Browse code
Do not require CA when peer-fingerprint is used
Fix --ca or --ca-path check when --pkcs11-id or --cryptoapicert
is used with --peer-fingerprint.
The multiple --ca or --capath checks are consolidated into a function
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20210524184506.20582-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22443.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair authored on 2021/05/25 03:45:06Showing 1 changed files
| ... | ... |
@@ -2056,6 +2056,27 @@ connection_entry_preload_key(const char **key_file, bool *key_inline, |
| 2056 | 2056 |
} |
| 2057 | 2057 |
|
| 2058 | 2058 |
static void |
| 2059 |
+check_ca_required(const struct options *options) |
|
| 2060 |
+{
|
|
| 2061 |
+ if (options->verify_hash_no_ca |
|
| 2062 |
+ || options->pkcs12_file |
|
| 2063 |
+ || options->ca_file |
|
| 2064 |
+#ifndef ENABLE_CRYPTO_MBEDTLS |
|
| 2065 |
+ || options->ca_path |
|
| 2066 |
+#endif |
|
| 2067 |
+ ) |
|
| 2068 |
+ {
|
|
| 2069 |
+ return; |
|
| 2070 |
+ } |
|
| 2071 |
+ |
|
| 2072 |
+ msg(M_USAGE, "You must define CA file (--ca)" |
|
| 2073 |
+#ifndef ENABLE_CRYPTO_MBEDTLS |
|
| 2074 |
+ " or CA path (--capath)" |
|
| 2075 |
+#endif |
|
| 2076 |
+ " and/or peer fingeprint verification " "(--peer-fingerprint)"); |
|
| 2077 |
+} |
|
| 2078 |
+ |
|
| 2079 |
+static void |
|
| 2059 | 2080 |
options_postprocess_verify_ce(const struct options *options, |
| 2060 | 2081 |
const struct connection_entry *ce) |
| 2061 | 2082 |
{
|
| ... | ... |
@@ -2592,11 +2613,10 @@ options_postprocess_verify_ce(const struct options *options, |
| 2592 | 2592 |
|
| 2593 | 2593 |
if (options->tls_server || options->tls_client) |
| 2594 | 2594 |
{
|
| 2595 |
+ check_ca_required(options); |
|
| 2595 | 2596 |
#ifdef ENABLE_PKCS11 |
| 2596 | 2597 |
if (options->pkcs11_providers[0]) |
| 2597 | 2598 |
{
|
| 2598 |
- notnull(options->ca_file, "CA file (--ca)"); |
|
| 2599 |
- |
|
| 2600 | 2599 |
if (options->pkcs11_id_management && options->pkcs11_id != NULL) |
| 2601 | 2600 |
{
|
| 2602 | 2601 |
msg(M_USAGE, "Parameter --pkcs11-id cannot be used when --pkcs11-id-management is also specified."); |
| ... | ... |
@@ -2657,10 +2677,6 @@ options_postprocess_verify_ce(const struct options *options, |
| 2657 | 2657 |
#ifdef ENABLE_CRYPTOAPI |
| 2658 | 2658 |
if (options->cryptoapi_cert) |
| 2659 | 2659 |
{
|
| 2660 |
- if ((!(options->ca_file)) && (!(options->ca_path))) |
|
| 2661 |
- {
|
|
| 2662 |
- msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)"); |
|
| 2663 |
- } |
|
| 2664 | 2660 |
if (options->cert_file) |
| 2665 | 2661 |
{
|
| 2666 | 2662 |
msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified."); |
| ... | ... |
@@ -2718,25 +2734,11 @@ options_postprocess_verify_ce(const struct options *options, |
| 2718 | 2718 |
else |
| 2719 | 2719 |
{
|
| 2720 | 2720 |
#ifdef ENABLE_CRYPTO_MBEDTLS |
| 2721 |
- if (!(options->ca_file || options->verify_hash_no_ca)) |
|
| 2722 |
- {
|
|
| 2723 |
- msg(M_USAGE, "You must define CA file (--ca) and/or " |
|
| 2724 |
- "peer fingeprint verification " |
|
| 2725 |
- "(--peer-fingerprint)"); |
|
| 2726 |
- } |
|
| 2727 | 2721 |
if (options->ca_path) |
| 2728 | 2722 |
{
|
| 2729 | 2723 |
msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN."); |
| 2730 | 2724 |
} |
| 2731 |
-#else /* ifdef ENABLE_CRYPTO_MBEDTLS */ |
|
| 2732 |
- if ((!(options->ca_file)) && (!(options->ca_path)) |
|
| 2733 |
- && (!(options->verify_hash_no_ca))) |
|
| 2734 |
- {
|
|
| 2735 |
- msg(M_USAGE, "You must define CA file (--ca) or CA path " |
|
| 2736 |
- "(--capath) and/or peer fingeprint verification " |
|
| 2737 |
- "(--peer-fingerprint)"); |
|
| 2738 |
- } |
|
| 2739 |
-#endif |
|
| 2725 |
+#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */ |
|
| 2740 | 2726 |
if (pull) |
| 2741 | 2727 |
{
|
| 2742 | 2728 |
|