Allow PKCS12 file content to be included inline in configuration file,

rendered as base64.

git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6412 e7ae566f-a301-0410-adde-c780ea21d3b5

diff --git a/options.c b/options.c
index e1de0d90e622d26cd1a64bcad4719a52e919d0f7..b1ac26c113f72985e9298a79f5ec6a0f9b4127e0 100644 (file)
--- a/options.c
+++ b/options.c
@@ -5680,6 +5680,12 @@ add_option (struct options *options,
     {
       VERIFY_PERMISSION (OPT_P_GENERAL);
       options->pkcs12_file = p[1];
+#if ENABLE_INLINE_FILES
+      if (streq (p[1], INLINE_FILE_TAG) && p[2])
+       {
+         options->pkcs12_file_inline = p[2];
+       }
+#endif
     }
   else if (streq (p[0], "askpass"))
     {

diff --git a/options.h b/options.h
index 240f3bb5f23c48f6d3247a26e0267496048aa99c..1d5fe4c2194a33241f82f2a251a748fd8a5468db 100644 (file)
--- a/options.h
+++ b/options.h
@@ -473,6 +473,7 @@ struct options
   const char *cert_file_inline;
   char *priv_key_file_inline;
   const char *dh_file_inline;
+  const char *pkcs12_file_inline; /* contains the base64 encoding of pkcs12 file */
 #endif
 
   int ns_cert_type; /* set to 0, NS_SSL_SERVER, or NS_SSL_CLIENT */

diff --git a/ssl.c b/ssl.c
index a14064162621909899837cd9f5b2b9f443f1ceb7..a1268ac2a9291dc1512fa28e3ab4efc65085c952 100644 (file)
--- a/ssl.c
+++ b/ssl.c
@@ -1514,23 +1514,41 @@ init_ssl (const struct options *options)
 
   if (options->pkcs12_file)
     {
-    /* Use PKCS #12 file for key, cert and CA certs */
+      /* Use PKCS #12 file for key, cert and CA certs */
 
       FILE *fp;
       EVP_PKEY *pkey;
       X509 *cert;
       STACK_OF(X509) *ca = NULL;
-      PKCS12 *p12;
+      PKCS12 *p12=NULL;
       int i;
       char password[256];
 
-      /* Load the PKCS #12 file */
-      if (!(fp = fopen(options->pkcs12_file, "rb")))
-        msg (M_SSLERR, "Error opening file %s", options->pkcs12_file);
-      p12 = d2i_PKCS12_fp(fp, NULL);
-      fclose (fp);
-      if (!p12) msg (M_SSLERR, "Error reading PKCS#12 file %s", options->pkcs12_file);
-      
+#if ENABLE_INLINE_FILES
+      if (!strcmp (options->pkcs12_file, INLINE_FILE_TAG) && options->pkcs12_file_inline)
+       {
+         BIO *b64 = BIO_new (BIO_f_base64());
+         BIO *bio = BIO_new_mem_buf ((void *)options->pkcs12_file_inline, (int)strlen(options->pkcs12_file_inline));
+         ASSERT(b64 && bio);
+         BIO_push (b64, bio);
+         p12 = d2i_PKCS12_bio(b64, NULL);
+         if (!p12)
+           msg (M_SSLERR, "Error reading inline PKCS#12 file");
+         BIO_free (b64);
+         BIO_free (bio);
+       }
+      else
+#endif
+       {
+         /* Load the PKCS #12 file */
+         if (!(fp = fopen(options->pkcs12_file, "rb")))
+           msg (M_SSLERR, "Error opening file %s", options->pkcs12_file);
+         p12 = d2i_PKCS12_fp(fp, NULL);
+         fclose (fp);
+         if (!p12)
+           msg (M_SSLERR, "Error reading PKCS#12 file %s", options->pkcs12_file);
+       }
+
       /* Parse the PKCS #12 file */
       if (!PKCS12_parse(p12, "", &pkey, &cert, &ca))
         {
@@ -1539,8 +1557,12 @@ init_ssl (const struct options *options)
           ca = NULL;
           if (!PKCS12_parse(p12, password, &pkey, &cert, &ca))
            {
+#ifdef ENABLE_MANAGEMENT
+             if (management && (ERR_GET_REASON (ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE))
+               management_auth_failure (management, UP_TYPE_PRIVATE_KEY, NULL);
+#endif
              PKCS12_free(p12);
-             msg (M_WARN|M_SSL, "Error parsing PKCS#12 file %s", options->pkcs12_file);
+             msg (M_INFO, "OpenSSL ERROR code: %d", (ERR_GET_REASON (ERR_peek_error()))); // fixme
              goto err;
            }
         }