mbedtls: remove dependency on mbedtls pkcs11 module
Instead of using mbedtls's pkcs11 module, reuse the code we already have
for management-external-key to also do pkcs11 signatures. As far as mbed
is concerned, we simply provide an external signature.
This has the following advantages:
* We no longer need mbed TLS to be compiled with the pkcs11 modules
enabled (which is not enabled by default). This makes it easier to use
a system/distribution-provided mbed shared library.
* We no longer have a dependency on pkcs11-helper through mbed TLS. So if
we want to migrate to some other pkcs11 lib (see e.g. trac #491, #538
and #549 for reason why), this will be easier.
While touching this code, switch from M_FATAL to M_WARN and proper error
handling. This improves the error reporting, and helps prevent potential
future DoS attacks if someone starts using these functions on peer input.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <1536916459-25900-3-git-send-email-steffan.karger@fox-it.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17463.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>