diff -Nur stunnel-4.05/doc/stunnel.8 stunnel-4.05.purpose/doc/stunnel.8
--- stunnel-4.05/doc/stunnel.8 2004-01-25 18:33:21.000000000 +0100
+++ stunnel-4.05.purpose/doc/stunnel.8 2004-09-16 00:13:02.118372416 +0200
@@ -382,6 +382,20 @@
\& level 3 - verify peer with locally installed certificate
\& default - no verify
.Ve
+.IP "\fBpurpose\fR = type" 4
+.IX Item "purpose = type"
+check the peer certificate for this purpose
+.Sp
+.Vb 4
+\& ssl_server
+\& ssl_client
+\& ns_ssl_server
+\& smime_sign
+\& smime_encrypt
+\& crl_sign
+\& any
+\& default - OpenSSL default
+.Ve
.Sh "SERVICE-LEVEL \s-1OPTIONS\s0"
.IX Subsection "SERVICE-LEVEL OPTIONS"
Each configuration section begins with service name in square brackets.
diff -Nur stunnel-4.05/doc/stunnel.html stunnel-4.05.purpose/doc/stunnel.html
--- stunnel-4.05/doc/stunnel.html 2004-01-25 18:33:22.000000000 +0100
+++ stunnel-4.05.purpose/doc/stunnel.html 2004-09-16 00:13:02.121371960 +0200
@@ -296,6 +296,19 @@
level 3 - verify peer with locally installed certificate
default - no verify
+check the peer certificate for this purpose
+
+ ssl_server
+ ssl_client
+ ns_ssl_server
+ smime_sign
+ smime_encrypt
+ crl_sign
+ any
+ default - OpenSSL default
+
Each configuration section begins with service name in square brackets.
diff -Nur stunnel-4.05/src/common.h stunnel-4.05.purpose/src/common.h
--- stunnel-4.05/src/common.h 2004-02-14 13:19:46.000000000 +0100
+++ stunnel-4.05.purpose/src/common.h 2004-09-16 00:13:02.124371504 +0200
@@ -234,6 +234,7 @@
#include
#include /* for CRYPTO_* and SSLeay_version */
#include
+#include /* for X509_PURPOSE_* */
#if SSLEAY_VERSION_NUMBER >= 0x00907000L
#include
#endif
diff -Nur stunnel-4.05/src/options.c stunnel-4.05.purpose/src/options.c
--- stunnel-4.05/src/options.c 2004-01-25 18:25:30.000000000 +0100
+++ stunnel-4.05.purpose/src/options.c 2004-09-16 00:13:02.127371048 +0200
@@ -620,6 +620,42 @@
break;
}
+ /* certificate purpose */
+ switch(cmd) {
+ case CMD_INIT:
+ options.verify_purpose=0;
+ break;
+ case CMD_EXEC:
+ if(strcasecmp(opt, "purpose"))
+ break;
+ options.verify_purpose=0;
+ if (strcasecmp(arg, "ssl_client") == 0)
+ options.verify_purpose=X509_PURPOSE_SSL_CLIENT;
+ else if (strcasecmp(arg, "ssl_server") == 0)
+ options.verify_purpose=X509_PURPOSE_SSL_SERVER;
+ else if (strcasecmp(arg, "ns_ssl_server") == 0)
+ options.verify_purpose=X509_PURPOSE_NS_SSL_SERVER;
+ else if (strcasecmp(arg, "smime_sign") == 0)
+ options.verify_purpose=X509_PURPOSE_SMIME_SIGN;
+ else if (strcasecmp(arg, "smime_encrypt") == 0)
+ options.verify_purpose=X509_PURPOSE_SMIME_ENCRYPT;
+ else if (strcasecmp(arg, "crl_sign") == 0)
+ options.verify_purpose=X509_PURPOSE_CRL_SIGN;
+ else if (strcasecmp(arg, "any") == 0)
+ options.verify_purpose=X509_PURPOSE_ANY;
+ else
+ return "Unknown purpose";
+ return NULL; /* OK */
+ case CMD_DEFAULT:
+ log_raw("%-15s = OpenSSL default", "purpose");
+ break;
+ case CMD_HELP:
+ log_raw("%-15s = check the peer certificate for this purpose", "purpose");
+ log_raw("%18sssl_client, ssl_server, ns_ssl_server, smime_sign,", "");
+ log_raw("%18ssmime_encrypt, crl_sign, any", "");
+ break;
+ }
+
if(cmd==CMD_EXEC)
return option_not_found;
return NULL; /* OK */
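Review bot: The new `CMD_EXEC` case mixes `if (strcasecmp(arg, "ssl_client") == 0)` with the file's spacing-free form used two lines above it (`if(strcasecmp(opt, "purpose"))`) and just below the hunk (`if(cmd==CMD_EXEC)`), and seven near-identical branches would read better as one table lookup, which also keeps the accepted names in a single place next to the help text that lists them. The `options.verify_purpose=0;` ahead of the chain is redundant once the unknown-name path returns an error, though harmless. The enclosing function starts outside the hunk.
```c
    case CMD_EXEC:
        if(strcasecmp(opt, "purpose"))
            break;
        {
            static const struct {
                const char *name;
                int purpose;
            } purposes[]={
                {"ssl_client",    X509_PURPOSE_SSL_CLIENT},
                {"ssl_server",    X509_PURPOSE_SSL_SERVER},
                {"ns_ssl_server", X509_PURPOSE_NS_SSL_SERVER},
                {"smime_sign",    X509_PURPOSE_SMIME_SIGN},
                {"smime_encrypt", X509_PURPOSE_SMIME_ENCRYPT},
                {"crl_sign",      X509_PURPOSE_CRL_SIGN},
                {"any",           X509_PURPOSE_ANY}
            };
            size_t i;

            for(i=0; i<sizeof purposes/sizeof purposes[0]; i++)
                if(!strcasecmp(arg, purposes[i].name)) {
                    options.verify_purpose=purposes[i].purpose;
                    return NULL; /* OK */
                }
            return "Unknown purpose";
        }
    /* ... unchanged: CMD_DEFAULT and CMD_HELP cases ... */
```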
diff -Nur stunnel-4.05/src/prototypes.h stunnel-4.05.purpose/src/prototypes.h
--- stunnel-4.05/src/prototypes.h 2004-02-10 20:14:43.000000000 +0100
+++ stunnel-4.05.purpose/src/prototypes.h 2004-09-16 00:13:02.132370288 +0200
@@ -107,6 +107,7 @@
long session_timeout;
int verify_level;
int verify_use_only_my;
+ int verify_purpose;
long ssl_options;
/* some global data for stunnel.c */
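Review bot: The new `verify_purpose` field is added without a comment, so a reader of the struct cannot tell what values it holds or what zero means; the options.c and ssl.c hunks in this patch show it is an `X509_PURPOSE_*` id that is only passed to `SSL_CTX_set_purpose()` when non-zero. Suggest `int verify_purpose; /* X509_PURPOSE_* id for SSL_CTX_set_purpose(); 0 = leave the OpenSSL default */`. The enclosing struct starts and ends outside the hunk.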
diff -Nur stunnel-4.05/src/ssl.c stunnel-4.05.purpose/src/ssl.c
--- stunnel-4.05/src/ssl.c 2004-01-25 20:25:41.000000000 +0100
+++ stunnel-4.05.purpose/src/ssl.c 2004-09-16 00:13:02.135369832 +0200
@@ -457,6 +457,16 @@
}
}
+ if(options.verify_purpose) {
+ if (!SSL_CTX_set_purpose(ctx, options.verify_purpose)) {
+ log(LOG_ERR, "Error setting verify purpose to %d",
+ options.verify_purpose);
+ sslerror("SSL_CTX_set_purpose");
+ exit(1);
+ }
+ log(LOG_DEBUG, "Set verify purpose to %d", options.verify_purpose);
+ }
+
SSL_CTX_set_verify(ctx, options.verify_level==SSL_VERIFY_NONE ?
SSL_VERIFY_PEER : options.verify_level, verify_callback);
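Review bot: The purpose is installed on the context without regard to `options.verify_level`, and the `SSL_CTX_set_verify` call that follows always registers `verify_callback` with at least `SSL_VERIFY_PEER`, so whether a purpose mismatch actually rejects the peer presumably depends on how `verify_callback` treats verification errors at the configured level; that is worth stating at the `if(options.verify_purpose)` line, e.g. `/* a purpose mismatch is reported as a verify error; verify_callback decides whether it is fatal at this verify level */`. The debug and error messages log only the numeric id, which operators cannot map back to the configured keyword without the OpenSSL headers; the short name is available via `X509_PURPOSE_get0_sname(X509_PURPOSE_get0(X509_PURPOSE_get_by_id(options.verify_purpose)))`. The enclosing function starts and ends outside the hunk.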