From patchwork Thu Sep 13 23:14:17 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steffan Karger X-Patchwork-Id: 462 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net (Dovecot) with LMTP id q7YKN1V8m1s7eAAAIUCqbw for ; Fri, 14 Sep 2018 05:16:05 -0400 Received: from proxy19.mail.ord1d.rsapps.net ([172.30.191.6]) by director11.mail.ord1d.rsapps.net with LMTP id gKUHN1V8m1v4HQAAvGGmqA ; Fri, 14 Sep 2018 05:16:05 -0400 Received: from smtp2.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy19.mail.ord1d.rsapps.net with LMTP id wOAyNlV8m1sdCAAAyH2SIw ; Fri, 14 Sep 2018 05:16:05 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp2.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=fox-it.com X-Suspicious-Flag: YES X-Classification-ID: ce9d7a1e-b7fe-11e8-94e1-5254004a0287-1-1 Received: from [216.105.38.7] ([216.105.38.7:7010] helo=lists.sourceforge.net) by smtp2.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id D9/46-14295-55C7B9B5; Fri, 14 Sep 2018 05:16:05 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1g0kBh-0001Od-A6; Fri, 14 Sep 2018 09:14:53 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1g0kBg-0001OR-0l for openvpn-devel@lists.sourceforge.net; Fri, 14 Sep 2018 09:14:52 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Type:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:CC:To:From:Sender:Reply-To:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=zA4XPpG+wZmvyr4s7AphEvgkndgE1R5gq1NQoDNzjMI=; b=T/wWGLa3+4ArcQghIjnCf5X3tO 7fpv6QhhE2IKh5wppHf1jdZwM8/XBUTukgNZ8P9oeW5DB4w0zjKzk0NqnhxjjZrtIUo46PVF+QxNj 2Z8AlOuacxzYzWJlNtNPVGYmMyDtC9mJejujgapVlpzh9JBhJAAteVF8W7nqX4iyd7/I=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Type:MIME-Version:References:In-Reply-To:Message-ID:Date:Subject: CC:To:From:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=zA4XPpG+wZmvyr4s7AphEvgkndgE1R5gq1NQoDNzjMI=; b=hnsloNBbie67EOHzv+ZKW7ur1Q paxBexX9qZnBBisgdDS9oeHMF8S1E5SpHe2VBRprpyBE+Uezpp6HZcgzWo4ShiRYVDF5GTGUWldi+ 42xjscxjSmmvfYWNNWOS43ybkAY7ng6WJ8mfEVAbtQ7m5eW12JljscTEog61m/wc+gds=; Received: from ns2.fox-it.com ([178.250.144.131]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLSv1:ECDHE-RSA-AES256-SHA:256) (Exim 4.90_1) id 1g0kBd-00BBl4-RX for openvpn-devel@lists.sourceforge.net; Fri, 14 Sep 2018 09:14:51 +0000 Received: from FOXDFT52.FOX.local (unknown [10.0.0.129]) by ns2.fox-it.com (Postfix) with ESMTPS id 1D4911AF871 for ; Fri, 14 Sep 2018 11:14:42 +0200 (CEST) Received: from steffan-fox.fox.local (172.16.5.172) by FOXDFT52.FOX.local (10.0.0.129) with Microsoft SMTP Server (TLS) id 15.0.1293.2; Fri, 14 Sep 2018 11:14:41 +0200 From: Steffan Karger To: Date: Fri, 14 Sep 2018 11:14:17 +0200 Message-ID: <1536916459-25900-1-git-send-email-steffan.karger@fox-it.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1505166722-5409-1-git-send-email-steffan.karger@fox-it.com> References: <1505166722-5409-1-git-send-email-steffan.karger@fox-it.com> MIME-Version: 1.0 X-ClientProxiedBy: FOXDFT52.FOX.local (10.0.0.129) To FOXDFT52.FOX.local (10.0.0.129) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1g0kBd-00BBl4-RX Subject: [Openvpn-devel] [PATCH v2 1/3] Do not load certificate from tls_ctx_use_external_private_key() X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox The cert and key loading logic surrounding management-external-key and management-external cert was somewhat intertwined. Untangle these to prepare for making the external key code more reusable. The best part is that this even reduces the number of lines of code. Signed-off-by: Steffan Karger Acked-By: Arne Schwabe --- v2: rebase onto current master src/openvpn/ssl.c | 48 ++++++++++++++++------------------- src/openvpn/ssl_backend.h | 15 +++-------- src/openvpn/ssl_mbedtls.c | 6 ++--- src/openvpn/ssl_openssl.c | 64 +++++++++++++++++++++++------------------------ 4 files changed, 59 insertions(+), 74 deletions(-) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index dcb5445..4257c33 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -657,41 +657,37 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx) } #endif #ifdef MANAGMENT_EXTERNAL_KEY - else if ((options->management_flags & MF_EXTERNAL_KEY) - && (options->cert_file || options->management_flags & MF_EXTERNAL_CERT)) + else if (options->management_flags & MF_EXTERNAL_CERT) { - if (options->cert_file) - { - tls_ctx_use_external_private_key(new_ctx, options->cert_file, - options->cert_file_inline); - } - else - { - char *external_certificate = management_query_cert(management, - options->management_certificate); - tls_ctx_use_external_private_key(new_ctx, INLINE_FILE_TAG, - external_certificate); - free(external_certificate); - } + char *cert = management_query_cert(management, + options->management_certificate); + tls_ctx_load_cert_file(new_ctx, INLINE_FILE_TAG, cert); + free(cert); } #endif - else + else if (options->cert_file) + { + tls_ctx_load_cert_file(new_ctx, options->cert_file, options->cert_file_inline); + } + + if (options->priv_key_file) { - /* Load Certificate */ - if (options->cert_file) + if (0 != tls_ctx_load_priv_file(new_ctx, options->priv_key_file, + options->priv_key_file_inline)) { - tls_ctx_load_cert_file(new_ctx, options->cert_file, options->cert_file_inline); + goto err; } - - /* Load Private Key */ - if (options->priv_key_file) + } +#ifdef MANAGMENT_EXTERNAL_KEY + else if (options->management_flags & MF_EXTERNAL_KEY) + { + if (tls_ctx_use_management_external_key(new_ctx)) { - if (0 != tls_ctx_load_priv_file(new_ctx, options->priv_key_file, options->priv_key_file_inline)) - { - goto err; - } + msg (M_WARN, "Cannot initialize mamagement-external-key"); + goto err; } } +#endif if (options->ca_file || options->ca_path) { diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h index 202fe3f..5023c02 100644 --- a/src/openvpn/ssl_backend.h +++ b/src/openvpn/ssl_backend.h @@ -270,8 +270,7 @@ void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, * successful. */ int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, - const char *priv_key_file_inline - ); + const char *priv_key_file_inline); #ifdef MANAGMENT_EXTERNAL_KEY @@ -280,18 +279,12 @@ int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, * private key matching the given certificate. * * @param ctx TLS context to use - * @param cert_file The file name to load the certificate from, or - * "[[INLINE]]" in the case of inline files. - * @param cert_file_inline A string containing the certificate * - * @return 1 if an error occurred, 0 if parsing was - * successful. + * @return 1 if an error occurred, 0 if successful. */ -int tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, - const char *cert_file, const char *cert_file_inline); - -#endif +int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx); +#endif /* MANAGMENT_EXTERNAL_KEY */ /** * Load certificate authority certificates from the given file or path. diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index ef83e65..3c6d872 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -621,15 +621,13 @@ external_key_len(void *vctx) } int -tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, - const char *cert_file, const char *cert_file_inline) +tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) { ASSERT(NULL != ctx); - tls_ctx_load_cert_file(ctx, cert_file, cert_file_inline); - if (ctx->crt_chain == NULL) { + msg (M_WARN, "ERROR: external key requires a certificate."); return 1; } diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 012668a..bf00a38 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -795,11 +795,9 @@ tls_ctx_add_extra_certs(struct tls_root_ctx *ctx, BIO *bio) } } -/* Like tls_ctx_load_cert, but returns a copy of the certificate in **X509 */ -static void -tls_ctx_load_cert_file_and_copy(struct tls_root_ctx *ctx, - const char *cert_file, const char *cert_file_inline, X509 **x509 - ) +void +tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, + const char *cert_file_inline) { BIO *in = NULL; X509 *x = NULL; @@ -807,10 +805,6 @@ tls_ctx_load_cert_file_and_copy(struct tls_root_ctx *ctx, bool inline_file = false; ASSERT(NULL != ctx); - if (NULL != x509) - { - ASSERT(NULL == *x509); - } inline_file = (strcmp(cert_file, INLINE_FILE_TAG) == 0); @@ -861,23 +855,12 @@ end: { BIO_free(in); } - if (x509) - { - *x509 = x; - } else if (x) { X509_free(x); } } -void -tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, - const char *cert_file_inline) -{ - tls_ctx_load_cert_file_and_copy(ctx, cert_file, cert_file_inline, NULL); -} - int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, const char *priv_key_file_inline @@ -1039,7 +1022,7 @@ rsa_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i static int openvpn_extkey_rsa_finish(RSA *rsa) { - /* meth was allocated in tls_ctx_use_external_private_key() ; since + /* meth was allocated in tls_ctx_use_management_external_key() ; since * this function is called when the parent RSA object is destroyed, * it is no longer used after this point so kill it. */ const RSA_METHOD *meth = RSA_get_method(rsa); @@ -1288,14 +1271,20 @@ err: #endif /* OPENSSL_VERSION_NUMBER > 1.1.0 dev */ int -tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, - const char *cert_file, const char *cert_file_inline) +tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) { - X509 *cert = NULL; + int ret = 1; ASSERT(NULL != ctx); - tls_ctx_load_cert_file_and_copy(ctx, cert_file, cert_file_inline, &cert); +#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) + /* OpenSSL 1.0.2 and up */ + X509 *cert = SSL_CTX_get0_certificate(ctx->ctx); +#else + /* OpenSSL 1.0.1 and earlier need an SSL object to get at the certificate */ + SSL *ssl = SSL_new(ctx->ctx); + X509 *cert = SSL_get_certificate(ssl); +#endif ASSERT(NULL != cert); @@ -1308,7 +1297,7 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, { if (!tls_ctx_use_external_rsa_key(ctx, pkey)) { - goto err; + goto cleanup; } } #if OPENSSL_VERSION_NUMBER > 0x10100000L && !defined(OPENSSL_NO_EC) && !defined(LIBRESSL_VERSION_NUMBER) @@ -1316,26 +1305,35 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, { if (!tls_ctx_use_external_ec_key(ctx, pkey)) { - goto err; + goto cleanup; } } else { crypto_msg(M_WARN, "management-external-key requires an RSA or EC certificate"); - goto err; + goto cleanup; } #else else { crypto_msg(M_WARN, "management-external-key requires an RSA certificate"); - goto err; + goto cleanup; } #endif /* OPENSSL_VERSION_NUMBER > 1.1.0 dev */ - return 0; -err: - crypto_msg(M_FATAL, "Cannot enable SSL external private key capability"); - return 1; + ret = 0; +cleanup: +#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER) + if (ssl) + { + SSL_free(ssl); + } +#endif + if (ret) + { + crypto_msg(M_FATAL, "Cannot enable SSL external private key capability"); + } + return ret; } #endif /* ifdef MANAGMENT_EXTERNAL_KEY */ From patchwork Thu Sep 13 23:14:18 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steffan Karger X-Patchwork-Id: 461 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director8.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net (Dovecot) with LMTP id S8tPGkl8m1tBeAAAIUCqbw for ; Fri, 14 Sep 2018 05:15:53 -0400 Received: from proxy18.mail.ord1d.rsapps.net ([172.30.191.6]) by director8.mail.ord1d.rsapps.net with LMTP id gBw6Gkl8m1u9EgAAfY0hYg ; Fri, 14 Sep 2018 05:15:53 -0400 Received: from smtp7.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy18.mail.ord1d.rsapps.net with LMTP id YDsTGkl8m1umSAAATCaURg ; Fri, 14 Sep 2018 05:15:53 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp7.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=fox-it.com X-Suspicious-Flag: YES X-Classification-ID: c6f18760-b7fe-11e8-9907-525400d28ed9-1-1 Received: from [216.105.38.7] ([216.105.38.7:30150] helo=lists.sourceforge.net) by smtp7.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 38/66-28849-84C7B9B5; Fri, 14 Sep 2018 05:15:52 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1g0kBh-0001Ol-CB; Fri, 14 Sep 2018 09:14:53 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1g0kBg-0001OX-ET for openvpn-devel@lists.sourceforge.net; Fri, 14 Sep 2018 09:14:52 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Type:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:CC:To:From:Sender:Reply-To:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=UbPn88KuEaGsVgUAf9Mhr/Gdbqts5m+T8rcrWTjpI5w=; b=blXmic1chfn2xI6AvlWEduEEyl fvb2OXtWygsoVCe8UT4OK+uwkPR8oQe6FguCsn1GXJ84nRcZ2edP790An8itDNsWugw00psLkNZ73 xJQ4xuG95+hRl0q/Ly4KxflTqfZrgGU2L/tPdQWeSYC7BmPHhRs+ievneZuDIWYRhSZs=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Type:MIME-Version:References:In-Reply-To:Message-ID:Date:Subject: CC:To:From:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=UbPn88KuEaGsVgUAf9Mhr/Gdbqts5m+T8rcrWTjpI5w=; b=GTY6gb+qnk6lH/Fr/zvLCyp8ML mlRsiDOIP6pXotxbeUQete0/s6wlFOAYM4fRCWVLTLkzJEHjV8k+D4nB4vQrGoH+UfSH6uJnIjqBs edjdmKaumgo00WKOGJfPRrFzkNdXfDkypjNK8KHhRUCMuYZO3xVmP1raOeC5nAYlauXY=; Received: from ns2.fox-it.com ([178.250.144.131]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1:ECDHE-RSA-AES256-SHA:256) (Exim 4.90_1) id 1g0kBe-001Zu1-HH for openvpn-devel@lists.sourceforge.net; Fri, 14 Sep 2018 09:14:52 +0000 Received: from FOXDFT52.FOX.local (unknown [10.0.0.129]) by ns2.fox-it.com (Postfix) with ESMTPS id 27FEF1AF876 for ; Fri, 14 Sep 2018 11:14:42 +0200 (CEST) Received: from steffan-fox.fox.local (172.16.5.172) by FOXDFT52.FOX.local (10.0.0.129) with Microsoft SMTP Server (TLS) id 15.0.1293.2; Fri, 14 Sep 2018 11:14:41 +0200 From: Steffan Karger To: Date: Fri, 14 Sep 2018 11:14:18 +0200 Message-ID: <1536916459-25900-2-git-send-email-steffan.karger@fox-it.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1536916459-25900-1-git-send-email-steffan.karger@fox-it.com> References: <1505166722-5409-1-git-send-email-steffan.karger@fox-it.com> <1536916459-25900-1-git-send-email-steffan.karger@fox-it.com> MIME-Version: 1.0 X-ClientProxiedBy: FOXDFT52.FOX.local (10.0.0.129) To FOXDFT52.FOX.local (10.0.0.129) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1g0kBe-001Zu1-HH Subject: [Openvpn-devel] [PATCH v2 2/3] mbedtls: make external signing code generic X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox This prepares for reusing this code from the mbedtls pkcs11 implementation. The change itself should not have any functional impact. Signed-off-by: Steffan Karger Acked-By: Arne Schwabe --- v2: rebase onto current master src/openvpn/ssl_mbedtls.c | 115 ++++++++++++++++++++++++---------------------- src/openvpn/ssl_mbedtls.h | 41 +++++++++++++++-- 2 files changed, 98 insertions(+), 58 deletions(-) diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 3c6d872..4c39cf3 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -173,12 +173,6 @@ tls_ctx_free(struct tls_root_ctx *ctx) free(ctx->priv_key_pkcs11); } #endif -#if defined(MANAGMENT_EXTERNAL_KEY) - if (ctx->external_key != NULL) - { - free(ctx->external_key); - } -#endif if (ctx->allowed_ciphers) { @@ -462,13 +456,6 @@ tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, return 0; } -#ifdef MANAGMENT_EXTERNAL_KEY - - -struct external_context { - size_t signature_length; -}; - /** * external_pkcs1_sign implements a mbed TLS rsa_sign_func callback, that uses * the management interface to request an RSA signature for the supplied hash. @@ -495,11 +482,9 @@ external_pkcs1_sign( void *ctx_voidptr, unsigned char *sig ) { struct external_context *const ctx = ctx_voidptr; - char *in_b64 = NULL; - char *out_b64 = NULL; int rv; - unsigned char *p = sig; - size_t asn_len = 0, oid_size = 0, sig_len = 0; + uint8_t *to_sign = NULL; + size_t asn_len = 0, oid_size = 0; const char *oid = NULL; if (NULL == ctx) @@ -535,12 +520,14 @@ external_pkcs1_sign( void *ctx_voidptr, asn_len = 10 + oid_size; } - sig_len = ctx->signature_length; - if ( (SIZE_MAX - hashlen) < asn_len || (hashlen + asn_len) > sig_len) + if ((SIZE_MAX - hashlen) < asn_len + || ctx->signature_length < (asn_len + hashlen)) { return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; } + ALLOC_ARRAY_CLEAR(to_sign, uint8_t, asn_len + hashlen); + uint8_t *p = to_sign; if (md_alg != MBEDTLS_MD_NONE) { /* @@ -565,34 +552,16 @@ external_pkcs1_sign( void *ctx_voidptr, *p++ = MBEDTLS_ASN1_OCTET_STRING; *p++ = hashlen; - /* Determine added ASN length */ - asn_len = p - sig; + /* Double-check ASN length */ + ASSERT(asn_len == p - to_sign); } /* Copy the hash to be signed */ - memcpy( p, hash, hashlen ); - - /* convert 'from' to base64 */ - if (openvpn_base64_encode(sig, asn_len + hashlen, &in_b64) <= 0) - { - rv = MBEDTLS_ERR_RSA_BAD_INPUT_DATA; - goto done; - } + memcpy(p, hash, hashlen); - /* call MI for signature */ - if (management) - { - out_b64 = management_query_pk_sig(management, in_b64); - } - if (!out_b64) - { - rv = MBEDTLS_ERR_RSA_PRIVATE_FAILED; - goto done; - } - - /* decode base64 signature to binary and verify length */ - if (openvpn_base64_decode(out_b64, sig, ctx->signature_length) != - ctx->signature_length) + /* Call external signature function */ + if (!ctx->sign(ctx->sign_ctx, to_sign, asn_len + hashlen, sig, + ctx->signature_length)) { rv = MBEDTLS_ERR_RSA_PRIVATE_FAILED; goto done; @@ -601,14 +570,7 @@ external_pkcs1_sign( void *ctx_voidptr, rv = 0; done: - if (in_b64) - { - free(in_b64); - } - if (out_b64) - { - free(out_b64); - } + free(to_sign); return rv; } @@ -621,7 +583,8 @@ external_key_len(void *vctx) } int -tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) +tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx, + external_sign_func sign_func, void *sign_ctx) { ASSERT(NULL != ctx); @@ -631,11 +594,12 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) return 1; } - ALLOC_OBJ_CLEAR(ctx->external_key, struct external_context); - ctx->external_key->signature_length = mbedtls_pk_get_len(&ctx->crt_chain->pk); + ctx->external_key.signature_length = mbedtls_pk_get_len(&ctx->crt_chain->pk); + ctx->external_key.sign = sign_func; + ctx->external_key.sign_ctx = sign_ctx; ALLOC_OBJ_CLEAR(ctx->priv_key, mbedtls_pk_context); - if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ctx->priv_key, ctx->external_key, + if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ctx->priv_key, &ctx->external_key, NULL, external_pkcs1_sign, external_key_len))) { return 1; @@ -643,6 +607,47 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) return 0; } + +#ifdef MANAGMENT_EXTERNAL_KEY + +/** Query the management interface for a signature, see external_sign_func. */ +static bool +management_sign_func(void *sign_ctx, const void *src, size_t src_len, + void *dst, size_t dst_len) +{ + bool ret = false; + char *src_b64 = NULL; + char *dst_b64 = NULL; + + if (!management || (openvpn_base64_encode(src, src_len, &src_b64) <= 0)) + { + goto cleanup; + } + + if (!(dst_b64 = management_query_pk_sig(management, src_b64))) + { + goto cleanup; + } + + if (openvpn_base64_decode(dst_b64, dst, dst_len) != dst_len) + { + goto cleanup; + } + + ret = true; +cleanup: + free (src_b64); + free (dst_b64); + + return ret; +} + +int +tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) +{ + return tls_ctx_use_external_signing_func(ctx, management_sign_func, NULL); +} + #endif /* ifdef MANAGMENT_EXTERNAL_KEY */ void diff --git a/src/openvpn/ssl_mbedtls.h b/src/openvpn/ssl_mbedtls.h index dd8ca75..73b4c1a 100644 --- a/src/openvpn/ssl_mbedtls.h +++ b/src/openvpn/ssl_mbedtls.h @@ -58,6 +58,30 @@ typedef struct { } bio_ctx; /** + * External signing function prototype. A function pointer to a function + * implementing this prototype is provided to + * tls_ctx_use_external_signing_func(). + * + * @param sign_ctx The context for the signing function. + * @param src The data to be signed, + * @param src_len The length of src, in bytes. + * @param dst The destination buffer for the signature. + * @param dst_len The length of the destination buffer. + * + * @return true if signing succeeded, false otherwise. + */ +typedef bool (*external_sign_func)( + void *sign_ctx, const void *src, size_t src_size, + void *dst, size_t dst_size); + +/** Context used by external_pkcs1_sign() */ +struct external_context { + size_t signature_length; + external_sign_func sign; + void *sign_ctx; +}; + +/** * Structure that wraps the TLS context. Contents differ depending on the * SSL library used. * @@ -78,9 +102,7 @@ struct tls_root_ctx { #if defined(ENABLE_PKCS11) mbedtls_pkcs11_context *priv_key_pkcs11; /**< PKCS11 private key */ #endif -#ifdef MANAGMENT_EXTERNAL_KEY - struct external_context *external_key; /**< Management external key */ -#endif + struct external_context external_key; /**< External key context */ int *allowed_ciphers; /**< List of allowed ciphers for this connection */ mbedtls_x509_crt_profile cert_profile; /**< Allowed certificate types */ }; @@ -91,5 +113,18 @@ struct key_state_ssl { bio_ctx bio_ctx; }; +/** + * Call the supplied signing function to create a TLS signature during the + * TLS handshake. + * + * @param ctx TLS context to use. + * @param sign_func Signing function to call. + * @param sign_ctx Context for the sign function. + * + * @return 0 if successful, 1 if an error occurred. + */ +int tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx, + external_sign_func sign_func, + void *sign_ctx); #endif /* SSL_MBEDTLS_H_ */ From patchwork Thu Sep 13 23:14:19 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Steffan Karger X-Patchwork-Id: 463 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director8.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net (Dovecot) with LMTP id rNtaFVd8m1tBeAAAIUCqbw for ; Fri, 14 Sep 2018 05:16:07 -0400 Received: from proxy12.mail.ord1d.rsapps.net ([172.30.191.6]) by director8.mail.ord1d.rsapps.net with LMTP id cCz9M1d8m1vfEgAAfY0hYg ; Fri, 14 Sep 2018 05:16:07 -0400 Received: from smtp6.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy12.mail.ord1d.rsapps.net with LMTP id sD//M1d8m1tWFAAA7PHxkg ; Fri, 14 Sep 2018 05:16:07 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp6.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=fox-it.com X-Suspicious-Flag: YES X-Classification-ID: cf9ed048-b7fe-11e8-a772-52540050e3e0-1-1 Received: from [216.105.38.7] ([216.105.38.7:2398] helo=lists.sourceforge.net) by smtp6.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 1B/07-08843-75C7B9B5; Fri, 14 Sep 2018 05:16:07 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1g0kBi-0001UJ-Nn; Fri, 14 Sep 2018 09:14:54 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1g0kBh-0001UC-9U for openvpn-devel@lists.sourceforge.net; Fri, 14 Sep 2018 09:14:53 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Type:MIME-Version:References:In-Reply-To: Message-ID:Date:Subject:CC:To:From:Sender:Reply-To:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=Ow88uVTB0Z3bF+xUs9nj3NV3cNrQRbSzdYqYTO6DC18=; b=Gr46gtta2XyxtuPZM94+Fcj7o2 gXxnH4AiAyUe0aa7ToxWrJkVBHTiViiXK8ovomUSp9lLtehszbXvvCVtCePkvjfbiknyGkegvoEy3 A8VIDNyOtOgvVUq2Q/LwD8XK+3Ku7pyhvlIGIitCAwV7CGsFOSVsk3TSLJuCKf2DZdnM=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Type:MIME-Version:References:In-Reply-To:Message-ID:Date:Subject: CC:To:From:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=Ow88uVTB0Z3bF+xUs9nj3NV3cNrQRbSzdYqYTO6DC18=; b=CRvGF4hzArVVT/1ytvh+ygILxU e5pf9936H7Y93tnmVSVjMWYqbVBXCjr7JJn2Wz1X8AP4sSkj3o1FrYPvGw0l8unwvnFSTkx5h2Vmf Aienh0MecLYmmtEEpENKqUeDIdQhzfIrSEYhXq8bI2gC6zaP/nxFyEGcgOWFwjnx7nqs=; Received: from ns2.fox-it.com ([178.250.144.131]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1:ECDHE-RSA-AES256-SHA:256) (Exim 4.90_1) id 1g0kBe-001Zu2-HU for openvpn-devel@lists.sourceforge.net; Fri, 14 Sep 2018 09:14:52 +0000 Received: from FOXDFT52.FOX.local (unknown [10.0.0.129]) by ns2.fox-it.com (Postfix) with ESMTPS id 7ABCB1AF87C for ; Fri, 14 Sep 2018 11:14:42 +0200 (CEST) Received: from steffan-fox.fox.local (172.16.5.172) by FOXDFT52.FOX.local (10.0.0.129) with Microsoft SMTP Server (TLS) id 15.0.1293.2; Fri, 14 Sep 2018 11:14:42 +0200 From: Steffan Karger To: Date: Fri, 14 Sep 2018 11:14:19 +0200 Message-ID: <1536916459-25900-3-git-send-email-steffan.karger@fox-it.com> X-Mailer: git-send-email 2.7.4 In-Reply-To: <1536916459-25900-1-git-send-email-steffan.karger@fox-it.com> References: <1505166722-5409-1-git-send-email-steffan.karger@fox-it.com> <1536916459-25900-1-git-send-email-steffan.karger@fox-it.com> MIME-Version: 1.0 X-ClientProxiedBy: FOXDFT52.FOX.local (10.0.0.129) To FOXDFT52.FOX.local (10.0.0.129) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1g0kBe-001Zu2-HU Subject: [Openvpn-devel] [PATCH v2 3/3] mbedtls: remove dependency on mbedtls pkcs11 module X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Instead of using mbedtls's pkcs11 module, reuse the code we already have for management-external-key to also do pkcs11 signatures. As far as mbed is concerned, we simply provide an external signature. This has the following advantages: * We no longer need mbed TLS to be compiled with the pkcs11 modules enabled (which is not enabled by default). This makes it easier to use a system/distribution-provided mbed shared library. * We no longer have a dependency on pkcs11-helper through mbed TLS. So if we want to migrate to some other pkcs11 lib (see e.g. trac #491, #538 and #549 for reason why), this will be easier. While touching this code, switch from M_FATAL to M_WARN and proper error handling. This improves the error reporting, and helps prevent potential future DoS attacks if someone starts using these functions on peer input. Signed-off-by: Steffan Karger Acked-By: Arne Schwabe --- v2: rebase onto current master configure.ac | 29 --------------- src/openvpn/pkcs11_mbedtls.c | 87 +++++++++++++++++++++++++++++--------------- src/openvpn/ssl_mbedtls.c | 7 +--- src/openvpn/ssl_mbedtls.h | 6 +-- 4 files changed, 62 insertions(+), 67 deletions(-) diff --git a/configure.ac b/configure.ac index 9c31435..3d8e15b 100644 --- a/configure.ac +++ b/configure.ac @@ -994,35 +994,6 @@ elif test "${with_crypto_library}" = "mbedtls"; then [AC_MSG_ERROR([mbed TLS 2.y.z required])] ) - mbedtls_with_pkcs11="no" - AC_COMPILE_IFELSE( - [AC_LANG_PROGRAM( - [[ -#include - ]], - [[ -#ifndef MBEDTLS_PKCS11_C -#error pkcs11 wrapper missing -#endif - ]] - )], - mbedtls_with_pkcs11="yes") - - AC_MSG_CHECKING([mbedtls pkcs11 support]) - if test "${enable_pkcs11}" = "yes"; then - if test "${mbedtls_with_pkcs11}" = "yes"; then - AC_MSG_RESULT([ok]) - else - AC_MSG_ERROR([mbedtls has no pkcs11 wrapper compiled in]) - fi - else - if test "${mbedtls_with_pkcs11}" != "yes"; then - AC_MSG_RESULT([ok]) - else - AC_MSG_ERROR([mbed TLS compiled with PKCS11, while OpenVPN is not]) - fi - fi - have_crypto_aead_modes="yes" AC_CHECK_FUNCS( [ \ diff --git a/src/openvpn/pkcs11_mbedtls.c b/src/openvpn/pkcs11_mbedtls.c index 7620624..bd704e0 100644 --- a/src/openvpn/pkcs11_mbedtls.c +++ b/src/openvpn/pkcs11_mbedtls.c @@ -39,60 +39,89 @@ #include "errlevel.h" #include "pkcs11_backend.h" #include "ssl_verify_backend.h" -#include #include -int -pkcs11_init_tls_session(pkcs11h_certificate_t certificate, - struct tls_root_ctx *const ssl_ctx) +static bool +pkcs11_get_x509_cert(pkcs11h_certificate_t pkcs11_cert, mbedtls_x509_crt *cert) { - int ret = 1; + unsigned char *cert_blob = NULL; + size_t cert_blob_size = 0; + bool ret = false; - ASSERT(NULL != ssl_ctx); - - ALLOC_OBJ_CLEAR(ssl_ctx->crt_chain, mbedtls_x509_crt); - if (mbedtls_pkcs11_x509_cert_bind(ssl_ctx->crt_chain, certificate)) + if (pkcs11h_certificate_getCertificateBlob(pkcs11_cert, NULL, + &cert_blob_size) != CKR_OK) { - msg(M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object"); + msg(M_WARN, "PKCS#11: Cannot retrieve certificate object size"); goto cleanup; } - ALLOC_OBJ_CLEAR(ssl_ctx->priv_key_pkcs11, mbedtls_pkcs11_context); - if (mbedtls_pkcs11_priv_key_bind(ssl_ctx->priv_key_pkcs11, certificate)) + check_malloc_return((cert_blob = calloc(1, cert_blob_size))); + if (pkcs11h_certificate_getCertificateBlob(pkcs11_cert, cert_blob, + &cert_blob_size) != CKR_OK) { - msg(M_FATAL, "PKCS#11: Cannot initialize mbed TLS private key object"); + msg(M_WARN, "PKCS#11: Cannot retrieve certificate object"); goto cleanup; } - ALLOC_OBJ_CLEAR(ssl_ctx->priv_key, mbedtls_pk_context); - if (!mbed_ok(mbedtls_pk_setup_rsa_alt(ssl_ctx->priv_key, - ssl_ctx->priv_key_pkcs11, mbedtls_ssl_pkcs11_decrypt, - mbedtls_ssl_pkcs11_sign, mbedtls_ssl_pkcs11_key_len))) + if (!mbed_ok(mbedtls_x509_crt_parse(cert, cert_blob, cert_blob_size))) { + msg(M_WARN, "PKCS#11: Could not parse certificate"); goto cleanup; } - ret = 0; - + ret = true; cleanup: + free(cert_blob); return ret; } +static bool +pkcs11_sign(void *pkcs11_cert, const void *src, size_t src_len, + void *dst, size_t dst_len) +{ + return CKR_OK == pkcs11h_certificate_signAny(pkcs11_cert, CKM_RSA_PKCS, + src, src_len, dst, &dst_len); +} + +int +pkcs11_init_tls_session(pkcs11h_certificate_t certificate, + struct tls_root_ctx *const ssl_ctx) +{ + ASSERT(NULL != ssl_ctx); + + ssl_ctx->pkcs11_cert = certificate; + + ALLOC_OBJ_CLEAR(ssl_ctx->crt_chain, mbedtls_x509_crt); + if (!pkcs11_get_x509_cert(certificate, ssl_ctx->crt_chain)) + { + msg(M_WARN, "PKCS#11: Cannot initialize certificate"); + return 1; + } + + if (tls_ctx_use_external_signing_func(ssl_ctx, pkcs11_sign, certificate)) + { + msg(M_WARN, "PKCS#11: Cannot register signing function"); + return 1; + } + + return 0; +} + char * pkcs11_certificate_dn(pkcs11h_certificate_t cert, struct gc_arena *gc) { char *ret = NULL; - mbedtls_x509_crt mbed_crt = {0}; + mbedtls_x509_crt mbed_crt = { 0 }; - if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert)) + if (!pkcs11_get_x509_cert(cert, &mbed_crt)) { - msg(M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object"); + msg(M_WARN, "PKCS#11: Cannot retrieve mbed TLS certificate object"); goto cleanup; } if (!(ret = x509_get_subject(&mbed_crt, gc))) { - msg(M_FATAL, "PKCS#11: mbed TLS cannot parse subject"); + msg(M_WARN, "PKCS#11: mbed TLS cannot parse subject"); goto cleanup; } @@ -107,23 +136,21 @@ pkcs11_certificate_serial(pkcs11h_certificate_t cert, char *serial, size_t serial_len) { int ret = 1; + mbedtls_x509_crt mbed_crt = { 0 }; - mbedtls_x509_crt mbed_crt = {0}; - - if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert)) + if (!pkcs11_get_x509_cert(cert, &mbed_crt)) { - msg(M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object"); + msg(M_WARN, "PKCS#11: Cannot retrieve mbed TLS certificate object"); goto cleanup; } - if (-1 == mbedtls_x509_serial_gets(serial, serial_len, &mbed_crt.serial)) + if (mbedtls_x509_serial_gets(serial, serial_len, &mbed_crt.serial) < 0) { - msg(M_FATAL, "PKCS#11: mbed TLS cannot parse serial"); + msg(M_WARN, "PKCS#11: mbed TLS cannot parse serial"); goto cleanup; } ret = 0; - cleanup: mbedtls_x509_crt_free(&mbed_crt); diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 4c39cf3..e4850cb 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -43,6 +43,7 @@ #include "buffer.h" #include "misc.h" #include "manage.h" +#include "pkcs11_backend.h" #include "ssl_common.h" #include @@ -167,11 +168,7 @@ tls_ctx_free(struct tls_root_ctx *ctx) } #if defined(ENABLE_PKCS11) - if (ctx->priv_key_pkcs11 != NULL) - { - mbedtls_pkcs11_priv_key_free(ctx->priv_key_pkcs11); - free(ctx->priv_key_pkcs11); - } + pkcs11h_certificate_freeCertificate(ctx->pkcs11_cert); #endif if (ctx->allowed_ciphers) diff --git a/src/openvpn/ssl_mbedtls.h b/src/openvpn/ssl_mbedtls.h index 73b4c1a..998d6f2 100644 --- a/src/openvpn/ssl_mbedtls.h +++ b/src/openvpn/ssl_mbedtls.h @@ -35,7 +35,7 @@ #include #if defined(ENABLE_PKCS11) -#include +#include #endif typedef struct _buffer_entry buffer_entry; @@ -99,8 +99,8 @@ struct tls_root_ctx { mbedtls_x509_crl *crl; /**< Certificate Revocation List */ time_t crl_last_mtime; /**< CRL last modification time */ off_t crl_last_size; /**< size of last loaded CRL */ -#if defined(ENABLE_PKCS11) - mbedtls_pkcs11_context *priv_key_pkcs11; /**< PKCS11 private key */ +#ifdef ENABLE_PKCS11 + pkcs11h_certificate_t pkcs11_cert; /**< PKCS11 certificate */ #endif struct external_context external_key; /**< External key context */ int *allowed_ciphers; /**< List of allowed ciphers for this connection */