Fix --ca or --ca-path check when --pkcs11-id or --cryptoapicert
is used with --peer-fingerprint.
The multiple --ca or --capath checks are consolidated into a function
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210524184506.20582-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22443.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -2056,6 +2056,27 @@ connection_entry_preload_key(const char **key_file, bool *key_inline, |
2056 | 2056 |
} |
2057 | 2057 |
|
2058 | 2058 |
static void |
2059 |
+check_ca_required(const struct options *options) |
|
2060 |
+{ |
|
2061 |
+ if (options->verify_hash_no_ca |
|
2062 |
+ || options->pkcs12_file |
|
2063 |
+ || options->ca_file |
|
2064 |
+#ifndef ENABLE_CRYPTO_MBEDTLS |
|
2065 |
+ || options->ca_path |
|
2066 |
+#endif |
|
2067 |
+ ) |
|
2068 |
+ { |
|
2069 |
+ return; |
|
2070 |
+ } |
|
2071 |
+ |
|
2072 |
+ msg(M_USAGE, "You must define CA file (--ca)" |
|
2073 |
+#ifndef ENABLE_CRYPTO_MBEDTLS |
|
2074 |
+ " or CA path (--capath)" |
|
2075 |
+#endif |
|
2076 |
+ " and/or peer fingeprint verification " "(--peer-fingerprint)"); |
|
2077 |
+} |
|
2078 |
+ |
|
2079 |
+static void |
|
2059 | 2080 |
options_postprocess_verify_ce(const struct options *options, |
2060 | 2081 |
const struct connection_entry *ce) |
2061 | 2082 |
{ |
... | ... |
@@ -2592,11 +2613,10 @@ options_postprocess_verify_ce(const struct options *options, |
2592 | 2592 |
|
2593 | 2593 |
if (options->tls_server || options->tls_client) |
2594 | 2594 |
{ |
2595 |
+ check_ca_required(options); |
|
2595 | 2596 |
#ifdef ENABLE_PKCS11 |
2596 | 2597 |
if (options->pkcs11_providers[0]) |
2597 | 2598 |
{ |
2598 |
- notnull(options->ca_file, "CA file (--ca)"); |
|
2599 |
- |
|
2600 | 2599 |
if (options->pkcs11_id_management && options->pkcs11_id != NULL) |
2601 | 2600 |
{ |
2602 | 2601 |
msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified."); |
... | ... |
@@ -2657,10 +2677,6 @@ options_postprocess_verify_ce(const struct options *options, |
2657 | 2657 |
#ifdef ENABLE_CRYPTOAPI |
2658 | 2658 |
if (options->cryptoapi_cert) |
2659 | 2659 |
{ |
2660 |
- if ((!(options->ca_file)) && (!(options->ca_path))) |
|
2661 |
- { |
|
2662 |
- msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)"); |
|
2663 |
- } |
|
2664 | 2660 |
if (options->cert_file) |
2665 | 2661 |
{ |
2666 | 2662 |
msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified."); |
... | ... |
@@ -2718,25 +2734,11 @@ options_postprocess_verify_ce(const struct options *options, |
2718 | 2718 |
else |
2719 | 2719 |
{ |
2720 | 2720 |
#ifdef ENABLE_CRYPTO_MBEDTLS |
2721 |
- if (!(options->ca_file || options->verify_hash_no_ca)) |
|
2722 |
- { |
|
2723 |
- msg(M_USAGE, "You must define CA file (--ca) and/or " |
|
2724 |
- "peer fingeprint verification " |
|
2725 |
- "(--peer-fingerprint)"); |
|
2726 |
- } |
|
2727 | 2721 |
if (options->ca_path) |
2728 | 2722 |
{ |
2729 | 2723 |
msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN."); |
2730 | 2724 |
} |
2731 |
-#else /* ifdef ENABLE_CRYPTO_MBEDTLS */ |
|
2732 |
- if ((!(options->ca_file)) && (!(options->ca_path)) |
|
2733 |
- && (!(options->verify_hash_no_ca))) |
|
2734 |
- { |
|
2735 |
- msg(M_USAGE, "You must define CA file (--ca) or CA path " |
|
2736 |
- "(--capath) and/or peer fingeprint verification " |
|
2737 |
- "(--peer-fingerprint)"); |
|
2738 |
- } |
|
2739 |
-#endif |
|
2725 |
+#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */ |
|
2740 | 2726 |
if (pull) |
2741 | 2727 |
{ |
2742 | 2728 |
|