New option to add CRLs for s_client and s_server.
authorDr. Stephen Henson <steve@openssl.org>
Sun, 2 Dec 2012 16:16:28 +0000 (16:16 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Fri, 18 Jan 2013 14:37:14 +0000 (14:37 +0000)
CHANGES
apps/apps.c
apps/apps.h
apps/crl.c
apps/s_apps.h
apps/s_cb.c
apps/s_client.c
apps/s_server.c

diff --git a/CHANGES b/CHANGES
index 34dc69b0f06213aff8068bc4d1c8cc6d7bfa59c5..918fec366c9d8b9fd384f7b439f1652d2cceefc1 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,9 @@
 
  Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]
 
+  *) New options -CRL and -CRLform for s_client and s_server for CRLs.
+     [Steve Henson]
+
   *) New function X509_CRL_diff to generate a delta CRL from the difference
      of two full CRLs. Add support to "crl" utility.
      [Steve Henson]
index 391a4d10b513f47ed8410e38d1c388c60bbf9083..3c6efbc7cb338138bc9a2cf95b4e86c536d38a7f 100644 (file)
@@ -929,6 +929,55 @@ end:
        return(x);
        }
 
+X509_CRL *load_crl(char *infile, int format)
+       {
+       X509_CRL *x=NULL;
+       BIO *in=NULL;
+
+       if (format == FORMAT_HTTP)
+               {
+               load_cert_crl_http(infile, bio_err, NULL, &x);
+               return x;
+               }
+
+       in=BIO_new(BIO_s_file());
+       if (in == NULL)
+               {
+               ERR_print_errors(bio_err);
+               goto end;
+               }
+
+       if (infile == NULL)
+               BIO_set_fp(in,stdin,BIO_NOCLOSE);
+       else
+               {
+               if (BIO_read_filename(in,infile) <= 0)
+                       {
+                       perror(infile);
+                       goto end;
+                       }
+               }
+       if      (format == FORMAT_ASN1)
+               x=d2i_X509_CRL_bio(in,NULL);
+       else if (format == FORMAT_PEM)
+               x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
+       else    {
+               BIO_printf(bio_err,"bad input format specified for input crl\n");
+               goto end;
+               }
+       if (x == NULL)
+               {
+               BIO_printf(bio_err,"unable to load CRL\n");
+               ERR_print_errors(bio_err);
+               goto end;
+               }
+       
+end:
+       BIO_free(in);
+       return(x);
+       }
+
+
 EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
        const char *pass, ENGINE *e, const char *key_descrip)
        {
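Review bot: In the FORMAT_HTTP branch of load_crl the return value of load_cert_crl_http is dropped and x is returned as-is, so a failed HTTP fetch yields NULL without the "unable to load CRL" message and error dump that the PEM and DER branches print. apps.h in this same commit declares load_cert_crl_http as returning int, so the branch can be made consistent with the others: `if (!load_cert_crl_http(infile, bio_err, NULL, &x)) { BIO_printf(bio_err, "unable to load CRL\n"); ERR_print_errors(bio_err); }` before the return. The parameter is also `char *infile` while load_cert and load_key beside it take `const char *`, and nothing here writes through it. The function is moved verbatim from crl.c, so both points predate this commit, but the move is the moment to fix them.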
index cc20466cf0e9f66533aa8fae0d1ee2be31f6cae7..8a38fe70aad6caf490ee1ea0672615bc2b8112bb 100644 (file)
@@ -245,6 +245,7 @@ int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
 int add_oid_section(BIO *err, CONF *conf);
 X509 *load_cert(BIO *err, const char *file, int format,
        const char *pass, ENGINE *e, const char *cert_descrip);
+X509_CRL *load_crl(char *infile, int format);
 int load_cert_crl_http(const char *url, BIO *err,
                                        X509 **pcert, X509_CRL **pcrl);
 EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
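Review bot: The new prototype `X509_CRL *load_crl(char *infile, int format);` is the only loader in this header that takes its path as non-const and reports to the global bio_err instead of taking a `BIO *err` like load_cert directly above it. `X509_CRL *load_crl(const char *infile, int format);` (with the matching definition in apps.c) costs nothing, since the function only hands the path to BIO_read_filename and perror. A one-line comment stating that the returned CRL is owned by the caller would also help, because the s_client and s_server callers in this commit free it through sk_X509_CRL_pop_free.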
index 50e7d95a6f635b4b3394024ee5a716b4dc75bbe9..3520c4cbb8b248ec66b588bdbf7eabf07a79127c 100644 (file)
@@ -93,7 +93,6 @@ static const char *crl_usage[]={
 NULL
 };
 
-static X509_CRL *load_crl(char *file, int format);
 static BIO *bio_out=NULL;
 
 int MAIN(int, char **);
@@ -452,52 +451,3 @@ end:
        apps_shutdown();
        OPENSSL_EXIT(ret);
        }
-
-static X509_CRL *load_crl(char *infile, int format)
-       {
-       X509_CRL *x=NULL;
-       BIO *in=NULL;
-
-       if (format == FORMAT_HTTP)
-               {
-               load_cert_crl_http(infile, bio_err, NULL, &x);
-               return x;
-               }
-
-       in=BIO_new(BIO_s_file());
-       if (in == NULL)
-               {
-               ERR_print_errors(bio_err);
-               goto end;
-               }
-
-       if (infile == NULL)
-               BIO_set_fp(in,stdin,BIO_NOCLOSE);
-       else
-               {
-               if (BIO_read_filename(in,infile) <= 0)
-                       {
-                       perror(infile);
-                       goto end;
-                       }
-               }
-       if      (format == FORMAT_ASN1)
-               x=d2i_X509_CRL_bio(in,NULL);
-       else if (format == FORMAT_PEM)
-               x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
-       else    {
-               BIO_printf(bio_err,"bad input format specified for input crl\n");
-               goto end;
-               }
-       if (x == NULL)
-               {
-               BIO_printf(bio_err,"unable to load CRL\n");
-               ERR_print_errors(bio_err);
-               goto end;
-               }
-       
-end:
-       BIO_free(in);
-       return(x);
-       }
-
index 9bc61cea3a68130d2b04e128a074b824e879dc36..92bb4949f950b9682a0c52108fb9c1ffcb914a85 100644 (file)
@@ -196,7 +196,9 @@ int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
                        int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);
 int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
                STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake);
-int ssl_load_stores(SSL_CTX *sctx,
+int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls);
+int ssl_load_stores(SSL_CTX *ctx,
                        const char *vfyCApath, const char *vfyCAfile,
-                       const char *chCApath, const char *chCAfile);
+                       const char *chCApath, const char *chCAfile,
+                       STACK_OF(X509_CRL) *crls);
 #endif
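Review bot: The two new prototypes carry no comment on ownership of `crls`, and ownership matters here: both s_client.c and s_server.c in this commit free the stack with sk_X509_CRL_pop_free after SSL_CTX_free, which is only correct if X509_STORE_add_crl takes its own reference on each CRL (presumably via the CRL reference count) rather than adopting the pointer — worth confirming against that function. Suggest a comment above ssl_ctx_add_crls such as `/* Caller keeps ownership of crls; each CRL is added to the context's store by reference. */`. It would also help callers to know that ssl_ctx_add_crls as defined in s_cb.c always returns 1, so they can tell whether the return is worth checking.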
index c876adf3e95d85358354279e332b067897d90871..710c99d076e382c76961a55c0cfb33706a75e0b3 100644 (file)
@@ -288,7 +288,6 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
                ERR_print_errors(bio_err);
                return 0;
                }
-               
        return 1;
        }
 
@@ -1600,9 +1599,36 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
        return 1;
        }
 
+static int add_crls_store(X509_STORE *st, STACK_OF(X509_CRL) *crls)
+       {
+       X509_CRL *crl;
+       int i;
+       if (crls)
+               {
+               for (i = 0; i < sk_X509_CRL_num(crls); i++)
+                       {
+                       crl = sk_X509_CRL_value(crls, i);
+                       X509_STORE_add_crl(st, crl);
+                       }
+               }
+       return 1;
+       }
+
+int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls)
+       {
+       X509_STORE *st;
+       if (crls)
+               {
+               st = SSL_CTX_get_cert_store(ctx);
+               add_crls_store(st, crls);
+               }
+       return 1;
+       }
+
 int ssl_load_stores(SSL_CTX *ctx,
                        const char *vfyCApath, const char *vfyCAfile,
-                       const char *chCApath, const char *chCAfile)
+                       const char *chCApath, const char *chCAfile,
+                       STACK_OF(X509_CRL) *crls)
        {
        X509_STORE *vfy = NULL, *ch = NULL;
        int rv = 0;
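Review bot: add_crls_store ignores the return value of X509_STORE_add_crl and unconditionally returns 1, so a CRL that fails to be added (X509_STORE_add_crl returns 0 on error, e.g. an allocation failure, and in this era of the API — worth checking — also when an equal CRL is already in the store) is silently dropped and the client or server goes on to verify peers without it. ssl_ctx_add_crls inherits the same always-true result, which is why every caller in this commit discards it. Propagate the failure so callers can bail out, and give each helper a short header comment stating that the store keeps its own reference to each CRL.
```c
/* Add every CRL in crls (may be NULL) to st; the store takes its own
 * reference.  Returns 1 on success, 0 if any X509_STORE_add_crl fails. */
static int add_crls_store(X509_STORE *st, STACK_OF(X509_CRL) *crls)
	{
	X509_CRL *crl;
	int i;
	if (crls)
		{
		for (i = 0; i < sk_X509_CRL_num(crls); i++)
			{
			crl = sk_X509_CRL_value(crls, i);
			if (!X509_STORE_add_crl(st, crl))
				return 0;
			}
		}
	return 1;
	}

/* Add crls to the SSL_CTX's default certificate store.
 * Returns 1 on success (including crls == NULL), 0 on error. */
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls)
	{
	if (!crls)
		return 1;
	return add_crls_store(SSL_CTX_get_cert_store(ctx), crls);
	}
```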
@@ -1611,6 +1637,7 @@ int ssl_load_stores(SSL_CTX *ctx,
                vfy = X509_STORE_new();
                if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
                        goto err;
+               add_crls_store(vfy, crls);
                SSL_CTX_set1_verify_cert_store(ctx, vfy);
                }
        if (chCApath || chCAfile)
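Review bot: The result of `add_crls_store(vfy, crls);` is discarded even though the X509_STORE_load_locations call right above it jumps to err on failure. Today that is harmless because add_crls_store, as defined in the previous hunk, never inspects X509_STORE_add_crl and always returns 1, but if that helper is made to report failures this line should become `if (!add_crls_store(vfy, crls)) goto err;` so a CRL that could not be installed into the separate verify store is not silently skipped. The enclosing ssl_load_stores body continues past the hunk.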
index 1be3028cfce593139cb0951813d405ae5bb11185..edd06fc02bd8dc330c4913cc1d40bb2487ec4f10 100644 (file)
@@ -636,6 +636,10 @@ static char *jpake_secret = NULL;
        SSL_CONF_CTX *cctx = NULL;
        STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
 
+       char *crl_file = NULL;
+       int crl_format = FORMAT_PEM;
+       STACK_OF(X509_CRL) *crls = NULL;
+
        meth=SSLv23_client_method();
 
        apps_startup();
@@ -705,6 +709,11 @@ static char *jpake_secret = NULL;
                        if (--argc < 1) goto bad;
                        cert_file= *(++argv);
                        }
+               else if (strcmp(*argv,"-CRL") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crl_file= *(++argv);
+                       }
                else if (strcmp(*argv,"-sess_out") == 0)
                        {
                        if (--argc < 1) goto bad;
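Review bot: `-CRL` can carry only one CRL even though the rest of the commit builds a STACK_OF(X509_CRL): a second `-CRL` on the command line silently overwrites `crl_file`, so a peer chain whose CA and sub-CA publish separate CRLs cannot be fully checked from the command line. Either refuse a repeat (`if (crl_file) goto bad;` at the top of the branch) or, better, collect each occurrence in a STACK_OF(OPENSSL_STRING) and load them all once crl_format is known, so the option can be repeated. No usage or help text for `-CRL` or `-CRLform` appears anywhere in this diff, so the options are undiscoverable; a line such as `" -CRL arg      - CRL to use when verifying the peer certificate\n"` belongs in s_client's usage list, which is presumably outside the hunk.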
@@ -720,6 +729,11 @@ static char *jpake_secret = NULL;
                        if (--argc < 1) goto bad;
                        cert_format = str2fmt(*(++argv));
                        }
+               else if (strcmp(*argv,"-CRLform") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crl_format = str2fmt(*(++argv));
+                       }
                else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
                        {
                        if (badarg)
@@ -1108,6 +1122,26 @@ bad:
                        goto end;
                }
 
+       if (crl_file)
+               {
+               X509_CRL *crl;
+               crl = load_crl(crl_file, crl_format);
+               if (!crl)
+                       {
+                       BIO_puts(bio_err, "Error loading CRL\n");
+                       ERR_print_errors(bio_err);
+                       goto end;
+                       }
+               crls = sk_X509_CRL_new_null();
+               if (!crls || !sk_X509_CRL_push(crls, crl))
+                       {
+                       BIO_puts(bio_err, "Error adding CRL\n");
+                       ERR_print_errors(bio_err);
+                       X509_CRL_free(crl);
+                       goto end;
+                       }
+               }
+
        if (!load_excert(&exc, bio_err))
                goto end;
 
@@ -1159,7 +1193,7 @@ bad:
                goto end;
                }
 
-       if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile))
+       if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, crls))
                {
                BIO_printf(bio_err, "Error loading store locations\n");
                ERR_print_errors(bio_err);
@@ -1221,6 +1255,7 @@ bad:
                /* goto end; */
                }
 
+       ssl_ctx_add_crls(ctx, crls);
        if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
                goto end;
 
@@ -1955,6 +1990,8 @@ end:
        if (ctx != NULL) SSL_CTX_free(ctx);
        if (cert)
                X509_free(cert);
+       if (crls)
+               sk_X509_CRL_pop_free(crls, X509_CRL_free);
        if (key)
                EVP_PKEY_free(key);
        if (chain)
index 2b8754bbf524ddd6f5a56c939c0b42b3645d3159..acc124538afa74c5911fbc52748b15eec405d806 100644 (file)
@@ -986,6 +986,11 @@ int MAIN(int argc, char *argv[])
        SSL_EXCERT *exc = NULL;
        SSL_CONF_CTX *cctx = NULL;
        STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
+
+       char *crl_file = NULL;
+       int crl_format = FORMAT_PEM;
+       STACK_OF(X509_CRL) *crls = NULL;
+
        meth=SSLv23_server_method();
 
        local_argc=argc;
@@ -1051,6 +1056,11 @@ int MAIN(int argc, char *argv[])
                        if (--argc < 1) goto bad;
                        s_cert_file= *(++argv);
                        }
+               else if (strcmp(*argv,"-CRL") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crl_file= *(++argv);
+                       }
 #ifndef OPENSSL_NO_TLSEXT
                else if (strcmp(*argv,"-authz") == 0)
                        {
@@ -1146,6 +1156,11 @@ int MAIN(int argc, char *argv[])
                        }
                else if (strcmp(*argv,"-no_cache") == 0)
                        no_cache = 1;
+               else if (strcmp(*argv,"-CRLform") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crl_format = str2fmt(*(++argv));
+                       }
                else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
                        {
                        if (badarg)
@@ -1508,6 +1523,26 @@ bad:
                }
 #endif
 
+       if (crl_file)
+               {
+               X509_CRL *crl;
+               crl = load_crl(crl_file, crl_format);
+               if (!crl)
+                       {
+                       BIO_puts(bio_err, "Error loading CRL\n");
+                       ERR_print_errors(bio_err);
+                       goto end;
+                       }
+               crls = sk_X509_CRL_new_null();
+               if (!crls || !sk_X509_CRL_push(crls, crl))
+                       {
+                       BIO_puts(bio_err, "Error adding CRL\n");
+                       ERR_print_errors(bio_err);
+                       X509_CRL_free(crl);
+                       goto end;
+                       }
+               }
+
 
        if (s_dcert_file)
                {
@@ -1641,10 +1676,12 @@ bad:
        if (vpm)
                SSL_CTX_set1_param(ctx, vpm);
 
+       ssl_ctx_add_crls(ctx, crls);
+
        if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe, no_jpake))
                goto end;
 
-       if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile))
+       if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, crls))
                {
                BIO_printf(bio_err, "Error loading store locations\n");
                ERR_print_errors(bio_err);
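Review bot: `ssl_ctx_add_crls(ctx, crls);` runs before args_ssl_call and ssl_load_stores here, whereas s_client.c in this same commit calls it after both, and in both apps its int result is discarded. The order only matters if an intervening call replaces the SSL_CTX's certificate store, which I cannot tell from the hunk, but aligning the two apps — `if (!ssl_ctx_add_crls(ctx, crls)) goto end;` placed after the ssl_load_stores check, as in s_client — removes the need to reason about it and stops ignoring a return value the function is declared to have. MAIN's body continues on both sides of the hunk.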
@@ -1705,8 +1742,11 @@ bad:
                if (vpm)
                        SSL_CTX_set1_param(ctx2, vpm);
 
+               ssl_ctx_add_crls(ctx2, crls);
+
                if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe, no_jpake))
                        goto end;
+
                }
 
 # ifndef OPENSSL_NO_NEXTPROTONEG
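Review bot: ctx2 receives the CRLs through `ssl_ctx_add_crls(ctx2, crls);`, but within this diff it gets no `ssl_load_stores(ctx2, ..., crls)` counterpart as ctx does in the previous hunk, so if the SNI context is also meant to honour a separate verify store from -verifyCAfile/-verifyCApath somewhere outside the hunk, that store would lack the CRLs — worth confirming; if ctx2 never gets a separate verify store the line is correct as written. The return value is discarded here too, so `if (!ssl_ctx_add_crls(ctx2, crls)) goto end;` would match the args_ssl_call check beneath it. The blank line added after the args_ssl_call block is stray whitespace. The enclosing block starts outside the hunk.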
@@ -1968,6 +2008,8 @@ end:
        if (ctx != NULL) SSL_CTX_free(ctx);
        if (s_cert)
                X509_free(s_cert);
+       if (crls)
+               sk_X509_CRL_pop_free(crls, X509_CRL_free);
        if (s_dcert)
                X509_free(s_dcert);
        if (s_key)