Re: [Openvpn-devel] [PATCH 3/9] Implement keymgmt in the xkey provider

2021-09-22 Thread Selva Nair
Hi, hmm.. there is some cruft in the commit message referring to a non-existent function, in case anyone reads it. The code itself is fine. On Wed, Sep 22, 2021 at 5:13 PM wrote: > From: Selva Nair > > A minimal set of functions for keymgmt are implemented. > No support for external key import

[Openvpn-devel] [PATCH 0/9] A built-in OpenSSL3.0 provider for external-keys

2021-09-22 Thread selva . nair
From: Selva Nair The following series of patches implement a built-in provider for interfacing OpenSSL 3.0 when external keys are in use. Essentially, to intercept the sign operation, the SSL_CTX object has to be created with properties string set to prioritize our provider. In the provider we

[Openvpn-devel] [PATCH 3/9] Implement keymgmt in the xkey provider

2021-09-22 Thread selva . nair
From: Selva Nair A minimal set of functions for keymgmt are implemented. No support for external key import as yet, only native keys. Support for native keys is required as all public key ops will get delegated to us once SSL_CTX is initialized in our context. This will include digest-verify usin

[Openvpn-devel] [PATCH 7/9] Enable signing via provider for management-external-key

2021-09-22 Thread selva . nair
From: Selva Nair - Add a function to set as sign_op during key import. The function passes the signature request to management interface, and returns the result to the provider. Signed-off-by: Selva Nair --- src/openvpn/xkey_common.h | 4 +++ src/openvpn/xkey_helper.c | 68 +++

[Openvpn-devel] [PATCH 9/9] Allow management client to announce pss padding support

2021-09-22 Thread selva . nair
From: Selva Nair pk-sig request from management can currently indicate support for 'nopadding' or 'pkcs1i' signatures. Add 'pss' as an option to indicate that PSS signing requests are accepted. To match, extend the algorithm string in PK_SIGN request to include the following format: - RSA_PKCS1

[Openvpn-devel] [PATCH 8/9] Add a function to encode digests with PKCS1 DigestInfo wrapper

2021-09-22 Thread selva . nair
From: Selva Nair The EVP_PKEY interface as well as provider provides the raw digest to the sign() function. In case of RSA_PKCS1, our management interface expects an encoded hash, which has the DigestInfo header added as per PKCSv1.5 specs, unless the hash algorithm is legacy MD5_SHA1. F

[Openvpn-devel] [PATCH 4/9] Implement provider interface for signature operations

2021-09-22 Thread selva . nair
From: Selva Nair - DigestVerify and Sign operations for native keys are implemented. DigestVerify ops for native keys are needed because operations on peer's public key will get delegated to us. Sign operations on native keys are also implemented which now allows us to enable the prov

[Openvpn-devel] [PATCH 5/9] Implement import of custom external keys

2021-09-22 Thread selva . nair
From: Selva Nair Our key object retains info about the external key as an opaque handle to the backend. We also need the public key as an EVP_PKEY *. For native keys we use OpenSSL API to import data into the key. In fact the 'handle' in that case is the OpenSSL EVP_PKEY object itsel

[Openvpn-devel] [PATCH 2/9] Initialize the xkey provider and use it in SSL context

2021-09-22 Thread selva . nair
From: Selva Nair - The provider is loaded during crypto initialization and unloaded in uninit. The SSL server and client context are created with properties indicating preference for this provider. This could be made conditional on use of external keys, but it can't hurt if loaded and used

[Openvpn-devel] [PATCH 1/9] A built-in provider for using external key with OpenSSL 3.0

2021-09-22 Thread selva . nair
From: Selva Nair Hooking into callbacks in RSA_METHOD and EVP_PKEY_METHOD structures is deprecated in OpenSSL 3.0. Signing with external keys that are not exportable (tokens, stores, etc.) requires a custom provider interface so that key operations are done under its context. A single provid

[Openvpn-devel] [PATCH 6/9] A helper function to load key for management-external-key

2021-09-22 Thread selva . nair
From: Selva Nair - A wrapper around the keymgmt import of xkey provider - When the provider is available, use this to set SSL_CTX_use_PrivateKey for management-external-key - sign_op is not implemented yet. This will error out while signing with --management-external-key. The next commit fixes

[Openvpn-devel] [PATCH v2] BUILD: enable CFG and Spectre mitigation for MSVC

2021-09-22 Thread Ilya Shipitsin
found by BinSkim Signed-off-by: Ilya Shipitsin --- src/compat/Release.props| 1 + src/compat/compat.vcxproj | 6 ++ src/openvpn/openvpn.vcxproj | 9 + src/openvpnmsica/openvpnmsica-Release.props | 1 + src/openvpnmsica/openvpnmsic

Re: [Openvpn-devel] Summary of the community meeting (15th September 2021)

2021-09-22 Thread Selva Nair
On Sat, Sep 18, 2021 at 3:22 PM Arne Schwabe wrote: > > > https://github.com/selvanair/openvpn/tree/xkey-provider-v2 > > > > > > It should build on linux without errors, though with lots of deprecation > > warnings in old files. The exe