Am 14.09.18 um 11:14 schrieb Steffan Karger: > Instead of using mbedtls's pkcs11 module, reuse the code we already have > for management-external-key to also do pkcs11 signatures. As far as mbed > is concerned, we simply provide an external signature. > > This has the following advantages: > * We no longer need mbed TLS to be compiled with the pkcs11 modules > enabled (which is not enabled by default). This makes it easier to use > a system/distribution-provided mbed shared library. > * We no longer have a dependency on pkcs11-helper through mbed TLS. So if > we want to migrate to some other pkcs11 lib (see e.g. trac #491, #538 > and #549 for reason why), this will be easier. > > While touching this code, switch from M_FATAL to M_WARN and proper error > handling. This improves the error reporting, and helps prevent potential > future DoS attacks if someone starts using these functions on peer input. >
Ack. The code makes sense. I could not really test it since I don't have a PCKS#11 environement to test it but it looks good enough and I assume Steffan has already tested it. Acked-By: Arne Schwabe <a...@rfc2549.org> _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
