authorAlberto Gonzalez Iniesta <agi@inittab.org>2016-12-27 18:25:47 +0100
committerAlberto Gonzalez Iniesta <agi@inittab.org>2016-12-27 18:25:47 +0100
commit79f3537f69e125f19f59c36aa090120a63186a54 (patch)
tree2089a3b7dac990841dbc2e4d9b2f535b82dbb0af /src/openvpn/pkcs11_mbedtls.c
parentf2137fedb30cb87448eb03b2f288920df6187571 (diff)
parent3a2bbdb05ca6a6996e424c9fb225cb0d53804125 (diff)
Merge tag 'upstream/2.4.0'
Upstream version 2.4.0
Diffstat (limited to 'src/openvpn/pkcs11_mbedtls.c')
-rw-r--r--src/openvpn/pkcs11_mbedtls.c123
1 files changed, 65 insertions, 58 deletions
diff --git a/src/openvpn/pkcs11_mbedtls.c b/src/openvpn/pkcs11_mbedtls.c
index e208b61..bdca893 100644
--- a/src/openvpn/pkcs11_mbedtls.c
+++ b/src/openvpn/pkcs11_mbedtls.c
@@ -5,8 +5,8 @@
* packet encryption, packet authentication, and
* packet compression.
*
- * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
- * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
+ * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ * Copyright (C) 2010-2017 Fox Crypto B.V. <openvpn@fox-it.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2
@@ -44,86 +44,93 @@
int
pkcs11_init_tls_session(pkcs11h_certificate_t certificate,
- struct tls_root_ctx * const ssl_ctx)
+ struct tls_root_ctx *const ssl_ctx)
{
- int ret = 1;
-
- ASSERT (NULL != ssl_ctx);
-
- ALLOC_OBJ_CLEAR (ssl_ctx->crt_chain, mbedtls_x509_crt);
- if (mbedtls_pkcs11_x509_cert_bind(ssl_ctx->crt_chain, certificate)) {
- msg (M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object");
- goto cleanup;
- }
-
- ALLOC_OBJ_CLEAR (ssl_ctx->priv_key_pkcs11, mbedtls_pkcs11_context);
- if (mbedtls_pkcs11_priv_key_bind(ssl_ctx->priv_key_pkcs11, certificate)) {
- msg (M_FATAL, "PKCS#11: Cannot initialize mbed TLS private key object");
- goto cleanup;
- }
-
- ALLOC_OBJ_CLEAR (ssl_ctx->priv_key, mbedtls_pk_context);
- if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ssl_ctx->priv_key,
- ssl_ctx->priv_key_pkcs11, mbedtls_ssl_pkcs11_decrypt,
- mbedtls_ssl_pkcs11_sign, mbedtls_ssl_pkcs11_key_len))) {
- goto cleanup;
- }
-
- ret = 0;
+ int ret = 1;
+
+ ASSERT(NULL != ssl_ctx);
+
+ ALLOC_OBJ_CLEAR(ssl_ctx->crt_chain, mbedtls_x509_crt);
+ if (mbedtls_pkcs11_x509_cert_bind(ssl_ctx->crt_chain, certificate))
+ {
+ msg(M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object");
+ goto cleanup;
+ }
+
+ ALLOC_OBJ_CLEAR(ssl_ctx->priv_key_pkcs11, mbedtls_pkcs11_context);
+ if (mbedtls_pkcs11_priv_key_bind(ssl_ctx->priv_key_pkcs11, certificate))
+ {
+ msg(M_FATAL, "PKCS#11: Cannot initialize mbed TLS private key object");
+ goto cleanup;
+ }
+
+ ALLOC_OBJ_CLEAR(ssl_ctx->priv_key, mbedtls_pk_context);
+ if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ssl_ctx->priv_key,
+ ssl_ctx->priv_key_pkcs11, mbedtls_ssl_pkcs11_decrypt,
+ mbedtls_ssl_pkcs11_sign, mbedtls_ssl_pkcs11_key_len)))
+ {
+ goto cleanup;
+ }
+
+ ret = 0;
cleanup:
- return ret;
+ return ret;
}
char *
-pkcs11_certificate_dn (pkcs11h_certificate_t cert, struct gc_arena *gc)
+pkcs11_certificate_dn(pkcs11h_certificate_t cert, struct gc_arena *gc)
{
- char *ret = NULL;
- char dn[1024] = {0};
+ char *ret = NULL;
+ char dn[1024] = {0};
- mbedtls_x509_crt mbed_crt = {0};
+ mbedtls_x509_crt mbed_crt = {0};
- if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert)) {
- msg (M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object");
- goto cleanup;
- }
+ if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert))
+ {
+ msg(M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object");
+ goto cleanup;
+ }
- if (-1 == mbedtls_x509_dn_gets (dn, sizeof(dn), &mbed_crt.subject)) {
- msg (M_FATAL, "PKCS#11: mbed TLS cannot parse subject");
- goto cleanup;
- }
+ if (-1 == mbedtls_x509_dn_gets(dn, sizeof(dn), &mbed_crt.subject))
+ {
+ msg(M_FATAL, "PKCS#11: mbed TLS cannot parse subject");
+ goto cleanup;
+ }
- ret = string_alloc(dn, gc);
+ ret = string_alloc(dn, gc);
cleanup:
- mbedtls_x509_crt_free(&mbed_crt);
+ mbedtls_x509_crt_free(&mbed_crt);
- return ret;
+ return ret;
}
int
-pkcs11_certificate_serial (pkcs11h_certificate_t cert, char *serial,
- size_t serial_len)
+pkcs11_certificate_serial(pkcs11h_certificate_t cert, char *serial,
+ size_t serial_len)
{
- int ret = 1;
+ int ret = 1;
- mbedtls_x509_crt mbed_crt = {0};
+ mbedtls_x509_crt mbed_crt = {0};
- if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert)) {
- msg (M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object");
- goto cleanup;
- }
+ if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert))
+ {
+ msg(M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object");
+ goto cleanup;
+ }
- if (-1 == mbedtls_x509_serial_gets (serial, serial_len, &mbed_crt.serial)) {
- msg (M_FATAL, "PKCS#11: mbed TLS cannot parse serial");
- goto cleanup;
- }
+ if (-1 == mbedtls_x509_serial_gets(serial, serial_len, &mbed_crt.serial))
+ {
+ msg(M_FATAL, "PKCS#11: mbed TLS cannot parse serial");
+ goto cleanup;
+ }
- ret = 0;
+ ret = 0;
cleanup:
- mbedtls_x509_crt_free(&mbed_crt);
+ mbedtls_x509_crt_free(&mbed_crt);
- return ret;
+ return ret;
}
#endif /* defined(ENABLE_PKCS11) && defined(ENABLE_CRYPTO_MBEDTLS) */
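Review bot: The `-1 ==` tests on mbedtls_x509_dn_gets in pkcs11_certificate_dn and on mbedtls_x509_serial_gets in pkcs11_certificate_serial catch exactly one error value; as far as I recall, mbed TLS signals a too-small output buffer with its own negative error code (MBEDTLS_ERR_X509_BUFFER_TOO_SMALL) rather than -1, so an over-long subject or serial would slip past the check and a truncated string would be handed back to the caller — worth confirming against the mbed TLS version this build targets. Since these strings are presumably consumed by certificate-identity matching elsewhere, a truncated DN or serial should be treated as a failure rather than silently accepted. I would reject any negative return instead: `if (0 > mbedtls_x509_dn_gets(dn, sizeof(dn), &mbed_crt.subject))` and `if (0 > mbedtls_x509_serial_gets(serial, serial_len, &mbed_crt.serial))`. Both functions lie entirely within this hunk.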