diff options
| author | Geoff Thorpe <geoff@openssl.org> | 2000-11-29 01:29:08 +0000 |
|---|---|---|
| committer | Geoff Thorpe <geoff@openssl.org> | 2000-11-29 01:29:08 +0000 |
| commit | f2cc7559dd88aaee8d6c27f5af924b7479d5b0f0 (patch) | |
| tree | c68824fb359b7234db55d490cc6f53ace57638c1 /demos/tunala/cb.c | |
| parent | fe8686ba4b359026f7d077b6f17faa698d08b297 (diff) | |
| download | openssl-f2cc7559dd88aaee8d6c27f5af924b7479d5b0f0.tar.gz | |
Make s_client/s_server-style cert verification output configurable by
command line, and make the peer-authentication similarly configurable.
Diffstat (limited to 'demos/tunala/cb.c')
| -rw-r--r-- | demos/tunala/cb.c | 68 |
1 files changed, 65 insertions, 3 deletions
diff --git a/demos/tunala/cb.c b/demos/tunala/cb.c index ebc69bc690..37a474e37e 100644 --- a/demos/tunala/cb.c +++ b/demos/tunala/cb.c @@ -4,6 +4,11 @@ /* For callbacks generating output, here are their file-descriptors. */ static FILE *fp_cb_ssl_info = NULL; +static FILE *fp_cb_ssl_verify = NULL; + +/* Other static rubbish (to mirror s_cb.c where required) */ +static int verify_depth = 10; +static int verify_error = X509_V_OK; /* This function is largely borrowed from the one used in OpenSSL's "s_client" * and "s_server" utilities. */ @@ -21,12 +26,12 @@ void cb_ssl_info(SSL *s, int where, int ret) str2 = SSL_state_string_long(s); if (where & SSL_CB_LOOP) - fprintf(stderr, "%s:%s\n", str1, str2); + fprintf(fp_cb_ssl_info, "%s:%s\n", str1, str2); else if (where & SSL_CB_EXIT) { if (ret == 0) - fprintf(stderr, "%s:failed in %s\n", str1, str2); + fprintf(fp_cb_ssl_info, "%s:failed in %s\n", str1, str2); else if (ret < 0) - fprintf(stderr, "%s:error in %s\n", str1, str2); + fprintf(fp_cb_ssl_info, "%s:error in %s\n", str1, str2); } } @@ -35,5 +40,62 @@ void cb_ssl_info_set_output(FILE *fp) fp_cb_ssl_info = fp; } +/* Stolen wholesale from apps/s_cb.c :-) */ +int cb_ssl_verify(int ok, X509_STORE_CTX *ctx) +{ + char buf[256]; + X509 *err_cert; + int err, depth; + BIO *bio; + + if(!fp_cb_ssl_verify) + return ok; + /* There's no <damned>FILE*</damned> version of ASN1_TIME_print */ + bio = BIO_new_fp(fp_cb_ssl_verify, BIO_NOCLOSE); + err_cert = X509_STORE_CTX_get_current_cert(ctx); + err = X509_STORE_CTX_get_error(ctx); + depth = X509_STORE_CTX_get_error_depth(ctx); + + X509_NAME_oneline(X509_get_subject_name(err_cert), buf, 256); + fprintf(fp_cb_ssl_verify, "depth=%d %s\n", depth, buf); + if(!ok) { + fprintf(fp_cb_ssl_verify,"verify error:num=%d:%s\n",err, + X509_verify_cert_error_string(err)); + if(verify_depth >= depth) { + ok = 1; + verify_error = X509_V_OK; + } else { + ok=0; + verify_error = X509_V_ERR_CERT_CHAIN_TOO_LONG; + } + } + switch (ctx->error) { + case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: + X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), + buf, 256); + fprintf(fp_cb_ssl_verify, "issuer= %s\n", buf); + break; + case X509_V_ERR_CERT_NOT_YET_VALID: + case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: + fprintf(fp_cb_ssl_verify, "notBefore="); + ASN1_TIME_print(bio, X509_get_notBefore(ctx->current_cert)); + fprintf(fp_cb_ssl_verify, "\n"); + break; + case X509_V_ERR_CERT_HAS_EXPIRED: + case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: + fprintf(fp_cb_ssl_verify, "notAfter="); + ASN1_TIME_print(bio, X509_get_notAfter(ctx->current_cert)); + fprintf(fp_cb_ssl_verify, "\n"); + break; + } + fprintf(fp_cb_ssl_verify, "verify return:%d\n",ok); + return ok; +} + +void cb_ssl_verify_set_output(FILE *fp) +{ + fp_cb_ssl_verify = fp; +} + #endif /* !defined(NO_OPENSSL) */ |