From ac75523593dc7ac638f75142c75284c6ff22b61a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Mon, 19 Aug 2013 14:10:16 +0200
Subject: [PATCH] Adapt ssl_set_own_cert() to generic keys

---
 include/polarssl/ssl.h | 33 +++++++++++++++++++++++++--------
 library/ssl_tls.c | 31 ++++++++++++++++++++++---------
 programs/ssl/ssl_client2.c | 14 +++++++-------
 programs/ssl/ssl_fork_server.c | 14 +++++++-------
 programs/ssl/ssl_mail_client.c | 14 +++++++-------
 programs/ssl/ssl_server.c | 14 +++++++-------
 programs/ssl/ssl_server2.c | 14 +++++++-------
 programs/test/ssl_test.c | 12 ++++++------
 programs/x509/cert_app.c | 8 ++++----
 9 files changed, 92 insertions(+), 62 deletions(-)

diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 65a7c53c3..b98551b4a 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -578,6 +578,7 @@ struct _ssl_context
 /*
 * PKI layer
 */
+ pk_context *pk_key; /*!< own private key */
 #if defined(POLARSSL_RSA_C)
 void *rsa_key; /*!< own RSA private key */
 rsa_decrypt_func rsa_decrypt; /*!< function for RSA decrypt*/
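Review bot: The new `pk_key` member's comment does not say how it relates to the adjacent `rsa_key`, which `ssl_set_own_cert()` in library/ssl_tls.c now fills from `pk_key->pk_ctx` whenever the PK key is RSA, so a reader of the struct cannot tell that the two may point into the same object or which one is authoritative. Suggest `/*!< own private key (generic PK); rsa_key mirrors its pk_ctx while the RSA path is still in use */`. Note also that `pk_key` is declared unconditionally while `rsa_key` stays under `#if defined(POLARSSL_RSA_C)`; that is fine for the field itself, but the code in ssl_tls.c that writes `rsa_key` from `pk_key` needs the same guard. The enclosing `struct _ssl_context` starts and ends outside the hunk.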
@@ -903,13 +904,29 @@ void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
 *
 * \param ssl SSL context
 * \param own_cert own public certificate chain
- * \param rsa_key own private RSA key
+ * \param pk_key own private key
 */
 void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
- rsa_context *rsa_key );
+ pk_context *rsa_key );
+
+#if defined(POLARSSL_RSA_C)
+/**
+ * \brief Set own certificate chain and private RSA key
+ *
+ * Note: own_cert should contain IN order from the bottom
+ * up your certificate chain. The top certificate (self-signed)
+ * can be omitted.
+ *
+ * \param ssl SSL context
+ * \param own_cert own public certificate chain
+ * \param rsa_key own private RSA key
+ */
+void ssl_set_own_cert_rsa( ssl_context *ssl, x509_cert *own_cert,
+ rsa_context *rsa_key );
+#endif /* POLARSSL_RSA_C */
 
 /**
- * \brief Set own certificate and alternate non-PolarSSL private
+ * \brief Set own certificate and alternate non-PolarSSL RSA private
 * key and handling callbacks, such as the PKCS#11 wrappers
 * or any other external private key handler.
 * (see the respective RSA functions in rsa.h for documentation
@@ -927,11 +944,11 @@ void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
 * \param rsa_sign_func alternate implementation of \c rsa_pkcs1_sign()
 * \param rsa_key_len_func function returning length of RSA key in bytes
 */
-void ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
- void *rsa_key,
- rsa_decrypt_func rsa_decrypt,
- rsa_sign_func rsa_sign,
- rsa_key_len_func rsa_key_len );
+void ssl_set_own_cert_alt_rsa( ssl_context *ssl, x509_cert *own_cert,
+ void *rsa_key,
+ rsa_decrypt_func rsa_decrypt,
+ rsa_sign_func rsa_sign,
+ rsa_key_len_func rsa_key_len );
 #endif /* POLARSSL_X509_PARSE_C */
 
 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 033c9faf6..4e5b3e6ae 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
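Review bot: The `ssl_set_own_cert()` prototype still names its last parameter `rsa_key` although its type is now `pk_context *`, the `\param` line just above documents it as `pk_key`, and the definition in library/ssl_tls.c calls it `pk_key`; a doc generator would flag the mismatch and readers of the header get a misleading name for a key that is no longer RSA-specific. Change the prototype line to `pk_context *pk_key );`. The doc block should also record the interim behaviour visible in ssl_tls.c, for example `* Note: a non-RSA key is stored in the context but the RSA-specific handshake state is only set up for RSA keys (transitional).`, so callers know what to expect while the PK migration is incomplete. In the second hunk of this file, `ssl_set_own_cert_alt()` is renamed to `ssl_set_own_cert_alt_rsa()` with no compatibility alias, so existing external callers stop compiling; if that is intended it should be stated in the commit message or changelog.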
@@ -3143,22 +3143,35 @@ void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
 }
 
 void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
- rsa_context *rsa_key )
+ pk_context *pk_key )
+{
+ ssl->own_cert = own_cert;
+ ssl->pk_key = pk_key;
+
+ /* Temporary, until everything is moved to PK */
+ if( pk_key->pk_info->type == POLARSSL_PK_RSA )
+ ssl->rsa_key = pk_key->pk_ctx;
+}
+
+#if defined(POLARSSL_RSA_C)
+void ssl_set_own_cert_rsa( ssl_context *ssl, x509_cert *own_cert,
+ rsa_context *rsa_key )
 {
 ssl->own_cert = own_cert;
 ssl->rsa_key = rsa_key;
 }
+#endif /* POLARSSL_RSA_C */
 
-void ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
- void *rsa_key,
- rsa_decrypt_func rsa_decrypt,
- rsa_sign_func rsa_sign,
- rsa_key_len_func rsa_key_len )
+void ssl_set_own_cert_alt_rsa( ssl_context *ssl, x509_cert *own_cert,
+ void *rsa_key,
+ rsa_decrypt_func rsa_decrypt,
+ rsa_sign_func rsa_sign,
+ rsa_key_len_func rsa_key_len )
 {
- ssl->own_cert = own_cert;
- ssl->rsa_key = rsa_key;
+ ssl->own_cert = own_cert;
+ ssl->rsa_key = rsa_key;
 ssl->rsa_decrypt = rsa_decrypt;
- ssl->rsa_sign = rsa_sign;
+ ssl->rsa_sign = rsa_sign;
 ssl->rsa_key_len = rsa_key_len;
 }
 #endif /* POLARSSL_X509_PARSE_C */
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index dd7fc465e..e5adef725 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -257,7 +257,7 @@ int main( int argc, char *argv[] )
 #if defined(POLARSSL_X509_PARSE_C)
 x509_cert cacert;
 x509_cert clicert;
- rsa_context rsa;
+ pk_context pkey;
 #endif
 char *p, *q;
 const int *list;
@@ -271,7 +271,7 @@ int main( int argc, char *argv[] )
 #if defined(POLARSSL_X509_PARSE_C)
 memset( &cacert, 0, sizeof( x509_cert ) );
 memset( &clicert, 0, sizeof( x509_cert ) );
- memset( &rsa, 0, sizeof( rsa_context ) );
+ pk_init( &pkey );
 #endif
 
 if( argc == 0 )
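Review bot: `ssl_set_own_cert()` now dereferences `pk_key->pk_info->type` with no check that `pk_key` or `pk_key->pk_info` is non-NULL, whereas the old body only stored the pointer; programs/x509/cert_app.c (last file in this patch) passes a context that has only been through `pk_init()` with no key loaded in any visible hunk, which presumably leaves `pk_info` NULL and would crash there. The assignment to `ssl->rsa_key` is also compiled unconditionally although `rsa_key` is declared under `#if defined(POLARSSL_RSA_C)` in ssl.h, so the build breaks with RSA disabled, and when the key is not RSA `rsa_key` keeps whatever it held before, leaving a stale pointer for any RSA path that still consults it. Guard the pointers and the configuration and reset `rsa_key` before the type test, as below. `ssl_set_own_cert_rsa()` and `ssl_set_own_cert_alt_rsa()` likewise leave `pk_key` untouched, which may matter once code consults `pk_key` first.
```c
void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
                       pk_context *pk_key )
{
    ssl->own_cert = own_cert;
    ssl->pk_key = pk_key;

#if defined(POLARSSL_RSA_C)
    /* Temporary, until everything is moved to PK: keep rsa_key in step
     * with pk_key and never leave a stale RSA pointer behind. */
    ssl->rsa_key = NULL;
    if( pk_key != NULL && pk_key->pk_info != NULL &&
        pk_key->pk_info->type == POLARSSL_PK_RSA )
        ssl->rsa_key = pk_key->pk_ctx;
#endif
}
/* … unchanged: ssl_set_own_cert_rsa(), ssl_set_own_cert_alt_rsa() … */
```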
@@ -626,11 +626,11 @@ int main( int argc, char *argv[] )
 
 #if defined(POLARSSL_FS_IO)
 if( strlen( opt.key_file ) )
- ret = x509parse_keyfile_rsa( &rsa, opt.key_file, "" );
+ ret = x509parse_keyfile( &pkey, opt.key_file, "" );
 else
 #endif
 #if defined(POLARSSL_CERTS_C)
- ret = x509parse_key_rsa( &rsa, (const unsigned char *) test_cli_key,
+ ret = x509parse_key( &pkey, (const unsigned char *) test_cli_key,
 strlen( test_cli_key ), NULL, 0 );
 #else
 {
@@ -640,7 +640,7 @@ int main( int argc, char *argv[] )
 #endif
 if( ret != 0 )
 {
- printf( " failed\n ! x509parse_key_rsa returned -0x%x\n\n", -ret );
+ printf( " failed\n ! x509parse_key returned -0x%x\n\n", -ret );
 goto exit;
 }
 
@@ -711,7 +711,7 @@ int main( int argc, char *argv[] )
 
 #if defined(POLARSSL_X509_PARSE_C)
 ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
- ssl_set_own_cert( &ssl, &clicert, &rsa );
+ ssl_set_own_cert( &ssl, &clicert, &pkey );
 #endif
 
 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
@@ -911,7 +911,7 @@ exit:
 #if defined(POLARSSL_X509_PARSE_C)
 x509_free( &clicert );
 x509_free( &cacert );
- rsa_free( &rsa );
+ pk_free( &pkey );
 #endif
 ssl_session_free( &saved_session );
 ssl_free( &ssl );
diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c
index 986458b5e..98a518c14 100644
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@@ -104,7 +104,7 @@ int main( int argc, char *argv[] )
 ctr_drbg_context ctr_drbg;
 ssl_context ssl;
 x509_cert srvcert;
- rsa_context rsa;
+ pk_context pkey;
 
 ((void) argc);
 ((void) argv);
@@ -139,7 +139,7 @@ int main( int argc, char *argv[] )
 /*
 * This demonstration program uses embedded test certificates.
 * Instead, you may want to use x509parse_crtfile() to read the
- * server and CA certificates, as well as x509parse_keyfile_rsa().
+ * server and CA certificates, as well as x509parse_keyfile().
 */
 ret = x509parse_crt( &srvcert, (const unsigned char *) test_srv_crt,
 strlen( test_srv_crt ) );
@@ -157,12 +157,12 @@ int main( int argc, char *argv[] )
 goto exit;
 }
 
- rsa_init( &rsa, RSA_PKCS_V15, 0 );
- ret = x509parse_key_rsa( &rsa, (const unsigned char *) test_srv_key,
+ pk_init( &pkey );
+ ret = x509parse_key( &pkey, (const unsigned char *) test_srv_key,
 strlen( test_srv_key ), NULL, 0 );
 if( ret != 0 )
 {
- printf( " failed\n ! x509parse_key_rsa returned %d\n\n", ret );
+ printf( " failed\n ! x509parse_key returned %d\n\n", ret );
 goto exit;
 }
 
@@ -265,7 +265,7 @@ int main( int argc, char *argv[] )
 net_send, &client_fd );
 
 ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
- ssl_set_own_cert( &ssl, &srvcert, &rsa );
+ ssl_set_own_cert( &ssl, &srvcert, &pkey );
 
 /*
 * 5. Handshake
@@ -363,7 +363,7 @@ exit:
 
 net_close( client_fd );
 x509_free( &srvcert );
- rsa_free( &rsa );
+ pk_free( &pkey );
 ssl_free( &ssl );
 
 #if defined(_WIN32)
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index 665cdbfe8..6333d170c 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -352,7 +352,7 @@ int main( int argc, char *argv[] )
 ssl_context ssl;
 x509_cert cacert;
 x509_cert clicert;
- rsa_context rsa;
+ pk_context pkey;
 int i;
 size_t n;
 char *p, *q;
@@ -364,7 +364,7 @@ int main( int argc, char *argv[] )
 server_fd = 0;
 memset( &cacert, 0, sizeof( x509_cert ) );
 memset( &clicert, 0, sizeof( x509_cert ) );
- memset( &rsa, 0, sizeof( rsa_context ) );
+ pk_init( &pkey );
 
 if( argc == 0 )
 {
@@ -532,11 +532,11 @@ int main( int argc, char *argv[] )
 
 #if defined(POLARSSL_FS_IO)
 if( strlen( opt.key_file ) )
- ret = x509parse_keyfile_rsa( &rsa, opt.key_file, "" );
+ ret = x509parse_keyfile( &pkey, opt.key_file, "" );
 else
 #endif
 #if defined(POLARSSL_CERTS_C)
- ret = x509parse_key_rsa( &rsa, (const unsigned char *) test_cli_key,
+ ret = x509parse_key( &pkey, (const unsigned char *) test_cli_key,
 strlen( test_cli_key ), NULL, 0 );
 #else
 {
@@ -546,7 +546,7 @@ int main( int argc, char *argv[] )
 #endif
 if( ret != 0 )
 {
- printf( " failed\n ! x509parse_key_rsa returned %d\n\n", ret );
+ printf( " failed\n ! x509parse_key returned %d\n\n", ret );
 goto exit;
 }
 
@@ -594,7 +594,7 @@ int main( int argc, char *argv[] )
 ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
 
 ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
- ssl_set_own_cert( &ssl, &clicert, &rsa );
+ ssl_set_own_cert( &ssl, &clicert, &pkey );
 
 ssl_set_hostname( &ssl, opt.server_name );
 
@@ -789,7 +789,7 @@ exit:
 net_close( server_fd );
 x509_free( &clicert );
 x509_free( &cacert );
- rsa_free( &rsa );
+ pk_free( &pkey );
 ssl_free( &ssl );
 
 #if defined(_WIN32)
diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c
index dbb193ba4..801c0c6dc 100644
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@@ -94,7 +94,7 @@ int main( int argc, char *argv[] )
 ctr_drbg_context ctr_drbg;
 ssl_context ssl;
 x509_cert srvcert;
- rsa_context rsa;
+ pk_context pkey;
 #if defined(POLARSSL_SSL_CACHE_C)
 ssl_cache_context cache;
 #endif
@@ -117,7 +117,7 @@ int main( int argc, char *argv[] )
 /*
 * This demonstration program uses embedded test certificates.
 * Instead, you may want to use x509parse_crtfile() to read the
- * server and CA certificates, as well as x509parse_keyfile_rsa().
+ * server and CA certificates, as well as x509parse_keyfile().
 */
 ret = x509parse_crt( &srvcert, (const unsigned char *) test_srv_crt,
 strlen( test_srv_crt ) );
@@ -135,12 +135,12 @@ int main( int argc, char *argv[] )
 goto exit;
 }
 
- rsa_init( &rsa, RSA_PKCS_V15, 0 );
- ret = x509parse_key_rsa( &rsa, (const unsigned char *) test_srv_key,
+ pk_init( &pkey );
+ ret = x509parse_key( &pkey, (const unsigned char *) test_srv_key,
 strlen( test_srv_key ), NULL, 0 );
 if( ret != 0 )
 {
- printf( " failed\n ! x509parse_key_rsa returned %d\n\n", ret );
+ printf( " failed\n ! x509parse_key returned %d\n\n", ret );
 goto exit;
 }
 
@@ -201,7 +201,7 @@ int main( int argc, char *argv[] )
 #endif
 
 ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
- ssl_set_own_cert( &ssl, &srvcert, &rsa );
+ ssl_set_own_cert( &ssl, &srvcert, &pkey );
 
 printf( " ok\n" );
 
@@ -364,7 +364,7 @@ exit:
 
 net_close( client_fd );
 x509_free( &srvcert );
- rsa_free( &rsa );
+ pk_free( &pkey );
 ssl_free( &ssl );
 #if defined(POLARSSL_SSL_CACHE_C)
 ssl_cache_free( &cache );
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 681850bee..8831190b0 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -215,7 +215,7 @@ int main( int argc, char *argv[] )
 #if defined(POLARSSL_X509_PARSE_C)
 x509_cert cacert;
 x509_cert srvcert;
- rsa_context rsa;
+ pk_context pkey;
 #endif
 #if defined(POLARSSL_SSL_CACHE_C)
 ssl_cache_context cache;
@@ -239,7 +239,7 @@ int main( int argc, char *argv[] )
 #if defined(POLARSSL_X509_PARSE_C)
 memset( &cacert, 0, sizeof( x509_cert ) );
 memset( &srvcert, 0, sizeof( x509_cert ) );
- memset( &rsa, 0, sizeof( rsa_context ) );
+ pk_init( &pkey );
 #endif
 #if defined(POLARSSL_SSL_CACHE_C)
 ssl_cache_init( &cache );
@@ -575,11 +575,11 @@ int main( int argc, char *argv[] )
 
 #if defined(POLARSSL_FS_IO)
 if( strlen( opt.key_file ) )
- ret = x509parse_keyfile_rsa( &rsa, opt.key_file, "" );
+ ret = x509parse_keyfile( &pkey, opt.key_file, "" );
 else
 #endif
 #if defined(POLARSSL_CERTS_C)
- ret = x509parse_key_rsa( &rsa, (const unsigned char *) test_srv_key,
+ ret = x509parse_key( &pkey, (const unsigned char *) test_srv_key,
 strlen( test_srv_key ), NULL, 0 );
 #else
 {
@@ -589,7 +589,7 @@ int main( int argc, char *argv[] )
 #endif
 if( ret != 0 )
 {
- printf( " failed\n ! x509parse_key_rsa returned -0x%x\n\n", -ret );
+ printf( " failed\n ! x509parse_key returned -0x%x\n\n", -ret );
 goto exit;
 }
 
@@ -649,7 +649,7 @@ int main( int argc, char *argv[] )
 
 #if defined(POLARSSL_X509_PARSE_C)
 ssl_set_ca_chain( &ssl, &cacert, NULL, NULL );
- ssl_set_own_cert( &ssl, &srvcert, &rsa );
+ ssl_set_own_cert( &ssl, &srvcert, &pkey );
 #endif
 
 #if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
@@ -877,7 +877,7 @@ exit:
 #if defined(POLARSSL_X509_PARSE_C)
 x509_free( &srvcert );
 x509_free( &cacert );
- rsa_free( &rsa );
+ pk_free( &pkey );
 #endif
 ssl_free( &ssl );
 
diff --git a/programs/test/ssl_test.c b/programs/test/ssl_test.c
index ce45ccf87..797226bb1 100644
--- a/programs/test/ssl_test.c
+++ b/programs/test/ssl_test.c
@@ -166,7 +166,7 @@ static int ssl_test( struct options *opt )
 ctr_drbg_context ctr_drbg;
 ssl_context ssl;
 x509_cert srvcert;
- rsa_context rsa;
+ pk_context pkey;
 
 ret = 1;
 
@@ -187,7 +187,7 @@ static int ssl_test( struct options *opt )
 memset( write_state, 0, sizeof( write_state ) );
 
 memset( &srvcert, 0, sizeof( x509_cert ) );
- memset( &rsa, 0, sizeof( rsa_context ) );
+ pk_init( &pkey );
 
 if( opt->opmode == OPMODE_CLIENT )
 {
@@ -229,11 +229,11 @@ static int ssl_test( struct options *opt )
 goto exit;
 }
 
- ret = x509parse_key_rsa( &rsa, (const unsigned char *) test_srv_key,
+ ret = x509parse_key( &pkey, (const unsigned char *) test_srv_key,
 strlen( test_srv_key ), NULL, 0 );
 if( ret != 0 )
 {
- printf( " ! x509parse_key_rsa returned %d\n\n", ret );
+ printf( " ! x509parse_key returned %d\n\n", ret );
 goto exit;
 }
 #endif
@@ -262,7 +262,7 @@ static int ssl_test( struct options *opt )
 ssl_set_endpoint( &ssl, SSL_IS_SERVER );
 
 ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
- ssl_set_own_cert( &ssl, &srvcert, &rsa );
+ ssl_set_own_cert( &ssl, &srvcert, &pkey );
 }
 
 ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
@@ -400,7 +400,7 @@ exit:
 ssl_close_notify( &ssl );
 
 x509_free( &srvcert );
- rsa_free( &rsa );
+ pk_free( &pkey );
 ssl_free( &ssl );
 
 net_close( client_fd );
diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c
index d7cacdb88..40d76d8e8 100644
--- a/programs/x509/cert_app.c
+++ b/programs/x509/cert_app.c
@@ -157,7 +157,7 @@ int main( int argc, char *argv[] )
 ssl_context ssl;
 x509_cert cacert;
 x509_cert clicert;
- rsa_context rsa;
+ pk_context pkey;
 int i, j, n;
 int flags, verify = 0;
 char *p, *q;
@@ -169,7 +169,7 @@ int main( int argc, char *argv[] )
 server_fd = 0;
 memset( &cacert, 0, sizeof( x509_cert ) );
 memset( &clicert, 0, sizeof( x509_cert ) );
- memset( &rsa, 0, sizeof( rsa_context ) );
+ pk_init( &pkey );
 
 if( argc == 0 )
 {
@@ -404,7 +404,7 @@ int main( int argc, char *argv[] )
 ssl_set_bio( &ssl, net_recv, &server_fd,
 net_send, &server_fd );
 
- ssl_set_own_cert( &ssl, &clicert, &rsa );
+ ssl_set_own_cert( &ssl, &clicert, &pkey );
 
 ssl_set_hostname( &ssl, opt.server_name );
 
@@ -450,7 +450,7 @@ exit:
 net_close( server_fd );
 x509_free( &cacert );
 x509_free( &clicert );
- rsa_free( &rsa );
+ pk_free( &pkey );
 
 #if defined(_WIN32)
 printf( " + Press Enter to exit this program.\n" );