aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJames Yonan <james@openvpn.net>2010-08-29 05:24:15 +0000
committerJames Yonan <james@openvpn.net>2010-08-29 05:24:15 +0000
commit2e8ff6c1bd1eb96a6551304e16af5e01e86b328f (patch)
tree9d745e5d1dedcc22dea127474f975b1ad2162210
parentAttempt to fix issue where domake-win build system was not properly (diff)
downloadopenvpn-2e8ff6c1bd1eb96a6551304e16af5e01e86b328f.tar.xz
Allow PKCS12 file content to be included inline in configuration file,
rendered as base64. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6412 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to '')
-rw-r--r--options.c6
-rw-r--r--options.h1
-rw-r--r--ssl.c42
3 files changed, 39 insertions, 10 deletions
diff --git a/options.c b/options.c
index e1de0d9..b1ac26c 100644
--- a/options.c
+++ b/options.c
@@ -5680,6 +5680,12 @@ add_option (struct options *options,
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->pkcs12_file = p[1];
+#if ENABLE_INLINE_FILES
+ if (streq (p[1], INLINE_FILE_TAG) && p[2])
+ {
+ options->pkcs12_file_inline = p[2];
+ }
+#endif
}
else if (streq (p[0], "askpass"))
{
diff --git a/options.h b/options.h
index 240f3bb..1d5fe4c 100644
--- a/options.h
+++ b/options.h
@@ -473,6 +473,7 @@ struct options
const char *cert_file_inline;
char *priv_key_file_inline;
const char *dh_file_inline;
+ const char *pkcs12_file_inline; /* contains the base64 encoding of pkcs12 file */
#endif
int ns_cert_type; /* set to 0, NS_SSL_SERVER, or NS_SSL_CLIENT */
diff --git a/ssl.c b/ssl.c
index a140641..a1268ac 100644
--- a/ssl.c
+++ b/ssl.c
@@ -1514,23 +1514,41 @@ init_ssl (const struct options *options)
if (options->pkcs12_file)
{
- /* Use PKCS #12 file for key, cert and CA certs */
+ /* Use PKCS #12 file for key, cert and CA certs */
FILE *fp;
EVP_PKEY *pkey;
X509 *cert;
STACK_OF(X509) *ca = NULL;
- PKCS12 *p12;
+ PKCS12 *p12=NULL;
int i;
char password[256];
- /* Load the PKCS #12 file */
- if (!(fp = fopen(options->pkcs12_file, "rb")))
- msg (M_SSLERR, "Error opening file %s", options->pkcs12_file);
- p12 = d2i_PKCS12_fp(fp, NULL);
- fclose (fp);
- if (!p12) msg (M_SSLERR, "Error reading PKCS#12 file %s", options->pkcs12_file);
-
+#if ENABLE_INLINE_FILES
+ if (!strcmp (options->pkcs12_file, INLINE_FILE_TAG) && options->pkcs12_file_inline)
+ {
+ BIO *b64 = BIO_new (BIO_f_base64());
+ BIO *bio = BIO_new_mem_buf ((void *)options->pkcs12_file_inline, (int)strlen(options->pkcs12_file_inline));
+ ASSERT(b64 && bio);
+ BIO_push (b64, bio);
+ p12 = d2i_PKCS12_bio(b64, NULL);
+ if (!p12)
+ msg (M_SSLERR, "Error reading inline PKCS#12 file");
+ BIO_free (b64);
+ BIO_free (bio);
+ }
+ else
+#endif
+ {
+ /* Load the PKCS #12 file */
+ if (!(fp = fopen(options->pkcs12_file, "rb")))
+ msg (M_SSLERR, "Error opening file %s", options->pkcs12_file);
+ p12 = d2i_PKCS12_fp(fp, NULL);
+ fclose (fp);
+ if (!p12)
+ msg (M_SSLERR, "Error reading PKCS#12 file %s", options->pkcs12_file);
+ }
+
/* Parse the PKCS #12 file */
if (!PKCS12_parse(p12, "", &pkey, &cert, &ca))
{
@@ -1539,8 +1557,12 @@ init_ssl (const struct options *options)
ca = NULL;
if (!PKCS12_parse(p12, password, &pkey, &cert, &ca))
{
+#ifdef ENABLE_MANAGEMENT
+ if (management && (ERR_GET_REASON (ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE))
+ management_auth_failure (management, UP_TYPE_PRIVATE_KEY, NULL);
+#endif
PKCS12_free(p12);
- msg (M_WARN|M_SSL, "Error parsing PKCS#12 file %s", options->pkcs12_file);
+ msg (M_INFO, "OpenSSL ERROR code: %d", (ERR_GET_REASON (ERR_peek_error()))); // fixme
goto err;
}
}