apps/s_time: enable peer verification when -verify is used
authorJoshua Rogers <MegaManSec@users.noreply.github.com>
Sat, 11 Oct 2025 04:14:24 +0000 (12:14 +0800)
committerTomas Mraz <tomas@openssl.org>
Wed, 19 Nov 2025 17:51:48 +0000 (18:51 +0100)
s_time loaded CA material but never turned verification on, so
-verify only changed the depth while handshakes skipped verification.

Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28857)

apps/s_time.c

index 19d68ad2a8999ce5fe07c665c637a15876f69eb6..29ef21dd9b30ad238703002a74cccea508fb9aa2 100644 (file)
@@ -128,6 +128,7 @@ int s_time_main(int argc, char **argv)
     long bytes_read = 0, finishtime = 0;
     OPTION_CHOICE o;
     int min_version = 0, max_version = 0, ver, buf_len, fd;
+    int want_verify = 0;
     size_t buf_size;
 
     meth = TLS_client_method();
@@ -155,6 +156,7 @@ int s_time_main(int argc, char **argv)
             break;
         case OPT_VERIFY:
             verify_args.depth = opt_int_arg();
+            want_verify = 1;
             BIO_printf(bio_err, "%s: verify depth is %d\n",
                        prog, verify_args.depth);
             break;
@@ -263,6 +265,15 @@ int s_time_main(int argc, char **argv)
         ERR_print_errors(bio_err);
         goto end;
     }
+
+    if (want_verify) {
+        X509_VERIFY_PARAM *vpm;
+        SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
+        vpm = SSL_CTX_get0_param(ctx);
+        if (vpm != NULL && verify_args.depth >= 0)
+            X509_VERIFY_PARAM_set_depth(vpm, verify_args.depth);
+    }
+
     if (!(perform & 1))
         goto next;
     printf("Collecting connection statistics for %d seconds\n", maxtime);
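Review bot: In the added `if (want_verify)` block, `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback)` only makes verification binding if `verify_callback` returns 0 on a failed check, and its definition is not visible in this hunk. If it is the shared apps callback driven by `verify_args`, it may report the error and still return 1 unless `verify_args.return_error` is set, in which case handshakes with an untrusted chain would still complete and be timed. Please confirm this, and if so either set `verify_args.return_error = 1;` in the `OPT_VERIFY` case or document that `-verify` is report-only in s_time. Separately, nothing in the visible lines binds an expected host name to the check, so a one-line comment such as `/* chain verification only; peer name is not checked */` would keep readers from assuming more. s_time_main starts and ends outside this hunk.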