Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: James Yonan <james@openvpn.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
... | ... |
@@ -6248,6 +6248,7 @@ add_option (struct options *options, |
6248 | 6248 |
} |
6249 | 6249 |
#endif |
6250 | 6250 |
} |
6251 |
+#ifdef USE_POLARSSL |
|
6251 | 6252 |
else if (streq (p[0], "pkcs12") && p[1]) |
6252 | 6253 |
{ |
6253 | 6254 |
VERIFY_PERMISSION (OPT_P_GENERAL); |
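Review bot: The guard added before `else if (streq (p[0], "pkcs12") && p[1])` reads `#ifdef USE_POLARSSL`, while the guard added around `tls-export-cert` in the later hunk (`@@ -6320,11 +6322,13 @@`) reads `#ifndef USE_POLARSSL`; the two are opposite in sense although both appear to carve a backend-specific option out of the parser. If `--pkcs12` is meant to be unavailable on PolarSSL builds, as `tls-export-cert` is, the first guard looks inverted and would instead drop the option from OpenSSL builds; confirm the intent and, if so, change the line to `#ifndef USE_POLARSSL`. The matching `#endif` lands in the next hunk after the pkcs12 block's closing brace, so the `else if` chain stays intact either way. add_option's body extends outside all three hunks.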
... | ... |
@@ -6259,6 +6260,7 @@ add_option (struct options *options, |
6259 | 6259 |
} |
6260 | 6260 |
#endif |
6261 | 6261 |
} |
6262 |
+#endif /* USE_POLARSSL */ |
|
6262 | 6263 |
else if (streq (p[0], "askpass")) |
6263 | 6264 |
{ |
6264 | 6265 |
VERIFY_PERMISSION (OPT_P_GENERAL); |
... | ... |
@@ -6320,11 +6322,13 @@ add_option (struct options *options, |
6320 | 6320 |
warn_multiple_script (options->tls_verify, "tls-verify"); |
6321 | 6321 |
options->tls_verify = string_substitute (p[1], ',', ' ', &options->gc); |
6322 | 6322 |
} |
6323 |
+#ifndef USE_POLARSSL |
|
6323 | 6324 |
else if (streq (p[0], "tls-export-cert") && p[1]) |
6324 | 6325 |
{ |
6325 | 6326 |
VERIFY_PERMISSION (OPT_P_GENERAL); |
6326 | 6327 |
options->tls_export_cert = p[1]; |
6327 | 6328 |
} |
6329 |
+#endif |
|
6328 | 6330 |
else if (streq (p[0], "tls-remote") && p[1]) |
6329 | 6331 |
{ |
6330 | 6332 |
VERIFY_PERMISSION (OPT_P_GENERAL); |
... | ... |
@@ -464,6 +464,34 @@ verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es, |
464 | 464 |
return 0; |
465 | 465 |
} |
466 | 466 |
|
467 |
+static const char * |
|
468 |
+verify_cert_export_cert(x509_cert_t *peercert, const char *tmp_dir, struct gc_arena *gc) |
|
469 |
+{ |
|
470 |
+ FILE *peercert_file; |
|
471 |
+ const char *peercert_filename=""; |
|
472 |
+ |
|
473 |
+ if(!tmp_dir) |
|
474 |
+ return NULL; |
|
475 |
+ |
|
476 |
+ /* create tmp file to store peer cert */ |
|
477 |
+ peercert_filename = create_temp_file (tmp_dir, "pcf", gc); |
|
478 |
+ |
|
479 |
+ /* write peer-cert in tmp-file */ |
|
480 |
+ peercert_file = fopen(peercert_filename, "w+"); |
|
481 |
+ if(!peercert_file) |
|
482 |
+ { |
|
483 |
+ msg (M_ERR, "Failed to open temporary file : %s", peercert_filename); |
|
484 |
+ return NULL; |
|
485 |
+ } |
|
486 |
+ |
|
487 |
+ if (x509_write_pem(peercert_file, peercert)) |
|
488 |
+ msg (M_ERR, "Error writing PEM file containing certificate"); |
|
489 |
+ |
|
490 |
+ fclose(peercert_file); |
|
491 |
+ return peercert_filename; |
|
492 |
+} |
|
493 |
+ |
|
494 |
+ |
|
467 | 495 |
/* |
468 | 496 |
* run --tls-verify script |
469 | 497 |
*/ |
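Review bot: verify_cert_export_cert still returns `peercert_filename` after `x509_write_pem` reports failure, so the caller exports `peer_cert` pointing at an empty or partial file, and the `fclose` on a write stream is unchecked, so a failed flush is missed the same way; unless `M_ERR` is fatal (not visible here), both paths should return NULL. The result of `create_temp_file` is also passed straight to `fopen`; if it can return NULL on failure, `fopen` receives a null path, so a NULL check belongs before it. The initializer `peercert_filename=""` is dead, since the value is overwritten before any use. A reworked body follows; the function's caller is in the next hunk.

```c
static const char *
verify_cert_export_cert(x509_cert_t *peercert, const char *tmp_dir, struct gc_arena *gc)
{
  FILE *peercert_file;
  const char *peercert_filename;

  if (!tmp_dir)
    return NULL;

  /* create tmp file to store peer cert; bail out if none could be created */
  peercert_filename = create_temp_file (tmp_dir, "pcf", gc);
  if (!peercert_filename)
    return NULL;

  /* … unchanged: fopen and the "Failed to open temporary file" check … */

  /* never hand a partially written file to the verify script */
  if (x509_write_pem(peercert_file, peercert))
    {
      msg (M_ERR, "Error writing PEM file containing certificate");
      fclose(peercert_file);
      return NULL;
    }

  /* fclose flushes; a failure here means the file on disk is incomplete */
  if (fclose(peercert_file) != 0)
    {
      msg (M_ERR, "Failed to close temporary file : %s", peercert_filename);
      return NULL;
    }
  return peercert_filename;
}
```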
... | ... |
@@ -481,7 +509,7 @@ verify_cert_call_command(const char *verify_command, struct env_set *es, |
481 | 481 |
if (verify_export_cert) |
482 | 482 |
{ |
483 | 483 |
gc = gc_new(); |
484 |
- if ((tmp_file=x509_write_cert(cert, verify_export_cert,&gc))) |
|
484 |
+ if ((tmp_file=verify_cert_export_cert(cert, verify_export_cert, &gc))) |
|
485 | 485 |
{ |
486 | 486 |
setenv_str(es, "peer_cert", tmp_file); |
487 | 487 |
} |
... | ... |
@@ -98,7 +98,6 @@ void x509_free_subject (char *subject); |
98 | 98 |
* |
99 | 99 |
* @return a string containing the SHA1 hash of the certificate |
100 | 100 |
*/ |
101 |
- |
|
102 | 101 |
unsigned char *x509_get_sha1_hash (x509_cert_t *cert); |
103 | 102 |
|
104 | 103 |
/* |
... | ... |
@@ -247,8 +246,7 @@ bool x509_verify_cert_eku (x509_cert_t *x509, const char * const expected_oid); |
247 | 247 |
* @param tmp_dir Temporary directory to store the directory |
248 | 248 |
* @param gc gc_arena to store temporary objects in |
249 | 249 |
*/ |
250 |
-const char *x509_write_cert(x509_cert_t *cert, const char *tmp_dir, |
|
251 |
- struct gc_arena *gc); |
|
250 |
+bool x509_write_pem(FILE *peercert_file, x509_cert_t *peercert); |
|
252 | 251 |
|
253 | 252 |
/* |
254 | 253 |
* Check the certificate against a CRL file. |
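Review bot: The Doxygen block above the new `x509_write_pem` prototype still documents `@param tmp_dir` and `@param gc`, parameters the function no longer takes, and says nothing about the new `FILE *` argument or the meaning of the `bool` result, which the OpenSSL implementation in this commit sets to true on failure. Replace the two stale `@param` lines with `@param peercert_file Open stream to write the PEM-encoded certificate to` and `@param peercert Certificate to write`, and add `@return true on failure, false on success`. Since true meaning failure is the reverse of the usual bool convention, stating it here is what keeps callers from inverting the test. The start of the comment block is above this hunk.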
... | ... |
@@ -515,34 +515,15 @@ x509_verify_cert_eku (X509 *x509, const char * const expected_oid) |
515 | 515 |
return fFound; |
516 | 516 |
} |
517 | 517 |
|
518 |
-const char * |
|
519 |
-x509_write_cert(X509 *peercert, const char *tmp_dir, struct gc_arena *gc) |
|
518 |
+bool |
|
519 |
+x509_write_pem(FILE *peercert_file, X509 *peercert) |
|
520 | 520 |
{ |
521 |
- FILE *peercert_file; |
|
522 |
- const char *peercert_filename=""; |
|
523 |
- |
|
524 |
- if(!tmp_dir) |
|
525 |
- return NULL; |
|
526 |
- |
|
527 |
- /* create tmp file to store peer cert */ |
|
528 |
- peercert_filename = create_temp_file (tmp_dir, "pcf", gc); |
|
529 |
- |
|
530 |
- /* write peer-cert in tmp-file */ |
|
531 |
- peercert_file = fopen(peercert_filename, "w+"); |
|
532 |
- if(!peercert_file) |
|
533 |
- { |
|
534 |
- msg (M_ERR, "Failed to open temporary file : %s", peercert_filename); |
|
535 |
- return NULL; |
|
536 |
- } |
|
537 |
- if(PEM_write_X509(peercert_file,peercert)<0) |
|
521 |
+ if (PEM_write_X509(peercert_file, peercert) < 0) |
|
538 | 522 |
{ |
539 | 523 |
msg (M_ERR, "Failed to write peer certificate in PEM format"); |
540 |
- fclose(peercert_file); |
|
541 |
- return NULL; |
|
524 |
+ return true; |
|
542 | 525 |
} |
543 |
- |
|
544 |
- fclose(peercert_file); |
|
545 |
- return peercert_filename; |
|
526 |
+ return false; |
|
546 | 527 |
} |
547 | 528 |
|
548 | 529 |
#endif /* OPENSSL_VERSION_NUMBER */ |
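Review bot: The rewritten check `if (PEM_write_X509(peercert_file, peercert) < 0)` can never be true: OpenSSL's PEM_write_X509 returns 1 on success and 0 on failure, so a failed write falls through to `return false`, is reported as success, and the temporary file handed to the verify script may be empty. The line should read `if (PEM_write_X509(peercert_file, peercert) != 1)`. Separately, if `M_ERR` carries M_FATAL as in OpenVPN's error.h, the `return true` after the msg is unreachable and the function's failure value is only ever produced by the PolarSSL stub; a non-fatal level, as the PolarSSL side now uses, would let the bool result actually reach the caller. The `< 0` test predates this commit, but the line is rewritten here, so it is fair to fix now.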
... | ... |
@@ -372,35 +372,11 @@ x509_verify_cert_eku (x509_cert *cert, const char * const expected_oid) |
372 | 372 |
return fFound; |
373 | 373 |
} |
374 | 374 |
|
375 |
-const char * |
|
376 |
-x509_write_cert(x509_cert *peercert, const char *tmp_dir, struct gc_arena *gc) |
|
375 |
+bool |
|
376 |
+x509_write_pem(FILE *peercert_file, x509_cert *peercert) |
|
377 | 377 |
{ |
378 |
- FILE *peercert_file; |
|
379 |
- const char *peercert_filename=""; |
|
380 |
- |
|
381 |
- if(!tmp_dir) |
|
382 |
- return NULL; |
|
383 |
- |
|
384 |
- /* create tmp file to store peer cert */ |
|
385 |
- peercert_filename = create_temp_file (tmp_dir, "pcf", gc); |
|
386 |
- |
|
387 |
- /* write peer-cert in tmp-file */ |
|
388 |
- peercert_file = fopen(peercert_filename, "w+"); |
|
389 |
- if(!peercert_file) |
|
390 |
- { |
|
391 |
- msg (M_ERR, "Failed to open temporary file : %s", peercert_filename); |
|
392 |
- return NULL; |
|
393 |
- } |
|
394 |
- |
|
395 |
-// if(PEM_write_X509(peercert_file,peercert)<0) |
|
396 |
-// { |
|
397 |
- msg (M_ERR, "PolarSSL does not support writing peer certificate in PEM format"); |
|
398 |
- fclose(peercert_file); |
|
399 |
- return NULL; |
|
400 |
-// } |
|
401 |
- |
|
402 |
- fclose(peercert_file); |
|
403 |
- return peercert_filename; |
|
378 |
+ msg (M_WARN, "PolarSSL does not support writing peer certificate in PEM format"); |
|
379 |
+ return true; |
|
404 | 380 |
} |
405 | 381 |
|
406 | 382 |
/* |
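Review bot: The PolarSSL `x509_write_pem` is a stub that ignores both parameters and always returns true, but nothing in the body says so; a reader has to cross-reference the OpenSSL version to learn that true means failure. Add a comment above the msg such as `/* No PEM writer in this backend: always report failure so the caller never exports a partial file */`. The downgrade from M_ERR to M_WARN is what lets the true return reach verify_cert_export_cert, which then logs its own error, so two messages are emitted for one event; that follows from the caller added in this commit, not from lines visible here, so confirm it is intended.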