projects / openssl.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 95ea531)
New option to add CRLs for s_client and s_server.
authorDr. Stephen Henson <steve@openssl.org>
Sun, 2 Dec 2012 16:16:28 +0000 (16:16 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Sun, 2 Dec 2012 16:16:28 +0000 (16:16 +0000)
CHANGES patch | blob | history
apps/apps.c patch | blob | history
apps/apps.h patch | blob | history
apps/crl.c patch | blob | history
apps/s_apps.h patch | blob | history
apps/s_cb.c patch | blob | history
apps/s_client.c patch | blob | history
apps/s_server.c patch | blob | history

diff --git a/CHANGES b/CHANGES
index 3f6afc8020233d839335ea5a2f2bf9f906fb2c07..a03aa4bbe33328795c9429be9b73e569d6de7919 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,9 @@
 
  Changes between 1.0.x and 1.1.0  [xx XXX xxxx]
 
 
  Changes between 1.0.x and 1.1.0  [xx XXX xxxx]
 
+  *) New options -CRL and -CRLform for s_client and s_server for CRLs.
+     [Steve Henson]
+
   *) Extend OCSP I/O functions so they can be used for simple general purpose
      HTTP as well as OCSP. New wrapper function which can be used to download
      CRLs using the OCSP API.
   *) Extend OCSP I/O functions so they can be used for simple general purpose
      HTTP as well as OCSP. New wrapper function which can be used to download
      CRLs using the OCSP API.
diff --git a/apps/apps.c b/apps/apps.c
index b36e51799bd00e6254764c23827dc8d04cd925cc..b378836066ad39d56950ea38601edb3486596dd9 100644 (file)
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -929,6 +929,55 @@ end:
        return(x);
        }
 
        return(x);
        }
 
+X509_CRL *load_crl(char *infile, int format)
+       {
+       X509_CRL *x=NULL;
+       BIO *in=NULL;
+
+       if (format == FORMAT_HTTP)
+               {
+               load_cert_crl_http(infile, bio_err, NULL, &x);
+               return x;
+               }
+
+       in=BIO_new(BIO_s_file());
+       if (in == NULL)
+               {
+               ERR_print_errors(bio_err);
+               goto end;
+               }
+
+       if (infile == NULL)
+               BIO_set_fp(in,stdin,BIO_NOCLOSE);
+       else
+               {
+               if (BIO_read_filename(in,infile) <= 0)
+                       {
+                       perror(infile);
+                       goto end;
+                       }
+               }
+       if      (format == FORMAT_ASN1)
+               x=d2i_X509_CRL_bio(in,NULL);
+       else if (format == FORMAT_PEM)
+               x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
+       else    {
+               BIO_printf(bio_err,"bad input format specified for input crl\n");
+               goto end;
+               }
+       if (x == NULL)
+               {
+               BIO_printf(bio_err,"unable to load CRL\n");
+               ERR_print_errors(bio_err);
+               goto end;
+               }
+       
+end:
+       BIO_free(in);
+       return(x);
+       }
+
+
 EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
        const char *pass, ENGINE *e, const char *key_descrip)
        {
 EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
        const char *pass, ENGINE *e, const char *key_descrip)
        {
diff --git a/apps/apps.h b/apps/apps.h
index 165e45562d9dde696a4a501371baf715d9956062..e9d21d545a4983e442d024d5a37d517800db75f7 100644 (file)
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -245,6 +245,7 @@ int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
 int add_oid_section(BIO *err, CONF *conf);
 X509 *load_cert(BIO *err, const char *file, int format,
        const char *pass, ENGINE *e, const char *cert_descrip);
 int add_oid_section(BIO *err, CONF *conf);
 X509 *load_cert(BIO *err, const char *file, int format,
        const char *pass, ENGINE *e, const char *cert_descrip);
+X509_CRL *load_crl(char *infile, int format);
 int load_cert_crl_http(const char *url, BIO *err,
                                        X509 **pcert, X509_CRL **pcrl);
 EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
 int load_cert_crl_http(const char *url, BIO *err,
                                        X509 **pcert, X509_CRL **pcrl);
 EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
diff --git a/apps/crl.c b/apps/crl.c
index 888cf7ff8d35bf59fdfe648f0903da1eaa59f133..fc12734052138f9034a464c80757e9c3f4e1a10b 100644 (file)
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -93,7 +93,6 @@ static const char *crl_usage[]={
 NULL
 };
 
 NULL
 };
 
-static X509_CRL *load_crl(char *file, int format);
 static BIO *bio_out=NULL;
 
 int MAIN(int, char **);
 static BIO *bio_out=NULL;
 
 int MAIN(int, char **);
@@ -401,52 +400,3 @@ end:
        apps_shutdown();
        OPENSSL_EXIT(ret);
        }
        apps_shutdown();
        OPENSSL_EXIT(ret);
        }
-
-static X509_CRL *load_crl(char *infile, int format)
-       {
-       X509_CRL *x=NULL;
-       BIO *in=NULL;
-
-       if (format == FORMAT_HTTP)
-               {
-               load_cert_crl_http(infile, bio_err, NULL, &x);
-               return x;
-               }
-
-       in=BIO_new(BIO_s_file());
-       if (in == NULL)
-               {
-               ERR_print_errors(bio_err);
-               goto end;
-               }
-
-       if (infile == NULL)
-               BIO_set_fp(in,stdin,BIO_NOCLOSE);
-       else
-               {
-               if (BIO_read_filename(in,infile) <= 0)
-                       {
-                       perror(infile);
-                       goto end;
-                       }
-               }
-       if      (format == FORMAT_ASN1)
-               x=d2i_X509_CRL_bio(in,NULL);
-       else if (format == FORMAT_PEM)
-               x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
-       else    {
-               BIO_printf(bio_err,"bad input format specified for input crl\n");
-               goto end;
-               }
-       if (x == NULL)
-               {
-               BIO_printf(bio_err,"unable to load CRL\n");
-               ERR_print_errors(bio_err);
-               goto end;
-               }
-       
-end:
-       BIO_free(in);
-       return(x);
-       }
-
diff --git a/apps/s_apps.h b/apps/s_apps.h
index 6aab0a60b591f4f62bc78f765ad2a6d747c55658..0a382419be6353c5028c0127843f4c3497b4cb50 100644 (file)
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -201,7 +201,9 @@ int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
                        int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);
 int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
                                STACK_OF(OPENSSL_STRING) *str, int no_ecdhe);
                        int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);
 int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
                                STACK_OF(OPENSSL_STRING) *str, int no_ecdhe);
+int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls);
 int ssl_load_stores(SSL_CTX *ctx,
                        const char *vfyCApath, const char *vfyCAfile,
 int ssl_load_stores(SSL_CTX *ctx,
                        const char *vfyCApath, const char *vfyCAfile,
-                       const char *chCApath, const char *chCAfile);
+                       const char *chCApath, const char *chCAfile,
+                       STACK_OF(X509_CRL) *crls);
 #endif
 #endif
diff --git a/apps/s_cb.c b/apps/s_cb.c
index 0759c8a7c9f8f0bbd2fb98e01da1c727733b7a03..e0289d41dd700fd4998595c3b4f8fa2b24ad2a64 100644 (file)
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -293,7 +293,6 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
                ERR_print_errors(bio_err);
                return 0;
                }
                ERR_print_errors(bio_err);
                return 0;
                }
-               
        return 1;
        }
 
        return 1;
        }
 
@@ -1670,9 +1669,36 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
        return 1;
        }
 
        return 1;
        }
 
+static int add_crls_store(X509_STORE *st, STACK_OF(X509_CRL) *crls)
+       {
+       X509_CRL *crl;
+       int i;
+       if (crls)
+               {
+               for (i = 0; i < sk_X509_CRL_num(crls); i++)
+                       {
+                       crl = sk_X509_CRL_value(crls, i);
+                       X509_STORE_add_crl(st, crl);
+                       }
+               }
+       return 1;
+       }
+
+int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls)
+       {
+       X509_STORE *st;
+       if (crls)
+               {
+               st = SSL_CTX_get_cert_store(ctx);
+               add_crls_store(st, crls);
+               }
+       return 1;
+       }
+
 int ssl_load_stores(SSL_CTX *ctx,
                        const char *vfyCApath, const char *vfyCAfile,
 int ssl_load_stores(SSL_CTX *ctx,
                        const char *vfyCApath, const char *vfyCAfile,
-                       const char *chCApath, const char *chCAfile)
+                       const char *chCApath, const char *chCAfile,
+                       STACK_OF(X509_CRL) *crls)
        {
        X509_STORE *vfy = NULL, *ch = NULL;
        int rv = 0;
        {
        X509_STORE *vfy = NULL, *ch = NULL;
        int rv = 0;
@@ -1681,6 +1707,7 @@ int ssl_load_stores(SSL_CTX *ctx,
                vfy = X509_STORE_new();
                if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
                        goto err;
                vfy = X509_STORE_new();
                if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
                        goto err;
+               add_crls_store(vfy, crls);
                SSL_CTX_set1_verify_cert_store(ctx, vfy);
                }
        if (chCApath || chCAfile)
                SSL_CTX_set1_verify_cert_store(ctx, vfy);
                }
        if (chCApath || chCAfile)
diff --git a/apps/s_client.c b/apps/s_client.c
index aebdeaca4126c9057ad3915a55f2df84d26d8e9c..1a8f8ac844d5d09f31c57a985be6db4599189987 100644 (file)
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -639,6 +639,10 @@ int MAIN(int argc, char **argv)
        SSL_CONF_CTX *cctx = NULL;
        STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
 
        SSL_CONF_CTX *cctx = NULL;
        STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
 
+       char *crl_file = NULL;
+       int crl_format = FORMAT_PEM;
+       STACK_OF(X509_CRL) *crls = NULL;
+
        meth=SSLv23_client_method();
 
        apps_startup();
        meth=SSLv23_client_method();
 
        apps_startup();
@@ -708,6 +712,11 @@ int MAIN(int argc, char **argv)
                        if (--argc < 1) goto bad;
                        cert_file= *(++argv);
                        }
                        if (--argc < 1) goto bad;
                        cert_file= *(++argv);
                        }
+               else if (strcmp(*argv,"-CRL") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crl_file= *(++argv);
+                       }
                else if (strcmp(*argv,"-sess_out") == 0)
                        {
                        if (--argc < 1) goto bad;
                else if (strcmp(*argv,"-sess_out") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -723,6 +732,11 @@ int MAIN(int argc, char **argv)
                        if (--argc < 1) goto bad;
                        cert_format = str2fmt(*(++argv));
                        }
                        if (--argc < 1) goto bad;
                        cert_format = str2fmt(*(++argv));
                        }
+               else if (strcmp(*argv,"-CRLform") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crl_format = str2fmt(*(++argv));
+                       }
                else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
                        {
                        if (badarg)
                else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
                        {
                        if (badarg)
@@ -1128,6 +1142,26 @@ bad:
                        }
                }
 
                        }
                }
 
+       if (crl_file)
+               {
+               X509_CRL *crl;
+               crl = load_crl(crl_file, crl_format);
+               if (!crl)
+                       {
+                       BIO_puts(bio_err, "Error loading CRL\n");
+                       ERR_print_errors(bio_err);
+                       goto end;
+                       }
+               crls = sk_X509_CRL_new_null();
+               if (!crls || !sk_X509_CRL_push(crls, crl))
+                       {
+                       BIO_puts(bio_err, "Error adding CRL\n");
+                       ERR_print_errors(bio_err);
+                       X509_CRL_free(crl);
+                       goto end;
+                       }
+               }
+
        if (!load_excert(&exc, bio_err))
                goto end;
 
        if (!load_excert(&exc, bio_err))
                goto end;
 
@@ -1179,7 +1213,7 @@ bad:
                goto end;
                }
 
                goto end;
                }
 
-       if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile))
+       if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, crls))
                {
                BIO_printf(bio_err, "Error loading store locations\n");
                ERR_print_errors(bio_err);
                {
                BIO_printf(bio_err, "Error loading store locations\n");
                ERR_print_errors(bio_err);
@@ -1241,6 +1275,8 @@ bad:
                /* goto end; */
                }
 
                /* goto end; */
                }
 
+       ssl_ctx_add_crls(ctx, crls);
+
        if (!set_cert_key_stuff(ctx,cert,key, NULL, build_chain))
                goto end;
 
        if (!set_cert_key_stuff(ctx,cert,key, NULL, build_chain))
                goto end;
 
@@ -1983,6 +2019,8 @@ end:
        if (ctx != NULL) SSL_CTX_free(ctx);
        if (cert)
                X509_free(cert);
        if (ctx != NULL) SSL_CTX_free(ctx);
        if (cert)
                X509_free(cert);
+       if (crls)
+               sk_X509_CRL_pop_free(crls, X509_CRL_free);
        if (key)
                EVP_PKEY_free(key);
        if (pass)
        if (key)
                EVP_PKEY_free(key);
        if (pass)
diff --git a/apps/s_server.c b/apps/s_server.c
index 6813fb794b6f00ec7076e6a500f8e781c62bd8cb..b9f6f30b0a7781d5a14aee37f89bc03d1bbb3d3e 100644 (file)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -999,6 +999,10 @@ int MAIN(int argc, char *argv[])
        SSL_CONF_CTX *cctx = NULL;
        STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
 
        SSL_CONF_CTX *cctx = NULL;
        STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
 
+       char *crl_file = NULL;
+       int crl_format = FORMAT_PEM;
+       STACK_OF(X509_CRL) *crls = NULL;
+
        meth=SSLv23_server_method();
 
        local_argc=argc;
        meth=SSLv23_server_method();
 
        local_argc=argc;
@@ -1077,6 +1081,11 @@ int MAIN(int argc, char *argv[])
                        if (--argc < 1) goto bad;
                        s_cert_file= *(++argv);
                        }
                        if (--argc < 1) goto bad;
                        s_cert_file= *(++argv);
                        }
+               else if (strcmp(*argv,"-CRL") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crl_file= *(++argv);
+                       }
 #ifndef OPENSSL_NO_TLSEXT
                else if (strcmp(*argv,"-authz") == 0)
                        {
 #ifndef OPENSSL_NO_TLSEXT
                else if (strcmp(*argv,"-authz") == 0)
                        {
@@ -1167,6 +1176,11 @@ int MAIN(int argc, char *argv[])
                        no_cache = 1;
                else if (strcmp(*argv,"-ext_cache") == 0)
                        ext_cache = 1;
                        no_cache = 1;
                else if (strcmp(*argv,"-ext_cache") == 0)
                        ext_cache = 1;
+               else if (strcmp(*argv,"-CRLform") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crl_format = str2fmt(*(++argv));
+                       }
                else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
                        {
                        if (badarg)
                else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
                        {
                        if (badarg)
@@ -1567,6 +1581,26 @@ bad:
                }
 #endif
 
                }
 #endif
 
+       if (crl_file)
+               {
+               X509_CRL *crl;
+               crl = load_crl(crl_file, crl_format);
+               if (!crl)
+                       {
+                       BIO_puts(bio_err, "Error loading CRL\n");
+                       ERR_print_errors(bio_err);
+                       goto end;
+                       }
+               crls = sk_X509_CRL_new_null();
+               if (!crls || !sk_X509_CRL_push(crls, crl))
+                       {
+                       BIO_puts(bio_err, "Error adding CRL\n");
+                       ERR_print_errors(bio_err);
+                       X509_CRL_free(crl);
+                       goto end;
+                       }
+               }
+
 
        if (s_dcert_file)
                {
 
        if (s_dcert_file)
                {
@@ -1702,10 +1736,12 @@ bad:
        if (vpm)
                SSL_CTX_set1_param(ctx, vpm);
 
        if (vpm)
                SSL_CTX_set1_param(ctx, vpm);
 
+       ssl_ctx_add_crls(ctx, crls);
+
        if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe))
                goto end;
 
        if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe))
                goto end;
 
-       if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile))
+       if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, crls))
                {
                BIO_printf(bio_err, "Error loading store locations\n");
                ERR_print_errors(bio_err);
                {
                BIO_printf(bio_err, "Error loading store locations\n");
                ERR_print_errors(bio_err);
@@ -1768,6 +1804,8 @@ bad:
                if (vpm)
                        SSL_CTX_set1_param(ctx2, vpm);
 
                if (vpm)
                        SSL_CTX_set1_param(ctx2, vpm);
 
+               ssl_ctx_add_crls(ctx2, crls);
+
                if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe))
                        goto end;
                }
                if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe))
                        goto end;
                }
@@ -1973,6 +2011,8 @@ end:
        if (ctx != NULL) SSL_CTX_free(ctx);
        if (s_cert)
                X509_free(s_cert);
        if (ctx != NULL) SSL_CTX_free(ctx);
        if (s_cert)
                X509_free(s_cert);
+       if (crls)
+               sk_X509_CRL_pop_free(crls, X509_CRL_free);
        if (s_dcert)
                X509_free(s_dcert);
        if (s_key)
        if (s_dcert)
                X509_free(s_dcert);
        if (s_key)
Unnamed repository; edit this file 'description' to name the repository.