size_t key_id_size = sizeof(key_id);
char name[80];
+ certinfo->vpninfo = vpninfo;
fdata.data = NULL;
key_is_p11 = !strncmp(certinfo->key, "pkcs11:", 7);
goto out;
}
- gnutls_x509_crt_set_pin_function(cert, gnutls_pin_callback, vpninfo);
+ gnutls_x509_crt_set_pin_function(cert, gnutls_pin_callback, certinfo);
/* Yes, even for *system* URLs the only API GnuTLS offers us is
...import_pkcs11_url(). */
goto out;
}
- gnutls_privkey_set_pin_function(gci->pkey, gnutls_pin_callback, vpninfo);
+ gnutls_privkey_set_pin_function(gci->pkey, gnutls_pin_callback, certinfo);
err = gnutls_privkey_import_url(gci->pkey, certinfo->key, 0);
if (err) {
goto out;
}
- gnutls_pkcs11_privkey_set_pin_function(p11key, gnutls_pin_callback, vpninfo);
+ gnutls_pkcs11_privkey_set_pin_function(p11key, gnutls_pin_callback, certinfo);
err = gnutls_pkcs11_privkey_import_url(p11key, key_url, 0);
_("This version of OpenConnect was built without TPM2 support\n"));
return -EINVAL;
#else
- ret = load_tpm2_key(vpninfo, &fdata, &gci->pkey, &pkey_sig);
+ ret = load_tpm2_key(vpninfo, certinfo, &fdata, &gci->pkey, &pkey_sig);
if (ret)
goto out;
const char *token_label, unsigned int flags,
char *pin, size_t pin_max)
{
- struct openconnect_info *vpninfo = priv;
+ struct cert_info *certinfo = priv;
+ struct openconnect_info *vpninfo = certinfo->vpninfo;
struct pin_cache **cache = &vpninfo->pin_cache;
struct oc_auth_form f;
struct oc_form_opt o;
(*cache)->token = strdup(uri);
}
- if (!attempt && vpninfo->certinfo[0].password) {
- snprintf(pin, pin_max, "%s", vpninfo->certinfo[0].password);
- (*cache)->pin = vpninfo->certinfo[0].password;
- vpninfo->certinfo[0].password = NULL;
+ if (!attempt && certinfo->password) {
+ snprintf(pin, pin_max, "%s", certinfo->password);
+ (*cache)->pin = certinfo->password;
+ certinfo->password = NULL;
return 0;
}
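Review bot: `gnutls_pin_callback` now dereferences `certinfo->vpninfo` in its second statement, so every registration of this callback must hand over a `struct cert_info` whose `vpninfo` back-pointer is already filled in; the only assignment visible in this diff is `certinfo->vpninfo = vpninfo;` near the top of the key-loading path, and a `cert_info` that reaches the callback by any other route would be dereferenced through a NULL back-pointer. A comment above the cast would make the contract explicit, e.g. `/* priv is a struct cert_info; its ->vpninfo back-pointer must be set before the callback is registered */`. The `snprintf(pin, pin_max, "%s", certinfo->password);` line also ignores truncation when the configured password is longer than `pin_max`; that is pre-existing, but it now sits on the new side, and checking the return value against `pin_max` before caching the password would avoid silently presenting a truncated PIN to the token. The callback's body begins and ends outside the hunk.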
gnutls_datum_t *fdata, gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig);
void release_tpm1_ctx(struct openconnect_info *info);
-int load_tpm2_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
- gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig);
+int load_tpm2_key(struct openconnect_info *vpninfo, struct cert_info *certinfo,
+ gnutls_datum_t *fdata, gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig);
void release_tpm2_ctx(struct openconnect_info *info);
-int install_tpm2_key(struct openconnect_info *vpninfo, gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig,
+int install_tpm2_key(struct openconnect_info *vpninfo, struct cert_info *certinfo,
+ gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig,
unsigned int parent, int emptyauth, int legacy,
gnutls_datum_t *privdata, gnutls_datum_t *pubdata);
int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
- void *_vpninfo, unsigned int flags,
+ void *_certinfo, unsigned int flags,
const gnutls_datum_t *data, gnutls_datum_t *sig);
int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
- void *_vpninfo, unsigned int flags,
+ void *_certinfo, unsigned int flags,
const gnutls_datum_t *data, gnutls_datum_t *sig);
int oc_pkcs1_pad(struct openconnect_info *vpninfo,
unsigned char *buf, int size, const gnutls_datum_t *data);
static const char OID_loadableKey[] = "2.23.133.10.1.3";
#if GNUTLS_VERSION_NUMBER < 0x030600
-static int tpm2_rsa_sign_fn(gnutls_privkey_t key, void *_vpninfo,
+static int tpm2_rsa_sign_fn(gnutls_privkey_t key, void *_certinfo,
const gnutls_datum_t *data, gnutls_datum_t *sig)
{
- return tpm2_rsa_sign_hash_fn(key, GNUTLS_SIGN_UNKNOWN, _vpninfo, 0, data, sig);
+ return tpm2_rsa_sign_hash_fn(key, GNUTLS_SIGN_UNKNOWN, _certinfo, 0, data, sig);
}
-static int tpm2_ec_sign_fn(gnutls_privkey_t key, void *_vpninfo,
+static int tpm2_ec_sign_fn(gnutls_privkey_t key, void *_certinfo,
const gnutls_datum_t *data, gnutls_datum_t *sig)
{
- struct openconnect_info *vpninfo = _vpninfo;
+ struct cert_info *certinfo = _certinfo;
+ struct openconnect_info *vpninfo = certinfo->vpninfo;
gnutls_sign_algorithm_t algo;
switch (data->size) {
return GNUTLS_E_PK_SIGN_FAILED;
}
- return tpm2_ec_sign_hash_fn(key, algo, vpninfo, 0, data, sig);
+ return tpm2_ec_sign_hash_fn(key, algo, certinfo, 0, data, sig);
}
#endif
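Review bot: `tpm2_ec_sign_fn` reads `certinfo->vpninfo` unconditionally from the opaque pointer GnuTLS passes back, and the same pattern appears in `tpm2_rsa_sign_hash_fn` and `tpm2_ec_sign_hash_fn` in both TPM2 backends further down; nothing in these hunks guards the back-pointer, so a key imported with a `cert_info` that never went through the path setting `certinfo->vpninfo` would fault inside the signing callback instead of failing through GnuTLS's error model. A guard such as `if (!certinfo || !certinfo->vpninfo) return GNUTLS_E_PK_SIGN_FAILED;` at the top of each signing function would keep the failure contained. If the invariant is in fact guaranteed by construction, documenting it once on the `struct cert_info` definition (outside this diff) is the cleaner alternative to repeating the check. The bodies of the hash-signing functions extend past the visible hunk lines.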
#if GNUTLS_VERSION_NUMBER >= 0x030600
-static int rsa_key_info(gnutls_privkey_t key, unsigned int flags, void *_vpninfo)
+static int rsa_key_info(gnutls_privkey_t key, unsigned int flags, void *_certinfo)
{
if (flags & GNUTLS_PRIVKEY_INFO_PK_ALGO)
return GNUTLS_PK_RSA;
#endif
#if GNUTLS_VERSION_NUMBER >= 0x030400
-static int ec_key_info(gnutls_privkey_t key, unsigned int flags, void *_vpninfo)
+static int ec_key_info(gnutls_privkey_t key, unsigned int flags, void *_certinfo)
{
if (flags & GNUTLS_PRIVKEY_INFO_PK_ALGO)
return GNUTLS_PK_EC;
return 0;
}
-int load_tpm2_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
- gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig)
+int load_tpm2_key(struct openconnect_info *vpninfo, struct cert_info *certinfo,
+ gnutls_datum_t *fdata, gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig)
{
gnutls_datum_t asn1, pubdata, privdata;
ASN1_TYPE tpmkey_def = ASN1_TYPE_EMPTY, tpmkey = ASN1_TYPE_EMPTY;
/* Now we've extracted what we need from the ASN.1, invoke the
* actual TPM2 code (whichever implementation we end up with */
- ret = install_tpm2_key(vpninfo, pkey, pkey_sig, parent, emptyauth,
+ ret = install_tpm2_key(vpninfo, certinfo, pkey, pkey_sig, parent, emptyauth,
asn1tab == tpmkey_asn1_tab_old, &privdata, &pubdata);
if (ret < 0)
goto out_tpmkey;
switch(ret) {
case GNUTLS_PK_RSA:
#if GNUTLS_VERSION_NUMBER >= 0x030600
- gnutls_privkey_import_ext4(*pkey, vpninfo, NULL, tpm2_rsa_sign_hash_fn, NULL, NULL, rsa_key_info, 0);
+ gnutls_privkey_import_ext4(*pkey, certinfo, NULL, tpm2_rsa_sign_hash_fn, NULL, NULL, rsa_key_info, 0);
#else
- gnutls_privkey_import_ext(*pkey, GNUTLS_PK_RSA, vpninfo, tpm2_rsa_sign_fn, NULL, 0);
+ gnutls_privkey_import_ext(*pkey, GNUTLS_PK_RSA, certinfo, tpm2_rsa_sign_fn, NULL, 0);
#endif
break;
case GNUTLS_PK_ECC:
#if GNUTLS_VERSION_NUMBER >= 0x030600
- gnutls_privkey_import_ext4(*pkey, vpninfo, NULL, tpm2_ec_sign_hash_fn, NULL, NULL, ec_key_info, 0);
+ gnutls_privkey_import_ext4(*pkey, certinfo, NULL, tpm2_ec_sign_hash_fn, NULL, NULL, ec_key_info, 0);
#elif GNUTLS_VERSION_NUMBER >= 0x030400
- gnutls_privkey_import_ext3(*pkey, vpninfo, tpm2_ec_sign_fn, NULL, NULL, ec_key_info, 0);
+ gnutls_privkey_import_ext3(*pkey, certinfo, tpm2_ec_sign_fn, NULL, NULL, ec_key_info, 0);
#else
- gnutls_privkey_import_ext(*pkey, GNUTLS_PK_EC, vpninfo, tpm2_ec_sign_fn, NULL, 0);
+ gnutls_privkey_import_ext(*pkey, GNUTLS_PK_EC, certinfo, tpm2_ec_sign_fn, NULL, 0);
#endif
break;
}
return -EIO;
}
-static int auth_tpm2_key(struct openconnect_info *vpninfo, ESYS_CONTEXT *ctx, ESYS_TR key_handle)
+static int auth_tpm2_key(struct openconnect_info *vpninfo, struct cert_info *certinfo,
+ ESYS_CONTEXT *ctx, ESYS_TR key_handle)
{
TSS2_RC r;
- if (vpninfo->tpm2->need_userauth || vpninfo->certinfo[0].password) {
+ if (vpninfo->tpm2->need_userauth || certinfo->password) {
char *pass = NULL;
- if (vpninfo->certinfo[0].password) {
- pass = vpninfo->certinfo[0].password;
- vpninfo->certinfo[0].password = NULL;
+ if (certinfo->password) {
+ pass = certinfo->password;
+ certinfo->password = NULL;
} else {
int err = request_passphrase(vpninfo, "openconnect_tpm2_key",
&pass, _("Enter TPM2 key password:"));
}
int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
- void *_vpninfo, unsigned int flags,
+ void *_certinfo, unsigned int flags,
const gnutls_datum_t *data, gnutls_datum_t *sig)
{
- struct openconnect_info *vpninfo = _vpninfo;
+ struct cert_info *certinfo = _certinfo;
+ struct openconnect_info *vpninfo = certinfo->vpninfo;
int ret = GNUTLS_E_PK_SIGN_FAILED;
ESYS_CONTEXT *ectx = NULL;
TPM2B_PUBLIC_KEY_RSA digest, *tsig = NULL;
if (init_tpm2_key(&ectx, &key_handle, vpninfo))
goto out;
reauth:
- if (auth_tpm2_key(vpninfo, ectx, key_handle))
+ if (auth_tpm2_key(vpninfo, certinfo, ectx, key_handle))
goto out;
r = Esys_RSA_Decrypt(ectx, key_handle,
}
int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
- void *_vpninfo, unsigned int flags,
+ void *_certinfo, unsigned int flags,
const gnutls_datum_t *data, gnutls_datum_t *sig)
{
- struct openconnect_info *vpninfo = _vpninfo;
+ struct cert_info *certinfo = _certinfo;
+ struct openconnect_info *vpninfo = certinfo->vpninfo;
int ret = GNUTLS_E_PK_SIGN_FAILED;
ESYS_CONTEXT *ectx = NULL;
TPM2B_DIGEST digest;
if (init_tpm2_key(&ectx, &key_handle, vpninfo))
goto out;
reauth:
- if (auth_tpm2_key(vpninfo, ectx, key_handle))
+ if (auth_tpm2_key(vpninfo, certinfo, ectx, key_handle))
goto out;
r = Esys_Sign(ectx, key_handle,
return ret;
}
-int install_tpm2_key(struct openconnect_info *vpninfo, gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig,
- unsigned int parent, int emptyauth, int legacy, gnutls_datum_t *privdata, gnutls_datum_t *pubdata)
+int install_tpm2_key(struct openconnect_info *vpninfo, struct cert_info *certinfo,
+ gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig,
+ unsigned int parent, int emptyauth, int legacy,
+ gnutls_datum_t *privdata, gnutls_datum_t *pubdata)
{
TSS2_RC r;
}
int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
- void *_vpninfo, unsigned int flags,
+ void *_certinfo, unsigned int flags,
const gnutls_datum_t *data, gnutls_datum_t *sig)
{
- struct openconnect_info *vpninfo = _vpninfo;
+ struct cert_info *certinfo = _certinfo;
+ struct openconnect_info *vpninfo = certinfo->vpninfo;
TSS_CONTEXT *tssContext = NULL;
RSA_Decrypt_In in;
RSA_Decrypt_Out out;
}
int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
- void *_vpninfo, unsigned int flags,
+ void *_certinfo, unsigned int flags,
const gnutls_datum_t *data, gnutls_datum_t *sig)
{
- struct openconnect_info *vpninfo = _vpninfo;
+ struct cert_info *certinfo = _certinfo;
+ struct openconnect_info *vpninfo = certinfo->vpninfo;
TSS_CONTEXT *tssContext = NULL;
Sign_In in;
Sign_Out out;
return ret;
}
-int install_tpm2_key(struct openconnect_info *vpninfo, gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig,
+int install_tpm2_key(struct openconnect_info *vpninfo, struct cert_info *certinfo,
+ gnutls_privkey_t *pkey, gnutls_datum_t *pkey_sig,
unsigned int parent, int emptyauth, int legacy,
gnutls_datum_t *privdata, gnutls_datum_t *pubdata)
{