diff options
Diffstat (limited to 'apps/s_server.c')
| -rw-r--r-- | apps/s_server.c | 72 |
1 files changed, 68 insertions, 4 deletions
diff --git a/apps/s_server.c b/apps/s_server.c index 5dd9e8e059..bbe24929fb 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -215,6 +215,9 @@ static int generate_session_id(const SSL *ssl, unsigned char *id, unsigned int *id_len); static void init_session_cache_ctx(SSL_CTX *sctx); static void free_sessions(void); +static int ssl_load_stores(SSL_CTX *sctx, + const char *vfyCApath, const char *vfyCAfile, + const char *chCApath, const char *chCAfile); #ifndef OPENSSL_NO_DH static DH *load_dh_param(const char *dhfile); static DH *get_dh512(void); @@ -952,6 +955,8 @@ int MAIN(int argc, char *argv[]) int badarg = 0; short port=PORT; char *CApath=NULL,*CAfile=NULL; + char *chCApath=NULL,*chCAfile=NULL; + char *vfyCApath=NULL,*vfyCAfile=NULL; unsigned char *context = NULL; char *dhfile = NULL; #ifndef OPENSSL_NO_ECDH @@ -961,6 +966,7 @@ int MAIN(int argc, char *argv[]) int ret=1; int off=0; unsigned int cert_flags = 0; + int build_chain = 0; int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0; int state=0; const SSL_METHOD *meth=NULL; @@ -1135,6 +1141,16 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; CApath= *(++argv); } + else if (strcmp(*argv,"-chainCApath") == 0) + { + if (--argc < 1) goto bad; + chCApath= *(++argv); + } + else if (strcmp(*argv,"-verifyCApath") == 0) + { + if (--argc < 1) goto bad; + vfyCApath= *(++argv); + } else if (strcmp(*argv,"-no_cache") == 0) no_cache = 1; else if (strcmp(*argv,"-ext_cache") == 0) @@ -1162,11 +1178,23 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; cipher= *(++argv); } + else if (strcmp(*argv,"-build_chain") == 0) + build_chain = 1; else if (strcmp(*argv,"-CAfile") == 0) { if (--argc < 1) goto bad; CAfile= *(++argv); } + else if (strcmp(*argv,"-chainCAfile") == 0) + { + if (--argc < 1) goto bad; + chCAfile= *(++argv); + } + else if (strcmp(*argv,"-verifyCAfile") == 0) + { + if (--argc < 1) goto bad; + vfyCAfile= *(++argv); + } #ifdef FIONBIO else if (strcmp(*argv,"-nbio") == 0) { s_nbio=1; } @@ -1672,6 +1700,13 @@ bad: if (vpm) SSL_CTX_set1_param(ctx, vpm); + if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile)) + { + BIO_printf(bio_err, "Error loading store locations\n"); + ERR_print_errors(bio_err); + goto end; + } + #ifndef OPENSSL_NO_TLSEXT if (s_cert2) { @@ -1834,19 +1869,19 @@ bad: } #endif - if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain)) + if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain)) goto end; #ifndef OPENSSL_NO_TLSEXT if (s_authz_file != NULL && !SSL_CTX_use_authz_file(ctx, s_authz_file)) goto end; #endif #ifndef OPENSSL_NO_TLSEXT - if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL)) + if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL, build_chain)) goto end; #endif if (s_dcert != NULL) { - if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain)) + if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain, build_chain)) goto end; } @@ -3305,7 +3340,36 @@ static void free_sessions(void) } first = NULL; } - + +static int ssl_load_stores(SSL_CTX *sctx, + const char *vfyCApath, const char *vfyCAfile, + const char *chCApath, const char *chCAfile) + { + X509_STORE *vfy = NULL, *ch = NULL; + int rv = 0; + if (vfyCApath || vfyCAfile) + { + vfy = X509_STORE_new(); + if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath)) + goto err; + SSL_CTX_set1_verify_cert_store(ctx, vfy); + } + if (chCApath || chCAfile) + { + ch = X509_STORE_new(); + if (!X509_STORE_load_locations(ch, chCAfile, chCApath)) + goto err; + /*X509_STORE_set_verify_cb(ch, verify_callback);*/ + SSL_CTX_set1_chain_cert_store(ctx, ch); + } + rv = 1; + err: + if (vfy) + X509_STORE_free(vfy); + if (ch) + X509_STORE_free(ch); + return rv; + } |