Allow PKCS12 file content to be included inline in configuration file,

jamesyonan · jamesyonan · commit 2e8ff6c1bd1e · 2010-08-29T05:24:15.000Z
rendered as base64. git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6412 e7ae566f-a301-0410-adde-c780ea21d3b5
diff --git a/options.c b/options.c
@@ -5680,6 +5680,12 @@ add_option (struct options *options,
     {
       VERIFY_PERMISSION (OPT_P_GENERAL);
       options->pkcs12_file = p[1];
+#if ENABLE_INLINE_FILES
+      if (streq (p[1], INLINE_FILE_TAG) && p[2])
+	{
+	  options->pkcs12_file_inline = p[2];
+	}
+#endif
     }
   else if (streq (p[0], "askpass"))
     {
diff --git a/options.h b/options.h
@@ -473,6 +473,7 @@ struct options
   const char *cert_file_inline;
   char *priv_key_file_inline;
   const char *dh_file_inline;
+  const char *pkcs12_file_inline; /* contains the base64 encoding of pkcs12 file */
 #endif
 
   int ns_cert_type; /* set to 0, NS_SSL_SERVER, or NS_SSL_CLIENT */
diff --git a/ssl.c b/ssl.c
@@ -1514,23 +1514,41 @@ init_ssl (const struct options *options)
 
   if (options->pkcs12_file)
     {
-    /* Use PKCS #12 file for key, cert and CA certs */
+      /* Use PKCS #12 file for key, cert and CA certs */
 
       FILE *fp;
       EVP_PKEY *pkey;
       X509 *cert;
       STACK_OF(X509) *ca = NULL;
-      PKCS12 *p12;
+      PKCS12 *p12=NULL;
       int i;
       char password[256];
 
-      /* Load the PKCS #12 file */
-      if (!(fp = fopen(options->pkcs12_file, "rb")))
-        msg (M_SSLERR, "Error opening file %s", options->pkcs12_file);
-      p12 = d2i_PKCS12_fp(fp, NULL);
-      fclose (fp);
-      if (!p12) msg (M_SSLERR, "Error reading PKCS#12 file %s", options->pkcs12_file);
-      
+#if ENABLE_INLINE_FILES
+      if (!strcmp (options->pkcs12_file, INLINE_FILE_TAG) && options->pkcs12_file_inline)
+	{
+	  BIO *b64 = BIO_new (BIO_f_base64());
+	  BIO *bio = BIO_new_mem_buf ((void *)options->pkcs12_file_inline, (int)strlen(options->pkcs12_file_inline));
+	  ASSERT(b64 && bio);
+	  BIO_push (b64, bio);
+	  p12 = d2i_PKCS12_bio(b64, NULL);
+	  if (!p12)
+	    msg (M_SSLERR, "Error reading inline PKCS#12 file");
+	  BIO_free (b64);
+	  BIO_free (bio);
+	}
+      else
+#endif
+	{
+	  /* Load the PKCS #12 file */
+	  if (!(fp = fopen(options->pkcs12_file, "rb")))
+	    msg (M_SSLERR, "Error opening file %s", options->pkcs12_file);
+	  p12 = d2i_PKCS12_fp(fp, NULL);
+	  fclose (fp);
+	  if (!p12)
+	    msg (M_SSLERR, "Error reading PKCS#12 file %s", options->pkcs12_file);
+	}
+
       /* Parse the PKCS #12 file */
       if (!PKCS12_parse(p12, "", &pkey, &cert, &ca))
         {
@@ -1539,8 +1557,12 @@ init_ssl (const struct options *options)
           ca = NULL;
           if (!PKCS12_parse(p12, password, &pkey, &cert, &ca))
 	    {
+#ifdef ENABLE_MANAGEMENT
+	      if (management && (ERR_GET_REASON (ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE))
+		management_auth_failure (management, UP_TYPE_PRIVATE_KEY, NULL);
+#endif
 	      PKCS12_free(p12);
-	      msg (M_WARN|M_SSL, "Error parsing PKCS#12 file %s", options->pkcs12_file);
+	      msg (M_INFO, "OpenSSL ERROR code: %d", (ERR_GET_REASON (ERR_peek_error()))); // fixme
 	      goto err;
 	    }
         }

Original file line number	Diff line number	Diff line change
`@@ -5680,6 +5680,12 @@ add_option (struct options *options,`
`5680`	`5680`	`{`
`5681`	`5681`	`VERIFY_PERMISSION (OPT_P_GENERAL);`
`5682`	`5682`	`options->pkcs12_file = p[1];`
	`5683`	`+#if ENABLE_INLINE_FILES`
	`5684`	`+ if (streq (p[1], INLINE_FILE_TAG) && p[2])`
	`5685`	`+ {`
	`5686`	`+ options->pkcs12_file_inline = p[2];`
	`5687`	`+ }`
	`5688`	`+#endif`
`5683`	`5689`	`}`
`5684`	`5690`	`else if (streq (p[0], "askpass"))`
`5685`	`5691`	`{`