From patchwork Tue Jan 23 18:06:19 2018
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 209
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 24 Jan 2018 00:06:19 -0500
Message-Id: <1516770381-29466-2-git-send-email-selva.nair@gmail.com>
In-Reply-To: <1516770381-29466-1-git-send-email-selva.nair@gmail.com>
References: <1516770381-29466-1-git-send-email-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 1/3] Move code to free cd to a function CAPI_DATA_free()

From: Selva Nair

- Avoids code-repetition especially so when support for more key types are added.

Signed-off-by: Selva Nair
Acked-by: Steffan Karger
---
 src/openvpn/cryptoapi.c | 63 ++++++++++++++++++++++++++++---------------------
 1 file changed, 28 insertions(+), 35 deletions(-)

diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index f155123..00e78b6 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -108,6 +108,32 @@ typedef struct _CAPI_DATA { BOOL free_crypt_prov; } CAPI_DATA; +static void +CAPI_DATA_free(CAPI_DATA *cd) +{ + if (!cd) + { + return; + } + if (cd->free_crypt_prov && cd->crypt_prov) + { + if (cd->key_spec == CERT_NCRYPT_KEY_SPEC) + { + NCryptFreeObject(cd->crypt_prov); + } + else + { + CryptReleaseContext(cd->crypt_prov, 0); + } + } + if (cd->cert_context) + { + CertFreeCertificateContext(cd->cert_context); + } + free(cd); +} + + static char * ms_error_text(DWORD ms_err) { @@ -363,22 +389,7 @@ finish(RSA *rsa) { return 0; } - if (cd->crypt_prov && cd->free_crypt_prov) - { - if (cd->key_spec == CERT_NCRYPT_KEY_SPEC) - { - NCryptFreeObject(cd->crypt_prov); - } - else - { - CryptReleaseContext(cd->crypt_prov, 0); - } - } - if (cd->cert_context) - { - CertFreeCertificateContext(cd->cert_context); - } - free(cd); + CAPI_DATA_free(cd); RSA_meth_free((RSA_METHOD*) rsa_meth); return 1; } 
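Review bot: CAPI_DATA_free() in the first hunk carries no comment describing the contract that both call sites now rely on: it accepts NULL, it releases crypt_prov only when free_crypt_prov is set (NCryptFreeObject() for CERT_NCRYPT_KEY_SPEC, CryptReleaseContext() otherwise), it frees cert_context when present, and it frees the struct itself. A short comment above `static void CAPI_DATA_free(CAPI_DATA *cd)` stating this would save the next reader from re-deriving it from the body, and is also the place to say that the return values of NCryptFreeObject() and CryptReleaseContext() are deliberately ignored.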
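Review bot: in the last hunk of this patch (the err: label of SSL_CTX_use_CryptoAPI_certificate), the unchanged context line `free(my_rsa_method);` releases an RSA_METHOD that was obtained from RSA_meth_new(), so it should be `RSA_meth_free(my_rsa_method);`; RSA_meth_new() duplicates the name string and only RSA_meth_free() releases it, so the plain free() leaks on this error path. That is pre-existing and outside the stated scope of this refactor, but the hunk already touches that block, so it is a cheap fix to fold in (the next patch in the series does switch to RSA_meth_free() when it moves the code).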
@@ -614,25 +625,7 @@ err: { free(my_rsa_method); } - if (cd) - { - if (cd->free_crypt_prov && cd->crypt_prov) - { - if (cd->key_spec == CERT_NCRYPT_KEY_SPEC) - { - NCryptFreeObject(cd->crypt_prov); - } - else - { - CryptReleaseContext(cd->crypt_prov, 0); - } - } - if (cd->cert_context) - { - CertFreeCertificateContext(cd->cert_context); - } - free(cd); - } + CAPI_DATA_free(cd); } return 0; } From patchwork Tue Jan 23 18:06:20 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Selva Nair X-Patchwork-Id: 207 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director2.mail.ord1d.rsapps.net ([172.30.191.6]) by backend31.mail.ord1d.rsapps.net (Dovecot) with LMTP id 5LGuJpkUaFo4dgAAgoeIoA for ; Wed, 24 Jan 2018 00:07:37 -0500 Received: from proxy6.mail.ord1d.rsapps.net ([172.30.191.6]) by director2.mail.ord1d.rsapps.net (Dovecot) with LMTP id 4wC4CpkUaFpncgAAgYhSiA ; Wed, 24 Jan 2018 00:07:37 -0500 Received: from smtp2.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy6.mail.ord1d.rsapps.net (Dovecot) with LMTP id 6kzYFZkUaFryRAAAQyIf0w ; Wed, 24 Jan 2018 00:07:37 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.34.181.88] Authentication-Results: smtp2.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.34.181.88"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=gmail.com; dmarc=fail (p=none; dis=none) header.from=gmail.com X-Classification-ID: 7e85e328-00c4-11e8-813a-5254004a0287-1-1 Received: from [216.34.181.88] ([216.34.181.88:15156] helo=lists.sourceforge.net) by 
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 24 Jan 2018 00:06:20 -0500
Message-Id: <1516770381-29466-3-git-send-email-selva.nair@gmail.com>
In-Reply-To: <1516770381-29466-1-git-send-email-selva.nair@gmail.com>
References: <1516770381-29466-1-git-send-email-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 2/3] Move setting private key to a function in prep for EC support
From: Selva Nair - Also add reference counting to CAPI_DATA (application data): When the application data is assigned to the private key we free it in the key's finish method. Proper error handling requires to keep track of whether data is assigned to the key or not before an error occurs. For this purpose, add a reference count to CAPI_DATA struct and increment it when it is assigned to the key or its method. CAPI_DATA_free now frees the data only if ref_count <= 0 Signed-off-by: Selva Nair --- src/openvpn/cryptoapi.c | 140 ++++++++++++++++++++++++++++-------------------- 1 file changed, 81 insertions(+), 59 deletions(-) diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index 00e78b6..d6a9dd4 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -106,12 +106,13 @@ typedef struct _CAPI_DATA { HCRYPTPROV_OR_NCRYPT_KEY_HANDLE crypt_prov; DWORD key_spec; BOOL free_crypt_prov; + int ref_count; } CAPI_DATA; static void CAPI_DATA_free(CAPI_DATA *cd) { - if (!cd) + if (!cd || cd->ref_count-- > 0) { return; } 
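Review bot: the new early return `if (!cd || cd->ref_count-- > 0)` in CAPI_DATA_free() decrements ref_count on every call, including the calls that return early, and frees the struct on the call that finds ref_count already at zero. That does implement "frees only if ref_count <= 0" from the commit message, but the post-decrement buried inside the condition hides it; `if (cd->ref_count > 0) { cd->ref_count--; return; }` (after the NULL check) reads the same way the message describes it. Please also document next to the new `int ref_count;` member that a calloc()ed CAPI_DATA starts at zero and that the count is the number of owners other than the function that created it (the key or its method), because ssl_ctx_set_rsakey() and its caller in the later hunks depend on exactly that convention (increment when cd is attached to the key, decrement once in the caller before returning success).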
@@ -467,14 +468,81 @@ find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) return rv; } +static int +ssl_ctx_set_rsakey(SSL_CTX *ssl_ctx, CAPI_DATA *cd, EVP_PKEY *pkey) +{ + RSA *rsa = NULL, *pub_rsa; + RSA_METHOD *my_rsa_method = NULL; + bool rsa_method_set = false; + + my_rsa_method = RSA_meth_new("Microsoft Cryptography API RSA Method", + RSA_METHOD_FLAG_NO_CHECK); + check_malloc_return(my_rsa_method); + RSA_meth_set_pub_enc(my_rsa_method, rsa_pub_enc); + RSA_meth_set_pub_dec(my_rsa_method, rsa_pub_dec); + RSA_meth_set_priv_enc(my_rsa_method, rsa_priv_enc); + RSA_meth_set_priv_dec(my_rsa_method, rsa_priv_dec); + RSA_meth_set_init(my_rsa_method, NULL); + RSA_meth_set_finish(my_rsa_method, finish); + RSA_meth_set0_app_data(my_rsa_method, cd); + + rsa = RSA_new(); + if (rsa == NULL) + { + SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_MALLOC_FAILURE); + goto err; + } + + pub_rsa = EVP_PKEY_get0_RSA(pkey); + + /* Our private key is external, so we fill in only n and e from the public key */ + const BIGNUM *n = NULL; + const BIGNUM *e = NULL; + RSA_get0_key(pub_rsa, &n, &e, NULL); + BIGNUM *rsa_n = BN_dup(n); + BIGNUM *rsa_e = BN_dup(e); + if (!rsa_n || !rsa_e || !RSA_set0_key(rsa, rsa_n, rsa_e, NULL)) + { + BN_free(rsa_n); /* ok to free even if NULL */ + BN_free(rsa_e); + msg(M_NONFATAL, "ERROR: %s: out of memory", __func__); + goto err; + } + RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY); + if (!RSA_set_method(rsa, my_rsa_method)) + { + goto err; + } + rsa_method_set = true; /* flag that method pointer will get freed with the key */ + cd->ref_count++; /* with method, cd gets assigned to the key as well */ + + if (!SSL_CTX_use_RSAPrivateKey(ssl_ctx, rsa)) + { + goto err; + } + /* SSL_CTX_use_RSAPrivateKey() increased the reference count in 'rsa', so + * we decrease it here with RSA_free(), or it will never be cleaned up. 
*/ + RSA_free(rsa); + return 1; + +err: + if (rsa) + { + RSA_free(rsa); + } + if (my_rsa_method && !rsa_method_set) + { + RSA_meth_free(my_rsa_method); + } + return 0; +} + int SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) { HCERTSTORE cs; X509 *cert = NULL; - RSA *rsa = NULL, *pub_rsa; CAPI_DATA *cd = calloc(1, sizeof(*cd)); - RSA_METHOD *my_rsa_method = NULL; if (cd == NULL) { @@ -549,30 +617,13 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) } } - my_rsa_method = RSA_meth_new("Microsoft Cryptography API RSA Method", - RSA_METHOD_FLAG_NO_CHECK); - check_malloc_return(my_rsa_method); - RSA_meth_set_pub_enc(my_rsa_method, rsa_pub_enc); - RSA_meth_set_pub_dec(my_rsa_method, rsa_pub_dec); - RSA_meth_set_priv_enc(my_rsa_method, rsa_priv_enc); - RSA_meth_set_priv_dec(my_rsa_method, rsa_priv_dec); - RSA_meth_set_init(my_rsa_method, NULL); - RSA_meth_set_finish(my_rsa_method, finish); - RSA_meth_set0_app_data(my_rsa_method, cd); - - rsa = RSA_new(); - if (rsa == NULL) - { - SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_MALLOC_FAILURE); - goto err; - } - /* Public key in cert is NULL until we call SSL_CTX_use_certificate(), * so we do it here then... */ if (!SSL_CTX_use_certificate(ssl_ctx, cert)) { goto err; } + /* the public key */ EVP_PKEY *pkey = X509_get0_pubkey(cert); 
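Review bot: ssl_ctx_set_rsakey() dereferences `pub_rsa = EVP_PKEY_get0_RSA(pkey)` in RSA_get0_key() without a NULL check. The check that used to guard this, `if (!(pub_rsa = EVP_PKEY_get0_RSA(pkey)))`, is removed in the next hunk and replaced by an EVP_PKEY_id() test in the caller, so the helper is now only safe if every future caller performs that test first; either keep `if (!pub_rsa) goto err;` here or state the precondition in a comment above the function. Two smaller points in the same hunk: `check_malloc_return(my_rsa_method)` is the one allocation failure here that does not `goto err` like RSA_new(), BN_dup() and RSA_set0_key() do, and `SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_MALLOC_FAILURE)` after RSA_new() reports a function code that is not this function (carried over from the old code). The ownership handling itself is consistent: `rsa_method_set` and `cd->ref_count++` are set only after RSA_set_method() succeeds, so on the err path RSA_free(rsa) runs finish(), which drops both the method and the reference on cd, and `my_rsa_method && !rsa_method_set` prevents a double RSA_meth_free().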
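Review bot: in the final hunk of this patch (the err: label of SSL_CTX_use_CryptoAPI_certificate), the removed `if (cert) { X509_free(cert); }` has no replacement, yet cert is still non-NULL on the `goto err` taken when `SSL_CTX_use_certificate(ssl_ctx, cert)` fails (that call sits before the `X509_free(cert); cert = NULL;` visible at the top of the final hunk), so that path now leaks the X509. Keep `if (cert) { X509_free(cert); }` in the err block; it is a no-op once cert has been set to NULL. The remaining cleanup, `CAPI_DATA_free(cd);`, is correct under the new counting: if ssl_ctx_set_rsakey() failed after its `cd->ref_count++`, its own RSA_free(rsa) runs finish() and drops that reference, so the call here sees ref_count at zero and frees the struct; if it failed earlier, ref_count was never raised and the struct is freed just the same.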
@@ -581,52 +632,23 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) X509_free(cert); cert = NULL; - if (!(pub_rsa = EVP_PKEY_get0_RSA(pkey))) - { - msg(M_WARN, "cryptoapicert requires an RSA certificate"); - goto err; - } - - /* Our private key is external, so we fill in only n and e from the public key */ - const BIGNUM *n = NULL; - const BIGNUM *e = NULL; - RSA_get0_key(pub_rsa, &n, &e, NULL); - if (!RSA_set0_key(rsa, BN_dup(n), BN_dup(e), NULL)) + if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) { - goto err; - } - RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY); - if (!RSA_set_method(rsa, my_rsa_method)) - { - goto err; + if (!ssl_ctx_set_rsakey(ssl_ctx, cd, pkey)) + { + goto err; + } } - - if (!SSL_CTX_use_RSAPrivateKey(ssl_ctx, rsa)) + else { + msg(M_WARN, "cryptoapicert requires an RSA certificate"); goto err; } - /* SSL_CTX_use_RSAPrivateKey() increased the reference count in 'rsa', so - * we decrease it here with RSA_free(), or it will never be cleaned up. 
*/ - RSA_free(rsa); + cd->ref_count--; /* so that cd will get freed with the private key */ return 1; err: - if (cert) - { - X509_free(cert); - } - if (rsa) - { - RSA_free(rsa); - } - else - { - if (my_rsa_method) - { - free(my_rsa_method); - } - CAPI_DATA_free(cd); - } + CAPI_DATA_free(cd); return 0; } From patchwork Tue Jan 23 18:06:21 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Selva Nair X-Patchwork-Id: 208 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director1.mail.ord1d.rsapps.net ([172.30.191.6]) by backend31.mail.ord1d.rsapps.net (Dovecot) with LMTP id M8AsAZoUaFqmcwAAgoeIoA for ; Wed, 24 Jan 2018 00:07:38 -0500 Received: from proxy13.mail.ord1d.rsapps.net ([172.30.191.6]) by director1.mail.ord1d.rsapps.net (Dovecot) with LMTP id o7O1AJoUaFrXLgAANGzteQ ; Wed, 24 Jan 2018 00:07:38 -0500 Received: from smtp31.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy13.mail.ord1d.rsapps.net (Dovecot) with LMTP id sDflAJoUaFroVwAAgjf6aA ; Wed, 24 Jan 2018 00:07:38 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.34.181.88] Authentication-Results: smtp31.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.34.181.88"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=gmail.com; dmarc=fail (p=none; dis=none) header.from=gmail.com X-Classification-ID: 7ee2230e-00c4-11e8-9209-525400b3ac8c-1-1 Received: from [216.34.181.88] ([216.34.181.88:15160] helo=lists.sourceforge.net) by smtp31.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.1.56364 r(Core:4.2.1.14)) with 
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 24 Jan 2018 00:06:21 -0500
Message-Id: <1516770381-29466-4-git-send-email-selva.nair@gmail.com>
In-Reply-To: <1516770381-29466-1-git-send-email-selva.nair@gmail.com>
References: <1516770381-29466-1-git-send-email-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 3/3] Support EC certificates with cryptoapicert

From: Selva Nair

Requires openssl 1.1.0 or higher

Signed-off-by: Selva Nair
---
 src/openvpn/cryptoapi.c | 198 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 197 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c
index d6a9dd4..36faa63 100644
--- a/src/openvpn/cryptoapi.c
+++ b/src/openvpn/cryptoapi.c
@@ -101,6 +101,9 @@ static ERR_STRING_DATA CRYPTOAPI_str_functs[] = { { 0, NULL } }; +/* index for storing external data in EC_KEY: < 0 means uninitialized */ +static int ec_data_idx = -1; + typedef struct _CAPI_DATA { const CERT_CONTEXT *cert_context; HCRYPTPROV_OR_NCRYPT_KEY_HANDLE crypt_prov; 
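Review bot: `static int ec_data_idx = -1;` is declared outside the `#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(OPENSSL_NO_EC)` block that is its only user, so builds that compile the EC code out are left with an unused static and a likely unused-variable warning; move it next to `static EC_KEY_METHOD *ec_method = NULL;` inside that block. Lazily allocating the index once and never releasing it is the right pattern for EC_KEY_get_ex_new_index() (indices cannot be returned), but the comment should say that the index is intentionally kept for the life of the process and shared by every EC key created here, rather than only "< 0 means uninitialized".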
@@ -395,6 +398,190 @@ finish(RSA *rsa) return 1; } +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(OPENSSL_NO_EC) + +static EC_KEY_METHOD *ec_method = NULL; + +/** EC_KEY_METHOD callback: called when the key is freed */ +static void +ec_finish(EC_KEY *ec) +{ + EC_KEY_METHOD_free(ec_method); + ec_method = NULL; + CAPI_DATA *cd = EC_KEY_get_ex_data(ec, ec_data_idx); + CAPI_DATA_free(cd); + EC_KEY_set_ex_data(ec, ec_data_idx, NULL); +} + +/** EC_KEY_METHOD callback sign_setup(): we do nothing here */ +static int +ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) +{ + return 1; +} + +/** + * Helper to convert ECDSA signature returned by NCryptSignHash + * to an ECDSA_SIG structure. + * On entry 'buf[]' of length len contains r and s contcatenated. + * Returns a newly allocated ECDSA_SIG or NULL (on error). + */ +static ECDSA_SIG * +ecdsa_bin2sig(unsigned char *buf, int len) +{ + ECDSA_SIG *ecsig = NULL; + DWORD rlen = len/2; + BIGNUM *r = BN_bin2bn(buf, rlen, NULL); + BIGNUM *s = BN_bin2bn(buf+rlen, rlen, NULL); + if (!r || !s) + { + goto err; + } + ecsig = ECDSA_SIG_new(); /* in openssl 1.1 this does not allocate r, s */ + if (!ecsig) + { + goto err; + } + ECDSA_SIG_set0(ecsig, r, s); /* ecsig takes ownership of r and s */ + return ecsig; +err: + BN_free(r); /* it is ok to free NULL BN */ + BN_free(s); + return NULL; +} + +/** EC_KEY_METHOD callback sign_sig(): sign and return an ECDSA_SIG pointer. 
*/ +static ECDSA_SIG* +ecdsa_sign_sig(const unsigned char *dgst, int dgstlen, + const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *ec) +{ + ECDSA_SIG *ecsig = NULL; + CAPI_DATA *cd = (CAPI_DATA *) EC_KEY_get_ex_data(ec, ec_data_idx); + + ASSERT(cd->key_spec == CERT_NCRYPT_KEY_SPEC); + + NCRYPT_KEY_HANDLE hkey = cd->crypt_prov; + BYTE buf[512]; /* large enough buffer for signature to avoid malloc */ + DWORD len = _countof(buf); + + msg(D_LOW, "Signing hash using EC key: data size = %d", dgstlen); + + DWORD status = NCryptSignHash(hkey, NULL, (BYTE*) dgst, dgstlen, (BYTE*) buf, len, &len, 0); + if (status != ERROR_SUCCESS) + { + SetLastError(status); + CRYPTOAPIerr(CRYPTOAPI_F_NCRYPT_SIGN_HASH); + } + else + { + /* NCryptSignHash returns r, s concatenated in buf[] */ + ecsig = ecdsa_bin2sig(buf, len); + } + return ecsig; +} + +/** EC_KEY_METHOD callback sign(): sign and return a DER encoded signature */ +static int +ecdsa_sign(int type, const unsigned char *dgst, int dgstlen, unsigned char *sig, + unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *ec) +{ + ECDSA_SIG *s; + + s = ecdsa_sign_sig(dgst, dgstlen, NULL, NULL, ec); + if (s == NULL) + { + *siglen = 0; + return 0; + } + + /* convert internal signature structure 's' to DER encoded byte array in sig */ + *siglen = i2d_ECDSA_SIG((ECDSA_SIG *)s, &sig); + ECDSA_SIG_free(s); + + return 1; +} + +static int +ssl_ctx_set_eckey(SSL_CTX *ssl_ctx, CAPI_DATA *cd, EVP_PKEY *pkey) +{ + EC_KEY *ec = NULL; + EVP_PKEY *privkey = NULL; + + if (cd->key_spec != CERT_NCRYPT_KEY_SPEC) + { + msg(M_NONFATAL, "ERROR: cryptoapicert with only legacy private key handle available." 
+ " EC certificate not supported."); + goto err; + } + /* create a method struct with default callbacks filled in */ + ec_method = EC_KEY_METHOD_new(EC_KEY_OpenSSL()); + if (!ec_method) + { + goto err; + } + + /* We only need to set finish among init methods, and sign methods */ + EC_KEY_METHOD_set_init(ec_method, NULL, ec_finish, NULL, NULL, NULL, NULL); + EC_KEY_METHOD_set_sign(ec_method, ecdsa_sign, ecdsa_sign_setup, ecdsa_sign_sig); + + ec = EC_KEY_dup(EVP_PKEY_get0_EC_KEY(pkey)); + if (!ec) + { + goto err; + } + if (!EC_KEY_set_method(ec, ec_method)) + { + goto err; + } + + /* get an index to store cd as external data */ + if (ec_data_idx < 0) + { + ec_data_idx = EC_KEY_get_ex_new_index(0, "cryptapicert ec key", NULL, NULL, NULL); + if (ec_data_idx < 0) + { + goto err; + } + } + EC_KEY_set_ex_data(ec, ec_data_idx, cd); + + /* cd assigned to ec as ex_data, increase its refcount */ + cd->ref_count++; + + privkey = EVP_PKEY_new(); + if (!EVP_PKEY_assign_EC_KEY(privkey, ec)) + { + EC_KEY_free(ec); + goto err; + } + /* from here on ec will get freed with privkey */ + + if (!SSL_CTX_use_PrivateKey(ssl_ctx, privkey)) + { + goto err; + } + EVP_PKEY_free(privkey); /* this will dn_ref or free ec as well */ + return 1; + +err: + if (privkey) + { + EVP_PKEY_free(privkey); + } + else if (ec) + { + EC_KEY_free(ec); + } + if (ec_method) /* do always set ec_method = NULL after freeing it */ + { + EC_KEY_METHOD_free(ec_method); + ec_method = NULL; + } + return 0; +} + +#endif /* OPENSSL_VERSION_NUMBER >= 1.1.0 */ + static const CERT_CONTEXT * find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) { 
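Review bot: ssl_ctx_set_eckey() can free `ec` twice. `privkey = EVP_PKEY_new();` is not checked, and EVP_PKEY_assign_EC_KEY() on a NULL pkey fails, so the failure branch runs `EC_KEY_free(ec); goto err;` and the err path then takes `else if (ec) { EC_KEY_free(ec); }` with the already freed pointer (privkey is NULL, ec is not). Check EVP_PKEY_new() for NULL and set `ec = NULL` right after the explicit EC_KEY_free(ec), or drop that explicit free and let the err path handle it, but note that in the case where privkey is non-NULL and assign still fails the err path frees only privkey, so the `ec = NULL` form is the one that covers both. Second, `ec_method` is a file-scope singleton: ssl_ctx_set_eckey() overwrites it with a fresh EC_KEY_METHOD_new() without checking that it is NULL, and ec_finish() frees it and sets it NULL whenever any EC_KEY using it is freed, so if this function runs a second time while an earlier key is still alive, the first method is leaked and the first key's ec_finish() frees the method the second key is still using. Keeping the method pointer in CAPI_DATA (freed from ec_finish() via the cd it already fetches) or allocating one global method once and never freeing it avoids that. Third, in ecdsa_sign() `*siglen = i2d_ECDSA_SIG((ECDSA_SIG *)s, &sig);` stores a possibly negative return into an unsigned int; check for `< 0`, set `*siglen = 0` and return 0 as the s == NULL branch does. Finally, the return of `EC_KEY_set_ex_data(ec, ec_data_idx, cd)` is ignored but `cd->ref_count++` follows unconditionally, so a failed set would leave ec_finish() with a NULL cd and the CAPI_DATA never freed; check it and `goto err` before taking the reference.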
@@ -639,9 +826,18 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) goto err; } } +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(OPENSSL_NO_EC) + else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) + { + if (!ssl_ctx_set_eckey(ssl_ctx, cd, pkey)) + { + goto err; + } + } +#endif /* OPENSSL_VERSION_NUMBER >= 1.1.0 */ else { - msg(M_WARN, "cryptoapicert requires an RSA certificate"); + msg(M_WARN, "WARNING: cryptoapicert: certificate type not supported"); goto err; } cd->ref_count--; /* so that cd will get freed with the private key */
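Review bot: the new fallback `msg(M_WARN, "WARNING: cryptoapicert: certificate type not supported");` is what a user with an EC certificate sees when OpenVPN is built against OpenSSL older than 1.1.0 or with OPENSSL_NO_EC, and it gives no hint that the certificate type itself is fine and the build is the limitation; an `#else` branch under the `#if` that reports that EC certificates require OpenSSL 1.1.0 or later would match the "Requires openssl 1.1.0 or higher" note in the commit message. The `#endif /* OPENSSL_VERSION_NUMBER >= 1.1.0 */` comment, here and on the matching `#endif` in the previous hunk, should also mention `!defined(OPENSSL_NO_EC)` since that is half of the condition.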