* A sort of pseudo-filename for data provided inline within
* the configuration file.
*/
-#if ENABLE_INLINE_FILES
#define INLINE_FILE_TAG "[[INLINE]]"
-#endif
/*
* Script security warning
kt.cipher_length = 0;
kt.cipher = NULL;
-#if ENABLE_INLINE_FILES
if (flags & GHK_INLINE)
{
/* key was specified inline, key text is in passphrase_file */
msg (M_FATAL, "INLINE tls-auth file lacks the requisite 2 keys");
}
else
-#endif
{
/* first try to parse as an OpenVPN static key file */
read_key_file (&key2, passphrase_file, 0);
* Key can be provided as a filename in 'file' or if RKF_INLINE
* is set, the actual key data itself in ascii form.
*/
-#if ENABLE_INLINE_FILES
if (flags & RKF_INLINE) /* 'file' is a string containing ascii representation of key */
{
size = strlen (file) + 1;
error_filename = INLINE_FILE_TAG;
}
else /* 'file' is a filename which refers to a file containing the ascii key */
-#endif
{
in = alloc_buf_gc (2048, &gc);
fd = platform_open (file, O_RDONLY, 0);
}
/* zero file read buffer if not an inline file */
-#if ENABLE_INLINE_FILES
if (!(flags & RKF_INLINE))
-#endif
buf_clear (&in);
if (key2->n)
unsigned int rkf_flags = RKF_MUST_SUCCEED;
const char *rkf_file = options->shared_secret_file;
-#if ENABLE_INLINE_FILES
if (options->shared_secret_file_inline)
{
rkf_file = options->shared_secret_file_inline;
rkf_flags |= RKF_INLINE;
}
-#endif
read_key_file (&key2, rkf_file, rkf_flags);
}
unsigned int flags = 0;
const char *file = options->tls_auth_file;
-#if ENABLE_INLINE_FILES
if (options->tls_auth_file_inline)
{
flags |= GHK_INLINE;
file = options->tls_auth_file_inline;
}
-#endif
get_tls_handshake_key (&c->c1.ks.key_type,
&c->c1.ks.tls_auth_key,
file,
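Review bot: Dropping the `#if ENABLE_INLINE_FILES` guards around the `shared_secret_file_inline` and `tls_auth_file_inline` fallbacks here is only safe because the macro definition itself is deleted in syshead.h at the end of this commit, and that combination means any guard the commit misses elsewhere in the tree will now evaluate an undefined `ENABLE_INLINE_FILES` as 0 and silently compile the inline path out instead of failing the build. The same concern applies to every guard removed in this series (options.c, options.h, ssl_backend.h, ssl_openssl.c, ssl_polarssl.c), so one check covers them all. Building once with `-Wundef`, or grepping the whole tree for the identifier before merging, would confirm nothing was left behind. Both enclosing init functions continue outside the hunk.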
{
#ifndef WIN32
#ifdef HAVE_STAT
-#if ENABLE_INLINE_FILES
if (strcmp (filename, INLINE_FILE_TAG))
-#endif
{
struct stat st;
if (stat (filename, &st))
return (const char **)ret;
}
-#if ENABLE_INLINE_FILES
static const char **
make_inline_array (const char *str, struct gc_arena *gc)
{
ret[i] = NULL;
return (const char **)ret;
}
-#endif
static const char **
make_arg_copy (char **p, struct gc_arena *gc)
make_extended_arg_array (char **p, struct gc_arena *gc)
{
const int argc = string_array_len ((const char **)p);
-#if ENABLE_INLINE_FILES
if (!strcmp (p[0], INLINE_FILE_TAG) && argc == 2)
return make_inline_array (p[1], gc);
else
-#endif
if (argc == 0)
return make_arg_array (NULL, NULL, gc);
else if (argc == 1)
*p += 2;
}
-#if ENABLE_INLINE_FILES
-
struct in_src {
# define IS_TYPE_FP 1
# define IS_TYPE_BUF 2
return check_inline_file (&is, p, gc);
}
-#endif
-
static void
add_option (struct options *options,
char *p[],
if (parse_line (line, p, SIZE (p), file, line_num, msglevel, &options->gc))
{
bypass_doubledash (&p[0]);
-#if ENABLE_INLINE_FILES
check_inline_file_via_fp (fp, p, &options->gc);
-#endif
add_option (options, p, file, line_num, level, msglevel, permission_mask, option_types_found, es);
}
}
if (parse_line (line, p, SIZE (p), prefix, line_num, msglevel, &options->gc))
{
bypass_doubledash (&p[0]);
-#if ENABLE_INLINE_FILES
check_inline_file_via_buf (&multiline, p, &options->gc);
-#endif
add_option (options, p, NULL, line_num, 0, msglevel, permission_mask, option_types_found, es);
}
CLEAR (p);
else if (streq (p[0], "secret") && p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
-#if ENABLE_INLINE_FILES
if (streq (p[1], INLINE_FILE_TAG) && p[2])
{
options->shared_secret_file_inline = p[2];
}
else
-#endif
if (p[2])
{
int key_direction;
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->ca_file = p[1];
-#if ENABLE_INLINE_FILES
if (streq (p[1], INLINE_FILE_TAG) && p[2])
{
options->ca_file_inline = p[2];
}
-#endif
}
#ifndef ENABLE_CRYPTO_POLARSSL
else if (streq (p[0], "capath") && p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->dh_file = p[1];
-#if ENABLE_INLINE_FILES
if (streq (p[1], INLINE_FILE_TAG) && p[2])
{
options->dh_file_inline = p[2];
}
-#endif
}
else if (streq (p[0], "cert") && p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->cert_file = p[1];
-#if ENABLE_INLINE_FILES
if (streq (p[1], INLINE_FILE_TAG) && p[2])
{
options->cert_file_inline = p[2];
}
-#endif
}
else if (streq (p[0], "extra-certs") && p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->extra_certs_file = p[1];
-#if ENABLE_INLINE_FILES
if (streq (p[1], INLINE_FILE_TAG) && p[2])
{
options->extra_certs_file_inline = p[2];
}
-#endif
}
else if (streq (p[0], "verify-hash") && p[1])
{
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->priv_key_file = p[1];
-#if ENABLE_INLINE_FILES
if (streq (p[1], INLINE_FILE_TAG) && p[2])
{
options->priv_key_file_inline = p[2];
}
-#endif
}
#ifndef ENABLE_CRYPTO_POLARSSL
else if (streq (p[0], "pkcs12") && p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
options->pkcs12_file = p[1];
-#if ENABLE_INLINE_FILES
if (streq (p[1], INLINE_FILE_TAG) && p[2])
{
options->pkcs12_file_inline = p[2];
}
-#endif
}
#endif /* ENABLE_CRYPTO_POLARSSL */
else if (streq (p[0], "askpass"))
else if (streq (p[0], "tls-auth") && p[1])
{
VERIFY_PERMISSION (OPT_P_GENERAL);
-#if ENABLE_INLINE_FILES
if (streq (p[1], INLINE_FILE_TAG) && p[2])
{
options->tls_auth_file_inline = p[2];
}
else
-#endif
if (p[2])
{
int key_direction;
#ifdef ENABLE_CRYPTO
/* Cipher parms */
const char *shared_secret_file;
-#if ENABLE_INLINE_FILES
const char *shared_secret_file_inline;
-#endif
int key_direction;
bool ciphername_defined;
const char *ciphername;
const char *tls_remote;
const char *crl_file;
-#if ENABLE_INLINE_FILES
const char *ca_file_inline;
const char *cert_file_inline;
const char *extra_certs_file_inline;
char *priv_key_file_inline;
const char *dh_file_inline;
const char *pkcs12_file_inline; /* contains the base64 encoding of pkcs12 file */
-#endif
int ns_cert_type; /* set to 0, NS_CERT_CHECK_SERVER, or NS_CERT_CHECK_CLIENT */
unsigned remote_cert_ku[MAX_PARMS];
/* Special authentication MAC for TLS control channel */
const char *tls_auth_file; /* shared secret */
-#if ENABLE_INLINE_FILES
const char *tls_auth_file_inline;
-#endif
/* Allow only one session */
bool single_session;
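Review bot: `char *priv_key_file_inline;` is the only one of the inline-content fields that is not `const`-qualified; `ca_file_inline`, `cert_file_inline`, `extra_certs_file_inline`, `dh_file_inline`, `pkcs12_file_inline` and `shared_secret_file_inline` earlier in the hunk are all `const char *`. Unless something in the tree deliberately writes through this pointer (for example to scrub the key text after use), which this hunk does not show, it should read `const char *priv_key_file_inline;` so the compiler rejects accidental modification of configuration-owned key material. Now that the fields are unconditional it would also help to give the group a one-line comment stating that each holds the literal text following the `[[INLINE]]` tag, as `pkcs12_file_inline` already does. The `struct options` definition continues outside the hunk.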
* "[[INLINE]]" in the case of inline files.
* @param dh_file_inline A string containing the parameters
*/
-void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file
-#if ENABLE_INLINE_FILES
- , const char *dh_file_inline
-#endif /* ENABLE_INLINE_FILES */
- );
+void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
+ const char *dh_file_inline);
/**
* Load PKCS #12 file for key, cert and (optionally) CA certs, and add to
* successful.
*/
int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
-#if ENABLE_INLINE_FILES
- const char *pkcs12_file_inline,
-#endif /* ENABLE_INLINE_FILES */
- bool load_ca_file
+ const char *pkcs12_file_inline, bool load_ca_file
);
/**
* *x509 must be NULL.
*/
void tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file,
-#if ENABLE_INLINE_FILES
- const char *cert_file_inline,
-#endif
- openvpn_x509_cert_t **x509
+ const char *cert_file_inline, openvpn_x509_cert_t **x509
);
/**
* @return 1 if an error occurred, 0 if parsing was
* successful.
*/
-int tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file
-#if ENABLE_INLINE_FILES
- , const char *priv_key_file_inline
-#endif
+int tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file,
+ const char *priv_key_file_inline
);
#ifdef MANAGMENT_EXTERNAL_KEY
* successful.
*/
int tls_ctx_use_external_private_key (struct tls_root_ctx *ctx, openvpn_x509_cert_t *cert);
-
#endif
+
/**
* Load certificate authority certificates from the given file or path.
*
* @param ca_path The path to load the CAs from
*/
void tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file,
-#if ENABLE_INLINE_FILES
- const char *ca_file_inline,
-#endif
- const char *ca_path, bool tls_server
+ const char *ca_file_inline, const char *ca_path, bool tls_server
);
/**
* "[[INLINE]]" in the case of inline files.
* @param extra_certs_file_inline A string containing the certs
*/
-void tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file
-#if ENABLE_INLINE_FILES
- , const char *extra_certs_file_inline
-#endif
+void tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file,
+ const char *extra_certs_file_inline
);
#ifdef ENABLE_CRYPTO_POLARSSL
}
void
-tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file
-#if ENABLE_INLINE_FILES
- , const char *dh_file_inline
-#endif /* ENABLE_INLINE_FILES */
+tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file,
+ const char *dh_file_inline
)
{
DH *dh;
ASSERT(NULL != ctx);
-#if ENABLE_INLINE_FILES
if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_file_inline)
{
if (!(bio = BIO_new_mem_buf ((char *)dh_file_inline, -1)))
msg (M_SSLERR, "Cannot open memory BIO for inline DH parameters");
}
else
-#endif /* ENABLE_INLINE_FILES */
{
/* Get Diffie Hellman Parameters */
if (!(bio = BIO_new_file (dh_file, "r")))
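Review bot: The inline test `!strcmp (dh_file, INLINE_FILE_TAG) && dh_file_inline` falls through to `BIO_new_file (dh_file, "r")` when `dh_file` is the tag but `dh_file_inline` is NULL, so a config that names `[[INLINE]]` without the inline block tries to open a file literally called `[[INLINE]]` and reports a misleading error. The options.c hunk for `dh` shows this is reachable: `options->dh_file = p[1]` is assigned unconditionally while `dh_file_inline` is only set when `p[2]` exists. A guard before the branch such as `if (!strcmp (dh_file, INLINE_FILE_TAG) && !dh_file_inline) msg (M_FATAL, "dh [[INLINE]] given without inline DH parameters");` would make the failure explicit; the same pattern recurs in the pkcs12, cert, private-key, CA and extra-certs loaders of both backends further down. The body of tls_ctx_load_dh_params continues past the hunk.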
int
tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
-#if ENABLE_INLINE_FILES
const char *pkcs12_file_inline,
-#endif /* ENABLE_INLINE_FILES */
bool load_ca_file
)
{
ASSERT(NULL != ctx);
-#if ENABLE_INLINE_FILES
if (!strcmp (pkcs12_file, INLINE_FILE_TAG) && pkcs12_file_inline)
{
BIO *b64 = BIO_new(BIO_f_base64());
BIO_free(bio);
}
else
-#endif
{
/* Load the PKCS #12 file */
if (!(fp = platform_fopen(pkcs12_file, "rb")))
void
tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file,
-#if ENABLE_INLINE_FILES
- const char *cert_file_inline,
-#endif
- X509 **x509
+ const char *cert_file_inline, X509 **x509
)
{
BIO *in = NULL;
if (NULL != x509)
ASSERT (NULL == *x509);
-#if ENABLE_INLINE_FILES
inline_file = (strcmp (cert_file, INLINE_FILE_TAG) == 0);
if (inline_file && cert_file_inline)
in = BIO_new_mem_buf ((char *)cert_file_inline, -1);
else
-#endif /* ENABLE_INLINE_FILES */
in = BIO_new_file (cert_file, "r");
if (in == NULL)
}
int
-tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file
-#if ENABLE_INLINE_FILES
- , const char *priv_key_file_inline
-#endif
+tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file,
+ const char *priv_key_file_inline
)
{
int status;
ssl_ctx = ctx->ctx;
-#if ENABLE_INLINE_FILES
if (!strcmp (priv_key_file, INLINE_FILE_TAG) && priv_key_file_inline)
in = BIO_new_mem_buf ((char *)priv_key_file_inline, -1);
else
-#endif /* ENABLE_INLINE_FILES */
in = BIO_new_file (priv_key_file, "r");
if (!in)
void
tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file,
-#if ENABLE_INLINE_FILES
const char *ca_file_inline,
-#endif
const char *ca_path, bool tls_server
)
{
/* Try to add certificates and CRLs from ca_file */
if (ca_file)
{
-#if ENABLE_INLINE_FILES
if (!strcmp (ca_file, INLINE_FILE_TAG) && ca_file_inline)
in = BIO_new_mem_buf ((char *)ca_file_inline, -1);
else
-#endif
in = BIO_new_file (ca_file, "r");
if (in)
}
void
-tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file
-#if ENABLE_INLINE_FILES
- , const char *extra_certs_file_inline
-#endif
+tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file,
+ const char *extra_certs_file_inline
)
{
BIO *in;
-#if ENABLE_INLINE_FILES
if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_file_inline)
in = BIO_new_mem_buf ((char *)extra_certs_file_inline, -1);
else
-#endif
in = BIO_new_file (extra_certs_file, "r");
if (in == NULL)
}
void
-tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file
-#if ENABLE_INLINE_FILES
- , const char *dh_file_inline
-#endif /* ENABLE_INLINE_FILES */
+tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file,
+ const char *dh_file_inline
)
{
-#if ENABLE_INLINE_FILES
if (!strcmp (dh_file, INLINE_FILE_TAG) && dh_file_inline)
{
if (0 != x509parse_dhm(ctx->dhm_ctx, dh_file_inline, strlen(dh_file_inline)))
msg (M_FATAL, "Cannot read inline DH parameters");
}
else
-#endif /* ENABLE_INLINE_FILES */
{
if (0 != x509parse_dhmfile(ctx->dhm_ctx, dh_file))
msg (M_FATAL, "Cannot read DH parameters from file %s", dh_file);
int
tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
-#if ENABLE_INLINE_FILES
const char *pkcs12_file_inline,
-#endif /* ENABLE_INLINE_FILES */
bool load_ca_file
)
{
void
tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file,
-#if ENABLE_INLINE_FILES
const char *cert_file_inline,
-#endif
openvpn_x509_cert_t **x509
)
{
if (NULL != x509)
ASSERT(NULL == *x509);
-#if ENABLE_INLINE_FILES
if (!strcmp (cert_file, INLINE_FILE_TAG) && cert_file_inline)
{
if (0 != x509parse_crt(ctx->crt_chain, cert_file_inline,
msg (M_FATAL, "Cannot load inline certificate file");
}
else
-#endif /* ENABLE_INLINE_FILES */
{
if (0 != x509parse_crtfile(ctx->crt_chain, cert_file))
msg (M_FATAL, "Cannot load certificate file %s", cert_file);
}
int
-tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file
-#if ENABLE_INLINE_FILES
- , const char *priv_key_file_inline
-#endif /* ENABLE_INLINE_FILES */
+tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file,
+ const char *priv_key_file_inline
)
{
int status;
ASSERT(NULL != ctx);
-#if ENABLE_INLINE_FILES
if (!strcmp (priv_key_file, INLINE_FILE_TAG) && priv_key_file_inline)
{
status = x509parse_key(ctx->priv_key,
}
}
else
-#endif /* ENABLE_INLINE_FILES */
{
status = x509parse_keyfile(ctx->priv_key, priv_key_file, NULL);
if (POLARSSL_ERR_PEM_PASSWORD_REQUIRED == status)
#endif
void tls_ctx_load_ca (struct tls_root_ctx *ctx, const char *ca_file,
-#if ENABLE_INLINE_FILES
const char *ca_file_inline,
-#endif
const char *ca_path, bool tls_server
)
{
if (ca_path)
msg(M_FATAL, "ERROR: PolarSSL cannot handle the capath directive");
-#if ENABLE_INLINE_FILES
if (ca_file && !strcmp (ca_file, INLINE_FILE_TAG) && ca_file_inline)
{
if (0 != x509parse_crt(ctx->ca_chain, ca_file_inline, strlen(ca_file_inline)));
msg (M_FATAL, "Cannot load inline CA certificates");
}
else
-#endif
{
/* Load CA file for verifying peer supplied certificate */
if (0 != x509parse_crtfile(ctx->ca_chain, ca_file))
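Review bot: The inline branch's `if (0 != x509parse_crt(ctx->ca_chain, ca_file_inline, strlen(ca_file_inline)));` ends in a stray semicolon, so the `if` governs an empty statement and the `msg (M_FATAL, "Cannot load inline CA certificates")` that follows runs unconditionally — every configuration that supplies an inline CA to the PolarSSL backend is rejected even when parsing succeeds. This is pre-existing context rather than something the commit changes, but with the `#if` guard removed the branch is now always compiled, so it belongs in the same series: drop the trailing `;` so the line reads `if (0 != x509parse_crt(ctx->ca_chain, ca_file_inline, strlen(ca_file_inline)))`. Compiling with `-Wempty-body` would have caught this. The body of tls_ctx_load_ca continues past the hunk.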
}
void
-tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file
-#if ENABLE_INLINE_FILES
- , const char *extra_certs_file_inline
-#endif
+tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file,
+ const char *extra_certs_file_inline
)
{
ASSERT(NULL != ctx);
-#if ENABLE_INLINE_FILES
if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_file_inline)
{
if (0 != x509parse_crt(ctx->crt_chain, extra_certs_file_inline,
msg (M_FATAL, "Cannot load inline extra-certs file");
}
else
-#endif /* ENABLE_INLINE_FILES */
{
if (0 != x509parse_crtfile(ctx->crt_chain, extra_certs_file))
msg (M_FATAL, "Cannot load extra-certs file: %s", extra_certs_file);
#define EPOLL 0
#endif
-/*
- * Should we allow ca/cert/key files to be
- * included inline, in the configuration file?
- */
-#define ENABLE_INLINE_FILES 1
-
/*
* Support "connection" directive
*/
-#if ENABLE_INLINE_FILES
#define ENABLE_CONNECTION 1
-#endif
/*
* Should we include http proxy fallback functionality