From 5b90eb98f6746e8db7d2a6c3eae58aca38254494 Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Sat, 4 Nov 2017 22:57:54 -0400
Subject: [PATCH] Add a -require-any-client-cert flag to bssl server

Useful for testing client cert stuff.

Change-Id: Ieb3cb02a685b22c18cfc50b44170221017889a57
Reviewed-on: https://boringssl-review.googlesource.com/22644
Commit-Queue: Steven Valdez
Reviewed-by: Steven Valdez
CQ-Verified: CQ bot account: commit-bot@chromium.org
---
 tool/server.cc | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/tool/server.cc b/tool/server.cc
index b6ed284a..0061cb34 100644
--- a/tool/server.cc
+++ b/tool/server.cc
@@ -79,6 +79,10 @@ static const struct argument kArguments[] = {
 "-debug", kBooleanArgument,
 "Print debug information about the handshake",
 },
+ {
+ "-require-any-client-cert", kBooleanArgument,
+ "The server will require a client certificate.",
+ },
 {
 "", kOptionalArgument, "",
 },
@@ -320,6 +324,14 @@ bool Server(const std::vector &args) {
 SSL_CTX_set_info_callback(ctx.get(), InfoCallback);
 }
 
+ if (args_map.count("-require-any-client-cert") != 0) {
+ SSL_CTX_set_verify(
+ ctx.get(), SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, nullptr);
+ SSL_CTX_set_cert_verify_callback(
+ ctx.get(), [](X509_STORE_CTX *store, void *arg) -> int { return 1; },
+ nullptr);
+ }
+
 Listener listener;
 if (!listener.Init(args_map["-accept"])) {
 return false;
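Review bot: The help string added to kArguments for `-require-any-client-cert` says only that a certificate is required, while the second hunk installs a verify callback that returns 1 for every chain, so the presented certificate is never validated. Someone reading the tool's usage output could take the flag as enabling client authentication. I would word it as `"The server will require a client certificate, but accept any certificate without verifying it."`. The kArguments array begins and ends outside the hunk.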
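Review bot: The lambda passed to `SSL_CTX_set_cert_verify_callback` in Server() returns 1 unconditionally, and nothing in the code says this is deliberate. A comment above the `if` block such as `// Testing only: accept whatever certificate the client presents, with no chain or trust validation.` would keep the pattern from being copied into code that needs real client authentication. The parameters `store` and `arg` are unused, so leaving them unnamed, `[](X509_STORE_CTX *, void *) -> int { return 1; }`, avoids unused-parameter warnings where those are enabled. Server() starts and ends outside the hunk.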