aboutsummaryrefslogtreecommitdiff
path: root/options.c
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--options.c52
1 files changed, 52 insertions, 0 deletions
diff --git a/options.c b/options.c
index fd3fec6..1cfccd3 100644
--- a/options.c
+++ b/options.c
@@ -507,9 +507,11 @@ static const char usage_message[] =
" Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n"
"--cert file : Local certificate in .pem format -- must be signed\n"
" by a Certificate Authority in --ca file.\n"
+ "--extra-certs file : one or more PEM certs that complete the cert chain.\n"
"--key file : Local private key in .pem format.\n"
"--pkcs12 file : PKCS#12 file containing local private key, local certificate\n"
" and optionally the root CA certificate.\n"
+ "--verify-hash : Specify SHA1 fingerprint for level-1 cert.\n"
#ifdef WIN32
"--cryptoapicert select-string : Load the certificate and private key from the\n"
" Windows Certificate System Store.\n"
@@ -894,6 +896,40 @@ is_stateful_restart (const struct options *o)
return is_persist_option (o) || connection_list_defined (o);
}
+#ifdef USE_SSL
+static uint8_t *
+parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc)
+{
+ int i;
+ const char *cp = str;
+ uint8_t *ret = (uint8_t *) gc_malloc (nbytes, true, gc);
+ char term = 1;
+ int byte;
+ char bs[3];
+
+ for (i = 0; i < nbytes; ++i)
+ {
+ if (strlen(cp) < 2)
+ msg (msglevel, "format error in hash fingerprint: %s", str);
+ bs[0] = *cp++;
+ bs[1] = *cp++;
+ bs[2] = 0;
+ byte = 0;
+ if (sscanf(bs, "%x", &byte) != 1)
+ msg (msglevel, "format error in hash fingerprint hex byte: %s", str);
+ ret[i] = (uint8_t)byte;
+ term = *cp++;
+ if (term != ':' && term != 0)
+ msg (msglevel, "format error in hash fingerprint delimiter: %s", str);
+ if (term == 0)
+ break;
+ }
+ if (term != 0 || i != nbytes-1)
+ msg (msglevel, "hash fingerprint is different length than expected (%d bytes): %s", nbytes, str);
+ return ret;
+}
+#endif
+
#ifdef WIN32
#ifdef ENABLE_DEBUG
@@ -5758,6 +5794,22 @@ add_option (struct options *options,
}
#endif
}
+ else if (streq (p[0], "extra-certs") && p[1])
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ options->extra_certs_file = p[1];
+#if ENABLE_INLINE_FILES
+ if (streq (p[1], INLINE_FILE_TAG) && p[2])
+ {
+ options->extra_certs_file_inline = p[2];
+ }
+#endif
+ }
+ else if (streq (p[0], "verify-hash") && p[1])
+ {
+ VERIFY_PERMISSION (OPT_P_GENERAL);
+ options->verify_hash = parse_hash_fingerprint(p[1], SHA_DIGEST_LENGTH, msglevel, &options->gc);
+ }
#ifdef WIN32
else if (streq (p[0], "cryptoapicert") && p[1])
{