aboutsummaryrefslogtreecommitdiff
path: root/ssl.c
diff options
context:
space:
mode:
authorjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2005-11-08 12:50:11 +0000
committerjames <james@e7ae566f-a301-0410-adde-c780ea21d3b5>2005-11-08 12:50:11 +0000
commitd40f2b204b78ace5c2c9c3007887571ca5a2ec11 (patch)
tree979cef9340fd0ae688e6a11d01a61bdc856bedaf /ssl.c
parentMerged /contrib/alon/BETA21@778 (diff)
downloadopenvpn-d40f2b204b78ace5c2c9c3007887571ca5a2ec11.tar.xz
Added ENABLE_INLINE_FILES feature.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@784 e7ae566f-a301-0410-adde-c780ea21d3b5
Diffstat (limited to '')
-rw-r--r--ssl.c264
1 files changed, 242 insertions, 22 deletions
diff --git a/ssl.c b/ssl.c
index 945edd0..2b78bd0 100644
--- a/ssl.c
+++ b/ssl.c
@@ -734,6 +734,170 @@ info_callback (INFO_CALLBACK_SSL_CONST SSL * s, int where, int ret)
}
}
+#if ENABLE_INLINE_FILES
+
+static int
+use_inline_load_verify_locations (SSL_CTX *ctx, const char *ca_string)
+{
+ X509_STORE *store = NULL;
+ X509* cert = NULL;
+ BIO *in = NULL;
+ int ret = 0;
+
+ in = BIO_new_mem_buf ((char *)ca_string, -1);
+ if (!in)
+ goto err;
+
+ for (;;)
+ {
+ if (!PEM_read_bio_X509 (in, &cert, 0, NULL))
+ {
+ ret = 1;
+ break;
+ }
+ if (!cert)
+ break;
+
+ store = SSL_CTX_get_cert_store (ctx);
+ if (!store)
+ break;
+
+ if (!X509_STORE_add_cert (store, cert))
+ break;
+
+ if (cert)
+ {
+ X509_free (cert);
+ cert = NULL;
+ }
+ }
+
+ err:
+ if (cert)
+ X509_free (cert);
+ if (in)
+ BIO_free (in);
+ return ret;
+}
+
+static int
+xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
+{
+ return(X509_NAME_cmp(*a,*b));
+}
+
+static STACK_OF(X509_NAME) *
+use_inline_load_client_CA_file (SSL_CTX *ctx, const char *ca_string)
+{
+ BIO *in = NULL;
+ X509 *x = NULL;
+ X509_NAME *xn = NULL;
+ STACK_OF(X509_NAME) *ret = NULL, *sk;
+
+ sk=sk_X509_NAME_new(xname_cmp);
+
+ in = BIO_new_mem_buf ((char *)ca_string, -1);
+ if (!in)
+ goto err;
+
+ if ((sk == NULL) || (in == NULL))
+ goto err;
+
+ for (;;)
+ {
+ if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
+ break;
+ if (ret == NULL)
+ {
+ ret = sk_X509_NAME_new_null();
+ if (ret == NULL)
+ goto err;
+ }
+ if ((xn=X509_get_subject_name(x)) == NULL) goto err;
+ /* check for duplicates */
+ xn=X509_NAME_dup(xn);
+ if (xn == NULL) goto err;
+ if (sk_X509_NAME_find(sk,xn) >= 0)
+ X509_NAME_free(xn);
+ else
+ {
+ sk_X509_NAME_push(sk,xn);
+ sk_X509_NAME_push(ret,xn);
+ }
+ }
+
+ if (0)
+ {
+ err:
+ if (ret != NULL) sk_X509_NAME_pop_free(ret,X509_NAME_free);
+ ret=NULL;
+ }
+ if (sk != NULL) sk_X509_NAME_free(sk);
+ if (in != NULL) BIO_free(in);
+ if (x != NULL) X509_free(x);
+ if (ret != NULL)
+ ERR_clear_error();
+ return(ret);
+}
+
+static int
+use_inline_certificate_file (SSL_CTX *ctx, const char *cert_string)
+{
+ BIO *in = NULL;
+ X509 *x = NULL;
+ int ret = 0;
+
+ in = BIO_new_mem_buf ((char *)cert_string, -1);
+ if (!in)
+ goto end;
+
+ x = PEM_read_bio_X509 (in,
+ NULL,
+ ctx->default_passwd_callback,
+ ctx->default_passwd_callback_userdata);
+ if (!x)
+ goto end;
+
+ ret = SSL_CTX_use_certificate(ctx, x);
+
+ end:
+ if (x)
+ X509_free (x);
+ if (in)
+ BIO_free (in);
+ return ret;
+}
+
+static int
+use_inline_PrivateKey_file (SSL_CTX *ctx, const char *key_string)
+{
+ BIO *in = NULL;
+ EVP_PKEY *pkey = NULL;
+ int ret = 0;
+
+ in = BIO_new_mem_buf ((char *)key_string, -1);
+ if (!in)
+ goto end;
+
+ pkey = PEM_read_bio_PrivateKey (in,
+ NULL,
+ ctx->default_passwd_callback,
+ ctx->default_passwd_callback_userdata);
+ if (!pkey)
+ goto end;
+
+ ret = SSL_CTX_use_PrivateKey (ctx, pkey);
+
+ end:
+ if (pkey)
+ EVP_PKEY_free (pkey);
+ if (in)
+ BIO_free (in);
+ return ret;
+}
+
+#endif
+
/*
* Initialize SSL context.
* All files are in PEM format.
@@ -756,9 +920,20 @@ init_ssl (const struct options *options)
SSL_CTX_set_tmp_rsa_callback (ctx, tmp_rsa_cb);
- /* Get Diffie Hellman Parameters */
- if (!(bio = BIO_new_file (options->dh_file, "r")))
- msg (M_SSLERR, "Cannot open %s for DH parameters", options->dh_file);
+#if ENABLE_INLINE_FILES
+ if (!strcmp (options->dh_file, INLINE_FILE_TAG) && options->dh_file_inline)
+ {
+ if (!(bio = BIO_new_mem_buf ((char *)options->dh_file_inline, -1)))
+ msg (M_SSLERR, "Cannot open memory BIO for inline DH parameters");
+ }
+ else
+#endif
+ {
+ /* Get Diffie Hellman Parameters */
+ if (!(bio = BIO_new_file (options->dh_file, "r")))
+ msg (M_SSLERR, "Cannot open %s for DH parameters", options->dh_file);
+ }
+
dh = PEM_read_bio_DHparams (bio, NULL, NULL, NULL);
BIO_free (bio);
if (!dh)
@@ -874,15 +1049,37 @@ init_ssl (const struct options *options)
/* Load Certificate */
if (options->cert_file)
{
- using_cert_file = true;
- if (!SSL_CTX_use_certificate_file (ctx, options->cert_file, SSL_FILETYPE_PEM))
- msg (M_SSLERR, "Cannot load certificate file %s", options->cert_file);
+#if ENABLE_INLINE_FILES
+ if (!strcmp (options->cert_file, INLINE_FILE_TAG) && options->cert_file_inline)
+ {
+ if (!use_inline_certificate_file (ctx, options->cert_file_inline))
+ msg (M_SSLERR, "Cannot load inline certificate file");
+ }
+ else
+#endif
+ {
+ if (!SSL_CTX_use_certificate_file (ctx, options->cert_file, SSL_FILETYPE_PEM))
+ msg (M_SSLERR, "Cannot load certificate file %s", options->cert_file);
+ using_cert_file = true;
+ }
}
/* Load Private Key */
if (options->priv_key_file)
{
- if (!SSL_CTX_use_PrivateKey_file (ctx, options->priv_key_file, SSL_FILETYPE_PEM))
+ int status;
+
+#if ENABLE_INLINE_FILES
+ if (!strcmp (options->priv_key_file, INLINE_FILE_TAG) && options->priv_key_file_inline)
+ {
+ status = use_inline_PrivateKey_file (ctx, options->priv_key_file_inline);
+ }
+ else
+#endif
+ {
+ status = SSL_CTX_use_PrivateKey_file (ctx, options->priv_key_file, SSL_FILETYPE_PEM);
+ }
+ if (!status)
{
#ifdef ENABLE_MANAGEMENT
if (management && (ERR_GET_REASON (ERR_peek_error()) == EVP_R_BAD_DECRYPT))
@@ -902,34 +1099,57 @@ init_ssl (const struct options *options)
if (options->ca_file || options->ca_path)
{
- /* Load CA file for verifying peer supplied certificate */
- ASSERT (options->ca_file || options->ca_path);
- if (!SSL_CTX_load_verify_locations (ctx, options->ca_file, options->ca_path))
- msg (M_SSLERR, "Cannot load CA certificate file %s path %s (SSL_CTX_load_verify_locations)", options->ca_file, options->ca_path);
+ int status;
+
+#if ENABLE_INLINE_FILES
+ if (!strcmp (options->ca_file, INLINE_FILE_TAG) && options->ca_file_inline)
+ {
+ status = use_inline_load_verify_locations (ctx, options->ca_file_inline);
+ }
+ else
+#endif
+ {
+ /* Load CA file for verifying peer supplied certificate */
+ status = SSL_CTX_load_verify_locations (ctx, options->ca_file, options->ca_path);
+ }
+
+ if (!status)
+ msg (M_SSLERR, "Cannot load CA certificate file %s path %s (SSL_CTX_load_verify_locations)", options->ca_file, options->ca_path);
/* Set a store for certs (CA & CRL) with a lookup on the "capath" hash directory */
if (options->ca_path) {
X509_STORE *store = SSL_CTX_get_cert_store(ctx);
- if (store) {
- X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
- if (!X509_LOOKUP_add_dir(lookup, options->ca_path, X509_FILETYPE_PEM))
- X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
- else
- msg(M_WARN, "WARNING: experimental option --capath %s", options->ca_path);
+ if (store)
+ {
+ X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
+ if (!X509_LOOKUP_add_dir(lookup, options->ca_path, X509_FILETYPE_PEM))
+ X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
+ else
+ msg(M_WARN, "WARNING: experimental option --capath %s", options->ca_path);
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
- X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
+ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
#else
- msg(M_WARN, "WARNING: this version of OpenSSL cannot handle CRL files in capath");
+ msg(M_WARN, "WARNING: this version of OpenSSL cannot handle CRL files in capath");
#endif
- } else
+ }
+ else
msg(M_SSLERR, "Cannot get certificate store (SSL_CTX_get_cert_store)");
}
/* Load names of CAs from file and use it as a client CA list */
if (options->ca_file) {
- STACK_OF(X509_NAME) *cert_names;
- cert_names = SSL_load_client_CA_file (options->ca_file);
+ STACK_OF(X509_NAME) *cert_names = NULL;
+#if ENABLE_INLINE_FILES
+ if (!strcmp (options->ca_file, INLINE_FILE_TAG) && options->ca_file_inline)
+ {
+ cert_names = use_inline_load_client_CA_file (ctx, options->ca_file_inline);
+ }
+ else
+#endif
+ {
+ cert_names = SSL_load_client_CA_file (options->ca_file);
+ }
if (!cert_names)
msg (M_SSLERR, "Cannot load CA certificate file %s (SSL_load_client_CA_file)", options->ca_file);
SSL_CTX_set_client_CA_list (ctx, cert_names);