Loading CHANGES +16 −0 Original line number Diff line number Diff line Loading @@ -43,6 +43,22 @@ *) applies to 0.9.6a ... 0.9.6d and 0.9.7 +) applies to 0.9.7 only +) Fix the 'app_verify_callback' interface so that the user-defined argument is actually passed to the callback: In the SSL_CTX_set_cert_verify_callback() prototype, the callback declaration has been changed from int (*cb)() into int (*cb)(X509_STORE_CTX *,void *); in ssl_verify_cert_chain (ssl/ssl_cert.c), the call i=s->ctx->app_verify_callback(&ctx) has been changed into i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg). To update applications using SSL_CTX_set_cert_verify_callback(), a dummy argument can be added to their callback functions. [D. K. Smetters <smetters@parc.xerox.com>] +) Added the '4758cca' ENGINE to support IBM 4758 cards. [Maurice Gittens <maurice@gittens.nl>, touchups by Geoff Thorpe] Loading demos/easy_tls/easy-tls.c +3 −3 Original line number Diff line number Diff line /* -*- Mode: C; c-file-style: "bsd" -*- */ /* * easy-tls.c -- generic TLS proxy. * $Id: easy-tls.c,v 1.2 2001/09/24 07:54:09 bodo Exp $ * $Id: easy-tls.c,v 1.3 2002/02/28 10:52:01 bodo Exp $ */ /* (c) Copyright 1999 Bodo Moeller. All rights reserved. Loading Loading @@ -73,7 +73,7 @@ */ static char const rcsid[] = "$Id: easy-tls.c,v 1.2 2001/09/24 07:54:09 bodo Exp $"; "$Id: easy-tls.c,v 1.3 2002/02/28 10:52:01 bodo Exp $"; #include <assert.h> #include <errno.h> Loading Loading @@ -568,7 +568,7 @@ no_passphrase_callback(char *buf, int num, int w, void *arg) } static int verify_dont_fail_cb(X509_STORE_CTX *c) verify_dont_fail_cb(X509_STORE_CTX *c, void *unused_arg) { int i; Loading doc/ssl/SSL_CTX_set_cert_verify_callback.pod +20 −20 Original line number Diff line number Diff line Loading 
@@ -8,38 +8,36 @@ SSL_CTX_set_cert_verify_callback - set peer certificate verification procedure #include <openssl/ssl.h> void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*callback)(), char *arg); int (*callback)(); void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*callback)(X509_STORE_CTX *,void *), void *arg); =head1 DESCRIPTION SSL_CTX_set_cert_verify_callback() sets the verification callback function for B<ctx>. SSL objects, that are created from B<ctx> inherit the setting valid at the time, L<SSL_new(3)|SSL_new(3)> is called. B<arg> is currently ignored. I<ctx>. SSL objects that are created from I<ctx> inherit the setting valid at the time when L<SSL_new(3)|SSL_new(3)> is called. =head1 NOTES Whenever a certificate is verified during a SSL/TLS handshake, a verification function is called. If the application does not explicitly specify a verification callback function, the built-in verification function is used. If a verification callback B<callback> is specified via If a verification callback I<callback> is specified via SSL_CTX_set_cert_verify_callback(), the supplied callback function is called instead. By setting B<callback> to NULL, the default behaviour is restored. instead. By setting I<callback> to NULL, the default behaviour is restored. When the verification must be performed, B<callback> will be called with the argument callback(X509_STORE_CTX *x509_store_ctx). The arguments B<arg> that can be specified when setting B<callback> are currently ignored. When the verification must be performed, I<callback> will be called with the arguments callback(X509_STORE_CTX *x509_store_ctx, void *arg). The argument I<arg> is specified by the application when setting I<callback>. B<callback> should return 1 to indicate verification success and 0 to indicate verification failure. If SSL_VERIFY_PEER is set and B<callback> I<callback> should return 1 to indicate verification success and 0 to indicate verification failure. 
If SSL_VERIFY_PEER is set and I<callback> returns 0, the handshake will fail. As the verification procedure may allow to continue the connection in case of failure (by always returning 1) the verification result must be set in any case using the B<error> member of B<x509_store_ctx>, so that the calling application will be informed member of I<x509_store_ctx> so that the calling application will be informed about the detailed result of the verification procedure! Within B<x509_store_ctx>, B<callback> has access to the B<verify_callback> Within I<x509_store_ctx>, I<callback> has access to the I<verify_callback> function set using L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>. =head1 WARNINGS Loading @@ -56,12 +54,6 @@ the B<verify_callback> function. =head1 BUGS It is possible to specify arguments to be passed to the verification callback. Currently they are however not passed but ignored. The B<callback> function is not specified via a prototype, so that no type checking takes place. =head1 RETURN VALUES SSL_CTX_set_cert_verify_callback() does not provide diagnostic information. Loading @@ -72,4 +64,12 @@ L<ssl(3)|ssl(3)>, L<SSL_CTX_set_verify(3)|SSL_CTX_set_verify(3)>, L<SSL_get_verify_result(3)|SSL_get_verify_result(3)>, L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)> =head1 HISTORY Previous to OpenSSL 0.9.7, the I<arg> argument to B<SSL_CTX_set_cert_verify_callback> was ignored, and I<callback> was called simply as int (*callback)(X509_STORE_CTX *) To compile software written for previous versions of OpenSSL, a dummy argument will have to be added to I<callback>. =cut ssl/ssl.h +5 −3 Original line number Diff line number Diff line Loading 
@@ -607,8 +607,10 @@ struct ssl_ctx_st int references; /* if defined, these override the X509_verify_cert() calls */ int (*app_verify_callback)(); char *app_verify_arg; /* never used; should be void * */ int (*app_verify_callback)(X509_STORE_CTX *, void *); void *app_verify_arg; /* before OpenSSL 0.9.7, 'app_verify_arg' was ignored * ('app_verify_callback' was called with just one argument) */ /* Default password callback. */ pem_password_cb *default_passwd_callback; Loading Loading @@ -1232,7 +1234,7 @@ int (*SSL_CTX_get_verify_callback(SSL_CTX *ctx))(int,X509_STORE_CTX *); void SSL_CTX_set_verify(SSL_CTX *ctx,int mode, int (*callback)(int, X509_STORE_CTX *)); void SSL_CTX_set_verify_depth(SSL_CTX *ctx,int depth); void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(),char *arg); void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *,void *), void *arg); #ifndef OPENSSL_NO_RSA int SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa); #endif Loading ssl/ssl_cert.c +4 −0 Original line number Diff line number Diff line Loading @@ -483,7 +483,11 @@ int ssl_verify_cert_chain(SSL *s,STACK_OF(X509) *sk) X509_STORE_CTX_set_verify_cb(&ctx, s->verify_callback); if (s->ctx->app_verify_callback != NULL) #if 1 /* new with OpenSSL 0.9.7 */ i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg); #else i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */ #endif else { #ifndef OPENSSL_NO_X509_VERIFY Loading Loading
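Review bot: the CHANGES entry ("Fix the 'app_verify_callback' interface ...") describes the callback prototype change but not that the second parameter of SSL_CTX_set_cert_verify_callback() itself changed from "char *arg" to "void *arg"; callers that pass a char * still compile, but the entry should state both changes so readers understand why the struct member in ssl/ssl.h became "void *app_verify_arg" as well. It would also help to say explicitly that the callback now replaces the built-in chain check and must itself set the error member of the X509_STORE_CTX, since the arg that is now delivered is typically what an application uses to decide that.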
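Review bot: in the demos/easy_tls/easy-tls.c hunk at line 568, the new "void *unused_arg" parameter of verify_dont_fail_cb() is never referenced, so builds with -Wunused-parameter will warn on the demo; add a "(void)unused_arg;" at the top of the body (or a short comment saying the demo deliberately ignores the application argument). Given the function's name, a one-line comment reminding readers that a callback which never fails must still record the real result in the X509_STORE_CTX error member (as the updated pod now stresses) would keep the demo from being copied as-is into production code.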
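Review bot: in the doc/ssl/SSL_CTX_set_cert_verify_callback.pod hunk at line 8, the SYNOPSIS still leaves the standalone "int (*callback)();" declaration line in place next to the new prototype; it was only meaningful when the callback was unprototyped and should be removed, otherwise the synopsis shows two contradictory declarations. The NOTES paragraph that now reads "the verification result must be set in any case using the B<error> member of I<x509_store_ctx>" could also spell out that returning 1 without setting error silently accepts the peer, which is the security-relevant consequence of this interface.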
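Review bot: in the pod hunk at line 56, removing both BUGS paragraphs ("It is possible to specify arguments ..." and "The B<callback> function is not specified via a prototype ...") is correct now that the arg is passed and the callback is prototyped, but confirm the "=head1 BUGS" heading goes with them; the rendered hunk does not show whether the heading was dropped, and an empty BUGS section would render as a stray heading.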
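Review bot: in the pod hunk at line 72, the new HISTORY text mixes markup styles ("B<SSL_CTX_set_cert_verify_callback>" while the rest of the page was just converted to I<...>) and "Previous to OpenSSL 0.9.7" should read "Prior to OpenSSL 0.9.7". It should also mention that the arg parameter type changed from char * to void *, not only that a dummy parameter must be added to callback, so that someone porting an application sees both differences in one place.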
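Review bot: in the ssl/ssl.h hunk at line 607, the same callback type "int (*)(X509_STORE_CTX *, void *)" is now written out twice in this header (the struct member and the SSL_CTX_set_cert_verify_callback() prototype at line 1232) plus once in the pod; a named typedef for the callback, declared once, would keep the three in sync and give applications a type to declare their callbacks against. The new comment "before OpenSSL 0.9.7, 'app_verify_arg' was ignored" is useful; note that changing char * to void * does not alter the struct layout, so this is a source-level change only.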
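Review bot: in the ssl/ssl_cert.c hunk at line 483, the "#if 1 /* new with OpenSSL 0.9.7 */ ... #else i=s->ctx->app_verify_callback(&ctx); /* should pass app_verify_arg */ #endif" block keeps the old call as dead code, and placing preprocessor conditionals between an unbraced "if (...)" and its "else" is fragile to edit; since the CHANGES entry marks this as 0.9.7-only, drop the #else branch and just write "i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg);" with braces around the statement. If the old call is meant to be selectable for 0.9.6 builds, it should be guarded by a real version macro rather than "#if 1".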