diff -ur stunnel-4.04/doc/stunnel.8 stunnel-4.04.purpose/doc/stunnel.8
--- stunnel-4.04/doc/stunnel.8 2002-12-26 23:23:45.000000000 +0100
+++ stunnel-4.04.purpose/doc/stunnel.8 2003-04-07 21:08:30.000000000 +0200
@@ -359,6 +359,20 @@
\& level 3 - verify peer with locally installed certificate
\& default - no verify
.Ve
+.IP "\fBpurpose\fR = type" 4
+.IX Item "purpose = type"
+check the peer certificate for this purpose
+.Sp
+.Vb 4
+\& ssl_server
+\& ssl_client
+\& ns_ssl_server
+\& smime_sign
+\& smime_encrypt
+\& crl_sign
+\& any
+\& default - OpenSSL default
+.Ve
.Sh "SERVICE-LEVEL \s-1OPTIONS\s0"
.IX Subsection "SERVICE-LEVEL OPTIONS"
Each configuration section begins with service name in square brackets.
diff -ur stunnel-4.04/doc/stunnel.html stunnel-4.04.purpose/doc/stunnel.html
--- stunnel-4.04/doc/stunnel.html 2002-12-26 23:23:46.000000000 +0100
+++ stunnel-4.04.purpose/doc/stunnel.html 2003-04-07 21:08:40.000000000 +0200
@@ -273,6 +273,19 @@
level 3 - verify peer with locally installed certificate
default - no verify
+check the peer certificate for this purpose
+
+ ssl_server
+ ssl_client
+ ns_ssl_server
+ smime_sign
+ smime_encrypt
+ crl_sign
+ any
+ default - OpenSSL default
+
Each configuration section begins with service name in square brackets.
diff -ur stunnel-4.04/src/common.h stunnel-4.04.purpose/src/common.h
--- stunnel-4.04/src/common.h 2003-01-01 15:45:57.000000000 +0100
+++ stunnel-4.04.purpose/src/common.h 2003-04-07 12:18:49.000000000 +0200
@@ -225,6 +225,7 @@
#include
#include /* for CRYPTO_* and SSLeay_version */
#include
+#include /* for X509_PURPOSE_* */
#else
#include
#include
diff -ur stunnel-4.04/src/options.c stunnel-4.04.purpose/src/options.c
--- stunnel-4.04/src/options.c 2003-01-01 15:21:58.000000000 +0100
+++ stunnel-4.04.purpose/src/options.c 2003-04-07 21:09:17.000000000 +0200
@@ -555,6 +555,42 @@
break;
}
+ /* certificate purpose */
+ switch(cmd) {
+ case CMD_INIT:
+ options.verify_purpose=0;
+ break;
+ case CMD_EXEC:
+ if(strcasecmp(opt, "purpose"))
+ break;
+ options.verify_level=0;
+ if (strcasecmp(arg, "ssl_client") == 0)
+ options.verify_purpose=X509_PURPOSE_SSL_CLIENT;
+ else if (strcasecmp(arg, "ssl_server") == 0)
+ options.verify_purpose=X509_PURPOSE_SSL_SERVER;
+ else if (strcasecmp(arg, "ns_ssl_server") == 0)
+ options.verify_purpose=X509_PURPOSE_NS_SSL_SERVER;
+ else if (strcasecmp(arg, "smime_sign") == 0)
+ options.verify_purpose=X509_PURPOSE_SMIME_SIGN;
+ else if (strcasecmp(arg, "smime_encrypt") == 0)
+ options.verify_purpose=X509_PURPOSE_SMIME_ENCRYPT;
+ else if (strcasecmp(arg, "crl_sign") == 0)
+ options.verify_purpose=X509_PURPOSE_CRL_SIGN;
+ else if (strcasecmp(arg, "any") == 0)
+ options.verify_purpose=X509_PURPOSE_ANY;
+ else
+ return "Unknown purpose";
+ return NULL; /* OK */
+ case CMD_DEFAULT:
+ log_raw("%-15s = OpenSSL default", "purpose");
+ break;
+ case CMD_HELP:
+ log_raw("%-15s = check the peer certificate for this purpose", "purpose");
+ log_raw("%18sssl_client, ssl_server, ns_ssl_server, smime_sign,", "");
+ log_raw("%18ssmime_encrypt, crl_sign, any", "");
+ break;
+ }
+
if(cmd==CMD_EXEC)
return option_not_found;
return NULL; /* OK */
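Review bot: `options.verify_level=0;` in the CMD_EXEC branch resets the verify level every time a `purpose` line is parsed, so a `verify = N` line that appears earlier in the section is silently discarded and the effective setting depends on option order; this looks like a leftover from the `verify` handler and the line should be deleted, leaving `options.verify_purpose` as the only field this option writes. Because the purpose is a constraint applied during peer verification, wiping the verify level here would also undo the very check the option is meant to strengthen, so a config test with `verify` before `purpose` is worth adding. The new `if (strcasecmp(arg, ...) == 0)` chain mixes `if (` with the surrounding file's `if(` spacing; matching the existing form keeps the handler consistent with the other options in this function. The enclosing option-parsing function starts and ends outside the hunk.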
diff -ur stunnel-4.04/src/prototypes.h stunnel-4.04.purpose/src/prototypes.h
--- stunnel-4.04/src/prototypes.h 2003-01-01 15:33:54.000000000 +0100
+++ stunnel-4.04.purpose/src/prototypes.h 2003-04-07 12:13:41.000000000 +0200
@@ -103,6 +103,7 @@
long session_timeout;
int verify_level;
int verify_use_only_my;
+ int verify_purpose;
long ssl_options;
/* some global data for stunnel.c */
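Review bot: The new `verify_purpose` field relies on an in-band sentinel, 0 meaning "keep OpenSSL's default purpose" (it is initialised to 0 on CMD_INIT and only acted on when non-zero in ssl.c), but nothing at the declaration says so, and a reader has to trace options.c to learn it. Suggest `int verify_purpose; /* X509_PURPOSE_* id, or 0 to keep the OpenSSL default */` so the contract is visible where the field is declared. The struct is cut at both edges of this hunk.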
diff -ur stunnel-4.04/src/ssl.c stunnel-4.04.purpose/src/ssl.c
--- stunnel-4.04/src/ssl.c 2003-01-01 15:07:08.000000000 +0100
+++ stunnel-4.04.purpose/src/ssl.c 2003-04-07 12:02:19.000000000 +0200
@@ -407,6 +407,16 @@
log(LOG_DEBUG, "Set verify directory to %s", options.ca_dir);
}
+ if(options.verify_purpose) {
+ if (!SSL_CTX_set_purpose(ctx, options.verify_purpose)) {
+ log(LOG_ERR, "Error setting verify purpose to %d",
+ options.verify_purpose);
+ sslerror("SSL_CTX_set_purpose");
+ exit(1);
+ }
+ log(LOG_DEBUG, "Set verify purpose to %d", options.verify_purpose);
+ }
+
SSL_CTX_set_verify(ctx, options.verify_level==SSL_VERIFY_NONE ?
SSL_VERIFY_PEER : options.verify_level, verify_callback);
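Review bot: Both new log lines report the purpose as the raw X509_PURPOSE_* id via `%d`, so an operator reading `Set verify purpose to 1` in the debug log has to know OpenSSL's internal numbering to confirm which purpose is actually enforced, and a wrong mapping in options.c would not be caught from the logs. OpenSSL can translate the id back to a name with `X509_PURPOSE_get0_sname(X509_PURPOSE_get0(X509_PURPOSE_get_by_id(options.verify_purpose)))`, which would make the debug and error messages self-explanatory. The purpose is applied regardless of `options.verify_level`; since it only constrains the peer when the verification outcome is enforced, and `verify_callback` is not visible in this hunk, it is worth confirming that a failed purpose check is rejected at every configured level rather than giving a false sense of restriction when `verify` is unset. The enclosing context-setup function starts and ends outside the hunk.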