Add a --with-system-ca-path <path-to-ca-directory> option to configure (#406)
authorEivind Næss <eivnaes@yahoo.com>
Fri, 17 Mar 2023 22:50:30 +0000 (15:50 -0700)
committerGitHub <noreply@github.com>
Fri, 17 Mar 2023 22:50:30 +0000 (09:50 +1100)
Allow distributions to specify a default CA path. Fix for github issue #405.

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
configure.ac
pppd/Makefile.am
pppd/auth.c

index bb45caba7f284ffe8040afbd621818b7013d7030..1180f64ec0540807804e15fe0797dcf32f1393b2 100644 (file)
@@ -221,6 +221,28 @@ AS_IF([test -n "$with_logfile_dir"],
        [PPPD_LOGFILE_DIR="${localstatedir}/log/ppp"])
 AC_SUBST(PPPD_LOGFILE_DIR)
 
+#
+# System CA certificates path
+AC_ARG_WITH(system-ca-path,
+    AS_HELP_STRING([--with-system-ca-path=/path/to/ssl/certs], [path to system CA certificates]),
+    [
+       case "$withval" in
+       "" | y | ye | yes)
+            with_system_ca_path="${sysconfdir}/ssl/certs"
+            ;;
+       n | no)
+            ;;
+       *)
+            with_system_ca_path="$withval"
+            ;;
+       esac
+    ],[with_system_ca_path="${sysconfdir}/ssl/certs"])
+AM_CONDITIONAL(PPP_WITH_SYSTEM_CA_PATH, [test "$with_system_ca_path" != "no"])
+AM_COND_IF(PPP_WITH_SYSTEM_CA_PATH, [
+    SYSTEM_CA_PATH="$with_system_ca_path"
+])
+AC_SUBST(SYSTEM_CA_PATH)
+
 #
 # Check for OpenSSL
 AX_CHECK_OPENSSL
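Review bot: The `n | no)` arm assigns nothing, so `--with-system-ca-path=n` leaves `with_system_ca_path` set to `n`. The `test "$with_system_ca_path" != "no"` check on the `AM_CONDITIONAL` line then passes and pppd is built with the relative path `n` as its CA directory; the arm should normalise the value, `n | no) with_system_ca_path="no" ;;`. The `*)` arm also accepts any string, and a relative value would presumably be resolved against pppd's working directory at run time, so rejecting values that do not start with `/` through `AC_MSG_ERROR` is worth adding. The default when the option is absent is `${sysconfdir}/ssl/certs`, which follows `--prefix` and so may not be the distribution's trust store. A comment above `AC_ARG_WITH` saying that the feature is on by default and is disabled with `--without-system-ca-path` would help packagers.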
@@ -390,6 +412,7 @@ $PACKAGE_NAME version $PACKAGE_VERSION
     Runtime Dir..........: $PPPD_RUNTIME_DIR
     Logfile Dir..........: $PPPD_LOGFILE_DIR
     Plugin Dir...........: $PPPD_PLUGIN_DIR
+    System CA Path ......: ${SYSTEM_CA_PATH:-not set}
     With OpenSSL.........: ${with_openssl:-yes}
     With libatm..........: ${with_atm:-no}
     With libpam..........: ${with_pam:-no}
index c93a86a0979b0f61342abb67f67a9055e1552fe9..e5bedf26af963325edfb9852864249a0765b42bd 100644 (file)
@@ -87,6 +87,10 @@ pppd_CPPFLAGS = -DSYSCONFDIR=\"${sysconfdir}\" -DLOCALSTATEDIR=\"${localstatedir
 pppd_LDFLAGS =
 pppd_LIBS =
 
+if PPP_WITH_SYSTEM_CA_PATH
+pppd_CPPFLAGS += -DSYSTEM_CA_PATH='"@SYSTEM_CA_PATH@"'
+endif
+
 if LINUX
 pppd_SOURCES += sys-linux.c
 noinst_HEADERS += termios_linux.h
index 202d557a5a4b41539ee1065ad43fbacb1f3bc5bb..cee847ea5a7341164ad7d835aede46ca5d9203ef 100644 (file)
@@ -1334,6 +1334,13 @@ auth_check_options(void)
     if (user[0] == 0 && !explicit_user)
        strlcpy(user, our_name, sizeof(user));
 
+#if defined(SYSTEM_CA_PATH) && (defined(PPP_WITH_EAPTLS) || defined(PPP_WITH_PEAP))
+    /* Use system default for CA Path if not specified */
+    if (!ca_path) {
+        ca_path = SYSTEM_CA_PATH;
+    }
+#endif
+
     /*
      * If we have a default route, require the peer to authenticate
      * unless the noauth option was given or the real user is root.
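Review bot: The `if (!ca_path)` fallback fires whenever no CA directory was configured, and the visible lines do not check whether the administrator supplied a single CA certificate file instead. If both values are later passed to the TLS verification setup (not visible in this hunk), every CA in the system directory becomes an acceptable issuer for the EAP-TLS/PEAP peer alongside the pinned one, which widens trust for existing configurations without any option changing. Consider applying the default only when no CA file is configured either, and logging when the build-time default is used so the effective trust store shows up in the logs. At minimum the comment should state the consequence, e.g. `/* No capath given: fall back to the build-time SYSTEM_CA_PATH; this directory is trusted in addition to any configured CA file */`. `auth_check_options` starts and ends outside this hunk, so whether an earlier check already covers this cannot be confirmed from here.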