1 files changed, 57 insertions, 13 deletions
diff --git a/src/regress/lib/libssl/interop/server.c b/src/regress/lib/libssl/interop/server.c
index 0aece87583..6c0c720dfe 100644
--- a/src/regress/lib/libssl/interop/server.c
+++ b/src/regress/lib/libssl/interop/server.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: server.c,v 1.3 2018/11/07 19:09:01 bluhm Exp $        */
+/*      $OpenBSD: server.c,v 1.4 2018/11/09 06:30:41 bluhm Exp $        */
 /*
 * Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org>
 *
@@ -34,7 +34,8 @@ void __dead usage(void);
 void __dead
 usage(void)
 {
-        fprintf(stderr, "usage: server [host port]");
+        fprintf(stderr,
+            "usage: server [-vv] [-C CA] [-c crt -k key] [host port]");
        exit(2);
 }
@@ -46,22 +47,46 @@ main(int argc, char *argv[])
        SSL *ssl;
        BIO *bio;
        SSL_SESSION *session;
-        int error;
+        int error, verify = 0;
-        char buf[256];
+        char buf[256], ch;
-        char *crt, *key, *host_port, *host = "127.0.0.1", *port = "0";
+        char *ca = NULL, *crt = NULL, *key = NULL;
+        char *host_port, *host = "127.0.0.1", *port = "0";
-        if (argc == 3) {
-                host = argv[1];
+        while ((ch = getopt(argc, argv, "C:c:k:v")) != -1) {
-                port = argv[2];
+                switch (ch) {
-        } else if (argc != 1) {
+                case 'C':
+                        ca = optarg;
+                        break;
+                case 'c':
+                        crt = optarg;
+                        break;
+                case 'k':
+                        key = optarg;
+                        break;
+                case 'v':
+                        /* use twice to force client cert */
+                        verify++;
+                        break;
+                default:
+                        usage();
+                }
+        }
+        argc -= optind;
+        argv += optind;
+        if (argc == 2) {
+                host = argv[0];
+                port = argv[1];
+        } else if (argc != 0) {
                usage();
        }
        if (asprintf(&host_port, strchr(host, ':') ? "[%s]:%s" : "%s:%s",
            host, port) == -1)
                err(1, "asprintf host port");
-        if (asprintf(&crt, "%s.crt", host) == -1)
+        if ((crt == NULL && key != NULL) || (crt != NULL && key == NULL))
+                errx(1, "certificate and private key must be used together");
+        if (crt == NULL && asprintf(&crt, "%s.crt", host) == -1)
                err(1, "asprintf crt");
-        if (asprintf(&key, "%s.key", host) == -1)
+        if (key == NULL && asprintf(&key, "%s.key", host) == -1)
                err(1, "asprintf key");
        SSL_library_init();
@@ -94,6 +119,23 @@ main(int argc, char *argv[])
        if (SSL_CTX_check_private_key(ctx) <= 0)
                err_ssl(1, "SSL_CTX_check_private_key");
+        /* request client certificate and verify it */
+        if (ca != NULL) {
+                STACK_OF(X509_NAME) *x509stack;
+                x509stack = SSL_load_client_CA_file(ca);
+                if (x509stack == NULL)
+                        err_ssl(1, "SSL_load_client_CA_file");
+                SSL_CTX_set_client_CA_list(ctx, x509stack);
+                if (SSL_CTX_load_verify_locations(ctx, ca, NULL) <= 0)
+                        err_ssl(1, "SSL_CTX_load_verify_locations");
+        }
+        SSL_CTX_set_verify(ctx,
+            verify == 0 ?  SSL_VERIFY_NONE :
+            verify == 1 ?  SSL_VERIFY_PEER :
+            SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+            verify_callback);
        /* setup ssl and bio for socket operations */
        ssl = SSL_new(ctx);
        if (ssl == NULL)
@@ -109,9 +151,11 @@ main(int argc, char *argv[])
        printf("listen ");
        print_sockname(bio);
-        /* fork to background and accept */
+        /* fork to background, set timeout, and accept */
        if (daemon(1, 1) == -1)
                err(1, "daemon");
+        if ((int)alarm(60) == -1)
+                err(1, "alarm");
        if (BIO_do_accept(bio) <= 0)
                err_ssl(1, "BIO_do_accept wait");
        bio = BIO_pop(bio);

diff --git a/src/regress/lib/libssl/interop/server.c b/src/regress/lib/libssl/interop/server.c index 0aece87583..6c0c720dfe 100644 --- a/src/regress/lib/libssl/interop/server.c +++ b/src/regress/lib/libssl/interop/server.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: server.c,v 1.3 2018/11/07 19:09:01 bluhm Exp $ */	1	/* $OpenBSD: server.c,v 1.4 2018/11/09 06:30:41 bluhm Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org>	3	* Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org>
4	*	4	*
@@ -34,7 +34,8 @@ void __dead usage(void);
34	void __dead	34	void __dead
35	usage(void)	35	usage(void)
36	{	36	{
37	fprintf(stderr, "usage: server [host port]");	37	fprintf(stderr,
		38	"usage: server [-vv] [-C CA] [-c crt -k key] [host port]");
38	exit(2);	39	exit(2);
39	}	40	}
40		41
@@ -46,22 +47,46 @@ main(int argc, char *argv[])
46	SSL *ssl;	47	SSL *ssl;
47	BIO *bio;	48	BIO *bio;
48	SSL_SESSION *session;	49	SSL_SESSION *session;
49	int error;	50	int error, verify = 0;
50	char buf[256];	51	char buf[256], ch;
51	char crt, key, host_port, host = "127.0.0.1", *port = "0";	52	char ca = NULL, crt = NULL, *key = NULL;
52		53	char host_port, host = "127.0.0.1", *port = "0";
53	if (argc == 3) {	54
54	host = argv[1];	55	while ((ch = getopt(argc, argv, "C:c:k:v")) != -1) {
55	port = argv[2];	56	switch (ch) {
56	} else if (argc != 1) {	57	case 'C':
		58	ca = optarg;
		59	break;
		60	case 'c':
		61	crt = optarg;
		62	break;
		63	case 'k':
		64	key = optarg;
		65	break;
		66	case 'v':
		67	/* use twice to force client cert */
		68	verify++;
		69	break;
		70	default:
		71	usage();
		72	}
		73	}
		74	argc -= optind;
		75	argv += optind;
		76	if (argc == 2) {
		77	host = argv[0];
		78	port = argv[1];
		79	} else if (argc != 0) {
57	usage();	80	usage();
58	}	81	}
59	if (asprintf(&host_port, strchr(host, ':') ? "[%s]:%s" : "%s:%s",	82	if (asprintf(&host_port, strchr(host, ':') ? "[%s]:%s" : "%s:%s",
60	host, port) == -1)	83	host, port) == -1)
61	err(1, "asprintf host port");	84	err(1, "asprintf host port");
62	if (asprintf(&crt, "%s.crt", host) == -1)	85	if ((crt == NULL && key != NULL) \|\| (crt != NULL && key == NULL))
		86	errx(1, "certificate and private key must be used together");
		87	if (crt == NULL && asprintf(&crt, "%s.crt", host) == -1)
63	err(1, "asprintf crt");	88	err(1, "asprintf crt");
64	if (asprintf(&key, "%s.key", host) == -1)	89	if (key == NULL && asprintf(&key, "%s.key", host) == -1)
65	err(1, "asprintf key");	90	err(1, "asprintf key");
66		91
67	SSL_library_init();	92	SSL_library_init();
@@ -94,6 +119,23 @@ main(int argc, char *argv[])
94	if (SSL_CTX_check_private_key(ctx) <= 0)	119	if (SSL_CTX_check_private_key(ctx) <= 0)
95	err_ssl(1, "SSL_CTX_check_private_key");	120	err_ssl(1, "SSL_CTX_check_private_key");
96		121
		122	/* request client certificate and verify it */
		123	if (ca != NULL) {
		124	STACK_OF(X509_NAME) *x509stack;
		125
		126	x509stack = SSL_load_client_CA_file(ca);
		127	if (x509stack == NULL)
		128	err_ssl(1, "SSL_load_client_CA_file");
		129	SSL_CTX_set_client_CA_list(ctx, x509stack);
		130	if (SSL_CTX_load_verify_locations(ctx, ca, NULL) <= 0)
		131	err_ssl(1, "SSL_CTX_load_verify_locations");
		132	}
		133	SSL_CTX_set_verify(ctx,
		134	verify == 0 ? SSL_VERIFY_NONE :
		135	verify == 1 ? SSL_VERIFY_PEER :
		136	SSL_VERIFY_PEER \| SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
		137	verify_callback);
		138
97	/* setup ssl and bio for socket operations */	139	/* setup ssl and bio for socket operations */
98	ssl = SSL_new(ctx);	140	ssl = SSL_new(ctx);
99	if (ssl == NULL)	141	if (ssl == NULL)
@@ -109,9 +151,11 @@ main(int argc, char *argv[])
109	printf("listen ");	151	printf("listen ");
110	print_sockname(bio);	152	print_sockname(bio);
111		153
112	/* fork to background and accept */	154	/* fork to background, set timeout, and accept */
113	if (daemon(1, 1) == -1)	155	if (daemon(1, 1) == -1)
114	err(1, "daemon");	156	err(1, "daemon");
		157	if ((int)alarm(60) == -1)
		158	err(1, "alarm");
115	if (BIO_do_accept(bio) <= 0)	159	if (BIO_do_accept(bio) <= 0)
116	err_ssl(1, "BIO_do_accept wait");	160	err_ssl(1, "BIO_do_accept wait");
117	bio = BIO_pop(bio);	161	bio = BIO_pop(bio);