From a5afc0a8f43cb4ffea5db74b18abc0c6a5b9770c Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Fri, 23 Nov 2012 18:56:25 +0000 Subject: [PATCH] Don't display messages about verify depth in s_server if -quiet it set. Add support for separate verify and chain stores in s_client. --- apps/s_apps.h | 3 +++ apps/s_cb.c | 29 +++++++++++++++++++++++++++++ apps/s_client.c | 29 +++++++++++++++++++++++++++++ apps/s_server.c | 48 ++++-------------------------------------------- 4 files changed, 65 insertions(+), 44 deletions(-) diff --git a/apps/s_apps.h b/apps/s_apps.h index 5d7d158a7d..6aab0a60b5 100644 --- a/apps/s_apps.h +++ b/apps/s_apps.h @@ -201,4 +201,7 @@ int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx, int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr); int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, int no_ecdhe); +int ssl_load_stores(SSL_CTX *ctx, + const char *vfyCApath, const char *vfyCAfile, + const char *chCApath, const char *chCAfile); #endif diff --git a/apps/s_cb.c b/apps/s_cb.c index c83687fb0b..aed718b1f6 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -1671,3 +1671,32 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, } return 1; } + +int ssl_load_stores(SSL_CTX *ctx, + const char *vfyCApath, const char *vfyCAfile, + const char *chCApath, const char *chCAfile) + { + X509_STORE *vfy = NULL, *ch = NULL; + int rv = 0; + if (vfyCApath || vfyCAfile) + { + vfy = X509_STORE_new(); + if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath)) + goto err; + SSL_CTX_set1_verify_cert_store(ctx, vfy); + } + if (chCApath || chCAfile) + { + ch = X509_STORE_new(); + if (!X509_STORE_load_locations(ch, chCAfile, chCApath)) + goto err; + SSL_CTX_set1_chain_cert_store(ctx, ch); + } + rv = 1; + err: + if (vfy) + X509_STORE_free(vfy); + if (ch) + X509_STORE_free(ch); + return rv; + } diff --git a/apps/s_client.c b/apps/s_client.c index 2a8861e8bd..aebdeaca41 100644 --- a/apps/s_client.c 
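Review bot: In the new ssl_load_stores in apps/s_cb.c, the result of `X509_STORE_new()` is handed to `X509_STORE_load_locations` without a NULL check, so an allocation failure turns into a NULL dereference instead of the `rv = 0` return the function otherwise provides; the two sites should read `vfy = X509_STORE_new(); if (!vfy || !X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath)) goto err;` and likewise for `ch`. The `if (vfy)` / `if (ch)` guards before `X509_STORE_free` appear to be redundant, since X509_STORE_free accepts NULL, and could be dropped. Since this helper is now exported through s_apps.h, it deserves a header comment on the declaration stating that the stores are handed to the SSL_CTX via the set1 functions (which take their own reference, hence the unconditional frees here) and that, as far as I can tell, a verify store set this way replaces the context's default store for peer verification rather than supplementing it — worth confirming and spelling out, as callers may otherwise expect -CAfile and -verifyCAfile to be merged.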
+++ b/apps/s_client.c @@ -581,6 +581,8 @@ int MAIN(int argc, char **argv) X509 *cert = NULL; EVP_PKEY *key = NULL; char *CApath=NULL,*CAfile=NULL; + char *chCApath=NULL,*chCAfile=NULL; + char *vfyCApath=NULL,*vfyCAfile=NULL; int reconnect=0,badop=0,verify=SSL_VERIFY_NONE; int crlf=0; int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending; @@ -901,6 +903,16 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; CApath= *(++argv); } + else if (strcmp(*argv,"-chainCApath") == 0) + { + if (--argc < 1) goto bad; + chCApath= *(++argv); + } + else if (strcmp(*argv,"-verifyCApath") == 0) + { + if (--argc < 1) goto bad; + vfyCApath= *(++argv); + } else if (strcmp(*argv,"-build_chain") == 0) build_chain = 1; else if (strcmp(*argv,"-CAfile") == 0) @@ -908,6 +920,16 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; CAfile= *(++argv); } + else if (strcmp(*argv,"-chainCAfile") == 0) + { + if (--argc < 1) goto bad; + chCAfile= *(++argv); + } + else if (strcmp(*argv,"-verifyCAfile") == 0) + { + if (--argc < 1) goto bad; + vfyCAfile= *(++argv); + } #ifndef OPENSSL_NO_TLSEXT # ifndef OPENSSL_NO_NEXTPROTONEG else if (strcmp(*argv,"-nextprotoneg") == 0) @@ -1157,6 +1179,13 @@ bad: goto end; } + if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile)) + { + BIO_printf(bio_err, "Error loading store locations\n"); + ERR_print_errors(bio_err); + goto end; + } + #ifndef OPENSSL_NO_ENGINE if (ssl_client_engine) { diff --git a/apps/s_server.c b/apps/s_server.c index f9e33e72c2..2fd2ec0738 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -216,9 +216,6 @@ static int generate_session_id(const SSL *ssl, unsigned char *id, unsigned int *id_len); static void init_session_cache_ctx(SSL_CTX *sctx); static void free_sessions(void); -static int ssl_load_stores(SSL_CTX *sctx, - const char *vfyCApath, const char *vfyCAfile, - const char *chCApath, const char *chCAfile); #ifndef OPENSSL_NO_DH static DH *load_dh_param(const char *dhfile); static DH *get_dh512(void); 
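Review bot: The new options `-chainCApath` and `-verifyCApath` are parsed in this hunk, and `-chainCAfile` / `-verifyCAfile` in the next, but nothing in the patch adds them to s_client's usage text, so they are undiscoverable from the help output; the usage list should gain lines in the existing style, e.g. ` -verifyCAfile arg - PEM format file of CAs used only to verify the peer` and ` -chainCAfile arg  - PEM format file of CAs used only to build our own chain`, plus the matching `CApath` entries. The later hunk that calls ssl_load_stores reports failure with a fixed message and ERR_print_errors, which is fine, but a one-line comment above the call noting that these stores are separate from -CAfile/-CApath and are loaded before the engine setup would help the next reader. MAIN starts and ends outside these hunks.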
@@ -1057,7 +1054,8 @@ int MAIN(int argc, char *argv[]) s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE; if (--argc < 1) goto bad; verify_depth=atoi(*(++argv)); - BIO_printf(bio_err,"verify depth is %d\n",verify_depth); + if (!s_quiet) + BIO_printf(bio_err,"verify depth is %d\n",verify_depth); } else if (strcmp(*argv,"-Verify") == 0) { @@ -1065,7 +1063,8 @@ int MAIN(int argc, char *argv[]) SSL_VERIFY_CLIENT_ONCE; if (--argc < 1) goto bad; verify_depth=atoi(*(++argv)); - BIO_printf(bio_err,"verify depth is %d, must return a certificate\n",verify_depth); + if (!s_quiet) + BIO_printf(bio_err,"verify depth is %d, must return a certificate\n",verify_depth); } else if (strcmp(*argv,"-context") == 0) { @@ -3399,42 +3398,3 @@ static void free_sessions(void) } first = NULL; } - -static int ssl_load_stores(SSL_CTX *sctx, - const char *vfyCApath, const char *vfyCAfile, - const char *chCApath, const char *chCAfile) - { - X509_STORE *vfy = NULL, *ch = NULL; - int rv = 0; - if (vfyCApath || vfyCAfile) - { - vfy = X509_STORE_new(); - if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath)) - goto err; - SSL_CTX_set1_verify_cert_store(ctx, vfy); - } - if (chCApath || chCAfile) - { - ch = X509_STORE_new(); - if (!X509_STORE_load_locations(ch, chCAfile, chCApath)) - goto err; - /*X509_STORE_set_verify_cb(ch, verify_callback);*/ - SSL_CTX_set1_chain_cert_store(ctx, ch); - } - rv = 1; - err: - if (vfy) - X509_STORE_free(vfy); - if (ch) - X509_STORE_free(ch); - return rv; - } - - - - - - - - - -- 2.25.1