Engage Applink in mingw. Note that application-side module is not

[openssl.git] / ssl / ssltest.c
diff --git a/ssl/ssltest.c b/ssl/ssltest.c

index e57a8e7540f8f968f263717478f4afe987276bd4..f8e86c3ceb614945085a701ce3781cf8a914a45b 100644 (file)
--- a/ssl/ssltest.c
+++ b/ssl/ssltest.c
@@ -190,6 +190,7 @@ struct app_verify_arg
         {
         char *string;
         int app_verify;
+       int allow_proxy_certs;
         char *proxy_auth;
         char *proxy_cond;
         };
@@ -223,6 +224,7 @@ static void sv_usage(void)
         fprintf(stderr,"\n");
         fprintf(stderr," -server_auth  - check server certificate\n");
         fprintf(stderr," -client_auth  - do client authentication\n");
+       fprintf(stderr," -proxy        - allow proxy certificates\n");
         fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
         fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
         fprintf(stderr," -v            - more output\n");
@@ -383,7 +385,7 @@ int main(int argc, char *argv[])
         int client_auth=0;
         int server_auth=0,i;
         struct app_verify_arg app_verify_arg =
-               { APP_CALLBACK_STRING, 0, NULL, NULL };
+               { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
         char *server_cert=TEST_SERVER_CERT;
         char *server_key=NULL;
         char *client_cert=TEST_CLIENT_CERT;
@@ -580,6 +582,10 @@ int main(int argc, char *argv[])
                         {
                         app_verify_arg.app_verify = 1;
                         }
+               else if (strcmp(*argv,"-proxy") == 0)
+                       {
+                       app_verify_arg.allow_proxy_certs = 1;
+                       }
                 else
                         {
                         fprintf(stderr,"unknown option %s\n",*argv);
@@ -714,36 +720,30 @@ bad:
  #ifndef OPENSSL_NO_ECDH
         if (!no_ecdhe)
                 {
-               ecdh = EC_KEY_new();
-               if (ecdh != NULL)
-                       {
-                       if (named_curve)
-                               {
-                               int nid = OBJ_sn2nid(named_curve);
+               int nid;
  
-                               if (nid == 0)
-                                       {
-                                       BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
-                                       EC_KEY_free(ecdh);
-                                       goto end;
-                                       }
-
-                               ecdh->group = EC_GROUP_new_by_nid(nid);
-                               if (ecdh->group == NULL)
-                                       {
-                                       BIO_printf(bio_err, "unable to create curve (%s)\n", named_curve);
-                                       EC_KEY_free(ecdh);
-                                       goto end;
-                                       }
+               if (named_curve != NULL)
+                       {
+                       nid = OBJ_sn2nid(named_curve);
+                       if (nid == 0)
+                       {
+                               BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
+                               goto end;
                                 }
-                       
-                       if (ecdh->group == NULL)
-                               ecdh->group=EC_GROUP_new_by_nid(NID_sect163r2);
+                       }
+               else
+                       nid = NID_sect163r2;
  
-                       SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
-                       SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
-                       EC_KEY_free(ecdh);
+               ecdh = EC_KEY_new_by_curve_name(nid);
+               if (ecdh == NULL)
+                       {
+                       BIO_printf(bio_err, "unable to create curve\n");
+                       goto end;
                         }
+
+               SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
+               SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
+               EC_KEY_free(ecdh);
                 }
  #else
         (void)no_ecdhe;
@@ -1606,17 +1606,22 @@ static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
                         fprintf(stderr,"depth=%d %s\n",
                                 ctx->error_depth,buf);
                 else
+                       {
                         fprintf(stderr,"depth=%d error=%d %s\n",
                                 ctx->error_depth,ctx->error,buf);
+                       }
                 }
  
         if (ok == 0)
                 {
+               fprintf(stderr,"Error string: %s\n",
+                       X509_verify_cert_error_string(ctx->error));
                 switch (ctx->error)
                         {
                 case X509_V_ERR_CERT_NOT_YET_VALID:
                 case X509_V_ERR_CERT_HAS_EXPIRED:
                 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+                       fprintf(stderr,"  ... ignored.\n");
                         ok=1;
                         }
                 }
@@ -1975,8 +1980,8 @@ static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
  
                 fprintf(stderr, "In app_verify_callback, allowing cert. ");
                 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
-               fprintf(stderr, "Finished printing do we have a context? 0x%x a cert? 0x%x\n",
-                       (unsigned int)ctx, (unsigned int)ctx->cert);
+               fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
+                       (void *)ctx, (void *)ctx->cert);
                 if (ctx->cert)
                         s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
                 if (s != NULL)
@@ -2018,6 +2023,10 @@ static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
                 X509_STORE_CTX_set_ex_data(ctx,
                         get_proxy_auth_ex_data_idx(),letters);
                 }
+       if (cb_arg->allow_proxy_certs)
+               {
+               X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
+               }
  
  #ifndef OPENSSL_NO_X509_VERIFY
  # ifdef OPENSSL_FIPS