From 3208fc59dbc31c58ab1eb1e631e43a2cfa886c7e Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Tue, 3 Jul 2012 14:53:27 +0000 Subject: [PATCH] add support for client certificate callbak, fix memory leak --- apps/s_cb.c | 13 +++++++++---- apps/s_client.c | 16 ++++++++++++++++ 2 files changed, 25 insertions(+), 4 deletions(-) diff --git a/apps/s_cb.c b/apps/s_cb.c index 34c0185559..6c4c405792 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -1192,11 +1192,16 @@ int args_excert(char ***pargs, int *pargc, { char *arg = **pargs, *argn = (*pargs)[1]; SSL_EXCERT *exc = *pexc; - if (!exc && !ssl_excert_prepend(&exc)) + if (!exc) { - BIO_printf(err, "Error initialising xcert\n"); - *badarg = 1; - goto err; + if (ssl_excert_prepend(&exc)) + *pexc = exc; + else + { + BIO_printf(err, "Error initialising xcert\n"); + *badarg = 1; + goto err; + } } if (strcmp(arg, "-xcert") == 0) { diff --git a/apps/s_client.c b/apps/s_client.c index b7809c5baf..60776480de 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -558,6 +558,7 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { unsigned int off=0, clr=0; + int cert_flags=0; SSL *con=NULL; #ifndef OPENSSL_NO_KRB5 KSSL_CTX *kctx; @@ -628,6 +629,7 @@ int MAIN(int argc, char **argv) int srp_lateuser = 0; SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024}; #endif + SSL_EXCERT *exc = NULL; meth=SSLv23_client_method(); @@ -715,6 +717,12 @@ int MAIN(int argc, char **argv) } else if (strcmp(*argv,"-verify_return_error") == 0) verify_return_error = 1; + else if (args_excert(&argv, &argc, &badarg, bio_err, &exc)) + { + if (badarg) + goto bad; + continue; + } else if (strcmp(*argv,"-prexit") == 0) prexit=1; else if (strcmp(*argv,"-crlf") == 0) @@ -994,6 +1002,8 @@ int MAIN(int argc, char **argv) keymatexportlen=atoi(*(++argv)); if (keymatexportlen == 0) goto bad; } + else if (strcmp(*argv, "-cert_strict") == 0) + cert_flags |= SSL_CERT_FLAG_TLS_STRICT; else { BIO_printf(bio_err,"unknown option %s\n",*argv); @@ -1099,6 +1109,9 @@ bad: } } + if (!load_excert(&exc, bio_err)) + goto end; + if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL && !RAND_status()) { @@ -1174,6 +1187,8 @@ bad: if (clr) SSL_CTX_clear_options(ctx, clr); + if (cert_flags) SSL_CTX_set_cert_flags(ctx, cert_flags); + if (exc) ssl_ctx_set_excert(ctx, exc); /* DTLS: partial reads end up discarding unread UDP bytes :-( * Setting read ahead solves this problem. */ @@ -1957,6 +1972,7 @@ end: EVP_PKEY_free(key); if (pass) OPENSSL_free(pass); + ssl_excert_free(exc); if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); } if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); } if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); } -- 2.25.1