On 14/03/2023 10:02, David Sommerseth wrote:
On 14/03/2023 09:45, David Sommerseth wrote:
On 11/03/2023 06:24, selva.n...@gmail.com wrote:
From: Selva Nair <selva.n...@gmail.com>
- With OpenSSL 3.0 and xkey-provider, we use pkcs11h_certificate_signAny_ex()
which returns EC signature as raw r|s concatenated. But OpenSSL expects
a DER encoded ASN.1 structure.
Do this conversion as done in cryptoapi.c. For code re-use, ecdsa_bin2sig()
is consolidated with sig to DER conversion as ecdsa_bin2der() and
moved to xkey_helper.c
In the past when we used OpenSSL hooks installed by pkcs11-helper,
such a conversion was not required as it was internally handled by
the library.
Reported by: Tom <open...@sup-logistik.de>
Signed-off-by: Selva Nair <selva.n...@gmail.com>
Just FYI, this report appeared in the bugzilla for the Fedora
packaging. This seems related to this patch.
<https://bugzilla.redhat.com/show_bug.cgi?id=2177834>
I will try to prepare a Fedora build with this patch added, for
further testing.
Fedora Koji builds of OpenVPN 2.6.1 with this patch included:
Fedora 38: <https://koji.fedoraproject.org/koji/taskinfo?taskID=98680872>
x86_64 packages:
<https://koji.fedoraproject.org/koji/taskinfo?taskID=98680943>
Fedora 37: <https://koji.fedoraproject.org/koji/taskinfo?taskID=98680878>
x86_64 packages:
<https://koji.fedoraproject.org/koji/taskinfo?taskID=98680991>
Just got feedback from the reporter in the Fedora bugzilla; this patch
works well on Fedora 38.
I suggest adding this tag to the commit log. Feel free to add the URL
tag to the bugzilla ticket too.
Tested-by: flor...@apolloner.eu
--
kind regards,
David Sommerseth
OpenVPN Inc
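
The raw r|s to DER conversion described in the commit message above, as an added example that is not part of the patch or of OpenVPN's code: a self-contained C version that does the ASN.1 encoding by hand instead of calling OpenSSL. The name raw_rs_to_der, the MAX_HALF limit (P-521) and the sample bytes are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_HALF 66 /* assumption: largest r or s is P-521 (66 bytes) */

/* Write one big-endian unsigned value as a DER INTEGER; returns bytes written. */
static size_t der_put_uint(const unsigned char *v, size_t len, unsigned char *out)
{
    while (len > 1 && v[0] == 0) { v++; len--; }  /* DER wants the minimal form */
    size_t pad = (v[0] & 0x80) ? 1 : 0;           /* leading 0x00 keeps it positive */
    out[0] = 0x02;                                /* INTEGER tag */
    out[1] = (unsigned char)(len + pad);          /* <= 67, short-form length */
    out[2] = 0x00;                                /* overwritten when pad == 0 */
    memcpy(out + 2 + pad, v, len);
    return 2 + pad + len;
}

/* raw_rs_to_der (hypothetical name): raw r|s -> DER SEQUENCE { r, s }.
 * Returns the DER length, or 0 on malformed input or a too-small buffer. */
size_t raw_rs_to_der(const unsigned char *raw, size_t raw_len,
                     unsigned char *der, size_t der_cap)
{
    unsigned char body[2 * (2 + 1 + MAX_HALF)];
    if (!raw || !der || raw_len == 0 || raw_len % 2 || raw_len / 2 > MAX_HALF)
        return 0;
    size_t half = raw_len / 2;                    /* r and s are equal width */
    size_t n = der_put_uint(raw, half, body);
    n += der_put_uint(raw + half, half, body + n);
    size_t hdr = (n < 128) ? 2 : 3;               /* P-521 can need long form */
    if (der_cap < hdr + n)
        return 0;
    der[0] = 0x30;                                /* SEQUENCE tag */
    der[1] = (hdr == 2) ? (unsigned char)n : 0x81;
    if (hdr == 3)
        der[2] = (unsigned char)n;                /* one length byte follows 0x81 */
    memcpy(der + hdr, body, n);
    return hdr + n;
}

int main(void)
{
    /* Constructed sample, not a real signature: r = 0x0001, s = 0x8002. */
    const unsigned char raw[] = { 0x00, 0x01, 0x80, 0x02 };
    unsigned char der[3 + 2 * (3 + MAX_HALF)];
    size_t n = raw_rs_to_der(raw, sizeof(raw), der, sizeof(der));
    for (size_t i = 0; i < n; i++)
        printf("%02x", der[i]);
    printf("\n");
    return n ? 0 : 1;
}
```

A verifier that is handed the raw form where DER is expected fails at ASN.1 parsing, before any curve arithmetic runs, so the failure shows up as a decode error rather than a bad-signature result.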