From 4817e27d4d52540f6a6c5985925f31c5f2003785 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 10 Apr 2017 13:44:33 +0100 Subject: [PATCH] Add the CA list suppression option to ssl_server2 Adding the CA suppression list option to the 'ssl_server2' sample program is a prerequisite for adding tests for this feature to the integration test suite (ssl-opt.sh). --- programs/ssl/ssl_server2.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 96bd35f67..07b12c8b6 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -124,6 +124,7 @@ int main( void ) #define DFL_MAX_VERSION -1 #define DFL_ARC4 -1 #define DFL_AUTH_MODE -1 +#define DFL_CERT_REQ_CA_LIST MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED #define DFL_MFL_CODE MBEDTLS_SSL_MAX_FRAG_LEN_NONE #define DFL_TRUNC_HMAC -1 #define DFL_TICKETS MBEDTLS_SSL_SESSION_TICKETS_ENABLED @@ -326,6 +327,8 @@ int main( void ) "\n" \ " auth_mode=%%s default: (library default: none)\n" \ " options: none, optional, required\n" \ + " cert_req_ca_list=%%d default: 1 (send ca list)\n" \ + " options: 1 (send ca list), 0 (don't send)\n" \ USAGE_IO \ USAGE_SNI \ "\n" \ @@ -401,6 +404,7 @@ struct options int max_version; /* maximum protocol version accepted */ int arc4; /* flag for arc4 suites support */ int auth_mode; /* verify mode for connection */ + int cert_req_ca_list; /* should we send the CA list? */ unsigned char mfl_code; /* code for maximum fragment length */ int trunc_hmac; /* accept truncated hmac? */ int tickets; /* enable / disable session tickets */ @@ -944,6 +948,7 @@ int main( int argc, char *argv[] ) opt.max_version = DFL_MAX_VERSION; opt.arc4 = DFL_ARC4; opt.auth_mode = DFL_AUTH_MODE; + opt.cert_req_ca_list = DFL_CERT_REQ_CA_LIST; opt.mfl_code = DFL_MFL_CODE; opt.trunc_hmac = DFL_TRUNC_HMAC; opt.tickets = DFL_TICKETS; @@ -1155,6 +1160,12 @@ int main( int argc, char *argv[] ) if( ( opt.auth_mode = get_auth_mode( q ) ) < 0 ) goto usage; } + else if( strcmp( p, "cert_req_ca_list" ) == 0 ) + { + opt.cert_req_ca_list = atoi( q ); + if( opt.cert_req_ca_list < 0 || opt.cert_req_ca_list > 1 ) + goto usage; + } else if( strcmp( p, "max_frag_len" ) == 0 ) { if( strcmp( q, "512" ) == 0 ) @@ -1634,6 +1645,9 @@ int main( int argc, char *argv[] ) if( opt.auth_mode != DFL_AUTH_MODE ) mbedtls_ssl_conf_authmode( &conf, opt.auth_mode ); + if( opt.cert_req_ca_list != DFL_CERT_REQ_CA_LIST ) + mbedtls_ssl_conf_cert_req_ca_list( &conf, opt.cert_req_ca_list ); + #if defined(MBEDTLS_SSL_PROTO_DTLS) if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX ) mbedtls_ssl_conf_handshake_timeout( &conf, opt.hs_to_min, opt.hs_to_max );