Browse code
Allow PKCS12 file content to be included inline in configuration file, rendered as base64.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6412 e7ae566f-a301-0410-adde-c780ea21d3b5
James Yonan authored on 2010/08/29 14:24:15Showing 3 changed files
| ... | ... |
@@ -5680,6 +5680,12 @@ add_option (struct options *options, |
| 5680 | 5680 |
{
|
| 5681 | 5681 |
VERIFY_PERMISSION (OPT_P_GENERAL); |
| 5682 | 5682 |
options->pkcs12_file = p[1]; |
| 5683 |
+#if ENABLE_INLINE_FILES |
|
| 5684 |
+ if (streq (p[1], INLINE_FILE_TAG) && p[2]) |
|
| 5685 |
+ {
|
|
| 5686 |
+ options->pkcs12_file_inline = p[2]; |
|
| 5687 |
+ } |
|
| 5688 |
+#endif |
|
| 5683 | 5689 |
} |
| 5684 | 5690 |
else if (streq (p[0], "askpass")) |
| 5685 | 5691 |
{
|
| ... | ... |
@@ -473,6 +473,7 @@ struct options |
| 473 | 473 |
const char *cert_file_inline; |
| 474 | 474 |
char *priv_key_file_inline; |
| 475 | 475 |
const char *dh_file_inline; |
| 476 |
+ const char *pkcs12_file_inline; /* contains the base64 encoding of pkcs12 file */ |
|
| 476 | 477 |
#endif |
| 477 | 478 |
|
| 478 | 479 |
int ns_cert_type; /* set to 0, NS_SSL_SERVER, or NS_SSL_CLIENT */ |
| ... | ... |
@@ -1514,23 +1514,41 @@ init_ssl (const struct options *options) |
| 1514 | 1514 |
|
| 1515 | 1515 |
if (options->pkcs12_file) |
| 1516 | 1516 |
{
|
| 1517 |
- /* Use PKCS #12 file for key, cert and CA certs */ |
|
| 1517 |
+ /* Use PKCS #12 file for key, cert and CA certs */ |
|
| 1518 | 1518 |
|
| 1519 | 1519 |
FILE *fp; |
| 1520 | 1520 |
EVP_PKEY *pkey; |
| 1521 | 1521 |
X509 *cert; |
| 1522 | 1522 |
STACK_OF(X509) *ca = NULL; |
| 1523 |
- PKCS12 *p12; |
|
| 1523 |
+ PKCS12 *p12=NULL; |
|
| 1524 | 1524 |
int i; |
| 1525 | 1525 |
char password[256]; |
| 1526 | 1526 |
|
| 1527 |
- /* Load the PKCS #12 file */ |
|
| 1528 |
- if (!(fp = fopen(options->pkcs12_file, "rb"))) |
|
| 1529 |
- msg (M_SSLERR, "Error opening file %s", options->pkcs12_file); |
|
| 1530 |
- p12 = d2i_PKCS12_fp(fp, NULL); |
|
| 1531 |
- fclose (fp); |
|
| 1532 |
- if (!p12) msg (M_SSLERR, "Error reading PKCS#12 file %s", options->pkcs12_file); |
|
| 1533 |
- |
|
| 1527 |
+#if ENABLE_INLINE_FILES |
|
| 1528 |
+ if (!strcmp (options->pkcs12_file, INLINE_FILE_TAG) && options->pkcs12_file_inline) |
|
| 1529 |
+ {
|
|
| 1530 |
+ BIO *b64 = BIO_new (BIO_f_base64()); |
|
| 1531 |
+ BIO *bio = BIO_new_mem_buf ((void *)options->pkcs12_file_inline, (int)strlen(options->pkcs12_file_inline)); |
|
| 1532 |
+ ASSERT(b64 && bio); |
|
| 1533 |
+ BIO_push (b64, bio); |
|
| 1534 |
+ p12 = d2i_PKCS12_bio(b64, NULL); |
|
| 1535 |
+ if (!p12) |
|
| 1536 |
+ msg (M_SSLERR, "Error reading inline PKCS#12 file"); |
|
| 1537 |
+ BIO_free (b64); |
|
| 1538 |
+ BIO_free (bio); |
|
| 1539 |
+ } |
|
| 1540 |
+ else |
|
| 1541 |
+#endif |
|
| 1542 |
+ {
|
|
| 1543 |
+ /* Load the PKCS #12 file */ |
|
| 1544 |
+ if (!(fp = fopen(options->pkcs12_file, "rb"))) |
|
| 1545 |
+ msg (M_SSLERR, "Error opening file %s", options->pkcs12_file); |
|
| 1546 |
+ p12 = d2i_PKCS12_fp(fp, NULL); |
|
| 1547 |
+ fclose (fp); |
|
| 1548 |
+ if (!p12) |
|
| 1549 |
+ msg (M_SSLERR, "Error reading PKCS#12 file %s", options->pkcs12_file); |
|
| 1550 |
+ } |
|
| 1551 |
+ |
|
| 1534 | 1552 |
/* Parse the PKCS #12 file */ |
| 1535 | 1553 |
if (!PKCS12_parse(p12, "", &pkey, &cert, &ca)) |
| 1536 | 1554 |
{
|
| ... | ... |
@@ -1539,8 +1557,12 @@ init_ssl (const struct options *options) |
| 1539 | 1539 |
ca = NULL; |
| 1540 | 1540 |
if (!PKCS12_parse(p12, password, &pkey, &cert, &ca)) |
| 1541 | 1541 |
{
|
| 1542 |
+#ifdef ENABLE_MANAGEMENT |
|
| 1543 |
+ if (management && (ERR_GET_REASON (ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE)) |
|
| 1544 |
+ management_auth_failure (management, UP_TYPE_PRIVATE_KEY, NULL); |
|
| 1545 |
+#endif |
|
| 1542 | 1546 |
PKCS12_free(p12); |
| 1543 |
- msg (M_WARN|M_SSL, "Error parsing PKCS#12 file %s", options->pkcs12_file); |
|
| 1547 |
+ msg (M_INFO, "OpenSSL ERROR code: %d", (ERR_GET_REASON (ERR_peek_error()))); // fixme |
|
| 1544 | 1548 |
goto err; |
| 1545 | 1549 |
} |
| 1546 | 1550 |
} |