Use common verify parameters instead of the small ad-hoc subset in
authorDr. Stephen Henson <steve@openssl.org>
Tue, 30 Jun 2009 15:56:35 +0000 (15:56 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Tue, 30 Jun 2009 15:56:35 +0000 (15:56 +0000)
s_client, s_server.

apps/s_client.c
apps/s_server.c

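--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -383,7 +383,6 @@ int MAIN(int argc, char **argv)
        {
        int off=0;
        SSL *con=NULL;
-       X509_STORE *store = NULL;
        int s,k,width,state=0;
        char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
        int cbuf_len,cbuf_off;
@@ -404,7 +403,9 @@ int MAIN(int argc, char **argv)
        SSL_CTX *ctx=NULL;
        int ret=1,in_init=1,i,nbio_test=0;
        int starttls_proto = PROTO_OFF;
-       int prexit = 0, vflags = 0;
+       int prexit = 0;
+       X509_VERIFY_PARAM *vpm = NULL;
+       int badarg = 0;
        const SSL_METHOD *meth=NULL;
        int socket_type=SOCK_STREAM;
        BIO *sbio;
@@ -521,10 +522,12 @@ int MAIN(int argc, char **argv)
                        if (--argc < 1) goto bad;
                        cert_format = str2fmt(*(++argv));
                        }
-               else if (strcmp(*argv,"-crl_check") == 0)
-                       vflags |= X509_V_FLAG_CRL_CHECK;
-               else if (strcmp(*argv,"-crl_check_all") == 0)
-                       vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
+               else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
+                       {
+                       if (badarg)
+                               goto bad;
+                       continue;
+                       }
                else if (strcmp(*argv,"-verify_return_error") == 0)
                        verify_return_error = 1;
                else if (strcmp(*argv,"-prexit") == 0)
@@ -831,6 +834,9 @@ bad:
                goto end;
                }
 
+       if (vpm)
+               SSL_CTX_set1_param(ctx, vpm);
+
 #ifndef OPENSSL_NO_ENGINE
        if (ssl_client_engine)
                {
@@ -890,8 +896,6 @@ bad:
                /* goto end; */
                }
 
-       store = SSL_CTX_get_cert_store(ctx);
-       X509_STORE_set_flags(store, vflags);
 #ifndef OPENSSL_NO_TLSEXT
        if (servername != NULL)
                {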
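Review bot: The `vpm` that args_verify fills in (hunk @@ -521) is never released in any hunk of this section; `SSL_CTX_set1_param` copies the parameters into the context, so the caller still owns `vpm` and should release it on the `end:` path, e.g. `if (vpm) X509_VERIFY_PARAM_free(vpm);`. The same omission applies to the apps/s_server.c section of this commit. Whether args_verify allocates `vpm` is not visible here, but the `&vpm` out-parameter and the `if (vpm)` guard before `SSL_CTX_set1_param` suggest it is created on first use. MAIN's body, including its `end:` cleanup, lies outside these hunks.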
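--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -835,8 +835,8 @@ static char *jpake_secret = NULL;
 
 int MAIN(int argc, char *argv[])
        {
-       X509_STORE *store = NULL;
-       int vflags = 0;
+       X509_VERIFY_PARAM *vpm = NULL;
+       int badarg = 0;
        short port=PORT;
        char *CApath=NULL,*CAfile=NULL;
        unsigned char *context = NULL;
@@ -1001,13 +1001,11 @@ int MAIN(int argc, char *argv[])
                        if (--argc < 1) goto bad;
                        CApath= *(++argv);
                        }
-               else if (strcmp(*argv,"-crl_check") == 0)
+               else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
                        {
-                       vflags |= X509_V_FLAG_CRL_CHECK;
-                       }
-               else if (strcmp(*argv,"-crl_check_all") == 0)
-                       {
-                       vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
+                       if (badarg)
+                               goto bad;
+                       continue;
                        }
                else if (strcmp(*argv,"-verify_return_error") == 0)
                        verify_return_error = 1;
@@ -1412,8 +1410,8 @@ bad:
                ERR_print_errors(bio_err);
                /* goto end; */
                }
-       store = SSL_CTX_get_cert_store(ctx);
-       X509_STORE_set_flags(store, vflags);
+       if (vpm)
+               SSL_CTX_set1_param(ctx, vpm);
 
 #ifndef OPENSSL_NO_TLSEXT
        if (s_cert2)
@@ -1464,8 +1462,8 @@ bad:
                        {
                        ERR_print_errors(bio_err);
                        }
-               store = SSL_CTX_get_cert_store(ctx2);
-               X509_STORE_set_flags(store, vflags);
+               if (vpm)
+                       SSL_CTX_set1_param(ctx2, vpm);
                }
 #endif 
 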
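Review bot: The `continue` in hunk @@ -1001 is easy to misread: it bypasses whatever per-iteration advance the option loop performs after the `else if` chain (that part of the loop is outside the hunk), so it relies on args_verify having already consumed the option and any value through `&argv`/`&argc`. A one-line comment would make that dependency explicit, e.g. `/* args_verify() already advanced argv/argc; skip the loop's own advance */`. The same construct appears in the apps/s_client.c section. Keeping `badarg` checked before the `continue` is important, since a malformed verify option must still reach `bad:` rather than be skipped.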