Add code to download CRLs based on CRLDP extension.

Just a sample, real world applications would have to be cleverer.
2012-12-06 18:43:40 +00:00
parent e998f8aeb8
commit 57912ed329
8 changed files with 117 additions and 22 deletions
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -987,6 +987,7 @@ int MAIN(int argc, char *argv[])

 	char *crl_file = NULL;
 	int crl_format = FORMAT_PEM;
+	int crl_download = 0;
 	STACK_OF(X509_CRL) *crls = NULL;

 	meth=SSLv23_server_method();
@@ -1059,6 +1060,8 @@ int MAIN(int argc, char *argv[])
 			if (--argc < 1) goto bad;
 			crl_file= *(++argv);
 			}
+		else if	(strcmp(*argv,"-crl_download") == 0)
+			crl_download = 1;
 #ifndef OPENSSL_NO_TLSEXT
 		else if	(strcmp(*argv,"-authz") == 0)
 			{
@@ -1674,12 +1677,13 @@ bad:
 	if (vpm)
 		SSL_CTX_set1_param(ctx, vpm);

-	ssl_ctx_add_crls(ctx, crls);
+	ssl_ctx_add_crls(ctx, crls, 0);

 	if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe, no_jpake))
 		goto end;

-	if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, crls))
+	if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
+						crls, crl_download))
 		{
 		BIO_printf(bio_err, "Error loading store locations\n");
 		ERR_print_errors(bio_err);
@@ -1740,7 +1744,7 @@ bad:
 		if (vpm)
 			SSL_CTX_set1_param(ctx2, vpm);

-		ssl_ctx_add_crls(ctx2, crls);
+		ssl_ctx_add_crls(ctx2, crls, 0);

 		if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe, no_jpake))
 			goto end;