author | Alberto Gonzalez Iniesta <agi@inittab.org> | 2016-12-27 18:25:47 +0100 |
---|---|---|
committer | Alberto Gonzalez Iniesta <agi@inittab.org> | 2016-12-27 18:25:47 +0100 |
commit | 79f3537f69e125f19f59c36aa090120a63186a54 (patch) | |
tree | 2089a3b7dac990841dbc2e4d9b2f535b82dbb0af /src/openvpn/pkcs11_mbedtls.c | |
parent | f2137fedb30cb87448eb03b2f288920df6187571 (diff) | |
parent | 3a2bbdb05ca6a6996e424c9fb225cb0d53804125 (diff) |
Merge tag 'upstream/2.4.0'
Upstream version 2.4.0
Diffstat (limited to 'src/openvpn/pkcs11_mbedtls.c')
-rw-r--r-- | src/openvpn/pkcs11_mbedtls.c | 123 |
1 files changed, 65 insertions, 58 deletions
diff --git a/src/openvpn/pkcs11_mbedtls.c b/src/openvpn/pkcs11_mbedtls.c
index e208b61..bdca893 100644
--- a/src/openvpn/pkcs11_mbedtls.c
+++ b/src/openvpn/pkcs11_mbedtls.c
@@ -5,8 +5,8 @@
 * packet encryption, packet authentication, and
 * packet compression.
 *
- * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
- * Copyright (C) 2010 Fox Crypto B.V. <openvpn@fox-it.com>
+ * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
+ * Copyright (C) 2010-2017 Fox Crypto B.V. <openvpn@fox-it.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2
@@ -44,86 +44,93 @@
 int
 pkcs11_init_tls_session(pkcs11h_certificate_t certificate,
- struct tls_root_ctx * const ssl_ctx)
+ struct tls_root_ctx *const ssl_ctx)
 {
- int ret = 1;
-
- ASSERT (NULL != ssl_ctx);
-
- ALLOC_OBJ_CLEAR (ssl_ctx->crt_chain, mbedtls_x509_crt);
- if (mbedtls_pkcs11_x509_cert_bind(ssl_ctx->crt_chain, certificate)) {
- msg (M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object");
- goto cleanup;
- }
-
- ALLOC_OBJ_CLEAR (ssl_ctx->priv_key_pkcs11, mbedtls_pkcs11_context);
- if (mbedtls_pkcs11_priv_key_bind(ssl_ctx->priv_key_pkcs11, certificate)) {
- msg (M_FATAL, "PKCS#11: Cannot initialize mbed TLS private key object");
- goto cleanup;
- }
-
- ALLOC_OBJ_CLEAR (ssl_ctx->priv_key, mbedtls_pk_context);
- if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ssl_ctx->priv_key,
- ssl_ctx->priv_key_pkcs11, mbedtls_ssl_pkcs11_decrypt,
- mbedtls_ssl_pkcs11_sign, mbedtls_ssl_pkcs11_key_len))) {
- goto cleanup;
- }
-
- ret = 0;
+ int ret = 1;
+
+ ASSERT(NULL != ssl_ctx);
+
+ ALLOC_OBJ_CLEAR(ssl_ctx->crt_chain, mbedtls_x509_crt);
+ if (mbedtls_pkcs11_x509_cert_bind(ssl_ctx->crt_chain, certificate))
+ {
+ msg(M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object");
+ goto cleanup;
+ }
+
+ ALLOC_OBJ_CLEAR(ssl_ctx->priv_key_pkcs11, mbedtls_pkcs11_context);
+ if (mbedtls_pkcs11_priv_key_bind(ssl_ctx->priv_key_pkcs11, certificate))
+ {
+ msg(M_FATAL, "PKCS#11: Cannot initialize mbed TLS private key object");
+ goto cleanup;
+ }
+
+ ALLOC_OBJ_CLEAR(ssl_ctx->priv_key, mbedtls_pk_context);
+ if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ssl_ctx->priv_key,
+ ssl_ctx->priv_key_pkcs11, mbedtls_ssl_pkcs11_decrypt,
+ mbedtls_ssl_pkcs11_sign, mbedtls_ssl_pkcs11_key_len)))
+ {
+ goto cleanup;
+ }
+
+ ret = 0;
 cleanup:
- return ret;
+ return ret;
 }
 char *
-pkcs11_certificate_dn (pkcs11h_certificate_t cert, struct gc_arena *gc)
+pkcs11_certificate_dn(pkcs11h_certificate_t cert, struct gc_arena *gc)
 {
- char *ret = NULL;
- char dn[1024] = {0};
+ char *ret = NULL;
+ char dn[1024] = {0};
- mbedtls_x509_crt mbed_crt = {0};
+ mbedtls_x509_crt mbed_crt = {0};
- if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert)) {
- msg (M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object");
- goto cleanup;
- }
+ if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert))
+ {
+ msg(M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object");
+ goto cleanup;
+ }
- if (-1 == mbedtls_x509_dn_gets (dn, sizeof(dn), &mbed_crt.subject)) {
- msg (M_FATAL, "PKCS#11: mbed TLS cannot parse subject");
- goto cleanup;
- }
+ if (-1 == mbedtls_x509_dn_gets(dn, sizeof(dn), &mbed_crt.subject))
+ {
+ msg(M_FATAL, "PKCS#11: mbed TLS cannot parse subject");
+ goto cleanup;
+ }
- ret = string_alloc(dn, gc);
+ ret = string_alloc(dn, gc);
 cleanup:
- mbedtls_x509_crt_free(&mbed_crt);
+ mbedtls_x509_crt_free(&mbed_crt);
- return ret;
+ return ret;
 }
 int
-pkcs11_certificate_serial (pkcs11h_certificate_t cert, char *serial,
- size_t serial_len)
+pkcs11_certificate_serial(pkcs11h_certificate_t cert, char *serial,
+ size_t serial_len)
 {
- int ret = 1;
+ int ret = 1;
- mbedtls_x509_crt mbed_crt = {0};
+ mbedtls_x509_crt mbed_crt = {0};
- if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert)) {
- msg (M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object");
- goto cleanup;
- }
+ if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert))
+ {
+ msg(M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object");
+ goto cleanup;
+ }
- if (-1 == mbedtls_x509_serial_gets (serial, serial_len, &mbed_crt.serial)) {
- msg (M_FATAL, "PKCS#11: mbed TLS cannot parse serial");
- goto cleanup;
- }
+ if (-1 == mbedtls_x509_serial_gets(serial, serial_len, &mbed_crt.serial))
+ {
+ msg(M_FATAL, "PKCS#11: mbed TLS cannot parse serial");
+ goto cleanup;
+ }
- ret = 0;
+ ret = 0;
 cleanup:
- mbedtls_x509_crt_free(&mbed_crt);
+ mbedtls_x509_crt_free(&mbed_crt);
- return ret;
+ return ret;
 }
 #endif /* defined(ENABLE_PKCS11) && defined(ENABLE_CRYPTO_MBEDTLS) */ |
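Review bot: The `-1 ==` checks on mbedtls_x509_dn_gets() in pkcs11_certificate_dn and on mbedtls_x509_serial_gets() in pkcs11_certificate_serial (both fully inside this hunk) are effectively dead: the mbed TLS x509 `*_gets` helpers report failure with a negative MBEDTLS_ERR_* code such as MBEDTLS_ERR_X509_BUFFER_TOO_SMALL, not -1, so a subject that does not fit the 1024-byte `dn` buffer, or a serial longer than `serial_len`, is returned as a silently truncated string instead of reaching the M_FATAL path. The fix is to treat any negative return as an error: `if (mbedtls_x509_dn_gets(dn, sizeof(dn), &mbed_crt.subject) < 0)` and `if (mbedtls_x509_serial_gets(serial, serial_len, &mbed_crt.serial) < 0)`. The comparison predates this reformat, but since the merge rewrites both functions anyway it is the natural place to correct it; a short comment on each check, e.g. `/* mbed TLS returns a negative MBEDTLS_ERR_* code, including on truncation */`, would stop the next reader from reintroducing `-1`.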