From 2e8ff6c1bd1eb96a6551304e16af5e01e86b328f Mon Sep 17 00:00:00 2001
From: James Yonan
Date: Sun, 29 Aug 2010 05:24:15 +0000
Subject: Allow PKCS12 file content to be included inline in configuration file, rendered as base64.

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6412 e7ae566f-a301-0410-adde-c780ea21d3b5
---
 options.c | 6 ++++++
 options.h | 1 +
 ssl.c | 42 ++++++++++++++++++++++++++++++++----------
 3 files changed, 39 insertions(+), 10 deletions(-)

diff --git a/options.c b/options.c
index e1de0d9..b1ac26c 100644
--- a/options.c
+++ b/options.c
@@ -5680,6 +5680,12 @@ add_option (struct options *options,
 {
 VERIFY_PERMISSION (OPT_P_GENERAL);
 options->pkcs12_file = p[1];
+#if ENABLE_INLINE_FILES
+ if (streq (p[1], INLINE_FILE_TAG) && p[2])
+ {
+ options->pkcs12_file_inline = p[2];
+ }
+#endif
 }
 else if (streq (p[0], "askpass"))
 {
diff --git a/options.h b/options.h
index 240f3bb..1d5fe4c 100644
--- a/options.h
+++ b/options.h
@@ -473,6 +473,7 @@ struct options
 const char *cert_file_inline;
 char *priv_key_file_inline;
 const char *dh_file_inline;
+ const char *pkcs12_file_inline; /* contains the base64 encoding of pkcs12 file */
 #endif
 int ns_cert_type; /* set to 0, NS_SSL_SERVER, or NS_SSL_CLIENT */
diff --git a/ssl.c b/ssl.c
index a140641..a1268ac 100644
--- a/ssl.c
+++ b/ssl.c
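Review bot: The guard `streq (p[1], INLINE_FILE_TAG) && p[2]` records the inline payload only when a second argument is present, but `options->pkcs12_file = p[1]` on the line above has already stored the tag string itself, so a tag with no payload leaves `pkcs12_file` equal to INLINE_FILE_TAG and `pkcs12_file_inline` NULL. The loader in the ssl.c hunk of this same patch tests both fields and otherwise falls through to `fopen` on the literal tag, which would surface as a misleading "Error opening file" diagnostic rather than a configuration error. If the config parser can ever hand add_option the tag without content, an explicit else branch rejecting the bare tag, using whatever malformed-argument reporting add_option already uses, would diagnose it at parse time. add_option starts and ends outside the hunk, and whether the other `*_file_inline` options are handled the same way is not visible here.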
@@ -1514,23 +1514,41 @@ init_ssl (const struct options *options)
 if (options->pkcs12_file)
 {
- /* Use PKCS #12 file for key, cert and CA certs */
+ /* Use PKCS #12 file for key, cert and CA certs */
 FILE *fp;
 EVP_PKEY *pkey;
 X509 *cert;
 STACK_OF(X509) *ca = NULL;
- PKCS12 *p12;
+ PKCS12 *p12=NULL;
 int i;
 char password[256];
- /* Load the PKCS #12 file */
- if (!(fp = fopen(options->pkcs12_file, "rb")))
- msg (M_SSLERR, "Error opening file %s", options->pkcs12_file);
- p12 = d2i_PKCS12_fp(fp, NULL);
- fclose (fp);
- if (!p12) msg (M_SSLERR, "Error reading PKCS#12 file %s", options->pkcs12_file);
-
+#if ENABLE_INLINE_FILES
+ if (!strcmp (options->pkcs12_file, INLINE_FILE_TAG) && options->pkcs12_file_inline)
+ {
+ BIO *b64 = BIO_new (BIO_f_base64());
+ BIO *bio = BIO_new_mem_buf ((void *)options->pkcs12_file_inline, (int)strlen(options->pkcs12_file_inline));
+ ASSERT(b64 && bio);
+ BIO_push (b64, bio);
+ p12 = d2i_PKCS12_bio(b64, NULL);
+ if (!p12)
+ msg (M_SSLERR, "Error reading inline PKCS#12 file");
+ BIO_free (b64);
+ BIO_free (bio);
+ }
+ else
+#endif
+ {
+ /* Load the PKCS #12 file */
+ if (!(fp = fopen(options->pkcs12_file, "rb")))
+ msg (M_SSLERR, "Error opening file %s", options->pkcs12_file);
+ p12 = d2i_PKCS12_fp(fp, NULL);
+ fclose (fp);
+ if (!p12)
+ msg (M_SSLERR, "Error reading PKCS#12 file %s", options->pkcs12_file);
+ }
+
 /* Parse the PKCS #12 file */
 if (!PKCS12_parse(p12, "", &pkey, &cert, &ca))
 {
@@ -1539,8 +1557,12 @@ init_ssl (const struct options *options)
 ca = NULL;
 if (!PKCS12_parse(p12, password, &pkey, &cert, &ca))
 {
+#ifdef ENABLE_MANAGEMENT
+ if (management && (ERR_GET_REASON (ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE))
+ management_auth_failure (management, UP_TYPE_PRIVATE_KEY, NULL);
+#endif
 PKCS12_free(p12);
- msg (M_WARN|M_SSL, "Error parsing PKCS#12 file %s", options->pkcs12_file);
+ msg (M_INFO, "OpenSSL ERROR code: %d", (ERR_GET_REASON (ERR_peek_error()))); // fixme
 goto err;
 }
 }
-- 
cgit v1.2.3
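Review bot: In the inline branch `ASSERT(b64 && bio)` turns an OpenSSL allocation failure into an assertion abort that names neither the option nor the cause, while every other failure in this block is reported through `msg (M_SSLERR, ...)`; `if (!b64 || !bio) msg (M_SSLERR, "Cannot allocate BIO for inline PKCS#12 file");` would keep the error path consistent with the fopen/d2i_PKCS12_fp diagnostics in the file branch just below. The `(int)strlen(...)` narrowing passed to BIO_new_mem_buf and the `(void *)` cast that discards the const of pkcs12_file_inline both look like constraints of the OpenSSL API of the time rather than bugs, but a short comment saying so would stop the next reader from "fixing" them. The `else` that exists only under ENABLE_INLINE_FILES, followed by a bare `{` block after `#endif`, is easy to misread as an unconditional compound statement; a comment above the block such as `/* without inline-file support this block is the only loader */` would make the shape obvious. init_ssl starts and ends outside the hunk.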
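Review bot: The replacement `msg (M_INFO, "OpenSSL ERROR code: %d", ...); // fixme` drops the user-facing "Error parsing PKCS#12 file %s" warning together with its M_SSL flag (which, judging by its name, attached OpenSSL's own error text), so a wrong PKCS#12 password now logs only a bare numeric reason at info level before `goto err`; the original line `msg (M_WARN|M_SSL, "Error parsing PKCS#12 file %s", options->pkcs12_file);` should be restored, with the numeric code appended to it if it is still wanted. The new management check tests only `ERR_GET_REASON (ERR_peek_error())`, which is the oldest entry in the error queue, and reason codes are only meaningful together with their library, so the comparison is better written on the most recent error with a library check: `const unsigned long err = ERR_peek_last_error();` and `ERR_GET_LIB (err) == ERR_LIB_PKCS12 && ERR_GET_REASON (err) == PKCS12_R_MAC_VERIFY_FAILURE`. Whether the queue is cleared between the empty-password attempt above and this one is not visible here, and the `// fixme` marker itself should not land on a release branch. The enclosing init_ssl starts and ends outside the hunk.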