From 3a2bbdb05ca6a6996e424c9fb225cb0d53804125 Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Iniesta Date: Tue, 27 Dec 2016 18:25:47 +0100 Subject: New upstream version 2.4.0 --- src/openvpn/pkcs11_mbedtls.c | 123 +++++++++++++++++++++++-------------------- 1 file changed, 65 insertions(+), 58 deletions(-) (limited to 'src/openvpn/pkcs11_mbedtls.c') diff --git a/src/openvpn/pkcs11_mbedtls.c b/src/openvpn/pkcs11_mbedtls.c index e208b61..bdca893 100644 --- a/src/openvpn/pkcs11_mbedtls.c +++ b/src/openvpn/pkcs11_mbedtls.c @@ -5,8 +5,8 @@ * packet encryption, packet authentication, and * packet compression. * - * Copyright (C) 2002-2010 OpenVPN Technologies, Inc. - * Copyright (C) 2010 Fox Crypto B.V. + * Copyright (C) 2002-2017 OpenVPN Technologies, Inc. + * Copyright (C) 2010-2017 Fox Crypto B.V. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 @@ -44,86 +44,93 @@ int pkcs11_init_tls_session(pkcs11h_certificate_t certificate, - struct tls_root_ctx * const ssl_ctx) + struct tls_root_ctx *const ssl_ctx) { - int ret = 1; - - ASSERT (NULL != ssl_ctx); - - ALLOC_OBJ_CLEAR (ssl_ctx->crt_chain, mbedtls_x509_crt); - if (mbedtls_pkcs11_x509_cert_bind(ssl_ctx->crt_chain, certificate)) { - msg (M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object"); - goto cleanup; - } - - ALLOC_OBJ_CLEAR (ssl_ctx->priv_key_pkcs11, mbedtls_pkcs11_context); - if (mbedtls_pkcs11_priv_key_bind(ssl_ctx->priv_key_pkcs11, certificate)) { - msg (M_FATAL, "PKCS#11: Cannot initialize mbed TLS private key object"); - goto cleanup; - } - - ALLOC_OBJ_CLEAR (ssl_ctx->priv_key, mbedtls_pk_context); - if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ssl_ctx->priv_key, - ssl_ctx->priv_key_pkcs11, mbedtls_ssl_pkcs11_decrypt, - mbedtls_ssl_pkcs11_sign, mbedtls_ssl_pkcs11_key_len))) { - goto cleanup; - } - - ret = 0; + int ret = 1; + + ASSERT(NULL != ssl_ctx); + + ALLOC_OBJ_CLEAR(ssl_ctx->crt_chain, mbedtls_x509_crt); + if (mbedtls_pkcs11_x509_cert_bind(ssl_ctx->crt_chain, certificate)) + { + msg(M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object"); + goto cleanup; + } + + ALLOC_OBJ_CLEAR(ssl_ctx->priv_key_pkcs11, mbedtls_pkcs11_context); + if (mbedtls_pkcs11_priv_key_bind(ssl_ctx->priv_key_pkcs11, certificate)) + { + msg(M_FATAL, "PKCS#11: Cannot initialize mbed TLS private key object"); + goto cleanup; + } + + ALLOC_OBJ_CLEAR(ssl_ctx->priv_key, mbedtls_pk_context); + if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ssl_ctx->priv_key, + ssl_ctx->priv_key_pkcs11, mbedtls_ssl_pkcs11_decrypt, + mbedtls_ssl_pkcs11_sign, mbedtls_ssl_pkcs11_key_len))) + { + goto cleanup; + } + + ret = 0; cleanup: - return ret; + return ret; } char * -pkcs11_certificate_dn (pkcs11h_certificate_t cert, struct gc_arena *gc) +pkcs11_certificate_dn(pkcs11h_certificate_t cert, struct gc_arena *gc) { - char *ret = NULL; - char dn[1024] = {0}; + char *ret = NULL; + char dn[1024] = {0}; - mbedtls_x509_crt mbed_crt = {0}; + mbedtls_x509_crt mbed_crt = {0}; - if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert)) { - msg (M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object"); - goto cleanup; - } + if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert)) + { + msg(M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object"); + goto cleanup; + } - if (-1 == mbedtls_x509_dn_gets (dn, sizeof(dn), &mbed_crt.subject)) { - msg (M_FATAL, "PKCS#11: mbed TLS cannot parse subject"); - goto cleanup; - } + if (-1 == mbedtls_x509_dn_gets(dn, sizeof(dn), &mbed_crt.subject)) + { + msg(M_FATAL, "PKCS#11: mbed TLS cannot parse subject"); + goto cleanup; + } - ret = string_alloc(dn, gc); + ret = string_alloc(dn, gc); cleanup: - mbedtls_x509_crt_free(&mbed_crt); + mbedtls_x509_crt_free(&mbed_crt); - return ret; + return ret; } int -pkcs11_certificate_serial (pkcs11h_certificate_t cert, char *serial, - size_t serial_len) +pkcs11_certificate_serial(pkcs11h_certificate_t cert, char *serial, + size_t serial_len) { - int ret = 1; + int ret = 1; - mbedtls_x509_crt mbed_crt = {0}; + mbedtls_x509_crt mbed_crt = {0}; - if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert)) { - msg (M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object"); - goto cleanup; - } + if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert)) + { + msg(M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object"); + goto cleanup; + } - if (-1 == mbedtls_x509_serial_gets (serial, serial_len, &mbed_crt.serial)) { - msg (M_FATAL, "PKCS#11: mbed TLS cannot parse serial"); - goto cleanup; - } + if (-1 == mbedtls_x509_serial_gets(serial, serial_len, &mbed_crt.serial)) + { + msg(M_FATAL, "PKCS#11: mbed TLS cannot parse serial"); + goto cleanup; + } - ret = 0; + ret = 0; cleanup: - mbedtls_x509_crt_free(&mbed_crt); + mbedtls_x509_crt_free(&mbed_crt); - return ret; + return ret; } #endif /* defined(ENABLE_PKCS11) && defined(ENABLE_CRYPTO_MBEDTLS) */ -- cgit v1.2.3