Commit d9bfe4f9 authored by Richard Levitte's avatar Richard Levitte

Added restrictions on the use of proxy certificates, as they may pose

a security threat to unsuspecting applications.  Document and test.
parent dc0ed30c
+6 −0
@@ -783,6 +783,12 @@
  *) Undo Cygwin change.
     [Ulf Möller]

  *) Added support for proxy certificates according to RFC 3820.
     Because they may be a security thread to unaware applications,
     they must be explicitely allowed in run-time.  See
     docs/HOWTO/proxy_certificates.txt for further information.
     [Richard Levitte]

 Changes between 0.9.7e and 0.9.7f  [22 Mar 2005]

  *) Use (SSL_RANDOM_VALUE - 4) bytes of pseudo random data when generating
+2 −0
@@ -128,6 +128,8 @@ const char *X509_verify_cert_error_string(long n)
		return ("path length constraint exceeded");
	case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED:
		return("proxy path length constraint exceeded");
	case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED:
		return("proxy cerificates not allowed, please set the appropriate flag");
	case X509_V_ERR_INVALID_PURPOSE:
		return ("unsupported certificate purpose");
	case X509_V_ERR_CERT_UNTRUSTED:
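Review bot: The new error string for X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED misspells "certificates" as "cerificates"; since operators grep verification failures by this text, it should read `return("proxy certificates not allowed, please set the appropriate flag");`. X509_verify_cert_error_string begins and ends outside the hunk.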
+15 −0
@@ -391,6 +391,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
	int (*cb)(int ok,X509_STORE_CTX *ctx);
	int proxy_path_length = 0;
	cb=ctx->verify_cb;
	int allow_proxy_certs = !!(ctx->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);

	/* must_be_ca can have 1 of 3 values:
	   -1: we accept both CA and non-CA certificates, to allow direct
@@ -401,6 +402,12 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
	       all certificates in the chain except the leaf certificate.
	*/
	must_be_ca = -1;

	/* A hack to keep people who don't want to modify their software
	   happy */
	if (getenv("OPENSSL_ALLOW_PROXY_CERTS"))
		allow_proxy_certs = 1;

	/* Check all untrusted certificates */
	for (i = 0; i < ctx->last_untrusted; i++)
		{
@@ -415,6 +422,14 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
			ok=cb(0,ctx);
			if (!ok) goto end;
			}
		if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY))
			{
			ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
			ctx->error_depth = i;
			ctx->current_cert = x;
			ok=cb(0,ctx);
			if (!ok) goto end;
			}
		ret = X509_check_ca(x);
		switch(must_be_ca)
			{
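Review bot: The `getenv("OPENSSL_ALLOW_PROXY_CERTS")` override in the second hunk re-enables proxy certificates regardless of the flags the application set on the ctx, so anything that controls the process environment (a wrapper script, a setuid launcher, an inherited CGI environment) can silently undo the explicit opt-in this commit introduces; the HOWTO referenced in CHANGES should say so, and the override should at least be ignored when the process runs with elevated privileges. In the first hunk `int allow_proxy_certs = !!(ctx->flags & X509_V_FLAG_ALLOW_PROXY_CERTS);` is declared after the statement `cb=ctx->verify_cb;`, a C99 mixed declaration that the pre-C99 compilers OpenSSL still supports will reject — move it up beside `int proxy_path_length = 0;`. The new EXFLAG_PROXY check in the third hunk sits inside the loop over `ctx->last_untrusted`, so a proxy certificate among the trusted certificates is never subject to it; if that is intended, a one-line comment saying so would help the next reader. check_chain_extensions starts and ends outside these hunks.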
+11 −8
@@ -325,10 +325,11 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
#define		X509_V_ERR_INVALID_NON_CA			37
#define		X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED		38
#define		X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE	39
#define		X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED	40

#define		X509_V_ERR_INVALID_EXTENSION			40
#define		X509_V_ERR_INVALID_POLICY_EXTENSION		41
#define		X509_V_ERR_NO_EXPLICIT_POLICY			42
#define		X509_V_ERR_INVALID_EXTENSION			41
#define		X509_V_ERR_INVALID_POLICY_EXTENSION		42
#define		X509_V_ERR_NO_EXPLICIT_POLICY			43


/* The application is not happy */
@@ -348,14 +349,16 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
#define	X509_V_FLAG_IGNORE_CRITICAL		0x10
/* Disable workarounds for broken certificates */
#define	X509_V_FLAG_X509_STRICT			0x20
/* Enable proxy certificate validation */
#define	X509_V_FLAG_ALLOW_PROXY_CERTS		0x40
/* Enable policy checking */
#define X509_V_FLAG_POLICY_CHECK		0x40
#define X509_V_FLAG_POLICY_CHECK		0x80
/* Policy variable require-explicit-policy */
#define X509_V_FLAG_EXPLICIT_POLICY		0x80
#define X509_V_FLAG_EXPLICIT_POLICY		0x100
/* Policy variable inhibit-any-policy */
#define	X509_V_FLAG_INHIBIT_ANY			0x100
#define	X509_V_FLAG_INHIBIT_ANY			0x200
/* Policy variable inhibit-policy-mapping */
#define X509_V_FLAG_INHIBIT_MAP			0x200
#define X509_V_FLAG_INHIBIT_MAP			0x400
/* Notify callback that policy is OK */
#define X509_V_FLAG_NOTIFY_POLICY		0x800

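Review bot: Inserting X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED as 40 and X509_V_FLAG_ALLOW_PROXY_CERTS as 0x40 shifts every later constant (X509_V_ERR_INVALID_EXTENSION 40→41 and the policy flags from 0x40→0x80 onward), so a binary compiled against the previous header that sets X509_V_FLAG_POLICY_CHECK would, against a library built from this commit, be enabling proxy certificates instead — the opposite of what the change intends. If any of the renumbered values have shipped in a release, the new constants should be appended after the existing ones (next free error code, next free flag bit) rather than inserted; if they are all still unreleased development additions the renumbering is harmless but deserves a sentence in CHANGES. The rendered page shows fewer removed lines in the second hunk than the declared −8, so one deletion is not visible here.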
+3 −1
@@ -338,7 +338,9 @@ static void x509v3_cache_extensions(X509 *x)
	}
	/* Handle proxy certificates */
	if((pci=X509_get_ext_d2i(x, NID_proxyCertInfo, NULL, NULL))) {
		if (x->ex_flags & EXFLAG_CA) {
		if (x->ex_flags & EXFLAG_CA
		    || X509_get_ext_by_NID(x, NID_subject_alt_name, 0) >= 0
		    || X509_get_ext_by_NID(x, NID_issuer_alt_name, 0) >= 0) {
			x->ex_flags |= EXFLAG_INVALID;
		}
		if (pci->pcPathLengthConstraint) {
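Review bot: The widened condition now marks a proxy certificate invalid when it carries a subjectAltName or issuerAltName extension, but nothing in the hunk says why, and the only outcome is the generic EXFLAG_INVALID, so a maintainer cannot tell the RFC 3820 prohibition apart from the pre-existing "proxy certificate claiming to be a CA" case; add a comment above the `if` such as `/* RFC 3820: a proxy certificate must not be a CA and must not carry subject or issuer alternative names */`. It is also worth considering a distinct verify error for the alt-name case rather than folding it into EXFLAG_INVALID, since the X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED code added elsewhere in this commit shows the value of specific diagnostics. x509v3_cache_extensions starts and ends outside the hunk.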