X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_cb.c;h=04ebb79b932201d6e9477ea8e9742506c40190bd;hp=11b6ea5d99c35bcc9d9c6408785f5b99223e3f92;hb=b362ccab5c1d52086f19d29a32f4acc11073b86b;hpb=191b3f0ba9d574809b8e18e6238f54525c87b8d3

diff --git a/apps/s_cb.c b/apps/s_cb.c
index 11b6ea5d99..04ebb79b93 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -190,7 +190,8 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
 		BIO_printf(bio_err,"\n");
 		break;
 	case X509_V_ERR_NO_EXPLICIT_POLICY:
-		policies_print(bio_err, ctx);
+		if (!verify_quiet)
+			policies_print(bio_err, ctx);
 		break;
 		}
 	if (err == X509_V_OK && ok == 2 && !verify_quiet)
@@ -258,6 +259,7 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
 int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
 		       STACK_OF(X509) *chain, int build_chain)
 	{
+	int chflags = chain ? SSL_BUILD_CHAIN_FLAG_CHECK : 0;
 	if (cert == NULL)
 		return 1;
 	if (SSL_CTX_use_certificate(ctx,cert) <= 0)
@@ -287,13 +289,12 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
 		ERR_print_errors(bio_err);
 		return 0;
 		}
-	if (!chain && build_chain && !SSL_CTX_build_cert_chain(ctx, 0))
+	if (build_chain && !SSL_CTX_build_cert_chain(ctx, chflags))
 		{
 		BIO_printf(bio_err,"error building certificate chain\n");
 		ERR_print_errors(bio_err);
 		return 0;
 		}
-		
 	return 1;
 	}
 
@@ -423,6 +424,44 @@ int ssl_print_sigalgs(BIO *out, SSL *s)
 		BIO_printf(out, "Peer signing digest: %s\n", OBJ_nid2sn(mdnid));
 	return 1;
 	}
+#ifndef OPENSSL_NO_EC
+int ssl_print_point_formats(BIO *out, SSL *s)
+	{
+	int i, nformats;
+	const char *pformats;
+	nformats = SSL_get0_ec_point_formats(s, &pformats);
+	if (nformats <= 0)
+		return 1;
+	BIO_puts(out, "Supported Elliptic Curve Point Formats: ");
+	for (i = 0; i < nformats; i++, pformats++)
+		{
+		if (i)
+			BIO_puts(out, ":");
+		switch(*pformats)
+			{
+		case TLSEXT_ECPOINTFORMAT_uncompressed:
+			BIO_puts(out, "uncompressed");
+			break;
+
+		case TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime:
+			BIO_puts(out, "ansiX962_compressed_prime");
+			break;
+
+		case TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2:
+			BIO_puts(out, "ansiX962_compressed_char2");
+			break;
+
+		default:
+			BIO_printf(out, "unknown(%d)", (int)*pformats);
+			break;
+
+			}
+		}
+	if (nformats <= 0)
+		BIO_puts(out, "NONE");
+	BIO_puts(out, "\n");
+	return 1;
+	}
 
 int ssl_print_curves(BIO *out, SSL *s, int noshared)
 	{
@@ -477,7 +516,7 @@ int ssl_print_curves(BIO *out, SSL *s, int noshared)
 	BIO_puts(out, "\n");
 	return 1;
 	}
-
+#endif
 int ssl_print_tmp_key(BIO *out, SSL *s)
 	{
 	EVP_PKEY *key;
@@ -493,7 +532,7 @@ int ssl_print_tmp_key(BIO *out, SSL *s)
 	case EVP_PKEY_DH:
 		BIO_printf(out, "DH, %d bits\n", EVP_PKEY_bits(key));
 		break;
-
+#ifndef OPENSSL_NO_ECDH
 	case EVP_PKEY_EC:
 			{
 			EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
@@ -507,6 +546,7 @@ int ssl_print_tmp_key(BIO *out, SSL *s)
 			BIO_printf(out, "ECDH, %s, %d bits\n",
 						cname, EVP_PKEY_bits(key));
 			}
+#endif
 		}
 	EVP_PKEY_free(key);
 	return 1;
@@ -840,6 +880,9 @@ void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *
 				case 20:
 					str_details1 = ", Finished";
 					break;
+				case 23:
+					str_details1 = ", SupplementalData";
+					break;
 					}
 				}
 			}
@@ -981,6 +1024,11 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
 		extname = "next protocol";
 		break;
 #endif
+#ifdef TLSEXT_TYPE_encrypt_then_mac
+		case TLSEXT_TYPE_encrypt_then_mac:
+		extname = "encrypt-then-mac";
+		break;
+#endif
 
 		default:
 		extname = "unknown";
@@ -1225,6 +1273,16 @@ static int set_cert_cb(SSL *ssl, void *arg)
 	{
 	int i, rv;
 	SSL_EXCERT *exc = arg;
+#ifdef CERT_CB_TEST_RETRY
+	static int retry_cnt;
+	if (retry_cnt < 5)
+		{
+		retry_cnt++;
+		fprintf(stderr, "Certificate callback retry test: count %d\n",
+								retry_cnt);
+		return -1;
+		}
+#endif
 	SSL_certs_clear(ssl);
 
 	if (!exc)
@@ -1527,24 +1585,16 @@ void print_ssl_summary(BIO *bio, SSL *s)
 		BIO_puts(bio, "No peer certificate\n");
 	if (peer)
 		X509_free(peer);
+#ifndef OPENSSL_NO_EC
+	ssl_print_point_formats(bio, s);
 	if (SSL_is_server(s))
 		ssl_print_curves(bio, s, 1);
 	else
 		ssl_print_tmp_key(bio, s);
-	}
-
-void print_ssl_cert_checks(BIO *bio, SSL *s,
-				const unsigned char *checkhost,
-				const unsigned char *checkemail,
-				const char *checkip)
-	{
-	X509 *peer;
-	peer = SSL_get_peer_certificate(s);
-	if (peer)
-		{
-		print_cert_checks(bio, peer, checkhost, checkemail, checkip);
-		X509_free(peer);
-		}
+#else
+	if (!SSL_is_server(s))
+		ssl_print_tmp_key(bio, s);
+#endif
 	}
 
 int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
@@ -1594,7 +1644,7 @@ int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
 	}
 
 int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
-				STACK_OF(OPENSSL_STRING) *str, int no_ecdhe)
+		STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake)
 	{
 	int i;
 	SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
@@ -1607,6 +1657,13 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
 		 */
 		if (!no_ecdhe && !strcmp(param, "-named_curve"))
 			no_ecdhe = 1;
+#ifndef OPENSSL_NO_JPAKE
+		if (!no_jpake && !strcmp(param, "-cipher"))
+			{
+			BIO_puts(err, "JPAKE sets cipher to PSK\n");
+			return 0;
+			}
+#endif
 		if (SSL_CONF_cmd(cctx, param, value) <= 0)
 			{
 			BIO_printf(err, "Error with command: \"%s %s\"\n",
@@ -1628,5 +1685,77 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
 			return 0;
 			}
 		}
+#ifndef OPENSSL_NO_JPAKE
+	if (!no_jpake)
+		{
+		if (SSL_CONF_cmd(cctx, "-cipher", "PSK") <= 0)
+			{
+			BIO_puts(err, "Error setting cipher to PSK\n");
+			ERR_print_errors(err);
+			return 0;
+			}
+		}
+#endif
+	if (!SSL_CONF_CTX_finish(cctx))
+		{
+		BIO_puts(err, "Error finishing context\n");
+		ERR_print_errors(err);
+		return 0;
+		}
+	return 1;
+	}
+
+static int add_crls_store(X509_STORE *st, STACK_OF(X509_CRL) *crls)
+	{
+	X509_CRL *crl;
+	int i;
+	for (i = 0; i < sk_X509_CRL_num(crls); i++)
+		{
+		crl = sk_X509_CRL_value(crls, i);
+		X509_STORE_add_crl(st, crl);
+		}
+	return 1;
+	}
+
+int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, int crl_download)
+	{
+	X509_STORE *st;
+	st = SSL_CTX_get_cert_store(ctx);
+	add_crls_store(st, crls);
+	if (crl_download)
+		store_setup_crl_download(st);
 	return 1;
 	}
+
+int ssl_load_stores(SSL_CTX *ctx,
+			const char *vfyCApath, const char *vfyCAfile,
+			const char *chCApath, const char *chCAfile,
+			STACK_OF(X509_CRL) *crls, int crl_download)
+	{
+	X509_STORE *vfy = NULL, *ch = NULL;
+	int rv = 0;
+	if (vfyCApath || vfyCAfile)
+		{
+		vfy = X509_STORE_new();
+		if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
+			goto err;
+		add_crls_store(vfy, crls);
+		SSL_CTX_set1_verify_cert_store(ctx, vfy);
+		if (crl_download)
+			store_setup_crl_download(vfy);
+		}
+	if (chCApath || chCAfile)
+		{
+		ch = X509_STORE_new();
+		if (!X509_STORE_load_locations(ch, chCAfile, chCApath))
+			goto err;
+		SSL_CTX_set1_chain_cert_store(ctx, ch);
+		}
+	rv = 1;
+	err:
+	if (vfy)
+		X509_STORE_free(vfy);
+	if (ch)
+		X509_STORE_free(ch);
+	return rv;
+	}