generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

add support for separate verify can chain stores to s_client (backport from HEAD)

Browse Source
This commit is contained in:
Dr. Stephen Henson 2012-12-30 16:27:15 +00:00
parent ede5f6cf74
commit 3341b820cc
4 changed files with 62 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
apps/s_apps.h
View File

@ -196,4 +196,7 @@ int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr); int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);
int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake); STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake);
int ssl_load_stores(SSL_CTX *sctx,
const char *vfyCApath, const char *vfyCAfile,
const char *chCApath, const char *chCAfile);
#endif #endif

30
apps/s_cb.c
View File

@ -1599,3 +1599,33 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
#endif #endif
return 1; return 1;
} }
int ssl_load_stores(SSL_CTX *ctx,
const char *vfyCApath, const char *vfyCAfile,
const char *chCApath, const char *chCAfile)
{
X509_STORE *vfy = NULL, *ch = NULL;
int rv = 0;
if (vfyCApath || vfyCAfile)
{
vfy = X509_STORE_new();
if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
goto err;
SSL_CTX_set1_verify_cert_store(ctx, vfy);
}
if (chCApath || chCAfile)
{
ch = X509_STORE_new();
if (!X509_STORE_load_locations(ch, chCAfile, chCApath))
goto err;
/*X509_STORE_set_verify_cb(ch, verify_callback);*/
SSL_CTX_set1_chain_cert_store(ctx, ch);
}
rv = 1;
err:
if (vfy)
X509_STORE_free(vfy);
if (ch)
X509_STORE_free(ch);
return rv;
}

29
apps/s_client.c
View File

@ -577,6 +577,8 @@ int MAIN(int argc, char **argv)
EVP_PKEY *key = NULL; EVP_PKEY *key = NULL;
STACK_OF(X509) *chain = NULL; STACK_OF(X509) *chain = NULL;
char *CApath=NULL,*CAfile=NULL; char *CApath=NULL,*CAfile=NULL;
char *chCApath=NULL,*chCAfile=NULL;
char *vfyCApath=NULL,*vfyCAfile=NULL;
int reconnect=0,badop=0,verify=SSL_VERIFY_NONE; int reconnect=0,badop=0,verify=SSL_VERIFY_NONE;
int crlf=0; int crlf=0;
int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending; int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
@ -895,6 +897,16 @@ static char *jpake_secret = NULL;
if (--argc < 1) goto bad; if (--argc < 1) goto bad;
CApath= *(++argv); CApath= *(++argv);
} }
else if (strcmp(*argv,"-chainCApath") == 0)
{
if (--argc < 1) goto bad;
chCApath= *(++argv);
}
else if (strcmp(*argv,"-verifyCApath") == 0)
{
if (--argc < 1) goto bad;
vfyCApath= *(++argv);
}
else if (strcmp(*argv,"-build_chain") == 0) else if (strcmp(*argv,"-build_chain") == 0)
build_chain = 1; build_chain = 1;
else if (strcmp(*argv,"-CAfile") == 0) else if (strcmp(*argv,"-CAfile") == 0)
@ -902,6 +914,16 @@ static char *jpake_secret = NULL;
if (--argc < 1) goto bad; if (--argc < 1) goto bad;
CAfile= *(++argv); CAfile= *(++argv);
} }
else if (strcmp(*argv,"-chainCAfile") == 0)
{
if (--argc < 1) goto bad;
chCAfile= *(++argv);
}
else if (strcmp(*argv,"-verifyCAfile") == 0)
{
if (--argc < 1) goto bad;
vfyCAfile= *(++argv);
}
#ifndef OPENSSL_NO_TLSEXT #ifndef OPENSSL_NO_TLSEXT
# ifndef OPENSSL_NO_NEXTPROTONEG # ifndef OPENSSL_NO_NEXTPROTONEG
else if (strcmp(*argv,"-nextprotoneg") == 0) else if (strcmp(*argv,"-nextprotoneg") == 0)
@ -1137,6 +1159,13 @@ bad:
goto end; goto end;
} }
if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile))
{
BIO_printf(bio_err, "Error loading store locations\n");
ERR_print_errors(bio_err);
goto end;
}
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE
if (ssl_client_engine) if (ssl_client_engine)
{ {

33
apps/s_server.c
View File

@ -212,9 +212,6 @@ static int init_ssl_connection(SSL *s);
static void print_stats(BIO *bp,SSL_CTX *ctx); static void print_stats(BIO *bp,SSL_CTX *ctx);
static int generate_session_id(const SSL *ssl, unsigned char *id, static int generate_session_id(const SSL *ssl, unsigned char *id,
unsigned int *id_len); unsigned int *id_len);
static int ssl_load_stores(SSL_CTX *sctx,
const char *vfyCApath, const char *vfyCAfile,
const char *chCApath, const char *chCAfile);
#ifndef OPENSSL_NO_DH #ifndef OPENSSL_NO_DH
static DH *load_dh_param(const char *dhfile); static DH *load_dh_param(const char *dhfile);
static DH *get_dh512(void); static DH *get_dh512(void);
@ -3122,33 +3119,3 @@ static int generate_session_id(const SSL *ssl, unsigned char *id,
return 0; return 0;
return 1; return 1;
} }
static int ssl_load_stores(SSL_CTX *sctx,
const char *vfyCApath, const char *vfyCAfile,
const char *chCApath, const char *chCAfile)
{
X509_STORE *vfy = NULL, *ch = NULL;
int rv = 0;
if (vfyCApath || vfyCAfile)
{
vfy = X509_STORE_new();
if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
goto err;
SSL_CTX_set1_verify_cert_store(ctx, vfy);
}
if (chCApath || chCAfile)
{
ch = X509_STORE_new();
if (!X509_STORE_load_locations(ch, chCAfile, chCApath))
goto err;
/*X509_STORE_set_verify_cb(ch, verify_callback);*/
SSL_CTX_set1_chain_cert_store(ctx, ch);
}
rv = 1;
err:
if (vfy)
X509_STORE_free(vfy);
if (ch)
X509_STORE_free(ch);
return rv;
}