[Openvpn-devel] [PATCH] pkcs11_openssl.c: check EVP_get_digestbyname() != NULL

2022-01-26 Thread selva . nair
From: Selva Nair Reported-by: Arne Schwabe Signed-off-by: Selva Nair --- src/openvpn/pkcs11_openssl.c | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/openvpn/pkcs11_openssl.c b/src/openvpn/pkcs11_openssl.c index a82b4b32..c4f88816 100644 ---

Re: [Openvpn-devel] [PATCH 2/2] crypto: move OpenSSL specific FIPS check to its backend

2022-01-26 Thread Antonio Quartulli
Hi, On 26/01/2022 17:28, Antonio Quartulli wrote: Our crypto API already provides a function performing a validity check on the specified ciphername. The OpenSSL counterpart also checks for the cipher being FIPS-enabled. This API is cipher_valid(). Extend it so that it can provide a reason

Re: [Openvpn-devel] [PATCH] crypto.c: remove (dead) OpenSSL specific code

2022-01-26 Thread Arne Schwabe
On 26.01.22 at 16:11, Antonio Quartulli wrote: Originally we wanted to move this OpenSSL specific code to its own backend and use a proper abstraction in the crypto.c code. However, tests have revealed that OpenVPN will never try to print a cipher that is not supported by FIPS (assuming FIPS

[Openvpn-devel] [PATCH 1/2] crypto: move validation logic from cipher_get to cipher_valid

2022-01-26 Thread Antonio Quartulli
With cipher validation performed in cipher_get(), a cipher is never returned in any case if some check fails. This prevents OpenVPN from operating on all ciphers provided by the SSL library, like printing them to the user. Move the validation logic to cipher_valid() so that checks are performed

[Openvpn-devel] [PATCH 2/2] crypto: move OpenSSL specific FIPS check to its backend

2022-01-26 Thread Antonio Quartulli
Our crypto API already provides a function performing a validity check on the specified ciphername. The OpenSSL counterpart also checks for the cipher being FIPS-enabled. This API is cipher_valid(). Extend it so that it can provide a reason whenever the cipher is not valid and use it in crypto.c.

[Openvpn-devel] [PATCH] crypto.c: remove (dead) OpenSSL specific code

2022-01-26 Thread Antonio Quartulli
Originally we wanted to move this OpenSSL specific code to its own backend and use a proper abstraction in the crypto.c code. However, tests have revealed that OpenVPN will never try to print a cipher that is not supported by FIPS (assuming FIPS is enabled), because along the chain of calls we

Re: [Openvpn-devel] [PATCH 3/3] Support PSS signing using pkcs11-helper >= 1.28

2022-01-26 Thread Gert Doering
Hi, On Wed, Jan 26, 2022 at 09:23:29AM -0500, Selva Nair wrote: > P.S. If the commit is not pushed yet, I can send a v2 for review, or follow > up with a fixup. I only noticed it after pushing, so yes, messed-up. Sorry again. gert -- "If was one thing all people took for granted, was

Re: [Openvpn-devel] [PATCH 3/3] Support PSS signing using pkcs11-helper >= 1.28

2022-01-26 Thread Selva Nair
On Wed, Jan 26, 2022 at 6:50 AM Arne Schwabe wrote: > On 25.01.22 at 03:51, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > - Call pkcs11h_certificate_signAny_ex() when available > >so that the signature mechanism parameters can be passed. > >(Required for RSA-PSS signature). >

[Openvpn-devel] [PATCH applied] Re: Fix a potential memory leak in tls_ctx_use_management_external_key

2022-01-26 Thread Gert Doering
Thanks. Even if, as Antonio noticed, we will only leak memory for a very short time before hitting the M_FATAL message in "cleanup"... Your patch has been applied to the master branch. commit 0f7cd474118deeced48168ed9cec0806e7f4cc15 Author: Selva Nair Date: Thu Jan 20 11:26:45 2022 -0500

[Openvpn-devel] [PATCH applied] Re: GitHub Actions: update script to same version as master

2022-01-26 Thread Gert Doering
Thanks. Your patch has been applied to the release/2.5 branch. commit f1f8eb5f88caf72937a95dc797ab0d26c563f280 Author: Antonio Quartulli Date: Fri Jan 21 21:49:33 2022 +0100 GitHub Actions: update script to same version as master Signed-off-by: Antonio Quartulli Acked-by:

[Openvpn-devel] [PATCH applied] Re: Do not error when md_kt_size() is called with mdname=none

2022-01-26 Thread Gert Doering
Patch + explanation make sense and Arne indeed ACKed this. Thanks. Reproduced the problem (GCM + verb7): 2022-01-26 14:40:34 us=15705 Data Channel: using negotiated cipher 'AES-256-GCM' ... 2022-01-26 14:40:34 us=15829 Message hash algorithm 'none' not found 2022-01-26 14:40:34

[Openvpn-devel] [PATCH applied] Re: xkey: fix msvc build

2022-01-26 Thread Gert Doering
This time I'm sure I have an ACK :-) - and the changes look reasonable. Compile tested on linux/3.0.1, just to avoid typos that went unnoticed (all fine). Your patch has been applied to the master branch. commit 627d1a3d286386067a93b755def308ea70060310 Author: Lev Stipakov Date: Fri Jan 21

Re: [Openvpn-devel] [PATCH applied] Re: Support PSS signing using pkcs11-helper >= 1.28

2022-01-26 Thread Gert Doering
Hi, On Wed, Jan 26, 2022 at 02:26:46PM +0100, Gert Doering wrote: > I'm not claiming to understand any of this... so I have test compiled > on Linux/3.0.1, and also bumped my MinGW test rig to pkcs11-helper 1.28 > (though only 1.1.1 yet). So maybe I tested something useful, or maybe > not... but

[Openvpn-devel] [PATCH applied] Re: Support PSS signing using pkcs11-helper >= 1.28

2022-01-26 Thread Gert Doering
I'm not claiming to understand any of this... so I have test compiled on Linux/3.0.1, and also bumped my MinGW test rig to pkcs11-helper 1.28 (though only 1.1.1 yet). So maybe I tested something useful, or maybe not... but at least these combinations still compile fine :-) Your patch has been

[Openvpn-devel] [PATCH applied] Re: Fix max saltlen calculation in cryptoapi.c

2022-01-26 Thread Gert Doering
I won't claim to understand this, but if Arne says the math is (now) fine, I'm happy to believe this :-) - only compile tested on 3.0.1 / Linux. Your patch has been applied to the master branch. commit 72daac6973c304b93e6516879948c5470d0c805a Author: Selva Nair Date: Mon Jan 24 21:51:27 2022

[Openvpn-devel] [PATCH applied] Re: xkey: Use a custom error level for debug messages

2022-01-26 Thread Gert Doering
Looks good, compile tested on 3.0.1/Linux (no surprises, straightforward enough). Your patch has been applied to the master branch. commit dfb9cd62dc8b643c95f862d3f75c53f36aecd2da Author: Selva Nair Date: Mon Jan 24 21:51:26 2022 -0500 xkey: Use a custom error level for debug messages

[Openvpn-devel] [PATCH applied] Re: update copyright year to 2022

2022-01-26 Thread Gert Doering
Verified that this patch indeed only touches "copyright" lines (git show -I Copyright). Your patch has been applied to the master branch. commit 1800d77ec54dc8608c4933a46d3d23437cf224c1 Author: Antonio Quartulli Date: Tue Jan 25 15:24:56 2022 +0100 update copyright year to 2022

[Openvpn-devel] [PATCH 2.5] update copyright year to 2022

2022-01-26 Thread Antonio Quartulli
Cc: David Sommerseth Signed-off-by: Antonio Quartulli --- COPYING | 2 +- ChangeLog | 2 +- Makefile.am | 4 ++-- PORTS

[Openvpn-devel] [PATCH v2 2/2] msvc: switch to openssl3

2022-01-26 Thread Lev Stipakov
From: Lev Stipakov Add openssl3 vcpkg port, which is slightly modified version of openssl1.1.1 port from official vcpkg repo. Signed-off-by: Lev Stipakov --- v2: - rewrite openssl3 port based on upstream's openssl1.1.1 port and statically link legacy provider into it

Re: [Openvpn-devel] [PATCH 3/3] Support PSS signing using pkcs11-helper >= 1.28

2022-01-26 Thread Arne Schwabe
On 25.01.22 at 03:51, selva.n...@gmail.com wrote: From: Selva Nair - Call pkcs11h_certificate_signAny_ex() when available so that the signature mechanism parameters can be passed. (Required for RSA-PSS signature). Signed-off-by: Selva Nair --- src/openvpn/pkcs11_openssl.c | 123

Re: [Openvpn-devel] [PATCH 2/3] Fix max saltlen calculation in cryptoapi.c

2022-01-26 Thread Arne Schwabe
On 25.01.22 at 03:51, selva.n...@gmail.com wrote: From: Selva Nair (nbits - 1)/8 should have been rounded up. Fix and move it to an inlined function for reuse in pkcs11_openssl.c (used in the next commit). Note: The error is not triggered in normal use as OpenSSL always seems to use

Re: [Openvpn-devel] [PATCH 1/3] xkey: Use a custom error level for debug messages

2022-01-26 Thread Arne Schwabe
On 25.01.22 at 03:51, selva.n...@gmail.com wrote: From: Selva Nair D_XKEY = loglev(6, 69, M_DEBUG) is defined and used for all low level debug messages from xkey_provider.c and xkey_helper.c As suggested by Arne Schwabe Thanks for that. Acked-By: Arne Schwabe

Re: [Openvpn-devel] [PATCH] update copyright year to 2022

2022-01-26 Thread David Sommerseth
On 25/01/2022 15:24, Antonio Quartulli wrote: Update performed by means of: dev-tools/update-copyright.sh Cc: David Sommerseth Signed-off-by: Antonio Quartulli --- COPYING | 2 +- ChangeLog