From 3341b820cc9b9632f4e764306988d29940d17c23 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sun, 30 Dec 2012 16:27:15 +0000 Subject: [PATCH] add support for separate verify can chain stores to s_client (backport from HEAD) --- apps/s_apps.h | 3 +++ apps/s_cb.c | 30 ++++++++++++++++++++++++++++++ apps/s_client.c | 29 +++++++++++++++++++++++++++++ apps/s_server.c | 33 --------------------------------- 4 files changed, 62 insertions(+), 33 deletions(-)
diff --git a/apps/s_apps.h b/apps/s_apps.h
index 74e5a2f872..9bc61cea3a 100644
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -196,4 +196,7 @@ int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
 int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);
 int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
 STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake);
+int ssl_load_stores(SSL_CTX *sctx,
+ const char *vfyCApath, const char *vfyCAfile,
+ const char *chCApath, const char *chCAfile);
 #endif
diff --git a/apps/s_cb.c b/apps/s_cb.c
index e760289f9d..c876adf3e9 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -1599,3 +1599,33 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
 #endif
 return 1;
 }
+
+int ssl_load_stores(SSL_CTX *ctx,
+ const char *vfyCApath, const char *vfyCAfile,
+ const char *chCApath, const char *chCAfile)
+ {
+ X509_STORE *vfy = NULL, *ch = NULL;
+ int rv = 0;
+ if (vfyCApath || vfyCAfile)
+ {
+ vfy = X509_STORE_new();
+ if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
+ goto err;
+ SSL_CTX_set1_verify_cert_store(ctx, vfy);
+ }
+ if (chCApath || chCAfile)
+ {
+ ch = X509_STORE_new();
+ if (!X509_STORE_load_locations(ch, chCAfile, chCApath))
+ goto err;
+ /*X509_STORE_set_verify_cb(ch, verify_callback);*/
+ SSL_CTX_set1_chain_cert_store(ctx, ch);
+ }
+ rv = 1;
+ err:
+ if (vfy)
+ X509_STORE_free(vfy);
+ if (ch)
+ X509_STORE_free(ch);
+ return rv;
+ }
diff --git a/apps/s_client.c b/apps/s_client.c
index 6df4e92a4d..1be3028cfc 100644
--- a/apps/s_client.c
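Review bot: The prototype added to s_apps.h names its first parameter `sctx` while the definition this same patch adds to s_cb.c names it `ctx`; that is legal C but the header is the thing readers consult, so it should match the definition: `int ssl_load_stores(SSL_CTX *ctx,`. The declaration also carries no description of what the function does with the stores or how failure is reported. I would put a comment above it saying that it builds a separate verify store from vfyCAfile/vfyCApath and a separate chain store from chCAfile/chCApath, installs each on ctx via the set1 setters (ctx keeps its own reference; the function frees the stores it created before returning), skips a store whose file and path are both NULL, and returns 1 on success or 0 with the reason on the OpenSSL error queue.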
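Review bot: `vfy = X509_STORE_new();` and `ch = X509_STORE_new();` are not checked for NULL before the pointer is handed to X509_STORE_load_locations, so an allocation failure dereferences a null pointer instead of taking the err path; add `if (vfy == NULL) goto err;` and `if (ch == NULL) goto err;` directly after each call. The commented-out `/*X509_STORE_set_verify_cb(ch, verify_callback);*/` is dead code; either delete it or replace it with a one-line comment explaining why the chain store intentionally gets no verify callback. Note that when the verify store has already been installed with SSL_CTX_set1_verify_cert_store and the chain store then fails, the function returns 0 leaving ctx partly configured; the callers in this patch exit on 0 so that is acceptable, but a comment at the err label saying so would prevent a future caller from treating 0 as "nothing changed". The whole function lies within the hunk.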
+++ b/apps/s_client.c
@@ -577,6 +577,8 @@ int MAIN(int argc, char **argv)
 EVP_PKEY *key = NULL;
 STACK_OF(X509) *chain = NULL;
 char *CApath=NULL,*CAfile=NULL;
+ char *chCApath=NULL,*chCAfile=NULL;
+ char *vfyCApath=NULL,*vfyCAfile=NULL;
 int reconnect=0,badop=0,verify=SSL_VERIFY_NONE;
 int crlf=0;
 int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
@@ -895,6 +897,16 @@ static char *jpake_secret = NULL;
 if (--argc < 1) goto bad;
 CApath= *(++argv);
 }
+ else if (strcmp(*argv,"-chainCApath") == 0)
+ {
+ if (--argc < 1) goto bad;
+ chCApath= *(++argv);
+ }
+ else if (strcmp(*argv,"-verifyCApath") == 0)
+ {
+ if (--argc < 1) goto bad;
+ vfyCApath= *(++argv);
+ }
 else if (strcmp(*argv,"-build_chain") == 0)
 build_chain = 1;
 else if (strcmp(*argv,"-CAfile") == 0)
@@ -902,6 +914,16 @@ static char *jpake_secret = NULL;
 if (--argc < 1) goto bad;
 CAfile= *(++argv);
 }
+ else if (strcmp(*argv,"-chainCAfile") == 0)
+ {
+ if (--argc < 1) goto bad;
+ chCAfile= *(++argv);
+ }
+ else if (strcmp(*argv,"-verifyCAfile") == 0)
+ {
+ if (--argc < 1) goto bad;
+ vfyCAfile= *(++argv);
+ }
 #ifndef OPENSSL_NO_TLSEXT
 # ifndef OPENSSL_NO_NEXTPROTONEG
 else if (strcmp(*argv,"-nextprotoneg") == 0)
@@ -1137,6 +1159,13 @@ bad:
 goto end;
 }
 
+ if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile))
+ {
+ BIO_printf(bio_err, "Error loading store locations\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
 #ifndef OPENSSL_NO_ENGINE
 if (ssl_client_engine)
 {
diff --git a/apps/s_server.c b/apps/s_server.c
index 9abeec93b3..2b8754bbf5 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
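Review bot: The new `-chainCApath` and `-verifyCApath` options (and `-chainCAfile`/`-verifyCAfile` in the following hunk) are parsed but never documented: the diffstat's 29 added lines in s_client.c are fully accounted for by the two declarations, the two parsing hunks and the ssl_load_stores call, so the usage text (presumably the sc_usage function, outside this hunk) is untouched and a user running s_client without arguments will never learn these options exist. I would add usage lines alongside the existing -CApath/-CAfile entries, e.g. ` -verifyCApath arg - PEM format directory of CA's used only to verify the peer` and ` -chainCApath arg - PEM format directory of CA's used only to build the local chain`, plus the matching CAfile variants, with the "used only to" wording hedged against the actual store semantics. The option loop this hunk sits in starts and ends outside the hunk.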
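Review bot: The failure report `BIO_printf(bio_err, "Error loading store locations\n");` does not say which of the four locations could not be loaded, and the error queue printed by ERR_print_errors carries the library reason rather than the operator's argument, so a mistyped `-verifyCApath` and a mistyped `-chainCAfile` produce the same output. Since any of the four pointers may be NULL here, do not pass them straight to a "%s" conversion; either substitute a placeholder, e.g. `vfyCAfile ? vfyCAfile : "(none)"`, or have ssl_load_stores print the failing file/path itself where it knows which load failed. The enclosing MAIN continues outside the hunk.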
@@ -212,9 +212,6 @@ static int init_ssl_connection(SSL *s);
 static void print_stats(BIO *bp,SSL_CTX *ctx);
 static int generate_session_id(const SSL *ssl, unsigned char *id,
 unsigned int *id_len);
-static int ssl_load_stores(SSL_CTX *sctx,
- const char *vfyCApath, const char *vfyCAfile,
- const char *chCApath, const char *chCAfile);
 #ifndef OPENSSL_NO_DH
 static DH *load_dh_param(const char *dhfile);
 static DH *get_dh512(void);
@@ -3122,33 +3119,3 @@ static int generate_session_id(const SSL *ssl, unsigned char *id,
 return 0;
 return 1;
 }
-
-static int ssl_load_stores(SSL_CTX *sctx,
- const char *vfyCApath, const char *vfyCAfile,
- const char *chCApath, const char *chCAfile)
- {
- X509_STORE *vfy = NULL, *ch = NULL;
- int rv = 0;
- if (vfyCApath || vfyCAfile)
- {
- vfy = X509_STORE_new();
- if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
- goto err;
- SSL_CTX_set1_verify_cert_store(ctx, vfy);
- }
- if (chCApath || chCAfile)
- {
- ch = X509_STORE_new();
- if (!X509_STORE_load_locations(ch, chCAfile, chCApath))
- goto err;
- /*X509_STORE_set_verify_cb(ch, verify_callback);*/
- SSL_CTX_set1_chain_cert_store(ctx, ch);
- }
- rv = 1;
- err:
- if (vfy)
- X509_STORE_free(vfy);
- if (ch)
- X509_STORE_free(ch);
- return rv;
- }
-- 2.25.1