projects / openssl.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Add -brief option to s_client and s_server to summarise connection details.
[openssl.git] / apps / s_server.c
diff --git a/apps/s_server.c b/apps/s_server.c
index bb791e08e7125912c75bb85a5179a8d80686d2f1..002de84380a7c64948013e13abf7fcf09a41ad39 100644 (file)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -215,6 +215,9 @@ static int generate_session_id(const SSL *ssl, unsigned char *id,
                                unsigned int *id_len);
 static void init_session_cache_ctx(SSL_CTX *sctx);
 static void free_sessions(void);
+static int ssl_load_stores(SSL_CTX *sctx,
+                       const char *vfyCApath, const char *vfyCAfile,
+                       const char *chCApath, const char *chCAfile);
 #ifndef OPENSSL_NO_DH
 static DH *load_dh_param(const char *dhfile);
 static DH *get_dh512(void);
@@ -265,7 +268,7 @@ static int accept_socket= -1;
 #undef PROG
 #define PROG           s_server_main
 
-extern int verify_depth, verify_return_error;
+extern int verify_depth, verify_return_error, verify_quiet;
 
 static char *cipher=NULL;
 static int s_server_verify=SSL_VERIFY_NONE;
@@ -274,6 +277,8 @@ static const char *s_cert_file=TEST_CERT,*s_key_file=NULL, *s_chain_file=NULL;
 #ifndef OPENSSL_NO_TLSEXT
 static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL;
 static char *curves=NULL;
+static char *sigalgs=NULL;
+static char *client_sigalgs=NULL;
 #endif
 static char *s_dcert_file=NULL,*s_dkey_file=NULL, *s_dchain_file=NULL;
 #ifdef FIONBIO
@@ -288,6 +293,7 @@ static SSL_CTX *ctx2=NULL;
 static int www=0;
 
 static BIO *bio_s_out=NULL;
+static BIO *bio_s_msg = NULL;
 static int s_debug=0;
 #ifndef OPENSSL_NO_TLSEXT
 static int s_tlsextdebug=0;
@@ -297,6 +303,7 @@ static int cert_status_cb(SSL *s, void *arg);
 static int no_resume_ephemeral = 0;
 static int s_msg=0;
 static int s_quiet=0;
+static int s_brief=0;
 
 static char *keymatexportlabel=NULL;
 static int keymatexportlen=20;
@@ -313,6 +320,10 @@ static long socket_mtu;
 static int cert_chain = 0;
 #endif
 
+#ifndef OPENSSL_NO_TLSEXT
+static BIO *authz_in = NULL;
+static const char *s_authz_file = NULL;
+#endif
 
 #ifndef OPENSSL_NO_PSK
 static char *psk_identity="Client_identity";
@@ -456,6 +467,7 @@ static void s_server_init(void)
        s_debug=0;
        s_msg=0;
        s_quiet=0;
+       s_brief=0;
        hack=0;
 #ifndef OPENSSL_NO_ENGINE
        engine_id=NULL;
@@ -473,6 +485,7 @@ static void sv_usage(void)
        BIO_printf(bio_err," -Verify arg   - turn on peer certificate verification, must have a cert.\n");
        BIO_printf(bio_err," -cert arg     - certificate file to use\n");
        BIO_printf(bio_err,"                 (default is %s)\n",TEST_CERT);
+       BIO_printf(bio_err," -authz arg   -  binary authz file for certificate\n");
        BIO_printf(bio_err," -crl_check    - check the peer certificate has not been revoked by its CA.\n" \
                           "                 The CRL(s) are appended to the certificate file\n");
        BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \
@@ -919,7 +932,7 @@ static int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len,
 
        return SSL_TLSEXT_ERR_OK;
        }
-# endif  /* ndef OPENSSL_NO_NPN */
+# endif  /* ndef OPENSSL_NO_NEXTPROTONEG */
 #endif
 
 static int not_resumable_sess_cb(SSL *s, int is_forward_secure)
@@ -944,6 +957,8 @@ int MAIN(int argc, char *argv[])
        int badarg = 0;
        short port=PORT;
        char *CApath=NULL,*CAfile=NULL;
+       char *chCApath=NULL,*chCAfile=NULL;
+       char *vfyCApath=NULL,*vfyCAfile=NULL;
        unsigned char *context = NULL;
        char *dhfile = NULL;
 #ifndef OPENSSL_NO_ECDH
@@ -952,6 +967,8 @@ int MAIN(int argc, char *argv[])
        int badop=0,bugs=0;
        int ret=1;
        int off=0;
+       unsigned int cert_flags = 0;
+       int build_chain = 0;
        int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0;
        int state=0;
        const SSL_METHOD *meth=NULL;
@@ -969,8 +986,6 @@ int MAIN(int argc, char *argv[])
 #ifndef OPENSSL_NO_TLSEXT
        EVP_PKEY *s_key2 = NULL;
        X509 *s_cert2 = NULL;
-#endif
-#ifndef OPENSSL_NO_TLSEXT
         tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
 # ifndef OPENSSL_NO_NEXTPROTONEG
        const char *next_proto_neg_in = NULL;
@@ -985,6 +1000,7 @@ int MAIN(int argc, char *argv[])
        char *srpuserseed = NULL;
        char *srp_verifier_file = NULL;
 #endif
+       SSL_EXCERT *exc = NULL;
        meth=SSLv23_server_method();
 
        local_argc=argc;
@@ -1044,6 +1060,13 @@ int MAIN(int argc, char *argv[])
                        if (--argc < 1) goto bad;
                        s_cert_file= *(++argv);
                        }
+#ifndef OPENSSL_NO_TLSEXT
+               else if (strcmp(*argv,"-authz") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       s_authz_file = *(++argv);
+                       }
+#endif
                else if (strcmp(*argv,"-certform") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -1120,6 +1143,16 @@ int MAIN(int argc, char *argv[])
                        if (--argc < 1) goto bad;
                        CApath= *(++argv);
                        }
+               else if (strcmp(*argv,"-chainCApath") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       chCApath= *(++argv);
+                       }
+               else if (strcmp(*argv,"-verifyCApath") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       vfyCApath= *(++argv);
+                       }
                else if (strcmp(*argv,"-no_cache") == 0)
                        no_cache = 1;
                else if (strcmp(*argv,"-ext_cache") == 0)
@@ -1130,8 +1163,16 @@ int MAIN(int argc, char *argv[])
                                goto bad;
                        continue;
                        }
+               else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
+                       {
+                       if (badarg)
+                               goto bad;
+                       continue;
+                       }
                else if (strcmp(*argv,"-verify_return_error") == 0)
                        verify_return_error = 1;
+               else if (strcmp(*argv,"-verify_quiet") == 0)
+                       verify_quiet = 1;
                else if (strcmp(*argv,"-serverpref") == 0)
                        { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
                else if (strcmp(*argv,"-legacy_renegotiation") == 0)
@@ -1141,11 +1182,23 @@ int MAIN(int argc, char *argv[])
                        if (--argc < 1) goto bad;
                        cipher= *(++argv);
                        }
+               else if (strcmp(*argv,"-build_chain") == 0)
+                       build_chain = 1;
                else if (strcmp(*argv,"-CAfile") == 0)
                        {
                        if (--argc < 1) goto bad;
                        CAfile= *(++argv);
                        }
+               else if (strcmp(*argv,"-chainCAfile") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       chCAfile= *(++argv);
+                       }
+               else if (strcmp(*argv,"-verifyCAfile") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       vfyCAfile= *(++argv);
+                       }
 #ifdef FIONBIO 
                else if (strcmp(*argv,"-nbio") == 0)
                        { s_nbio=1; }
@@ -1194,9 +1247,28 @@ int MAIN(int argc, char *argv[])
                        if (--argc < 1) goto bad;
                        curves= *(++argv);
                        }
+               else if (strcmp(*argv,"-sigalgs") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       sigalgs= *(++argv);
+                       }
+               else if (strcmp(*argv,"-client_sigalgs") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       client_sigalgs= *(++argv);
+                       }
 #endif
                else if (strcmp(*argv,"-msg") == 0)
                        { s_msg=1; }
+               else if (strcmp(*argv,"-msgfile") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       bio_s_msg = BIO_new_file(*(++argv), "w");
+                       }
+#ifndef OPENSSL_NO_SSL_TRACE
+               else if (strcmp(*argv,"-trace") == 0)
+                       { s_msg=2; }
+#endif
                else if (strcmp(*argv,"-hack") == 0)
                        { hack=1; }
                else if (strcmp(*argv,"-state") == 0)
@@ -1205,6 +1277,12 @@ int MAIN(int argc, char *argv[])
                        { s_crlf=1; }
                else if (strcmp(*argv,"-quiet") == 0)
                        { s_quiet=1; }
+               else if (strcmp(*argv,"-brief") == 0)
+                       {
+                       s_quiet=1;
+                       s_brief=1;
+                       verify_quiet=1;
+                       }
                else if (strcmp(*argv,"-bugs") == 0)
                        { bugs=1; }
                else if (strcmp(*argv,"-no_tmp_rsa") == 0)
@@ -1260,12 +1338,12 @@ int MAIN(int argc, char *argv[])
                        { off|=SSL_OP_NO_SSLv2; }
                else if (strcmp(*argv,"-no_ssl3") == 0)
                        { off|=SSL_OP_NO_SSLv3; }
-               else if (strcmp(*argv,"-no_tls1_2") == 0)
-                       { off|=SSL_OP_NO_TLSv1_2; }
-               else if (strcmp(*argv,"-no_tls1_1") == 0)
-                       { off|=SSL_OP_NO_TLSv1_1; }
                else if (strcmp(*argv,"-no_tls1") == 0)
                        { off|=SSL_OP_NO_TLSv1; }
+               else if (strcmp(*argv,"-no_tls1_1") == 0)
+                       { off|=SSL_OP_NO_TLSv1_1; }
+               else if (strcmp(*argv,"-no_tls1_2") == 0)
+                       { off|=SSL_OP_NO_TLSv1_2; }
                else if (strcmp(*argv,"-no_comp") == 0)
                        { off|=SSL_OP_NO_COMPRESSION; }
 #ifndef OPENSSL_NO_TLSEXT
@@ -1281,14 +1359,12 @@ int MAIN(int argc, char *argv[])
                        { meth=SSLv3_server_method(); }
 #endif
 #ifndef OPENSSL_NO_TLS1
-               else if (strcmp(*argv,"-tls1_2") == 0)
-                       { meth=TLSv1_2_server_method(); }
-               else if (strcmp(*argv,"-tls1_1") == 0)
-                       { meth=TLSv1_1_server_method(); }
                else if (strcmp(*argv,"-tls1") == 0)
                        { meth=TLSv1_server_method(); }
                else if (strcmp(*argv,"-tls1_1") == 0)
                        { meth=TLSv1_1_server_method(); }
+               else if (strcmp(*argv,"-tls1_2") == 0)
+                       { meth=TLSv1_2_server_method(); }
 #endif
 #ifndef OPENSSL_NO_DTLS1
                else if (strcmp(*argv,"-dtls1") == 0)
@@ -1372,6 +1448,12 @@ int MAIN(int argc, char *argv[])
                        keymatexportlen=atoi(*(++argv));
                        if (keymatexportlen == 0) goto bad;
                        }
+               else if (strcmp(*argv, "-cert_strict") == 0)
+                       cert_flags |= SSL_CERT_FLAG_TLS_STRICT;
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+               else if (strcmp(*argv, "-debug_broken_protocol") == 0)
+                       cert_flags |= SSL_CERT_FLAG_BROKEN_PROTCOL;
+#endif
                else
                        {
                        BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -1429,6 +1511,9 @@ bad:
                s_key_file2 = s_cert_file2;
 #endif
 
+       if (!load_excert(&exc, bio_err))
+               goto end;
+
        if (nocert == 0)
                {
                s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, e,
@@ -1475,24 +1560,24 @@ bad:
                                goto end;
                                }
                        }
-# ifndef OPENSSL_NO_NEXTPROTONEG
-               if (next_proto_neg_in)
-                       {
-                       unsigned short len;
-                       next_proto.data = next_protos_parse(&len,
-                               next_proto_neg_in);
-                       if (next_proto.data == NULL)
-                               goto end;
-                       next_proto.len = len;
-                       }
-               else
-                       {
-                       next_proto.data = NULL;
-                       }
-# endif
-#endif
+#endif /* OPENSSL_NO_TLSEXT */
                }
 
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 
+       if (next_proto_neg_in)
+               {
+               unsigned short len;
+               next_proto.data = next_protos_parse(&len, next_proto_neg_in);
+               if (next_proto.data == NULL)
+                       goto end;
+               next_proto.len = len;
+               }
+       else
+               {
+               next_proto.data = NULL;
+               }
+#endif
+
 
        if (s_dcert_file)
                {
@@ -1589,6 +1674,8 @@ bad:
        if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL);
        if (hack) SSL_CTX_set_options(ctx,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
        SSL_CTX_set_options(ctx,off);
+       if (cert_flags) SSL_CTX_set_cert_flags(ctx, cert_flags);
+       if (exc) ssl_ctx_set_excert(ctx, exc);
        /* DTLS: partial reads end up discarding unread UDP bytes :-( 
         * Setting read ahead solves this problem.
         */
@@ -1627,6 +1714,13 @@ bad:
        if (vpm)
                SSL_CTX_set1_param(ctx, vpm);
 
+       if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile))
+               {
+               BIO_printf(bio_err, "Error loading store locations\n");
+               ERR_print_errors(bio_err);
+               goto end;
+               }
+
 #ifndef OPENSSL_NO_TLSEXT
        if (s_cert2)
                {
@@ -1662,6 +1756,8 @@ bad:
                if (bugs) SSL_CTX_set_options(ctx2,SSL_OP_ALL);
                if (hack) SSL_CTX_set_options(ctx2,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
                SSL_CTX_set_options(ctx2,off);
+               if (cert_flags) SSL_CTX_set_cert_flags(ctx2, cert_flags);
+               if (exc) ssl_ctx_set_excert(ctx2, exc);
                /* DTLS: partial reads end up discarding unread UDP bytes :-( 
                 * Setting read ahead solves this problem.
                 */
@@ -1787,15 +1883,19 @@ bad:
                }
 #endif
        
-       if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain))
+       if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain))
                goto end;
 #ifndef OPENSSL_NO_TLSEXT
-       if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL))
+       if (s_authz_file != NULL && !SSL_CTX_use_authz_file(ctx, s_authz_file))
+               goto end;
+#endif
+#ifndef OPENSSL_NO_TLSEXT
+       if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL, build_chain))
                goto end; 
 #endif
        if (s_dcert != NULL)
                {
-               if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain))
+               if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain, build_chain))
                        goto end;
                }
 
@@ -1902,6 +2002,36 @@ bad:
                        goto end;
                        }
                }
+       if (sigalgs)
+               {
+               if(!SSL_CTX_set1_sigalgs_list(ctx,sigalgs))
+                       {
+                       BIO_printf(bio_err,"error setting signature algorithms\n");
+                       ERR_print_errors(bio_err);
+                       goto end;
+                       }
+               if(ctx2 && !SSL_CTX_set1_sigalgs_list(ctx2,sigalgs))
+                       {
+                       BIO_printf(bio_err,"error setting signature algorithms\n");
+                       ERR_print_errors(bio_err);
+                       goto end;
+                       }
+               }
+       if (client_sigalgs)
+               {
+               if(!SSL_CTX_set1_client_sigalgs_list(ctx,client_sigalgs))
+                       {
+                       BIO_printf(bio_err,"error setting client signature algorithms\n");
+                       ERR_print_errors(bio_err);
+                       goto end;
+                       }
+               if(ctx2 && !SSL_CTX_set1_client_sigalgs_list(ctx2,client_sigalgs))
+                       {
+                       BIO_printf(bio_err,"error setting client signature algorithms\n");
+                       ERR_print_errors(bio_err);
+                       goto end;
+                       }
+               }
 #endif
        SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
        SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
@@ -1935,8 +2065,8 @@ bad:
                if ((ret = SRP_VBASE_init(srp_callback_parm.vb, srp_verifier_file)) != SRP_NO_ERROR)
                        {
                        BIO_printf(bio_err,
-                                          "Cannot initialize SRP verifier file \"%s\":ret=%d\n",
-                                          srp_verifier_file,ret);
+                                  "Cannot initialize SRP verifier file \"%s\":ret=%d\n",
+                                  srp_verifier_file, ret);
                                goto end;
                        }
                SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE,verify_callback);
@@ -1972,23 +2102,41 @@ end:
                EVP_PKEY_free(s_key);
        if (s_dkey)
                EVP_PKEY_free(s_dkey);
+       if (s_chain)
+               sk_X509_pop_free(s_chain, X509_free);
+       if (s_dchain)
+               sk_X509_pop_free(s_dchain, X509_free);
        if (pass)
                OPENSSL_free(pass);
        if (dpass)
                OPENSSL_free(dpass);
        free_sessions();
 #ifndef OPENSSL_NO_TLSEXT
+       if (tlscstatp.host)
+               OPENSSL_free(tlscstatp.host);
+       if (tlscstatp.port)
+               OPENSSL_free(tlscstatp.port);
+       if (tlscstatp.path)
+               OPENSSL_free(tlscstatp.path);
        if (ctx2 != NULL) SSL_CTX_free(ctx2);
        if (s_cert2)
                X509_free(s_cert2);
        if (s_key2)
                EVP_PKEY_free(s_key2);
+       if (authz_in != NULL)
+               BIO_free(authz_in);
 #endif
+       ssl_excert_free(exc);
        if (bio_s_out != NULL)
                {
         BIO_free(bio_s_out);
                bio_s_out=NULL;
                }
+       if (bio_s_msg != NULL)
+               {
+               BIO_free(bio_s_msg);
+               bio_s_msg = NULL;
+               }
        apps_shutdown();
        OPENSSL_EXIT(ret);
        }
@@ -2143,8 +2291,13 @@ static int sv_body(char *hostname, int s, unsigned char *context)
                }
        if (s_msg)
                {
-               SSL_set_msg_callback(con, msg_cb);
-               SSL_set_msg_callback_arg(con, bio_s_out);
+#ifndef OPENSSL_NO_SSL_TRACE
+               if (s_msg == 2)
+                       SSL_set_msg_callback(con, SSL_trace);
+               else
+#endif
+                       SSL_set_msg_callback(con, msg_cb);
+               SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out);
                }
 #ifndef OPENSSL_NO_TLSEXT
        if (s_tlsextdebug)
@@ -2246,7 +2399,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
                                }
                        else
                                i=raw_read_stdin(buf,bufsize);
-                       if (!s_quiet)
+                       if (!s_quiet && !s_brief)
                                {
                                if ((i <= 0) || (buf[0] == 'Q'))
                                        {
@@ -2456,12 +2609,12 @@ static int init_ssl_connection(SSL *con)
        X509 *peer;
        long verify_error;
        MS_STATIC char buf[BUFSIZ];
+#ifndef OPENSSL_NO_KRB5
+       char *client_princ;
+#endif
 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
        const unsigned char *next_proto_neg;
        unsigned next_proto_neg_len;
-#endif
-#ifndef OPENSSL_NO_KRB5
-       char *client_princ;
 #endif
        unsigned char *exportedkeymat;
 
@@ -2494,11 +2647,14 @@ static int init_ssl_connection(SSL *con)
                        BIO_printf(bio_err,"verify error:%s\n",
                                X509_verify_cert_error_string(verify_error));
                        }
-               else
-                       ERR_print_errors(bio_err);
+               /* Always print any error messages */
+               ERR_print_errors(bio_err);
                return(0);
                }
 
+       if (s_brief)
+               print_ssl_summary(bio_err, con);
+
        PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con));
 
        peer=SSL_get_peer_certificate(con);
@@ -2517,7 +2673,7 @@ static int init_ssl_connection(SSL *con)
                BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
        str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
        ssl_print_sigalgs(bio_s_out, con);
-       ssl_print_curves(bio_s_out, con);
+       ssl_print_curves(bio_s_out, con, 0);
        BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
 
 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
@@ -2681,6 +2837,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
                }
        SSL_set_bio(con,sbio,sbio);
        SSL_set_accept_state(con);
+
        /* SSL_set_fd(con,s); */
        BIO_set_ssl(ssl_bio,con,BIO_CLOSE);
        BIO_push(io,ssl_bio);
@@ -2696,8 +2853,13 @@ static int www_body(char *hostname, int s, unsigned char *context)
                }
        if (s_msg)
                {
-               SSL_set_msg_callback(con, msg_cb);
-               SSL_set_msg_callback_arg(con, bio_s_out);
+#ifndef OPENSSL_NO_SSL_TRACE
+               if (s_msg == 2)
+                       SSL_set_msg_callback(con, SSL_trace);
+               else
+#endif
+                       SSL_set_msg_callback(con, msg_cb);
+               SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out);
                }
 
        for (;;)
@@ -2854,7 +3016,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
                                BIO_puts(io,"\n");
                                }
                        ssl_print_sigalgs(io, con);
-                       ssl_print_curves(io, con);
+                       ssl_print_curves(io, con, 0);
                        BIO_printf(io,(SSL_cache_hit(con)
                                ?"---\nReused, "
                                :"---\nNew, "));
@@ -3205,7 +3367,36 @@ static void free_sessions(void)
                }
        first = NULL;
        }
-       
+
+static int ssl_load_stores(SSL_CTX *sctx,
+                       const char *vfyCApath, const char *vfyCAfile,
+                       const char *chCApath, const char *chCAfile)
+       {
+       X509_STORE *vfy = NULL, *ch = NULL;
+       int rv = 0;
+       if (vfyCApath || vfyCAfile)
+               {
+               vfy = X509_STORE_new();
+               if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
+                       goto err;
+               SSL_CTX_set1_verify_cert_store(ctx, vfy);
+               }
+       if (chCApath || chCAfile)
+               {
+               ch = X509_STORE_new();
+               if (!X509_STORE_load_locations(ch, chCAfile, chCApath))
+                       goto err;
+               /*X509_STORE_set_verify_cb(ch, verify_callback);*/
+               SSL_CTX_set1_chain_cert_store(ctx, ch);
+               }
+       rv = 1;
+       err:
+       if (vfy)
+               X509_STORE_free(vfy);
+       if (ch)
+               X509_STORE_free(ch);
+       return rv;
+       }
 
 
 
Unnamed repository; edit this file 'description' to name the repository.