#ifdef MANAGMENT_EXTERNAL_KEY
else if ((options->management_flags & MF_EXTERNAL_KEY) && options->cert_file)
{
- X509 *my_cert = NULL;
+ x509_cert_t *my_cert = NULL;
tls_ctx_load_cert_file(new_ctx, options->cert_file, options->cert_file_inline,
&my_cert);
tls_ctx_use_external_private_key(new_ctx, my_cert);
* Load certificate file into the given TLS context. If the given certificate
* file contains a certificate chain, load the whole chain.
*
+ * If the x509 parameter is not NULL, the certificate will be returned in it.
+ *
* @param ctx TLS context to use
* @param cert_file The file name to load the certificate from, or
* "[[INLINE]]" in the case of inline files.
#if ENABLE_INLINE_FILES
const char *cert_file_inline,
#endif
- X509 **x509
+ x509_cert_t **x509
);
/**
* @return 1 if an error occurred, 0 if parsing was
* successful.
*/
-int tls_ctx_use_external_private_key (struct tls_root_ctx *ctx, X509 *cert);
+int tls_ctx_use_external_private_key (struct tls_root_ctx *ctx, x509_cert_t *cert);
#endif
msg (M_SSLERR, "Cannot load CA certificate file %s (SSL_load_client_CA_file)", ca_file);
SSL_CTX_set_client_CA_list (ctx->ctx, cert_names);
}
+}
+
+void
+tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file
+#if ENABLE_INLINE_FILES
+ , const char *extra_certs_file_inline
+#endif
+ )
+{
+ BIO *bio;
+ X509 *cert;
+#if ENABLE_INLINE_FILES
+ if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_file_inline)
+ {
+ bio = BIO_new_mem_buf ((char *)extra_certs_file_inline, -1);
+ }
+ else
+#endif
+ {
+ bio = BIO_new(BIO_s_file());
+ if (BIO_read_filename(bio, extra_certs_file) <= 0)
+ msg (M_SSLERR, "Cannot load extra-certs file: %s", extra_certs_file);
+ }
+ for (;;)
+ {
+ cert = NULL;
+ if (!PEM_read_bio_X509 (bio, &cert, 0, NULL)) /* takes ownership of cert */
+ break;
+ if (!cert)
+ msg (M_SSLERR, "Error reading extra-certs certificate");
+ if (SSL_CTX_add_extra_chain_cert(ctx->ctx, cert) != 1)
+ msg (M_SSLERR, "Error adding extra-certs certificate");
+ }
+ BIO_free (bio);
}
/* **************************************
int ret = 0;
perf_push (PERF_BIO_WRITE_PLAINTEXT);
-#ifdef USE_OPENSSL
ASSERT (NULL != ks_ssl);
ret = bio_write (ks_ssl->ssl_bio, data, len, "tls_write_plaintext_const");
-#endif /* USE_OPENSSL */
perf_pop ();
return ret;
int ret = 0;
perf_push (PERF_BIO_READ_CIPHERTEXT);
-#ifdef USE_OPENSSL
ASSERT (NULL != ks_ssl);
ret = bio_read (ks_ssl->ct_out, buf, maxlen, "tls_read_ciphertext");
-#endif /* USE_OPENSSL */
perf_pop ();
return ret;
int ret = 0;
perf_push (PERF_BIO_WRITE_CIPHERTEXT);
-#ifdef USE_OPENSSL
ASSERT (NULL != ks_ssl);
ret = bio_write (ks_ssl->ct_in, BPTR(buf), BLEN(buf), "tls_write_ciphertext");
bio_write_post (ret, buf);
-#endif /* USE_OPENSSL */
perf_pop ();
return ret;
int ret = 0;
perf_push (PERF_BIO_READ_PLAINTEXT);
-#ifdef USE_OPENSSL
ASSERT (NULL != ks_ssl);
ret = bio_read (ks_ssl->ssl_bio, buf, maxlen, "tls_read_plaintext");
-#endif /* USE_OPENSSL */
perf_pop ();
return ret;
msg (D_HANDSHAKE, "%s%s", s1, s2);
}
-void
-tls_ctx_load_extra_certs (struct tls_root_ctx *ctx, const char *extra_certs_file
-#if ENABLE_INLINE_FILES
- , const char *extra_certs_file_inline
-#endif
- )
-{
- BIO *bio;
- X509 *cert;
-#if ENABLE_INLINE_FILES
- if (!strcmp (extra_certs_file, INLINE_FILE_TAG) && extra_certs_file_inline)
- {
- bio = BIO_new_mem_buf ((char *)extra_certs_file_inline, -1);
- }
- else
-#endif
- {
- bio = BIO_new(BIO_s_file());
- if (BIO_read_filename(bio, extra_certs_file) <= 0)
- msg (M_SSLERR, "Cannot load extra-certs file: %s", extra_certs_file);
- }
- for (;;)
- {
- cert = NULL;
- if (!PEM_read_bio_X509 (bio, &cert, 0, NULL)) /* takes ownership of cert */
- break;
- if (!cert)
- msg (M_SSLERR, "Error reading extra-certs certificate");
- if (SSL_CTX_add_extra_chain_cert(ctx->ctx, cert) != 1)
- msg (M_SSLERR, "Error adding extra-certs certificate");
- }
- BIO_free (bio);
-}
-
void
show_available_tls_ciphers ()
{
/* export X509 cert SHA1 fingerprint */
{
struct gc_arena gc = gc_new ();
+ unsigned char *sha1_hash = x509_get_sha1_hash(peer_cert);
+
openvpn_snprintf (envname, sizeof(envname), "tls_digest_%d", cert_depth);
- setenv_str (es, envname,
- format_hex_ex(peer_cert->sha1_hash, SHA_DIGEST_LENGTH, 0, 1, ":", &gc));
+ setenv_str (es, envname, format_hex_ex(sha1_hash, SHA_DIGEST_LENGTH, 0, 1,
+ ":", &gc));
+ x509_free_sha1_hash(sha1_hash);
gc_free(&gc);
}
#endif
* check peer cert against CRL directory
*/
static bool
-verify_check_crl_dir(const char *crl_dir, X509 *cert)
+verify_check_crl_dir(const char *crl_dir, x509_cert_t *cert)
{
char fn[256];
int fd;
/* verify level 1 cert, i.e. the CA that signed our leaf cert */
if (cert_depth == 1 && opt->verify_hash)
{
- if (memcmp (cert->sha1_hash, opt->verify_hash, SHA_DIGEST_LENGTH))
+ unsigned char *sha1_hash = x509_get_sha1_hash(cert);
+ if (memcmp (sha1_hash, opt->verify_hash, SHA_DIGEST_LENGTH))
{
msg (D_TLS_ERRORS, "TLS Error: level-1 certificate hash verification failed");
+ x509_free_sha1_hash(sha1_hash);
goto err;
}
+ x509_free_sha1_hash(sha1_hash);
}
/* save common name in session object */
*/
/*
- * Retrieve certificate's subject name, and place it in **subject.
+ * Retrieve certificate's subject name.
*
* The returned string must be freed with \c verify_free_subject()
*
char *x509_get_subject (x509_cert_t *cert);
/*
- * Free a subjectnumber string as returned by \c verify_get_subject()
+ * Free a subject string as returned by \c verify_get_subject()
*
* @param subject The subject to be freed.
*/
void x509_free_subject (char *subject);
+/* Retrieve the certificate's SHA1 hash.
+ *
+ * The returned string must be freed with \c verify_free_sha1_hash()
+ *
+ * @param cert Certificate to retrieve the hash from.
+ *
+ * @return a string containing the SHA1 hash of the certificate
+ */
+
+unsigned char *x509_get_sha1_hash (x509_cert_t *cert);
+
+/*
+ * Free a hash as returned by \c verify_get_hash()
+ *
+ * @param hash The subject to be freed.
+ */
+void x509_free_sha1_hash (unsigned char *hash);
+
/*
* Retrieve the certificate's username from the specified field.
*
void x509_free_serial (char *serial);
/*
- * TODO: document
+ * Save X509 fields to environment, using the naming convention:
+ *
+ * X509_{cert_depth}_{name}={value}
*
* @param xt
* @param es Environment set to save variables in
*/
bool x509_verify_ns_cert_type(const x509_cert_t *cert, const int usage);
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L || USE_POLARSSL
+
/*
* Verify X.509 key usage extension field.
*
*/
bool x509_verify_cert_eku (x509_cert_t *x509, const char * const expected_oid);
+#endif
+
/*
* Store the given certificate in pem format in a temporary file in tmp_dir
*
{
struct tls_session *session;
SSL *ssl;
+ unsigned char *sha1_hash = NULL;
/* get the tls_session pointer */
ssl = X509_STORE_CTX_get_ex_data (ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
session = (struct tls_session *) SSL_get_ex_data (ssl, mydata_index);
ASSERT (session);
- cert_hash_remember (session, ctx->error_depth, ctx->current_cert->sha1_hash);
+ sha1_hash = x509_get_sha1_hash(ctx->current_cert);
+ cert_hash_remember (session, ctx->error_depth, sha1_hash);
+ x509_free_sha1_hash(sha1_hash);
/* did peer present cert which was signed by our root cert? */
if (!preverify_ok)
{
/* get the X509 name */
- char *subject = X509_NAME_oneline (
- X509_get_subject_name (ctx->current_cert), NULL, 0);
+ char *subject = x509_get_serial(ctx->current_cert);
if (subject)
{
ctx->error_depth,
X509_verify_cert_error_string (ctx->error),
subject);
- free (subject);
+ x509_free_subject(subject);
}
ERR_clear_error();
OPENSSL_free(serial);
}
+unsigned char *
+x509_get_sha1_hash (X509 *cert)
+{
+ char *hash = malloc(SHA_DIGEST_LENGTH);
+ memcpy(hash, cert->sha1_hash, SHA_DIGEST_LENGTH);
+ return cert->sha1_hash;
+}
+
+void
+x509_free_sha1_hash (unsigned char *hash)
+{
+ if (hash)
+ free(hash);
+}
+
char *
x509_get_subject (X509 *cert)
{
projects / thirdparty / openvpn.git / commitdiff
