authorAdriaan de Jong <dejong@fox-it.com>2011-07-05 11:48:38 +0200
committerDavid Sommerseth <davids@redhat.com>2011-10-22 16:00:49 +0200
commit8bb72fbcba4721a68333f06d8b38a5ad05f6638a (patch)
tree1dca2e795ba58b236b87c74dd906aebcfecccd61
parent477127061a22e6e998755c657873aa1b212ea59a (diff)
downloadopenvpn-8bb72fbcba4721a68333f06d8b38a5ad05f6638a.tar.gz
openvpn-8bb72fbcba4721a68333f06d8b38a5ad05f6638a.tar.xz
openvpn-8bb72fbcba4721a68333f06d8b38a5ad05f6638a.zip
Refactored (and disabled for PolarSSL) support for writing external cert files in scripts
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
-rw-r--r--options.c4
-rw-r--r--ssl_verify.c30
-rw-r--r--ssl_verify_backend.h4
-rw-r--r--ssl_verify_openssl.c29
-rw-r--r--ssl_verify_polarssl.c32
5 files changed, 43 insertions, 56 deletions
diff --git a/options.c b/options.c
index 8ee24a0..f780681 100644
--- a/options.c
+++ b/options.c
@@ -6248,6 +6248,7 @@ add_option (struct options *options,
}
#endif
}
+#ifdef USE_POLARSSL
else if (streq (p[0], "pkcs12") && p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
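Review bot: The guard added around the pkcs12 option is `#ifdef USE_POLARSSL`, which keeps the option only in PolarSSL builds, while the guard this same commit adds around tls-export-cert in the third hunk is `#ifndef USE_POLARSSL`. If pkcs12 is meant to be switched off for PolarSSL like tls-export-cert (the commit message only speaks of disabling), the sense here is inverted and non-PolarSSL builds lose the option; if the asymmetry is intentional it needs a comment saying why. The fix, if inverted, is `#ifndef USE_POLARSSL` on this line, with the `#endif /* USE_POLARSSL */` in the second hunk unchanged; the bare `#endif` in the third hunk would also read better with the same trailing comment. The enclosing add_option body starts and ends outside the hunk.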
@@ -6259,6 +6260,7 @@ add_option (struct options *options,
}
#endif
}
+#endif /* USE_POLARSSL */
else if (streq (p[0], "askpass"))
{
VERIFY_PERMISSION (OPT_P_GENERAL);
@@ -6320,11 +6322,13 @@ add_option (struct options *options,
warn_multiple_script (options->tls_verify, "tls-verify");
options->tls_verify = string_substitute (p[1], ',', ' ', &options->gc);
}
+#ifndef USE_POLARSSL
else if (streq (p[0], "tls-export-cert") && p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->tls_export_cert = p[1];
}
+#endif
else if (streq (p[0], "tls-remote") && p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
diff --git a/ssl_verify.c b/ssl_verify.c
index 0c1296a..8233147 100644
--- a/ssl_verify.c
+++ b/ssl_verify.c
@@ -464,6 +464,34 @@ verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es,
return 0;
}
+static const char *
+verify_cert_export_cert(x509_cert_t *peercert, const char *tmp_dir, struct gc_arena *gc)
+{
+ FILE *peercert_file;
+ const char *peercert_filename="";
+
+ if(!tmp_dir)
+ return NULL;
+
+ /* create tmp file to store peer cert */
+ peercert_filename = create_temp_file (tmp_dir, "pcf", gc);
+
+ /* write peer-cert in tmp-file */
+ peercert_file = fopen(peercert_filename, "w+");
+ if(!peercert_file)
+ {
+ msg (M_ERR, "Failed to open temporary file : %s", peercert_filename);
+ return NULL;
+ }
+
+ if (x509_write_pem(peercert_file, peercert))
+ msg (M_ERR, "Error writing PEM file containing certificate");
+
+ fclose(peercert_file);
+ return peercert_filename;
+}
+
+
/*
* run --tls-verify script
*/
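Review bot: verify_cert_export_cert passes the value returned by create_temp_file straight to fopen at `peercert_file = fopen(peercert_filename, "w+");` without a NULL check; if create_temp_file reports failure by returning NULL (its warning-on-failure behaviour suggests it does), fopen receives a null path. The write-failure branch also only logs: after x509_write_pem reports failure the function still closes the file and returns its name, so the --tls-verify script is handed a truncated or empty peer_cert file as if it were valid (unless M_ERR is fatal in this build, in which case the fall-through after the msg call is dead code either way). The return value of fclose is ignored as well, so a write error surfacing on flush goes unnoticed. The rewritten lines below check the temp-file name, return NULL on a PEM write failure, and treat a failed fclose as an error.
```c
static const char *
verify_cert_export_cert(x509_cert_t *peercert, const char *tmp_dir, struct gc_arena *gc)
{
  /* … unchanged: declarations and tmp_dir guard … */

  /* create tmp file to store peer cert */
  peercert_filename = create_temp_file (tmp_dir, "pcf", gc);
  if (!peercert_filename)
    return NULL;

  /* … unchanged: fopen and its NULL check … */

  if (x509_write_pem(peercert_file, peercert))
    {
      msg (M_ERR, "Error writing PEM file containing certificate");
      fclose(peercert_file);
      return NULL;
    }

  /* a failed flush on close means the file on disk is not the full certificate */
  if (fclose(peercert_file) != 0)
    {
      msg (M_WARN, "Failed to close temporary file : %s", peercert_filename);
      return NULL;
    }
  return peercert_filename;
}
```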
@@ -481,7 +509,7 @@ verify_cert_call_command(const char *verify_command, struct env_set *es,
if (verify_export_cert)
{
gc = gc_new();
- if ((tmp_file=x509_write_cert(cert, verify_export_cert,&gc)))
+ if ((tmp_file=verify_cert_export_cert(cert, verify_export_cert, &gc)))
{
setenv_str(es, "peer_cert", tmp_file);
}
diff --git a/ssl_verify_backend.h b/ssl_verify_backend.h
index d526270..f7e0861 100644
--- a/ssl_verify_backend.h
+++ b/ssl_verify_backend.h
@@ -98,7 +98,6 @@ void x509_free_subject (char *subject);
*
* @return a string containing the SHA1 hash of the certificate
*/
-
unsigned char *x509_get_sha1_hash (x509_cert_t *cert);
/*
@@ -247,8 +246,7 @@ bool x509_verify_cert_eku (x509_cert_t *x509, const char * const expected_oid);
* @param tmp_dir Temporary directory to store the directory
* @param gc gc_arena to store temporary objects in
*/
-const char *x509_write_cert(x509_cert_t *cert, const char *tmp_dir,
- struct gc_arena *gc);
+bool x509_write_pem(FILE *peercert_file, x509_cert_t *peercert);
/*
* Check the certificate against a CRL file.
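Review bot: The doc comment kept above the new prototype still documents `tmp_dir` and `gc` (the context lines of this hunk) and says nothing about the return value, so it now describes the removed x509_write_cert rather than `x509_write_pem(FILE *peercert_file, x509_cert_t *peercert)`. Replace those two parameter lines with `@param peercert_file  Open, writable stream the PEM-encoded certificate is written to` and `@param peercert  Certificate to write`, and add `@return true on failure, false on success`, since the inverted sense is easy to misread and is what both backend implementations in this commit rely on. The comment block begins before the hunk, so its leading description line may need the same update. The prototype also introduces FILE into this header; confirm that `<stdio.h>` (or a project header providing it) is included, which is not visible here.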
diff --git a/ssl_verify_openssl.c b/ssl_verify_openssl.c
index 8bcdc10..a8e2e49 100644
--- a/ssl_verify_openssl.c
+++ b/ssl_verify_openssl.c
@@ -515,34 +515,15 @@ x509_verify_cert_eku (X509 *x509, const char * const expected_oid)
return fFound;
}
-const char *
-x509_write_cert(X509 *peercert, const char *tmp_dir, struct gc_arena *gc)
+bool
+x509_write_pem(FILE *peercert_file, X509 *peercert)
{
- FILE *peercert_file;
- const char *peercert_filename="";
-
- if(!tmp_dir)
- return NULL;
-
- /* create tmp file to store peer cert */
- peercert_filename = create_temp_file (tmp_dir, "pcf", gc);
-
- /* write peer-cert in tmp-file */
- peercert_file = fopen(peercert_filename, "w+");
- if(!peercert_file)
- {
- msg (M_ERR, "Failed to open temporary file : %s", peercert_filename);
- return NULL;
- }
- if(PEM_write_X509(peercert_file,peercert)<0)
+ if (PEM_write_X509(peercert_file, peercert) < 0)
{
msg (M_ERR, "Failed to write peer certificate in PEM format");
- fclose(peercert_file);
- return NULL;
+ return true;
}
-
- fclose(peercert_file);
- return peercert_filename;
+ return false;
}
#endif /* OPENSSL_VERSION_NUMBER */
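Review bot: The retained condition `if (PEM_write_X509(peercert_file, peercert) < 0)` can never be true, because PEM_write_X509 returns 1 on success and 0 on failure, so x509_write_pem reports success for every failed write and its caller goes on to hand the script a truncated file. Change the test to `if (PEM_write_X509(peercert_file, peercert) != 1)`, which is the check the new bool return contract needs. The function is complete within the hunk.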
diff --git a/ssl_verify_polarssl.c b/ssl_verify_polarssl.c
index 91a699a..03a28fe 100644
--- a/ssl_verify_polarssl.c
+++ b/ssl_verify_polarssl.c
@@ -372,35 +372,11 @@ x509_verify_cert_eku (x509_cert *cert, const char * const expected_oid)
return fFound;
}
-const char *
-x509_write_cert(x509_cert *peercert, const char *tmp_dir, struct gc_arena *gc)
+bool
+x509_write_pem(FILE *peercert_file, x509_cert *peercert)
{
- FILE *peercert_file;
- const char *peercert_filename="";
-
- if(!tmp_dir)
- return NULL;
-
- /* create tmp file to store peer cert */
- peercert_filename = create_temp_file (tmp_dir, "pcf", gc);
-
- /* write peer-cert in tmp-file */
- peercert_file = fopen(peercert_filename, "w+");
- if(!peercert_file)
- {
- msg (M_ERR, "Failed to open temporary file : %s", peercert_filename);
- return NULL;
- }
-
-// if(PEM_write_X509(peercert_file,peercert)<0)
-// {
- msg (M_ERR, "PolarSSL does not support writing peer certificate in PEM format");
- fclose(peercert_file);
- return NULL;
-// }
-
- fclose(peercert_file);
- return peercert_filename;
+ msg (M_WARN, "PolarSSL does not support writing peer certificate in PEM format");
+ return true;
}
/*
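Review bot: The PolarSSL x509_write_pem ignores both of its parameters and unconditionally returns true after a warning, which is reasonable for a compiled-out feature but is not stated anywhere and will produce unused-parameter warnings under -Wextra. Add a comment above the msg call such as `/* Exporting the peer certificate is not supported with PolarSSL; --tls-export-cert is compiled out in options.c, so this stub only reports failure. */`, and `(void)peercert_file; (void)peercert;` at the top of the body to document the intent and silence the warnings. The rest of the file continues past the hunk.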