New option to add CRLs for s_client and s_server.
authorDr. Stephen Henson <steve@openssl.org>
Sun, 2 Dec 2012 16:16:28 +0000 (16:16 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Sun, 2 Dec 2012 16:16:28 +0000 (16:16 +0000)
CHANGES
apps/apps.c
apps/apps.h
apps/crl.c
apps/s_apps.h
apps/s_cb.c
apps/s_client.c
apps/s_server.c

diff --git a/CHANGES b/CHANGES
index 3f6afc8020233d839335ea5a2f2bf9f906fb2c07..a03aa4bbe33328795c9429be9b73e569d6de7919 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,9 @@
 
  Changes between 1.0.x and 1.1.0  [xx XXX xxxx]
 
+  *) New options -CRL and -CRLform for s_client and s_server for CRLs.
+     [Steve Henson]
+
   *) Extend OCSP I/O functions so they can be used for simple general purpose
      HTTP as well as OCSP. New wrapper function which can be used to download
      CRLs using the OCSP API.
index b36e51799bd00e6254764c23827dc8d04cd925cc..b378836066ad39d56950ea38601edb3486596dd9 100644 (file)
@@ -929,6 +929,55 @@ end:
        return(x);
        }
 
+X509_CRL *load_crl(char *infile, int format)
+       {
+       X509_CRL *x=NULL;
+       BIO *in=NULL;
+
+       if (format == FORMAT_HTTP)
+               {
+               load_cert_crl_http(infile, bio_err, NULL, &x);
+               return x;
+               }
+
+       in=BIO_new(BIO_s_file());
+       if (in == NULL)
+               {
+               ERR_print_errors(bio_err);
+               goto end;
+               }
+
+       if (infile == NULL)
+               BIO_set_fp(in,stdin,BIO_NOCLOSE);
+       else
+               {
+               if (BIO_read_filename(in,infile) <= 0)
+                       {
+                       perror(infile);
+                       goto end;
+                       }
+               }
+       if      (format == FORMAT_ASN1)
+               x=d2i_X509_CRL_bio(in,NULL);
+       else if (format == FORMAT_PEM)
+               x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
+       else    {
+               BIO_printf(bio_err,"bad input format specified for input crl\n");
+               goto end;
+               }
+       if (x == NULL)
+               {
+               BIO_printf(bio_err,"unable to load CRL\n");
+               ERR_print_errors(bio_err);
+               goto end;
+               }
+       
+end:
+       BIO_free(in);
+       return(x);
+       }
+
+
 EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
        const char *pass, ENGINE *e, const char *key_descrip)
        {
index 165e45562d9dde696a4a501371baf715d9956062..e9d21d545a4983e442d024d5a37d517800db75f7 100644 (file)
@@ -245,6 +245,7 @@ int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
 int add_oid_section(BIO *err, CONF *conf);
 X509 *load_cert(BIO *err, const char *file, int format,
        const char *pass, ENGINE *e, const char *cert_descrip);
+X509_CRL *load_crl(char *infile, int format);
 int load_cert_crl_http(const char *url, BIO *err,
                                        X509 **pcert, X509_CRL **pcrl);
 EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
index 888cf7ff8d35bf59fdfe648f0903da1eaa59f133..fc12734052138f9034a464c80757e9c3f4e1a10b 100644 (file)
@@ -93,7 +93,6 @@ static const char *crl_usage[]={
 NULL
 };
 
-static X509_CRL *load_crl(char *file, int format);
 static BIO *bio_out=NULL;
 
 int MAIN(int, char **);
@@ -401,52 +400,3 @@ end:
        apps_shutdown();
        OPENSSL_EXIT(ret);
        }
-
-static X509_CRL *load_crl(char *infile, int format)
-       {
-       X509_CRL *x=NULL;
-       BIO *in=NULL;
-
-       if (format == FORMAT_HTTP)
-               {
-               load_cert_crl_http(infile, bio_err, NULL, &x);
-               return x;
-               }
-
-       in=BIO_new(BIO_s_file());
-       if (in == NULL)
-               {
-               ERR_print_errors(bio_err);
-               goto end;
-               }
-
-       if (infile == NULL)
-               BIO_set_fp(in,stdin,BIO_NOCLOSE);
-       else
-               {
-               if (BIO_read_filename(in,infile) <= 0)
-                       {
-                       perror(infile);
-                       goto end;
-                       }
-               }
-       if      (format == FORMAT_ASN1)
-               x=d2i_X509_CRL_bio(in,NULL);
-       else if (format == FORMAT_PEM)
-               x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
-       else    {
-               BIO_printf(bio_err,"bad input format specified for input crl\n");
-               goto end;
-               }
-       if (x == NULL)
-               {
-               BIO_printf(bio_err,"unable to load CRL\n");
-               ERR_print_errors(bio_err);
-               goto end;
-               }
-       
-end:
-       BIO_free(in);
-       return(x);
-       }
-
index 6aab0a60b591f4f62bc78f765ad2a6d747c55658..0a382419be6353c5028c0127843f4c3497b4cb50 100644 (file)
@@ -201,7 +201,9 @@ int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
                        int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);
 int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
                                STACK_OF(OPENSSL_STRING) *str, int no_ecdhe);
+int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls);
 int ssl_load_stores(SSL_CTX *ctx,
                        const char *vfyCApath, const char *vfyCAfile,
-                       const char *chCApath, const char *chCAfile);
+                       const char *chCApath, const char *chCAfile,
+                       STACK_OF(X509_CRL) *crls);
 #endif
index 0759c8a7c9f8f0bbd2fb98e01da1c727733b7a03..e0289d41dd700fd4998595c3b4f8fa2b24ad2a64 100644 (file)
@@ -293,7 +293,6 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
                ERR_print_errors(bio_err);
                return 0;
                }
-               
        return 1;
        }
 
@@ -1670,9 +1669,36 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
        return 1;
        }
 
+static int add_crls_store(X509_STORE *st, STACK_OF(X509_CRL) *crls)
+       {
+       X509_CRL *crl;
+       int i;
+       if (crls)
+               {
+               for (i = 0; i < sk_X509_CRL_num(crls); i++)
+                       {
+                       crl = sk_X509_CRL_value(crls, i);
+                       X509_STORE_add_crl(st, crl);
+                       }
+               }
+       return 1;
+       }
+
+int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls)
+       {
+       X509_STORE *st;
+       if (crls)
+               {
+               st = SSL_CTX_get_cert_store(ctx);
+               add_crls_store(st, crls);
+               }
+       return 1;
+       }
+
 int ssl_load_stores(SSL_CTX *ctx,
                        const char *vfyCApath, const char *vfyCAfile,
-                       const char *chCApath, const char *chCAfile)
+                       const char *chCApath, const char *chCAfile,
+                       STACK_OF(X509_CRL) *crls)
        {
        X509_STORE *vfy = NULL, *ch = NULL;
        int rv = 0;
@@ -1681,6 +1707,7 @@ int ssl_load_stores(SSL_CTX *ctx,
                vfy = X509_STORE_new();
                if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
                        goto err;
+               add_crls_store(vfy, crls);
                SSL_CTX_set1_verify_cert_store(ctx, vfy);
                }
        if (chCApath || chCAfile)
index aebdeaca4126c9057ad3915a55f2df84d26d8e9c..1a8f8ac844d5d09f31c57a985be6db4599189987 100644 (file)
@@ -639,6 +639,10 @@ int MAIN(int argc, char **argv)
        SSL_CONF_CTX *cctx = NULL;
        STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
 
+       char *crl_file = NULL;
+       int crl_format = FORMAT_PEM;
+       STACK_OF(X509_CRL) *crls = NULL;
+
        meth=SSLv23_client_method();
 
        apps_startup();
@@ -708,6 +712,11 @@ int MAIN(int argc, char **argv)
                        if (--argc < 1) goto bad;
                        cert_file= *(++argv);
                        }
+               else if (strcmp(*argv,"-CRL") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crl_file= *(++argv);
+                       }
                else if (strcmp(*argv,"-sess_out") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -723,6 +732,11 @@ int MAIN(int argc, char **argv)
                        if (--argc < 1) goto bad;
                        cert_format = str2fmt(*(++argv));
                        }
+               else if (strcmp(*argv,"-CRLform") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crl_format = str2fmt(*(++argv));
+                       }
                else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
                        {
                        if (badarg)
@@ -1128,6 +1142,26 @@ bad:
                        }
                }
 
+       if (crl_file)
+               {
+               X509_CRL *crl;
+               crl = load_crl(crl_file, crl_format);
+               if (!crl)
+                       {
+                       BIO_puts(bio_err, "Error loading CRL\n");
+                       ERR_print_errors(bio_err);
+                       goto end;
+                       }
+               crls = sk_X509_CRL_new_null();
+               if (!crls || !sk_X509_CRL_push(crls, crl))
+                       {
+                       BIO_puts(bio_err, "Error adding CRL\n");
+                       ERR_print_errors(bio_err);
+                       X509_CRL_free(crl);
+                       goto end;
+                       }
+               }
+
        if (!load_excert(&exc, bio_err))
                goto end;
 
@@ -1179,7 +1213,7 @@ bad:
                goto end;
                }
 
-       if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile))
+       if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, crls))
                {
                BIO_printf(bio_err, "Error loading store locations\n");
                ERR_print_errors(bio_err);
@@ -1241,6 +1275,8 @@ bad:
                /* goto end; */
                }
 
+       ssl_ctx_add_crls(ctx, crls);
+
        if (!set_cert_key_stuff(ctx,cert,key, NULL, build_chain))
                goto end;
 
@@ -1983,6 +2019,8 @@ end:
        if (ctx != NULL) SSL_CTX_free(ctx);
        if (cert)
                X509_free(cert);
+       if (crls)
+               sk_X509_CRL_pop_free(crls, X509_CRL_free);
        if (key)
                EVP_PKEY_free(key);
        if (pass)
index 6813fb794b6f00ec7076e6a500f8e781c62bd8cb..b9f6f30b0a7781d5a14aee37f89bc03d1bbb3d3e 100644 (file)
@@ -999,6 +999,10 @@ int MAIN(int argc, char *argv[])
        SSL_CONF_CTX *cctx = NULL;
        STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
 
+       char *crl_file = NULL;
+       int crl_format = FORMAT_PEM;
+       STACK_OF(X509_CRL) *crls = NULL;
+
        meth=SSLv23_server_method();
 
        local_argc=argc;
@@ -1077,6 +1081,11 @@ int MAIN(int argc, char *argv[])
                        if (--argc < 1) goto bad;
                        s_cert_file= *(++argv);
                        }
+               else if (strcmp(*argv,"-CRL") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crl_file= *(++argv);
+                       }
 #ifndef OPENSSL_NO_TLSEXT
                else if (strcmp(*argv,"-authz") == 0)
                        {
@@ -1167,6 +1176,11 @@ int MAIN(int argc, char *argv[])
                        no_cache = 1;
                else if (strcmp(*argv,"-ext_cache") == 0)
                        ext_cache = 1;
+               else if (strcmp(*argv,"-CRLform") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crl_format = str2fmt(*(++argv));
+                       }
                else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
                        {
                        if (badarg)
@@ -1567,6 +1581,26 @@ bad:
                }
 #endif
 
+       if (crl_file)
+               {
+               X509_CRL *crl;
+               crl = load_crl(crl_file, crl_format);
+               if (!crl)
+                       {
+                       BIO_puts(bio_err, "Error loading CRL\n");
+                       ERR_print_errors(bio_err);
+                       goto end;
+                       }
+               crls = sk_X509_CRL_new_null();
+               if (!crls || !sk_X509_CRL_push(crls, crl))
+                       {
+                       BIO_puts(bio_err, "Error adding CRL\n");
+                       ERR_print_errors(bio_err);
+                       X509_CRL_free(crl);
+                       goto end;
+                       }
+               }
+
 
        if (s_dcert_file)
                {
@@ -1702,10 +1736,12 @@ bad:
        if (vpm)
                SSL_CTX_set1_param(ctx, vpm);
 
+       ssl_ctx_add_crls(ctx, crls);
+
        if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe))
                goto end;
 
-       if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile))
+       if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, crls))
                {
                BIO_printf(bio_err, "Error loading store locations\n");
                ERR_print_errors(bio_err);
@@ -1768,6 +1804,8 @@ bad:
                if (vpm)
                        SSL_CTX_set1_param(ctx2, vpm);
 
+               ssl_ctx_add_crls(ctx2, crls);
+
                if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe))
                        goto end;
                }
@@ -1973,6 +2011,8 @@ end:
        if (ctx != NULL) SSL_CTX_free(ctx);
        if (s_cert)
                X509_free(s_cert);
+       if (crls)
+               sk_X509_CRL_pop_free(crls, X509_CRL_free);
        if (s_dcert)
                X509_free(s_dcert);
        if (s_key)