New option to add CRLs for s_client and s_server.
diff --git a/apps/s_client.c b/apps/s_client.c
index aebdeac..1a8f8ac 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -639,6 +639,10 @@
SSL_CONF_CTX *cctx = NULL;
STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
+ char *crl_file = NULL;
+ int crl_format = FORMAT_PEM;
+ STACK_OF(X509_CRL) *crls = NULL;
+
meth=SSLv23_client_method();
apps_startup();
@@ -708,6 +712,11 @@
if (--argc < 1) goto bad;
cert_file= *(++argv);
}
+ else if (strcmp(*argv,"-CRL") == 0)
+ {
+ if (--argc < 1) goto bad;
+ crl_file= *(++argv);
+ }
else if (strcmp(*argv,"-sess_out") == 0)
{
if (--argc < 1) goto bad;
@@ -723,6 +732,11 @@
if (--argc < 1) goto bad;
cert_format = str2fmt(*(++argv));
}
+ else if (strcmp(*argv,"-CRLform") == 0)
+ {
+ if (--argc < 1) goto bad;
+ crl_format = str2fmt(*(++argv));
+ }
else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
{
if (badarg)
@@ -1128,6 +1142,26 @@
}
}
+ if (crl_file)
+ {
+ X509_CRL *crl;
+ crl = load_crl(crl_file, crl_format);
+ if (!crl)
+ {
+ BIO_puts(bio_err, "Error loading CRL\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ crls = sk_X509_CRL_new_null();
+ if (!crls || !sk_X509_CRL_push(crls, crl))
+ {
+ BIO_puts(bio_err, "Error adding CRL\n");
+ ERR_print_errors(bio_err);
+ X509_CRL_free(crl);
+ goto end;
+ }
+ }
+
if (!load_excert(&exc, bio_err))
goto end;
@@ -1179,7 +1213,7 @@
goto end;
}
- if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile))
+ if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, crls))
{
BIO_printf(bio_err, "Error loading store locations\n");
ERR_print_errors(bio_err);
@@ -1241,6 +1275,8 @@
/* goto end; */
}
+ ssl_ctx_add_crls(ctx, crls);
+
if (!set_cert_key_stuff(ctx,cert,key, NULL, build_chain))
goto end;
@@ -1983,6 +2019,8 @@
if (ctx != NULL) SSL_CTX_free(ctx);
if (cert)
X509_free(cert);
+ if (crls)
+ sk_X509_CRL_pop_free(crls, X509_CRL_free);
if (key)
EVP_PKEY_free(key);
if (pass)
