Browse code
Refactor ssl_openssl.c in prep for external EC key support
- Move setting of key method callbacks into a function
No change in functionality.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1515959073-10376-2-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16227.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Selva Nair authored on 2018/01/15 04:44:31Showing 1 changed files
| ... | ... |
@@ -1097,20 +1097,17 @@ done: |
| 1097 | 1097 |
return ret; |
| 1098 | 1098 |
} |
| 1099 | 1099 |
|
| 1100 |
-int |
|
| 1101 |
-tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, |
|
| 1102 |
- const char *cert_file, const char *cert_file_inline) |
|
| 1100 |
+static int |
|
| 1101 |
+tls_ctx_use_external_rsa_key(struct tls_root_ctx *ctx, EVP_PKEY *pkey) |
|
| 1103 | 1102 |
{
|
| 1104 | 1103 |
RSA *rsa = NULL; |
| 1105 | 1104 |
RSA *pub_rsa; |
| 1106 | 1105 |
RSA_METHOD *rsa_meth; |
| 1107 |
- X509 *cert = NULL; |
|
| 1108 | 1106 |
|
| 1109 | 1107 |
ASSERT(NULL != ctx); |
| 1110 | 1108 |
|
| 1111 |
- tls_ctx_load_cert_file_and_copy(ctx, cert_file, cert_file_inline, &cert); |
|
| 1112 |
- |
|
| 1113 |
- ASSERT(NULL != cert); |
|
| 1109 |
+ pub_rsa = EVP_PKEY_get0_RSA(pkey); |
|
| 1110 |
+ ASSERT(NULL != pub_rsa); |
|
| 1114 | 1111 |
|
| 1115 | 1112 |
/* allocate custom RSA method object */ |
| 1116 | 1113 |
rsa_meth = RSA_meth_new("OpenVPN external private key RSA Method",
|
| ... | ... |
@@ -1132,18 +1129,6 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, |
| 1132 | 1132 |
goto err; |
| 1133 | 1133 |
} |
| 1134 | 1134 |
|
| 1135 |
- /* get the public key */ |
|
| 1136 |
- EVP_PKEY *pkey = X509_get0_pubkey(cert); |
|
| 1137 |
- ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */ |
|
| 1138 |
- pub_rsa = EVP_PKEY_get0_RSA(pkey); |
|
| 1139 |
- |
|
| 1140 |
- /* Certificate might not be RSA but DSA or EC */ |
|
| 1141 |
- if (!pub_rsa) |
|
| 1142 |
- {
|
|
| 1143 |
- crypto_msg(M_WARN, "management-external-key requires a RSA certificate"); |
|
| 1144 |
- goto err; |
|
| 1145 |
- } |
|
| 1146 |
- |
|
| 1147 | 1135 |
/* initialize RSA object */ |
| 1148 | 1136 |
const BIGNUM *n = NULL; |
| 1149 | 1137 |
const BIGNUM *e = NULL; |
| ... | ... |
@@ -1152,8 +1137,10 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, |
| 1152 | 1152 |
RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY); |
| 1153 | 1153 |
if (!RSA_set_method(rsa, rsa_meth)) |
| 1154 | 1154 |
{
|
| 1155 |
+ RSA_meth_free(rsa_meth); |
|
| 1155 | 1156 |
goto err; |
| 1156 | 1157 |
} |
| 1158 |
+ /* from this point rsa_meth will get freed with rsa */ |
|
| 1157 | 1159 |
|
| 1158 | 1160 |
/* bind our custom RSA object to ssl_ctx */ |
| 1159 | 1161 |
if (!SSL_CTX_use_RSAPrivateKey(ctx->ctx, rsa)) |
| ... | ... |
@@ -1161,15 +1148,10 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, |
| 1161 | 1161 |
goto err; |
| 1162 | 1162 |
} |
| 1163 | 1163 |
|
| 1164 |
- X509_free(cert); |
|
| 1165 | 1164 |
RSA_free(rsa); /* doesn't necessarily free, just decrements refcount */ |
| 1166 | 1165 |
return 1; |
| 1167 | 1166 |
|
| 1168 | 1167 |
err: |
| 1169 |
- if (cert) |
|
| 1170 |
- {
|
|
| 1171 |
- X509_free(cert); |
|
| 1172 |
- } |
|
| 1173 | 1168 |
if (rsa) |
| 1174 | 1169 |
{
|
| 1175 | 1170 |
RSA_free(rsa); |
| ... | ... |
@@ -1181,6 +1163,41 @@ err: |
| 1181 | 1181 |
RSA_meth_free(rsa_meth); |
| 1182 | 1182 |
} |
| 1183 | 1183 |
} |
| 1184 |
+ return 0; |
|
| 1185 |
+} |
|
| 1186 |
+ |
|
| 1187 |
+int |
|
| 1188 |
+tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, |
|
| 1189 |
+ const char *cert_file, const char *cert_file_inline) |
|
| 1190 |
+{
|
|
| 1191 |
+ X509 *cert = NULL; |
|
| 1192 |
+ |
|
| 1193 |
+ ASSERT(NULL != ctx); |
|
| 1194 |
+ |
|
| 1195 |
+ tls_ctx_load_cert_file_and_copy(ctx, cert_file, cert_file_inline, &cert); |
|
| 1196 |
+ |
|
| 1197 |
+ ASSERT(NULL != cert); |
|
| 1198 |
+ |
|
| 1199 |
+ /* get the public key */ |
|
| 1200 |
+ EVP_PKEY *pkey = X509_get0_pubkey(cert); |
|
| 1201 |
+ ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */ |
|
| 1202 |
+ X509_free(cert); |
|
| 1203 |
+ |
|
| 1204 |
+ if (EVP_PKEY_get0_RSA(pkey)) |
|
| 1205 |
+ {
|
|
| 1206 |
+ if (!tls_ctx_use_external_rsa_key(ctx, pkey)) |
|
| 1207 |
+ {
|
|
| 1208 |
+ goto err; |
|
| 1209 |
+ } |
|
| 1210 |
+ } |
|
| 1211 |
+ else |
|
| 1212 |
+ {
|
|
| 1213 |
+ crypto_msg(M_WARN, "management-external-key requires a RSA certificate"); |
|
| 1214 |
+ goto err; |
|
| 1215 |
+ } |
|
| 1216 |
+ return 1; |
|
| 1217 |
+ |
|
| 1218 |
+err: |
|
| 1184 | 1219 |
crypto_msg(M_FATAL, "Cannot enable SSL external private key capability"); |
| 1185 | 1220 |
return 0; |
| 1186 | 1221 |
} |