From 65a0f684849b49033bb035d681b46f96f128f84b Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Wed, 11 Apr 2012 16:54:07 +0000
Subject: [PATCH] Add options to set additional type specific certificate
 chains to s_server.

---
 apps/s_apps.h   |  3 ++-
 apps/s_cb.c     |  9 ++++++++-
 apps/s_client.c |  2 +-
 apps/s_server.c | 37 ++++++++++++++++++++++++++++++++-----
 4 files changed, 43 insertions(+), 8 deletions(-)

diff --git a/apps/s_apps.h b/apps/s_apps.h
index 39a11d9a77..5de65329a9 100644
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -154,7 +154,8 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
 #endif
 #ifdef HEADER_SSL_H
 int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
-int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
+int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
+							STACK_OF(X509) *chain);
 int ssl_print_sigalgs(BIO *out, SSL *s);
 int ssl_print_curves(BIO *out, SSL *s);
 #endif
diff --git a/apps/s_cb.c b/apps/s_cb.c
index 4395f194aa..b21a4283df 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -250,7 +250,8 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
 	return(1);
 	}
 
-int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key)
+int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
+							STACK_OF(X509) *chain)
 	{
 	if (cert ==  NULL)
 		return 1;
@@ -275,6 +276,12 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key)
 		BIO_printf(bio_err,"Private key does not match the certificate public key\n");
 		return 0;
 		}
+	if (chain && !SSL_CTX_set1_chain(ctx, chain))
+		{
+		BIO_printf(bio_err,"error setting certificate chain\n");
+		ERR_print_errors(bio_err);
+		return 0;
+		}
 	return 1;
 	}
 
diff --git a/apps/s_client.c b/apps/s_client.c
index 96cb4a61f9..5ad6756ff9 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1169,7 +1169,7 @@ bad:
 #endif
 
 	SSL_CTX_set_verify(ctx,verify,verify_callback);
-	if (!set_cert_key_stuff(ctx,cert,key))
+	if (!set_cert_key_stuff(ctx,cert,key, NULL))
 		goto end;
 
 	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
diff --git a/apps/s_server.c b/apps/s_server.c
index 56e15fae38..23f7988393 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -267,12 +267,12 @@ extern int verify_depth, verify_return_error;
 static char *cipher=NULL;
 static int s_server_verify=SSL_VERIFY_NONE;
 static int s_server_session_id_context = 1; /* anything will do */
-static const char *s_cert_file=TEST_CERT,*s_key_file=NULL;
+static const char *s_cert_file=TEST_CERT,*s_key_file=NULL, *s_chain_file=NULL;
 #ifndef OPENSSL_NO_TLSEXT
 static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL;
 static char *curves=NULL;
 #endif
-static char *s_dcert_file=NULL,*s_dkey_file=NULL;
+static char *s_dcert_file=NULL,*s_dkey_file=NULL, *s_dchain_file=NULL;
 #ifdef FIONBIO
 static int s_nbio=0;
 #endif
@@ -431,8 +431,10 @@ static void s_server_init(void)
 	s_server_verify=SSL_VERIFY_NONE;
 	s_dcert_file=NULL;
 	s_dkey_file=NULL;
+	s_dchain_file=NULL;
 	s_cert_file=TEST_CERT;
 	s_key_file=NULL;
+	s_chain_file=NULL;
 #ifndef OPENSSL_NO_TLSEXT
 	curves=NULL;
 	s_cert_file2=TEST_CERT2;
@@ -952,6 +954,7 @@ int MAIN(int argc, char *argv[])
 	char *dpassarg = NULL, *dpass = NULL;
 	int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
 	X509 *s_cert = NULL, *s_dcert = NULL;
+	STACK_OF(X509) *s_chain = NULL, *s_dchain = NULL;
 	EVP_PKEY *s_key = NULL, *s_dkey = NULL;
 	int no_cache = 0;
 #ifndef OPENSSL_NO_TLSEXT
@@ -1050,6 +1053,11 @@ int MAIN(int argc, char *argv[])
 			if (--argc < 1) goto bad;
 			passarg = *(++argv);
 			}
+		else if	(strcmp(*argv,"-cert_chain") == 0)
+			{
+			if (--argc < 1) goto bad;
+			s_chain_file= *(++argv);
+			}
 		else if	(strcmp(*argv,"-dhparam") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -1087,6 +1095,11 @@ int MAIN(int argc, char *argv[])
 			if (--argc < 1) goto bad;
 			s_dkey_file= *(++argv);
 			}
+		else if	(strcmp(*argv,"-dcert_chain") == 0)
+			{
+			if (--argc < 1) goto bad;
+			s_dchain_file= *(++argv);
+			}
 		else if (strcmp(*argv,"-nocert") == 0)
 			{
 			nocert=1;
@@ -1417,6 +1430,13 @@ bad:
 			ERR_print_errors(bio_err);
 			goto end;
 			}
+		if (s_chain_file)
+			{
+			s_chain = load_certs(bio_err, s_chain_file,FORMAT_PEM,
+					NULL, e, "server certificate chain");
+			if (!s_chain)
+				goto end;
+			}
 
 #ifndef OPENSSL_NO_TLSEXT
 		if (tlsextcbp.servername) 
@@ -1481,6 +1501,13 @@ bad:
 			ERR_print_errors(bio_err);
 			goto end;
 			}
+		if (s_dchain_file)
+			{
+			s_dchain = load_certs(bio_err, s_dchain_file,FORMAT_PEM,
+				NULL, e, "second server certificate chain");
+			if (!s_dchain)
+				goto end;
+			}
 
 		}
 
@@ -1740,15 +1767,15 @@ bad:
 		}
 #endif
 	
-	if (!set_cert_key_stuff(ctx,s_cert,s_key))
+	if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain))
 		goto end;
 #ifndef OPENSSL_NO_TLSEXT
-	if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2))
+	if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL))
 		goto end; 
 #endif
 	if (s_dcert != NULL)
 		{
-		if (!set_cert_key_stuff(ctx,s_dcert,s_dkey))
+		if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain))
 			goto end;
 		}
 
-- 
2.25.1