On 26.01.18 at 21:30, James Bottomley wrote:
> As well as doing crypto acceleration, engines can also be used to load
> key files. If the engine is set, and the private key loading fails
> for bio methods, this patch makes openvpn try to get the engine to
> load the key. If that succeeds, we end up using an engine based key.
> This can be used with the openssl tpm engines to make openvpn use a
> TPM wrapped key file.
>
> Signed-off-by: James Bottomley <james.bottom...@hansenpartnership.com>
>
> ---
>
> v2: add better configuration guarding
> ---
>  src/openvpn/crypto_openssl.c | 55 ++++++++++++++++++++++++++++++++++++++++++++
>  src/openvpn/crypto_openssl.h | 12 ++++++++++
>  src/openvpn/ssl_openssl.c    |  6 ++++-
>  3 files changed, 72 insertions(+), 1 deletion(-)
>
> diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
> index 20a519ec..d3f35030 100644
> --- a/src/openvpn/crypto_openssl.c
> +++ b/src/openvpn/crypto_openssl.c
> @@ -969,4 +969,59 @@ hmac_ctx_final(HMAC_CTX *ctx, uint8_t *dst)
>      HMAC_Final(ctx, dst, &in_hmac_len);
>  }
>
> +#if HAVE_OPENSSL_ENGINE
> +static int
> +ui_read(UI *ui, UI_STRING *uis)

I would rather have a bit more verbose method name here. ui_read seems a bit too generic.

> +{
> +    SSL_CTX *ctx = UI_get0_user_data(ui);
> +
> +    if (UI_get_string_type(uis) == UIT_PROMPT) {
> +        pem_password_cb *cb = SSL_CTX_get_default_passwd_cb(ctx);
> +        void *d = SSL_CTX_get_default_passwd_cb_userdata(ctx);

This pointer is never used and the function also seems to have no side effects. So it seems like this can be removed.

> +        char password[64];
> +
> +        cb(password, sizeof(password), 0, d);
> +        UI_set_result(ui, uis, password);
> +
> +        return 1;
> +    }
> +    return 0;
> +}
> +#endif
> +
> +EVP_PKEY *
> +engine_load_key(const char *file, SSL_CTX *ctx)
> +{
> +#if HAVE_OPENSSL_ENGINE
> +    UI_METHOD *ui;
> +    EVP_PKEY *pkey;
> +
> +    if (!engine_persist)
> +        return NULL;
> +
> +    ui = UI_create_method("openvpn");
> +
> +    if (!ui)
> +        return NULL;
> +
> +    UI_method_set_reader(ui, ui_read);
> +
> +    ERR_clear_error(); /* BIO read failure */
> +    if (!ENGINE_init(engine_persist)) {
> +        ERR_print_errors_fp(stderr);

This should use our standard openssl error reporting. Not directly writing to stderr.

> +        pkey = NULL;
> +        goto out;
> +    }
> +    pkey = ENGINE_load_private_key(engine_persist, file, ui, ctx);
> +    ENGINE_finish(engine_persist);
> +    if (!pkey)
> +        ERR_print_errors_fp(stderr);

Same as above.

> +    out:
> +    UI_destroy_method(ui);
> +    return pkey;
> +#else
> +    return NULL;
> +#endif
> +}

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
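Review bot: In ui_read, the call `cb(password, sizeof(password), 0, d);` neither checks that `cb` is non-NULL (SSL_CTX_get_default_passwd_cb() returns NULL when no default callback was installed, so this would jump through a NULL function pointer) nor checks its return value (a pem_password_cb returns the passphrase length, or -1/0 on failure, in which case `password` is handed to `UI_set_result(ui, uis, password);` uninitialised). Suggest `if (!cb) return 0;` before the call and `if (cb(password, sizeof(password), 0, d) <= 0) return 0;`, and since the buffer holds the key passphrase, wipe it (e.g. with secure_memzero()) once UI_set_result has copied it. As a style point, the hunk uses `if (...) {` on one line and brace-less single statements such as `if (!ui) return NULL;`, whereas the rest of the file puts braces on their own line around every block.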