Added "management-external-key" option. This option can be used

instead of "key" in client mode, and allows the client to run
without the need to load the actual private key.  When the SSL
protocol needs to perform an RSA sign operation, the data to
be signed will be sent to the management interface via a
notification as follows:

  >RSA_SIGN:[BASE64_DATA]

The management interface client should then sign BASE64_DATA
using the private key and return the signature as follows:

  rsa-sig
  [BASE64_SIG_LINE]
  .
  .
  .
  END

This capability is intended to allow the use of arbitrary
cryptographic service providers with OpenVPN via the
management interface.


git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@6708 e7ae566f-a301-0410-adde-c780ea21d3b5

1 files changed, 15 insertions, 2 deletions

diff --git a/base64.c b/base64.c
index 3449ae5..8f0fb6c 100644
--- a/base64.c
+++ b/base64.c
@@ -33,7 +33,7 @@
 
 #include "syshead.h"
 
-#if defined(ENABLE_HTTP_PROXY) || defined(ENABLE_PKCS11) || defined(ENABLE_CLIENT_CR)
+#if defined(ENABLE_HTTP_PROXY) || defined(ENABLE_PKCS11) || defined(ENABLE_CLIENT_CR) || defined(MANAGMENT_EXTERNAL_KEY)
 
 #include "base64.h"
 
@@ -115,22 +115,35 @@ token_decode(const char *token)
 }
 
 int
-base64_decode(const char *str, void *data)
+base64_decode(const char *str, void *data, int size)
 {
     const char *p;
     unsigned char *q;
+    unsigned char *e = NULL;
 
     q = data;
+    if (size >= 0)
+      e = q + size;
     for (p = str; *p && (*p == '=' || strchr(base64_chars, *p)); p += 4) {
 	unsigned int val = token_decode(p);
 	unsigned int marker = (val >> 24) & 0xff;
 	if (val == DECODE_ERROR)
 	    return -1;
+	if (e && q >= e)
+	  return -1;
 	*q++ = (val >> 16) & 0xff;
 	if (marker < 2)
+	  {
+	    if (e && q >= e)
+	      return -1;
 	    *q++ = (val >> 8) & 0xff;
+	  }
 	if (marker < 1)
+	  {
+	    if (e && q >= e)
+	      return -1;
 	    *q++ = val & 0xff;
+	  }
     }
     return q - (unsigned char *) data;
 }