From 91ebfb5272a34d3e50631c5470532e002e35a75e Mon Sep 17 00:00:00 2001
From: Paul Bakker <p.j.bakker@polarssl.org>
Date: Fri, 23 Nov 2012 14:04:08 +0100
Subject: [PATCH] Made auth_mode as an command line option

---
 programs/ssl/ssl_client2.c | 18 +++++++++++++++++-
 programs/ssl/ssl_server2.c | 18 +++++++++++++++++-
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 0d7a4180f..89820a341 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -54,6 +54,7 @@
 #define DFL_ALLOW_LEGACY        SSL_LEGACY_NO_RENEGOTIATION
 #define DFL_MIN_VERSION         -1
 #define DFL_MAX_VERSION         -1
+#define DFL_AUTH_MODE           SSL_VERIFY_OPTIONAL
 
 #define GET_REQUEST "GET %s HTTP/1.0\r\n\r\n"
 
@@ -75,6 +76,7 @@ struct options
     int allow_legacy;           /* allow legacy renegotiation               */
     int min_version;            /* minimum protocol version accepted        */
     int max_version;            /* maximum protocol version accepted        */
+    int auth_mode;              /* verify mode for connection               */
 } opt;
 
 void my_debug( void *ctx, int level, const char *str )
@@ -154,6 +156,8 @@ int my_verify( void *data, x509_cert *crt, int depth, int *flags )
     "    max_version=%%s      default: \"\" (tls1_2)\n"     \
     "    force_version=%%s    default: \"\" (none)\n"       \
     "                        options: ssl3, tls1, tls1_1, tls1_2\n" \
+    "    auth_mode=%%s        default: \"optional\"\n"          \
+    "                        options: none, optional, required\n" \
     "\n"                                                    \
     "    force_ciphersuite=<name>    default: all enabled\n"\
     " acceptable ciphersuite names:\n"
@@ -230,6 +234,7 @@ int main( int argc, char *argv[] )
     opt.allow_legacy        = DFL_ALLOW_LEGACY;
     opt.min_version         = DFL_MIN_VERSION;
     opt.max_version         = DFL_MAX_VERSION;
+    opt.auth_mode           = DFL_AUTH_MODE;
 
     for( i = 1; i < argc; i++ )
     {
@@ -337,6 +342,17 @@ int main( int argc, char *argv[] )
             else
                 goto usage;
         }
+        else if( strcmp( p, "auth_mode" ) == 0 )
+        {
+            if( strcmp( q, "none" ) == 0 )
+                opt.auth_mode = SSL_VERIFY_NONE;
+            else if( strcmp( q, "optional" ) == 0 )
+                opt.auth_mode = SSL_VERIFY_OPTIONAL;
+            else if( strcmp( q, "required" ) == 0 )
+                opt.auth_mode = SSL_VERIFY_REQUIRED;
+            else
+                goto usage;
+        }
         else
             goto usage;
     }
@@ -471,7 +487,7 @@ int main( int argc, char *argv[] )
         ssl_set_verify( &ssl, my_verify, NULL );
 
     ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
-    ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
+    ssl_set_authmode( &ssl, opt.auth_mode );
 
     ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
     ssl_set_dbg( &ssl, my_debug, stdout );
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index cc94e5ca7..c1b3810c4 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -60,6 +60,7 @@
 #define DFL_RENEGOTIATION       SSL_RENEGOTIATION_ENABLED
 #define DFL_ALLOW_LEGACY        SSL_LEGACY_NO_RENEGOTIATION
 #define DFL_MIN_VERSION         -1
+#define DFL_AUTH_MODE           SSL_VERIFY_OPTIONAL
 
 #define HTTP_RESPONSE \
     "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n" \
@@ -81,6 +82,7 @@ struct options
     int renegotiation;          /* enable / disable renegotiation           */
     int allow_legacy;           /* allow legacy renegotiation               */
     int min_version;            /* minimum protocol version accepted        */
+    int auth_mode;              /* verify mode for connection               */
 } opt;
 
 void my_debug( void *ctx, int level, const char *str )
@@ -207,6 +209,8 @@ int my_ciphersuites[] =
     "    allow_legacy=%%d     default: 0 (disabled)\n"      \
     "    min_version=%%s      default: \"ssl3\"\n"          \
     "                        options: ssl3, tls1, tls1_1, tls1_2\n" \
+    "    auth_mode=%%s        default: \"optional\"\n"          \
+    "                        options: none, optional, required\n" \
     "    force_ciphersuite=<name>    default: all enabled\n"\
     " acceptable ciphersuite names:\n"
 
@@ -287,6 +291,7 @@ int main( int argc, char *argv[] )
     opt.renegotiation       = DFL_RENEGOTIATION;
     opt.allow_legacy        = DFL_ALLOW_LEGACY;
     opt.min_version         = DFL_MIN_VERSION;
+    opt.auth_mode           = DFL_AUTH_MODE;
 
     for( i = 1; i < argc; i++ )
     {
@@ -352,6 +357,17 @@ int main( int argc, char *argv[] )
             else
                 goto usage;
         }
+        else if( strcmp( p, "auth_mode" ) == 0 )
+        {
+            if( strcmp( q, "none" ) == 0 )
+                opt.auth_mode = SSL_VERIFY_NONE;
+            else if( strcmp( q, "optional" ) == 0 )
+                opt.auth_mode = SSL_VERIFY_OPTIONAL;
+            else if( strcmp( q, "required" ) == 0 )
+                opt.auth_mode = SSL_VERIFY_REQUIRED;
+            else
+                goto usage;
+        }
         else
             goto usage;
     }
@@ -477,7 +493,7 @@ int main( int argc, char *argv[] )
     }
 
     ssl_set_endpoint( &ssl, SSL_IS_SERVER );
-    ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
+    ssl_set_authmode( &ssl, opt.auth_mode );
 
     ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
     ssl_set_dbg( &ssl, my_debug, stdout );