[Openvpn-devel] [PATCH] unit-test: fix test_crypto when USE_COMP is not defined

2022-01-20 Thread Antonio Quartulli
This unit-test did not consider the case when USE_COMP is not defined, thus generating a compiler error. Adapt the test to the case when no compression is available and while at it, decompose the expected MTU values by feature so that it is easier to understand. Cc: Arne Schwabe Signed-off-by: An

Re: [Openvpn-devel] [PATCH v3 01/18] A built-in provider for using external key with OpenSSL 3.0

2022-01-20 Thread Arne Schwabe
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com: From: Selva Nair Acked-By: Arne Schwabe ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Re: [Openvpn-devel] [PATCH v3 02/18] Implement KEYMGMT in the xkey provider

2022-01-20 Thread Arne Schwabe
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com: From: Selva Nair A minimal set of functions for keymgmt are implemented. No support for external key import as yet, only native keys. Support for native keys is required as keys may get imported into us for some operations as well as for compar

Re: [Openvpn-devel] [PATCH v3 03/18] Implement SIGNATURE operations in xkey provider

2022-01-20 Thread Arne Schwabe
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com: From: Selva Nair - Basic frame work for announcing support for signature operations - DigestSign and Sign functions for native keys are also implemented. Though strictly not needed, these functions for native keys sets up the framewo

Re: [Openvpn-devel] [PATCH v3 04/18] Implement import of custom external keys

2022-01-20 Thread Arne Schwabe
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com: From: Selva Nair Our key object retains info about the external key as an opaque handle to the backend. We also need the public key as an EVP_PKEY *. For native keys we use OpenSSL API to import data into the key. The 'handle' r

Re: [Openvpn-devel] [PATCH v3 05/18] Initialize the xkey provider and use it in SSL context

2022-01-20 Thread Arne Schwabe
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com: From: Selva Nair - Add function to check when external key is in use - Load xkey provider into a custom library context when required - Use the custom libctx in SSL CTX when external key is in use As no keys are yet loaded through the provid

Re: [Openvpn-devel] [PATCH v3 06/18] A helper function to import private key for management-external-key

2022-01-20 Thread Arne Schwabe
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com: From: Selva Nair - Leverage keymgmt_import through EVP_PKEY_new_fromdata() to import "management-external-key" - When required, use this to set SSL_CTX_use_PrivateKey The sign_op is not implemented yet. This will error out while signing wi

Re: [Openvpn-devel] [PATCH v3 07/18] Enable signing via provider for management-external-key

2022-01-20 Thread Arne Schwabe
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com: From: Selva Nair - Add a function to set as sign_op during key import. The function passes the signature request to management interface, and returns the result to the provider. v2 changes: Method to do digest added to match the changes

Re: [Openvpn-devel] [PATCH v3 08/18] Add a function to encode digests with PKCS1 DigestInfo wrapper

2022-01-20 Thread Arne Schwabe
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com: From: Selva Nair The EVP_PKEY interface as well as provider passes the raw digest to the sign() function. In case of RSA_PKCS1, our management interface expects an encoded hash, which has the DigestInfo header added as per PKCSv1.5 specs, unles

Re: [Openvpn-devel] [PATCH v3 09/18] Allow management client to announce pss padding support

2022-01-20 Thread Arne Schwabe
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com: From: Selva Nair The --management-external-key option can currently indicate support for 'nopadding' or 'pkcs1' signatures in the client. Add 'pss' as an option to announce that PSS signing requests are accepted. To match, extend the algorithm

Re: [Openvpn-devel] [PATCH v3 10/18] Respect algorithm support announced by management client

2022-01-20 Thread Arne Schwabe
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com: From: Selva Nair Support for padding algorithms in management-client is indicated in the optional argument to --management-external-key as "pkcs1", "pss" etc. We currently use it only for an early exit based on heuristics that a required algori

Re: [Openvpn-devel] [PATCH v3 11/18] Support sending DigestSign request to management client

2022-01-20 Thread Arne Schwabe
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com: From: Selva Nair To receive undigested message for signing, indicate support for handling message digesting in the client using an argument "digest" to --management-external-key. For example, to announce pkcs1 padding and digesting support use

Re: [Openvpn-devel] [PATCH v3 13/18] Add a generic key loading helper function for xkey provider

2022-01-20 Thread Arne Schwabe
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com: From: Selva Nair - Load keys by specifying the opaque private key handle, public key, sign-op and free-op required for loading keys from Windows store and pkcs11. - xkey_load_management_key is refactored to use the new function - Also m

Re: [Openvpn-devel] [PATCH v3 12/18] Increase ERR_BUF_SIZE when management interface support is enabled

2022-01-20 Thread Arne Schwabe
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com: From: Selva Nair Sending largish messages to the management interface errors due to the limited size used for the "error" buffer in x_msg_va(). Although all intermediate steps allocate required space for the data to send, it gets truncated at t

Re: [Openvpn-devel] [PATCH v3 14/18] pkcs11: Interface the xkey provider with pkcs11-helper

2022-01-20 Thread Arne Schwabe
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com: From: Selva Nair - Load the 'private key' handle through the provider and set it in SSL_CTX - Add a sign op function to interface provider with pkcs11-helper. Previously we used its "OpenSSL Session" which internally sets up callbacks

Re: [Openvpn-devel] [PATCH v3 15/18] Enable signing using CNG through xkey provider

2022-01-20 Thread Arne Schwabe
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com: From: Selva Nair - Add xkey_cng_sign() as sign_op for the provider and load the key using xkey_generic_load. - Enable/Disable old code when provider is available or not. - xkey_digest is made non-static for use in cryptoapi.c One function

Re: [Openvpn-devel] [PATCH v3 16/18] Add a unit test for external key provider

2022-01-20 Thread Arne Schwabe
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com: From: Selva Nair Tests: - Check SIGNATURE and KEYMGMT methods can be fetched from the provider - Load sample RSA and EC keys as management-external-key and check that their sign callbacks are correctly exercised: with and without diges

Re: [Openvpn-devel] [PATCH v3 17/18] xkey-provider: Add a test for generic key load and signature

2022-01-20 Thread Arne Schwabe
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com: From: Selva Nair Signed-off-by: Selva Nair --- configure.ac | 2 - tests/unit_tests/openvpn/Makefile.am | 4 - tests/unit_tests/openvpn/test_provider.c | 112 +-- 3 files changed, 10

Re: [Openvpn-devel] [PATCH v3 18/18] Add xkey_provider sources and includes to MSVC project

2022-01-20 Thread Arne Schwabe
Am 14.12.21 um 17:59 schrieb selva.n...@gmail.com: From: Selva Nair Acked-By: Arne Schwabe This could be merged/squashed into the commits that introduce those files. Arne ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https:/

[Openvpn-devel] [PATCH applied] Re: A built-in provider for using external key with OpenSSL 3.0

2022-01-20 Thread Gert Doering
There is not much to test here yet - so what I did was "test that it does not break with ossl 1.x" (it doesn't), that it does not compile anything into xkey_provider.o when compiled with 3.0.0 (it doesn't) and that it *does* with 3.0.1 3.0.0$ size src/openvpn/xkey_provider.o textdata b

[Openvpn-devel] [PATCH applied] Re: Implement KEYMGMT in the xkey provider

2022-01-20 Thread Gert Doering
Only compile-tested on Linux / OpenSSL 3.0.1 (and briefly glanced over the code to see what happens). It breaks... xkey_provider.c:223:16: error: 'XKEY_KEYDATA' has no member named 'free' 223 | key->free = (XKEY_PRIVKEY_FREE_fn *) EVP_PKEY_free; |^~ xkey_provid

[Openvpn-devel] [PATCH applied] Re: Implement SIGNATURE operations in xkey provider

2022-01-20 Thread Gert Doering
This fixes compilation again. Compile-tested, briefly glanced at the code. Your patch has been applied to the master branch. commit 25f9c47127190c487eb3b4b4a3f5553fb2d62b21 Author: Selva Nair Date: Tue Dec 14 11:59:13 2021 -0500 Implement SIGNATURE operations in xkey provider Signe

[Openvpn-devel] [PATCH applied] Re: Implement import of custom external keys

2022-01-20 Thread Gert Doering
Compile-tested only (and glanced over the code). Your patch has been applied to the master branch. commit ab3a8e5c28c433fd405f964d55bb754571191b9c Author: Selva Nair Date: Tue Dec 14 11:59:14 2021 -0500 Implement import of custom external keys Signed-off-by: Selva Nair Acked-b

Re: [Openvpn-devel] [PATCH] unit-test: fix test_crypto when USE_COMP is not defined

2022-01-20 Thread Arne Schwabe
Am 20.01.22 um 11:11 schrieb Antonio Quartulli: This unit-test did not consider the case when USE_COMP is not defined, thus generating a compiler error. Adapt the test to the case when no compression is available and while at it, decompose the expected MTU values by feature so that it is easier t

[Openvpn-devel] [PATCH applied] Re: Initialize the xkey provider and use it in SSL context

2022-01-20 Thread Gert Doering
This is the first truly "interesting" patch in the series, that brings stuff to be tested :-) Tested on OSSL 1.1.1 and mbedTLS builds ("so nothing breaks with the old stuff"), and on 3.0.1 - but only with regular keys, so no "key_is_external() = true" yet. Your patch has been applied to the maste

[Openvpn-devel] [PATCH applied] Re: A helper function to import private key for management-external-key

2022-01-20 Thread Gert Doering
Compile tested with 3.0.1 and glanced over the code. Not actually tested (no management-external-key here) but I know that Arne is using *this* in his Android app, so it got a good beating :-) There might be a memory leak lurking here: +#ifdef HAVE_XKEY_PROVIDER +EVP_PKEY *privkey = xkey_loa

[Openvpn-devel] [PATCH applied] Re: Add xkey_provider sources and includes to MSVC project

2022-01-20 Thread Gert Doering
One should read all of the patch series before complaining about "this will break MSVC compilation" :-) - so here we go, MSVC fixed. (Applying out of order, so MSVC is repaired quickly). Your patch has been applied to the master branch. commit 57abdcfc3885b3c127bb3d07e9c8ccdbffcf2548 Author: Sel

Re: [Openvpn-devel] [PATCH v3 17/18] xkey-provider: Add a test for generic key load and signature

2022-01-20 Thread Gert Doering
Hi, On Tue, Dec 14, 2021 at 11:59:27AM -0500, selva.n...@gmail.com wrote: > From: Selva Nair > > Signed-off-by: Selva Nair Is it OK if I squash 16+17 together? I dislike the "history churn" of modifying configure.ac and Makefile.am in 16 just to remove the AM_CONDITIONAL bits again in 17...

[Openvpn-devel] [PATCH applied] Re: Enable signing via provider for management-external-key

2022-01-20 Thread Gert Doering
Compile and client tested on 1.1.1 and 3.0.1. Glancing at the code related to management_external_key() does not make me very happy... too many build time variants. Maybe we should look into "external key is only supported with OpenSSL 3.0.1+ builds" for 2.7 and get rid of all the #ifdef'ed c

Re: [Openvpn-devel] [PATCH v3 17/18] xkey-provider: Add a test for generic key load and signature

2022-01-20 Thread Selva Nair
Hi On Thu, Jan 20, 2022 at 9:51 AM Gert Doering wrote: > Hi, > > On Tue, Dec 14, 2021 at 11:59:27AM -0500, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > Signed-off-by: Selva Nair > > Is it OK if I squash 16+17 together? I dislike the "history churn" > of modifying configure.ac and

[Openvpn-devel] [PATCH applied] Re: Add a function to encode digests with PKCS1 DigestInfo wrapper

2022-01-20 Thread Gert Doering
Looked at the code, did client tests on 3.0.1, added a few spaces in code like "if(nid == NID_undef)" :-) As for the actual digest / encoding parts, no idea what that does, but the code looks safe wrt memcpy(), length of things, etc. Your patch has been applied to the master branch. commit cf704

[Openvpn-devel] [PATCH applied] Re: Allow management client to announce pss padding support

2022-01-20 Thread Gert Doering
Client-tested with OpenSSL 1.1.1 and 3.0.1. This patch looks trivial enough, but the intricacies of all these flag bits and padding are well beyond me :-) - good that Arne tested all this for real. Fixed one remaining occurrence of "hashlag" in the commit message. Your patch has been applied to t

[Openvpn-devel] [PATCH applied] Re: Respect algorithm support announced by management client

2022-01-20 Thread Gert Doering
Glanced a bit at the code and compile-tested on 3.0.1 - looks straightforward enough :-) (and yes to the comment about "such a check would be appropriate always", but I'm leaning more to "drop support for OpenSSL < 3.0.1 for external-key features" :-) ). Your patch has been applied to the master

Re: [Openvpn-devel] [PATCH v3 17/18] xkey-provider: Add a test for generic key load and signature

2022-01-20 Thread Gert Doering
Hi, On Thu, Jan 20, 2022 at 10:21:19AM -0500, Selva Nair wrote: > Yeah, a previous version had checking for OpenSSL version in configure.ac > and the AM_CONDITIONAL made sense only in that case. I can send a > new 16/18 or please do squash 16 with 17. If you could send a new "16+17 v4" that woul

[Openvpn-devel] [PATCH v4 16+17/18] Add a unit test for external key provider

2022-01-20 Thread selva.nair
From: Selva Nair Tests: - Check SIGNATURE and KEYMGMT methods can be fetched from the provider - Load sample RSA and EC keys as management-external-key and check that their sign callbacks are correctly exercised: with and without digest support mocked in the client capability flag. -Test

[Openvpn-devel] [PATCH applied] Re: Support sending DigestSign request to management client

2022-01-20 Thread Gert Doering
Compile-tested on 3.0.1 and stared at the code for a bit. The "global" change is trivial enough, the xkey_helper changes look safe wrt memory overflows etc, though I lack the greater understanding on how all the wheels work together (so it's good that Arne tested and ACKed this). Your patch has

[Openvpn-devel] [PATCH] Fix a potential memory leak in tls_ctx_use_management_external_key

2022-01-20 Thread selva.nair
From: Selva Nair As pointed out by Gert Doering Signed-off-by: Selva Nair --- To be applied after 06/18 of xkey patchset src/openvpn/ssl_openssl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index b48845eb..3f8c3091 100644 --- a/s

Re: [Openvpn-devel] [PATCH applied] Re: Enable signing via provider for management-external-key

2022-01-20 Thread Selva Nair
Hi, On Thu, Jan 20, 2022 at 10:18 AM Gert Doering wrote: > Compile and client tested on 1.1.1 and 3.0.1. > > Glancing at the code related to management_external_key() does > not make me very happy... too many build time variants. "Happiness" is never a word that comes to mind while reading Ope

[Openvpn-devel] [PATCH applied] Re: Increase ERR_BUF_SIZE when management interface support is enabled

2022-01-20 Thread Gert Doering
I seem to have seen a similar patch in Arne's series, and we didn't like it there much either :-) - so yeah, smarter fix, eventually. That said, this is "only" wasting another 2048 byte as the buffer is already at 8k if PKCS11 is enabled, and it's not static but gc_malloc(). Pretty weird to use *

[Openvpn-devel] [PATCH applied] Re: Add a generic key loading helper function for xkey provider

2022-01-20 Thread Gert Doering
I knew fixing that "avaiable" typo would come back and bite me :-) Client tested with 3.0.1, and glanced at the code a bit. Fixed a comment typo ("callng free_op"). Your patch has been applied to the master branch. commit b64c9eb31824dd46c949d071751f8aebc008004c Author: Selva Nair Date: Tue D

[Openvpn-devel] [PATCH applied] Re: Enable signing using CNG through xkey provider

2022-01-20 Thread Gert Doering
Compile-tested on Linux with OpenSSL 3.0.1, and on Ubuntu/MinGW (though with older OpenSSL) to ensure it doesn't break windows builds. Your patch has been applied to the master branch. commit 7ae282ca23e5a17cd9f2eb4801deed64ca64c704 Author: Selva Nair Date: Tue Dec 14 11:59:25 2021 -0500

[Openvpn-devel] [PATCH applied] Re: pkcs11: Interface the xkey provider with pkcs11-helper

2022-01-20 Thread Gert Doering
Client tested with 3.0.1 (no pkcs#11 though), and stared at the code a bit. This change looks like it really wants an "#else" and move the #endif to the end of the function... (though the compiler does not warn) pkcs11_init_tls_session(pkcs11h_certificate_t certificate,

Re: [Openvpn-devel] [PATCH applied] Re: Enable signing via provider for management-external-key

2022-01-20 Thread Gert Doering
Hi, On Thu, Jan 20, 2022 at 11:32:40AM -0500, Selva Nair wrote: > On Thu, Jan 20, 2022 at 10:18 AM Gert Doering wrote: > > > Compile and client tested on 1.1.1 and 3.0.1. > > > > Glancing at the code related to management_external_key() does > > not make me very happy... too many build time vari

[Openvpn-devel] [PATCH applied] Re: Add a unit test for external key provider

2022-01-20 Thread Gert Doering
Combining Arne's ACK for 16+17 into this one. As far as I can see (not checked line-by-line) this is indeed the same code, just squashed into one commit, not touching configure.ac (thanks). And indeed, it now tests something :-) [==] Running 3 test(s). [ RUN ] xkey_provider_test_fet

[Openvpn-devel] [PATCH applied] Re: crypto: Fix OPENSSL_FIPS enabled builds

2022-01-20 Thread Gert Doering
Acked-by: Gert Doering We'll add build tests on Fedora / CentOS, as soon as September brings the new buildbot infrastructure... so we get the "looks like FIPS but isn't" stuff tested as well. (cipher) changed as instructed on IRC. Your patch has been applied to the master branch. commit 544330

Re: [Openvpn-devel] [PATCH v3] tun: remove tun_finalize()

2022-01-20 Thread Selva Nair
Hi, On Mon, Jan 17, 2022 at 4:51 AM Lev Stipakov wrote: > From: Lev Stipakov > > tun_finalize() is essentially subset of socket_finalize() apart from: > > - using WSAFoo() functions instead of Foo() > > - "from" address is not returned > > There is no clear official statement that one can use