@@ -10,6 +10,7 @@ $Id$

   used at the same time as --pkcs12, the CA certificate is loaded

   from the file specified by --ca regardless if the pkcs12 file

   contains a CA cert or not (Mathias Sundman).

+* Merged --capath patch (Thomas Noel).

 * NOTE TO PACKAGE MAINTAINERS: Moved "plugin"

   directory to "plugins".  This is

   to work around a strange problem with the

@@ -398,6 +398,13 @@ static const char usage_message[] =

   "                  number, such as 1 (default), 2, etc.\n"

   "--ca file       : Certificate authority file in .pem format containing\n"

   "                  root certificate.\n"

+  "--capath dir    : A directory of trusted certificates (CAs"

+#if OPENSSL_VERSION_NUMBER >= 0x00907000L

+  " and CRLs).\n"

+#else

+  ").\n"

+  "                  WARNING: no support of CRL available with this version.\n"

+#endif

   "--dh file       : File containing Diffie Hellman parameters\n"

   "                  in .pem format (for --tls-server only).\n"

   "                  Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"

@@ -1139,6 +1146,7 @@ show_settings (const struct options *o)

   SHOW_BOOL (tls_client);

   SHOW_INT (key_method);

   SHOW_STR (ca_file);

+  SHOW_STR (ca_path);

   SHOW_STR (dh_file);

   SHOW_STR (cert_file);

   SHOW_STR (priv_key_file);

@@ -1671,7 +1679,8 @@ options_postprocess (struct options *options, bool first_time)

 #ifdef WIN32

       if (options->cryptoapi_cert)

 	{

-          notnull (options->ca_file, "CA file (--ca)");

+	  if ((!(options->ca_file)) && (!(options->ca_path)))

+	    msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");

           if (options->cert_file)

 	    msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified.");

           if (options->priv_key_file)

@@ -1683,6 +1692,8 @@ options_postprocess (struct options *options, bool first_time)

 #endif

       if (options->pkcs12_file)

         {

+          if (options->ca_path)

+	    msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified.");

           if (options->cert_file)

 	    msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified.");

           if (options->priv_key_file)

@@ -1690,7 +1701,8 @@ options_postprocess (struct options *options, bool first_time)

         }

       else

         {

-          notnull (options->ca_file, "CA file (--ca) or PKCS#12 file (--pkcs12)");

+	  if ((!(options->ca_file)) && (!(options->ca_path)))

+	    msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");

 	  if (pull)

 	    {

 	      const int sum = (options->cert_file != NULL) + (options->priv_key_file != NULL);

@@ -1727,6 +1739,7 @@ options_postprocess (struct options *options, bool first_time)

       const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified.";

       MUST_BE_UNDEF (ca_file);

+      MUST_BE_UNDEF (ca_path);

       MUST_BE_UNDEF (dh_file);

       MUST_BE_UNDEF (cert_file);

       MUST_BE_UNDEF (priv_key_file);

@@ -4646,6 +4659,12 @@ add_option (struct options *options,

       VERIFY_PERMISSION (OPT_P_GENERAL);

       options->ca_file = p[1];

     }

+  else if (streq (p[0], "capath") && p[1])

+    {

+      ++i;

+      VERIFY_PERMISSION (OPT_P_GENERAL);

+      options->ca_path = p[1];

+    }

   else if (streq (p[0], "dh") && p[1])

     {

       ++i;

@@ -368,6 +368,7 @@ struct options

   bool tls_server;

   bool tls_client;

   const char *ca_file;

+  const char *ca_path;

   const char *dh_file;

   const char *cert_file;

   const char *priv_key_file;

@@ -914,12 +914,32 @@ init_ssl (const struct options *options)

   if (options->ca_file)

     {

       /* Load CA file for verifying peer supplied certificate */

-      ASSERT (options->ca_file);

-      if (!SSL_CTX_load_verify_locations (ctx, options->ca_file, NULL))

-        msg (M_SSLERR, "Cannot load CA certificate file %s (SSL_CTX_load_verify_locations)", options->ca_file);

+      ASSERT (options->ca_file || options->ca_path);

+      if (!SSL_CTX_load_verify_locations (ctx, options->ca_file, options->ca_path))

+        msg (M_SSLERR, "Cannot load CA certificate file %s path %s (SSL_CTX_load_verify_locations)", options->ca_file, options->ca_path);

+

+      /* Set a store for certs (CA & CRL) with a lookup on the "capath" hash directory */

+      if (options->ca_path) {

+        X509_STORE *store = SSL_CTX_get_cert_store(ctx);

+

+        if (store) {

+          X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());

+	  if (!X509_LOOKUP_add_dir(lookup, options->ca_path, X509_FILETYPE_PEM))

+            X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);

+	  else

+	    msg(M_WARN, "WARNING: experimental option --capath %s", options->ca_path);

+#if OPENSSL_VERSION_NUMBER >= 0x00907000L

+          X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);

+#else

+#warn This version of OpenSSL cannot handle CRL files in capath 

+          msg(M_WARN, "WARNING: this version of OpenSSL cannot handle CRL files in capath");

+#endif

+	} else

+          msg(M_SSLERR, "Cannot get certificate store (SSL_CTX_get_cert_store)");

+      }

       /* Load names of CAs from file and use it as a client CA list */

-      {

+      if (options->ca_file) {

         STACK_OF(X509_NAME) *cert_names;

         cert_names = SSL_load_client_CA_file (options->ca_file);

         if (!cert_names)