X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_cb.c;h=ae15f554f446482f02042d016d8ecc665c3d15e2;hp=2c7fce5272f56f12ea583514e95cfaf1a41f9cbc;hb=0e1d6ecf37ea33ad963249cdb5efebeb04299033;hpb=42ef7aead2b310a183e53a4d336a6706395b5c17 diff --git a/apps/s_cb.c b/apps/s_cb.c index 2c7fce5272..ae15f554f4 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,9 +11,7 @@ #include #include #include /* for memcpy() and strcmp() */ -#define USE_SOCKETS #include "apps.h" -#undef USE_SOCKETS #include #include #include @@ -32,6 +30,7 @@ VERIFY_CB_ARGS verify_args = { 0, 0, X509_V_OK, 0 }; static unsigned char cookie_secret[COOKIE_SECRET_LENGTH]; static int cookie_initialized = 0; #endif +static BIO *bio_keylog = NULL; static const char *lookup(int val, const STRINT_PAIR* list, const char* def) { @@ -52,13 +51,14 @@ int verify_callback(int ok, X509_STORE_CTX *ctx) if (!verify_args.quiet || !ok) { BIO_printf(bio_err, "depth=%d ", depth); - if (err_cert) { + if (err_cert != NULL) { X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert), - 0, XN_FLAG_ONELINE); + 0, get_nameopt()); BIO_puts(bio_err, "\n"); - } else + } else { BIO_puts(bio_err, "\n"); + } } if (!ok) { BIO_printf(bio_err, "verify error:num=%d:%s\n", err, @@ -76,7 +76,7 @@ int verify_callback(int ok, X509_STORE_CTX *ctx) case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: BIO_puts(bio_err, "issuer= "); X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), - 0, XN_FLAG_ONELINE); + 0, get_nameopt()); BIO_puts(bio_err, "\n"); break; case X509_V_ERR_CERT_NOT_YET_VALID: @@ -100,7 +100,7 @@ int verify_callback(int ok, X509_STORE_CTX *ctx) policies_print(ctx); if (ok && !verify_args.quiet) BIO_printf(bio_err, "verify return:%d\n", ok); - return (ok); + return ok; } int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file) @@ -111,7 +111,7 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file) BIO_printf(bio_err, "unable to get certificate from '%s'\n", cert_file); ERR_print_errors(bio_err); - return (0); + return 0; } if (key_file == NULL) key_file = cert_file; @@ -119,7 +119,7 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file) BIO_printf(bio_err, "unable to get private key from '%s'\n", key_file); ERR_print_errors(bio_err); - return (0); + return 0; } /* @@ -134,10 +134,10 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file) if (!SSL_CTX_check_private_key(ctx)) { BIO_printf(bio_err, "Private key does not match the certificate public key\n"); - return (0); + return 0; } } - return (1); + return 1; } int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, @@ -205,7 +205,7 @@ static void ssl_print_client_cert_types(BIO *bio, SSL *s) if (i) BIO_puts(bio, ", "); - if (cname) + if (cname != NULL) BIO_puts(bio, cname); else BIO_printf(bio, "UNKNOWN (%d),", cert_type); @@ -228,6 +228,12 @@ static const char *get_sigtype(int nid) case EVP_PKEY_EC: return "ECDSA"; + case NID_ED25519: + return "Ed25519"; + + case NID_ED448: + return "Ed448"; + default: return NULL; } @@ -238,7 +244,7 @@ static int do_print_sigalgs(BIO *out, SSL *s, int shared) int i, nsig, client; client = SSL_is_server(s) ? 0 : 1; if (shared) - nsig = SSL_get_shared_sigalgs(s, -1, NULL, NULL, NULL, NULL, NULL); + nsig = SSL_get_shared_sigalgs(s, 0, NULL, NULL, NULL, NULL, NULL); else nsig = SSL_get_sigalgs(s, -1, NULL, NULL, NULL, NULL, NULL); if (nsig == 0) @@ -261,15 +267,15 @@ static int do_print_sigalgs(BIO *out, SSL *s, int shared) SSL_get_sigalgs(s, i, &sign_nid, &hash_nid, NULL, &rsign, &rhash); if (i) BIO_puts(out, ":"); - sstr= get_sigtype(sign_nid); + sstr = get_sigtype(sign_nid); if (sstr) - BIO_printf(out, "%s+", sstr); + BIO_printf(out, "%s", sstr); else - BIO_printf(out, "0x%02X+", (int)rsign); + BIO_printf(out, "0x%02X", (int)rsign); if (hash_nid != NID_undef) - BIO_printf(out, "%s", OBJ_nid2sn(hash_nid)); - else - BIO_printf(out, "0x%02X", (int)rhash); + BIO_printf(out, "+%s", OBJ_nid2sn(hash_nid)); + else if (sstr == NULL) + BIO_printf(out, "+0x%02X", (int)rhash); } BIO_puts(out, "\n"); return 1; @@ -282,10 +288,10 @@ int ssl_print_sigalgs(BIO *out, SSL *s) ssl_print_client_cert_types(out, s); do_print_sigalgs(out, s, 0); do_print_sigalgs(out, s, 1); - if (SSL_get_peer_signature_nid(s, &nid)) + if (SSL_get_peer_signature_nid(s, &nid) && nid != NID_undef) BIO_printf(out, "Peer signing digest: %s\n", OBJ_nid2sn(nid)); if (SSL_get_peer_signature_type_nid(s, &nid)) - BIO_printf(bio_err, "Peer signature type: %s\n", get_sigtype(nid)); + BIO_printf(out, "Peer signature type: %s\n", get_sigtype(nid)); return 1; } @@ -341,13 +347,13 @@ int ssl_print_groups(BIO *out, SSL *s, int noshared) BIO_puts(out, ":"); nid = groups[i]; /* If unrecognised print out hex version */ - if (nid & TLSEXT_nid_unknown) + if (nid & TLSEXT_nid_unknown) { BIO_printf(out, "0x%04X", nid & 0xFFFF); - else { + } else { /* TODO(TLS1.3): Get group name here */ /* Use NIST name for curve if it exists */ gname = EC_curve_nid2nist(nid); - if (!gname) + if (gname == NULL) gname = OBJ_nid2sn(nid); BIO_printf(out, "%s", gname); } @@ -365,7 +371,7 @@ int ssl_print_groups(BIO *out, SSL *s, int noshared) nid = SSL_get_shared_group(s, i); /* TODO(TLS1.3): Convert for DH groups */ gname = EC_curve_nid2nist(nid); - if (!gname) + if (gname == NULL) gname = OBJ_nid2sn(nid); BIO_printf(out, "%s", gname); } @@ -375,6 +381,7 @@ int ssl_print_groups(BIO *out, SSL *s, int noshared) return 1; } #endif + int ssl_print_tmp_key(BIO *out, SSL *s) { EVP_PKEY *key; @@ -398,7 +405,7 @@ int ssl_print_tmp_key(BIO *out, SSL *s) nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); EC_KEY_free(ec); cname = EC_curve_nid2nist(nid); - if (!cname) + if (cname == NULL) cname = OBJ_nid2sn(nid); BIO_printf(out, "ECDH, %s, %d bits\n", cname, EVP_PKEY_bits(key)); } @@ -419,19 +426,19 @@ long bio_dump_callback(BIO *bio, int cmd, const char *argp, out = (BIO *)BIO_get_callback_arg(bio); if (out == NULL) - return (ret); + return ret; if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) { BIO_printf(out, "read from %p [%p] (%lu bytes => %ld (0x%lX))\n", (void *)bio, (void *)argp, (unsigned long)argi, ret, ret); BIO_dump(out, argp, (int)ret); - return (ret); + return ret; } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) { BIO_printf(out, "write to %p [%p] (%lu bytes => %ld (0x%lX))\n", (void *)bio, (void *)argp, (unsigned long)argi, ret, ret); BIO_dump(out, argp, (int)ret); } - return (ret); + return ret; } void apps_ssl_info_callback(const SSL *s, int where, int ret) @@ -460,10 +467,9 @@ void apps_ssl_info_callback(const SSL *s, int where, int ret) if (ret == 0) BIO_printf(bio_err, "%s:failed in %s\n", str, SSL_state_string_long(s)); - else if (ret < 0) { + else if (ret < 0) BIO_printf(bio_err, "%s:error in %s\n", str, SSL_state_string_long(s)); - } } } @@ -477,8 +483,10 @@ static STRINT_PAIR ssl_versions[] = { {"DTLS 1.0 (bad)", DTLS1_BAD_VER}, {NULL} }; + static STRINT_PAIR alert_types[] = { {" close_notify", 0}, + {" end_of_early_data", 1}, {" unexpected_message", 10}, {" bad_record_mac", 20}, {" decryption_failed", 21}, @@ -499,33 +507,43 @@ static STRINT_PAIR alert_types[] = { {" protocol_version", 70}, {" insufficient_security", 71}, {" internal_error", 80}, + {" inappropriate_fallback", 86}, {" user_canceled", 90}, {" no_renegotiation", 100}, + {" missing_extension", 109}, {" unsupported_extension", 110}, {" certificate_unobtainable", 111}, {" unrecognized_name", 112}, {" bad_certificate_status_response", 113}, {" bad_certificate_hash_value", 114}, {" unknown_psk_identity", 115}, + {" certificate_required", 116}, {NULL} }; static STRINT_PAIR handshakes[] = { - {", HelloRequest", 0}, - {", ClientHello", 1}, - {", ServerHello", 2}, - {", HelloVerifyRequest", 3}, - {", NewSessionTicket", 4}, - {", Certificate", 11}, - {", ServerKeyExchange", 12}, - {", CertificateRequest", 13}, - {", ServerHelloDone", 14}, - {", CertificateVerify", 15}, - {", ClientKeyExchange", 16}, - {", Finished", 20}, + {", HelloRequest", SSL3_MT_HELLO_REQUEST}, + {", ClientHello", SSL3_MT_CLIENT_HELLO}, + {", ServerHello", SSL3_MT_SERVER_HELLO}, + {", HelloVerifyRequest", DTLS1_MT_HELLO_VERIFY_REQUEST}, + {", NewSessionTicket", SSL3_MT_NEWSESSION_TICKET}, + {", EndOfEarlyData", SSL3_MT_END_OF_EARLY_DATA}, + {", EncryptedExtensions", SSL3_MT_ENCRYPTED_EXTENSIONS}, + {", Certificate", SSL3_MT_CERTIFICATE}, + {", ServerKeyExchange", SSL3_MT_SERVER_KEY_EXCHANGE}, + {", CertificateRequest", SSL3_MT_CERTIFICATE_REQUEST}, + {", ServerHelloDone", SSL3_MT_SERVER_DONE}, + {", CertificateVerify", SSL3_MT_CERTIFICATE_VERIFY}, + {", ClientKeyExchange", SSL3_MT_CLIENT_KEY_EXCHANGE}, + {", Finished", SSL3_MT_FINISHED}, {", CertificateUrl", 21}, - {", CertificateStatus", 22}, + {", CertificateStatus", SSL3_MT_CERTIFICATE_STATUS}, {", SupplementalData", 23}, + {", KeyUpdate", SSL3_MT_KEY_UPDATE}, +#ifndef OPENSSL_NO_NEXTPROTONEG + {", NextProto", SSL3_MT_NEXT_PROTO}, +#endif + {", MessageHash", SSL3_MT_MESSAGE_HASH}, {NULL} }; @@ -546,10 +564,10 @@ void msg_cb(int write_p, int version, int content_type, const void *buf, version == DTLS1_VERSION || version == DTLS1_BAD_VER) { switch (content_type) { case 20: - str_content_type = "ChangeCipherSpec"; + str_content_type = ", ChangeCipherSpec"; break; case 21: - str_content_type = "Alert"; + str_content_type = ", Alert"; str_details1 = ", ???"; if (len == 2) { switch (bp[0]) { @@ -564,13 +582,13 @@ void msg_cb(int write_p, int version, int content_type, const void *buf, } break; case 22: - str_content_type = "Handshake"; + str_content_type = ", Handshake"; str_details1 = "???"; if (len > 0) str_details1 = lookup((int)bp[0], handshakes, "???"); break; case 23: - str_content_type = "ApplicationData"; + str_content_type = ", ApplicationData"; break; #ifndef OPENSSL_NO_HEARTBEATS case 24: @@ -646,6 +664,12 @@ static STRINT_PAIR tlsext_types[] = { #ifdef TLSEXT_TYPE_extended_master_secret {"extended master secret", TLSEXT_TYPE_extended_master_secret}, #endif + {"key share", TLSEXT_TYPE_key_share}, + {"supported versions", TLSEXT_TYPE_supported_versions}, + {"psk", TLSEXT_TYPE_psk}, + {"psk kex modes", TLSEXT_TYPE_psk_kex_modes}, + {"certificate authorities", TLSEXT_TYPE_certificate_authorities}, + {"post handshake auth", TLSEXT_TYPE_post_handshake_auth}, {NULL} }; @@ -666,9 +690,9 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len) { unsigned char *buffer; - size_t length; + size_t length = 0; unsigned short port; - BIO_ADDR *peer = NULL; + BIO_ADDR *lpeer = NULL, *peer = NULL; /* Initialize a random secret */ if (!cookie_initialized) { @@ -679,17 +703,24 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie, cookie_initialized = 1; } - peer = BIO_ADDR_new(); - if (peer == NULL) { - BIO_printf(bio_err, "memory full\n"); - return 0; - } + if (SSL_is_dtls(ssl)) { + lpeer = peer = BIO_ADDR_new(); + if (peer == NULL) { + BIO_printf(bio_err, "memory full\n"); + return 0; + } - /* Read peer information */ - (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), peer); + /* Read peer information */ + (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), peer); + } else { + peer = ourpeer; + } /* Create buffer with peer's address and port */ - BIO_ADDR_rawaddress(peer, NULL, &length); + if (!BIO_ADDR_rawaddress(peer, NULL, &length)) { + BIO_printf(bio_err, "Failed getting peer address\n"); + return 0; + } OPENSSL_assert(length != 0); port = BIO_ADDR_rawport(peer); length += sizeof(port); @@ -703,7 +734,7 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie, buffer, length, cookie, cookie_len); OPENSSL_free(buffer); - BIO_ADDR_free(peer); + BIO_ADDR_free(lpeer); return 1; } @@ -795,24 +826,24 @@ static int set_cert_cb(SSL *ssl, void *arg) #endif SSL_certs_clear(ssl); - if (!exc) + if (exc == NULL) return 1; /* * Go to end of list and traverse backwards since we prepend newer * entries this retains the original order. */ - while (exc->next) + while (exc->next != NULL) exc = exc->next; i = 0; - while (exc) { + while (exc != NULL) { i++; rv = SSL_check_chain(ssl, exc->cert, exc->key, exc->chain); BIO_printf(bio_err, "Checking cert chain %d:\nSubject: ", i); X509_NAME_print_ex(bio_err, X509_get_subject_name(exc->cert), 0, - XN_FLAG_ONELINE); + get_nameopt()); BIO_puts(bio_err, "\n"); print_chain_flags(ssl, rv); if (rv & CERT_PKEY_VALID) { @@ -828,8 +859,9 @@ static int set_cert_cb(SSL *ssl, void *arg) if (exc->build_chain) { if (!SSL_build_cert_chain(ssl, 0)) return 0; - } else if (exc->chain) + } else if (exc->chain != NULL) { SSL_set1_chain(ssl, exc->chain); + } } exc = exc->prev; } @@ -866,7 +898,7 @@ void ssl_excert_free(SSL_EXCERT *exc) { SSL_EXCERT *curr; - if (!exc) + if (exc == NULL) return; while (exc) { X509_free(exc->cert); @@ -881,33 +913,33 @@ void ssl_excert_free(SSL_EXCERT *exc) int load_excert(SSL_EXCERT **pexc) { SSL_EXCERT *exc = *pexc; - if (!exc) + if (exc == NULL) return 1; /* If nothing in list, free and set to NULL */ - if (!exc->certfile && !exc->next) { + if (exc->certfile == NULL && exc->next == NULL) { ssl_excert_free(exc); *pexc = NULL; return 1; } for (; exc; exc = exc->next) { - if (!exc->certfile) { + if (exc->certfile == NULL) { BIO_printf(bio_err, "Missing filename\n"); return 0; } exc->cert = load_cert(exc->certfile, exc->certform, "Server Certificate"); - if (!exc->cert) + if (exc->cert == NULL) return 0; - if (exc->keyfile) { + if (exc->keyfile != NULL) { exc->key = load_key(exc->keyfile, exc->keyform, 0, NULL, NULL, "Server Key"); } else { exc->key = load_key(exc->certfile, exc->certform, 0, NULL, NULL, "Server Key"); } - if (!exc->key) + if (exc->key == NULL) return 0; - if (exc->chainfile) { + if (exc->chainfile != NULL) { if (!load_certs(exc->chainfile, &exc->chain, FORMAT_PEM, NULL, "Server Chain")) return 0; @@ -939,21 +971,22 @@ int args_excert(int opt, SSL_EXCERT **pexc) case OPT_X__LAST: return 0; case OPT_X_CERT: - if (exc->certfile && !ssl_excert_prepend(&exc)) { + if (exc->certfile != NULL && !ssl_excert_prepend(&exc)) { BIO_printf(bio_err, "%s: Error adding xcert\n", opt_getprog()); goto err; } + *pexc = exc; exc->certfile = opt_arg(); break; case OPT_X_KEY: - if (exc->keyfile) { + if (exc->keyfile != NULL) { BIO_printf(bio_err, "%s: Key already specified\n", opt_getprog()); goto err; } exc->keyfile = opt_arg(); break; case OPT_X_CHAIN: - if (exc->chainfile) { + if (exc->chainfile != NULL) { BIO_printf(bio_err, "%s: Chain already specified\n", opt_getprog()); goto err; @@ -996,11 +1029,11 @@ static void print_raw_cipherlist(SSL *s) const SSL_CIPHER *c = SSL_CIPHER_find(s, rlist); if (i) BIO_puts(bio_err, ":"); - if (c) + if (c != NULL) { BIO_puts(bio_err, SSL_CIPHER_get_name(c)); - else if (!memcmp(rlist, scsv_id, num)) + } else if (memcmp(rlist, scsv_id, num) == 0) { BIO_puts(bio_err, "SCSV"); - else { + } else { size_t j; BIO_puts(bio_err, "0x"); for (j = 0; j < num; j++) @@ -1022,8 +1055,8 @@ static char *hexencode(const unsigned char *data, size_t len) int ilen = (int) outlen; if (outlen < len || ilen < 0 || outlen != (size_t)ilen) { - BIO_printf(bio_err, "%s: %" PRIu64 "-byte buffer too large to hexencode\n", - opt_getprog(), (uint64_t)len); + BIO_printf(bio_err, "%s: %zu-byte buffer too large to hexencode\n", + opt_getprog(), len); exit(1); } cp = out = app_malloc(ilen, "TLSA hex data buffer"); @@ -1088,7 +1121,6 @@ void print_ssl_summary(SSL *s) { const SSL_CIPHER *c; X509 *peer; - /* const char *pnam = SSL_is_server(s) ? "client" : "server"; */ BIO_printf(bio_err, "Protocol version: %s\n", SSL_get_version(s)); print_raw_cipherlist(s); @@ -1096,20 +1128,21 @@ void print_ssl_summary(SSL *s) BIO_printf(bio_err, "Ciphersuite: %s\n", SSL_CIPHER_get_name(c)); do_print_sigalgs(bio_err, s, 0); peer = SSL_get_peer_certificate(s); - if (peer) { + if (peer != NULL) { int nid; BIO_puts(bio_err, "Peer certificate: "); X509_NAME_print_ex(bio_err, X509_get_subject_name(peer), - 0, XN_FLAG_ONELINE); + 0, get_nameopt()); BIO_puts(bio_err, "\n"); if (SSL_get_peer_signature_nid(s, &nid)) BIO_printf(bio_err, "Hash used: %s\n", OBJ_nid2sn(nid)); if (SSL_get_peer_signature_type_nid(s, &nid)) BIO_printf(bio_err, "Signature type: %s\n", get_sigtype(nid)); print_verify_detail(s, bio_err); - } else + } else { BIO_puts(bio_err, "No peer certificate\n"); + } X509_free(peer); #ifndef OPENSSL_NO_EC ssl_print_point_formats(bio_err, s); @@ -1133,7 +1166,7 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, const char *flag = sk_OPENSSL_STRING_value(str, i); const char *arg = sk_OPENSSL_STRING_value(str, i + 1); if (SSL_CONF_cmd(cctx, flag, arg) <= 0) { - if (arg) + if (arg != NULL) BIO_printf(bio_err, "Error with command: \"%s %s\"\n", flag, arg); else @@ -1267,7 +1300,7 @@ static int security_callback_debug(const SSL *s, const SSL_CTX *ctx, cert_md = 1; break; } - if (nm) + if (nm != NULL) BIO_printf(sdb->out, "%s=", nm); switch (op & SSL_SECOP_OTHER_TYPE) { @@ -1355,3 +1388,68 @@ void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose) SSL_CTX_set_security_callback(ctx, security_callback_debug); SSL_CTX_set0_security_ex_data(ctx, &sdb); } + +static void keylog_callback(const SSL *ssl, const char *line) +{ + if (bio_keylog == NULL) { + BIO_printf(bio_err, "Keylog callback is invoked without valid file!\n"); + return; + } + + /* + * There might be concurrent writers to the keylog file, so we must ensure + * that the given line is written at once. + */ + BIO_printf(bio_keylog, "%s\n", line); + (void)BIO_flush(bio_keylog); +} + +int set_keylog_file(SSL_CTX *ctx, const char *keylog_file) +{ + /* Close any open files */ + BIO_free_all(bio_keylog); + bio_keylog = NULL; + + if (ctx == NULL || keylog_file == NULL) { + /* Keylogging is disabled, OK. */ + return 0; + } + + /* + * Append rather than write in order to allow concurrent modification. + * Furthermore, this preserves existing keylog files which is useful when + * the tool is run multiple times. + */ + bio_keylog = BIO_new_file(keylog_file, "a"); + if (bio_keylog == NULL) { + BIO_printf(bio_err, "Error writing keylog file %s\n", keylog_file); + return 1; + } + + /* Write a header for seekable, empty files (this excludes pipes). */ + if (BIO_tell(bio_keylog) == 0) { + BIO_puts(bio_keylog, + "# SSL/TLS secrets log file, generated by OpenSSL\n"); + (void)BIO_flush(bio_keylog); + } + SSL_CTX_set_keylog_callback(ctx, keylog_callback); + return 0; +} + +void print_ca_names(BIO *bio, SSL *s) +{ + const char *cs = SSL_is_server(s) ? "server" : "client"; + const STACK_OF(X509_NAME) *sk = SSL_get0_peer_CA_list(s); + int i; + + if (sk == NULL || sk_X509_NAME_num(sk) == 0) { + BIO_printf(bio, "---\nNo %s certificate CA names sent\n", cs); + return; + } + + BIO_printf(bio, "---\nAcceptable %s certificate CA names\n",cs); + for (i = 0; i < sk_X509_NAME_num(sk); i++) { + X509_NAME_print_ex(bio, sk_X509_NAME_value(sk, i), 0, get_nameopt()); + BIO_write(bio, "\n", 1); + } +}