static char *cipher=NULL;
static int s_server_verify=SSL_VERIFY_NONE;
static int s_server_session_id_context = 1; /* anything will do */
-static const char *s_cert_file=TEST_CERT,*s_key_file=NULL;
+static const char *s_cert_file=TEST_CERT,*s_key_file=NULL, *s_chain_file=NULL;
#ifndef OPENSSL_NO_TLSEXT
static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL;
static char *curves=NULL;
#endif
-static char *s_dcert_file=NULL,*s_dkey_file=NULL;
+static char *s_dcert_file=NULL,*s_dkey_file=NULL, *s_dchain_file=NULL;
#ifdef FIONBIO
static int s_nbio=0;
#endif
static int cert_chain = 0;
#endif
+#ifndef OPENSSL_NO_TLSEXT
+static BIO *authz_in = NULL;
+static const char *s_authz_file = NULL;
+static unsigned char *authz = NULL;
+static size_t authz_length;
+#endif
#ifndef OPENSSL_NO_PSK
static char *psk_identity="Client_identity";
s_server_verify=SSL_VERIFY_NONE;
s_dcert_file=NULL;
s_dkey_file=NULL;
+ s_dchain_file=NULL;
s_cert_file=TEST_CERT;
s_key_file=NULL;
+ s_chain_file=NULL;
#ifndef OPENSSL_NO_TLSEXT
curves=NULL;
s_cert_file2=TEST_CERT2;
BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n");
BIO_printf(bio_err," -cert arg - certificate file to use\n");
BIO_printf(bio_err," (default is %s)\n",TEST_CERT);
+ BIO_printf(bio_err," -authz arg - binary authz file for certificate\n");
BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \
" The CRL(s) are appended to the certificate file\n");
BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \
char *dpassarg = NULL, *dpass = NULL;
int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
X509 *s_cert = NULL, *s_dcert = NULL;
+ STACK_OF(X509) *s_chain = NULL, *s_dchain = NULL;
EVP_PKEY *s_key = NULL, *s_dkey = NULL;
int no_cache = 0;
#ifndef OPENSSL_NO_TLSEXT
if (--argc < 1) goto bad;
s_cert_file= *(++argv);
}
+#ifndef OPENSSL_NO_TLSEXT
+ else if (strcmp(*argv,"-authz") == 0)
+ {
+ if (--argc < 1) goto bad;
+ s_authz_file = *(++argv);
+ }
+#endif
else if (strcmp(*argv,"-certform") == 0)
{
if (--argc < 1) goto bad;
if (--argc < 1) goto bad;
passarg = *(++argv);
}
+ else if (strcmp(*argv,"-cert_chain") == 0)
+ {
+ if (--argc < 1) goto bad;
+ s_chain_file= *(++argv);
+ }
else if (strcmp(*argv,"-dhparam") == 0)
{
if (--argc < 1) goto bad;
if (--argc < 1) goto bad;
s_dkey_file= *(++argv);
}
+ else if (strcmp(*argv,"-dcert_chain") == 0)
+ {
+ if (--argc < 1) goto bad;
+ s_dchain_file= *(++argv);
+ }
else if (strcmp(*argv,"-nocert") == 0)
{
nocert=1;
ERR_print_errors(bio_err);
goto end;
}
+ if (s_chain_file)
+ {
+ s_chain = load_certs(bio_err, s_chain_file,FORMAT_PEM,
+ NULL, e, "server certificate chain");
+ if (!s_chain)
+ goto end;
+ }
#ifndef OPENSSL_NO_TLSEXT
if (tlsextcbp.servername)
next_proto.data = NULL;
}
# endif
-#endif
+ if (s_authz_file != NULL)
+ {
+ /* Allow authzs up to 64KB bytes. */
+ static const size_t authz_limit = 65536;
+
+ authz_in = BIO_new(BIO_s_file_internal());
+ if (authz_in == NULL)
+ {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ if (BIO_read_filename(authz_in, s_authz_file) <= 0)
+ {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ authz = OPENSSL_malloc(authz_limit);
+ authz_length = BIO_read(authz_in, authz, authz_limit);
+ if (authz_length == authz_limit || authz_length <= 0)
+ {
+ BIO_printf(bio_err, "authz too large\n");
+ goto end;
+ }
+ BIO_free(authz_in);
+ authz_in = NULL;
+ }
+#endif /* OPENSSL_NO_TLSEXT */
}
ERR_print_errors(bio_err);
goto end;
}
+ if (s_dchain_file)
+ {
+ s_dchain = load_certs(bio_err, s_dchain_file,FORMAT_PEM,
+ NULL, e, "second server certificate chain");
+ if (!s_dchain)
+ goto end;
+ }
}
}
#endif
- if (!set_cert_key_stuff(ctx,s_cert,s_key))
+ if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain))
+ goto end;
+#ifndef OPENSSL_NO_TLSEXT
+ if (authz != NULL && !SSL_CTX_use_authz(ctx, authz, authz_length))
goto end;
+#endif
#ifndef OPENSSL_NO_TLSEXT
- if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2))
+ if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL))
goto end;
#endif
if (s_dcert != NULL)
{
- if (!set_cert_key_stuff(ctx,s_dcert,s_dkey))
+ if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain))
goto end;
}
X509_free(s_cert2);
if (s_key2)
EVP_PKEY_free(s_key2);
+ if (authz != NULL)
+ OPENSSL_free(authz);
+ if (authz_in != NULL)
+ BIO_free(authz_in);
#endif
if (bio_s_out != NULL)
{