy_certs) {
-                X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
        }
-        ok = X509_verify_cert(ctx);
+        return 1;
-        if (cb_arg->proxy_auth) {
-                if (ok > 0) {
-                        const char *cond_end = NULL;
-                        ok = process_proxy_cond(letters,
-                            cb_arg->proxy_cond, &cond_end);
-                        if (ok < 0)
-                                exit(3);
-                        if (*cond_end) {
-                                fprintf(stderr, "Stopped processing condition before it's end.\n");
-                                ok = 0;
-                        }
-                        if (!ok)
-                                fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
-                                    cb_arg->proxy_cond);
-                        else
-                                fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
-                                    cb_arg->proxy_cond);
-                }
-        }
-        return (ok);
 }
 /* These DH parameters have been generated as follows:
author	tb <>	2023-04-15 16:50:05 +0000
committer	tb <>	2023-04-15 16:50:05 +0000
commit	3e1ff76458200d603d89c1acf7741c1c31497902 (patch)
tree	7f732af46a46e437e08090793711437dec6c441c /src
parent	8221e1f6e1937082adf9adf85edcd0232abe3aa6 (diff)
download	openbsd-3e1ff76458200d603d89c1acf7741c1c31497902.tar.gz openbsd-3e1ff76458200d603d89c1acf7741c1c31497902.tar.bz2 openbsd-3e1ff76458200d603d89c1acf7741c1c31497902.zip

diff --git a/src/regress/lib/libssl/ssl/ssltest.c b/src/regress/lib/libssl/ssl/ssltest.c index 7ecea2620c..b4b10446e6 100644 --- a/src/regress/lib/libssl/ssl/ssltest.c +++ b/src/regress/lib/libssl/ssl/ssltest.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ssltest.c,v 1.38 2023/04/15 16:17:57 tb Exp $ */	1	/* $OpenBSD: ssltest.c,v 1.39 2023/04/15 16:50:05 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -157,8 +157,6 @@
157	#include <time.h>	157	#include <time.h>
158	#include <unistd.h>	158	#include <unistd.h>
159		159
160	#include <ctype.h>
161
162	#include <openssl/opensslconf.h>	160	#include <openssl/opensslconf.h>
163	#include <openssl/bio.h>	161	#include <openssl/bio.h>
164	#include <openssl/crypto.h>	162	#include <openssl/crypto.h>
@@ -183,14 +181,6 @@
183		181
184	static int verify_callback(int ok, X509_STORE_CTX *ctx);	182	static int verify_callback(int ok, X509_STORE_CTX *ctx);
185	static int app_verify_callback(X509_STORE_CTX ctx, void arg);	183	static int app_verify_callback(X509_STORE_CTX ctx, void arg);
186	#define APP_CALLBACK_STRING "Test Callback Argument"
187	struct app_verify_arg {
188	char *string;
189	int app_verify;
190	int allow_proxy_certs;
191	char *proxy_auth;
192	char *proxy_cond;
193	};
194		184
195	static DH *get_dh1024(void);	185	static DH *get_dh1024(void);
196	static DH *get_dh1024dsa(void);	186	static DH *get_dh1024dsa(void);
@@ -422,8 +412,7 @@ main(int argc, char *argv[])
422	int tls1 = 0, tls1_2 = 0, dtls1 = 0, ret = 1;	412	int tls1 = 0, tls1_2 = 0, dtls1 = 0, ret = 1;
423	int client_auth = 0;	413	int client_auth = 0;
424	int server_auth = 0, i;	414	int server_auth = 0, i;
425	struct app_verify_arg app_verify_arg =	415	char *app_verify_arg = "Test Callback Argument";
426	{ APP_CALLBACK_STRING, 0, 0, NULL, NULL };
427	char *server_cert = TEST_SERVER_CERT;	416	char *server_cert = TEST_SERVER_CERT;
428	char *server_key = NULL;	417	char *server_key = NULL;
429	char *client_cert = TEST_CLIENT_CERT;	418	char *client_cert = TEST_CLIENT_CERT;
@@ -463,15 +452,7 @@ main(int argc, char *argv[])
463	server_auth = 1;	452	server_auth = 1;
464	else if (strcmp(*argv, "-client_auth") == 0)	453	else if (strcmp(*argv, "-client_auth") == 0)
465	client_auth = 1;	454	client_auth = 1;
466	else if (strcmp(*argv, "-proxy_auth") == 0) {	455	else if (strcmp(*argv, "-v") == 0)
467	if (--argc < 1)
468	goto bad;
469	app_verify_arg.proxy_auth= *(++argv);
470	} else if (strcmp(*argv, "-proxy_cond") == 0) {
471	if (--argc < 1)
472	goto bad;
473	app_verify_arg.proxy_cond= *(++argv);
474	} else if (strcmp(*argv, "-v") == 0)
475	verbose = 1;	456	verbose = 1;
476	else if (strcmp(*argv, "-d") == 0)	457	else if (strcmp(*argv, "-d") == 0)
477	debug = 1;	458	debug = 1;
@@ -557,9 +538,7 @@ main(int argc, char *argv[])
557	goto bad;	538	goto bad;
558	named_curve = *(++argv);	539	named_curve = *(++argv);
559	} else if (strcmp(*argv, "-app_verify") == 0) {	540	} else if (strcmp(*argv, "-app_verify") == 0) {
560	app_verify_arg.app_verify = 1;	541	;
561	} else if (strcmp(*argv, "-proxy") == 0) {
562	app_verify_arg.allow_proxy_certs = 1;
563	} else if (strcmp(*argv, "-alpn_client") == 0) {	542	} else if (strcmp(*argv, "-alpn_client") == 0) {
564	if (--argc < 1)	543	if (--argc < 1)
565	goto bad;	544	goto bad;
@@ -697,14 +676,14 @@ bad:
697	SSL_VERIFY_PEER\|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,	676	SSL_VERIFY_PEER\|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
698	verify_callback);	677	verify_callback);
699	SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback,	678	SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback,
700	&app_verify_arg);	679	app_verify_arg);
701	}	680	}
702	if (server_auth) {	681	if (server_auth) {
703	BIO_printf(bio_err, "server authentication\n");	682	BIO_printf(bio_err, "server authentication\n");
704	SSL_CTX_set_verify(c_ctx, SSL_VERIFY_PEER,	683	SSL_CTX_set_verify(c_ctx, SSL_VERIFY_PEER,
705	verify_callback);	684	verify_callback);
706	SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback,	685	SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback,
707	&app_verify_arg);	686	app_verify_arg);
708	}	687	}
709		688
710	{	689	{
@@ -1390,21 +1369,6 @@ err:
1390	}	1369	}
1391		1370
1392	static int	1371	static int
1393	get_proxy_auth_ex_data_idx(void)
1394	{
1395	static volatile int idx = -1;
1396	if (idx < 0) {
1397	CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1398	if (idx < 0) {
1399	idx = X509_STORE_CTX_get_ex_new_index(0,
1400	"SSLtest for verify callback", NULL, NULL, NULL);
1401	}
1402	CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1403	}
1404	return idx;
1405	}
1406
1407	static int
1408	verify_callback(int ok, X509_STORE_CTX *ctx)	1372	verify_callback(int ok, X509_STORE_CTX *ctx)
1409	{	1373	{
1410	X509 *xs;	1374	X509 *xs;
@@ -1439,326 +1403,26 @@ verify_callback(int ok, X509_STORE_CTX *ctx)
1439	return (ok);	1403	return (ok);
1440	}	1404	}
1441		1405
1442	static void
1443	process_proxy_debug(int indent, const char *format, ...)
1444	{
1445	static const char indentation[] =
1446	">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
1447	">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
1448	char my_format[256];
1449	va_list args;
1450
1451	(void) snprintf(my_format, sizeof(my_format), "%.s %s",
1452	indent, indent, indentation, format);
1453
1454	va_start(args, format);
1455	vfprintf(stderr, my_format, args);
1456	va_end(args);
1457	}
1458	/* Priority levels:
1459	0 [!]var, ()
1460	1 & ^
1461	2 \|
1462	*/
1463	static int process_proxy_cond_adders(unsigned int letters[26],
1464	const char cond, const char cond_end, int pos, int indent);
1465
1466	static int
1467	process_proxy_cond_val(unsigned int letters[26], const char *cond,
1468	const char *cond_end, int pos, int indent)
1469	{
1470	int c;
1471	int ok = 1;
1472	int negate = 0;
1473
1474	while (isspace((int)*cond)) {
1475	cond++;
1476	(*pos)++;
1477	}
1478	c = *cond;
1479
1480	if (debug)
1481	process_proxy_debug(indent,
1482	"Start process_proxy_cond_val at position %d: %s\n",
1483	*pos, cond);
1484
1485	while (c == '!') {
1486	negate = !negate;
1487	cond++;
1488	(*pos)++;
1489	while (isspace((int)*cond)) {
1490	cond++;
1491	(*pos)++;
1492	}
1493	c = *cond;
1494	}
1495
1496	if (c == '(') {
1497	cond++;
1498	(*pos)++;
1499	ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
1500	indent + 1);
1501	cond = *cond_end;
1502	if (ok < 0)
1503	goto end;
1504	while (isspace((int)*cond)) {
1505	cond++;
1506	(*pos)++;
1507	}
1508	c = *cond;
1509	if (c != ')') {
1510	fprintf(stderr,
1511	"Weird condition character in position %d: "
1512	"%c\n", *pos, c);
1513	ok = -1;
1514	goto end;
1515	}
1516	cond++;
1517	(*pos)++;
1518	} else if (isascii(c) && isalpha(c)) {
1519	if (islower(c))
1520	c = toupper(c);
1521	ok = letters[c - 'A'];
1522	cond++;
1523	(*pos)++;
1524	} else {
1525	fprintf(stderr,
1526	"Weird condition character in position %d: "
1527	"%c\n", *pos, c);
1528	ok = -1;
1529	goto end;
1530	}
1531	end:
1532	*cond_end = cond;
1533	if (ok >= 0 && negate)
1534	ok = !ok;
1535
1536	if (debug)
1537	process_proxy_debug(indent,
1538	"End process_proxy_cond_val at position %d: %s, returning %d\n",
1539	*pos, cond, ok);
1540
1541	return ok;
1542	}
1543
1544	static int
1545	process_proxy_cond_multipliers(unsigned int letters[26], const char *cond,
1546	const char *cond_end, int pos, int indent)
1547	{
1548	int ok;
1549	char c;
1550
1551	if (debug)
1552	process_proxy_debug(indent,
1553	"Start process_proxy_cond_multipliers at position %d: %s\n",
1554	*pos, cond);
1555
1556	ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
1557	cond = *cond_end;
1558	if (ok < 0)
1559	goto end;
1560
1561	while (ok >= 0) {
1562	while (isspace((int)*cond)) {
1563	cond++;
1564	(*pos)++;
1565	}
1566	c = *cond;
1567
1568	switch (c) {
1569	case '&':
1570	case '^':
1571	{
1572	int save_ok = ok;
1573
1574	cond++;
1575	(*pos)++;
1576	ok = process_proxy_cond_val(letters,
1577	cond, cond_end, pos, indent + 1);
1578	cond = *cond_end;
1579	if (ok < 0)
1580	break;
1581
1582	switch (c) {
1583	case '&':
1584	ok &= save_ok;
1585	break;
1586	case '^':
1587	ok ^= save_ok;
1588	break;
1589	default:
1590	fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
1591	" STOPPING\n");
1592	exit(1);
1593	}
1594	}
1595	break;
1596	default:
1597	goto end;
1598	}
1599	}
1600	end:
1601	if (debug)
1602	process_proxy_debug(indent,
1603	"End process_proxy_cond_multipliers at position %d: %s, "
1604	"returning %d\n",
1605	*pos, cond, ok);
1606
1607	*cond_end = cond;
1608	return ok;
1609	}
1610
1611	static int
1612	process_proxy_cond_adders(unsigned int letters[26], const char *cond,
1613	const char *cond_end, int pos, int indent)
1614	{
1615	int ok;
1616	char c;
1617
1618	if (debug)
1619	process_proxy_debug(indent,
1620	"Start process_proxy_cond_adders at position %d: %s\n",
1621	*pos, cond);
1622
1623	ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
1624	indent + 1);
1625	cond = *cond_end;
1626	if (ok < 0)
1627	goto end;
1628
1629	while (ok >= 0) {
1630	while (isspace((int)*cond)) {
1631	cond++;
1632	(*pos)++;
1633	}
1634	c = *cond;
1635
1636	switch (c) {
1637	case '\|':
1638	{
1639	int save_ok = ok;
1640
1641	cond++;
1642	(*pos)++;
1643	ok = process_proxy_cond_multipliers(letters,
1644	cond, cond_end, pos, indent + 1);
1645	cond = *cond_end;
1646	if (ok < 0)
1647	break;
1648
1649	switch (c) {
1650	case '\|':
1651	ok \|= save_ok;
1652	break;
1653	default:
1654	fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
1655	" STOPPING\n");
1656	exit(1);
1657	}
1658	}
1659	break;
1660	default:
1661	goto end;
1662	}
1663	}
1664	end:
1665	if (debug)
1666	process_proxy_debug(indent,
1667	"End process_proxy_cond_adders at position %d: %s, returning %d\n",
1668	*pos, cond, ok);
1669
1670	*cond_end = cond;
1671	return ok;
1672	}
1673
1674	static int
1675	process_proxy_cond(unsigned int letters[26], const char *cond,
1676	const char **cond_end)
1677	{
1678	int pos = 1;
1679	return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
1680	}
1681
1682	static int	1406	static int
1683	app_verify_callback(X509_STORE_CTX ctx, void arg)	1407	app_verify_callback(X509_STORE_CTX ctx, void arg)
1684	{	1408	{
1685	int ok = 1;	1409	X509 *xs;
1686	struct app_verify_arg *cb_arg = arg;	1410	char *s = NULL, buf[256];
1687	unsigned int letters[26]; /* only used with proxy_auth */	1411	const char *cb_arg = arg;
1688		1412
1689	if (cb_arg->app_verify) {	1413	xs = X509_STORE_CTX_get0_cert(ctx);
1690	X509 *xs;	1414	fprintf(stderr, "In app_verify_callback, allowing cert. ");
1691	char *s = NULL, buf[256];	1415	fprintf(stderr, "Arg is: %s\n", cb_arg);
1692		1416	fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
1693	xs = X509_STORE_CTX_get0_cert(ctx);	1417	(void )ctx, (void )xs);
1694	fprintf(stderr, "In app_verify_callback, allowing cert. ");	1418	if (xs)
1695	fprintf(stderr, "Arg is: %s\n", cb_arg->string);	1419	s = X509_NAME_oneline(X509_get_subject_name(xs), buf, 256);
1696	fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",	1420	if (s != NULL) {
1697	(void )ctx, (void )xs);	1421	fprintf(stderr, "cert depth=%d %s\n",
1698	if (xs)	1422	X509_STORE_CTX_get_error_depth(ctx), buf);
1699	s = X509_NAME_oneline(X509_get_subject_name(xs), buf, 256);
1700	if (s != NULL) {
1701	fprintf(stderr, "cert depth=%d %s\n",
1702	X509_STORE_CTX_get_error_depth(ctx), buf);
1703	}
1704	return (1);
1705	}
1706	if (cb_arg->proxy_auth) {
1707	int found_any = 0, i;
1708	char *sp;
1709
1710	for (i = 0; i < 26; i++)
1711	letters[i] = 0;
1712	for (sp = cb_arg->proxy_auth; *sp; sp++) {
1713	int c = *sp;
1714	if (isascii(c) && isalpha(c)) {
1715	if (islower(c))
1716	c = toupper(c);
1717	letters[c - 'A'] = 1;
1718	}
1719	}
1720
1721	fprintf(stderr, " Initial proxy rights = ");
1722	for (i = 0; i < 26; i++)
1723	if (letters[i]) {
1724	fprintf(stderr, "%c", i + 'A');
1725	found_any = 1;
1726	}
1727	if (!found_any)
1728	fprintf(stderr, "none");
1729	fprintf(stderr, "\n");
1730
1731	X509_STORE_CTX_set_ex_data(ctx,
1732	get_proxy_auth_ex_data_idx(), letters);
1733	}
1734	if (cb_arg->allow_proxy_certs) {
1735	X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
1736	}	1423	}
1737		1424
1738	ok = X509_verify_cert(ctx);	1425	return 1;
1739
1740	if (cb_arg->proxy_auth) {
1741	if (ok > 0) {
1742	const char *cond_end = NULL;
1743
1744	ok = process_proxy_cond(letters,
1745	cb_arg->proxy_cond, &cond_end);
1746
1747	if (ok < 0)
1748	exit(3);
1749	if (*cond_end) {
1750	fprintf(stderr, "Stopped processing condition before it's end.\n");
1751	ok = 0;
1752	}
1753	if (!ok)
1754	fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
1755	cb_arg->proxy_cond);
1756	else
1757	fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
1758	cb_arg->proxy_cond);
1759	}
1760	}
1761	return (ok);
1762	}	1426	}
1763		1427
1764	/* These DH parameters have been generated as follows:	1428	/* These DH parameters have been generated as follows: