|
 |
e6e66c |
--- neon-0.30.0/macros/neon.m4.pkcs11
|
|
|
e6e66c |
+++ neon-0.30.0/macros/neon.m4
|
|
|
e6e66c |
@@ -982,10 +982,11 @@
|
|
|
e6e66c |
|
|
|
e6e66c |
# Check for functions in later releases
|
|
|
e6e66c |
NE_CHECK_FUNCS([gnutls_session_get_data2 gnutls_x509_dn_get_rdn_ava \
|
|
|
e6e66c |
- gnutls_sign_callback_set \
|
|
|
e6e66c |
gnutls_certificate_get_issuer \
|
|
|
e6e66c |
gnutls_certificate_get_x509_cas \
|
|
|
e6e66c |
- gnutls_x509_crt_sign2])
|
|
|
e6e66c |
+ gnutls_x509_crt_sign2 \
|
|
|
e6e66c |
+ gnutls_certificate_set_retrieve_function2 \
|
|
|
e6e66c |
+ gnutls_privkey_import_ext])
|
|
|
e6e66c |
|
|
|
e6e66c |
# fail if gnutls_x509_crt_sign2 is not found (it was introduced in 1.2.0, which is required)
|
|
|
e6e66c |
if test x${ac_cv_func_gnutls_x509_crt_sign2} != xyes; then
|
|
|
e6e66c |
@@ -1039,7 +1040,7 @@
|
|
|
e6e66c |
;;
|
|
|
e6e66c |
esac
|
|
|
e6e66c |
|
|
|
e6e66c |
-case ${with_pakchois}X${ac_cv_func_gnutls_sign_callback_set}Y${ne_cv_lib_ssl097} in
|
|
|
e6e66c |
+case ${with_pakchois}X${ac_cv_func_gnutls_privkey_import_ext}Y${ne_cv_lib_ssl097} in
|
|
|
e6e66c |
noX*Y*) ;;
|
|
|
e6e66c |
*X*Yyes|*XyesY*)
|
|
|
e6e66c |
# PKCS#11... ho!
|
|
|
e6e66c |
--- neon-0.30.0/src/ne_gnutls.c.pkcs11
|
|
|
e6e66c |
+++ neon-0.30.0/src/ne_gnutls.c
|
|
|
e6e66c |
@@ -89,6 +89,13 @@
|
|
|
e6e66c |
ne_ssl_certificate cert;
|
|
|
e6e66c |
gnutls_x509_privkey_t pkey;
|
|
|
e6e66c |
char *friendly_name;
|
|
|
e6e66c |
+#ifdef HAVE_GNUTLS_PRIVKEY_IMPORT_EXT
|
|
|
e6e66c |
+ /* Signing callback & userdata provided by ne_pkcs11.c. It would
|
|
|
e6e66c |
+ * be better to rewrite the whole module to use gnutls_privkey_t
|
|
|
e6e66c |
+ * directly, but it seems impossible to dup such an object. */
|
|
|
e6e66c |
+ gnutls_privkey_sign_func sign_func;
|
|
|
e6e66c |
+ void *sign_ud;
|
|
|
e6e66c |
+#endif
|
|
|
e6e66c |
};
|
|
|
e6e66c |
|
|
|
e6e66c |
/* Returns the highest used index in subject (or issuer) DN of
|
|
|
e6e66c |
@@ -189,7 +196,7 @@
|
|
|
e6e66c |
char *ne_ssl_readable_dname(const ne_ssl_dname *name)
|
|
|
e6e66c |
{
|
|
|
e6e66c |
gnutls_x509_dn_t dn;
|
|
|
e6e66c |
- int ret, rdn = 0, flag = 0;
|
|
|
e6e66c |
+ int ret, rdn = 0;
|
|
|
e6e66c |
ne_buffer *buf;
|
|
|
e6e66c |
gnutls_x509_ava_st val;
|
|
|
e6e66c |
|
|
|
e6e66c |
@@ -227,7 +234,6 @@
|
|
|
e6e66c |
&& ((!CMPOID(&val, OID_emailAddress)
|
|
|
e6e66c |
&& !CMPOID(&val, OID_commonName))
|
|
|
e6e66c |
|| (buf->used == 1 && rdn == 0))) {
|
|
|
e6e66c |
- flag = 1;
|
|
|
e6e66c |
if (buf->used > 1) ne_buffer_append(buf, ", ", 2);
|
|
|
e6e66c |
|
|
|
e6e66c |
append_dirstring(buf, &val.value, val.value_tag);
|
|
|
e6e66c |
@@ -526,6 +532,10 @@
|
|
|
e6e66c |
|
|
|
e6e66c |
if (cc->keyless) {
|
|
|
e6e66c |
newcc->keyless = 1;
|
|
|
e6e66c |
+#ifdef HAVE_GNUTLS_PRIVKEY_IMPORT_EXT
|
|
|
e6e66c |
+ newcc->sign_func = cc->sign_func;
|
|
|
e6e66c |
+ newcc->sign_ud = cc->sign_ud;
|
|
|
e6e66c |
+#endif
|
|
|
e6e66c |
}
|
|
|
e6e66c |
else {
|
|
|
e6e66c |
ret = gnutls_x509_privkey_init(&newcc->pkey);
|
|
|
e6e66c |
@@ -554,7 +564,15 @@
|
|
|
e6e66c |
static int provide_client_cert(gnutls_session_t session,
|
|
|
e6e66c |
const gnutls_datum_t *req_ca_rdn, int nreqs,
|
|
|
e6e66c |
const gnutls_pk_algorithm_t *sign_algos,
|
|
|
e6e66c |
- int sign_algos_length, gnutls_retr_st *st)
|
|
|
e6e66c |
+ int sign_algos_length,
|
|
|
e6e66c |
+#ifdef HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION2
|
|
|
e6e66c |
+ gnutls_pcert_st **pcert,
|
|
|
e6e66c |
+ unsigned int *pcert_length,
|
|
|
e6e66c |
+ gnutls_privkey_t *pkey
|
|
|
e6e66c |
+#else
|
|
|
e6e66c |
+ gnutls_retr2_st *st
|
|
|
e6e66c |
+#endif
|
|
|
e6e66c |
+ )
|
|
|
e6e66c |
{
|
|
|
e6e66c |
ne_session *sess = gnutls_session_get_ptr(session);
|
|
|
e6e66c |
|
|
|
e6e66c |
@@ -612,27 +630,58 @@
|
|
|
e6e66c |
if (sess->client_cert) {
|
|
|
e6e66c |
gnutls_certificate_type_t type = gnutls_certificate_type_get(session);
|
|
|
e6e66c |
if (type == GNUTLS_CRT_X509
|
|
|
e6e66c |
-#if LIBGNUTLS_VERSION_NUMBER > 0x030000
|
|
|
e6e66c |
- /* Ugly hack; prevent segfaults w/GnuTLS 3.0. */
|
|
|
e6e66c |
- && sess->client_cert->pkey != NULL
|
|
|
e6e66c |
+ && (sess->client_cert->pkey || sess->client_cert->keyless)) {
|
|
|
e6e66c |
+ int ret;
|
|
|
e6e66c |
+
|
|
|
e6e66c |
+#ifdef HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION2
|
|
|
e6e66c |
+ gnutls_privkey_init(pkey);
|
|
|
e6e66c |
+
|
|
|
e6e66c |
+#ifdef HAVE_GNUTLS_PRIVKEY_IMPORT_EXT
|
|
|
e6e66c |
+ if (sess->client_cert->sign_func) {
|
|
|
e6e66c |
+ int algo = gnutls_x509_crt_get_pk_algorithm(sess->client_cert->cert.subject, NULL);
|
|
|
e6e66c |
+ NE_DEBUG(NE_DBG_SSL, "ssl: Signing for %s.\n", gnutls_pk_algorithm_get_name(algo));
|
|
|
e6e66c |
+
|
|
|
e6e66c |
+ ret = gnutls_privkey_import_ext(*pkey, algo, sess->client_cert->sign_ud,
|
|
|
e6e66c |
+ sess->client_cert->sign_func, NULL, 0);
|
|
|
e6e66c |
+ }
|
|
|
e6e66c |
+ else
|
|
|
e6e66c |
#endif
|
|
|
e6e66c |
- ) {
|
|
|
e6e66c |
- NE_DEBUG(NE_DBG_SSL, "Supplying client certificate.\n");
|
|
|
e6e66c |
+ if (sess->client_cert->keyless) {
|
|
|
e6e66c |
+ ret = GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
|
|
|
e6e66c |
+ }
|
|
|
e6e66c |
+ else {
|
|
|
e6e66c |
+ ret = gnutls_privkey_import_x509(*pkey, sess->client_cert->pkey, 0);
|
|
|
e6e66c |
+ }
|
|
|
e6e66c |
|
|
|
e6e66c |
- st->type = type;
|
|
|
e6e66c |
+ if (ret) {
|
|
|
e6e66c |
+ NE_DEBUG(NE_DBG_SSL, "ssl: Failed to import private key: %s.\n", gnutls_strerror(ret));
|
|
|
e6e66c |
+ ne_set_error(sess, _("Failed to import private key: %s"), gnutls_strerror(ret));
|
|
|
e6e66c |
+ return ret;
|
|
|
e6e66c |
+ }
|
|
|
e6e66c |
+
|
|
|
e6e66c |
+ *pcert = gnutls_calloc(1, sizeof **pcert);
|
|
|
e6e66c |
+ gnutls_pcert_import_x509(*pcert, sess->client_cert->cert.subject, 0);
|
|
|
e6e66c |
+ *pcert_length = 1;
|
|
|
e6e66c |
+#else /* !HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION2 */
|
|
|
e6e66c |
+ st->cert_type = type;
|
|
|
e6e66c |
st->ncerts = 1;
|
|
|
e6e66c |
st->cert.x509 = &sess->client_cert->cert.subject;
|
|
|
e6e66c |
st->key.x509 = sess->client_cert->pkey;
|
|
|
e6e66c |
|
|
|
e6e66c |
/* tell GNU TLS not to deallocate the certs. */
|
|
|
e6e66c |
st->deinit_all = 0;
|
|
|
e6e66c |
+#endif
|
|
|
e6e66c |
} else {
|
|
|
e6e66c |
return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
|
|
|
e6e66c |
}
|
|
|
e6e66c |
}
|
|
|
e6e66c |
else {
|
|
|
e6e66c |
- NE_DEBUG(NE_DBG_SSL, "No client certificate supplied.\n");
|
|
|
e6e66c |
+ NE_DEBUG(NE_DBG_SSL, "ssl: No client certificate supplied.\n");
|
|
|
e6e66c |
+#ifdef HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION2
|
|
|
e6e66c |
+ *pcert_length = 0;
|
|
|
e6e66c |
+#else
|
|
|
e6e66c |
st->ncerts = 0;
|
|
|
e6e66c |
+#endif
|
|
|
e6e66c |
sess->ssl_cc_requested = 1;
|
|
|
e6e66c |
return 0;
|
|
|
e6e66c |
}
|
|
|
e6e66c |
@@ -650,8 +699,12 @@
|
|
|
e6e66c |
ne_ssl_context *ctx = ne_calloc(sizeof *ctx);
|
|
|
e6e66c |
gnutls_certificate_allocate_credentials(&ctx->cred);
|
|
|
e6e66c |
if (flags == NE_SSL_CTX_CLIENT) {
|
|
|
e6e66c |
+#ifdef HAVE_GNUTLS_CERTIFICATE_SET_RETRIEVE_FUNCTION2
|
|
|
e6e66c |
+ gnutls_certificate_set_retrieve_function2(ctx->cred, provide_client_cert);
|
|
|
e6e66c |
+#else
|
|
|
e6e66c |
gnutls_certificate_client_set_retrieve_function(ctx->cred,
|
|
|
e6e66c |
provide_client_cert);
|
|
|
e6e66c |
+#endif
|
|
|
e6e66c |
}
|
|
|
e6e66c |
gnutls_certificate_set_verify_flags(ctx->cred,
|
|
|
e6e66c |
GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT);
|
|
|
e6e66c |
@@ -694,7 +747,11 @@
|
|
|
e6e66c |
{
|
|
|
e6e66c |
gnutls_certificate_free_credentials(ctx->cred);
|
|
|
e6e66c |
if (ctx->cache.client.data) {
|
|
|
e6e66c |
+#if defined(HAVE_GNUTLS_SESSION_GET_DATA2)
|
|
|
e6e66c |
+ gnutls_free(ctx->cache.client.data);
|
|
|
e6e66c |
+#else
|
|
|
e6e66c |
ne_free(ctx->cache.client.data);
|
|
|
e6e66c |
+#endif
|
|
|
e6e66c |
} else if (ctx->cache.server.key.data) {
|
|
|
e6e66c |
gnutls_free(ctx->cache.server.key.data);
|
|
|
e6e66c |
gnutls_free(ctx->cache.server.data.data);
|
|
|
e6e66c |
@@ -1164,7 +1221,9 @@
|
|
|
e6e66c |
gnutls_x509_crt_t cert = NULL;
|
|
|
e6e66c |
gnutls_x509_privkey_t pkey = NULL;
|
|
|
e6e66c |
|
|
|
e6e66c |
- data.data = buffer;
|
|
|
e6e66c |
+ /* The datum structure is not modified by gnutls_pkcs12_import,
|
|
|
e6e66c |
+ * cast safely: */
|
|
|
e6e66c |
+ data.data = (unsigned char *)buffer;
|
|
|
e6e66c |
data.size = buflen;
|
|
|
e6e66c |
|
|
|
e6e66c |
if (gnutls_pkcs12_init(&p12) != 0) {
|
|
|
e6e66c |
@@ -1201,8 +1260,10 @@
|
|
|
e6e66c |
}
|
|
|
e6e66c |
}
|
|
|
e6e66c |
|
|
|
e6e66c |
-ne_ssl_client_cert *ne__ssl_clicert_exkey_import(const unsigned char *der,
|
|
|
e6e66c |
- size_t der_len)
|
|
|
e6e66c |
+#ifdef HAVE_GNUTLS_PRIVKEY_IMPORT_EXT
|
|
|
e6e66c |
+ne_ssl_client_cert *ne__ssl_clicert_exkey_import(const unsigned char *der, size_t der_len,
|
|
|
e6e66c |
+ gnutls_privkey_sign_func sign_func,
|
|
|
e6e66c |
+ void *userdata)
|
|
|
e6e66c |
{
|
|
|
e6e66c |
ne_ssl_client_cert *cc;
|
|
|
e6e66c |
gnutls_x509_crt_t x5;
|
|
|
e6e66c |
@@ -1221,9 +1282,12 @@
|
|
|
e6e66c |
cc->keyless = 1;
|
|
|
e6e66c |
cc->decrypted = 1;
|
|
|
e6e66c |
populate_cert(&cc->cert, x5);
|
|
|
e6e66c |
+ cc->sign_func = sign_func;
|
|
|
e6e66c |
+ cc->sign_ud = userdata;
|
|
|
e6e66c |
|
|
|
e6e66c |
- return cc;
|
|
|
e6e66c |
+ return cc;
|
|
|
e6e66c |
}
|
|
|
e6e66c |
+#endif
|
|
|
e6e66c |
|
|
|
e6e66c |
int ne_ssl_clicert_encrypted(const ne_ssl_client_cert *cc)
|
|
|
e6e66c |
{
|
|
|
e6e66c |
--- neon-0.30.0/src/ne_pkcs11.c.pkcs11
|
|
|
e6e66c |
+++ neon-0.30.0/src/ne_pkcs11.c
|
|
|
e6e66c |
@@ -160,6 +160,13 @@
|
|
|
e6e66c |
}
|
|
|
e6e66c |
#endif
|
|
|
e6e66c |
|
|
|
e6e66c |
+#ifdef HAVE_GNUTLS
|
|
|
e6e66c |
+static int pk11_sign_callback(gnutls_privkey_t pkey,
|
|
|
e6e66c |
+ void *userdata,
|
|
|
e6e66c |
+ const gnutls_datum_t *raw_data,
|
|
|
e6e66c |
+ gnutls_datum_t *signature);
|
|
|
e6e66c |
+#endif
|
|
|
e6e66c |
+
|
|
|
e6e66c |
static int pk11_find_x509(ne_ssl_pkcs11_provider *prov,
|
|
|
e6e66c |
pakchois_session_t *pks,
|
|
|
e6e66c |
unsigned char *certid, unsigned long *cid_len)
|
|
|
e6e66c |
@@ -207,9 +214,9 @@
|
|
|
e6e66c |
ne_ssl_client_cert *cc;
|
|
|
e6e66c |
|
|
|
e6e66c |
#ifdef HAVE_GNUTLS
|
|
|
e6e66c |
- cc = ne__ssl_clicert_exkey_import(value, a[0].value_len);
|
|
|
e6e66c |
+ cc = ne__ssl_clicert_exkey_import(value, a[0].value_len, pk11_sign_callback, prov);
|
|
|
e6e66c |
#else
|
|
|
e6e66c |
- cc = ne__ssl_clicert_exkey_import(value, a[0].value_len, pk11_rsa_method(prov));
|
|
|
e6e66c |
+ cc = ne__ssl_clicert_exkey_import(value, a[0].value_len, prov->method);
|
|
|
e6e66c |
#endif
|
|
|
e6e66c |
if (cc) {
|
|
|
e6e66c |
NE_DEBUG(NE_DBG_SSL, "pk11: Imported X.509 cert.\n");
|
|
|
e6e66c |
@@ -302,10 +309,8 @@
|
|
|
e6e66c |
#ifdef HAVE_GNUTLS
|
|
|
e6e66c |
/* Callback invoked by GnuTLS to provide the signature. The signature
|
|
|
e6e66c |
* operation is handled here by the PKCS#11 provider. */
|
|
|
e6e66c |
-static int pk11_sign_callback(gnutls_session_t session,
|
|
|
e6e66c |
+static int pk11_sign_callback(gnutls_privkey_t pkey,
|
|
|
e6e66c |
void *userdata,
|
|
|
e6e66c |
- gnutls_certificate_type_t cert_type,
|
|
|
e6e66c |
- const gnutls_datum_t *cert,
|
|
|
e6e66c |
const gnutls_datum_t *hash,
|
|
|
e6e66c |
gnutls_datum_t *signature)
|
|
|
e6e66c |
{
|
|
|
e6e66c |
@@ -575,11 +580,6 @@
|
|
|
e6e66c |
void ne_ssl_set_pkcs11_provider(ne_session *sess,
|
|
|
e6e66c |
ne_ssl_pkcs11_provider *provider)
|
|
|
e6e66c |
{
|
|
|
e6e66c |
-#ifdef HAVE_GNUTLS
|
|
|
e6e66c |
- sess->ssl_context->sign_func = pk11_sign_callback;
|
|
|
e6e66c |
- sess->ssl_context->sign_data = provider;
|
|
|
e6e66c |
-#endif
|
|
|
e6e66c |
-
|
|
|
e6e66c |
ne_ssl_provide_clicert(sess, pk11_provide, provider);
|
|
|
e6e66c |
}
|
|
|
e6e66c |
|
|
|
e6e66c |
--- neon-0.30.0/src/ne_privssl.h.pkcs11
|
|
|
e6e66c |
+++ neon-0.30.0/src/ne_privssl.h
|
|
|
e6e66c |
@@ -58,6 +58,10 @@
|
|
|
e6e66c |
|
|
|
e6e66c |
#include <gnutls/gnutls.h>
|
|
|
e6e66c |
|
|
|
e6e66c |
+#ifdef HAVE_GNUTLS_PRIVKEY_IMPORT_EXT
|
|
|
e6e66c |
+#include <gnutls/abstract.h>
|
|
|
e6e66c |
+#endif
|
|
|
e6e66c |
+
|
|
|
e6e66c |
struct ne_ssl_context_s {
|
|
|
e6e66c |
gnutls_certificate_credentials_t cred;
|
|
|
e6e66c |
int verify; /* non-zero if client cert verification required */
|
|
|
e6e66c |
@@ -78,17 +82,13 @@
|
|
|
e6e66c |
} client;
|
|
|
e6e66c |
#endif
|
|
|
e6e66c |
} cache;
|
|
|
e6e66c |
-
|
|
|
e6e66c |
-#ifdef HAVE_GNUTLS_SIGN_CALLBACK_SET
|
|
|
e6e66c |
- gnutls_sign_func sign_func;
|
|
|
e6e66c |
- void *sign_data;
|
|
|
e6e66c |
-#endif
|
|
|
e6e66c |
};
|
|
|
e6e66c |
|
|
|
e6e66c |
typedef gnutls_session_t ne_ssl_socket;
|
|
|
e6e66c |
|
|
|
e6e66c |
NE_PRIVATE ne_ssl_client_cert *
|
|
|
e6e66c |
-ne__ssl_clicert_exkey_import(const unsigned char *der, size_t der_len);
|
|
|
e6e66c |
+ne__ssl_clicert_exkey_import(const unsigned char *der, size_t der_len,
|
|
|
e6e66c |
+ gnutls_privkey_sign_func sign_func, void *userdata);
|
|
|
e6e66c |
|
|
|
e6e66c |
#endif /* HAVE_GNUTLS */
|
|
|
e6e66c |
|