[openssl-commits] [openssl] master update
Dr. Stephen Henson
steve at openssl.org
Tue Jul 21 13:03:02 UTC 2015
The branch master has been updated
via 3d9ebc373f6c95df1d4b079d73f3ab0194c57621 (commit)
via 429261d0d836fa44213eae99abbf19dbb6194daf (commit)
from 7e5363abe3c00d9db037f464f3c121e194bb5bb6 (commit)
- Log -----------------------------------------------------------------
commit 3d9ebc373f6c95df1d4b079d73f3ab0194c57621
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Tue Jul 14 14:19:38 2015 +0100
Update demo.
Use new SSL_CONF options in demo. Add intermediate and root CAs and
update all to use SHA256.
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
commit 429261d0d836fa44213eae99abbf19dbb6194daf
Author: Dr. Stephen Henson <steve at openssl.org>
Date: Tue Jul 14 14:18:37 2015 +0100
SSL_CONF additions.
Add support for loading verify and chain stores in SSL_CONF.
Commands to set verify mode and client CA names.
Add documentation.
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
demos/bio/accept.cnf | 6 ++
demos/bio/intca.pem | 23 +++++++
demos/bio/root.pem | 22 +++++++
demos/bio/server.pem | 21 +++----
doc/ssl/SSL_CONF_cmd.pod | 27 ++++++++
ssl/ssl_conf.c | 156 +++++++++++++++++++++++++++++++++++++++++++----
6 files changed, 232 insertions(+), 23 deletions(-)
create mode 100644 demos/bio/intca.pem
create mode 100644 demos/bio/root.pem
diff --git a/demos/bio/accept.cnf b/demos/bio/accept.cnf
index e4acea7..5a2ef45 100644
--- a/demos/bio/accept.cnf
+++ b/demos/bio/accept.cnf
@@ -11,3 +11,9 @@ ECDHParameters = Automatic
SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512
Certificate=server.pem
PrivateKey=server.pem
+ChainCAFile=root.pem
+VerifyCAFile=root.pem
+
+# Request certificate
+VerifyMode=Request
+ClientCAFile=root.pem
diff --git a/demos/bio/intca.pem b/demos/bio/intca.pem
new file mode 100644
index 0000000..3551ea9
--- /dev/null
+++ b/demos/bio/intca.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDvjCCAqagAwIBAgIJAPzCy4CUW9/qMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV
+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT
+VElORyBQVVJQT1NFUyBPTkxZMR0wGwYDVQQDDBRPcGVuU1NMIFRlc3QgUm9vdCBD
+QTAeFw0xNTA3MTQxMzIyMDVaFw0yNTA2MjExMzIyMDVaMHAxCzAJBgNVBAYTAlVL
+MRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVTVElORyBQ
+VVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJtZWRpYXRl
+IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsErw75CmLYD6pkrG
+W/YhAl/K8L5wJYxDjqu2FghxjD8K308W3EHq4uBxEwR1OHXaM1+6ZZw7/r2I37VL
+IdurBEAIEUdbzx0so74FPawgz5EW2CTqoJnK8F71/vo5Kj1VPwW46CxwxUR3cfvJ
+GNXND2ip0TcyTSPLROXOyQakcVfIGJmdSa1wHKi+c2gMA4emADudZUOYLrg80gr2
+ldePm07ynbVsKKzCcStw8MdmoW9Qt3fLnPJn2TFUUBNWj+4kvL+88edWCVQXKNds
+ysD/CDrH4W/hjyPDStVsM6XpiNU0+L2ZY6fcj3OP8d0goOx45xotMn9m8hNkCGsr
+VXx9IwIDAQABo2MwYTAdBgNVHQ4EFgQUNsNsiOeV/rC97M4+PYarIYGH2towHwYD
+VR0jBBgwFoAUjBkP10IxdwUG4dOxn+s5+3hxOkUwDwYDVR0TAQH/BAUwAwEB/zAO
+BgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggEBAANQT0pDWBQoT/RY76xz
+audadGz/dfYnwvSwT0RMFcXLcMVVRNqP0HeR8OP8qLaP7onRbNnEXNfos9pxXYlg
+j+/WjWTBLVcr3pX2Xtmcaqw3CGN9qbQI8B3JkYeijZmc5+3r5MzK/9R0w8Y/T9Xt
+CXEiQhtWHpPrFEfrExeVy2kjJNRctEfq3OTd1bjgX64zvTU7eR+MHFYKPoyMqwIR
+gjoVKinvovEwWoZe5kfMQwJNA3IgoJexX9BXbS8efAYF/ku3tS0laoZS/q6V/o5I
+RvG0OqnNgxhul+96PE5ujSaprsyvBswIUKt+e/BCxGaS6f2AJ8RmtoPOSfT4b9qN
+thI=
+-----END CERTIFICATE-----
diff --git a/demos/bio/root.pem b/demos/bio/root.pem
new file mode 100644
index 0000000..3bd0e9b
--- /dev/null
+++ b/demos/bio/root.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtjCCAp6gAwIBAgIJAKkg71CjIAovMA0GCSqGSIb3DQEBBQUAMGgxCzAJBgNV
+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT
+VElORyBQVVJQT1NFUyBPTkxZMR0wGwYDVQQDDBRPcGVuU1NMIFRlc3QgUm9vdCBD
+QTAeFw0xNDAyMjMxMzA1MTNaFw0yNDAyMjExMzA1MTNaMGgxCzAJBgNVBAYTAlVL
+MRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVTVElORyBQ
+VVJQT1NFUyBPTkxZMR0wGwYDVQQDDBRPcGVuU1NMIFRlc3QgUm9vdCBDQTCCASIw
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANMaarigKGOra5Mc/LrhOkcmHzDs
+vkYL7dfaaht8fLBKRTYwzSBvO9x54koTWjq7HkbaxkYAg3HnDTkNCyzkGKNdM89H
+q/PtGIFFlceQIOat3Kjd05Iw3PtLEWTDjT6FMA9Mkjk/XbpmycqRIwNKtgICoFsG
+juIpc4P31kxK7i3ri+JnlyvVmRZjJxrheJB0qHGXilrOVDPOliDn//jXbcyzXemu
+R8KgAeQM4IIs9jYHJOgHrTItIpwa9wNTEp9KCGkO6xr20NkKyDp6XRyd+hmnUB7r
+77WTptvKPFFTjTDFqEtcif9U2kVkCfn2mSRO8noCbVH++fuR8LMWlD99gt8CAwEA
+AaNjMGEwHQYDVR0OBBYEFIwZD9dCMXcFBuHTsZ/rOft4cTpFMB8GA1UdIwQYMBaA
+FIwZD9dCMXcFBuHTsZ/rOft4cTpFMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/
+BAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQCsoxVi49anYZ1aI/2rVJ5bvEd3ZvGn
+wx1Y+l75SQVYU2qX9CHNBVg1t8reIBN8yPEfBM1WcFPEg7Vy3zFaklMPm/oYXwVI
+/lX/LsfPUxdnQmONxLw4x/0booN1LV/dtRcebewUSqog6W9Z2fbTEe6srIBE4M5G
+Wa943lthlmQM6HzlU4D606PQ3zQbX08mue4eqQB813r4uSoI1MpGLqxkziBRFGGN
+T4VNYp8DeSVr3jHjNBmKCAPZxJIYElnLEK027OG00RH7sF7SGFDNsCjN1NmCvuRz
+9AHnjVIBNzIvI3uiOn9tngRDXBRIcUBsdYG19tal8yWBgrr9SdlqFy/Y
+-----END CERTIFICATE-----
diff --git a/demos/bio/server.pem b/demos/bio/server.pem
index d0fc265..ef0d22a 100644
--- a/demos/bio/server.pem
+++ b/demos/bio/server.pem
@@ -1,10 +1,10 @@
subject= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Server Cert
issuer= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = OpenSSL Test Intermediate CA
-----BEGIN CERTIFICATE-----
-MIID5zCCAs+gAwIBAgIJALnu1NlVpZ6zMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
+MIIDpTCCAo2gAwIBAgIJAK8ArbvjIOQlMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNV
BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT
VElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJt
-ZWRpYXRlIENBMB4XDTExMTIwODE0MDE0OFoXDTIxMTAxNjE0MDE0OFowZDELMAkG
+ZWRpYXRlIENBMB4XDTE1MDcxNDEzMjIwNVoXDTI1MDUyMjEzMjIwNVowZDELMAkG
A1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxIjAgBgNVBAsMGUZPUiBU
RVNUSU5HIFBVUlBPU0VTIE9OTFkxGTAXBgNVBAMMEFRlc3QgU2VydmVyIENlcnQw
ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDzhPOSNtyyRspmeuUpxfNJ
@@ -13,15 +13,14 @@ R7bfSdI/+qIQt8KXRH6HNG1t8ou0VSvWId5TS5Dq/er5ODUr9OaaDva7EquHIcMv
vPQGuI+OEAcnleVCy9HVEIySrO4P3CNIicnGkwwiAud05yUAq/gPXBC1hTtmlPD7
TVcGVSEiJdvzqqlgv02qedGrkki6GY4S7GjZxrrf7Foc2EP+51LJzwLQx3/JfrCU
41NEWAsu/Sl0tQabXESN+zJ1pDqoZ3uHMgpQjeGiE0olr+YcsSW/tJmiU9OiAr8R
-AgMBAAGjgY8wgYwwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwLAYJYIZI
-AYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQW
-BBSCvM8AABPR9zklmifnr9LvIBturDAfBgNVHSMEGDAWgBQ2w2yI55X+sL3szj49
-hqshgYfa2jANBgkqhkiG9w0BAQUFAAOCAQEAqb1NV0B0/pbpK9Z4/bNjzPQLTRLK
-WnSNm/Jh5v0GEUOE/Beg7GNjNrmeNmqxAlpqWz9qoeoFZax+QBpIZYjROU3TS3fp
-yLsrnlr0CDQ5R7kCCDGa8dkXxemmpZZLbUCpW2Uoy8sAA4JjN9OtsZY7dvUXFgJ7
-vVNTRnI01ghknbtD+2SxSQd3CWF6QhcRMAzZJ1z1cbbwGDDzfvGFPzJ+Sq+zEPds
-xoVLLSetCiBc+40ZcDS5dV98h9XD7JMTQfxzA7mNGv73JoZJA6nFgj+ADSlJsY/t
-JBv+z1iQRueoh9Qeee+ZbRifPouCB8FDx+AltvHTANdAq0t/K3o+pplMVA==
+AgMBAAGjTjBMMAwGA1UdEwEB/wQCMAAwDgYDVR0PAQH/BAQDAgXgMCwGCWCGSAGG
++EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTANBgkqhkiG9w0B
+AQsFAAOCAQEAq8v8dvU3Xskb7q5LKbLXxTIF6owFs5uLk2k2msEAQzX7SrYFZwdE
+5e33S71rpDbXiJjyD4Yj0Av5yeRlW0YVFlBZAwgPn29CDCD6+DeQ7AwtXvJhcq9e
+llTLpB1EuXC5UCerQmq99wmfTrK0q4hgK7/5c7mcoD7V1iOEvxI2kmG6ukIupbKi
+P1TNVVET1kPhRG1dFP9rge7j2ssY3/H+j3jlAJnwQQoYg+YCZ6g0atjOrqvywAy3
+5E2d9LPF3TKw2mf4mAxjU6hPDOk0tiMS6g1xdHyeTftPXfN8Gli0T0LpNpy5a24B
+dLPqZEpj0kXT8gTYEROX7tq9gYwpe6FVKw==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA84TzkjbcskbKZnrlKcXzSSgi07n+4N7kOM7uIhzpkTuU0HIv
diff --git a/doc/ssl/SSL_CONF_cmd.pod b/doc/ssl/SSL_CONF_cmd.pod
index dbdacd1..16b368a 100644
--- a/doc/ssl/SSL_CONF_cmd.pod
+++ b/doc/ssl/SSL_CONF_cmd.pod
@@ -195,6 +195,12 @@ context. This option is only supported if certificate operations
are permitted. Note: if no B<PrivateKey> option is set then a private key is
not loaded unless the B<SSL_CONF_FLAG_REQUIRE_PRIVATE> is set.
+=item B<ChainCAFile>, B<ChainCAPath>, B<VerifyCAFile>, B<VerifyCAPath>
+
+These options indicate a file or directory used for building certificate
+chains or verifying certificate chains. These options are only supported
+if certificate operations are permitted.
+
=item B<ServerInfoFile>
Attempts to use the file B<value> in the "serverinfo" extension using the
@@ -306,6 +312,27 @@ B<UnsafeLegacyServerConnect> permits the use of unsafe legacy renegotiation
for OpenSSL clients only. Equivalent to B<SSL_OP_LEGACY_SERVER_CONNECT>.
Set by default.
+=item B<VerifyMode>
+
+The B<value> argument is a comma separated list of flags to set.
+
+B<Peer> enables peer verification: for clients only.
+
+B<Request> requests but does not require a certificate from the client.
+Servers only.
+
+B<Require> requests and requires a certificate from the client: an error
+occurs if the client does not present a certificate. Servers only.
+
+B<Once> requests a certificate from a client only on the initial connection:
+not when renegotiating. Servers only.
+
+=item B<ClientCAFile>, B<ClientCAPath>
+
+A file or directory of certificates in PEM format whose names are used as the
+set of acceptable names for client CAs. Servers only. This option is only
+supported if certificate operations are permitted.
+
=back
=head1 SUPPORTED COMMAND TYPES
diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c
index 819e730..4160566 100644
--- a/ssl/ssl_conf.c
+++ b/ssl/ssl_conf.c
@@ -86,8 +86,14 @@ typedef struct {
/* Sense of name is inverted e.g. "TLSv1" will clear SSL_OP_NO_TLSv1 */
#define SSL_TFLAG_INV 0x1
-/* Flags refers to cert_flags not options */
-#define SSL_TFLAG_CERT 0x2
+/* Mask for type of flag referred to */
+#define SSL_TFLAG_TYPE_MASK 0xf00
+/* Flag is for options */
+#define SSL_TFLAG_OPTION 0x000
+/* Flag is for cert_flags */
+#define SSL_TFLAG_CERT 0x100
+/* Flag is for verify mode */
+#define SSL_TFLAG_VFY 0x200
/* Option can only be used for clients */
#define SSL_TFLAG_CLIENT SSL_CONF_FLAG_CLIENT
/* Option can only be used for servers */
@@ -107,6 +113,11 @@ typedef struct {
#define SSL_FLAG_TBL_CERT(str, flag) \
{str, (int)(sizeof(str) - 1), SSL_TFLAG_CERT|SSL_TFLAG_BOTH, flag}
+#define SSL_FLAG_VFY_CLI(str, flag) \
+ {str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY | SSL_TFLAG_CLIENT, flag}
+#define SSL_FLAG_VFY_SRV(str, flag) \
+ {str, (int)(sizeof(str) - 1), SSL_TFLAG_VFY | SSL_TFLAG_SERVER, flag}
+
/*
* Opaque structure containing SSL configuration context.
*/
@@ -129,30 +140,46 @@ struct ssl_conf_ctx_st {
char *cert_filename[SSL_PKEY_NUM];
/* Pointer to SSL or SSL_CTX cert_flags or NULL if none */
uint32_t *pcert_flags;
+ /* Pointer to SSL or SSL_CTX verify_mode or NULL if none */
+ uint32_t *pvfy_flags;
/* Current flag table being worked on */
const ssl_flag_tbl *tbl;
/* Size of table */
size_t ntbl;
+ /* Client CA names */
+ STACK_OF(X509_NAME) *canames;
};
static void ssl_set_option(SSL_CONF_CTX *cctx, unsigned int name_flags,
unsigned long option_value, int onoff)
{
+ unint32_t *pflags;
if (cctx->poptions == NULL)
return;
if (name_flags & SSL_TFLAG_INV)
onoff ^= 1;
- if (name_flags & SSL_TFLAG_CERT) {
- if (onoff)
- *cctx->pcert_flags |= option_value;
- else
- *cctx->pcert_flags &= ~option_value;
- } else {
- if (onoff)
- *cctx->poptions |= option_value;
- else
- *cctx->poptions &= ~option_value;
+ switch (name_flags & SSL_TFLAG_TYPE_MASK) {
+
+ case SSL_TFLAG_CERT:
+ pflags = cctx->pcert_flags;
+ break;
+
+ case SSL_TFLAG_VFY:
+ pflags = cctx->pvfy_flags;
+ break;
+
+ case SSL_TFLAG_OPTION:
+ pflags = cctx->poptions;
+ break;
+
+ default:
+ return;
+
}
+ if (onoff)
+ *pflags |= option_value;
+ else
+ *pflags &= ~option_value;
}
static int ssl_match_option(SSL_CONF_CTX *cctx, const ssl_flag_tbl *tbl,
@@ -335,6 +362,22 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value)
return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
}
+static int cmd_VerifyMode(SSL_CONF_CTX *cctx, const char *value)
+{
+ static const ssl_flag_tbl ssl_vfy_list[] = {
+ SSL_FLAG_VFY_CLI("Peer", SSL_VERIFY_PEER),
+ SSL_FLAG_VFY_SRV("Request", SSL_VERIFY_PEER),
+ SSL_FLAG_VFY_SRV("Require",
+ SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
+ SSL_FLAG_VFY_SRV("Once", SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE)
+ };
+ if (value == NULL)
+ return -3;
+ cctx->tbl = ssl_vfy_list;
+ cctx->ntbl = OSSL_NELEM(ssl_vfy_list);
+ return CONF_parse_list(value, ',', 1, ssl_set_option_list, cctx);
+}
+
static int cmd_Certificate(SSL_CONF_CTX *cctx, const char *value)
{
int rv = 1;
@@ -378,6 +421,64 @@ static int cmd_ServerInfoFile(SSL_CONF_CTX *cctx, const char *value)
return rv > 0;
}
+static int do_store(SSL_CONF_CTX *cctx,
+ const char *CAfile, const char *CApath, int verify_store)
+{
+ CERT *cert;
+ X509_STORE **st;
+ if (cctx->ctx)
+ cert = cctx->ctx->cert;
+ else if (cctx->ssl)
+ cert = cctx->ssl->cert;
+ else
+ return 1;
+ st = verify_store ? &cert->verify_store : &cert->chain_store;
+ if (*st == NULL) {
+ *st = X509_STORE_new();
+ if (*st == NULL)
+ return 0;
+ }
+ return X509_STORE_load_locations(*st, CAfile, CApath) > 0;
+}
+
+static int cmd_ChainCAPath(SSL_CONF_CTX *cctx, const char *value)
+{
+ return do_store(cctx, NULL, value, 0);
+}
+
+static int cmd_ChainCAFile(SSL_CONF_CTX *cctx, const char *value)
+{
+ return do_store(cctx, value, NULL, 0);
+}
+
+static int cmd_VerifyCAPath(SSL_CONF_CTX *cctx, const char *value)
+{
+ return do_store(cctx, NULL, value, 1);
+}
+
+static int cmd_VerifyCAFile(SSL_CONF_CTX *cctx, const char *value)
+{
+ return do_store(cctx, value, NULL, 1);
+}
+
+static int cmd_ClientCAFile(SSL_CONF_CTX *cctx, const char *value)
+{
+ if (cctx->canames == NULL)
+ cctx->canames = sk_X509_NAME_new_null();
+ if (cctx->canames == NULL)
+ return 0;
+ return SSL_add_file_cert_subjects_to_stack(cctx->canames, value);
+}
+
+static int cmd_ClientCAPath(SSL_CONF_CTX *cctx, const char *value)
+{
+ if (cctx->canames == NULL)
+ cctx->canames = sk_X509_NAME_new_null();
+ if (cctx->canames == NULL)
+ return 0;
+ return SSL_add_dir_cert_subjects_to_stack(cctx->canames, value);
+}
+
#ifndef OPENSSL_NO_DH
static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value)
{
@@ -452,6 +553,7 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
SSL_CONF_CMD_STRING(CipherString, "cipher", 0),
SSL_CONF_CMD_STRING(Protocol, NULL, 0),
SSL_CONF_CMD_STRING(Options, NULL, 0),
+ SSL_CONF_CMD_STRING(VerifyMode, NULL, 0),
SSL_CONF_CMD(Certificate, "cert", SSL_CONF_FLAG_CERTIFICATE,
SSL_CONF_TYPE_FILE),
SSL_CONF_CMD(PrivateKey, "key", SSL_CONF_FLAG_CERTIFICATE,
@@ -459,6 +561,20 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
SSL_CONF_CMD(ServerInfoFile, NULL,
SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
SSL_CONF_TYPE_FILE),
+ SSL_CONF_CMD(ChainCAPath, "chainCApath", SSL_CONF_FLAG_CERTIFICATE,
+ SSL_CONF_TYPE_DIR),
+ SSL_CONF_CMD(ChainCAFile, "chainCAfile", SSL_CONF_FLAG_CERTIFICATE,
+ SSL_CONF_TYPE_FILE),
+ SSL_CONF_CMD(VerifyCAPath, "verifyCApath", SSL_CONF_FLAG_CERTIFICATE,
+ SSL_CONF_TYPE_DIR),
+ SSL_CONF_CMD(VerifyCAFile, "verifyCAfile", SSL_CONF_FLAG_CERTIFICATE,
+ SSL_CONF_TYPE_FILE),
+ SSL_CONF_CMD(ClientCAFile, NULL,
+ SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
+ SSL_CONF_TYPE_FILE),
+ SSL_CONF_CMD(ClientCAPath, NULL,
+ SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
+ SSL_CONF_TYPE_DIR),
#ifndef OPENSSL_NO_DH
SSL_CONF_CMD(DHParameters, "dhparam",
SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
@@ -666,10 +782,12 @@ SSL_CONF_CTX *SSL_CONF_CTX_new(void)
ret->ctx = NULL;
ret->poptions = NULL;
ret->pcert_flags = NULL;
+ ret->pvfy_flags = NULL;
ret->tbl = NULL;
ret->ntbl = 0;
for (i = 0; i < SSL_PKEY_NUM; i++)
ret->cert_filename[i] = NULL;
+ ret->canames = NULL;
}
return ret;
}
@@ -695,6 +813,15 @@ int SSL_CONF_CTX_finish(SSL_CONF_CTX *cctx)
}
}
}
+ if (cctx->canames) {
+ if (cctx->ssl)
+ SSL_set_client_CA_list(cctx->ssl, cctx->canames);
+ else if (cctx->ctx)
+ SSL_CTX_set_client_CA_list(cctx->ctx, cctx->canames);
+ else
+ sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free);
+ cctx->canames = NULL;
+ }
return 1;
}
@@ -706,6 +833,7 @@ void SSL_CONF_CTX_free(SSL_CONF_CTX *cctx)
OPENSSL_free(cctx->cert_filename[i]);
OPENSSL_free(cctx->prefix);
OPENSSL_free(cctx);
+ sk_X509_NAME_pop_free(cctx->canames, X509_NAME_free);
}
}
@@ -745,9 +873,11 @@ void SSL_CONF_CTX_set_ssl(SSL_CONF_CTX *cctx, SSL *ssl)
if (ssl) {
cctx->poptions = &ssl->options;
cctx->pcert_flags = &ssl->cert->cert_flags;
+ cctx->pvfy_flags = &ssl->verify_mode;
} else {
cctx->poptions = NULL;
cctx->pcert_flags = NULL;
+ cctx->pvfy_flags = NULL;
}
}
@@ -758,8 +888,10 @@ void SSL_CONF_CTX_set_ssl_ctx(SSL_CONF_CTX *cctx, SSL_CTX *ctx)
if (ctx) {
cctx->poptions = &ctx->options;
cctx->pcert_flags = &ctx->cert->cert_flags;
+ cctx->pvfy_flags = &ctx->verify_mode;
} else {
cctx->poptions = NULL;
cctx->pcert_flags = NULL;
+ cctx->pvfy_flags = NULL;
}
}
More information about the openssl-commits
mailing list