resolve conflicts.

crypto/dist/openssl/CHANGES

@@ -2,6 +2,25 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 0.9.7f and 0.9.7g  [11 Apr 2005]
+
+  *) Fixes for newer kerberos headers. NB: the casts are needed because
+     the 'length' field is signed on one version and unsigned on another
+     with no (?) obvious way to tell the difference, without these VC++
+     complains. Also the "definition" of FAR (blank) is no longer included
+     nor is the error ENOMEM. KRB5_PRIVATE has to be set to 1 to pick up
+     some needed definitions.
+     [Steve Henson]
+
+  *) Undo Cygwin change.
+     [Ulf Möller]
+
+  *) Added support for proxy certificates according to RFC 3820.
+     Because they may be a security thread to unaware applications,
+     they must be explicitely allowed in run-time.  See
+     docs/HOWTO/proxy_certificates.txt for further information.
+     [Richard Levitte]
+
  Changes between 0.9.7e and 0.9.7f  [22 Mar 2005]
 
   *) Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating

crypto/dist/openssl/FAQ

@@ -70,7 +70,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.7f was released on March 22, 2005.
+OpenSSL 0.9.7g was released on April 11, 2005.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -792,9 +792,20 @@ that is allocated when an application starts up. Since such tables do not grow
 in size over time they are harmless.
 
 These internal tables can be freed up when an application closes using various
-functions.  Currently these include: EVP_cleanup(), ERR_remove_state(),
-ERR_free_strings(), ENGINE_cleanup(), CONF_modules_unload() and
-CRYPTO_cleanup_all_ex_data().
+functions.  Currently these include following:
+
+Thread-local cleanup functions:
+
+  ERR_remove_state()
+
+Application-global cleanup functions that are aware of usage (and therefore
+thread-safe):
+
+  ENGINE_cleanup() and CONF_modules_unload()
+
+"Brutal" (thread-unsafe) Application-global cleanup functions:
+
+  ERR_free_strings(), EVP_cleanup() and CRYPTO_cleanup_all_ex_data().
 
 
 ===============================================================================

crypto/dist/openssl/crypto/asn1/asn1.h

@@ -823,7 +823,7 @@ BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai,BIGNUM *bn);
 
 /* General */
 /* given a string, return the correct type, max is the maximum length */
-int ASN1_PRINTABLE_type(unsigned char *s, int max);
+int ASN1_PRINTABLE_type(const unsigned char *s, int max);
 
 int i2d_ASN1_bytes(ASN1_STRING *a, unsigned char **pp, int tag, int xclass);
 ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp,

crypto/dist/openssl/crypto/cryptlib.c

@@ -480,13 +480,12 @@ const char *CRYPTO_get_lock_name(int type)
 		return(sk_value(app_locks,type-CRYPTO_NUM_LOCKS));
 	}
 
-#ifdef _DLL
-#ifdef OPENSSL_SYS_WIN32
+#if defined(_WIN32) && defined(_WINDLL)
 
 /* All we really need to do is remove the 'error' state when a thread
  * detaches */
 
-BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason,
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason,
 	     LPVOID lpvReserved)
 	{
 	switch(fdwReason)
@@ -505,8 +504,6 @@ BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason,
 	}
 #endif
 
-#endif
-
 void OpenSSLDie(const char *file,int line,const char *assertion)
 	{
 	fprintf(stderr,

crypto/dist/openssl/crypto/x509/x509.h

@@ -987,18 +987,18 @@ int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type,
 int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type,
 			unsigned char *bytes, int len, int loc, int set);
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne,
-		char *field, int type, unsigned char *bytes, int len);
+		const char *field, int type, const unsigned char *bytes, int len);
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid,
 			int type,unsigned char *bytes, int len);
-int X509_NAME_add_entry_by_txt(X509_NAME *name, char *field, int type,
-			unsigned char *bytes, int len, int loc, int set);
+int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type,
+			const unsigned char *bytes, int len, int loc, int set);
 X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne,
-			ASN1_OBJECT *obj, int type,unsigned char *bytes,
+			ASN1_OBJECT *obj, int type,const unsigned char *bytes,
 			int len);
 int 		X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne,
 			ASN1_OBJECT *obj);
 int 		X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type,
-			unsigned char *bytes, int len);
+			const unsigned char *bytes, int len);
 ASN1_OBJECT *	X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne);
 ASN1_STRING *	X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne);
 

crypto/dist/openssl/crypto/x509/x509_txt.c

@@ -126,6 +126,10 @@ const char *X509_verify_cert_error_string(long n)
 		return ("invalid non-CA certificate (has CA markings)");
 	case X509_V_ERR_PATH_LENGTH_EXCEEDED:
 		return ("path length constraint exceeded");
+	case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
+		return("proxy path length constraint exceeded");
+	case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
+		return("proxy cerificates not allowed, please set the appropriate flag");
 	case X509_V_ERR_INVALID_PURPOSE:
 		return ("unsupported certificate purpose");
 	case X509_V_ERR_CERT_UNTRUSTED:
@@ -142,19 +146,16 @@ const char *X509_verify_cert_error_string(long n)
 		return("authority and issuer serial number mismatch");
 	case X509_V_ERR_KEYUSAGE_NO_CERTSIGN:
 		return("key usage does not include certificate signing");
-
 	case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER:
 		return("unable to get CRL issuer certificate");
-
 	case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION:
 		return("unhandled critical extension");
-
 	case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN:
 		return("key usage does not include CRL signing");
-
+	case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE:
+		return("key usage does not include digital signature");
 	case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION:
 		return("unhandled critical CRL extension");
-
 	default:
 		BIO_snprintf(buf,sizeof buf,"error number %ld",n);
 		return(buf);

crypto/dist/openssl/crypto/x509/x509_vfy.c

@@ -379,6 +379,8 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 	int i, ok=0, must_be_ca;
 	X509 *x;
 	int (*cb)();
+	int proxy_path_length = 0;
+	int allow_proxy_certs = !!(ctx->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);
 	cb=ctx->verify_cb;
 
 	/* must_be_ca can have 1 of 3 values:
@@ -390,6 +392,12 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 	       all certificates in the chain except the leaf certificate.
 	*/
 	must_be_ca = -1;
+
+	/* A hack to keep people who don't want to modify their software
+	   happy */
+	if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
+		allow_proxy_certs = 1;
+
 	/* Check all untrusted certificates */
 	for (i = 0; i < ctx->last_untrusted; i++)
 		{
@@ -404,6 +412,14 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 			ok=cb(0,ctx);
 			if (!ok) goto end;
 			}
+		if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY))
+			{
+			ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
+			ctx->error_depth = i;
+			ctx->current_cert = x;
+			ok=cb(0,ctx);
+			if (!ok) goto end;
+			}
 		ret = X509_check_ca(x);
 		switch(must_be_ca)
 			{
@@ -462,7 +478,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 			}
 		/* Check pathlen */
 		if ((i > 1) && (x->ex_pathlen != -1)
-			   && (i > (x->ex_pathlen + 1)))
+			   && (i > (x->ex_pathlen + proxy_path_length + 1)))
 			{
 			ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
 			ctx->error_depth = i;
@@ -470,8 +486,32 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
 			ok=cb(0,ctx);
 			if (!ok) goto end;
 			}
-		/* The next certificate must be a CA */
-		must_be_ca = 1;
+		/* If this certificate is a proxy certificate, the next
+		   certificate must be another proxy certificate or a EE
+		   certificate.  If not, the next certificate must be a
+		   CA certificate.  */
+		if (x->ex_flags & EXFLAG_PROXY)
+			{
+			PROXY_CERT_INFO_EXTENSION *pci =
+				X509_get_ext_d2i(x, NID_proxyCertInfo,
+					NULL, NULL);
+			if (pci->pcPathLengthConstraint &&
+				ASN1_INTEGER_get(pci->pcPathLengthConstraint)
+				< i)
+				{
+				PROXY_CERT_INFO_EXTENSION_free(pci);
+				ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
+				ctx->error_depth = i;
+				ctx->current_cert = x;
+				ok=cb(0,ctx);
+				if (!ok) goto end;
+				}
+			PROXY_CERT_INFO_EXTENSION_free(pci);
+			proxy_path_length++;
+			must_be_ca = 0;
+			}
+		else
+			must_be_ca = 1;
 		}
 	ok = 1;
  end:
@@ -835,6 +875,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
 			}
 
 		/* The last error (if any) is still in the error value */
+		ctx->current_issuer=xi;
 		ctx->current_cert=xs;
 		ok=(*cb)(1,ctx);
 		if (!ok) goto end;

crypto/dist/openssl/crypto/x509/x509_vfy.h

@@ -274,7 +274,7 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 #define		X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY	6
 #define		X509_V_ERR_CERT_SIGNATURE_FAILURE		7
 #define		X509_V_ERR_CRL_SIGNATURE_FAILURE		8
-#define		X509_V_ERR_CERT_NOT_YET_VALID			9	
+#define		X509_V_ERR_CERT_NOT_YET_VALID			9
 #define		X509_V_ERR_CERT_HAS_EXPIRED			10
 #define		X509_V_ERR_CRL_NOT_YET_VALID			11
 #define		X509_V_ERR_CRL_HAS_EXPIRED			12
@@ -305,6 +305,9 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 #define		X509_V_ERR_KEYUSAGE_NO_CRL_SIGN			35
 #define		X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION	36
 #define		X509_V_ERR_INVALID_NON_CA			37
+#define		X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED		38
+#define		X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE	39
+#define		X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED	40
 
 /* The application is not happy */
 #define		X509_V_ERR_APPLICATION_VERIFICATION		50
@@ -323,6 +326,8 @@ struct x509_store_ctx_st      /* X509_STORE_CTX */
 #define	X509_V_FLAG_IGNORE_CRITICAL		0x10
 /* Disable workarounds for broken certificates */
 #define	X509_V_FLAG_X509_STRICT			0x20
+/* Enable proxy certificate validation */
+#define	X509_V_FLAG_ALLOW_PROXY_CERTS		0x40
 
 int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type,
 	     X509_NAME *name);

crypto/dist/openssl/crypto/x509v3/v3_purp.c

@@ -285,7 +285,8 @@ int X509_supported_extension(X509_EXTENSION *ex)
         	NID_key_usage,		/* 83 */
 		NID_subject_alt_name,	/* 85 */
 		NID_basic_constraints,	/* 87 */
-        	NID_ext_key_usage	/* 126 */
+        	NID_ext_key_usage,	/* 126 */
+		NID_proxyCertInfo	/* 661 */
 	};
 
 	int ex_nid;
@@ -306,6 +307,7 @@ int X509_supported_extension(X509_EXTENSION *ex)
 static void x509v3_cache_extensions(X509 *x)
 {
 	BASIC_CONSTRAINTS *bs;
+	PROXY_CERT_INFO_EXTENSION *pci;
 	ASN1_BIT_STRING *usage;
 	ASN1_BIT_STRING *ns;
 	EXTENDED_KEY_USAGE *extusage;
@@ -334,6 +336,16 @@ static void x509v3_cache_extensions(X509 *x)
 		BASIC_CONSTRAINTS_free(bs);
 		x->ex_flags |= EXFLAG_BCONS;
 	}
+	/* Handle proxy certificates */
+	if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
+		if (x->ex_flags & EXFLAG_CA
+		    || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
+		    || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
+			x->ex_flags |= EXFLAG_INVALID;
+		}
+		PROXY_CERT_INFO_EXTENSION_free(pci);
+		x->ex_flags |= EXFLAG_PROXY;
+	}
 	/* Handle key usage */
 	if((usage=X509_get_ext_d2i(x, NID_key_usage, NULL, NULL))) {
 		if(usage->length > 0) {
@@ -623,7 +635,13 @@ int X509_check_issued(X509 *issuer, X509 *subject)
 				return X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH;
 		}
 	}
-	if(ku_reject(issuer, KU_KEY_CERT_SIGN)) return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
+	if(subject->ex_flags & EXFLAG_PROXY)
+		{
+		if(ku_reject(issuer, KU_DIGITAL_SIGNATURE))
+			return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
+		}
+	else if(ku_reject(issuer, KU_KEY_CERT_SIGN))
+		return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
 	return X509_V_OK;
 }
 

crypto/dist/openssl/doc/crypto/EVP_EncryptInit.pod

@@ -479,6 +479,7 @@ General encryption, decryption function example using FILE I/O and RC2 with an
 		if(!EVP_CipherUpdate(&ctx, outbuf, &outlen, inbuf, inlen))
 			{
 			/* Error */
+			EVP_CIPHER_CTX_cleanup(&ctx);
 			return 0;
 			}
 		fwrite(outbuf, 1, outlen, out);
@@ -486,6 +487,7 @@ General encryption, decryption function example using FILE I/O and RC2 with an
 	if(!EVP_CipherFinal_ex(&ctx, outbuf, &outlen))
 		{
 		/* Error */
+		EVP_CIPHER_CTX_cleanup(&ctx);
 		return 0;
 		}
 	fwrite(outbuf, 1, outlen, out);

crypto/dist/openssl/doc/crypto/EVP_SealInit.pod

@@ -8,8 +8,9 @@ EVP_SealInit, EVP_SealUpdate, EVP_SealFinal - EVP envelope encryption
 
  #include <openssl/evp.h>
 
- int EVP_SealInit(EVP_CIPHER_CTX *ctx, EVP_CIPHER *type, unsigned char **ek,
-		int *ekl, unsigned char *iv,EVP_PKEY **pubk, int npubk);
+ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, 
+		unsigned char **ek, int *ekl, unsigned char *iv,
+		EVP_PKEY **pubk, int npubk);
  int EVP_SealUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out,
          int *outl, unsigned char *in, int inl);
  int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out,

crypto/dist/openssl/doc/ssl/SSL_get_error.pod

@@ -8,7 +8,7 @@ SSL_get_error - obtain result code for TLS/SSL I/O operation
 
  #include <openssl/ssl.h>
 
- int SSL_get_error(SSL *ssl, int ret);
+ int SSL_get_error(const SSL *ssl, int ret);
 
 =head1 DESCRIPTION
 

crypto/dist/openssl/doc/ssl/ssl.pod

@@ -213,7 +213,7 @@ protocol context defined in the B<SSL_CTX> structure.
 
 =item int B<SSL_CTX_add_session>(SSL_CTX *ctx, SSL_SESSION *c);
 
-=item int B<SSL_CTX_check_private_key>(SSL_CTX *ctx);
+=item int B<SSL_CTX_check_private_key>(const SSL_CTX *ctx);
 
 =item long B<SSL_CTX_ctrl>(SSL_CTX *ctx, int cmd, long larg, char *parg);
 
@@ -225,23 +225,23 @@ protocol context defined in the B<SSL_CTX> structure.
 
 =item X509_STORE *B<SSL_CTX_get_cert_store>(SSL_CTX *ctx);
 
-=item STACK *B<SSL_CTX_get_client_CA_list>(SSL_CTX *ctx);
+=item STACK *B<SSL_CTX_get_client_CA_list>(const SSL_CTX *ctx);
 
 =item int (*B<SSL_CTX_get_client_cert_cb>(SSL_CTX *ctx))(SSL *ssl, X509 **x509, EVP_PKEY **pkey);
 
-=item char *B<SSL_CTX_get_ex_data>(SSL_CTX *s, int idx);
+=item char *B<SSL_CTX_get_ex_data>(const SSL_CTX *s, int idx);
 
 =item int B<SSL_CTX_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
 
 =item void (*B<SSL_CTX_get_info_callback>(SSL_CTX *ctx))(SSL *ssl, int cb, int ret);
 
-=item int B<SSL_CTX_get_quiet_shutdown>(SSL_CTX *ctx);
+=item int B<SSL_CTX_get_quiet_shutdown>(const SSL_CTX *ctx);
 
 =item int B<SSL_CTX_get_session_cache_mode>(SSL_CTX *ctx);
 
-=item long B<SSL_CTX_get_timeout>(SSL_CTX *ctx);
+=item long B<SSL_CTX_get_timeout>(const SSL_CTX *ctx);
 
-=item int (*B<SSL_CTX_get_verify_callback>(SSL_CTX *ctx))(int ok, X509_STORE_CTX *ctx);
+=item int (*B<SSL_CTX_get_verify_callback>(const SSL_CTX *ctx))(int ok, X509_STORE_CTX *ctx);
 
 =item int B<SSL_CTX_get_verify_mode>(SSL_CTX *ctx);
 
@@ -383,27 +383,27 @@ sessions defined in the B<SSL_SESSION> structures.
 
 =over 4
 
-=item int B<SSL_SESSION_cmp>(SSL_SESSION *a, SSL_SESSION *b);
+=item int B<SSL_SESSION_cmp>(const SSL_SESSION *a, const SSL_SESSION *b);
 
 =item void B<SSL_SESSION_free>(SSL_SESSION *ss);
 
 =item char *B<SSL_SESSION_get_app_data>(SSL_SESSION *s);
 
-=item char *B<SSL_SESSION_get_ex_data>(SSL_SESSION *s, int idx);
+=item char *B<SSL_SESSION_get_ex_data>(const SSL_SESSION *s, int idx);
 
 =item int B<SSL_SESSION_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
 
-=item long B<SSL_SESSION_get_time>(SSL_SESSION *s);
+=item long B<SSL_SESSION_get_time>(const SSL_SESSION *s);
 
-=item long B<SSL_SESSION_get_timeout>(SSL_SESSION *s);
+=item long B<SSL_SESSION_get_timeout>(const SSL_SESSION *s);
 
-=item unsigned long B<SSL_SESSION_hash>(SSL_SESSION *a);
+=item unsigned long B<SSL_SESSION_hash>(const SSL_SESSION *a);
 
 =item SSL_SESSION *B<SSL_SESSION_new>(void);
 
-=item int B<SSL_SESSION_print>(BIO *bp, SSL_SESSION *x);
+=item int B<SSL_SESSION_print>(BIO *bp, const SSL_SESSION *x);
 
-=item int B<SSL_SESSION_print_fp>(FILE *fp, SSL_SESSION *x);
+=item int B<SSL_SESSION_print_fp>(FILE *fp, const SSL_SESSION *x);
 
 =item void B<SSL_SESSION_set_app_data>(SSL_SESSION *s, char *a);
 
@@ -438,7 +438,7 @@ connection defined in the B<SSL> structure.
 
 =item char *B<SSL_alert_type_string_long>(int value);
 
-=item int B<SSL_check_private_key>(SSL *ssl);
+=item int B<SSL_check_private_key>(const SSL *ssl);
 
 =item void B<SSL_clear>(SSL *ssl);
 
@@ -446,7 +446,7 @@ connection defined in the B<SSL> structure.
 
 =item int B<SSL_connect>(SSL *ssl);
 
-=item void B<SSL_copy_session_id>(SSL *t, SSL *f);
+=item void B<SSL_copy_session_id>(SSL *t, const SSL *f);
 
 =item long B<SSL_ctrl>(SSL *ssl, int cmd, long larg, char *parg);
 
@@ -458,77 +458,77 @@ connection defined in the B<SSL> structure.
 
 =item void B<SSL_free>(SSL *ssl);
 
-=item SSL_CTX *B<SSL_get_SSL_CTX>(SSL *ssl);
+=item SSL_CTX *B<SSL_get_SSL_CTX>(const SSL *ssl);
 
 =item char *B<SSL_get_app_data>(SSL *ssl);
 
-=item X509 *B<SSL_get_certificate>(SSL *ssl);
+=item X509 *B<SSL_get_certificate>(const SSL *ssl);
 
-=item const char *B<SSL_get_cipher>(SSL *ssl);
+=item const char *B<SSL_get_cipher>(const SSL *ssl);
 
-=item int B<SSL_get_cipher_bits>(SSL *ssl, int *alg_bits);
+=item int B<SSL_get_cipher_bits>(const SSL *ssl, int *alg_bits);
 
-=item char *B<SSL_get_cipher_list>(SSL *ssl, int n);
+=item char *B<SSL_get_cipher_list>(const SSL *ssl, int n);
 
-=item char *B<SSL_get_cipher_name>(SSL *ssl);
+=item char *B<SSL_get_cipher_name>(const SSL *ssl);
 
-=item char *B<SSL_get_cipher_version>(SSL *ssl);
+=item char *B<SSL_get_cipher_version>(const SSL *ssl);
 
-=item STACK *B<SSL_get_ciphers>(SSL *ssl);
+=item STACK *B<SSL_get_ciphers>(const SSL *ssl);
 
-=item STACK *B<SSL_get_client_CA_list>(SSL *ssl);
+=item STACK *B<SSL_get_client_CA_list>(const SSL *ssl);
 
 =item SSL_CIPHER *B<SSL_get_current_cipher>(SSL *ssl);
 
-=item long B<SSL_get_default_timeout>(SSL *ssl);
+=item long B<SSL_get_default_timeout>(const SSL *ssl);
 
-=item int B<SSL_get_error>(SSL *ssl, int i);
+=item int B<SSL_get_error>(const SSL *ssl, int i);
 
-=item char *B<SSL_get_ex_data>(SSL *ssl, int idx);
+=item char *B<SSL_get_ex_data>(const SSL *ssl, int idx);
 
 =item int B<SSL_get_ex_data_X509_STORE_CTX_idx>(void);
 
 =item int B<SSL_get_ex_new_index>(long argl, char *argp, int (*new_func);(void), int (*dup_func)(void), void (*free_func)(void))
 
-=item int B<SSL_get_fd>(SSL *ssl);
+=item int B<SSL_get_fd>(const SSL *ssl);
 
-=item void (*B<SSL_get_info_callback>(SSL *ssl);)(void)
+=item void (*B<SSL_get_info_callback>(const SSL *ssl);)()
 
-=item STACK *B<SSL_get_peer_cert_chain>(SSL *ssl);
+=item STACK *B<SSL_get_peer_cert_chain>(const SSL *ssl);
 
-=item X509 *B<SSL_get_peer_certificate>(SSL *ssl);
+=item X509 *B<SSL_get_peer_certificate>(const SSL *ssl);
 
 =item EVP_PKEY *B<SSL_get_privatekey>(SSL *ssl);
 
-=item int B<SSL_get_quiet_shutdown>(SSL *ssl);
+=item int B<SSL_get_quiet_shutdown>(const SSL *ssl);
 
-=item BIO *B<SSL_get_rbio>(SSL *ssl);
+=item BIO *B<SSL_get_rbio>(const SSL *ssl);
 
-=item int B<SSL_get_read_ahead>(SSL *ssl);
+=item int B<SSL_get_read_ahead>(const SSL *ssl);
 
-=item SSL_SESSION *B<SSL_get_session>(SSL *ssl);
+=item SSL_SESSION *B<SSL_get_session>(const SSL *ssl);
 
-=item char *B<SSL_get_shared_ciphers>(SSL *ssl, char *buf, int len);
+=item char *B<SSL_get_shared_ciphers>(const SSL *ssl, char *buf, int len);
 
-=item int B<SSL_get_shutdown>(SSL *ssl);
+=item int B<SSL_get_shutdown>(const SSL *ssl);
 
 =item SSL_METHOD *B<SSL_get_ssl_method>(SSL *ssl);
 
-=item int B<SSL_get_state>(SSL *ssl);
+=item int B<SSL_get_state>(const SSL *ssl);
 
-=item long B<SSL_get_time>(SSL *ssl);
+=item long B<SSL_get_time>(const SSL *ssl);
 
-=item long B<SSL_get_timeout>(SSL *ssl);
+=item long B<SSL_get_timeout>(const SSL *ssl);
 
-=item int (*B<SSL_get_verify_callback>(SSL *ssl);)(void)
+=item int (*B<SSL_get_verify_callback>(const SSL *ssl))(int,X509_STORE_CTX *)
 
-=item int B<SSL_get_verify_mode>(SSL *ssl);
+=item int B<SSL_get_verify_mode>(const SSL *ssl);
 
-=item long B<SSL_get_verify_result>(SSL *ssl);
+=item long B<SSL_get_verify_result>(const SSL *ssl);
 
-=item char *B<SSL_get_version>(SSL *ssl);
+=item char *B<SSL_get_version>(const SSL *ssl);
 
-=item BIO *B<SSL_get_wbio>(SSL *ssl);
+=item BIO *B<SSL_get_wbio>(const SSL *ssl);
 
 =item int B<SSL_in_accept_init>(SSL *ssl);
 
@@ -550,7 +550,7 @@ connection defined in the B<SSL> structure.
 
 =item int B<SSL_peek>(SSL *ssl, void *buf, int num);
 
-=item int B<SSL_pending>(SSL *ssl);
+=item int B<SSL_pending>(const SSL *ssl);
 
 =item int B<SSL_read>(SSL *ssl, void *buf, int num);
 
@@ -610,11 +610,11 @@ connection defined in the B<SSL> structure.
 
 =item int B<SSL_shutdown>(SSL *ssl);
 
-=item int B<SSL_state>(SSL *ssl);
+=item int B<SSL_state>(const SSL *ssl);
 
-=item char *B<SSL_state_string>(SSL *ssl);
+=item char *B<SSL_state_string>(const SSL *ssl);
 
-=item char *B<SSL_state_string_long>(SSL *ssl);
+=item char *B<SSL_state_string_long>(const SSL *ssl);
 
 =item long B<SSL_total_renegotiations>(SSL *ssl);
 
@@ -636,17 +636,17 @@ connection defined in the B<SSL> structure.
 
 =item int B<SSL_use_certificate_file>(SSL *ssl, char *file, int type);
 
-=item int B<SSL_version>(SSL *ssl);
+=item int B<SSL_version>(const SSL *ssl);
 
-=item int B<SSL_want>(SSL *ssl);
+=item int B<SSL_want>(const SSL *ssl);
 
-=item int B<SSL_want_nothing>(SSL *ssl);
+=item int B<SSL_want_nothing>(const SSL *ssl);
 
-=item int B<SSL_want_read>(SSL *ssl);
+=item int B<SSL_want_read>(const SSL *ssl);
 
-=item int B<SSL_want_write>(SSL *ssl);
+=item int B<SSL_want_write>(const SSL *ssl);
 
-=item int B<SSL_want_x509_lookup>(s);
+=item int B<SSL_want_x509_lookup>(const SSL *ssl);
 
 =item int B<SSL_write>(SSL *ssl, const void *buf, int num);
 

crypto/dist/openssl/ssl/s2_lib.c

@@ -263,7 +263,7 @@ SSL_CIPHER *ssl2_get_cipher(unsigned int u)
 		return(NULL);
 	}
 
-int ssl2_pending(SSL *s)
+int ssl2_pending(const SSL *s)
 	{
 	return SSL_in_init(s) ? 0 : s->s2->ract_data_length;
 	}

crypto/dist/openssl/ssl/s3_lib.c

@@ -541,7 +541,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_KRB5_DES_64_CBC_SHA,
 	SSL3_CK_KRB5_DES_64_CBC_SHA,
 	SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
-	SSL_NOT_EXP|SSL_LOW,
+	SSL_NOT_EXP|SSL_LOW|SSL_FIPS,
 	0,
 	56,
 	56,
@@ -555,7 +555,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_KRB5_DES_192_CBC3_SHA,
 	SSL3_CK_KRB5_DES_192_CBC3_SHA,
 	SSL_kKRB5|SSL_aKRB5|  SSL_3DES|SSL_SHA1  |SSL_SSLV3,
-	SSL_NOT_EXP|SSL_HIGH,
+	SSL_NOT_EXP|SSL_HIGH|SSL_FIPS,
 	0,
 	112,
 	168,
@@ -653,7 +653,7 @@ OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={
 	SSL3_TXT_KRB5_DES_40_CBC_SHA,
 	SSL3_CK_KRB5_DES_40_CBC_SHA,
 	SSL_kKRB5|SSL_aKRB5|  SSL_DES|SSL_SHA1   |SSL_SSLV3,
-	SSL_EXPORT|SSL_EXP40,
+	SSL_EXPORT|SSL_EXP40|SSL_FIPS,
 	0,
 	40,
 	56,
@@ -1057,7 +1057,7 @@ SSL_CIPHER *ssl3_get_cipher(unsigned int u)
 		return(NULL);
 	}
 
-int ssl3_pending(SSL *s)
+int ssl3_pending(const SSL *s)
 	{
 	if (s->rstate == SSL_ST_READ_BODY)
 		return 0;

crypto/dist/openssl/ssl/s3_srvr.c

@@ -1594,7 +1594,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
 		n2s(p,i);
 		enc_ticket.length = i;
 
-		if (n < enc_ticket.length + 6)
+		if (n < (long)enc_ticket.length + 6)
 			{
 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
 				SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1607,7 +1607,7 @@ static int ssl3_get_client_key_exchange(SSL *s)
 		n2s(p,i);
 		authenticator.length = i;
 
-		if (n < enc_ticket.length + authenticator.length + 6)
+		if (n < (long)(enc_ticket.length + authenticator.length + 6))
 			{
 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
 				SSL_R_DATA_LENGTH_TOO_LONG);
@@ -1632,8 +1632,8 @@ static int ssl3_get_client_key_exchange(SSL *s)
 			goto err;
 			}
 
-		if (n != enc_ticket.length + authenticator.length +
-						enc_pms.length + 6)
+		if (n != (long)(enc_ticket.length + authenticator.length +
+						enc_pms.length + 6))
 			{
 			SSLerr(SSL_F_SSL3_GET_CLIENT_KEY_EXCHANGE,
 				SSL_R_DATA_LENGTH_TOO_LONG);

crypto/dist/openssl/ssl/ssl.h

@@ -363,7 +363,7 @@ typedef struct ssl_method_st
 	long (*ssl_ctx_ctrl)(SSL_CTX *ctx,int cmd,long larg,void *parg);
 	SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr);
 	int (*put_cipher_by_char)(const SSL_CIPHER *cipher,unsigned char *ptr);
-	int (*ssl_pending)(SSL *s);
+	int (*ssl_pending)(const SSL *s);
 	int (*num_ciphers)(void);
 	SSL_CIPHER *(*get_cipher)(unsigned ncipher);
 	struct ssl_method_st *(*get_ssl_method)(int version);
@@ -958,8 +958,8 @@ extern "C" {
  *   -- that we sent (SSL_get_finished)
  *   -- that we expected from peer (SSL_get_peer_finished).
  * Returns length (0 == no Finished so far), copies up to 'count' bytes. */
-size_t SSL_get_finished(SSL *s, void *buf, size_t count);
-size_t SSL_get_peer_finished(SSL *s, void *buf, size_t count);
+size_t SSL_get_finished(const SSL *s, void *buf, size_t count);
+size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count);
 
 /* use either SSL_VERIFY_NONE or SSL_VERIFY_PEER, the last 2 options
  * are 'ored' with SSL_VERIFY_PEER if they are desired */
@@ -1129,37 +1129,37 @@ int	SSL_CTX_set_cipher_list(SSL_CTX *,const char *str);
 SSL_CTX *SSL_CTX_new(SSL_METHOD *meth);
 void	SSL_CTX_free(SSL_CTX *);
 long SSL_CTX_set_timeout(SSL_CTX *ctx,long t);
-long SSL_CTX_get_timeout(SSL_CTX *ctx);
-X509_STORE *SSL_CTX_get_cert_store(SSL_CTX *);
+long SSL_CTX_get_timeout(const SSL_CTX *ctx);
+X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
 void SSL_CTX_set_cert_store(SSL_CTX *,X509_STORE *);
-int SSL_want(SSL *s);
+int SSL_want(const SSL *s);
 int	SSL_clear(SSL *s);
 
 void	SSL_CTX_flush_sessions(SSL_CTX *ctx,long tm);
 
-SSL_CIPHER *SSL_get_current_cipher(SSL *s);
-int	SSL_CIPHER_get_bits(SSL_CIPHER *c,int *alg_bits);
-char *	SSL_CIPHER_get_version(SSL_CIPHER *c);
-const char *	SSL_CIPHER_get_name(SSL_CIPHER *c);
+SSL_CIPHER *SSL_get_current_cipher(const SSL *s);
+int	SSL_CIPHER_get_bits(const SSL_CIPHER *c,int *alg_bits);
+char *	SSL_CIPHER_get_version(const SSL_CIPHER *c);
+const char *	SSL_CIPHER_get_name(const SSL_CIPHER *c);
 
-int	SSL_get_fd(SSL *s);
-int	SSL_get_rfd(SSL *s);
-int	SSL_get_wfd(SSL *s);
-const char  * SSL_get_cipher_list(SSL *s,int n);
-char *	SSL_get_shared_ciphers(SSL *s, char *buf, int len);
-int	SSL_get_read_ahead(SSL * s);
-int	SSL_pending(SSL *s);
+int	SSL_get_fd(const SSL *s);
+int	SSL_get_rfd(const SSL *s);
+int	SSL_get_wfd(const SSL *s);
+const char  * SSL_get_cipher_list(const SSL *s,int n);
+char *	SSL_get_shared_ciphers(const SSL *s, char *buf, int len);
+int	SSL_get_read_ahead(const SSL * s);
+int	SSL_pending(const SSL *s);
 int	SSL_set_fd(SSL *s, int fd);
 int	SSL_set_rfd(SSL *s, int fd);
 int	SSL_set_wfd(SSL *s, int fd);
 void	SSL_set_bio(SSL *s, BIO *rbio,BIO *wbio);
-BIO *	SSL_get_rbio(SSL *s);
-BIO *	SSL_get_wbio(SSL *s);
+BIO *	SSL_get_rbio(const SSL *s);
+BIO *	SSL_get_wbio(const SSL *s);
 int	SSL_set_cipher_list(SSL *s, const char *str);
 void	SSL_set_read_ahead(SSL *s, int yes);
-int	SSL_get_verify_mode(SSL *s);
-int	SSL_get_verify_depth(SSL *s);
-int	(*SSL_get_verify_callback(SSL *s))(int,X509_STORE_CTX *);
+int	SSL_get_verify_mode(const SSL *s);
+int	SSL_get_verify_depth(const SSL *s);
+int	(*SSL_get_verify_callback(const SSL *s))(int,X509_STORE_CTX *);
 void	SSL_set_verify(SSL *s, int mode,
 		       int (*callback)(int ok,X509_STORE_CTX *ctx));
 void	SSL_set_verify_depth(SSL *s, int depth);
@@ -1188,17 +1188,17 @@ const char *SSL_state_string(const SSL *s);
 const char *SSL_rstate_string(const SSL *s);
 const char *SSL_state_string_long(const SSL *s);
 const char *SSL_rstate_string_long(const SSL *s);
-long	SSL_SESSION_get_time(SSL_SESSION *s);
+long	SSL_SESSION_get_time(const SSL_SESSION *s);
 long	SSL_SESSION_set_time(SSL_SESSION *s, long t);
-long	SSL_SESSION_get_timeout(SSL_SESSION *s);
+long	SSL_SESSION_get_timeout(const SSL_SESSION *s);
 long	SSL_SESSION_set_timeout(SSL_SESSION *s, long t);
-void	SSL_copy_session_id(SSL *to,SSL *from);
+void	SSL_copy_session_id(SSL *to,const SSL *from);
 
 SSL_SESSION *SSL_SESSION_new(void);
-unsigned long SSL_SESSION_hash(SSL_SESSION *a);
-int	SSL_SESSION_cmp(SSL_SESSION *a,SSL_SESSION *b);
-int	SSL_SESSION_print_fp(FILE *fp,SSL_SESSION *ses);
-int	SSL_SESSION_print(BIO *fp,SSL_SESSION *ses);
+unsigned long SSL_SESSION_hash(const SSL_SESSION *a);
+int	SSL_SESSION_cmp(const SSL_SESSION *a,const SSL_SESSION *b);
+int	SSL_SESSION_print_fp(FILE *fp,const SSL_SESSION *ses);
+int	SSL_SESSION_print(BIO *fp,const SSL_SESSION *ses);
 void	SSL_SESSION_free(SSL_SESSION *ses);
 int	i2d_SSL_SESSION(SSL_SESSION *in,unsigned char **pp);
 int	SSL_set_session(SSL *to, SSL_SESSION *session);
@@ -1208,17 +1208,18 @@ int	SSL_CTX_set_generate_session_id(SSL_CTX *, GEN_SESSION_CB);
 int	SSL_set_generate_session_id(SSL *, GEN_SESSION_CB);
 int	SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id,
 					unsigned int id_len);
-SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,unsigned char **pp,long length);
+SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a,const unsigned char * const *pp,
+			     long length);
 
 #ifdef HEADER_X509_H
-X509 *	SSL_get_peer_certificate(SSL *s);
+X509 *	SSL_get_peer_certificate(const SSL *s);
 #endif
 
-STACK_OF(X509) *SSL_get_peer_cert_chain(SSL *s);
+STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s);
 
-int SSL_CTX_get_verify_mode(SSL_CTX *ctx);
-int SSL_CTX_get_verify_depth(SSL_CTX *ctx);
-int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *);
+int SSL_CTX_get_verify_mode(const SSL_CTX *ctx);
+int SSL_CTX_get_verify_depth(const SSL_CTX *ctx);
+int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int,X509_STORE_CTX *);
 void SSL_CTX_set_verify(SSL_CTX *ctx,int mode,
 			int (*callback)(int, X509_STORE_CTX *));
 void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth);
@@ -1234,8 +1235,8 @@ int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, unsigned char *d);
 void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
 void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
 
-int SSL_CTX_check_private_key(SSL_CTX *ctx);
-int SSL_check_private_key(SSL *ctx);
+int SSL_CTX_check_private_key(const SSL_CTX *ctx);
+int SSL_check_private_key(const SSL *ctx);
 
 int	SSL_CTX_set_session_id_context(SSL_CTX *ctx,const unsigned char *sid_ctx,
 				       unsigned int sid_ctx_len);
@@ -1260,8 +1261,8 @@ long	SSL_callback_ctrl(SSL *, int, void (*)());
 long	SSL_CTX_ctrl(SSL_CTX *ctx,int cmd, long larg, void *parg);
 long	SSL_CTX_callback_ctrl(SSL_CTX *, int, void (*)());
 
-int	SSL_get_error(SSL *s,int ret_code);
-const char *SSL_get_version(SSL *s);
+int	SSL_get_error(const SSL *s,int ret_code);
+const char *SSL_get_version(const SSL *s);
 
 /* This sets the 'default' SSL version that SSL_new() will create */
 int SSL_CTX_set_ssl_version(SSL_CTX *ctx,SSL_METHOD *meth);
@@ -1282,7 +1283,7 @@ SSL_METHOD *TLSv1_method(void);		/* TLSv1.0 */
 SSL_METHOD *TLSv1_server_method(void);	/* TLSv1.0 */
 SSL_METHOD *TLSv1_client_method(void);	/* TLSv1.0 */
 
-STACK_OF(SSL_CIPHER) *SSL_get_ciphers(SSL *s);
+STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
 
 int SSL_do_handshake(SSL *s);
 int SSL_renegotiate(SSL *s);
@@ -1298,15 +1299,15 @@ const char *SSL_alert_desc_string(int value);
 
 void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list);
 void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list);
-STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s);
-STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *s);
+STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s);
+STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *s);
 int SSL_add_client_CA(SSL *ssl,X509 *x);
 int SSL_CTX_add_client_CA(SSL_CTX *ctx,X509 *x);
 
 void SSL_set_connect_state(SSL *s);
 void SSL_set_accept_state(SSL *s);
 
-long SSL_get_default_timeout(SSL *s);
+long SSL_get_default_timeout(const SSL *s);
 
 int SSL_library_init(void );
 
@@ -1315,43 +1316,43 @@ STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk);
 
 SSL *SSL_dup(SSL *ssl);
 
-X509 *SSL_get_certificate(SSL *ssl);
+X509 *SSL_get_certificate(const SSL *ssl);
 /* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(SSL *ssl);
 
 void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode);
-int SSL_CTX_get_quiet_shutdown(SSL_CTX *ctx);
+int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx);
 void SSL_set_quiet_shutdown(SSL *ssl,int mode);
-int SSL_get_quiet_shutdown(SSL *ssl);
+int SSL_get_quiet_shutdown(const SSL *ssl);
 void SSL_set_shutdown(SSL *ssl,int mode);
-int SSL_get_shutdown(SSL *ssl);
-int SSL_version(SSL *ssl);
+int SSL_get_shutdown(const SSL *ssl);
+int SSL_version(const SSL *ssl);
 int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
 int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
 	const char *CApath);
 #define SSL_get0_session SSL_get_session /* just peek at pointer */
-SSL_SESSION *SSL_get_session(SSL *ssl);
+SSL_SESSION *SSL_get_session(const SSL *ssl);
 SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
-SSL_CTX *SSL_get_SSL_CTX(SSL *ssl);
+SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
 void SSL_set_info_callback(SSL *ssl,
 			   void (*cb)(const SSL *ssl,int type,int val));
-void (*SSL_get_info_callback(SSL *ssl))(const SSL *ssl,int type,int val);
-int SSL_state(SSL *ssl);
+void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl,int type,int val);
+int SSL_state(const SSL *ssl);
 
 void SSL_set_verify_result(SSL *ssl,long v);
-long SSL_get_verify_result(SSL *ssl);
+long SSL_get_verify_result(const SSL *ssl);
 
 int SSL_set_ex_data(SSL *ssl,int idx,void *data);
-void *SSL_get_ex_data(SSL *ssl,int idx);
+void *SSL_get_ex_data(const SSL *ssl,int idx);
 int SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
 	CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 
 int SSL_SESSION_set_ex_data(SSL_SESSION *ss,int idx,void *data);
-void *SSL_SESSION_get_ex_data(SSL_SESSION *ss,int idx);
+void *SSL_SESSION_get_ex_data(const SSL_SESSION *ss,int idx);
 int SSL_SESSION_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
 	CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 
 int SSL_CTX_set_ex_data(SSL_CTX *ssl,int idx,void *data);
-void *SSL_CTX_get_ex_data(SSL_CTX *ssl,int idx);
+void *SSL_CTX_get_ex_data(const SSL_CTX *ssl,int idx);
 int SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func,
 	CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
 
@@ -1534,6 +1535,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_F_SSL_SET_TRUST				 228
 #define SSL_F_SSL_SET_WFD				 196
 #define SSL_F_SSL_SHUTDOWN				 224
+#define SSL_F_SSL_UNDEFINED_CONST_FUNCTION		 243
 #define SSL_F_SSL_UNDEFINED_FUNCTION			 197
 #define SSL_F_SSL_USE_CERTIFICATE			 198
 #define SSL_F_SSL_USE_CERTIFICATE_ASN1			 199

crypto/dist/openssl/ssl/ssl_asn1.c

@@ -226,7 +226,7 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
 	M_ASN1_I2D_finish();
 	}
 
-SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
+SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char * const *pp,
 	     long length)
 	{
 	int version,ssl_version=0,i;
@@ -266,7 +266,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
 			((unsigned long)os.data[1]<< 8L)|
 			 (unsigned long)os.data[2];
 		}
-	else if ((ssl_version>>8) == 3)
+	else if ((ssl_version>>8) == SSL3_VERSION_MAJOR)
 		{
 		if (os.length != 2)
 			{
@@ -287,9 +287,9 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp,
 	ret->cipher_id=id;
 
 	M_ASN1_D2I_get(osp,d2i_ASN1_OCTET_STRING);
-	if ((ssl_version>>8) == SSL3_VERSION)
+	if ((ssl_version>>8) == SSL3_VERSION_MAJOR)
 		i=SSL3_MAX_SSL_SESSION_ID_LENGTH;
-	else /* if (ssl_version == SSL2_VERSION) */
+	else /* if (ssl_version == SSL2_VERSION_MAJOR) */
 		i=SSL2_MAX_SSL_SESSION_ID_LENGTH;
 
 	if (os.length > i)

crypto/dist/openssl/ssl/ssl_cert.c

@@ -544,12 +544,12 @@ void SSL_CTX_set_client_CA_list(SSL_CTX *ctx,STACK_OF(X509_NAME) *name_list)
 	set_client_CA_list(&(ctx->client_CA),name_list);
 	}
 
-STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(SSL_CTX *ctx)
+STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx)
 	{
 	return(ctx->client_CA);
 	}
 
-STACK_OF(X509_NAME) *SSL_get_client_CA_list(SSL *s)
+STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
 	{
 	if (s->type == SSL_ST_CONNECT)
 		{ /* we are in the client */

crypto/dist/openssl/ssl/ssl_ciph.c

@@ -189,7 +189,7 @@ static void load_ciphers(void)
 	init_ciphers=0;
 	}
 
-int ssl_cipher_get_evp(SSL_SESSION *s, const EVP_CIPHER **enc,
+int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc,
 	     const EVP_MD **md, SSL_COMP **comp)
 	{
 	int i;
@@ -1067,7 +1067,7 @@ char *SSL_CIPHER_description(SSL_CIPHER *cipher, char *buf, int len)
 	return(buf);
 	}
 
-char *SSL_CIPHER_get_version(SSL_CIPHER *c)
+char *SSL_CIPHER_get_version(const SSL_CIPHER *c)
 	{
 	int i;
 
@@ -1082,7 +1082,7 @@ char *SSL_CIPHER_get_version(SSL_CIPHER *c)
 	}
 
 /* return the actual cipher being used */
-const char *SSL_CIPHER_get_name(SSL_CIPHER *c)
+const char *SSL_CIPHER_get_name(const SSL_CIPHER *c)
 	{
 	if (c != NULL)
 		return(c->name);
@@ -1090,7 +1090,7 @@ const char *SSL_CIPHER_get_name(SSL_CIPHER *c)
 	}
 
 /* number of bits for symmetric cipher */
-int SSL_CIPHER_get_bits(SSL_CIPHER *c, int *alg_bits)
+int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits)
 	{
 	int ret=0;
 

crypto/dist/openssl/ssl/ssl_err.c

@@ -193,6 +193,7 @@ static ERR_STRING_DATA SSL_str_functs[]=
 {ERR_PACK(0,SSL_F_SSL_SET_TRUST,0),	"SSL_set_trust"},
 {ERR_PACK(0,SSL_F_SSL_SET_WFD,0),	"SSL_set_wfd"},
 {ERR_PACK(0,SSL_F_SSL_SHUTDOWN,0),	"SSL_shutdown"},
+{ERR_PACK(0,SSL_F_SSL_UNDEFINED_CONST_FUNCTION,0),	"SSL_UNDEFINED_CONST_FUNCTION"},
 {ERR_PACK(0,SSL_F_SSL_UNDEFINED_FUNCTION,0),	"SSL_UNDEFINED_FUNCTION"},
 {ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE,0),	"SSL_use_certificate"},
 {ERR_PACK(0,SSL_F_SSL_USE_CERTIFICATE_ASN1,0),	"SSL_use_certificate_ASN1"},

crypto/dist/openssl/ssl/ssl_locl.h

@@ -485,10 +485,11 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth,
 					     STACK_OF(SSL_CIPHER) **sorted,
 					     const char *rule_str);
 void ssl_update_cache(SSL *s, int mode);
-int ssl_cipher_get_evp(SSL_SESSION *s,const EVP_CIPHER **enc,const EVP_MD **md,
-		       SSL_COMP **comp);
+int ssl_cipher_get_evp(const SSL_SESSION *s,const EVP_CIPHER **enc,
+		       const EVP_MD **md,SSL_COMP **comp);
 int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk);
 int ssl_undefined_function(SSL *s);
+int ssl_undefined_const_function(const SSL *s);
 X509 *ssl_get_server_send_cert(SSL *);
 EVP_PKEY *ssl_get_sign_pkey(SSL *,SSL_CIPHER *);
 int ssl_cert_type(X509 *x,EVP_PKEY *pkey);
@@ -522,7 +523,7 @@ long	ssl2_ctrl(SSL *s,int cmd, long larg, void *parg);
 long	ssl2_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
 long	ssl2_callback_ctrl(SSL *s,int cmd, void (*fp)());
 long	ssl2_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
-int	ssl2_pending(SSL *s);
+int	ssl2_pending(const SSL *s);
 
 SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p);
 int ssl3_put_cipher_by_char(const SSL_CIPHER *c,unsigned char *p);
@@ -570,7 +571,7 @@ long	ssl3_ctrl(SSL *s,int cmd, long larg, void *parg);
 long	ssl3_ctx_ctrl(SSL_CTX *s,int cmd, long larg, void *parg);
 long	ssl3_callback_ctrl(SSL *s,int cmd, void (*fp)());
 long	ssl3_ctx_callback_ctrl(SSL_CTX *s,int cmd, void (*fp)());
-int	ssl3_pending(SSL *s);
+int	ssl3_pending(const SSL *s);
 
 int ssl23_accept(SSL *s);
 int ssl23_connect(SSL *s);

crypto/dist/openssl/ssl/ssl_sess.c

@@ -65,7 +65,7 @@ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
 static void SSL_SESSION_list_add(SSL_CTX *ctx,SSL_SESSION *s);
 static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
 
-SSL_SESSION *SSL_get_session(SSL *ssl)
+SSL_SESSION *SSL_get_session(const SSL *ssl)
 /* aka SSL_get0_session; gets 0 objects, just returns a copy of the pointer */
 	{
 	return(ssl->session);
@@ -98,7 +98,7 @@ int SSL_SESSION_set_ex_data(SSL_SESSION *s, int idx, void *arg)
 	return(CRYPTO_set_ex_data(&s->ex_data,idx,arg));
 	}
 
-void *SSL_SESSION_get_ex_data(SSL_SESSION *s, int idx)
+void *SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx)
 	{
 	return(CRYPTO_get_ex_data(&s->ex_data,idx));
 	}
@@ -610,13 +610,13 @@ long SSL_SESSION_set_timeout(SSL_SESSION *s, long t)
 	return(1);
 	}
 
-long SSL_SESSION_get_timeout(SSL_SESSION *s)
+long SSL_SESSION_get_timeout(const SSL_SESSION *s)
 	{
 	if (s == NULL) return(0);
 	return(s->timeout);
 	}
 
-long SSL_SESSION_get_time(SSL_SESSION *s)
+long SSL_SESSION_get_time(const SSL_SESSION *s)
 	{
 	if (s == NULL) return(0);
 	return(s->time);
@@ -638,7 +638,7 @@ long SSL_CTX_set_timeout(SSL_CTX *s, long t)
 	return(l);
 	}
 
-long SSL_CTX_get_timeout(SSL_CTX *s)
+long SSL_CTX_get_timeout(const SSL_CTX *s)
 	{
 	if (s == NULL) return(0);
 	return(s->session_timeout);

crypto/dist/openssl/ssl/ssltest.c

@@ -119,6 +119,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <time.h>
+#include <ctype.h>
 
 #define USE_SOCKETS
 #include "e_os.h"
@@ -127,6 +128,7 @@
 #include <openssl/crypto.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 #include <openssl/ssl.h>
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
@@ -169,8 +171,15 @@ static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
 static void free_tmp_rsa(void);
 #endif
 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
-#define APP_CALLBACK "Test Callback Argument"
-static char *app_verify_arg = APP_CALLBACK;
+#define APP_CALLBACK_STRING "Test Callback Argument"
+struct app_verify_arg
+	{
+	char *string;
+	int app_verify;
+	int allow_proxy_certs;
+	char *proxy_auth;
+	char *proxy_cond;
+	};
 
 #ifndef OPENSSL_NO_DH
 static DH *get_dh512(void);
@@ -204,6 +213,9 @@ static void sv_usage(void)
 #endif
 	fprintf(stderr," -server_auth  - check server certificate\n");
 	fprintf(stderr," -client_auth  - do client authentication\n");
+	fprintf(stderr," -proxy        - allow proxy certificates\n");
+	fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
+	fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
 	fprintf(stderr," -v            - more output\n");
 	fprintf(stderr," -d            - debug output\n");
 	fprintf(stderr," -reuse        - use session-id reuse\n");
@@ -353,7 +365,8 @@ int main(int argc, char *argv[])
 	int tls1=0,ssl2=0,ssl3=0,ret=1;
 	int client_auth=0;
 	int server_auth=0,i;
-	int app_verify=0;
+	struct app_verify_arg app_verify_arg =
+		{ APP_CALLBACK_STRING, 0, 0, NULL, NULL };
 	char *server_cert=TEST_SERVER_CERT;
 	char *server_key=NULL;
 	char *client_cert=TEST_CLIENT_CERT;
@@ -421,6 +434,16 @@ int main(int argc, char *argv[])
 			server_auth=1;
 		else if	(strcmp(*argv,"-client_auth") == 0)
 			client_auth=1;
+		else if (strcmp(*argv,"-proxy_auth") == 0)
+			{
+			if (--argc < 1) goto bad;
+			app_verify_arg.proxy_auth= *(++argv);
+			}
+		else if (strcmp(*argv,"-proxy_cond") == 0)
+			{
+			if (--argc < 1) goto bad;
+			app_verify_arg.proxy_cond= *(++argv);
+			}
 		else if	(strcmp(*argv,"-v") == 0)
 			verbose=1;
 		else if	(strcmp(*argv,"-d") == 0)
@@ -533,7 +556,11 @@ int main(int argc, char *argv[])
 			}
 		else if	(strcmp(*argv,"-app_verify") == 0)
 			{
-			app_verify = 1;
+			app_verify_arg.app_verify = 1;
+			}
+		else if	(strcmp(*argv,"-proxy") == 0)
+			{
+			app_verify_arg.allow_proxy_certs = 1;
 			}
 		else
 			{
@@ -708,20 +735,14 @@ bad:
 		SSL_CTX_set_verify(s_ctx,
 			SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
 			verify_callback);
-		if (app_verify) 
-			{
-			SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg);
-			}
+		SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
 		}
 	if (server_auth)
 		{
 		BIO_printf(bio_err,"server authentication\n");
 		SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
 			verify_callback);
-		if (app_verify) 
-			{
-			SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, app_verify_arg);
-			}
+		SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
 		}
 	
 	{
@@ -1503,6 +1524,22 @@ err:
 	return(ret);
 	}
 
+static int get_proxy_auth_ex_data_idx(void)
+	{
+	static volatile int idx = -1;
+	if (idx < 0)
+		{
+		CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
+		if (idx < 0)
+			{
+			idx = X509_STORE_CTX_get_ex_new_index(0,
+				"SSLtest for verify callback", NULL,NULL,NULL);
+			}
+		CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
+		}
+	return idx;
+	}
+
 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
 	{
 	char *s,buf[256];
@@ -1512,42 +1549,467 @@ static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
 	if (s != NULL)
 		{
 		if (ok)
-			fprintf(stderr,"depth=%d %s\n",ctx->error_depth,buf);
+			fprintf(stderr,"depth=%d %s\n",
+				ctx->error_depth,buf);
 		else
+			{
 			fprintf(stderr,"depth=%d error=%d %s\n",
 				ctx->error_depth,ctx->error,buf);
+			}
 		}
 
 	if (ok == 0)
 		{
+		fprintf(stderr,"Error string: %s\n",
+			X509_verify_cert_error_string(ctx->error));
 		switch (ctx->error)
 			{
 		case X509_V_ERR_CERT_NOT_YET_VALID:
 		case X509_V_ERR_CERT_HAS_EXPIRED:
 		case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+			fprintf(stderr,"  ... ignored.\n");
 			ok=1;
 			}
 		}
 
+	if (ok == 1)
+		{
+		X509 *xs = ctx->current_cert;
+#if 0
+		X509 *xi = ctx->current_issuer;
+#endif
+
+		if (xs->ex_flags & EXFLAG_PROXY)
+			{
+			unsigned int *letters =
+				X509_STORE_CTX_get_ex_data(ctx,
+					get_proxy_auth_ex_data_idx());
+
+			if (letters)
+				{
+				int found_any = 0;
+				int i;
+				PROXY_CERT_INFO_EXTENSION *pci =
+					X509_get_ext_d2i(xs, NID_proxyCertInfo,
+						NULL, NULL);
+
+				switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
+					{
+				case NID_Independent:
+					/* Completely meaningless in this
+					   program, as there's no way to
+					   grant explicit rights to a
+					   specific PrC.  Basically, using
+					   id-ppl-Independent is the perfect
+					   way to grant no rights at all. */
+					fprintf(stderr, "  Independent proxy certificate");
+					for (i = 0; i < 26; i++)
+						letters[i] = 0;
+					break;
+				case NID_id_ppl_inheritAll:
+					/* This is basically a NOP, we
+					   simply let the current rights
+					   stand as they are. */
+					fprintf(stderr, "  Proxy certificate inherits all");
+					break;
+				default:
+					s = (char *)
+						pci->proxyPolicy->policy->data;
+					i = pci->proxyPolicy->policy->length;
+
+					/* The algorithm works as follows:
+					   it is assumed that previous
+					   iterations or the initial granted
+					   rights has already set some elements
+					   of `letters'.  What we need to do is
+					   to clear those that weren't granted
+					   by the current PrC as well.  The
+					   easiest way to do this is to add 1
+					   to all the elements whose letters
+					   are given with the current policy.
+					   That way, all elements that are set
+					   by the current policy and were
+					   already set by earlier policies and
+					   through the original grant of rights
+					   will get the value 2 or higher.
+					   The last thing to do is to sweep
+					   through `letters' and keep the
+					   elements having the value 2 as set,
+					   and clear all the others. */
+
+					fprintf(stderr, "  Certificate proxy rights = %*.*s", i, i, s);
+					while(i-- > 0)
+						{
+						char c = *s++;
+						if (isascii(c) && isalpha(c))
+							{
+							if (islower(c))
+								c = toupper(c);
+							letters[c - 'A']++;
+							}
+						}
+					for (i = 0; i < 26; i++)
+						if (letters[i] < 2)
+							letters[i] = 0;
+						else
+							letters[i] = 1;
+					}
+
+				found_any = 0;
+				fprintf(stderr,
+					", resulting proxy rights = ");
+				for(i = 0; i < 26; i++)
+					if (letters[i])
+						{
+						fprintf(stderr, "%c", i + 'A');
+						found_any = 1;
+						}
+				if (!found_any)
+					fprintf(stderr, "none");
+				fprintf(stderr, "\n");
+
+				PROXY_CERT_INFO_EXTENSION_free(pci);
+				}
+			}
+		}
+
 	return(ok);
 	}
 
-static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
+static void process_proxy_debug(int indent, const char *format, ...)
 	{
-	char *s = NULL,buf[256];
-	int ok=1;
+	static const char indentation[] =
+		">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
+		">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
+	char my_format[256];
+	va_list args;
 
-	fprintf(stderr, "In app_verify_callback, allowing cert. ");
-	fprintf(stderr, "Arg is: %s\n", (char *)arg);
-	fprintf(stderr, "Finished printing do we have a context? 0x%x a cert? 0x%x\n",
-			(unsigned int)ctx, (unsigned int)ctx->cert);
-	if (ctx->cert)
-		s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
-	if (s != NULL)
+	BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
+		indent, indent, indentation, format);
+
+	va_start(args, format);
+	vfprintf(stderr, my_format, args);
+	va_end(args);
+	}
+/* Priority levels:
+   0	[!]var, ()
+   1	& ^
+   2	|
+*/
+static int process_proxy_cond_adders(unsigned int letters[26],
+	const char *cond, const char **cond_end, int *pos, int indent);
+static int process_proxy_cond_val(unsigned int letters[26],
+	const char *cond, const char **cond_end, int *pos, int indent)
+	{
+	char c;
+	int ok = 1;
+	int negate = 0;
+
+	while(isspace(*cond))
 		{
-			fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
+		cond++; (*pos)++;
+		}
+	c = *cond;
+
+	if (debug)
+		process_proxy_debug(indent,
+			"Start process_proxy_cond_val at position %d: %s\n",
+			*pos, cond);
+
+	while(c == '!')
+		{
+		negate = !negate;
+		cond++; (*pos)++;
+		while(isspace(*cond))
+			{
+			cond++; (*pos)++;
+			}
+		c = *cond;
 		}
 
+	if (c == '(')
+		{
+		cond++; (*pos)++;
+		ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
+			indent + 1);
+		cond = *cond_end;
+		if (ok < 0)
+			goto end;
+		while(isspace(*cond))
+			{
+			cond++; (*pos)++;
+			}
+		c = *cond;
+		if (c != ')')
+			{
+			fprintf(stderr,
+				"Weird condition character in position %d: "
+				"%c\n", *pos, c);
+			ok = -1;
+			goto end;
+			}
+		cond++; (*pos)++;
+		}
+	else if (isascii(c) && isalpha(c))
+		{
+		if (islower(c))
+			c = toupper(c);
+		ok = letters[c - 'A'];
+		cond++; (*pos)++;
+		}
+	else
+		{
+		fprintf(stderr,
+			"Weird condition character in position %d: "
+			"%c\n", *pos, c);
+		ok = -1;
+		goto end;
+		}
+ end:
+	*cond_end = cond;
+	if (ok >= 0 && negate)
+		ok = !ok;
+
+	if (debug)
+		process_proxy_debug(indent,
+			"End process_proxy_cond_val at position %d: %s, returning %d\n",
+			*pos, cond, ok);
+
+	return ok;
+	}
+static int process_proxy_cond_multipliers(unsigned int letters[26],
+	const char *cond, const char **cond_end, int *pos, int indent)
+	{
+	int ok;
+	char c;
+
+	if (debug)
+		process_proxy_debug(indent,
+			"Start process_proxy_cond_multipliers at position %d: %s\n",
+			*pos, cond);
+
+	ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
+	cond = *cond_end;
+	if (ok < 0)
+		goto end;
+
+	while(ok >= 0)
+		{
+		while(isspace(*cond))
+			{
+			cond++; (*pos)++;
+			}
+		c = *cond;
+
+		switch(c)
+			{
+		case '&':
+		case '^':
+			{
+			int save_ok = ok;
+
+			cond++; (*pos)++;
+			ok = process_proxy_cond_val(letters,
+				cond, cond_end, pos, indent + 1);
+			cond = *cond_end;
+			if (ok < 0)
+				break;
+
+			switch(c)
+				{
+			case '&':
+				ok &= save_ok;
+				break;
+			case '^':
+				ok ^= save_ok;
+				break;
+			default:
+				fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
+					" STOPPING\n");
+				EXIT(1);
+				}
+			}
+			break;
+		default:
+			goto end;
+			}
+		}
+ end:
+	if (debug)
+		process_proxy_debug(indent,
+			"End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
+			*pos, cond, ok);
+
+	*cond_end = cond;
+	return ok;
+	}
+static int process_proxy_cond_adders(unsigned int letters[26],
+	const char *cond, const char **cond_end, int *pos, int indent)
+	{
+	int ok;
+	char c;
+
+	if (debug)
+		process_proxy_debug(indent,
+			"Start process_proxy_cond_adders at position %d: %s\n",
+			*pos, cond);
+
+	ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
+		indent + 1);
+	cond = *cond_end;
+	if (ok < 0)
+		goto end;
+
+	while(ok >= 0)
+		{
+		while(isspace(*cond))
+			{
+			cond++; (*pos)++;
+			}
+		c = *cond;
+
+		switch(c)
+			{
+		case '|':
+			{
+			int save_ok = ok;
+
+			cond++; (*pos)++;
+			ok = process_proxy_cond_multipliers(letters,
+				cond, cond_end, pos, indent + 1);
+			cond = *cond_end;
+			if (ok < 0)
+				break;
+
+			switch(c)
+				{
+			case '|':
+				ok |= save_ok;
+				break;
+			default:
+				fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
+					" STOPPING\n");
+				EXIT(1);
+				}
+			}
+			break;
+		default:
+			goto end;
+			}
+		}
+ end:
+	if (debug)
+		process_proxy_debug(indent,
+			"End process_proxy_cond_adders at position %d: %s, returning %d\n",
+			*pos, cond, ok);
+
+	*cond_end = cond;
+	return ok;
+	}
+
+static int process_proxy_cond(unsigned int letters[26],
+	const char *cond, const char **cond_end)
+	{
+	int pos = 1;
+	return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
+	}
+
+static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
+	{
+	int ok=1;
+	struct app_verify_arg *cb_arg = arg;
+	unsigned int letters[26]; /* only used with proxy_auth */
+
+	if (cb_arg->app_verify)
+		{
+		char *s = NULL,buf[256];
+
+		fprintf(stderr, "In app_verify_callback, allowing cert. ");
+		fprintf(stderr, "Arg is: %s\n", cb_arg->string);
+		fprintf(stderr, "Finished printing do we have a context? 0x%x a cert? 0x%x\n",
+			(unsigned int)ctx, (unsigned int)ctx->cert);
+		if (ctx->cert)
+			s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
+		if (s != NULL)
+			{
+			fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
+			}
+		return(1);
+		}
+	if (cb_arg->proxy_auth)
+		{
+		int found_any = 0, i;
+		char *sp;
+
+		for(i = 0; i < 26; i++)
+			letters[i] = 0;
+		for(sp = cb_arg->proxy_auth; *sp; sp++)
+			{
+			char c = *sp;
+			if (isascii(c) && isalpha(c))
+				{
+				if (islower(c))
+					c = toupper(c);
+				letters[c - 'A'] = 1;
+				}
+			}
+
+		fprintf(stderr,
+			"  Initial proxy rights = ");
+		for(i = 0; i < 26; i++)
+			if (letters[i])
+				{
+				fprintf(stderr, "%c", i + 'A');
+				found_any = 1;
+				}
+		if (!found_any)
+			fprintf(stderr, "none");
+		fprintf(stderr, "\n");
+
+		X509_STORE_CTX_set_ex_data(ctx,
+			get_proxy_auth_ex_data_idx(),letters);
+		}
+	if (cb_arg->allow_proxy_certs)
+		{
+		X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
+		}
+
+#ifndef OPENSSL_NO_X509_VERIFY
+# ifdef OPENSSL_FIPS
+	if(s->version == TLS1_VERSION)
+		FIPS_allow_md5(1);
+# endif
+	ok = X509_verify_cert(ctx);
+# ifdef OPENSSL_FIPS
+	if(s->version == TLS1_VERSION)
+		FIPS_allow_md5(0);
+# endif
+#endif
+
+	if (cb_arg->proxy_auth)
+		{
+		if (ok)
+			{
+			const char *cond_end = NULL;
+
+			ok = process_proxy_cond(letters,
+				cb_arg->proxy_cond, &cond_end);
+
+			if (ok < 0)
+				EXIT(3);
+			if (*cond_end)
+				{
+				fprintf(stderr, "Stopped processing condition before it's end.\n");
+				ok = 0;
+				}
+			if (!ok)
+				fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
+					cb_arg->proxy_cond);
+			else
+				fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
+					cb_arg->proxy_cond);
+			}
+		}
 	return(ok);
 	}