From e318431e5408a341b582cf14159220a0d1346886 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Sun, 2 Dec 2012 16:16:28 +0000
Subject: [PATCH] New option to add CRLs for s_client and s_server.
---
 CHANGES | 3 +++
 apps/apps.c | 49 ++++++++++++++++++++++++++++++++++++++++++++++++
 apps/apps.h | 1 +
 apps/crl.c | 50 -------------------------------------------------
 apps/s_apps.h | 6 ++++--
 apps/s_cb.c | 31 ++++++++++++++++++++++++++++--
 apps/s_client.c | 39 +++++++++++++++++++++++++++++++++++++-
 apps/s_server.c | 44 ++++++++++++++++++++++++++++++++++++++++++++-
 8 files changed, 167 insertions(+), 56 deletions(-)
diff --git a/CHANGES b/CHANGES
index 34dc69b0f0..918fec366c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,9 @@
 Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]
+ *) New options -CRL and -CRLform for s_client and s_server for CRLs.
+ [Steve Henson]
+
 *) New function X509_CRL_diff to generate a delta CRL from the difference of two full CRLs. Add support to "crl" utility. [Steve Henson]
diff --git a/apps/apps.c b/apps/apps.c
index 391a4d10b5..3c6efbc7cb 100644
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -929,6 +929,55 @@ end:
 return(x);
 }
+X509_CRL *load_crl(char *infile, int format)
+ {
+ X509_CRL *x=NULL;
+ BIO *in=NULL;
+
+ if (format == FORMAT_HTTP)
+ {
+ load_cert_crl_http(infile, bio_err, NULL, &x);
+ return x;
+ }
+
+ in=BIO_new(BIO_s_file());
+ if (in == NULL)
+ {
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+ if (infile == NULL)
+ BIO_set_fp(in,stdin,BIO_NOCLOSE);
+ else
+ {
+ if (BIO_read_filename(in,infile) <= 0)
+ {
+ perror(infile);
+ goto end;
+ }
+ }
+ if (format == FORMAT_ASN1)
+ x=d2i_X509_CRL_bio(in,NULL);
+ else if (format == FORMAT_PEM)
+ x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
+ else {
+ BIO_printf(bio_err,"bad input format specified for input crl\n");
+ goto end;
+ }
+ if (x == NULL)
+ {
+ BIO_printf(bio_err,"unable to load CRL\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+
+end:
+ BIO_free(in);
+ return(x);
+ }
+
+
 EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin, const char *pass, ENGINE *e, const char *key_descrip)
 {
diff --git a/apps/apps.h b/apps/apps.h
index cc20466cf0..8a38fe70aa 100644
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -245,6 +245,7 @@ int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
 int add_oid_section(BIO *err, CONF *conf);
 X509 *load_cert(BIO *err, const char *file, int format, const char *pass, ENGINE *e, const char *cert_descrip);
+X509_CRL *load_crl(char *infile, int format);
 int load_cert_crl_http(const char *url, BIO *err, X509 **pcert, X509_CRL **pcrl);
 EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
diff --git a/apps/crl.c b/apps/crl.c
index 50e7d95a6f..3520c4cbb8 100644
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -93,7 +93,6 @@ static const char *crl_usage[]={
 NULL
 };
-static X509_CRL *load_crl(char *file, int format);
 static BIO *bio_out=NULL;
 int MAIN(int, char **);
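Review bot: load_crl takes a non-const `char *infile` and reports through the global bio_err, while the loaders it now sits beside (load_cert and load_key, visible in this hunk's context as `(BIO *err, const char *file, ...)`) take a const path and an explicit error BIO; infile is only ever read, so the definition here and the prototype in the apps.h hunk should at least read `X509_CRL *load_crl(const char *infile, int format)`. In the FORMAT_HTTP branch the return value of load_cert_crl_http() is discarded and `x` is handed back as-is, so a failed fetch yields NULL without the `unable to load CRL` reporting the file branches do; `if (!load_cert_crl_http(infile, bio_err, NULL, &x)) BIO_printf(bio_err, "unable to load CRL\n");` would make the two paths report alike (I cannot see from here whether load_cert_crl_http prints its own diagnostic). Nothing in this function checks the CRL's signature or its issuer, so a CRL fetched over plain HTTP is untrusted data at this point; callers must rely on X509_STORE verification and should not treat a non-NULL return as validation, which is worth a one-line comment above the HTTP branch.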
@@ -452,52 +451,3 @@ end:
 apps_shutdown();
 OPENSSL_EXIT(ret);
 }
-
-static X509_CRL *load_crl(char *infile, int format)
- {
- X509_CRL *x=NULL;
- BIO *in=NULL;
-
- if (format == FORMAT_HTTP)
- {
- load_cert_crl_http(infile, bio_err, NULL, &x);
- return x;
- }
-
- in=BIO_new(BIO_s_file());
- if (in == NULL)
- {
- ERR_print_errors(bio_err);
- goto end;
- }
-
- if (infile == NULL)
- BIO_set_fp(in,stdin,BIO_NOCLOSE);
- else
- {
- if (BIO_read_filename(in,infile) <= 0)
- {
- perror(infile);
- goto end;
- }
- }
- if (format == FORMAT_ASN1)
- x=d2i_X509_CRL_bio(in,NULL);
- else if (format == FORMAT_PEM)
- x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
- else {
- BIO_printf(bio_err,"bad input format specified for input crl\n");
- goto end;
- }
- if (x == NULL)
- {
- BIO_printf(bio_err,"unable to load CRL\n");
- ERR_print_errors(bio_err);
- goto end;
- }
-
-end:
- BIO_free(in);
- return(x);
- }
-
diff --git a/apps/s_apps.h b/apps/s_apps.h
index 9bc61cea3a..92bb4949f9 100644
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -196,7 +196,9 @@ int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
 int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);
 int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake);
-int ssl_load_stores(SSL_CTX *sctx,
+int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls);
+int ssl_load_stores(SSL_CTX *ctx,
 const char *vfyCApath, const char *vfyCAfile,
- const char *chCApath, const char *chCAfile);
+ const char *chCApath, const char *chCAfile,
+ STACK_OF(X509_CRL) *crls);
 #endif
diff --git a/apps/s_cb.c b/apps/s_cb.c
index c876adf3e9..710c99d076 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -288,7 +288,6 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
 ERR_print_errors(bio_err);
 return 0;
 }
-
 return 1;
 }
@@ -1600,9 +1599,36 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
 return 1;
 }
+static int add_crls_store(X509_STORE *st, STACK_OF(X509_CRL) *crls)
+ {
+ X509_CRL *crl;
+ int i;
+ if (crls)
+ {
+ for (i = 0; i < sk_X509_CRL_num(crls); i++)
+ {
+ crl = sk_X509_CRL_value(crls, i);
+ X509_STORE_add_crl(st, crl);
+ }
+ }
+ return 1;
+ }
+
+int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls)
+ {
+ X509_STORE *st;
+ if (crls)
+ {
+ st = SSL_CTX_get_cert_store(ctx);
+ add_crls_store(st, crls);
+ }
+ return 1;
+ }
+
 int ssl_load_stores(SSL_CTX *ctx,
 const char *vfyCApath, const char *vfyCAfile,
- const char *chCApath, const char *chCAfile)
+ const char *chCApath, const char *chCAfile,
+ STACK_OF(X509_CRL) *crls)
 {
 X509_STORE *vfy = NULL, *ch = NULL;
 int rv = 0;
@@ -1611,6 +1637,7 @@ int ssl_load_stores(SSL_CTX *ctx,
 vfy = X509_STORE_new();
 if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
 goto err;
+ add_crls_store(vfy, crls);
 SSL_CTX_set1_verify_cert_store(ctx, vfy);
 }
 if (chCApath || chCAfile)
diff --git a/apps/s_client.c b/apps/s_client.c
index 1be3028cfc..edd06fc02b 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -636,6 +636,10 @@ static char *jpake_secret = NULL;
 SSL_CONF_CTX *cctx = NULL;
 STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
+ char *crl_file = NULL;
+ int crl_format = FORMAT_PEM;
+ STACK_OF(X509_CRL) *crls = NULL;
+
 meth=SSLv23_client_method();
 apps_startup();
@@ -705,6 +709,11 @@ static char *jpake_secret = NULL;
 if (--argc < 1) goto bad;
 cert_file= *(++argv);
 }
+ else if (strcmp(*argv,"-CRL") == 0)
+ {
+ if (--argc < 1) goto bad;
+ crl_file= *(++argv);
+ }
 else if (strcmp(*argv,"-sess_out") == 0)
 {
 if (--argc < 1) goto bad;
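Review bot: add_crls_store ignores the return value of X509_STORE_add_crl() and both it and ssl_ctx_add_crls unconditionally return 1, so a CRL that fails to be added (out of memory, or in this OpenSSL version a CRL already present in the store) is dropped silently while the caller believes revocation data is in place; the same unchecked call is made on `vfy` in the second hunk. Both functions are declared `int`, so the fix is to propagate the failure and, in ssl_load_stores, to `goto err` like the X509_STORE_load_locations() call just above it (ssl_load_stores continues outside the hunk). The calls to ssl_ctx_add_crls in s_client.c and s_server.c further down this patch also discard the result and would need a `goto end` on failure.
```c
/* … unchanged: add_crls_store head and loop … */
			crl = sk_X509_CRL_value(crls, i);
			/* X509_STORE_add_crl() returns 0 on failure; report it rather
			 * than carry on as if the CRL were available to the verifier. */
			if (!X509_STORE_add_crl(st, crl))
				return 0;
/* … unchanged: closing braces, return 1 … */

int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls)
	{
	if (!crls)
		return 1;
	return add_crls_store(SSL_CTX_get_cert_store(ctx), crls);
	}

/* … unchanged: ssl_load_stores up to X509_STORE_load_locations() … */
	if (!add_crls_store(vfy, crls))
		goto err;
```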
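Review bot: `-CRL` can effectively be given only once: a repeated occurrence overwrites `crl_file` here, even though the value is later pushed onto a STACK_OF(X509_CRL) that could hold several, so a user supplying one CRL per issuing CA silently ends up with only the last one. Either accumulate the paths (push onto a STACK_OF(OPENSSL_STRING) here and walk it in the loading block) or refuse the repeat with `if (crl_file) goto bad;` before the assignment. The option also gets no help text: the s_client.c diffstat (38 insertions, 1 deletion) is fully accounted for by the hunks in this patch, so sc_usage() is untouched; a line such as `BIO_printf(bio_err," -CRL arg      - CRL to add to the verify store (needs -crl_check)\n");` belongs next to the `-cert` entry. The option loop continues outside this hunk.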
@@ -720,6 +729,11 @@ static char *jpake_secret = NULL;
 if (--argc < 1) goto bad;
 cert_format = str2fmt(*(++argv));
 }
+ else if (strcmp(*argv,"-CRLform") == 0)
+ {
+ if (--argc < 1) goto bad;
+ crl_format = str2fmt(*(++argv));
+ }
 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
 {
 if (badarg)
@@ -1108,6 +1122,26 @@ bad:
 goto end;
 }
+ if (crl_file)
+ {
+ X509_CRL *crl;
+ crl = load_crl(crl_file, crl_format);
+ if (!crl)
+ {
+ BIO_puts(bio_err, "Error loading CRL\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ crls = sk_X509_CRL_new_null();
+ if (!crls || !sk_X509_CRL_push(crls, crl))
+ {
+ BIO_puts(bio_err, "Error adding CRL\n");
+ ERR_print_errors(bio_err);
+ X509_CRL_free(crl);
+ goto end;
+ }
+ }
+
 if (!load_excert(&exc, bio_err))
 goto end;
@@ -1159,7 +1193,7 @@ bad:
 goto end;
 }
- if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile))
+ if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, crls))
 {
 BIO_printf(bio_err, "Error loading store locations\n");
 ERR_print_errors(bio_err);
@@ -1221,6 +1255,7 @@ bad:
 /* goto end; */
 }
+ ssl_ctx_add_crls(ctx, crls);
 if (!set_cert_key_stuff(ctx,cert,key,chain,build_chain))
 goto end;
@@ -1955,6 +1990,8 @@ end:
 if (ctx != NULL) SSL_CTX_free(ctx);
 if (cert)
 X509_free(cert);
+ if (crls)
+ sk_X509_CRL_pop_free(crls, X509_CRL_free);
 if (key)
 EVP_PKEY_free(key);
 if (chain)
diff --git a/apps/s_server.c b/apps/s_server.c
index 2b8754bbf5..acc124538a 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -986,6 +986,11 @@ int MAIN(int argc, char *argv[])
 SSL_EXCERT *exc = NULL;
 SSL_CONF_CTX *cctx = NULL;
 STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
+
+ char *crl_file = NULL;
+ int crl_format = FORMAT_PEM;
+ STACK_OF(X509_CRL) *crls = NULL;
+
 meth=SSLv23_server_method();
 local_argc=argc;
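Review bot: Loading the CRL into the stores does not by itself turn on revocation checking: nothing in this patch sets X509_V_FLAG_CRL_CHECK, so unless the user also passes `-crl_check` (which args_verify, called in the option loop above, translates into that flag in vpm), the CRL added in this block is never consulted and a server certificate listed in it still verifies. A user who bothers to pass `-CRL` almost certainly expects enforcement, so I would state this next to the block, `/* Only consulted when CRL checking is enabled (-crl_check / -crl_check_all) */`, and consider warning when the flag is missing, e.g. `if (crls && !(vpm && (X509_VERIFY_PARAM_get_flags(vpm) & X509_V_FLAG_CRL_CHECK))) BIO_puts(bio_err, "Warning: -CRL given but CRL checking is not enabled (see -crl_check)\n");` placed after vpm is final. The `ssl_ctx_add_crls(ctx, crls);` call in the later hunk also discards an int result; if that function is made to report failures it needs a `goto end`. MAIN continues outside this hunk.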
@@ -1051,6 +1056,11 @@ int MAIN(int argc, char *argv[])
 if (--argc < 1) goto bad;
 s_cert_file= *(++argv);
 }
+ else if (strcmp(*argv,"-CRL") == 0)
+ {
+ if (--argc < 1) goto bad;
+ crl_file= *(++argv);
+ }
 #ifndef OPENSSL_NO_TLSEXT
 else if (strcmp(*argv,"-authz") == 0)
 {
@@ -1146,6 +1156,11 @@ int MAIN(int argc, char *argv[])
 }
 else if (strcmp(*argv,"-no_cache") == 0)
 no_cache = 1;
+ else if (strcmp(*argv,"-CRLform") == 0)
+ {
+ if (--argc < 1) goto bad;
+ crl_format = str2fmt(*(++argv));
+ }
 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
 {
 if (badarg)
@@ -1508,6 +1523,26 @@ bad:
 }
 #endif
+ if (crl_file)
+ {
+ X509_CRL *crl;
+ crl = load_crl(crl_file, crl_format);
+ if (!crl)
+ {
+ BIO_puts(bio_err, "Error loading CRL\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ crls = sk_X509_CRL_new_null();
+ if (!crls || !sk_X509_CRL_push(crls, crl))
+ {
+ BIO_puts(bio_err, "Error adding CRL\n");
+ ERR_print_errors(bio_err);
+ X509_CRL_free(crl);
+ goto end;
+ }
+ }
+
 if (s_dcert_file)
 {
@@ -1641,10 +1676,12 @@ bad:
 if (vpm)
 SSL_CTX_set1_param(ctx, vpm);
+ ssl_ctx_add_crls(ctx, crls);
+
 if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe, no_jpake))
 goto end;
- if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile))
+ if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, crls))
 {
 BIO_printf(bio_err, "Error loading store locations\n");
 ERR_print_errors(bio_err);
@@ -1705,8 +1742,11 @@ bad:
 if (vpm)
 SSL_CTX_set1_param(ctx2, vpm);
+ ssl_ctx_add_crls(ctx2, crls);
+
 if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe, no_jpake))
 goto end;
+
 }
 # ifndef OPENSSL_NO_NEXTPROTONEG
@@ -1968,6 +2008,8 @@ end:
 if (ctx != NULL) SSL_CTX_free(ctx);
 if (s_cert) X509_free(s_cert);
+ if (crls)
+ sk_X509_CRL_pop_free(crls, X509_CRL_free);
 if (s_dcert) X509_free(s_dcert);
 if (s_key)
--
2.25.1
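Review bot: The 20-line CRL loading block in the `@@ -1508,6 +1523,26 @@` hunk is byte-for-byte the one added to s_client.c in this patch; with load_crl now in apps.c, a single helper there (say `STACK_OF(X509_CRL) *load_crls(const char *file, int format)` that returns a one-element stack, or NULL after printing the two diagnostics) would stop the two programs drifting and make it easy to accept more than one `-CRL` later. As on the client side, the CRL is only consulted if the user also enables CRL checking through args_verify (`-crl_check`), and on a server only when client authentication is requested with `-verify`/`-Verify`; a comment saying so on this block, and sv_usage() entries for `-CRL` and `-CRLform` (the s_server.c diffstat of 43 insertions and 1 deletion is fully covered by these hunks, so the usage text is untouched), would keep users from assuming revocation is enforced. MAIN continues outside this hunk.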