From: Joshua Rogers
Date: Sat, 11 Oct 2025 04:14:24 +0000 (+0800)
Subject: apps/s_time: enable peer verification when -verify is used
X-Git-Tag: 4.0-PRE-CLANG-FORMAT-WEBKIT~159
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cb95203379a41cab583e8780a2c17fb8c248091d;p=thirdparty%2Fopenssl.git
apps/s_time: enable peer verification when -verify is used
s_time loaded CA material but never turned verification on, so -verify only changed the depth while handshakes skipped verification.
Signed-off-by: Joshua Rogers
Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/28857)
---
diff --git a/apps/s_time.c b/apps/s_time.c
index 19d68ad2a89..29ef21dd9b3 100644
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -128,6 +128,7 @@ int s_time_main(int argc, char **argv)
 long bytes_read = 0, finishtime = 0;
 OPTION_CHOICE o;
 int min_version = 0, max_version = 0, ver, buf_len, fd;
+ int want_verify = 0;
 size_t buf_size;
 meth = TLS_client_method();
@@ -155,6 +156,7 @@ int s_time_main(int argc, char **argv)
 break;
 case OPT_VERIFY:
 verify_args.depth = opt_int_arg();
+ want_verify = 1;
 BIO_printf(bio_err, "%s: verify depth is %d\n", prog, verify_args.depth);
 break;
@@ -263,6 +265,15 @@ int s_time_main(int argc, char **argv)
 ERR_print_errors(bio_err);
 goto end;
 }
+
+ if (want_verify) {
+ X509_VERIFY_PARAM *vpm;
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
+ vpm = SSL_CTX_get0_param(ctx);
+ if (vpm != NULL && verify_args.depth >= 0)
+ X509_VERIFY_PARAM_set_depth(vpm, verify_args.depth);
+ }
+
 if (!(perform & 1))
 goto next;
 printf("Collecting connection statistics for %d seconds\n", maxtime);
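Review bot: In the third hunk, `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback)` only aborts a handshake when the callback returns 0, and `verify_callback` is defined outside this diff, so the new `if (want_verify)` block does not by itself show that a bad chain stops the connection. If the callback reports the error and still returns 1 under s_time's defaults (worth confirming), `-verify` would print failures while the timing loop keeps counting those connections. A comment such as `/* verify_callback decides whether a failed chain aborts the handshake */`, or a post-handshake `SSL_get_verify_result()` check on the connection, would make the behaviour explicit. The block also sets no expected host name on `vpm`, so as far as this hunk shows only the chain is checked, not that the certificate belongs to the host being timed. `s_time_main` begins and ends outside the hunk.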