Print CA names in s_server, add -requestCAfile to s_client

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3015)

diff --git a/apps/s_apps.h b/apps/s_apps.h
index bf27de2fae99cff25393103ea20f3df03243f9b4..aa0565d360d645ae6aa2d10431246192a247ccdb 100644 (file)
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -77,4 +77,5 @@ int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,
                     int crl_download);
 void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose);
 int set_keylog_file(SSL_CTX *ctx, const char *keylog_file);
+void print_ca_names(BIO *bio, SSL *s);
 #endif

diff --git a/apps/s_cb.c b/apps/s_cb.c
index 8c6ce48863d766a8db5e438463e8a76ec15dd200..1b6816448548944a0a5691c870ad3f21ceb91688 100644 (file)
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -1426,3 +1426,21 @@ int set_keylog_file(SSL_CTX *ctx, const char *keylog_file)
     SSL_CTX_set_keylog_callback(ctx, keylog_callback);
     return 0;
 }
+
+void print_ca_names(BIO *bio, SSL *s)
+{
+    const char *cs = SSL_is_server(s) ? "server" : "client";
+    const STACK_OF(X509_NAME) *sk = SSL_get0_peer_CA_list(s);
+    int i;
+
+    if (sk == NULL || sk_X509_NAME_num(sk) == 0) {
+        BIO_printf(bio, "---\nNo %s certificate CA names sent\n", cs);
+        return;
+    }
+
+    BIO_printf(bio, "---\nAcceptable %s certificate CA names\n",cs);
+    for (i = 0; i < sk_X509_NAME_num(sk); i++) {
+        X509_NAME_print_ex(bio, sk_X509_NAME_value(sk, i), 0, XN_FLAG_ONELINE);
+        BIO_write(bio, "\n", 1);
+    }
+}

diff --git a/apps/s_client.c b/apps/s_client.c
index 8e1a5dda0c3e7830005c46df92fc272cffb95ffb..9267393582ebe3be00b9a52e6f0bfbbf8194692f 100644 (file)
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -588,7 +588,7 @@ const OPTIONS s_client_options[] = {
     {"no-CApath", OPT_NOCAPATH, '-',
      "Do not load certificates from the default certificates directory"},
     {"requestCAfile", OPT_REQCAFILE, '<',
-      "PEM format file of CA names sent to server"},
+      "PEM format file of CA names to send to the server"},
     {"dane_tlsa_domain", OPT_DANE_TLSA_DOMAIN, 's', "DANE TLSA base domain"},
     {"dane_tlsa_rrdata", OPT_DANE_TLSA_RRDATA, 's',
      "DANE TLSA rrdata presentation form"},
@@ -1585,6 +1585,7 @@ int s_client_main(int argc, char **argv)
     }
     if (ReqCAfile != NULL) {
         STACK_OF(X509_NAME) *nm = sk_X509_NAME_new_null();
+
         if (nm == NULL || !SSL_add_file_cert_subjects_to_stack(nm, ReqCAfile)) {
             sk_X509_NAME_pop_free(nm, X509_NAME_free);
             BIO_printf(bio_err, "Error loading CA names\n");
@@ -2820,9 +2821,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
     X509 *peer = NULL;
     char buf[BUFSIZ];
     STACK_OF(X509) *sk;
-    STACK_OF(X509_NAME) *sk2;
     const SSL_CIPHER *c;
-    X509_NAME *xn;
     int i;
 #ifndef OPENSSL_NO_COMP
     const COMP_METHOD *comp, *expansion;
@@ -2864,21 +2863,10 @@ static void print_stuff(BIO *bio, SSL *s, int full)
             BIO_printf(bio, "subject=%s\n", buf);
             X509_NAME_oneline(X509_get_issuer_name(peer), buf, sizeof buf);
             BIO_printf(bio, "issuer=%s\n", buf);
-        } else
-            BIO_printf(bio, "no peer certificate available\n");
-
-        sk2 = SSL_get_client_CA_list(s);
-        if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0)) {
-            BIO_printf(bio, "---\nAcceptable client certificate CA names\n");
-            for (i = 0; i < sk_X509_NAME_num(sk2); i++) {
-                xn = sk_X509_NAME_value(sk2, i);
-                X509_NAME_oneline(xn, buf, sizeof(buf));
-                BIO_write(bio, buf, strlen(buf));
-                BIO_write(bio, "\n", 1);
-            }
         } else {
-            BIO_printf(bio, "---\nNo client certificate CA names sent\n");
+            BIO_printf(bio, "no peer certificate available\n");
         }
+        print_ca_names(bio, s);
 
         ssl_print_sigalgs(bio, s);
         ssl_print_tmp_key(bio, s);

diff --git a/apps/s_server.c b/apps/s_server.c
index 5858278b466fb791312f58cfd7399734adf619d2..4bd2620c9fa71b4b502519ca27ef51e9f31b11a9 100644 (file)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -2704,6 +2704,7 @@ static void print_connection_info(SSL *con)
     ssl_print_point_formats(bio_s_out, con);
     ssl_print_groups(bio_s_out, con, 0);
 #endif
+    print_ca_names(bio_s_out, con);
     BIO_printf(bio_s_out, "CIPHER is %s\n", (str != NULL) ? str : "(NONE)");
 
 #if !defined(OPENSSL_NO_NEXTPROTONEG)
@@ -2990,6 +2991,7 @@ static int www_body(int s, int stype, unsigned char *context)
 #ifndef OPENSSL_NO_EC
             ssl_print_groups(io, con, 0);
 #endif
+            print_ca_names(io, con);
             BIO_printf(io, (SSL_session_reused(con)
                             ? "---\nReused, " : "---\nNew, "));
             c = SSL_get_current_cipher(con);