git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@621 e7ae566f-a301-0410-adde-c780ea21d3b5
james authored on 2005/10/15 16:21:39... | ... |
@@ -10,6 +10,7 @@ $Id$ |
10 | 10 |
used at the same time as --pkcs12, the CA certificate is loaded |
11 | 11 |
from the file specified by --ca regardless if the pkcs12 file |
12 | 12 |
contains a CA cert or not (Mathias Sundman). |
13 |
+* Merged --capath patch (Thomas Noel). |
|
13 | 14 |
* NOTE TO PACKAGE MAINTAINERS: Moved "plugin" |
14 | 15 |
directory to "plugins". This is |
15 | 16 |
to work around a strange problem with the |
@@ -398,6 +398,13 @@ static const char usage_message[] = |
398 | 398 |
" number, such as 1 (default), 2, etc.\n" |
399 | 399 |
"--ca file : Certificate authority file in .pem format containing\n" |
400 | 400 |
" root certificate.\n" |
401 |
+ "--capath dir : A directory of trusted certificates (CAs" |
|
402 |
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L |
|
403 |
+ " and CRLs).\n" |
|
404 |
+#else |
|
405 |
+ ").\n" |
|
406 |
+ " WARNING: no support of CRL available with this version.\n" |
|
407 |
+#endif |
|
401 | 408 |
"--dh file : File containing Diffie Hellman parameters\n" |
402 | 409 |
" in .pem format (for --tls-server only).\n" |
403 | 410 |
" Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n" |
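Review bot: The new `--capath dir` help text does not say that the directory must be in OpenSSL's hashed layout, which is what the `X509_LOOKUP_hash_dir` lookup this commit installs in init_ssl (and `SSL_CTX_load_verify_locations`' CApath argument) relies on; a user who points it at a plain directory of .pem files gets verification failures with no hint why. Consider extending the string with `" (must be in hashed form, see openssl c_rehash).\n"`. usage_message starts and ends outside the hunk.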
@@ -1139,6 +1146,7 @@ show_settings (const struct options *o) |
1139 | 1139 |
SHOW_BOOL (tls_client); |
1140 | 1140 |
SHOW_INT (key_method); |
1141 | 1141 |
SHOW_STR (ca_file); |
1142 |
+ SHOW_STR (ca_path); |
|
1142 | 1143 |
SHOW_STR (dh_file); |
1143 | 1144 |
SHOW_STR (cert_file); |
1144 | 1145 |
SHOW_STR (priv_key_file); |
@@ -1671,7 +1679,8 @@ options_postprocess (struct options *options, bool first_time) |
1671 | 1671 |
#ifdef WIN32 |
1672 | 1672 |
if (options->cryptoapi_cert) |
1673 | 1673 |
{ |
1674 |
- notnull (options->ca_file, "CA file (--ca)"); |
|
1674 |
+ if ((!(options->ca_file)) && (!(options->ca_path))) |
|
1675 |
+ msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)"); |
|
1675 | 1676 |
if (options->cert_file) |
1676 | 1677 |
msg(M_USAGE, "Parameter --cert cannot be used when --cryptoapicert is also specified."); |
1677 | 1678 |
if (options->priv_key_file) |
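Review bot: The replacement condition `if ((!(options->ca_file)) && (!(options->ca_path)))` is over-parenthesised and is repeated verbatim, message included, in the hunk at `@@ -1690,7 +1701,8 @@`; `if (!options->ca_file && !options->ca_path)` reads as the check it is, and both sites could share one small static helper so the two messages cannot drift apart. At that second site the removed `notnull` text also named PKCS#12 as an acceptable alternative, which the new message drops even though that branch is the no-`--pkcs12` case, so the usage error there became slightly less helpful. options_postprocess starts and ends outside the hunk.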
@@ -1683,6 +1692,8 @@ options_postprocess (struct options *options, bool first_time) |
1683 | 1683 |
#endif |
1684 | 1684 |
if (options->pkcs12_file) |
1685 | 1685 |
{ |
1686 |
+ if (options->ca_path) |
|
1687 |
+ msg(M_USAGE, "Parameter --capath cannot be used when --pkcs12 is also specified."); |
|
1686 | 1688 |
if (options->cert_file) |
1687 | 1689 |
msg(M_USAGE, "Parameter --cert cannot be used when --pkcs12 is also specified."); |
1688 | 1690 |
if (options->priv_key_file) |
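Review bot: `--capath` is rejected whenever `--pkcs12` is given, while `--ca` is accepted in that combination (the changelog entry in this commit's first hunk describes `--ca` taking precedence over the PKCS#12 CA), and nothing in the code says whether the asymmetry is deliberate. If it is, a comment above the new check such as `/* unlike --ca, --capath is not supported together with --pkcs12 */` would stop the next reader from "fixing" it; if it is not, the check should mirror the `--ca` handling. options_postprocess starts and ends outside the hunk.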
@@ -1690,7 +1701,8 @@ options_postprocess (struct options *options, bool first_time) |
1690 | 1690 |
} |
1691 | 1691 |
else |
1692 | 1692 |
{ |
1693 |
- notnull (options->ca_file, "CA file (--ca) or PKCS#12 file (--pkcs12)"); |
|
1693 |
+ if ((!(options->ca_file)) && (!(options->ca_path))) |
|
1694 |
+ msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)"); |
|
1694 | 1695 |
if (pull) |
1695 | 1696 |
{ |
1696 | 1697 |
const int sum = (options->cert_file != NULL) + (options->priv_key_file != NULL); |
@@ -1727,6 +1739,7 @@ options_postprocess (struct options *options, bool first_time) |
1727 | 1727 |
const char err[] = "Parameter %s can only be specified in TLS-mode, i.e. where --tls-server or --tls-client is also specified."; |
1728 | 1728 |
|
1729 | 1729 |
MUST_BE_UNDEF (ca_file); |
1730 |
+ MUST_BE_UNDEF (ca_path); |
|
1730 | 1731 |
MUST_BE_UNDEF (dh_file); |
1731 | 1732 |
MUST_BE_UNDEF (cert_file); |
1732 | 1733 |
MUST_BE_UNDEF (priv_key_file); |
@@ -4646,6 +4659,12 @@ add_option (struct options *options, |
4646 | 4646 |
VERIFY_PERMISSION (OPT_P_GENERAL); |
4647 | 4647 |
options->ca_file = p[1]; |
4648 | 4648 |
} |
4649 |
+ else if (streq (p[0], "capath") && p[1]) |
|
4650 |
+ { |
|
4651 |
+ ++i; |
|
4652 |
+ VERIFY_PERMISSION (OPT_P_GENERAL); |
|
4653 |
+ options->ca_path = p[1]; |
|
4654 |
+ } |
|
4649 | 4655 |
else if (streq (p[0], "dh") && p[1]) |
4650 | 4656 |
{ |
4651 | 4657 |
++i; |
@@ -914,12 +914,32 @@ init_ssl (const struct options *options) |
914 | 914 |
if (options->ca_file) |
915 | 915 |
{ |
916 | 916 |
/* Load CA file for verifying peer supplied certificate */ |
917 |
- ASSERT (options->ca_file); |
|
918 |
- if (!SSL_CTX_load_verify_locations (ctx, options->ca_file, NULL)) |
|
919 |
- msg (M_SSLERR, "Cannot load CA certificate file %s (SSL_CTX_load_verify_locations)", options->ca_file); |
|
917 |
+ ASSERT (options->ca_file || options->ca_path); |
|
918 |
+ if (!SSL_CTX_load_verify_locations (ctx, options->ca_file, options->ca_path)) |
|
919 |
+ msg (M_SSLERR, "Cannot load CA certificate file %s path %s (SSL_CTX_load_verify_locations)", options->ca_file, options->ca_path); |
|
920 |
+ |
|
921 |
+ /* Set a store for certs (CA & CRL) with a lookup on the "capath" hash directory */ |
|
922 |
+ if (options->ca_path) { |
|
923 |
+ X509_STORE *store = SSL_CTX_get_cert_store(ctx); |
|
924 |
+ |
|
925 |
+ if (store) { |
|
926 |
+ X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir()); |
|
927 |
+ if (!X509_LOOKUP_add_dir(lookup, options->ca_path, X509_FILETYPE_PEM)) |
|
928 |
+ X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT); |
|
929 |
+ else |
|
930 |
+ msg(M_WARN, "WARNING: experimental option --capath %s", options->ca_path); |
|
931 |
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L |
|
932 |
+ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); |
|
933 |
+#else |
|
934 |
+#warn This version of OpenSSL cannot handle CRL files in capath |
|
935 |
+ msg(M_WARN, "WARNING: this version of OpenSSL cannot handle CRL files in capath"); |
|
936 |
+#endif |
|
937 |
+ } else |
|
938 |
+ msg(M_SSLERR, "Cannot get certificate store (SSL_CTX_get_cert_store)"); |
|
939 |
+ } |
|
920 | 940 |
|
921 | 941 |
/* Load names of CAs from file and use it as a client CA list */ |
922 |
- { |
|
942 |
+ if (options->ca_file) { |
|
923 | 943 |
STACK_OF(X509_NAME) *cert_names; |
924 | 944 |
cert_names = SSL_load_client_CA_file (options->ca_file); |
925 | 945 |
if (!cert_names) |
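Review bot: The whole new `--capath` setup sits inside the unchanged `if (options->ca_file)` at the top of the hunk (new line 914), so the configuration that options_postprocess now explicitly permits — `--capath` without `--ca` — never reaches `SSL_CTX_load_verify_locations` and never installs the hash-dir lookup, leaving the context with no trust anchors at all; the nested `if (options->ca_file) {` at new line 942 suggests the outer condition was meant to become `if (options->ca_file || options->ca_path)`. Inside that block, a failing `X509_LOOKUP_add_dir(lookup, options->ca_path, X509_FILETYPE_PEM)` falls back to `X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT)`, which (if I read OpenSSL's by_dir lookup right) substitutes OpenSSL's default certificate directory, selectable through the `SSL_CERT_DIR` environment variable, for the operator's unreadable or mistyped trust directory without telling anyone, and the `X509_STORE_add_lookup` result is never checked for NULL; both should fail the same way as the `SSL_CTX_load_verify_locations` failure just above (`M_SSLERR`). `#warn` in the `#else` branch is not a preprocessor directive (`#warning` is), so the pre-0.9.7 build does not compile. Once ca_file may legitimately be NULL, the `%s` arguments of the new error message need a NULL guard. init_ssl starts and ends outside the hunk.
```c
  if (options->ca_file || options->ca_path)
    {
      /* Load CA file and/or hashed CA directory for verifying the peer certificate */
      if (!SSL_CTX_load_verify_locations (ctx, options->ca_file, options->ca_path))
        msg (M_SSLERR, "Cannot load CA certificate file %s path %s (SSL_CTX_load_verify_locations)",
             options->ca_file ? options->ca_file : "[NULL]",
             options->ca_path ? options->ca_path : "[NULL]");

      if (options->ca_path) {
        X509_STORE *store = SSL_CTX_get_cert_store(ctx);

        if (store) {
          X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
          /* A bad --capath must be fatal: never fall back to OpenSSL's default directory */
          if (!lookup || !X509_LOOKUP_add_dir(lookup, options->ca_path, X509_FILETYPE_PEM))
            msg(M_SSLERR, "Cannot add --capath %s to certificate store (X509_LOOKUP_add_dir)", options->ca_path);
          msg(M_WARN, "WARNING: experimental option --capath %s", options->ca_path);
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
          /* … unchanged: X509_STORE_set_flags CRL check … */
#else
#warning This version of OpenSSL cannot handle CRL files in capath
          /* … unchanged: runtime warning … */
#endif
        } else
          /* … unchanged: SSL_CTX_get_cert_store error … */
      }
      /* … unchanged: client CA list loading from --ca … */
```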