Fix -verify_return_error in s_client

The "verify_return_error" option in s_client is documented as:

 Return verification errors instead of continuing. This will typically
 abort the handshake with a fatal error.

In practice this option was ignored unless also accompanied with the
"-verify" option. It's unclear what the original intention was. One fix
could have been to change the documentation to match the actual behaviour.
However it seems unecessarily complex and unexpected that you should need
to have both options. Instead the fix implemented here is make the option
match the documentation so that "-verify" is not also required.

Note that s_server has a similar option where "-verify" (or "-Verify") is
still required. This makes more sense because those options additionally
request a certificate from the client. Without a certificate there is no
possibility of a verification failing, and so "-verify_return_error" doing
nothing seems ok.

Fixes #8079

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/8080)

diff --git a/apps/s_cb.c b/apps/s_cb.c
index af57c34558684d4bc027d1471b63d5e4f7a316ab..705550b676b7ac1da95600300d0c7afd2f230317 100644 (file)
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -24,7 +24,7 @@
 
 #define COOKIE_SECRET_LENGTH    16
 
 
 #define COOKIE_SECRET_LENGTH    16
 

-VERIFY_CB_ARGS verify_args = { 0, 0, X509_V_OK, 0 };
+VERIFY_CB_ARGS verify_args = { -1, 0, X509_V_OK, 0 };

 
 #ifndef OPENSSL_NO_SOCK
 static unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
 
 #ifndef OPENSSL_NO_SOCK
 static unsigned char cookie_secret[COOKIE_SECRET_LENGTH];


@@ -63,7 +63,7 @@ int verify_callback(int ok, X509_STORE_CTX *ctx)
     if (!ok) {
         BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
                    X509_verify_cert_error_string(err));
     if (!ok) {
         BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
                    X509_verify_cert_error_string(err));

-        if (verify_args.depth >= depth) {
+        if (verify_args.depth < 0 || verify_args.depth >= depth) {

             if (!verify_args.return_error)
                 ok = 1;
             verify_args.error = err;
             if (!verify_args.return_error)
                 ok = 1;
             verify_args.error = err;

diff --git a/apps/s_client.c b/apps/s_client.c
index 2a8313d7f409323319e4f09286248c625f03f434..a30dff44cfc22452c2d9f45fc61b176f797e11f3 100644 (file)
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1138,6 +1138,7 @@ int s_client_main(int argc, char **argv)
                 goto opthelp;
             break;
         case OPT_VERIFY_RET_ERROR:
                 goto opthelp;
             break;
         case OPT_VERIFY_RET_ERROR:

+            verify = SSL_VERIFY_PEER;

             verify_args.return_error = 1;
             break;
         case OPT_VERIFY_QUIET:
             verify_args.return_error = 1;
             break;
         case OPT_VERIFY_QUIET: