From: Selva Nair
Reported-by: Arne Schwabe
Signed-off-by: Selva Nair
---
src/openvpn/pkcs11_openssl.c | 9 -
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/pkcs11_openssl.c b/src/openvpn/pkcs11_openssl.c
index a82b4b32..c4f88816 100644
---
Hi,
On 26/01/2022 17:28, Antonio Quartulli wrote:
Our crypto API already provides a function performing a validity check
on the specified ciphername. The OpenSSL counterpart also checks for the
cipher being FIPS-enabled.
This API is cipher_valid(). Extend it so that it can provide a reason
Am 26.01.22 um 16:11 schrieb Antonio Quartulli:
Originally we wanted to move this OpenSSL specific code to its own
backend and use a proper abstraction in the crypto.c code.
However, tests have revealed that OpenVPN will never try to print a
cipher that is not supported by FIPS (assuming FIPS
With cipher validation performed in cipher_get(), a cipher is never
returned in any case if some check fails.
This prevents OpenVPN from operating on all ciphers provided by the SSL
library, like printing them to the user.
Move the validation logic to cipher_valid() so that checks are performed
Our crypto API already provides a function performing a validity check
on the specified ciphername. The OpenSSL counterpart also checks for the
cipher being FIPS-enabled.
This API is cipher_valid(). Extend it so that it can provide a reason
whenever the cipher is not valid and use it in crypto.c.
Originally we wanted to move this OpenSSL specific code to its own
backend and use a proper abstraction in the crypto.c code.
However, tests have revealed that OpenVPN will never try to print a
cipher that is not supported by FIPS (assuming FIPS is enabled), because
along the chain of calls we
Hi,
On Wed, Jan 26, 2022 at 09:23:29AM -0500, Selva Nair wrote:
> P.S. If the commit is not pushed yet, I can send a v2 for review, or follow
> up with a fixup.
I only noticed it after pushing, so yes, messed-up. Sorry again.
gert
--
"If was one thing all people took for granted, was
On Wed, Jan 26, 2022 at 6:50 AM Arne Schwabe wrote:
> Am 25.01.22 um 03:51 schrieb selva.n...@gmail.com:
> > From: Selva Nair
> >
> > - Call pkcs11h_certificate_signAny_ex() when available
> >so that the signature mechanism parameters can be pased.
> >(Required for RSA-PSS signature).
>
Thanks.
Even if, as Antonio noticed, we will only leak memory for a very short
time before hitting the M_FATAL message in "cleanup"...
Your patch has been applied to the master branch.
commit 0f7cd474118deeced48168ed9cec0806e7f4cc15
Author: Selva Nair
Date: Thu Jan 20 11:26:45 2022 -0500
Thanks.
Your patch has been applied to the release/2.5 branch.
commit f1f8eb5f88caf72937a95dc797ab0d26c563f280
Author: Antonio Quartulli
Date: Fri Jan 21 21:49:33 2022 +0100
GitHub Actions: update script to same version as master
Signed-off-by: Antonio Quartulli
Acked-by:
Patch + explanation make sense and Arne indeed ACKed this. Thanks.
Reproduced the problem (GCM + verb7):
2022-01-26 14:40:34 us=15705 Data Channel: using negotiated cipher
'AES-256-GCM'
...
2022-01-26 14:40:34 us=15829 Message hash algorithm 'none' not found
2022-01-26 14:40:34
This time I'm sure I have an ACK :-) - and the changes look reasonable.
Compile tested on linux/3.0.1, just to avoid typos that went unnoticed
(all fine).
Your patch has been applied to the master branch.
commit 627d1a3d286386067a93b755def308ea70060310
Author: Lev Stipakov
Date: Fri Jan 21
Hi,
On Wed, Jan 26, 2022 at 02:26:46PM +0100, Gert Doering wrote:
> I'm not claiming to understand any of this... so I have test compiled
> on Linux/3.0.1, and also bumped my MinGW test rig to pkcs11-helper 1.28
> (though only 1.1.1 yet). So maybe I tested something useful, or maybe
> not... but
I'm not claiming to understand any of this... so I have test compiled
on Linux/3.0.1, and also bumped my MinGW test rig to pkcs11-helper 1.28
(though only 1.1.1 yet). So maybe I tested something useful, or maybe
not... but at least these combinations still compile fine :-)
Your patch has been
I won't claim to understand this, but if Arne says the math is (now)
fine, I'm happy to believe this :-) - only compile tested on 3.0.1 / Linux.
Your patch has been applied to the master branch.
commit 72daac6973c304b93e6516879948c5470d0c805a
Author: Selva Nair
Date: Mon Jan 24 21:51:27 2022
Looks good, compile tested on 3.0.1/Linux (no surprises, straightforward
enough).
Your patch has been applied to the master branch.
commit dfb9cd62dc8b643c95f862d3f75c53f36aecd2da
Author: Selva Nair
Date: Mon Jan 24 21:51:26 2022 -0500
xkey: Use a custom error level for debug messages
Verified that this patch indeed only touches "copyright" lines
(git show -I Copyright).
Your patch has been applied to the master branch.
commit 1800d77ec54dc8608c4933a46d3d23437cf224c1
Author: Antonio Quartulli
Date: Tue Jan 25 15:24:56 2022 +0100
update copyright year to 2022
Cc: David Sommerseth
Signed-off-by: Antonio Quartulli
---
COPYING | 2 +-
ChangeLog | 2 +-
Makefile.am | 4 ++--
PORTS
From: Lev Stipakov
Add openssl3 vcpkg port, which is slightly modified version of
openssl1.1.1 port from official vcpkg repo.
Signed-off-by: Lev Stipakov
---
v2:
- rewrite openssl3 port based on upstream's openssl1.1.1 port
and statically link legacy provider into it
Am 25.01.22 um 03:51 schrieb selva.n...@gmail.com:
From: Selva Nair
- Call pkcs11h_certificate_signAny_ex() when available
so that the signature mechanism parameters can be pased.
(Required for RSA-PSS signature).
Signed-off-by: Selva Nair
---
src/openvpn/pkcs11_openssl.c | 123
Am 25.01.22 um 03:51 schrieb selva.n...@gmail.com:
From: Selva Nair
(nbits - 1)/8 should have been rounded up. Fix and move it to
an inlined function for reuse in pkcs11_openssl.c (used in the
next commit).
Note: The error is not triggered in normal use as OpenSSL
always seems to use
Am 25.01.22 um 03:51 schrieb selva.n...@gmail.com:
From: Selva Nair
D_XKEY = loglev(6, 69, M_DEBUG) is defined and used for
all low level debug messages from xkey_provider.c and
xkey_helper.c
As suggested by Arne Schwabe
Thanks for that.
Acked-By: Arne Schwabe
On 25/01/2022 15:24, Antonio Quartulli wrote:
Update performed by means of: dev-tools/update-copyright.sh
Cc: David Sommerseth
Signed-off-by: Antonio Quartulli
---
COPYING | 2 +-
ChangeLog
23 matches
Mail list logo