authorAdriaan de Jong <dejong@fox-it.com>2011-06-29 16:51:16 +0200
committerDavid Sommerseth <davids@redhat.com>2011-10-19 22:31:46 +0200
commit289a8bb806150b418abb64abea26cb4106811850 (patch)
tree73eccb384655f32e7340aa5042e730e2b521a84c /ssl.c
parentb5563f1154a4a4e1d4742b7194e4974a3b53b78f (diff)
Refactored PKCS#12 key loading
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Acked-by: James Yonan <james@openvpn.net> Signed-off-by: David Sommerseth <davids@redhat.com>
Diffstat (limited to 'ssl.c')
-rw-r--r--ssl.c83
1 files changed, 3 insertions, 80 deletions
diff --git a/ssl.c b/ssl.c
index 4c22a97..559c252 100644
--- a/ssl.c
+++ b/ssl.c
@@ -1989,86 +1989,9 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
if (options->pkcs12_file)
{
- /* Use PKCS #12 file for key, cert and CA certs */
-
- FILE *fp;
- EVP_PKEY *pkey;
- X509 *cert;
- STACK_OF(X509) *ca = NULL;
- PKCS12 *p12=NULL;
- int i;
- char password[256];
-
-#if ENABLE_INLINE_FILES
- if (!strcmp (options->pkcs12_file, INLINE_FILE_TAG) && options->pkcs12_file_inline)
- {
- BIO *b64 = BIO_new (BIO_f_base64());
- BIO *bio = BIO_new_mem_buf ((void *)options->pkcs12_file_inline, (int)strlen(options->pkcs12_file_inline));
- ASSERT(b64 && bio);
- BIO_push (b64, bio);
- p12 = d2i_PKCS12_bio(b64, NULL);
- if (!p12)
- msg (M_SSLERR, "Error reading inline PKCS#12 file");
- BIO_free (b64);
- BIO_free (bio);
- }
- else
-#endif
- {
- /* Load the PKCS #12 file */
- if (!(fp = fopen(options->pkcs12_file, "rb")))
- msg (M_SSLERR, "Error opening file %s", options->pkcs12_file);
- p12 = d2i_PKCS12_fp(fp, NULL);
- fclose (fp);
- if (!p12)
- msg (M_SSLERR, "Error reading PKCS#12 file %s", options->pkcs12_file);
- }
-
- /* Parse the PKCS #12 file */
- if (!PKCS12_parse(p12, "", &pkey, &cert, &ca))
- {
- pem_password_callback (password, sizeof(password) - 1, 0, NULL);
- /* Reparse the PKCS #12 file with password */
- ca = NULL;
- if (!PKCS12_parse(p12, password, &pkey, &cert, &ca))
- {
-#ifdef ENABLE_MANAGEMENT
- if (management && (ERR_GET_REASON (ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE))
- management_auth_failure (management, UP_TYPE_PRIVATE_KEY, NULL);
-#endif
- PKCS12_free(p12);
- goto err;
- }
- }
- PKCS12_free(p12);
-
- /* Load Certificate */
- if (!SSL_CTX_use_certificate (ctx, cert))
- msg (M_SSLERR, "Cannot use certificate");
-
- /* Load Private Key */
- if (!SSL_CTX_use_PrivateKey (ctx, pkey))
- msg (M_SSLERR, "Cannot use private key");
- warn_if_group_others_accessible (options->pkcs12_file);
-
- /* Check Private Key */
- if (!SSL_CTX_check_private_key (ctx))
- msg (M_SSLERR, "Private key does not match the certificate");
-
- /* Set Certificate Verification chain */
- if (!options->ca_file)
- {
- if (ca && sk_X509_num(ca))
- {
- for (i = 0; i < sk_X509_num(ca); i++)
- {
- if (!X509_STORE_add_cert(ctx->cert_store,sk_X509_value(ca, i)))
- msg (M_SSLERR, "Cannot add certificate to certificate chain (X509_STORE_add_cert)");
- if (options->tls_server && !SSL_CTX_add_client_CA(ctx, sk_X509_value(ca, i)))
- msg (M_SSLERR, "Cannot add certificate to client CA list (SSL_CTX_add_client_CA)");
- }
- }
- }
+ if (0 != tls_ctx_load_pkcs12(new_ctx, options->pkcs12_file,
+ options->pkcs12_file_inline, !options->ca_file))
+ goto err;
}
else
{