[pkg-opensc-commit] [pkcs11-helper] 239/253: crypto: add support for mbed TLS 2.x
Eric Dorland
eric at moszumanska.debian.org
Fri Jan 6 23:39:24 UTC 2017
This is an automated email from the git hooks/post-receive script.
eric pushed a commit to branch master
in repository pkcs11-helper.
commit 5bc33a0110e8c1b30971680199f8c91ecf5dd1be
Author: Alon Bar-Lev <alon.barlev at gmail.com>
Date: Sat Jun 11 18:06:59 2016 +0300
crypto: add support for mbed TLS 2.x
Remove support for polarssl-1.2 api as no longer maintained.
Add support for polarssl-1.3 api.
Add support for mbed TLS 2.x api.
Rename all polarssl references to mbed tls while retaining backward
compatibility.
Thanks-To: Steffan Karger <steffan at karger.me>
Signed-off-by: Steffan Karger <steffan at karger.me>
Signed-off-by: Alon Bar-Lev <alon.barlev at gmail.com>
---
configure.ac | 72 ++++++++++++++++------
include/pkcs11-helper-1.0/pkcs11h-core.h | 4 +-
include/pkcs11-helper-1.0/pkcs11h-engines.h | 4 +-
lib/Makefile.am | 2 +-
...crypto-polarssl.c => _pkcs11h-crypto-mbedtls.c} | 70 ++++++++++-----------
lib/pkcs11h-core.c | 4 +-
lib/pkcs11h-crypto.c | 18 +++---
7 files changed, 105 insertions(+), 69 deletions(-)
diff --git a/configure.ac b/configure.ac
index e905d5a..150a6b2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -202,9 +202,16 @@ AC_ARG_ENABLE(
AC_ARG_ENABLE(
[crypto-engine-polarssl],
- [AS_HELP_STRING([--disable-crypto-engine-polarssl],[disable PolarSSL crypto engine])],
+ [AS_HELP_STRING([--disable-crypto-engine-polarssl],[disable mbed TLS crypto engine])],
,
- [enable_crypto_engine_polarssl="yes"]
+ [enable_crypto_engine_mbedtls="yes"]
+)
+
+AC_ARG_ENABLE(
+ [crypto-engine-mbedtls],
+ [AS_HELP_STRING([--disable-crypto-engine-mbedtls],[disable mbed TLS crypto engine])],
+ ,
+ [enable_crypto_engine_mbedtls="yes"]
)
AC_ARG_ENABLE(
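Review bot: The legacy `--disable-crypto-engine-polarssl` option no longer disables anything: its action-if-given is empty, so autoconf only sets `enable_crypto_engine_polarssl`, while the checks later in configure.ac read `enable_crypto_engine_mbedtls`, which the new second AC_ARG_ENABLE defaults to "yes". That contradicts the "retain backward compatibility" goal stated in the commit message, and a packager who keeps the old flag silently gets the engine built in. Mapping the old option onto the new variable keeps both spellings working: `[enable_crypto_engine_mbedtls="${enableval}"]` as the action-if-given of the polarssl AC_ARG_ENABLE, replacing the empty argument on the line after the help string.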
@@ -348,20 +355,47 @@ fi
PKG_CHECK_MODULES([GNUTLS], [gnutls >= 1.4], [have_gnutls="yes"], [have_gnutls="no"])
PKG_CHECK_MODULES([NSS], [nss >= 3.11], [have_nss="yes"], [have_nss="no"])
-AC_ARG_VAR([POLARSSL_CFLAGS], [C compiler flags for PolarSSL])
-AC_ARG_VAR([POLARSSL_LIBS], [linker flags for PolarSSL])
-if test -z "${POLARSSL_LIBS}"; then
+AC_ARG_VAR([MBEDTLS_CFLAGS], [C compiler flags for mbed TLS])
+AC_ARG_VAR([MBEDTLS_LIBS], [linker flags for mbed TLS])
+if test -z "${MBEDTLS_LIBS}"; then
AC_CHECK_LIB(
- [polarssl],
- [x509parse_crt],
+ [mbedx509],
+ [mbedtls_x509_crt_init],
[
- POLARSSL_LIBS="-lpolarssl"
- have_polarssl="yes"
+ AC_CHECK_HEADERS(
+ [mbedtls/x509_crt.h],
+ ,
+ [AC_MSG_ERROR([Cannot find mbed TLS headers])]
+ )
+ MBEDTLS_LIBS="-lmbedx509 -lmbedtls -lmbedcrypto"
+ have_mbedtls="yes"
],
- [have_polarssl="no"]
+ [AC_CHECK_LIB(
+ [polarssl],
+ [x509_crt_parse],
+ [
+ AC_CHECK_HEADERS(
+ [polarssl/x509_crt.h],
+ ,
+ [AC_MSG_ERROR([Cannot find PolarSSL headers])]
+ )
+ MBEDTLS_LIBS="-lpolarssl"
+ have_mbedtls="yes"
+ ],
+ [have_mbedtls="no"]
+ )],
+ [-lmbedtls -lmbedcrypto]
)
else
- have_polarssl="yes"
+ have_mbedtls="yes"
+fi
+
+if test -n "${MBEDTLS_CFLAGS}" -a "${have_mbedtls}" = "yes"; then
+ old_CFLAGS="${CFLAGS}"
+ CFLAGS="${CFLAGS} ${MBEDTLS_CFLAGS}"
+ AC_CHECK_HEADERS([mbedtls/x509_crt.h])
+ AC_CHECK_HEADERS([polarssl/x509_crt.h])
+ CFLAGS="${old_CFLAGS}"
fi
# Checks for header files.
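Review bot: The header probe at the end of the hunk runs only when MBEDTLS_CFLAGS is non-empty, so a build that sets MBEDTLS_LIBS but leaves MBEDTLS_CFLAGS empty (headers in a system include directory) takes the `else` branch, gets `have_mbedtls="yes"` and never defines HAVE_MBEDTLS_X509_CRT_H; _pkcs11h-crypto-mbedtls.c then falls back to `#include <polarssl/x509_crt.h>` on an mbed TLS system. Guarding on the library result alone, `if test "${have_mbedtls}" = "yes"; then`, runs the checks on every path (the autodetect branch's results are cached, so it costs nothing). Separately, the AC_CHECK_LIB probe does not add MBEDTLS_CFLAGS before its nested AC_CHECK_HEADERS, and the probe appears to run regardless of the enable switch, so an mbed TLS installed in a non-default prefix hits AC_MSG_ERROR even when the engine is disabled; a soft failure (`have_mbedtls="no"`) would let the other engines still configure.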
@@ -463,13 +497,13 @@ else
AC_MSG_RESULT([no])
fi
-AC_MSG_CHECKING([PolarSSL crypto engine])
-if test "${enable_crypto_engine_polarssl}" = "yes"; then
- if test "${have_polarssl}" = "yes"; then
+AC_MSG_CHECKING([mbed TLS crypto engine])
+if test "${enable_crypto_engine_mbedtls}" = "yes"; then
+ if test "${have_mbedtls}" = "yes"; then
AC_MSG_RESULT([yes])
- AC_DEFINE([ENABLE_PKCS11H_ENGINE_POLARSSL], [1], [Enable PolarSSL crypto engine])
- CFLAGS="${CFLAGS} ${POLARSSL_CFLAGS}"
- LIBS="${LIBS} ${POLARSSL_LIBS}"
+ AC_DEFINE([ENABLE_PKCS11H_ENGINE_MBEDTLS], [1], [Enable mbed TLS crypto engine])
+ CFLAGS="${CFLAGS} ${MBEDTLS_CFLAGS}"
+ LIBS="${LIBS} ${MBEDTLS_LIBS}"
else
AC_MSG_RESULT([no])
fi
@@ -530,9 +564,9 @@ if test "${enable_crypto_engine_nss}" = "yes"; then
crypto_engine=1
PKCS11H_FEATURES="${PKCS11H_FEATURES} engine_crypto_nss"
fi
-if test "${enable_crypto_engine_polarssl}" = "yes"; then
+if test "${enable_crypto_engine_mbedtls}" = "yes"; then
crypto_engine=1
- PKCS11H_FEATURES="${PKCS11H_FEATURES} engine_crypto_polarssl"
+ PKCS11H_FEATURES="${PKCS11H_FEATURES} engine_crypto_mbedtls"
fi
if test "${enable_crypto_engine_cryptoapi}" = "yes"; then
crypto_engine=1
diff --git a/include/pkcs11-helper-1.0/pkcs11h-core.h b/include/pkcs11-helper-1.0/pkcs11h-core.h
index 6e705ab..62541cc 100644
--- a/include/pkcs11-helper-1.0/pkcs11h-core.h
+++ b/include/pkcs11-helper-1.0/pkcs11h-core.h
@@ -109,8 +109,10 @@ extern "C" {
#define PKCS11H_FEATURE_MASK_SLOTEVENT (1<< 8)
/** OpenSSL interface is enabled. */
#define PKCS11H_FEATURE_MASK_OPENSSL (1<< 9)
-/** Engine PolarSSL is enabled. */
+/** Engine mbed TLS is enabled. */
#define PKCS11H_FEATURE_MASK_ENGINE_CRYPTO_POLARSSL (1<< 10)
+/** Engine mbed TLS is enabled. */
+#define PKCS11H_FEATURE_MASK_ENGINE_CRYPTO_MBEDTLS (1<< 10)
/** @} */
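Review bot: `PKCS11H_FEATURE_MASK_ENGINE_CRYPTO_POLARSSL` and the new `PKCS11H_FEATURE_MASK_ENGINE_CRYPTO_MBEDTLS` share the value `(1<< 10)` but carry the identical doc sentence, so a reader cannot tell which is the canonical name and which exists only for source compatibility. Documenting the old one as the alias makes the intent explicit: `/** Deprecated alias of PKCS11H_FEATURE_MASK_ENGINE_CRYPTO_MBEDTLS, kept for source compatibility. */`. The same applies to `PKCS11H_ENGINE_CRYPTO_POLARSSL` next to `PKCS11H_ENGINE_CRYPTO_MBEDTLS` in pkcs11h-engines.h.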
/**
diff --git a/include/pkcs11-helper-1.0/pkcs11h-engines.h b/include/pkcs11-helper-1.0/pkcs11h-engines.h
index 415d84b..156ced6 100644
--- a/include/pkcs11-helper-1.0/pkcs11h-engines.h
+++ b/include/pkcs11-helper-1.0/pkcs11h-engines.h
@@ -213,8 +213,10 @@ typedef struct pkcs11h_crypto_engine_s {
#define PKCS11H_ENGINE_CRYPTO_WIN32 ((pkcs11h_engine_crypto_t *)3)
/** Select NSS. */
#define PKCS11H_ENGINE_CRYPTO_NSS ((pkcs11h_engine_crypto_t *)4)
-/** Select PolarSSL. */
+/** Select mbed TLS. */
#define PKCS11H_ENGINE_CRYPTO_POLARSSL ((pkcs11h_engine_crypto_t *)5)
+/** Select mbed TLS. */
+#define PKCS11H_ENGINE_CRYPTO_MBEDTLS ((pkcs11h_engine_crypto_t *)5)
/** Auto select GPL enigne. */
#define PKCS11H_ENGINE_CRYPTO_GPL ((pkcs11h_engine_crypto_t *)10)
/** @} */
diff --git a/lib/Makefile.am b/lib/Makefile.am
index 2e6b11c..eceab26 100644
--- a/lib/Makefile.am
+++ b/lib/Makefile.am
@@ -79,7 +79,7 @@ libpkcs11_helper_la_SOURCES= \
_pkcs11h-sys.h pkcs11h-sys.c \
_pkcs11h-crypto.h pkcs11h-crypto.c \
_pkcs11h-crypto-openssl.c _pkcs11h-crypto-nss.c \
- _pkcs11h-crypto-gnutls.c _pkcs11h-crypto-polarssl.c \
+ _pkcs11h-crypto-gnutls.c _pkcs11h-crypto-mbedtls.c \
_pkcs11h-crypto-cryptoapi.c \
_pkcs11h-threading.h pkcs11h-threading.c \
_pkcs11h-util.h pkcs11h-util.c \
diff --git a/lib/_pkcs11h-crypto-polarssl.c b/lib/_pkcs11h-crypto-mbedtls.c
similarity index 77%
rename from lib/_pkcs11h-crypto-polarssl.c
rename to lib/_pkcs11h-crypto-mbedtls.c
index c004111..215798e 100644
--- a/lib/_pkcs11h-crypto-polarssl.c
+++ b/lib/_pkcs11h-crypto-mbedtls.c
@@ -53,14 +53,17 @@
#include "_pkcs11h-crypto.h"
-#if defined(ENABLE_PKCS11H_ENGINE_POLARSSL)
-#include <polarssl/compat-1.2.h>
-#include <polarssl/x509.h>
-#include <polarssl/version.h>
+#if defined(ENABLE_PKCS11H_ENGINE_MBEDTLS)
+#ifdef HAVE_MBEDTLS_X509_CRT_H
+#include <mbedtls/compat-1.3.h>
+#include <mbedtls/x509_crt.h>
+#else
+#include <polarssl/x509_crt.h>
+#endif
static
int
-__pkcs11h_crypto_polarssl_initialize (
+__pkcs11h_crypto_mbedtls_initialize (
IN void * const global_data
) {
(void)global_data;
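Review bot: The mbed TLS branch relies on `<mbedtls/compat-1.3.h>` to supply the unprefixed `x509_crt_*` names the rest of the file uses, and in mbed TLS 2.x that header is a deprecated shim whose contents are compiled out when the library is configured with `MBEDTLS_DEPRECATED_REMOVED` (and it warns under `MBEDTLS_DEPRECATED_WARNING`), so such a build cannot compile this engine at all. Since the file uses only a handful of names, mapping them locally onto the `mbedtls_`-prefixed API removes the dependency on the shim, if I recall the 2.x names correctly. The one remaining API difference this mapping does not cover is the flags-pointer type of `x509_crt_verify`.

```c
#if defined(ENABLE_PKCS11H_ENGINE_MBEDTLS)
#ifdef HAVE_MBEDTLS_X509_CRT_H
#include <mbedtls/x509_crt.h>
/* Map the unprefixed 1.3-style names used below onto the mbed TLS 2.x API. */
#define x509_crt           mbedtls_x509_crt
#define x509_crt_parse     mbedtls_x509_crt_parse
#define x509_crt_free      mbedtls_x509_crt_free
#define x509_time_expired  mbedtls_x509_time_is_past
#define x509_dn_gets       mbedtls_x509_dn_gets
#define x509_crt_verify    mbedtls_x509_crt_verify
#else
#include <polarssl/x509_crt.h>
#endif
/* … unchanged: __pkcs11h_crypto_mbedtls_initialize … */
```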
@@ -70,7 +73,7 @@ __pkcs11h_crypto_polarssl_initialize (
static
int
-__pkcs11h_crypto_polarssl_uninitialize (
+__pkcs11h_crypto_mbedtls_uninitialize (
IN void * const global_data
) {
(void)global_data;
@@ -80,13 +83,13 @@ __pkcs11h_crypto_polarssl_uninitialize (
static
int
-__pkcs11h_crypto_polarssl_certificate_get_expiration (
+__pkcs11h_crypto_mbedtls_certificate_get_expiration (
IN void * const global_data,
IN const unsigned char * const blob,
IN const size_t blob_size,
OUT time_t * const expiration
) {
- x509_cert x509;
+ x509_crt x509;
(void)global_data;
@@ -97,11 +100,11 @@ __pkcs11h_crypto_polarssl_certificate_get_expiration (
*expiration = (time_t)0;
memset(&x509, 0, sizeof(x509));
- if (0 != x509parse_crt (&x509, blob, blob_size)) {
+ if (0 != x509_crt_parse (&x509, blob, blob_size)) {
goto cleanup;
}
- if (0 == x509parse_time_expired(&x509.valid_to)) {
+ if (0 == x509_time_expired(&x509.valid_to)) {
struct tm tm1;
memset (&tm1, 0, sizeof (tm1));
@@ -118,21 +121,21 @@ __pkcs11h_crypto_polarssl_certificate_get_expiration (
cleanup:
- x509_free(&x509);
+ x509_crt_free(&x509);
return *expiration != (time_t)0;
}
static
int
-__pkcs11h_crypto_polarssl_certificate_get_dn (
+__pkcs11h_crypto_mbedtls_certificate_get_dn (
IN void * const global_data,
IN const unsigned char * const blob,
IN const size_t blob_size,
OUT char * const dn,
IN const size_t dn_max
) {
- x509_cert x509;
+ x509_crt x509;
int ret = FALSE;
(void)global_data;
@@ -145,11 +148,11 @@ __pkcs11h_crypto_polarssl_certificate_get_dn (
dn[0] = '\x0';
memset(&x509, 0, sizeof(x509));
- if (0 != x509parse_crt (&x509, blob, blob_size)) {
+ if (0 != x509_crt_parse (&x509, blob, blob_size)) {
goto cleanup;
}
- if (-1 == x509parse_dn_gets(dn, dn_max, &x509.subject)) {
+ if (-1 == x509_dn_gets(dn, dn_max, &x509.subject)) {
goto cleanup;
}
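Review bot: `if (-1 == x509_dn_gets(dn, dn_max, &x509.subject))` keeps the PolarSSL 1.2 convention, but in the 1.3 and mbed TLS 2.x API the function returns the number of bytes written on success and a negative library error code — not specifically -1 — when `dn_max` is too small, if I read those headers correctly, so a truncated subject DN is not detected and the caller receives a partial name as if it were complete. Since callers use the DN to identify certificates, a silently truncated value is worth treating as an error; comparing against zero catches every failure: `if (0 > x509_dn_gets(dn, dn_max, &x509.subject)) {`. The body of __pkcs11h_crypto_mbedtls_certificate_get_dn continues outside the hunk.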
@@ -157,22 +160,22 @@ __pkcs11h_crypto_polarssl_certificate_get_dn (
cleanup:
- x509_free(&x509);
+ x509_crt_free(&x509);
return ret;
}
static
int
-__pkcs11h_crypto_polarssl_certificate_is_issuer (
+__pkcs11h_crypto_mbedtls_certificate_is_issuer (
IN void * const global_data,
IN const unsigned char * const issuer_blob,
IN const size_t issuer_blob_size,
IN const unsigned char * const cert_blob,
IN const size_t cert_blob_size
) {
- x509_cert x509_issuer;
- x509_cert x509_cert;
+ x509_crt x509_issuer;
+ x509_crt x509_cert;
int verify_flags = 0;
PKCS11H_BOOL is_issuer = FALSE;
@@ -184,37 +187,32 @@ __pkcs11h_crypto_polarssl_certificate_is_issuer (
_PKCS11H_ASSERT (cert_blob!=NULL);
memset(&x509_issuer, 0, sizeof(x509_issuer));
- if (0 != x509parse_crt (&x509_issuer, issuer_blob, issuer_blob_size)) {
+ if (0 != x509_crt_parse (&x509_issuer, issuer_blob, issuer_blob_size)) {
goto cleanup;
}
memset(&x509_cert, 0, sizeof(x509_cert));
- if (0 != x509parse_crt (&x509_cert, cert_blob, cert_blob_size)) {
+ if (0 != x509_crt_parse (&x509_cert, cert_blob, cert_blob_size)) {
goto cleanup;
}
-#if (POLARSSL_VERSION_MAJOR == 0)
- if ( 0 == x509parse_verify(&x509_cert, &x509_issuer, NULL, NULL,
- &verify_flags ))
-#else
- if ( 0 == x509parse_verify(&x509_cert, &x509_issuer, NULL, NULL,
+ if ( 0 == x509_crt_verify(&x509_cert, &x509_issuer, NULL, NULL,
&verify_flags, NULL, NULL ))
-#endif
cleanup:
- x509_free(&x509_cert);
- x509_free(&x509_issuer);
+ x509_crt_free(&x509_cert);
+ x509_crt_free(&x509_issuer);
return is_issuer;
}
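Review bot: `x509_crt_verify` is handed `&verify_flags`, and `verify_flags` is declared `int` in the preceding hunk; PolarSSL 1.3 declares that parameter `int *`, but mbed TLS 2.x's `mbedtls_x509_crt_verify` takes `uint32_t *flags`, so the mbed TLS build passes a pointer of the wrong signedness (an incompatible-pointer warning the compat shim does not hide), if I read the 2.x header correctly. Declaring the variable `uint32_t verify_flags = 0;` under `HAVE_MBEDTLS_X509_CRT_H` and keeping `int verify_flags = 0;` otherwise matches both APIs. The function starts in the preceding hunk, and the statement that sets `is_issuer` on a successful verify is not visible between the `if` and `cleanup:` here, so I have not checked that path.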
-const pkcs11h_engine_crypto_t _g_pkcs11h_crypto_engine_polarssl = {
+const pkcs11h_engine_crypto_t _g_pkcs11h_crypto_engine_mbedtls = {
NULL,
- __pkcs11h_crypto_polarssl_initialize,
- __pkcs11h_crypto_polarssl_uninitialize,
- __pkcs11h_crypto_polarssl_certificate_get_expiration,
- __pkcs11h_crypto_polarssl_certificate_get_dn,
- __pkcs11h_crypto_polarssl_certificate_is_issuer
+ __pkcs11h_crypto_mbedtls_initialize,
+ __pkcs11h_crypto_mbedtls_uninitialize,
+ __pkcs11h_crypto_mbedtls_certificate_get_expiration,
+ __pkcs11h_crypto_mbedtls_certificate_get_dn,
+ __pkcs11h_crypto_mbedtls_certificate_is_issuer
};
-#endif /* ENABLE_PKCS11H_ENGINE_POLARSSL */
+#endif /* ENABLE_PKCS11H_ENGINE_MBEDTLS */
diff --git a/lib/pkcs11h-core.c b/lib/pkcs11h-core.c
index 6aee495..1761620 100644
--- a/lib/pkcs11h-core.c
+++ b/lib/pkcs11h-core.c
@@ -244,8 +244,8 @@ pkcs11h_getFeatures (void) {
#if defined(ENABLE_PKCS11H_ENGINE_WIN32)
PKCS11H_FEATURE_MASK_ENGINE_CRYPTO_WIN32 |
#endif
-#if defined(ENABLE_PKCS11H_ENGINE_POLARSSL)
- PKCS11H_FEATURE_MASK_ENGINE_CRYPTO_POLARSSL |
+#if defined(ENABLE_PKCS11H_ENGINE_MBEDTLS)
+ PKCS11H_FEATURE_MASK_ENGINE_CRYPTO_MBEDTLS |
#endif
#if defined(ENABLE_PKCS11H_DEBUG)
PKCS11H_FEATURE_MASK_DEBUG |
diff --git a/lib/pkcs11h-crypto.c b/lib/pkcs11h-crypto.c
index e61588d..7675912 100644
--- a/lib/pkcs11h-crypto.c
+++ b/lib/pkcs11h-crypto.c
@@ -62,8 +62,8 @@ extern const pkcs11h_engine_crypto_t _g_pkcs11h_crypto_engine_openssl;
#if defined(ENABLE_PKCS11H_ENGINE_NSS)
extern const pkcs11h_engine_crypto_t _g_pkcs11h_crypto_engine_nss;
#endif
-#if defined(ENABLE_PKCS11H_ENGINE_POLARSSL)
-extern const pkcs11h_engine_crypto_t _g_pkcs11h_crypto_engine_polarssl;
+#if defined(ENABLE_PKCS11H_ENGINE_MBEDTLS)
+extern const pkcs11h_engine_crypto_t _g_pkcs11h_crypto_engine_mbedtls;
#endif
#if defined(ENABLE_PKCS11H_ENGINE_GNUTLS)
extern const pkcs11h_engine_crypto_t _g_pkcs11h_crypto_engine_gnutls;
@@ -94,8 +94,8 @@ pkcs11h_engine_setCrypto (
_engine = &_g_pkcs11h_crypto_engine_openssl;
#elif defined(ENABLE_PKCS11H_ENGINE_NSS)
_engine = &_g_pkcs11h_crypto_engine_nss;
-#elif defined(ENABLE_PKCS11H_ENGINE_POLARSSL)
- _engine = &_g_pkcs11h_crypto_engine_polarssl;
+#elif defined(ENABLE_PKCS11H_ENGINE_MBEDTLS)
+ _engine = &_g_pkcs11h_crypto_engine_mbedtls;
#elif defined(ENABLE_PKCS11H_ENGINE_GNUTLS)
_engine = &_g_pkcs11h_crypto_engine_gnutls;
#else
@@ -106,8 +106,8 @@ pkcs11h_engine_setCrypto (
else if (engine == PKCS11H_ENGINE_CRYPTO_GPL) {
#if defined(ENABLE_PKCS11H_ENGINE_CRYPTOAPI)
_engine = &_g_pkcs11h_crypto_engine_cryptoapi;
-#elif defined(ENABLE_PKCS11H_ENGINE_POLARSSL)
- _engine = &_g_pkcs11h_crypto_engine_polarssl;
+#elif defined(ENABLE_PKCS11H_ENGINE_MBEDTLS)
+ _engine = &_g_pkcs11h_crypto_engine_mbedtls;
#elif defined(ENABLE_PKCS11H_ENGINE_GNUTLS)
_engine = &_g_pkcs11h_crypto_engine_gnutls;
#else
@@ -147,9 +147,9 @@ pkcs11h_engine_setCrypto (
goto cleanup;
#endif
}
- else if (engine == PKCS11H_ENGINE_CRYPTO_POLARSSL) {
-#if defined(ENABLE_PKCS11H_ENGINE_POLARSSL)
- _engine = &_g_pkcs11h_crypto_engine_polarssl;
+ else if (engine == PKCS11H_ENGINE_CRYPTO_MBEDTLS) {
+#if defined(ENABLE_PKCS11H_ENGINE_MBEDTLS)
+ _engine = &_g_pkcs11h_crypto_engine_mbedtls;
#else
rv = CKR_ATTRIBUTE_VALUE_INVALID;
goto cleanup;
--