*p += 2;
}
+#if ENABLE_INLINE_FILES
+
+struct in_src {
+# define IS_TYPE_FP 1
+# define IS_TYPE_BUF 2
+ int type;
+ union {
+ FILE *fp;
+ struct buffer *multiline;
+ } u;
+};
+
+static bool
+in_src_get (const struct in_src *is, char *line, const int size)
+{
+ if (is->type == IS_TYPE_FP)
+ {
+ return BOOL_CAST (fgets (line, size, is->u.fp));
+ }
+ else if (is->type == IS_TYPE_BUF)
+ {
+ bool status = buf_parse (is->u.multiline, '\n', line, size);
+ if ((int) strlen (line) + 1 < size)
+ strcat (line, "\n");
+ return status;
+ }
+ else
+ {
+ ASSERT (0);
+ return false;
+ }
+}
+
+static char *
+read_inline_file (struct in_src *is, const char *close_tag, struct gc_arena *gc)
+{
+ char line[OPTION_LINE_SIZE];
+ struct buffer buf = alloc_buf (10000);
+ char *ret;
+ while (in_src_get (is, line, sizeof (line)))
+ {
+ if (!strncmp (line, close_tag, strlen (close_tag)))
+ break;
+ buf_printf (&buf, line);
+ }
+ ret = string_alloc (BSTR (&buf), gc);
+ buf_clear (&buf);
+ free_buf (&buf);
+ CLEAR (line);
+ return ret;
+}
+
+static bool
+check_inline_file (struct in_src *is, char *p[], struct gc_arena *gc)
+{
+ bool ret = false;
+ if (p[0] && !p[1])
+ {
+ char *arg = p[0];
+ if (arg[0] == '<' && arg[strlen(arg)-1] == '>')
+ {
+ struct buffer close_tag;
+ arg[strlen(arg)-1] = '\0';
+ p[0] = string_alloc (arg+1, gc);
+ p[1] = string_alloc (INLINE_FILE_TAG, gc);
+ close_tag = alloc_buf (strlen(p[0]) + 4);
+ buf_printf (&close_tag, "</%s>", p[0]);
+ p[2] = read_inline_file (is, BSTR (&close_tag), gc);
+ p[3] = NULL;
+ free_buf (&close_tag);
+ ret = true;
+ }
+ }
+ return ret;
+}
+
+static bool
+check_inline_file_via_fp (FILE *fp, char *p[], struct gc_arena *gc)
+{
+ struct in_src is;
+ is.type = IS_TYPE_FP;
+ is.u.fp = fp;
+ return check_inline_file (&is, p, gc);
+}
+
+static bool
+check_inline_file_via_buf (struct buffer *multiline, char *p[], struct gc_arena *gc)
+{
+ struct in_src is;
+ is.type = IS_TYPE_BUF;
+ is.u.multiline = multiline;
+ return check_inline_file (&is, p, gc);
+}
+
+#endif
+
static int
add_option (struct options *options,
int i,
if (parse_line (line, p, SIZE (p), file, line_num, msglevel, &options->gc))
{
bypass_doubledash (&p[0]);
+#if ENABLE_INLINE_FILES
+ check_inline_file_via_fp (fp, p, &options->gc);
+#endif
add_option (options, 0, p, file, line_num, level, msglevel, permission_mask, option_types_found, es);
}
}
{
msg (msglevel, "In %s:%d: Maximum recursive include levels exceeded in include attempt of file %s -- probably you have a configuration file that tries to include itself.", top_file, top_line, file);
}
+ CLEAR (line);
+ CLEAR (p);
}
static void
if (parse_line (line, p, SIZE (p), file, line_num, msglevel, &options->gc))
{
bypass_doubledash (&p[0]);
+#if ENABLE_INLINE_FILES
+ check_inline_file_via_buf (&multiline, p, &options->gc);
+#endif
add_option (options, 0, p, NULL, line_num, 0, msglevel, permission_mask, option_types_found, es);
}
+ CLEAR (p);
}
+ CLEAR (line);
}
void
++i;
VERIFY_PERMISSION (OPT_P_GENERAL);
options->ca_file = p[1];
+#if ENABLE_INLINE_FILES
+ if (streq (p[1], INLINE_FILE_TAG) && p[2])
+ {
+ ++i;
+ options->ca_file_inline = p[2];
+ }
+#endif
}
else if (streq (p[0], "capath") && p[1])
{
++i;
VERIFY_PERMISSION (OPT_P_GENERAL);
options->dh_file = p[1];
+#if ENABLE_INLINE_FILES
+ if (streq (p[1], INLINE_FILE_TAG) && p[2])
+ {
+ ++i;
+ options->dh_file_inline = p[2];
+ }
+#endif
}
else if (streq (p[0], "cert") && p[1])
{
++i;
VERIFY_PERMISSION (OPT_P_GENERAL);
options->cert_file = p[1];
+#if ENABLE_INLINE_FILES
+ if (streq (p[1], INLINE_FILE_TAG) && p[2])
+ {
+ ++i;
+ options->cert_file_inline = p[2];
+ }
+#endif
}
#ifdef WIN32
else if (streq (p[0], "cryptoapicert") && p[1])
++i;
VERIFY_PERMISSION (OPT_P_GENERAL);
options->priv_key_file = p[1];
+#if ENABLE_INLINE_FILES
+ if (streq (p[1], INLINE_FILE_TAG) && p[2])
+ {
+ ++i;
+ options->priv_key_file_inline = p[2];
+ }
+#endif
}
else if (streq (p[0], "pkcs12") && p[1])
{
}
}
+#if ENABLE_INLINE_FILES
+
+static int
+use_inline_load_verify_locations (SSL_CTX *ctx, const char *ca_string)
+{
+ X509_STORE *store = NULL;
+ X509* cert = NULL;
+ BIO *in = NULL;
+ int ret = 0;
+
+ in = BIO_new_mem_buf ((char *)ca_string, -1);
+ if (!in)
+ goto err;
+
+ for (;;)
+ {
+ if (!PEM_read_bio_X509 (in, &cert, 0, NULL))
+ {
+ ret = 1;
+ break;
+ }
+ if (!cert)
+ break;
+
+ store = SSL_CTX_get_cert_store (ctx);
+ if (!store)
+ break;
+
+ if (!X509_STORE_add_cert (store, cert))
+ break;
+
+ if (cert)
+ {
+ X509_free (cert);
+ cert = NULL;
+ }
+ }
+
+ err:
+ if (cert)
+ X509_free (cert);
+ if (in)
+ BIO_free (in);
+ return ret;
+}
+
+static int
+xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
+{
+ return(X509_NAME_cmp(*a,*b));
+}
+
+static STACK_OF(X509_NAME) *
+use_inline_load_client_CA_file (SSL_CTX *ctx, const char *ca_string)
+{
+ BIO *in = NULL;
+ X509 *x = NULL;
+ X509_NAME *xn = NULL;
+ STACK_OF(X509_NAME) *ret = NULL, *sk;
+
+ sk=sk_X509_NAME_new(xname_cmp);
+
+ in = BIO_new_mem_buf ((char *)ca_string, -1);
+ if (!in)
+ goto err;
+
+ if ((sk == NULL) || (in == NULL))
+ goto err;
+
+ for (;;)
+ {
+ if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
+ break;
+ if (ret == NULL)
+ {
+ ret = sk_X509_NAME_new_null();
+ if (ret == NULL)
+ goto err;
+ }
+ if ((xn=X509_get_subject_name(x)) == NULL) goto err;
+ /* check for duplicates */
+ xn=X509_NAME_dup(xn);
+ if (xn == NULL) goto err;
+ if (sk_X509_NAME_find(sk,xn) >= 0)
+ X509_NAME_free(xn);
+ else
+ {
+ sk_X509_NAME_push(sk,xn);
+ sk_X509_NAME_push(ret,xn);
+ }
+ }
+
+ if (0)
+ {
+ err:
+ if (ret != NULL) sk_X509_NAME_pop_free(ret,X509_NAME_free);
+ ret=NULL;
+ }
+ if (sk != NULL) sk_X509_NAME_free(sk);
+ if (in != NULL) BIO_free(in);
+ if (x != NULL) X509_free(x);
+ if (ret != NULL)
+ ERR_clear_error();
+ return(ret);
+}
+
+static int
+use_inline_certificate_file (SSL_CTX *ctx, const char *cert_string)
+{
+ BIO *in = NULL;
+ X509 *x = NULL;
+ int ret = 0;
+
+ in = BIO_new_mem_buf ((char *)cert_string, -1);
+ if (!in)
+ goto end;
+
+ x = PEM_read_bio_X509 (in,
+ NULL,
+ ctx->default_passwd_callback,
+ ctx->default_passwd_callback_userdata);
+ if (!x)
+ goto end;
+
+ ret = SSL_CTX_use_certificate(ctx, x);
+
+ end:
+ if (x)
+ X509_free (x);
+ if (in)
+ BIO_free (in);
+ return ret;
+}
+
+static int
+use_inline_PrivateKey_file (SSL_CTX *ctx, const char *key_string)
+{
+ BIO *in = NULL;
+ EVP_PKEY *pkey = NULL;
+ int ret = 0;
+
+ in = BIO_new_mem_buf ((char *)key_string, -1);
+ if (!in)
+ goto end;
+
+ pkey = PEM_read_bio_PrivateKey (in,
+ NULL,
+ ctx->default_passwd_callback,
+ ctx->default_passwd_callback_userdata);
+ if (!pkey)
+ goto end;
+
+ ret = SSL_CTX_use_PrivateKey (ctx, pkey);
+
+ end:
+ if (pkey)
+ EVP_PKEY_free (pkey);
+ if (in)
+ BIO_free (in);
+ return ret;
+}
+
+#endif
+
/*
* Initialize SSL context.
* All files are in PEM format.
SSL_CTX_set_tmp_rsa_callback (ctx, tmp_rsa_cb);
- /* Get Diffie Hellman Parameters */
- if (!(bio = BIO_new_file (options->dh_file, "r")))
- msg (M_SSLERR, "Cannot open %s for DH parameters", options->dh_file);
+#if ENABLE_INLINE_FILES
+ if (!strcmp (options->dh_file, INLINE_FILE_TAG) && options->dh_file_inline)
+ {
+ if (!(bio = BIO_new_mem_buf ((char *)options->dh_file_inline, -1)))
+ msg (M_SSLERR, "Cannot open memory BIO for inline DH parameters");
+ }
+ else
+#endif
+ {
+ /* Get Diffie Hellman Parameters */
+ if (!(bio = BIO_new_file (options->dh_file, "r")))
+ msg (M_SSLERR, "Cannot open %s for DH parameters", options->dh_file);
+ }
+
dh = PEM_read_bio_DHparams (bio, NULL, NULL, NULL);
BIO_free (bio);
if (!dh)
/* Load Certificate */
if (options->cert_file)
{
- using_cert_file = true;
- if (!SSL_CTX_use_certificate_file (ctx, options->cert_file, SSL_FILETYPE_PEM))
- msg (M_SSLERR, "Cannot load certificate file %s", options->cert_file);
+#if ENABLE_INLINE_FILES
+ if (!strcmp (options->cert_file, INLINE_FILE_TAG) && options->cert_file_inline)
+ {
+ if (!use_inline_certificate_file (ctx, options->cert_file_inline))
+ msg (M_SSLERR, "Cannot load inline certificate file");
+ }
+ else
+#endif
+ {
+ if (!SSL_CTX_use_certificate_file (ctx, options->cert_file, SSL_FILETYPE_PEM))
+ msg (M_SSLERR, "Cannot load certificate file %s", options->cert_file);
+ using_cert_file = true;
+ }
}
/* Load Private Key */
if (options->priv_key_file)
{
- if (!SSL_CTX_use_PrivateKey_file (ctx, options->priv_key_file, SSL_FILETYPE_PEM))
+ int status;
+
+#if ENABLE_INLINE_FILES
+ if (!strcmp (options->priv_key_file, INLINE_FILE_TAG) && options->priv_key_file_inline)
+ {
+ status = use_inline_PrivateKey_file (ctx, options->priv_key_file_inline);
+ }
+ else
+#endif
+ {
+ status = SSL_CTX_use_PrivateKey_file (ctx, options->priv_key_file, SSL_FILETYPE_PEM);
+ }
+ if (!status)
{
#ifdef ENABLE_MANAGEMENT
if (management && (ERR_GET_REASON (ERR_peek_error()) == EVP_R_BAD_DECRYPT))
if (options->ca_file || options->ca_path)
{
- /* Load CA file for verifying peer supplied certificate */
- ASSERT (options->ca_file || options->ca_path);
- if (!SSL_CTX_load_verify_locations (ctx, options->ca_file, options->ca_path))
- msg (M_SSLERR, "Cannot load CA certificate file %s path %s (SSL_CTX_load_verify_locations)", options->ca_file, options->ca_path);
+ int status;
+
+#if ENABLE_INLINE_FILES
+ if (!strcmp (options->ca_file, INLINE_FILE_TAG) && options->ca_file_inline)
+ {
+ status = use_inline_load_verify_locations (ctx, options->ca_file_inline);
+ }
+ else
+#endif
+ {
+ /* Load CA file for verifying peer supplied certificate */
+ status = SSL_CTX_load_verify_locations (ctx, options->ca_file, options->ca_path);
+ }
+
+ if (!status)
+ msg (M_SSLERR, "Cannot load CA certificate file %s path %s (SSL_CTX_load_verify_locations)", options->ca_file, options->ca_path);
/* Set a store for certs (CA & CRL) with a lookup on the "capath" hash directory */
if (options->ca_path) {
X509_STORE *store = SSL_CTX_get_cert_store(ctx);
- if (store) {
- X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
- if (!X509_LOOKUP_add_dir(lookup, options->ca_path, X509_FILETYPE_PEM))
- X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
- else
- msg(M_WARN, "WARNING: experimental option --capath %s", options->ca_path);
+ if (store)
+ {
+ X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
+ if (!X509_LOOKUP_add_dir(lookup, options->ca_path, X509_FILETYPE_PEM))
+ X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
+ else
+ msg(M_WARN, "WARNING: experimental option --capath %s", options->ca_path);
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
- X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
+ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
#else
- msg(M_WARN, "WARNING: this version of OpenSSL cannot handle CRL files in capath");
+ msg(M_WARN, "WARNING: this version of OpenSSL cannot handle CRL files in capath");
#endif
- } else
+ }
+ else
msg(M_SSLERR, "Cannot get certificate store (SSL_CTX_get_cert_store)");
}
/* Load names of CAs from file and use it as a client CA list */
if (options->ca_file) {
- STACK_OF(X509_NAME) *cert_names;
- cert_names = SSL_load_client_CA_file (options->ca_file);
+ STACK_OF(X509_NAME) *cert_names = NULL;
+#if ENABLE_INLINE_FILES
+ if (!strcmp (options->ca_file, INLINE_FILE_TAG) && options->ca_file_inline)
+ {
+ cert_names = use_inline_load_client_CA_file (ctx, options->ca_file_inline);
+ }
+ else
+#endif
+ {
+ cert_names = SSL_load_client_CA_file (options->ca_file);
+ }
if (!cert_names)
msg (M_SSLERR, "Cannot load CA certificate file %s (SSL_load_client_CA_file)", options->ca_file);
SSL_CTX_set_client_CA_list (ctx, cert_names);
projects / thirdparty / openvpn.git / commitdiff
