This unit-test did not consider the case when USE_COMP is not defined,
thus generating a compiler error.
Adapt the test to the case when no compression is available and while at
it, decompose the expected MTU values by featureso that it is easier to
understand.
Cc: Arne Schwabe
Signed-off-by: An
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com:
From: Selva Nair
Acked-By: Arne Schwabe
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com:
From: Selva Nair
A minimal set of functions for keymgmt are implemented.
No support for external key import as yet, only native
keys. Support for native keys is required as keys may
get imported into us for some operations as well as
for compar
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com:
From: Selva Nair
- Basic frame work for announcing support for signature
operations
- DigestSign and Sign functions for native keys are also
implemented. Though strictly not needed, these functions
for native keys sets up the framewo
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com:
From: Selva Nair
Our key object retains info about the external
key as an opaque handle to the backend. We also
need the public key as an EVP_PKEY *.
For native keys we use OpenSSL API to import
data into the key. The 'handle' r
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com:
From: Selva Nair
- Add function to check when external key is in use
- Load xkey provider into a custom library context when required
- Use the custom libctx in SSL CTX when external key is in use
As no keys are yet loaded through the provid
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com:
From: Selva Nair
- Leverage keymgmt_import through EVP_PKEY_new_fromdata() to
import "management-external-key"
- When required, use this to set SSL_CTX_use_PrivateKey
The sign_op is not implemented yet. This will error out while
signing wi
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com:
From: Selva Nair
- Add a function to set as sign_op during key import. The
function passes the signature request to management interface,
and returns the result to the provider.
v2 changes: Method to do digest added to match the changes
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com:
From: Selva Nair
The EVP_PKEY interface as well as provider passes the raw
digest to the sign() function. In case of RSA_PKCS1,
our management interface expects an encoded hash, which
has the DigestInfo header added as per PKCSv1.5 specs,
unles
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com:
From: Selva Nair
The --management-external-key option can currently indicate support
for 'nopadding' or 'pkcs1' signatures in the client. Add 'pss' as an
option to announce that PSS signing requests are accepted.
To match, extend the algorithm
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com:
From: Selva Nair
Support for padding algorithms in management-client is indicated
in the optional argument to --management-external-key as "pkcs1",
"pss" etc. We currently use it only for an early exit based on heuristics
that a required algori
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com:
From: Selva Nair
To receive undigested message for signing, indicate support
for handling message digesting in the client using an argument
"digest" to --management-external-key.
For example, to announce pkcs1 padding and digesting support use
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com:
From: Selva Nair
- Load keys by specifying the opaque privtae key handle,
public key, sign-op and free-op required for loading keys
from Windows store and pkcs11.
- xkey_load_management_key is refactored to use the new function
- Also m
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com:
From: Selva Nair
Sending largish messages to the management interface errors due to
the limited size used for the "error" buffer in x_msg_va(). Although
all intermediate steps allocate required space for the data to
send, it gets truncated at t
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com:
From: Selva Nair
- Load the 'private key' handle through the provider and set it in
SSL_CTX
- Add a sign op function to interface provider with pkcs11-helper.
Previously we used its "OpenSSL Session" which internally sets up
callbacks
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com:
From: Selva Nair
- Add xkey_cng_sign() as sign_op for the provider
and load the key using xkey_generic_load.
- Enable/Disable old code when provider is available or not.
- xkey_digest is made non-static for use in cryptoapi.c
One function
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com:
From: Selva Nair
Tests:
- Check SIGNATURE and KEYMGMT methods can be fetched
from the provider
- Load sample RSA and EC keys as management-external-key
and check that their sign callbacks are correctly exercised:
with and without diges
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com:
From: Selva Nair
Signed-off-by: Selva Nair
---
configure.ac | 2 -
tests/unit_tests/openvpn/Makefile.am | 4 -
tests/unit_tests/openvpn/test_provider.c | 112 +--
3 files changed, 10
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com:
From: Selva Nair
Acked-By: Arne Schwabe
This could be merged/squashed into the commits that introduce those files.
Arne
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https:/
There is not much to test here yet - so what I did was "test that it
does not break with ossl 1.x" (it doesn't), that it does not compile
anything into xkey_provider.o when compiled with 3.0.0 (it doesn't)
and that it *does* with 3.0.1
3.0.0$ size src/openvpn/xkey_provider.o
textdata b
Only compile-tested on Linux / OpenSSL 3.0.1 (and briefly glanced over
the code to see what happens). It breaks...
xkey_provider.c:223:16: error: 'XKEY_KEYDATA' has no member named 'free'
223 | key->free = (XKEY_PRIVKEY_FREE_fn *) EVP_PKEY_free;
|^~
xkey_provid
This fixes compilation again. Compile-tested, briefly glanced at the code.
Your patch has been applied to the master branch.
commit 25f9c47127190c487eb3b4b4a3f5553fb2d62b21
Author: Selva Nair
Date: Tue Dec 14 11:59:13 2021 -0500
Implement SIGNATURE operations in xkey provider
Signe
Compile-tested only (and glanced over the code).
Your patch has been applied to the master branch.
commit ab3a8e5c28c433fd405f964d55bb754571191b9c
Author: Selva Nair
Date: Tue Dec 14 11:59:14 2021 -0500
Implement import of custom external keys
Signed-off-by: Selva Nair
Acked-b
Am 20.01.22 um 11:11 schrieb Antonio Quartulli:
This unit-test did not consider the case when USE_COMP is not defined,
thus generating a compiler error.
Adapt the test to the case when no compression is available and while at
it, decompose the expected MTU values by featureso that it is easier t
This is the first truly "interesting" patch in the series, that brings
stuff to be tested :-)
Tested on OSSL 1.1.1 and mbedTLS builds ("so nothing breaks with the
old stuff"), and on 3.0.1 - but only with regular keys, so no
"key_is_external() = true" yet.
Your patch has been applied to the maste
Compile tested with 3.0.1 and glanced over the code. Not actually
tested (no management-external-key here) but I know that Arne is using
*this* in his Android app, so it got a good beating :-)
There might be a memory leak lurking here:
+#ifdef HAVE_XKEY_PROVIDER
+EVP_PKEY *privkey = xkey_loa
One should read all of the patch series before complaining about "this
will break MSVC compilation" :-) - so here we go, MSVC fixed. (Applying
out of order, so MSVC is repaired quickly).
Your patch has been applied to the master branch.
commit 57abdcfc3885b3c127bb3d07e9c8ccdbffcf2548
Author: Sel
Hi,
On Tue, Dec 14, 2021 at 11:59:27AM -0500, selva.n...@gmail.com wrote:
> From: Selva Nair
>
> Signed-off-by: Selva Nair
Is it OK if I squash 16+17 together? I dislike the "history churn"
of modifying configure.ac and Makefile.am in 16 just to remove
the AM_CONDITIONAL bits again in 17...
Compile and client tested on 1.1.1 and 3.0.1.
Glancing at the code related to management_external_key() does
not make me very happy... too many build time variants.
Maybe we should look into "external key is only supported with
OpenSSL 3.0.1+ builds" for 2.7 and get rid of all the #ifdef'ed
c
Hi
On Thu, Jan 20, 2022 at 9:51 AM Gert Doering wrote:
> Hi,
>
> On Tue, Dec 14, 2021 at 11:59:27AM -0500, selva.n...@gmail.com wrote:
> > From: Selva Nair
> >
> > Signed-off-by: Selva Nair
>
> Is it OK if I squash 16+17 together? I dislike the "history churn"
> of modifying configure.ac and
Looked at the code, did client tests on 3.0.1, added a few spaces
in code like "if(nid == NID_undef)" :-)
As for the actual digest / encoding parts, no idea what that does,
but the code looks safe wrt memcpy(), length of things, etc.
Your patch has been applied to the master branch.
commit cf704
Client-tested with OpenSSL 1.1.1 and 3.0.1.
This patch looks trivial enough, but the intricacies of all these
flag bits and padding are well beyond me :-) - good that Arne tested
all this for real.
Fixed one remaining occurence of "hashlag" in the commit message.
Your patch has been applied to t
Glanced a bit at the code and compile-tested on 3.0.1 - looks
straightforward enough :-) (and yes to the comment about "such
a check would be appropriate always", but I'm leaning more to
"drop support for OpenSSL < 3.0.1 for external-key features" :-) ).
Your patch has been applied to the master
Hi,
On Thu, Jan 20, 2022 at 10:21:19AM -0500, Selva Nair wrote:
> Yeah, a previous version had checking for OpenSSL version in configure.ac
> and the AM_CONDITIONAL made sense only in that case. I can send a
> new 16/18 or please do squash 16 with 17.
If you could send a new "16+17 v4" that woul
From: Selva Nair
Tests:
- Check SIGNATURE and KEYMGMT methods can be fetched
from the provider
- Load sample RSA and EC keys as management-external-key
and check that their sign callbacks are correctly exercised:
with and without digest support mocked in the client
capability flag.
-Test
Compile-tested on 3.0.1 and stared at the code for a bit. The "global"
change is trivial enough, the xkey_helper changes look safe wrt memory
overflows etc, though I lack the greater understanding on how all
the wheels work together (so it's good that Arne tested and ACKed this).
Your patch has
From: Selva Nair
As pointed out by Gert Doering
Signed-off-by: Selva Nair
---
To be applied after 06/18 of xkey patchset
src/openvpn/ssl_openssl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index b48845eb..3f8c3091 100644
--- a/s
Hi,
On Thu, Jan 20, 2022 at 10:18 AM Gert Doering wrote:
> Compile and client tested on 1.1.1 and 3.0.1.
>
> Glancing at the code related to management_external_key() does
> not make me very happy... too many build time variants.
"Happiness" is never a word that comes to mind while reading Ope
I seem to have seen a similar patch in Arne's series, and we didn't
like it there much either :-) - so yeah, smarter fix, eventually.
That said, this is "only" wasting another 2048 byte as the buffer is
already at 8k if PKCS11 is enabled, and it's not static but gc_malloc().
Pretty weird to use *
I knew fixing that "avaiable" typo would come back and bite me :-)
Client tested with 3.0.1, and glanced at the code a bit.
Fixed a comment typo ("callng free_op").
Your patch has been applied to the master branch.
commit b64c9eb31824dd46c949d071751f8aebc008004c
Author: Selva Nair
Date: Tue D
Compile-tested on Linux with OpenSSL 3.0.1, and on Ubuntu/MinGW
(though with older OpenSSL) to ensure it doesn't break windows builds.
Your patch has been applied to the master branch.
commit 7ae282ca23e5a17cd9f2eb4801deed64ca64c704
Author: Selva Nair
Date: Tue Dec 14 11:59:25 2021 -0500
client tested with 3.0.1 (no pkcs#11 though), and stared at the code a bit.
This change looks like it really wants an "#else" and move the #endif
to the end of the function... (though the compiler does not warn)
pkcs11_init_tls_session(pkcs11h_certificate_t certificate,
Hi,
On Thu, Jan 20, 2022 at 11:32:40AM -0500, Selva Nair wrote:
> On Thu, Jan 20, 2022 at 10:18 AM Gert Doering wrote:
>
> > Compile and client tested on 1.1.1 and 3.0.1.
> >
> > Glancing at the code related to management_external_key() does
> > not make me very happy... too many build time vari
Combining Arne's ACK for 16+17 into this one. As far as I can see
(not checked line-by-line) this is indeed the same code, just squashed
into one commit, not touching configure.ac (thanks).
And indeed, it now tests something :-)
[==] Running 3 test(s).
[ RUN ] xkey_provider_test_fet
Acked-by: Gert Doering
We'll add build tests on Fedora / CentOS, as soon as September brings
the new buildbot infrastructure... so we get the "looks like FIPS but
isn't" stuff tested as well. (cipher) changed as instructed on IRC.
Your patch has been applied to the master branch.
commit 544330
Hi,
On Mon, Jan 17, 2022 at 4:51 AM Lev Stipakov wrote:
> From: Lev Stipakov
>
> tun_finalize() is essentially subset of socket_finalize() apart from:
>
> - using WSAFoo() functions instead of Foo()
>
> - "from" address is not returned
>
> There is no clear official statement that one can use
46 matches
Mail list logo