- Generalized external private key implementation handling (like PKCS#11) in SSL/TLS
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index b44af2b..3e1b056 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -30,10 +30,6 @@
#include "polarssl/debug.h"
#include "polarssl/ssl.h"
-#if defined(POLARSSL_PKCS11_C)
-#include "polarssl/pkcs11.h"
-#endif /* defined(POLARSSL_PKCS11_C) */
-
#include <stdlib.h>
#include <stdio.h>
#include <time.h>
@@ -1115,15 +1111,8 @@
if( ssl->rsa_key == NULL )
{
-#if defined(POLARSSL_PKCS11_C)
- if( ssl->pkcs11_key == NULL )
- {
-#endif /* defined(POLARSSL_PKCS11_C) */
- SSL_DEBUG_MSG( 1, ( "got no private key" ) );
- return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
-#if defined(POLARSSL_PKCS11_C)
- }
-#endif /* defined(POLARSSL_PKCS11_C) */
+ SSL_DEBUG_MSG( 1, ( "got no private key" ) );
+ return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
}
/*
@@ -1132,11 +1121,7 @@
ssl->handshake->calc_verify( ssl, hash );
if ( ssl->rsa_key )
- n = ssl->rsa_key->len;
-#if defined(POLARSSL_PKCS11_C)
- else
- n = ssl->pkcs11_key->len;
-#endif /* defined(POLARSSL_PKCS11_C) */
+ n = ssl->rsa_key_len ( ssl->rsa_key );
if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
{
@@ -1164,14 +1149,9 @@
if( ssl->rsa_key )
{
- ret = rsa_pkcs1_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
- RSA_PRIVATE, hash_id,
- hashlen, hash, ssl->out_msg + 6 + offset );
- } else {
-#if defined(POLARSSL_PKCS11_C)
- ret = pkcs11_sign( ssl->pkcs11_key, RSA_PRIVATE, hash_id,
- hashlen, hash, ssl->out_msg + 6 + offset );
-#endif /* defined(POLARSSL_PKCS11_C) */
+ ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
+ RSA_PRIVATE, hash_id,
+ hashlen, hash, ssl->out_msg + 6 + offset );
}
if (ret != 0)
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 64b0d2d..e311458 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -30,10 +30,6 @@
#include "polarssl/debug.h"
#include "polarssl/ssl.h"
-#if defined(POLARSSL_PKCS11_C)
-#include "polarssl/pkcs11.h"
-#endif /* defined(POLARSSL_PKCS11_C) */
-
#include <stdlib.h>
#include <stdio.h>
#include <time.h>
@@ -644,15 +640,8 @@
if( ssl->rsa_key == NULL )
{
-#if defined(POLARSSL_PKCS11_C)
- if( ssl->pkcs11_key == NULL )
- {
-#endif /* defined(POLARSSL_PKCS11_C) */
- SSL_DEBUG_MSG( 1, ( "got no private key" ) );
- return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
-#if defined(POLARSSL_PKCS11_C)
- }
-#endif /* defined(POLARSSL_PKCS11_C) */
+ SSL_DEBUG_MSG( 1, ( "got no private key" ) );
+ return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
}
/*
@@ -738,11 +727,7 @@
SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
if ( ssl->rsa_key )
- rsa_key_len = ssl->rsa_key->len;
-#if defined(POLARSSL_PKCS11_C)
- else
- rsa_key_len = ssl->pkcs11_key->len;
-#endif /* defined(POLARSSL_PKCS11_C) */
+ rsa_key_len = ssl->rsa_key_len( ssl->rsa_key );
if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
{
@@ -758,16 +743,11 @@
if ( ssl->rsa_key )
{
- ret = rsa_pkcs1_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
- RSA_PRIVATE,
- hash_id, hashlen, hash, ssl->out_msg + 6 + n );
+ ret = ssl->rsa_sign( ssl->rsa_key, ssl->f_rng, ssl->p_rng,
+ RSA_PRIVATE,
+ hash_id, hashlen, hash,
+ ssl->out_msg + 6 + n );
}
-#if defined(POLARSSL_PKCS11_C)
- else {
- ret = pkcs11_sign( ssl->pkcs11_key, RSA_PRIVATE,
- hash_id, hashlen, hash, ssl->out_msg + 6 + n );
- }
-#endif /* defined(POLARSSL_PKCS11_C) */
if( ret != 0 )
{
@@ -898,15 +878,8 @@
{
if( ssl->rsa_key == NULL )
{
-#if defined(POLARSSL_PKCS11_C)
- if( ssl->pkcs11_key == NULL )
- {
-#endif
- SSL_DEBUG_MSG( 1, ( "got no private key" ) );
- return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
-#if defined(POLARSSL_PKCS11_C)
- }
-#endif
+ SSL_DEBUG_MSG( 1, ( "got no private key" ) );
+ return( POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED );
}
/*
@@ -914,11 +887,7 @@
*/
i = 4;
if( ssl->rsa_key )
- n = ssl->rsa_key->len;
-#if defined(POLARSSL_PKCS11_C)
- else
- n = ssl->pkcs11_key->len;
-#endif
+ n = ssl->rsa_key_len( ssl->rsa_key );
ssl->handshake->pmslen = 48;
if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
@@ -939,21 +908,12 @@
}
if( ssl->rsa_key ) {
- ret = rsa_pkcs1_decrypt( ssl->rsa_key, RSA_PRIVATE,
- &ssl->handshake->pmslen,
- ssl->in_msg + i,
- ssl->handshake->premaster,
- sizeof(ssl->handshake->premaster) );
+ ret = ssl->rsa_decrypt( ssl->rsa_key, RSA_PRIVATE,
+ &ssl->handshake->pmslen,
+ ssl->in_msg + i,
+ ssl->handshake->premaster,
+ sizeof(ssl->handshake->premaster) );
}
-#if defined(POLARSSL_PKCS11_C)
- else {
- ret = pkcs11_decrypt( ssl->pkcs11_key, RSA_PRIVATE,
- &ssl->handshake->pmslen,
- ssl->in_msg + i,
- ssl->handshake->premaster,
- sizeof(ssl->handshake->premaster) );
- }
-#endif /* defined(POLARSSL_PKCS11_C) */
if( ret != 0 || ssl->handshake->pmslen != 48 ||
ssl->handshake->premaster[0] != ssl->max_major_ver ||
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 6192004..cc0f65c 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -65,6 +65,28 @@
int (*ssl_hw_record_finish)(ssl_context *ssl) = NULL;
#endif
+static int ssl_rsa_decrypt( void *ctx, int mode, size_t *olen,
+ const unsigned char *input, unsigned char *output,
+ size_t output_max_len )
+{
+ return rsa_pkcs1_decrypt( (rsa_context *) ctx, mode, olen, input, output,
+ output_max_len );
+}
+
+static int ssl_rsa_sign( void *ctx,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ int mode, int hash_id, unsigned int hashlen,
+ const unsigned char *hash, unsigned char *sig )
+{
+ return rsa_pkcs1_sign( (rsa_context *) ctx, f_rng, p_rng, mode, hash_id,
+ hashlen, hash, sig );
+}
+
+static size_t ssl_rsa_key_len( void *ctx )
+{
+ return ( (rsa_context *) ctx )->len;
+}
+
/*
* Key material generation
*/
@@ -2826,6 +2848,10 @@
memset( ssl, 0, sizeof( ssl_context ) );
+ ssl->rsa_decrypt = ssl_rsa_decrypt;
+ ssl->rsa_sign = ssl_rsa_sign;
+ ssl->rsa_key_len = ssl_rsa_key_len;
+
ssl->in_ctr = (unsigned char *) malloc( len );
ssl->in_hdr = ssl->in_ctr + 8;
ssl->in_msg = ssl->in_ctr + 13;
@@ -3002,14 +3028,19 @@
ssl->rsa_key = rsa_key;
}
-#if defined(POLARSSL_PKCS11_C)
-void ssl_set_own_cert_pkcs11( ssl_context *ssl, x509_cert *own_cert,
- pkcs11_context *pkcs11_key )
+void ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
+ void *rsa_key,
+ rsa_decrypt_func rsa_decrypt,
+ rsa_sign_func rsa_sign,
+ rsa_key_len_func rsa_key_len )
{
ssl->own_cert = own_cert;
- ssl->pkcs11_key = pkcs11_key;
+ ssl->rsa_key = rsa_key;
+ ssl->rsa_decrypt = rsa_decrypt;
+ ssl->rsa_sign = rsa_sign;
+ ssl->rsa_key_len = rsa_key_len;
}
-#endif
+
#if defined(POLARSSL_DHM_C)
int ssl_set_dh_param( ssl_context *ssl, const char *dhm_P, const char *dhm_G )