From: Adriaan de Jong <dejong@fox-it.com>
Date: Mon, 27 Jun 2011 12:39:23 +0000 (+0200)
Subject: Refactored private key loading code
X-Git-Tag: v2.3-alpha1~147
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d67c3147b006aed24f0c3f6e0e288bf0d6a55973;p=thirdparty%2Fopenvpn.git

Refactored private key loading code

Signed-off-by: Adriaan de Jong <dejong@fox-it.com>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>
---

diff --git a/ssl.c b/ssl.c
index 343097211..4091eba94 100644
--- a/ssl.c
+++ b/ssl.c
@@ -1842,34 +1842,6 @@ use_inline_load_client_CA_file (SSL_CTX *ctx, const char *ca_string)
   return(ret);
 }
 
-static int
-use_inline_PrivateKey_file (SSL_CTX *ctx, const char *key_string)
-{
-  BIO *in = NULL;
-  EVP_PKEY *pkey = NULL;
-  int ret = 0;
-
-  in = BIO_new_mem_buf ((char *)key_string, -1);
-  if (!in)
-    goto end;
-
-  pkey = PEM_read_bio_PrivateKey (in,
-				  NULL,
-				  ctx->default_passwd_callback,
-				  ctx->default_passwd_callback_userdata);
-  if (!pkey)
-    goto end;
-
-  ret = SSL_CTX_use_PrivateKey (ctx, pkey);
-
- end:
-  if (pkey)
-    EVP_PKEY_free (pkey);
-  if (in)
-    BIO_free (in);
-  return ret;
-}
-
 #endif
 
 /*
@@ -1935,44 +1907,19 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
 #endif
   else
     {
-      /* Use seperate PEM files for key, cert and CA certs */
       /* Load Certificate */
       if (options->cert_file)
 	{
           tls_ctx_load_cert_file(new_ctx, options->cert_file, options->cert_file_inline, NULL);
 	}
 
-	  /* Load Private Key */
-	  if (options->priv_key_file)
-	    {
-	      int status;
-	      
-#if ENABLE_INLINE_FILES
-	      if (!strcmp (options->priv_key_file, INLINE_FILE_TAG) && options->priv_key_file_inline)
-		{
-		  status = use_inline_PrivateKey_file (ctx, options->priv_key_file_inline);
-		}
-	      else
-#endif
-	      {
-		status = SSL_CTX_use_PrivateKey_file (ctx, options->priv_key_file, SSL_FILETYPE_PEM);
-	      }
-	      if (!status)
-		{
-#ifdef ENABLE_MANAGEMENT
-		  if (management && (ERR_GET_REASON (ERR_peek_error()) == EVP_R_BAD_DECRYPT))
-		    management_auth_failure (management, UP_TYPE_PRIVATE_KEY, NULL);
-#endif
-		  msg (M_WARN|M_SSL, "Cannot load private key file %s", options->priv_key_file);
-		  goto err;
-		}
-	      warn_if_group_others_accessible (options->priv_key_file);
-
-	      /* Check Private Key */
-	      if (!SSL_CTX_check_private_key (ctx))
-		msg (M_SSLERR, "Private key does not match the certificate");
-	    }
+      /* Load Private Key */
+      if (options->priv_key_file)
+	{
+          if (0 != tls_ctx_load_priv_file(new_ctx, options->priv_key_file, options->priv_key_file_inline))
+            goto err;
 	}
+    }
 
   if (options->ca_file || options->ca_path)
     {
diff --git a/ssl_backend.h b/ssl_backend.h
index 0af14697b..3beee1927 100644
--- a/ssl_backend.h
+++ b/ssl_backend.h
@@ -192,6 +192,23 @@ void tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file,
     X509 **x509
     );
 
+/**
+ * Load private key file into the given TLS context.
+ *
+ * @param ctx			TLS context to use
+ * @param priv_key_file		The file name to load the private key from, or
+ * 				"[[INLINE]]" in the case of inline files.
+ * @param priv_key_file_inline	A string containing the private key
+ *
+ * @return 			1 if an error occurred, 0 if parsing was
+ * 				successful.
+ */
+int tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file
+#if ENABLE_INLINE_FILES
+    , const char *priv_key_file_inline
+#endif
+    );
+
 /**
  * Show the TLS ciphers that are available for us to use in the OpenSSL
  * library.
diff --git a/ssl_openssl.c b/ssl_openssl.c
index 5980080ef..a53bcdbfa 100644
--- a/ssl_openssl.c
+++ b/ssl_openssl.c
@@ -438,6 +438,75 @@ tls_ctx_load_cert_file (struct tls_root_ctx *ctx, const char *cert_file,
     }
 }
 
+#if ENABLE_INLINE_FILES
+static int
+use_inline_PrivateKey_file (SSL_CTX *ctx, const char *key_string)
+{
+  BIO *in = NULL;
+  EVP_PKEY *pkey = NULL;
+  int ret = 0;
+
+  in = BIO_new_mem_buf ((char *)key_string, -1);
+  if (!in)
+    goto end;
+
+  pkey = PEM_read_bio_PrivateKey (in,
+				  NULL,
+				  ctx->default_passwd_callback,
+				  ctx->default_passwd_callback_userdata);
+  if (!pkey)
+    goto end;
+
+  ret = SSL_CTX_use_PrivateKey (ctx, pkey);
+
+ end:
+  if (pkey)
+    EVP_PKEY_free (pkey);
+  if (in)
+    BIO_free (in);
+  return ret;
+}
+#endif /* ENABLE_INLINE_FILES */
+
+int
+tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file
+#if ENABLE_INLINE_FILES
+    , const char *priv_key_file_inline
+#endif
+    )
+{
+  ASSERT(NULL != ctx);
+
+  int status;
+
+#if ENABLE_INLINE_FILES
+  if (!strcmp (priv_key_file, INLINE_FILE_TAG) && priv_key_file_inline)
+    {
+      status = use_inline_PrivateKey_file (ctx->ctx, priv_key_file_inline);
+    }
+  else
+#endif /* ENABLE_INLINE_FILES */
+    {
+      status = SSL_CTX_use_PrivateKey_file (ctx->ctx, priv_key_file, SSL_FILETYPE_PEM);
+    }
+  if (!status)
+    {
+#ifdef ENABLE_MANAGEMENT
+      if (management && (ERR_GET_REASON (ERR_peek_error()) == EVP_R_BAD_DECRYPT))
+	  management_auth_failure (management, UP_TYPE_PRIVATE_KEY, NULL);
+#endif
+      msg (M_WARN|M_SSL, "Cannot load private key file %s", priv_key_file);
+      return 1;
+    }
+  warn_if_group_others_accessible (priv_key_file);
+
+  /* Check Private Key */
+  if (!SSL_CTX_check_private_key (ctx->ctx))
+    msg (M_SSLERR, "Private key does not match the certificate");
+  return 0;
+
+}
+
 void
 show_available_tls_ciphers ()
 {