- Generalized external private key implementation handling (like PKCS#11) in SSL/TLS

include/polarssl/config.h

@@ -612,7 +612,7 @@
 /**
  * \def POLARSSL_PKCS11_C
  *
- * Enable support for PKCS#11 smartcard support.
+ * Enable wrapper for PKCS#11 smartcard support.
  *
  * Module:  library/ssl_srv.c
  * Caller:  library/ssl_cli.c
@@ -620,7 +620,7 @@
  *
  * Requires: POLARSSL_SSL_TLS_C
  *
- * This module is required for SSL/TLS PKCS #11 smartcard support.
+ * This module enables SSL/TLS PKCS #11 smartcard support.
  * Requires the presence of the PKCS#11 helper library (libpkcs11-helper)
 #define POLARSSL_PKCS11_C
  */

include/polarssl/pkcs11.h

@@ -37,6 +37,14 @@
 
 #include <pkcs11-helper-1.0/pkcs11h-certificate.h>
 
+#if defined(_MSC_VER) && !defined(inline)
+#define inline _inline
+#else
+#if defined(__ARMCC_VERSION) && !defined(inline)
+#define inline __inline
+#endif /* __ARMCC_VERSION */
+#endif /*_MSC_VER */
+
 /**
  * Context for PKCS #11 private keys.
  */
@@ -121,6 +129,33 @@ int pkcs11_sign( pkcs11_context *ctx,
                     const unsigned char *hash,
                     unsigned char *sig );
 
+/**
+ * SSL/TLS wrappers for PKCS#11 functions
+ */
+static inline int ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen,
+                        const unsigned char *input, unsigned char *output,
+                        unsigned int output_max_len )
+{
+    return pkcs11_decrypt( (pkcs11_context *) ctx, mode, olen, input, output,
+                           output_max_len );
+}
+
+static inline int ssl_pkcs11_sign( void *ctx, 
+                     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                     int mode, int hash_id, unsigned int hashlen,
+                     const unsigned char *hash, unsigned char *sig )
+{
+    ((void) f_rng);
+    ((void) p_rng);
+    return pkcs11_sign( (pkcs11_context *) ctx, mode, hash_id,
+                        hashlen, hash, sig );
+}
+
+static inline size_t ssl_pkcs11_key_len( void *ctx )
+{
+    return ( (pkcs11_context *) ctx )->len;
+}
+
 #endif /* POLARSSL_PKCS11_C */
 
 #endif /* POLARSSL_PKCS11_H */

include/polarssl/ssl.h

@@ -42,10 +42,6 @@
 #include "dhm.h"
 #endif
 
-#if defined(POLARSSL_PKCS11_C)
-#include "pkcs11.h"
-#endif
-
 #if defined(POLARSSL_ZLIB_SUPPORT)
 #include "zlib.h"
 #endif
@@ -253,6 +249,20 @@
 
 #define TLS_EXT_RENEGOTIATION_INFO 0xFF01
 
+
+/*
+ * Generic function pointers for allowing external RSA private key
+ * implementations.
+ */
+typedef int (*rsa_decrypt_func)( void *ctx, int mode, size_t *olen,
+                        const unsigned char *input, unsigned char *output,
+                        size_t output_max_len ); 
+typedef int (*rsa_sign_func)( void *ctx,
+                     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+                     int mode, int hash_id, unsigned int hashlen,
+                     const unsigned char *hash, unsigned char *sig );
+typedef size_t (*rsa_key_len_func)( void *ctx );
+
 /*
  * SSL state machine
  */
@@ -446,10 +456,11 @@ struct _ssl_context
     /*
      * PKI layer
      */
-    rsa_context *rsa_key;               /*!<  own RSA private key     */
-#if defined(POLARSSL_PKCS11_C)
-    pkcs11_context *pkcs11_key;         /*!<  own PKCS#11 RSA private key */
-#endif
+    void *rsa_key;                      /*!<  own RSA private key     */
+    rsa_decrypt_func rsa_decrypt;       /*!<  function for RSA decrypt*/
+    rsa_sign_func rsa_sign;             /*!<  function for RSA sign   */
+    rsa_key_len_func rsa_key_len;       /*!<  function for RSA key len*/
+
     x509_cert *own_cert;                /*!<  own X.509 certificate   */
     x509_cert *ca_chain;                /*!<  own trusted CA chain    */
     x509_crl *ca_crl;                   /*!<  trusted CA CRLs         */
@@ -722,17 +733,26 @@ void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
 void ssl_set_own_cert( ssl_context *ssl, x509_cert *own_cert,
                        rsa_context *rsa_key );
 
-#if defined(POLARSSL_PKCS11_C)
 /**
- * \brief          Set own certificate and PKCS#11 private key
+ * \brief          Set own certificate and alternate non-PolarSSL private
+ *                 key and handling callbacks, such as the PKCS#11 wrappers
+ *                 or any other external private key handler.
+ *                 (see the respective RSA functions in rsa.h for documentation
+ *                 of the callback parameters, with the only change being
+ *                 that the rsa_context * is a void * in the callbacks)
  *
  * \param ssl      SSL context
  * \param own_cert own public certificate
- * \param pkcs11_key    own PKCS#11 RSA key
+ * \param rsa_key  alternate implementation private RSA key
+ * \param rsa_decrypt_func  alternate implementation of \c rsa_pkcs1_decrypt()
+ * \param rsa_sign_func     alternate implementation of \c rsa_pkcs1_sign()
+ * \param rsa_key_len_func  function returning length of RSA key in bytes
  */
-void ssl_set_own_cert_pkcs11( ssl_context *ssl, x509_cert *own_cert,
-                       pkcs11_context *pkcs11_key );
-#endif
+void ssl_set_own_cert_alt( ssl_context *ssl, x509_cert *own_cert,
+                           void *rsa_key,
+                           rsa_decrypt_func rsa_decrypt,
+                           rsa_sign_func rsa_sign,
+                           rsa_key_len_func rsa_key_len );
 
 #if defined(POLARSSL_DHM_C)
 /**