authorAdriaan de Jong <dejong@fox-it.com>2011-06-27 14:01:22 +0200
committerDavid Sommerseth <davids@redhat.com>2011-10-19 22:45:01 +0200
commitd1013cfe957ab3961b8b78486704ddcdecba513b (patch)
tree425bbef72d6410c0eb80cf50f300c0ab898c9edf
parent289a8bb806150b418abb64abea26cb4106811850 (diff)
Refactored PKCS#11 loading
Signed-off-by: Adriaan de Jong <dejong@fox-it.com> Acked-by: Gert Doering <gert@greenie.muc.de> Signed-off-by: David Sommerseth <davids@redhat.com>
-rw-r--r--ssl.c29
-rw-r--r--ssl_backend.h11
-rw-r--r--ssl_openssl.c17
3 files changed, 37 insertions, 20 deletions
diff --git a/ssl.c b/ssl.c
index 559c252..4110004 100644
--- a/ssl.c
+++ b/ssl.c
@@ -1993,32 +1993,22 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
options->pkcs12_file_inline, !options->ca_file))
goto err;
}
- else
- {
- /* Use seperate PEM files for key, cert and CA certs */
-
#ifdef ENABLE_PKCS11
- if (options->pkcs11_providers[0])
- {
- /* Load Certificate and Private Key */
- if (!SSL_CTX_use_pkcs11 (ctx, options->pkcs11_id_management, options->pkcs11_id))
- {
- msg (M_WARN, "Cannot load certificate \"%s\" using PKCS#11 interface", options->pkcs11_id);
- goto err;
- }
- }
- else
+ else if (options->pkcs11_providers[0])
+ {
+ if (0 != tls_ctx_load_pkcs11(new_ctx, options->pkcs11_id_management, options->pkcs11_id))
+ goto err;
+ }
#endif
-
#ifdef WIN32
- if (options->cryptoapi_cert)
- {
+ else if (options->cryptoapi_cert)
+ {
/* Load Certificate and Private Key */
if (!SSL_CTX_use_CryptoAPI_certificate (ctx, options->cryptoapi_cert))
msg (M_SSLERR, "Cannot load certificate \"%s\" from Microsoft Certificate Store",
options->cryptoapi_cert);
- }
- else
+ }
+ else
#endif
{
X509 *my_cert = NULL;
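Review bot: On any build where WIN32 is not defined, the `else` placed just before `#endif` in the `#ifdef WIN32` block is compiled out, so the PEM-loading block that opens with `X509 *my_cert = NULL;` is no longer an alternative but an unconditional statement block that runs after a successful PKCS#12 (or, with ENABLE_PKCS11, PKCS#11) load. The removed `else { ... }` wrapper covered all three alternatives; the new `else if` chain only reproduces that on WIN32. Keep the fallback `else` outside conditional compilation: end the WIN32 branch with `    }` then `#endif`, and put `  else` on its own line after the `#endif`, directly before the `{` of the PEM block, so the chain is complete regardless of which backends are compiled in. init_ssl begins before this hunk and the PEM branch continues past it.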
@@ -2088,7 +2078,6 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
msg (M_SSLERR, "Private key does not match the certificate");
}
}
- }
if (options->ca_file || options->ca_path)
{
diff --git a/ssl_backend.h b/ssl_backend.h
index 1bce80d..027026b 100644
--- a/ssl_backend.h
+++ b/ssl_backend.h
@@ -150,6 +150,17 @@ int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
bool load_ca_file
);
+/*
+ * Load PKCS #11 information for key and cert, and add to library-specific TLS
+ * context.
+ *
+ * TODO: document
+ */
+#ifdef ENABLE_PKCS11
+int tls_ctx_load_pkcs11(struct tls_root_ctx *ctx,
+ bool pkcs11_id_management, const char *pkcs11_id);
+#endif /* ENABLE_PKCS11 */
+
/**
* Show the TLS ciphers that are available for us to use in the OpenSSL
* library.
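Review bot: The new `tls_ctx_load_pkcs11` prototype ships with a `TODO: document` placeholder even though its contract is already fixed by the ssl_openssl.c implementation in this same commit, and the caller in ssl.c keys on the return value (`0 != tls_ctx_load_pkcs11(...)` → `goto err`). Replace the placeholder with the parameter list and the return convention, in the style of the surrounding block comments: describe `ctx` as the TLS context the key and certificate are added to, `pkcs11_id_management` and `pkcs11_id` as passed through to the PKCS#11 lookup, and end with `@return 0 on success, 1 if the certificate/key could not be loaded (a warning is logged).` Documenting the non-zero failure value here keeps the header and the backend implementation from drifting apart once a second backend implements it.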
diff --git a/ssl_openssl.c b/ssl_openssl.c
index 1ba73ef..8f5fa98 100644
--- a/ssl_openssl.c
+++ b/ssl_openssl.c
@@ -313,6 +313,23 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
return 0;
}
+#ifdef ENABLE_PKCS11
+int
+tls_ctx_load_pkcs11(struct tls_root_ctx *ctx, bool pkcs11_id_management,
+ const char *pkcs11_id)
+{
+ ASSERT(NULL != ctx);
+
+ /* Load Certificate and Private Key */
+ if (!SSL_CTX_use_pkcs11 (ctx->ctx, pkcs11_id_management, pkcs11_id))
+ {
+ msg (M_WARN, "Cannot load certificate \"%s\" using PKCS#11 interface", pkcs11_id);
+ return 1;
+ }
+ return 0;
+}
+#endif /* ENABLE_PKCS11 */
+
void
show_available_tls_ciphers ()
{
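Review bot: In the failure path of the new `tls_ctx_load_pkcs11`, `msg (M_WARN, "Cannot load certificate \"%s\" ...", pkcs11_id)` hands `pkcs11_id` to a `%s` conversion with no NULL check, while the only guard in the function is `ASSERT(NULL != ctx)`; if the id can be absent when `pkcs11_id_management` is set (not visible in this hunk), that log line is undefined behaviour on exactly the path where loading failed. A cheap guard is `pkcs11_id ? pkcs11_id : "(none)"` in the `msg` argument, and `ASSERT(NULL != ctx->ctx)` would cover the pointer actually dereferenced by `SSL_CTX_use_pkcs11`. The 0/1 return convention is only discoverable by reading this body; a one-line comment above the definition such as `/* Returns 0 on success, 1 if the PKCS#11 cert/key could not be loaded (warning logged). */` would make it explicit where the caller's `0 !=` test depends on it.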