diff options
Diffstat (limited to 'ssl.c')
-rw-r--r-- | ssl.c | 195 |
1 files changed, 5 insertions, 190 deletions
@@ -1602,114 +1602,6 @@ tls_deauthenticate (struct tls_multi *multi) } } -#if ENABLE_INLINE_FILES - -static int -use_inline_load_verify_locations (SSL_CTX *ctx, const char *ca_string) -{ - X509_STORE *store = NULL; - X509* cert = NULL; - BIO *in = NULL; - int ret = 0; - - in = BIO_new_mem_buf ((char *)ca_string, -1); - if (!in) - goto err; - - for (;;) - { - if (!PEM_read_bio_X509 (in, &cert, 0, NULL)) - { - ret = 1; - break; - } - if (!cert) - break; - - store = SSL_CTX_get_cert_store (ctx); - if (!store) - break; - - if (!X509_STORE_add_cert (store, cert)) - break; - - if (cert) - { - X509_free (cert); - cert = NULL; - } - } - - err: - if (cert) - X509_free (cert); - if (in) - BIO_free (in); - return ret; -} - -static int -xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b) -{ - return(X509_NAME_cmp(*a,*b)); -} - -static STACK_OF(X509_NAME) * -use_inline_load_client_CA_file (SSL_CTX *ctx, const char *ca_string) -{ - BIO *in = NULL; - X509 *x = NULL; - X509_NAME *xn = NULL; - STACK_OF(X509_NAME) *ret = NULL, *sk; - - sk=sk_X509_NAME_new(xname_cmp); - - in = BIO_new_mem_buf ((char *)ca_string, -1); - if (!in) - goto err; - - if ((sk == NULL) || (in == NULL)) - goto err; - - for (;;) - { - if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL) - break; - if (ret == NULL) - { - ret = sk_X509_NAME_new_null(); - if (ret == NULL) - goto err; - } - if ((xn=X509_get_subject_name(x)) == NULL) goto err; - /* check for duplicates */ - xn=X509_NAME_dup(xn); - if (xn == NULL) goto err; - if (sk_X509_NAME_find(sk,xn) >= 0) - X509_NAME_free(xn); - else - { - sk_X509_NAME_push(sk,xn); - sk_X509_NAME_push(ret,xn); - } - } - - if (0) - { - err: - if (ret != NULL) sk_X509_NAME_pop_free(ret,X509_NAME_free); - ret=NULL; - } - if (sk != NULL) sk_X509_NAME_free(sk); - if (in != NULL) BIO_free(in); - if (x != NULL) X509_free(x); - if (ret != NULL) - ERR_clear_error(); - return(ret); -} - -#endif - /* * Initialize SSL context. * All files are in PEM format. @@ -1735,8 +1627,6 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx) tls_ctx_set_options(new_ctx, options->ssl_flags); - ctx = new_ctx->ctx; - if (options->pkcs12_file) { if (0 != tls_ctx_load_pkcs12(new_ctx, options->pkcs12_file, @@ -1783,94 +1673,19 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx) } } + ctx = new_ctx->ctx; + if (options->ca_file || options->ca_path) { - int status; - -#if ENABLE_INLINE_FILES - if (options->ca_file && !strcmp (options->ca_file, INLINE_FILE_TAG) && options->ca_file_inline) - { - status = use_inline_load_verify_locations (ctx, options->ca_file_inline); - } - else -#endif - { - /* Load CA file for verifying peer supplied certificate */ - status = SSL_CTX_load_verify_locations (ctx, options->ca_file, NULL); - } - - if (!status) - msg (M_SSLERR, "Cannot load CA certificate file %s path %s (SSL_CTX_load_verify_locations)", np(options->ca_file), np(options->ca_path)); - - /* Set a store for certs (CA & CRL) with a lookup on the "capath" hash directory */ - if (options->ca_path) { - X509_STORE *store = SSL_CTX_get_cert_store(ctx); - - if (store) - { - X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir()); - if (!X509_LOOKUP_add_dir(lookup, options->ca_path, X509_FILETYPE_PEM)) - X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT); - else - msg(M_WARN, "WARNING: experimental option --capath %s", options->ca_path); -#if OPENSSL_VERSION_NUMBER >= 0x00907000L - X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL); -#else - msg(M_WARN, "WARNING: this version of OpenSSL cannot handle CRL files in capath"); -#endif - } - else - msg(M_SSLERR, "Cannot get certificate store (SSL_CTX_get_cert_store)"); - } - - /* Load names of CAs from file and use it as a client CA list */ - if (options->ca_file && options->tls_server) { - STACK_OF(X509_NAME) *cert_names = NULL; -#if ENABLE_INLINE_FILES - if (!strcmp (options->ca_file, INLINE_FILE_TAG) && options->ca_file_inline) - { - cert_names = use_inline_load_client_CA_file (ctx, options->ca_file_inline); - } - else -#endif - { - cert_names = SSL_load_client_CA_file (options->ca_file); - } - if (!cert_names) - msg (M_SSLERR, "Cannot load CA certificate file %s (SSL_load_client_CA_file)", options->ca_file); - SSL_CTX_set_client_CA_list (ctx, cert_names); - } + tls_ctx_load_ca(new_ctx, options->ca_file, options->ca_file_inline, + options->ca_path, options->tls_server); } /* Load extra certificates that are part of our own certificate chain but shouldn't be included in the verify chain */ if (options->extra_certs_file || options->extra_certs_file_inline) { - BIO *bio; - X509 *cert; -#if ENABLE_INLINE_FILES - if (!strcmp (options->extra_certs_file, INLINE_FILE_TAG) && options->extra_certs_file_inline) - { - bio = BIO_new_mem_buf ((char *)options->extra_certs_file_inline, -1); - } - else -#endif - { - bio = BIO_new(BIO_s_file()); - if (BIO_read_filename(bio, options->extra_certs_file) <= 0) - msg (M_SSLERR, "Cannot load extra-certs file: %s", options->extra_certs_file); - } - for (;;) - { - cert = NULL; - if (!PEM_read_bio_X509 (bio, &cert, 0, NULL)) /* takes ownership of cert */ - break; - if (!cert) - msg (M_SSLERR, "Error reading extra-certs certificate"); - if (SSL_CTX_add_extra_chain_cert(ctx, cert) != 1) - msg (M_SSLERR, "Error adding extra-certs certificate"); - } - BIO_free (bio); + tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file, options->extra_certs_file_inline); } #if P2MP_SERVER |