- Move setting of key method callbacks into a function
No change in functionality.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1515959073-10376-2-git-send-email-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16227.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -1097,20 +1097,17 @@ done: |
1097 | 1097 |
return ret; |
1098 | 1098 |
} |
1099 | 1099 |
|
1100 |
-int |
|
1101 |
-tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, |
|
1102 |
- const char *cert_file, const char *cert_file_inline) |
|
1100 |
+static int |
|
1101 |
+tls_ctx_use_external_rsa_key(struct tls_root_ctx *ctx, EVP_PKEY *pkey) |
|
1103 | 1102 |
{ |
1104 | 1103 |
RSA *rsa = NULL; |
1105 | 1104 |
RSA *pub_rsa; |
1106 | 1105 |
RSA_METHOD *rsa_meth; |
1107 |
- X509 *cert = NULL; |
|
1108 | 1106 |
|
1109 | 1107 |
ASSERT(NULL != ctx); |
1110 | 1108 |
|
1111 |
- tls_ctx_load_cert_file_and_copy(ctx, cert_file, cert_file_inline, &cert); |
|
1112 |
- |
|
1113 |
- ASSERT(NULL != cert); |
|
1109 |
+ pub_rsa = EVP_PKEY_get0_RSA(pkey); |
|
1110 |
+ ASSERT(NULL != pub_rsa); |
|
1114 | 1111 |
|
1115 | 1112 |
/* allocate custom RSA method object */ |
1116 | 1113 |
rsa_meth = RSA_meth_new("OpenVPN external private key RSA Method", |
... | ... |
@@ -1132,18 +1129,6 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, |
1132 | 1132 |
goto err; |
1133 | 1133 |
} |
1134 | 1134 |
|
1135 |
- /* get the public key */ |
|
1136 |
- EVP_PKEY *pkey = X509_get0_pubkey(cert); |
|
1137 |
- ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */ |
|
1138 |
- pub_rsa = EVP_PKEY_get0_RSA(pkey); |
|
1139 |
- |
|
1140 |
- /* Certificate might not be RSA but DSA or EC */ |
|
1141 |
- if (!pub_rsa) |
|
1142 |
- { |
|
1143 |
- crypto_msg(M_WARN, "management-external-key requires a RSA certificate"); |
|
1144 |
- goto err; |
|
1145 |
- } |
|
1146 |
- |
|
1147 | 1135 |
/* initialize RSA object */ |
1148 | 1136 |
const BIGNUM *n = NULL; |
1149 | 1137 |
const BIGNUM *e = NULL; |
... | ... |
@@ -1152,8 +1137,10 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, |
1152 | 1152 |
RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY); |
1153 | 1153 |
if (!RSA_set_method(rsa, rsa_meth)) |
1154 | 1154 |
{ |
1155 |
+ RSA_meth_free(rsa_meth); |
|
1155 | 1156 |
goto err; |
1156 | 1157 |
} |
1158 |
+ /* from this point rsa_meth will get freed with rsa */ |
|
1157 | 1159 |
|
1158 | 1160 |
/* bind our custom RSA object to ssl_ctx */ |
1159 | 1161 |
if (!SSL_CTX_use_RSAPrivateKey(ctx->ctx, rsa)) |
... | ... |
@@ -1161,15 +1148,10 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, |
1161 | 1161 |
goto err; |
1162 | 1162 |
} |
1163 | 1163 |
|
1164 |
- X509_free(cert); |
|
1165 | 1164 |
RSA_free(rsa); /* doesn't necessarily free, just decrements refcount */ |
1166 | 1165 |
return 1; |
1167 | 1166 |
|
1168 | 1167 |
err: |
1169 |
- if (cert) |
|
1170 |
- { |
|
1171 |
- X509_free(cert); |
|
1172 |
- } |
|
1173 | 1168 |
if (rsa) |
1174 | 1169 |
{ |
1175 | 1170 |
RSA_free(rsa); |
... | ... |
@@ -1181,6 +1163,41 @@ err: |
1181 | 1181 |
RSA_meth_free(rsa_meth); |
1182 | 1182 |
} |
1183 | 1183 |
} |
1184 |
+ return 0; |
|
1185 |
+} |
|
1186 |
+ |
|
1187 |
+int |
|
1188 |
+tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, |
|
1189 |
+ const char *cert_file, const char *cert_file_inline) |
|
1190 |
+{ |
|
1191 |
+ X509 *cert = NULL; |
|
1192 |
+ |
|
1193 |
+ ASSERT(NULL != ctx); |
|
1194 |
+ |
|
1195 |
+ tls_ctx_load_cert_file_and_copy(ctx, cert_file, cert_file_inline, &cert); |
|
1196 |
+ |
|
1197 |
+ ASSERT(NULL != cert); |
|
1198 |
+ |
|
1199 |
+ /* get the public key */ |
|
1200 |
+ EVP_PKEY *pkey = X509_get0_pubkey(cert); |
|
1201 |
+ ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */ |
|
1202 |
+ X509_free(cert); |
|
1203 |
+ |
|
1204 |
+ if (EVP_PKEY_get0_RSA(pkey)) |
|
1205 |
+ { |
|
1206 |
+ if (!tls_ctx_use_external_rsa_key(ctx, pkey)) |
|
1207 |
+ { |
|
1208 |
+ goto err; |
|
1209 |
+ } |
|
1210 |
+ } |
|
1211 |
+ else |
|
1212 |
+ { |
|
1213 |
+ crypto_msg(M_WARN, "management-external-key requires a RSA certificate"); |
|
1214 |
+ goto err; |
|
1215 |
+ } |
|
1216 |
+ return 1; |
|
1217 |
+ |
|
1218 |
+err: |
|
1184 | 1219 |
crypto_msg(M_FATAL, "Cannot enable SSL external private key capability"); |
1185 | 1220 |
return 0; |
1186 | 1221 |
} |
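Review bot: In the new tls_ctx_use_external_private_key, `X509_free(cert);` runs before `pkey` is used by `EVP_PKEY_get0_RSA(pkey)` and `tls_ctx_use_external_rsa_key(ctx, pkey)`, yet `pkey` is a get0 pointer owned by `cert`, so it is only valid while some other reference to the certificate survives. That is presumably the copy that tls_ctx_load_cert_file_and_copy installs into ctx->ctx (the retained `NULL before SSL_CTX_use_certificate() is called` comment suggests as much), but the lifetime now depends on that side effect rather than on the local reference the old code held until after the public key was consumed. Either move `X509_free(cert);` to just before `return 1;` (and release it on the err path as the removed `if (cert) { X509_free(cert); }` did), or keep the early free and state why it is safe: `/* pkey stays valid after X509_free(): ctx->ctx holds its own reference to cert */`. The helper tls_ctx_use_external_rsa_key that this caller depends on is spread across the earlier hunks and is cut between them, so its full error handling cannot be checked here.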