New option to add CRLs for s_client and s_server.
authorDr. Stephen Henson <steve@openssl.org>
Sun, 2 Dec 2012 16:16:28 +0000 (16:16 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Sun, 2 Dec 2012 16:16:28 +0000 (16:16 +0000)
CHANGES
apps/apps.c
apps/apps.h
apps/crl.c
apps/s_apps.h
apps/s_cb.c
apps/s_client.c
apps/s_server.c

diff --git a/CHANGES b/CHANGES
index 3f6afc8..a03aa4b 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,9 @@
 
  Changes between 1.0.x and 1.1.0  [xx XXX xxxx]
 
+  *) New options -CRL and -CRLform for s_client and s_server for CRLs.
+     [Steve Henson]
+
   *) Extend OCSP I/O functions so they can be used for simple general purpose
      HTTP as well as OCSP. New wrapper function which can be used to download
      CRLs using the OCSP API.
index b36e517..b378836 100644 (file)
@@ -929,6 +929,55 @@ end:
        return(x);
        }
 
+X509_CRL *load_crl(char *infile, int format)
+       {
+       X509_CRL *x=NULL;
+       BIO *in=NULL;
+
+       if (format == FORMAT_HTTP)
+               {
+               load_cert_crl_http(infile, bio_err, NULL, &x);
+               return x;
+               }
+
+       in=BIO_new(BIO_s_file());
+       if (in == NULL)
+               {
+               ERR_print_errors(bio_err);
+               goto end;
+               }
+
+       if (infile == NULL)
+               BIO_set_fp(in,stdin,BIO_NOCLOSE);
+       else
+               {
+               if (BIO_read_filename(in,infile) <= 0)
+                       {
+                       perror(infile);
+                       goto end;
+                       }
+               }
+       if      (format == FORMAT_ASN1)
+               x=d2i_X509_CRL_bio(in,NULL);
+       else if (format == FORMAT_PEM)
+               x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
+       else    {
+               BIO_printf(bio_err,"bad input format specified for input crl\n");
+               goto end;
+               }
+       if (x == NULL)
+               {
+               BIO_printf(bio_err,"unable to load CRL\n");
+               ERR_print_errors(bio_err);
+               goto end;
+               }
+       
+end:
+       BIO_free(in);
+       return(x);
+       }
+
+
 EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
        const char *pass, ENGINE *e, const char *key_descrip)
        {
index 165e455..e9d21d5 100644 (file)
@@ -245,6 +245,7 @@ int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
 int add_oid_section(BIO *err, CONF *conf);
 X509 *load_cert(BIO *err, const char *file, int format,
        const char *pass, ENGINE *e, const char *cert_descrip);
+X509_CRL *load_crl(char *infile, int format);
 int load_cert_crl_http(const char *url, BIO *err,
                                        X509 **pcert, X509_CRL **pcrl);
 EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
index 888cf7f..fc12734 100644 (file)
@@ -93,7 +93,6 @@ static const char *crl_usage[]={
 NULL
 };
 
-static X509_CRL *load_crl(char *file, int format);
 static BIO *bio_out=NULL;
 
 int MAIN(int, char **);
@@ -401,52 +400,3 @@ end:
        apps_shutdown();
        OPENSSL_EXIT(ret);
        }
-
-static X509_CRL *load_crl(char *infile, int format)
-       {
-       X509_CRL *x=NULL;
-       BIO *in=NULL;
-
-       if (format == FORMAT_HTTP)
-               {
-               load_cert_crl_http(infile, bio_err, NULL, &x);
-               return x;
-               }
-
-       in=BIO_new(BIO_s_file());
-       if (in == NULL)
-               {
-               ERR_print_errors(bio_err);
-               goto end;
-               }
-
-       if (infile == NULL)
-               BIO_set_fp(in,stdin,BIO_NOCLOSE);
-       else
-               {
-               if (BIO_read_filename(in,infile) <= 0)
-                       {
-                       perror(infile);
-                       goto end;
-                       }
-               }
-       if      (format == FORMAT_ASN1)
-               x=d2i_X509_CRL_bio(in,NULL);
-       else if (format == FORMAT_PEM)
-               x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
-       else    {
-               BIO_printf(bio_err,"bad input format specified for input crl\n");
-               goto end;
-               }
-       if (x == NULL)
-               {
-               BIO_printf(bio_err,"unable to load CRL\n");
-               ERR_print_errors(bio_err);
-               goto end;
-               }
-       
-end:
-       BIO_free(in);
-       return(x);
-       }
-
index 6aab0a6..0a38241 100644 (file)
@@ -201,7 +201,9 @@ int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
                        int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);
 int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
                                STACK_OF(OPENSSL_STRING) *str, int no_ecdhe);
+int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls);
 int ssl_load_stores(SSL_CTX *ctx,
                        const char *vfyCApath, const char *vfyCAfile,
-                       const char *chCApath, const char *chCAfile);
+                       const char *chCApath, const char *chCAfile,
+                       STACK_OF(X509_CRL) *crls);
 #endif
index 0759c8a..e0289d4 100644 (file)
@@ -293,7 +293,6 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
                ERR_print_errors(bio_err);
                return 0;
                }
-               
        return 1;
        }
 
@@ -1670,9 +1669,36 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
        return 1;
        }
 
+static int add_crls_store(X509_STORE *st, STACK_OF(X509_CRL) *crls)
+       {
+       X509_CRL *crl;
+       int i;
+       if (crls)
+               {
+               for (i = 0; i < sk_X509_CRL_num(crls); i++)
+                       {
+                       crl = sk_X509_CRL_value(crls, i);
+                       X509_STORE_add_crl(st, crl);
+                       }
+               }
+       return 1;
+       }
+
+int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls)
+       {
+       X509_STORE *st;
+       if (crls)
+               {
+               st = SSL_CTX_get_cert_store(ctx);
+               add_crls_store(st, crls);
+               }
+       return 1;
+       }
+
 int ssl_load_stores(SSL_CTX *ctx,
                        const char *vfyCApath, const char *vfyCAfile,
-                       const char *chCApath, const char *chCAfile)
+                       const char *chCApath, const char *chCAfile,
+                       STACK_OF(X509_CRL) *crls)
        {
        X509_STORE *vfy = NULL, *ch = NULL;
        int rv = 0;
@@ -1681,6 +1707,7 @@ int ssl_load_stores(SSL_CTX *ctx,
                vfy = X509_STORE_new();
                if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
                        goto err;
+               add_crls_store(vfy, crls);
                SSL_CTX_set1_verify_cert_store(ctx, vfy);
                }
        if (chCApath || chCAfile)
index aebdeac..1a8f8ac 100644 (file)
@@ -639,6 +639,10 @@ int MAIN(int argc, char **argv)
        SSL_CONF_CTX *cctx = NULL;
        STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
 
+       char *crl_file = NULL;
+       int crl_format = FORMAT_PEM;
+       STACK_OF(X509_CRL) *crls = NULL;
+
        meth=SSLv23_client_method();
 
        apps_startup();
@@ -708,6 +712,11 @@ int MAIN(int argc, char **argv)
                        if (--argc < 1) goto bad;
                        cert_file= *(++argv);
                        }
+               else if (strcmp(*argv,"-CRL") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crl_file= *(++argv);
+                       }
                else if (strcmp(*argv,"-sess_out") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -723,6 +732,11 @@ int MAIN(int argc, char **argv)
                        if (--argc < 1) goto bad;
                        cert_format = str2fmt(*(++argv));
                        }
+               else if (strcmp(*argv,"-CRLform") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crl_format = str2fmt(*(++argv));
+                       }
                else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
                        {
                        if (badarg)
@@ -1128,6 +1142,26 @@ bad:
                        }
                }
 
+       if (crl_file)
+               {
+               X509_CRL *crl;
+               crl = load_crl(crl_file, crl_format);
+               if (!crl)
+                       {
+                       BIO_puts(bio_err, "Error loading CRL\n");
+                       ERR_print_errors(bio_err);
+                       goto end;
+                       }
+               crls = sk_X509_CRL_new_null();
+               if (!crls || !sk_X509_CRL_push(crls, crl))
+                       {
+                       BIO_puts(bio_err, "Error adding CRL\n");
+                       ERR_print_errors(bio_err);
+                       X509_CRL_free(crl);
+                       goto end;
+                       }
+               }
+
        if (!load_excert(&exc, bio_err))
                goto end;
 
@@ -1179,7 +1213,7 @@ bad:
                goto end;
                }
 
-       if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile))
+       if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, crls))
                {
                BIO_printf(bio_err, "Error loading store locations\n");
                ERR_print_errors(bio_err);
@@ -1241,6 +1275,8 @@ bad:
                /* goto end; */
                }
 
+       ssl_ctx_add_crls(ctx, crls);
+
        if (!set_cert_key_stuff(ctx,cert,key, NULL, build_chain))
                goto end;
 
@@ -1983,6 +2019,8 @@ end:
        if (ctx != NULL) SSL_CTX_free(ctx);
        if (cert)
                X509_free(cert);
+       if (crls)
+               sk_X509_CRL_pop_free(crls, X509_CRL_free);
        if (key)
                EVP_PKEY_free(key);
        if (pass)
index 6813fb7..b9f6f30 100644 (file)
@@ -999,6 +999,10 @@ int MAIN(int argc, char *argv[])
        SSL_CONF_CTX *cctx = NULL;
        STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
 
+       char *crl_file = NULL;
+       int crl_format = FORMAT_PEM;
+       STACK_OF(X509_CRL) *crls = NULL;
+
        meth=SSLv23_server_method();
 
        local_argc=argc;
@@ -1077,6 +1081,11 @@ int MAIN(int argc, char *argv[])
                        if (--argc < 1) goto bad;
                        s_cert_file= *(++argv);
                        }
+               else if (strcmp(*argv,"-CRL") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crl_file= *(++argv);
+                       }
 #ifndef OPENSSL_NO_TLSEXT
                else if (strcmp(*argv,"-authz") == 0)
                        {
@@ -1167,6 +1176,11 @@ int MAIN(int argc, char *argv[])
                        no_cache = 1;
                else if (strcmp(*argv,"-ext_cache") == 0)
                        ext_cache = 1;
+               else if (strcmp(*argv,"-CRLform") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crl_format = str2fmt(*(++argv));
+                       }
                else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
                        {
                        if (badarg)
@@ -1567,6 +1581,26 @@ bad:
                }
 #endif
 
+       if (crl_file)
+               {
+               X509_CRL *crl;
+               crl = load_crl(crl_file, crl_format);
+               if (!crl)
+                       {
+                       BIO_puts(bio_err, "Error loading CRL\n");
+                       ERR_print_errors(bio_err);
+                       goto end;
+                       }
+               crls = sk_X509_CRL_new_null();
+               if (!crls || !sk_X509_CRL_push(crls, crl))
+                       {
+                       BIO_puts(bio_err, "Error adding CRL\n");
+                       ERR_print_errors(bio_err);
+                       X509_CRL_free(crl);
+                       goto end;
+                       }
+               }
+
 
        if (s_dcert_file)
                {
@@ -1702,10 +1736,12 @@ bad:
        if (vpm)
                SSL_CTX_set1_param(ctx, vpm);
 
+       ssl_ctx_add_crls(ctx, crls);
+
        if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe))
                goto end;
 
-       if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile))
+       if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, crls))
                {
                BIO_printf(bio_err, "Error loading store locations\n");
                ERR_print_errors(bio_err);
@@ -1768,6 +1804,8 @@ bad:
                if (vpm)
                        SSL_CTX_set1_param(ctx2, vpm);
 
+               ssl_ctx_add_crls(ctx2, crls);
+
                if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe))
                        goto end;
                }
@@ -1973,6 +2011,8 @@ end:
        if (ctx != NULL) SSL_CTX_free(ctx);
        if (s_cert)
                X509_free(s_cert);
+       if (crls)
+               sk_X509_CRL_pop_free(crls, X509_CRL_free);
        if (s_dcert)
                X509_free(s_dcert);
        if (s_key)