}
}
-#if ENABLE_INLINE_FILES
-
-static int
-use_inline_load_verify_locations (SSL_CTX *ctx, const char *ca_string)
-{
- X509_STORE *store = NULL;
- X509* cert = NULL;
- BIO *in = NULL;
- int ret = 0;
-
- in = BIO_new_mem_buf ((char *)ca_string, -1);
- if (!in)
- goto err;
-
- for (;;)
- {
- if (!PEM_read_bio_X509 (in, &cert, 0, NULL))
- {
- ret = 1;
- break;
- }
- if (!cert)
- break;
-
- store = SSL_CTX_get_cert_store (ctx);
- if (!store)
- break;
-
- if (!X509_STORE_add_cert (store, cert))
- break;
-
- if (cert)
- {
- X509_free (cert);
- cert = NULL;
- }
- }
-
- err:
- if (cert)
- X509_free (cert);
- if (in)
- BIO_free (in);
- return ret;
-}
-
-static int
-xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
-{
- return(X509_NAME_cmp(*a,*b));
-}
-
-static STACK_OF(X509_NAME) *
-use_inline_load_client_CA_file (SSL_CTX *ctx, const char *ca_string)
-{
- BIO *in = NULL;
- X509 *x = NULL;
- X509_NAME *xn = NULL;
- STACK_OF(X509_NAME) *ret = NULL, *sk;
-
- sk=sk_X509_NAME_new(xname_cmp);
-
- in = BIO_new_mem_buf ((char *)ca_string, -1);
- if (!in)
- goto err;
-
- if ((sk == NULL) || (in == NULL))
- goto err;
-
- for (;;)
- {
- if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
- break;
- if (ret == NULL)
- {
- ret = sk_X509_NAME_new_null();
- if (ret == NULL)
- goto err;
- }
- if ((xn=X509_get_subject_name(x)) == NULL) goto err;
- /* check for duplicates */
- xn=X509_NAME_dup(xn);
- if (xn == NULL) goto err;
- if (sk_X509_NAME_find(sk,xn) >= 0)
- X509_NAME_free(xn);
- else
- {
- sk_X509_NAME_push(sk,xn);
- sk_X509_NAME_push(ret,xn);
- }
- }
-
- if (0)
- {
- err:
- if (ret != NULL) sk_X509_NAME_pop_free(ret,X509_NAME_free);
- ret=NULL;
- }
- if (sk != NULL) sk_X509_NAME_free(sk);
- if (in != NULL) BIO_free(in);
- if (x != NULL) X509_free(x);
- if (ret != NULL)
- ERR_clear_error();
- return(ret);
-}
-
-#endif
-
/*
* Initialize SSL context.
* All files are in PEM format.
tls_ctx_set_options(new_ctx, options->ssl_flags);
- ctx = new_ctx->ctx;
-
if (options->pkcs12_file)
{
if (0 != tls_ctx_load_pkcs12(new_ctx, options->pkcs12_file,
}
}
+ ctx = new_ctx->ctx;
+
if (options->ca_file || options->ca_path)
{
- int status;
-
-#if ENABLE_INLINE_FILES
- if (options->ca_file && !strcmp (options->ca_file, INLINE_FILE_TAG) && options->ca_file_inline)
- {
- status = use_inline_load_verify_locations (ctx, options->ca_file_inline);
- }
- else
-#endif
- {
- /* Load CA file for verifying peer supplied certificate */
- status = SSL_CTX_load_verify_locations (ctx, options->ca_file, NULL);
- }
-
- if (!status)
- msg (M_SSLERR, "Cannot load CA certificate file %s path %s (SSL_CTX_load_verify_locations)", np(options->ca_file), np(options->ca_path));
-
- /* Set a store for certs (CA & CRL) with a lookup on the "capath" hash directory */
- if (options->ca_path) {
- X509_STORE *store = SSL_CTX_get_cert_store(ctx);
-
- if (store)
- {
- X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
- if (!X509_LOOKUP_add_dir(lookup, options->ca_path, X509_FILETYPE_PEM))
- X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
- else
- msg(M_WARN, "WARNING: experimental option --capath %s", options->ca_path);
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
- X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
-#else
- msg(M_WARN, "WARNING: this version of OpenSSL cannot handle CRL files in capath");
-#endif
- }
- else
- msg(M_SSLERR, "Cannot get certificate store (SSL_CTX_get_cert_store)");
- }
-
- /* Load names of CAs from file and use it as a client CA list */
- if (options->ca_file && options->tls_server) {
- STACK_OF(X509_NAME) *cert_names = NULL;
-#if ENABLE_INLINE_FILES
- if (!strcmp (options->ca_file, INLINE_FILE_TAG) && options->ca_file_inline)
- {
- cert_names = use_inline_load_client_CA_file (ctx, options->ca_file_inline);
- }
- else
-#endif
- {
- cert_names = SSL_load_client_CA_file (options->ca_file);
- }
- if (!cert_names)
- msg (M_SSLERR, "Cannot load CA certificate file %s (SSL_load_client_CA_file)", options->ca_file);
- SSL_CTX_set_client_CA_list (ctx, cert_names);
- }
+ tls_ctx_load_ca(new_ctx, options->ca_file, options->ca_file_inline,
+ options->ca_path, options->tls_server);
}
/* Load extra certificates that are part of our own certificate
chain but shouldn't be included in the verify chain */
if (options->extra_certs_file || options->extra_certs_file_inline)
{
- BIO *bio;
- X509 *cert;
-#if ENABLE_INLINE_FILES
- if (!strcmp (options->extra_certs_file, INLINE_FILE_TAG) && options->extra_certs_file_inline)
- {
- bio = BIO_new_mem_buf ((char *)options->extra_certs_file_inline, -1);
- }
- else
-#endif
- {
- bio = BIO_new(BIO_s_file());
- if (BIO_read_filename(bio, options->extra_certs_file) <= 0)
- msg (M_SSLERR, "Cannot load extra-certs file: %s", options->extra_certs_file);
- }
- for (;;)
- {
- cert = NULL;
- if (!PEM_read_bio_X509 (bio, &cert, 0, NULL)) /* takes ownership of cert */
- break;
- if (!cert)
- msg (M_SSLERR, "Error reading extra-certs certificate");
- if (SSL_CTX_add_extra_chain_cert(ctx, cert) != 1)
- msg (M_SSLERR, "Error adding extra-certs certificate");
- }
- BIO_free (bio);
+ tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file, options->extra_certs_file_inline);
}
#if P2MP_SERVER
#endif
/**
+ * Load certificate authority certificates from the given file or path.
+ *
+ * Note that not all SSL libraries support loading from a path.
+ *
+ * @param ctx TLS context to use
+ * @param ca_file The file name to load the CAs from, or
+ * "[[INLINE]]" in the case of inline files.
+ * @param ca_file_inline A string containing the CAs
+ * @param ca_path The path to load the CAs from
+ */
+void tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file,
+#if ENABLE_INLINE_FILES
+ const char *ca_file_inline,
+#endif
+ const char *ca_path, bool tls_server
+ );
+
+/**
+ * Load extra certificate authority certificates from the given file or path.
+ * These Load extra certificates that are part of our own certificate
+ * chain but shouldn't be included in the verify chain.
+ *
+ *
+ * @param ctx TLS context to use
+ * @param extra_certs_file The file name to load the certs from, or
+ * "[[INLINE]]" in the case of inline files.
+ * @param extra_certs_file_inline A string containing the certs
+ */
+void tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file
+#if ENABLE_INLINE_FILES
+ , const char *extra_certs_file_inline
+#endif
+ );
+
+/*
* Show the TLS ciphers that are available for us to use in the OpenSSL
* library.
*/
#endif
+#if ENABLE_INLINE_FILES
+static int
+xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b)
+{
+ return(X509_NAME_cmp(*a,*b));
+}
+
+static STACK_OF(X509_NAME) *
+use_inline_load_client_CA_file (SSL_CTX *ctx, const char *ca_string)
+{
+ BIO *in = NULL;
+ X509 *x = NULL;
+ X509_NAME *xn = NULL;
+ STACK_OF(X509_NAME) *ret = NULL, *sk;
+
+ sk=sk_X509_NAME_new(xname_cmp);
+
+ in = BIO_new_mem_buf ((char *)ca_string, -1);
+ if (!in)
+ goto err;
+
+ if ((sk == NULL) || (in == NULL))
+ goto err;
+
+ for (;;)
+ {
+ if (PEM_read_bio_X509(in,&x,NULL,NULL) == NULL)
+ break;
+ if (ret == NULL)
+ {
+ ret = sk_X509_NAME_new_null();
+ if (ret == NULL)
+ goto err;
+ }
+ if ((xn=X509_get_subject_name(x)) == NULL) goto err;
+ /* check for duplicates */
+ xn=X509_NAME_dup(xn);
+ if (xn == NULL) goto err;
+ if (sk_X509_NAME_find(sk,xn) >= 0)
+ X509_NAME_free(xn);
+ else
+ {
+ sk_X509_NAME_push(sk,xn);
+ sk_X509_NAME_push(ret,xn);
+ }
+ }
+
+ if (0)
+ {
+ err:
+ if (ret != NULL) sk_X509_NAME_pop_free(ret,X509_NAME_free);
+ ret=NULL;
+ }
+ if (sk != NULL) sk_X509_NAME_free(sk);
+ if (in != NULL) BIO_free(in);
+ if (x != NULL) X509_free(x);
+ if (ret != NULL)
+ ERR_clear_error();
+ return(ret);
+}
+
+static int
+use_inline_load_verify_locations (SSL_CTX *ctx, const char *ca_string)
+{
+ X509_STORE *store = NULL;
+ X509* cert = NULL;
+ BIO *in = NULL;
+ int ret = 0;
+
+ in = BIO_new_mem_buf ((char *)ca_string, -1);
+ if (!in)
+ goto err;
+
+ for (;;)
+ {
+ if (!PEM_read_bio_X509 (in, &cert, 0, NULL))
+ {
+ ret = 1;
+ break;
+ }
+ if (!cert)
+ break;
+
+ store = SSL_CTX_get_cert_store (ctx);
+ if (!store)
+ break;
+
+ if (!X509_STORE_add_cert (store, cert))
+ break;
+
+ if (cert)
+ {
+ X509_free (cert);
+ cert = NULL;
+ }
+ }
+
+ err:
+ if (cert)
+ X509_free (cert);
+ if (in)
+ BIO_free (in);
+ return ret;
+}
+#endif /* ENABLE_INLINE_FILES */
+
+void
+tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file,
+#if ENABLE_INLINE_FILES
+ const char *ca_file_inline,
+#endif
+ const char *ca_path, bool tls_server
+ )
+{
+ int status;
+
+ ASSERT(NULL != ctx);
+
+#if ENABLE_INLINE_FILES
+ if (ca_file && !strcmp (ca_file, INLINE_FILE_TAG) && ca_file_inline)
+ {
+ status = use_inline_load_verify_locations (ctx->ctx, ca_file_inline);
+ }
+ else
+#endif
+ {
+ /* Load CA file for verifying peer supplied certificate */
+ status = SSL_CTX_load_verify_locations (ctx->ctx, ca_file, ca_path);
+ }
+
+ if (!status)
+ msg (M_SSLERR, "Cannot load CA certificate file %s path %s (SSL_CTX_load_verify_locations)", np(ca_file), np(ca_path));
+
+ /* Set a store for certs (CA & CRL) with a lookup on the "capath" hash directory */
+ if (ca_path) {
+ X509_STORE *store = SSL_CTX_get_cert_store(ctx->ctx);
+
+ if (store)
+ {
+ X509_LOOKUP *lookup = X509_STORE_add_lookup(store, X509_LOOKUP_hash_dir());
+ if (!X509_LOOKUP_add_dir(lookup, ca_path, X509_FILETYPE_PEM))
+ X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
+ else
+ msg(M_WARN, "WARNING: experimental option --capath %s", ca_path);
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
+#else
+ msg(M_WARN, "WARNING: this version of OpenSSL cannot handle CRL files in capath");
+#endif
+ }
+ else
+ msg(M_SSLERR, "Cannot get certificate store (SSL_CTX_get_cert_store)");
+ }
+
+ /* Load names of CAs from file and use it as a client CA list */
+ if (ca_file && tls_server) {
+ STACK_OF(X509_NAME) *cert_names = NULL;
+#if ENABLE_INLINE_FILES
+ if (!strcmp (ca_file, INLINE_FILE_TAG) && ca_file_inline)
+ {
+ cert_names = use_inline_load_client_CA_file (ctx->ctx, ca_file_inline);
+ }
+ else
+#endif
+ {
+ cert_names = SSL_load_client_CA_file (ca_file);
+ }
+ if (!cert_names)
+ msg (M_SSLERR, "Cannot load CA certificate file %s (SSL_load_client_CA_file)", ca_file);
+ SSL_CTX_set_client_CA_list (ctx->ctx, cert_names);
+ }
+
+}
+
+void
+tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file
+#if ENABLE_INLINE_FILES
+ , const char *extra_certs_file_inline
+#endif
+ )
+{
+ BIO *bio;
+ X509 *cert;
+#if ENABLE_INLINE_FILES
+ if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_file_inline)
+ {
+ bio = BIO_new_mem_buf ((char *)extra_certs_file_inline, -1);
+ }
+ else
+#endif
+ {
+ bio = BIO_new(BIO_s_file());
+ if (BIO_read_filename(bio, extra_certs_file) <= 0)
+ msg (M_SSLERR, "Cannot load extra-certs file: %s", extra_certs_file);
+ }
+ for (;;)
+ {
+ cert = NULL;
+ if (!PEM_read_bio_X509 (bio, &cert, 0, NULL)) /* takes ownership of cert */
+ break;
+ if (!cert)
+ msg (M_SSLERR, "Error reading extra-certs certificate");
+ if (SSL_CTX_add_extra_chain_cert(ctx->ctx, cert) != 1)
+ msg (M_SSLERR, "Error adding extra-certs certificate");
+ }
+ BIO_free (bio);
+}
+
void
show_available_tls_ciphers ()
{
projects / thirdparty / openvpn.git / commitdiff
