Added restrictions on the use of proxy certificates, as they may pose
[openssl.git] / ssl / ssltest.c
index 698c84a1799cfe7d829fc31fc73c635f4e3bf636..9e565fb8466ed4e1a4db08fc63ecf9a9cbe06ff8 100644 (file)
 
 #define _BSD_SOURCE 1          /* Or gethostname won't be declared properly
                                   on Linux and GNU platforms. */
-#define _XOPEN_SOURCE 1                /* Ot isascii won't be declared properly on
-                                  VMS (at least with DECompHP C).  */
 
 #include <assert.h>
 #include <errno.h>
 #include <stdlib.h>
 #include <string.h>
 #include <time.h>
-#include <ctype.h>
 
 #define USE_SOCKETS
 #include "e_os.h"
 
+#define _XOPEN_SOURCE 1                /* Or isascii won't be declared properly on
+                                  VMS (at least with DECompHP C).  */
+#include <ctype.h>
+
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
 #include <openssl/evp.h>
@@ -189,6 +190,7 @@ struct app_verify_arg
        {
        char *string;
        int app_verify;
+       int allow_proxy_certs;
        char *proxy_auth;
        char *proxy_cond;
        };
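Review bot: The new `allow_proxy_certs` member says nothing about who reads it, and the struct is shared by several verification callbacks, so a short comment on the field would help: `int allow_proxy_certs; /* -proxy: app_verify_callback sets X509_V_FLAG_ALLOW_PROXY_CERTS */`. Zero-by-default is the right choice here, since it keeps proxy certificates rejected unless the test explicitly asks for them, and that is worth stating in the same comment.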
@@ -222,6 +224,7 @@ static void sv_usage(void)
        fprintf(stderr,"\n");
        fprintf(stderr," -server_auth  - check server certificate\n");
        fprintf(stderr," -client_auth  - do client authentication\n");
+       fprintf(stderr," -proxy        - allow proxy certificates\n");
        fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
        fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
        fprintf(stderr," -v            - more output\n");
@@ -382,7 +385,7 @@ int main(int argc, char *argv[])
        int client_auth=0;
        int server_auth=0,i;
        struct app_verify_arg app_verify_arg =
-               { APP_CALLBACK_STRING, 0, NULL, NULL };
+               { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
        char *server_cert=TEST_SERVER_CERT;
        char *server_key=NULL;
        char *client_cert=TEST_CLIENT_CERT;
@@ -579,6 +582,10 @@ int main(int argc, char *argv[])
                        {
                        app_verify_arg.app_verify = 1;
                        }
+               else if (strcmp(*argv,"-proxy") == 0)
+                       {
+                       app_verify_arg.allow_proxy_certs = 1;
+                       }
                else
                        {
                        fprintf(stderr,"unknown option %s\n",*argv);
@@ -1605,17 +1612,22 @@ static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
                        fprintf(stderr,"depth=%d %s\n",
                                ctx->error_depth,buf);
                else
+                       {
                        fprintf(stderr,"depth=%d error=%d %s\n",
                                ctx->error_depth,ctx->error,buf);
+                       }
                }
 
        if (ok == 0)
                {
+               fprintf(stderr,"Error string: %s\n",
+                       X509_verify_cert_error_string(ctx->error));
                switch (ctx->error)
                        {
                case X509_V_ERR_CERT_NOT_YET_VALID:
                case X509_V_ERR_CERT_HAS_EXPIRED:
                case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+                       fprintf(stderr,"  ... ignored.\n");
                        ok=1;
                        }
                }
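Review bot: The `else` branch near the top of the hunk now gets braces around its single `fprintf`, while the matching `if` branch immediately above it (`fprintf(stderr,"depth=%d %s\n", ...)`) is left unbraced; brace both or neither so the two arms read the same. The added `Error string:` and `  ... ignored.` lines are useful, because they make the harness's deliberate acceptance of expired, not-yet-valid and depth-zero self-signed certificates visible on stderr rather than silent, and any other error still leaves `ok` at 0. The body of verify_callback begins before this hunk and its return lies after it.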
@@ -2017,6 +2029,10 @@ static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
                X509_STORE_CTX_set_ex_data(ctx,
                        get_proxy_auth_ex_data_idx(),letters);
                }
+       if (cb_arg->allow_proxy_certs)
+               {
+               X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
+               }
 
 #ifndef OPENSSL_NO_X509_VERIFY
 # ifdef OPENSSL_FIPS
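Review bot: `X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS)` runs inside app_verify_callback, so `-proxy` only affects connections on which this callback has actually been installed on the SSL_CTX; the usage line `-proxy - allow proxy certificates` does not mention that dependency. A comment above the new `if` would make it explicit: `/* -proxy: honoured only where app_verify_callback is installed (presumably the -client_auth/-server_auth setup; confirm) */`. Setting the flag per verification on the X509_STORE_CTX, rather than globally, is the right scope since it leaves the default rejection of proxy certificates in place everywhere else. app_verify_callback starts before this hunk and continues after it.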