Fix for EXP-RC2-CBC-MD5

[openssl.git] / apps / s_cb.c

diff --git a/apps/s_cb.c b/apps/s_cb.c
index 0759c8a7c9f8f0bbd2fb98e01da1c727733b7a03..65c3dae0a29b0f1f8068df7cc4c762a7840db8ad 100644 (file)
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -190,7 +190,8 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
                BIO_printf(bio_err,"\n");
                break;
        case X509_V_ERR_NO_EXPLICIT_POLICY:
-               policies_print(bio_err, ctx);
+               if (!verify_quiet)
+                       policies_print(bio_err, ctx);
                break;
                }
        if (err == X509_V_OK && ok == 2 && !verify_quiet)
@@ -293,7 +294,6 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
                ERR_print_errors(bio_err);
                return 0;
                }
-               
        return 1;
        }
 
@@ -1572,20 +1572,6 @@ void print_ssl_summary(BIO *bio, SSL *s)
                ssl_print_tmp_key(bio, s);
        }
 
-void print_ssl_cert_checks(BIO *bio, SSL *s,
-                               const unsigned char *checkhost,
-                               const unsigned char *checkemail,
-                               const char *checkip)
-       {
-       X509 *peer;
-       peer = SSL_get_peer_certificate(s);
-       if (peer)
-               {
-               print_cert_checks(bio, peer, checkhost, checkemail, checkip);
-               X509_free(peer);
-               }
-       }
-
 int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
                        int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr)
        {
@@ -1633,7 +1619,7 @@ int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
        }
 
 int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
-                               STACK_OF(OPENSSL_STRING) *str, int no_ecdhe)
+               STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake)
        {
        int i;
        SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
@@ -1646,6 +1632,13 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
                 */
                if (!no_ecdhe && !strcmp(param, "-named_curve"))
                        no_ecdhe = 1;
+#ifndef OPENSSL_NO_JPAKE
+               if (!no_jpake && !strcmp(param, "-cipher"))
+                       {
+                       BIO_puts(err, "JPAKE sets cipher to PSK\n");
+                       return 0;
+                       }
+#endif
                if (SSL_CONF_cmd(cctx, param, value) <= 0)
                        {
                        BIO_printf(err, "Error with command: \"%s %s\"\n",
@@ -1667,12 +1660,46 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
                        return 0;
                        }
                }
+#ifndef OPENSSL_NO_JPAKE
+       if (!no_jpake)
+               {
+               if (SSL_CONF_cmd(cctx, "-cipher", "PSK") <= 0)
+                       {
+                       BIO_puts(err, "Error setting cipher to PSK\n");
+                       ERR_print_errors(err);
+                       return 0;
+                       }
+               }
+#endif
+       return 1;
+       }
+
+static int add_crls_store(X509_STORE *st, STACK_OF(X509_CRL) *crls)
+       {
+       X509_CRL *crl;
+       int i;
+       for (i = 0; i < sk_X509_CRL_num(crls); i++)
+               {
+               crl = sk_X509_CRL_value(crls, i);
+               X509_STORE_add_crl(st, crl);
+               }
+       return 1;
+       }
+
+int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, int crl_download)
+       {
+       X509_STORE *st;
+       st = SSL_CTX_get_cert_store(ctx);
+       add_crls_store(st, crls);
+       if (crl_download)
+               store_setup_crl_download(st);
        return 1;
        }
 
 int ssl_load_stores(SSL_CTX *ctx,
                        const char *vfyCApath, const char *vfyCAfile,
-                       const char *chCApath, const char *chCAfile)
+                       const char *chCApath, const char *chCAfile,
+                       STACK_OF(X509_CRL) *crls, int crl_download)
        {
        X509_STORE *vfy = NULL, *ch = NULL;
        int rv = 0;
@@ -1681,7 +1708,10 @@ int ssl_load_stores(SSL_CTX *ctx,
                vfy = X509_STORE_new();
                if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
                        goto err;
+               add_crls_store(vfy, crls);
                SSL_CTX_set1_verify_cert_store(ctx, vfy);
+               if (crl_download)
+                       store_setup_crl_download(vfy);
                }
        if (chCApath || chCAfile)
                {