Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]
+ *) New options -CRL and -CRLform for s_client and s_server for CRLs.
+ [Steve Henson]
+
*) New function X509_CRL_diff to generate a delta CRL from the difference
of two full CRLs. Add support to "crl" utility.
[Steve Henson]
return(x);
}
+X509_CRL *load_crl(char *infile, int format)
+ {
+ X509_CRL *x=NULL;
+ BIO *in=NULL;
+
+ if (format == FORMAT_HTTP)
+ {
+ load_cert_crl_http(infile, bio_err, NULL, &x);
+ return x;
+ }
+
+ in=BIO_new(BIO_s_file());
+ if (in == NULL)
+ {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ if (infile == NULL)
+ BIO_set_fp(in,stdin,BIO_NOCLOSE);
+ else
+ {
+ if (BIO_read_filename(in,infile) <= 0)
+ {
+ perror(infile);
+ goto end;
+ }
+ }
+ if (format == FORMAT_ASN1)
+ x=d2i_X509_CRL_bio(in,NULL);
+ else if (format == FORMAT_PEM)
+ x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
+ else {
+ BIO_printf(bio_err,"bad input format specified for input crl\n");
+ goto end;
+ }
+ if (x == NULL)
+ {
+ BIO_printf(bio_err,"unable to load CRL\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+end:
+ BIO_free(in);
+ return(x);
+ }
+
+
EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
const char *pass, ENGINE *e, const char *key_descrip)
{
int add_oid_section(BIO *err, CONF *conf);
X509 *load_cert(BIO *err, const char *file, int format,
const char *pass, ENGINE *e, const char *cert_descrip);
+X509_CRL *load_crl(char *infile, int format);
int load_cert_crl_http(const char *url, BIO *err,
X509 **pcert, X509_CRL **pcrl);
EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
NULL
};
-static X509_CRL *load_crl(char *file, int format);
static BIO *bio_out=NULL;
int MAIN(int, char **);
apps_shutdown();
OPENSSL_EXIT(ret);
}
-
-static X509_CRL *load_crl(char *infile, int format)
- {
- X509_CRL *x=NULL;
- BIO *in=NULL;
-
- if (format == FORMAT_HTTP)
- {
- load_cert_crl_http(infile, bio_err, NULL, &x);
- return x;
- }
-
- in=BIO_new(BIO_s_file());
- if (in == NULL)
- {
- ERR_print_errors(bio_err);
- goto end;
- }
-
- if (infile == NULL)
- BIO_set_fp(in,stdin,BIO_NOCLOSE);
- else
- {
- if (BIO_read_filename(in,infile) <= 0)
- {
- perror(infile);
- goto end;
- }
- }
- if (format == FORMAT_ASN1)
- x=d2i_X509_CRL_bio(in,NULL);
- else if (format == FORMAT_PEM)
- x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
- else {
- BIO_printf(bio_err,"bad input format specified for input crl\n");
- goto end;
- }
- if (x == NULL)
- {
- BIO_printf(bio_err,"unable to load CRL\n");
- ERR_print_errors(bio_err);
- goto end;
- }
-
-end:
- BIO_free(in);
- return(x);
- }
-
int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);
int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake);
-int ssl_load_stores(SSL_CTX *sctx,
+int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls);
+int ssl_load_stores(SSL_CTX *ctx,
const char *vfyCApath, const char *vfyCAfile,
- const char *chCApath, const char *chCAfile);
+ const char *chCApath, const char *chCAfile,
+ STACK_OF(X509_CRL) *crls);
#endif
ERR_print_errors(bio_err);
return 0;
}
-
return 1;
}
return 1;
}
+static int add_crls_store(X509_STORE *st, STACK_OF(X509_CRL) *crls)
+ {
+ X509_CRL *crl;
+ int i;
+ if (crls)
+ {
+ for (i = 0; i < sk_X509_CRL_num(crls); i++)
+ {
+ crl = sk_X509_CRL_value(crls, i);
+ X509_STORE_add_crl(st, crl);
+ }
+ }
+ return 1;
+ }
+
+int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls)
+ {
+ X509_STORE *st;
+ if (crls)
+ {
+ st = SSL_CTX_get_cert_store(ctx);
+ add_crls_store(st, crls);
+ }
+ return 1;
+ }
+
int ssl_load_stores(SSL_CTX *ctx,
const char *vfyCApath, const char *vfyCAfile,
- const char *chCApath, const char *chCAfile)
+ const char *chCApath, const char *chCAfile,
+ STACK_OF(X509_CRL) *crls)
{
X509_STORE *vfy = NULL, *ch = NULL;
int rv = 0;
vfy = X509_STORE_new();
if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
goto err;
+ add_crls_store(vfy, crls);
SSL_CTX_set1_verify_cert_store(ctx, vfy);
}
if (chCApath || chCAfile)
SSL_CONF_CTX *cctx = NULL;
STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
+ char *crl_file = NULL;
+ int crl_format = FORMAT_PEM;
+ STACK_OF(X509_CRL) *crls = NULL;
+
meth=SSLv23_client_method();
apps_startup();
if (--argc < 1) goto bad;
cert_file= *(++argv);
}
+ else if (strcmp(*argv,"-CRL") == 0)
+ {
+ if (--argc < 1) goto bad;
+ crl_file= *(++argv);
+ }
else if (strcmp(*argv,"-sess_out") == 0)
{
if (--argc < 1) goto bad;
if (--argc < 1) goto bad;
cert_format = str2fmt(*(++argv));
}
+ else if (strcmp(*argv,"-CRLform") == 0)
+ {
+ if (--argc < 1) goto bad;
+ crl_format = str2fmt(*(++argv));
+ }
else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
{
if (badarg)
goto end;
}
+ if (crl_file)
+ {
+ X509_CRL *crl;
+ crl = load_crl(crl_file, crl_format);
+ if (!crl)
+ {
+ BIO_puts(bio_err, "Error loading CRL\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ crls = sk_X509_CRL_new_null();
+ if (!crls || !sk_X509_CRL_push(crls, crl))
+ {
+ BIO_puts(bio_err, "Error adding CRL\n");
+ ERR_print_errors(bio_err);
+ X509_CRL_free(crl);
+ goto end;
+ }
+ }
+
if (!load_excert(&exc, bio_err))
goto end;
goto end;
}
- if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile))
+ if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, crls))
{
BIO_printf(bio_err, "Error loading store locations\n");
ERR_print_errors(bio_err);
/* goto end; */
}
+ ssl_ctx_add_crls(ctx, crls);
if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
goto end;
if (ctx != NULL) SSL_CTX_free(ctx);
if (cert)
X509_free(cert);
+ if (crls)
+ sk_X509_CRL_pop_free(crls, X509_CRL_free);
if (key)
EVP_PKEY_free(key);
if (chain)
SSL_EXCERT *exc = NULL;
SSL_CONF_CTX *cctx = NULL;
STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
+
+ char *crl_file = NULL;
+ int crl_format = FORMAT_PEM;
+ STACK_OF(X509_CRL) *crls = NULL;
+
meth=SSLv23_server_method();
local_argc=argc;
if (--argc < 1) goto bad;
s_cert_file= *(++argv);
}
+ else if (strcmp(*argv,"-CRL") == 0)
+ {
+ if (--argc < 1) goto bad;
+ crl_file= *(++argv);
+ }
#ifndef OPENSSL_NO_TLSEXT
else if (strcmp(*argv,"-authz") == 0)
{
}
else if (strcmp(*argv,"-no_cache") == 0)
no_cache = 1;
+ else if (strcmp(*argv,"-CRLform") == 0)
+ {
+ if (--argc < 1) goto bad;
+ crl_format = str2fmt(*(++argv));
+ }
else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
{
if (badarg)
}
#endif
+ if (crl_file)
+ {
+ X509_CRL *crl;
+ crl = load_crl(crl_file, crl_format);
+ if (!crl)
+ {
+ BIO_puts(bio_err, "Error loading CRL\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ crls = sk_X509_CRL_new_null();
+ if (!crls || !sk_X509_CRL_push(crls, crl))
+ {
+ BIO_puts(bio_err, "Error adding CRL\n");
+ ERR_print_errors(bio_err);
+ X509_CRL_free(crl);
+ goto end;
+ }
+ }
+
if (s_dcert_file)
{
if (vpm)
SSL_CTX_set1_param(ctx, vpm);
+ ssl_ctx_add_crls(ctx, crls);
+
if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe, no_jpake))
goto end;
- if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile))
+ if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, crls))
{
BIO_printf(bio_err, "Error loading store locations\n");
ERR_print_errors(bio_err);
if (vpm)
SSL_CTX_set1_param(ctx2, vpm);
+ ssl_ctx_add_crls(ctx2, crls);
+
if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe, no_jpake))
goto end;
+
}
# ifndef OPENSSL_NO_NEXTPROTONEG
if (ctx != NULL) SSL_CTX_free(ctx);
if (s_cert)
X509_free(s_cert);
+ if (crls)
+ sk_X509_CRL_pop_free(crls, X509_CRL_free);
if (s_dcert)
X509_free(s_dcert);
if (s_key)