James, could you please resend a full patch, so as to have a better overview of the whole change?
Thanks! On 29/10/17 23:07, James Bottomley wrote: > On Sun, 2017-10-29 at 17:34 +0500, Илья Шипицин wrote: >> 2017-10-28 17:03 GMT+05:00 James Bottomley < >> [email protected]>: >> >>> >>> As well as doing crypto acceleration, engines can also be used to >>> load >>> key files. If the engine is set, and the private key loading fails >>> for bio methods, this patch makes openvpn try to get the engine to >>> load the key. If that succeeds, we end up using an engine based >>> key. >>> This can be used with the openssl tpm engines to make openvpn use a >>> TPM wrapped key file. >>> >> >> >> it fails on mbedtls and openssl-1.1.0 >> >> https://travis-ci.org/chipitsine/openvpn/builds/294429659 > > It looks like it needs better config guarding; incremental attached > below. > > However, it exposes an openvpn problem: engines aren't built with > openssl-1.1 because the configure.ac check for ENGINE_cleanup doesn't > find the function (it became a #define). I'll see if I can fix that. > > The mbedtls one looks like the function def needs to be in > crypto_openssl.h; I've moved it but can't compile check > > James > > --- > > diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h > index 0b4a9ce9..cc8f138f 100644 > --- a/src/openvpn/crypto_backend.h > +++ b/src/openvpn/crypto_backend.h > @@ -669,17 +669,5 @@ const char *translate_cipher_name_from_openvpn(const > char *cipher_name); > */ > const char *translate_cipher_name_to_openvpn(const char *cipher_name); > > -/** > - * Load a key file from an engine > - * > - * @param file The engine file to load > - * @param ui The UI method for the password prompt > - * @param data The data to pass to the UI method > - * > - * @return The private key if successful or NULL if not > - */ > -EVP_PKEY * > -engine_load_key(const char *file, SSL_CTX *ctx); > - > > #endif /* CRYPTO_BACKEND_H_ */ > diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c > index ee16a496..1fcb80a6 100644 
> --- a/src/openvpn/crypto_openssl.c > +++ b/src/openvpn/crypto_openssl.c > @@ -969,6 +969,7 @@ hmac_ctx_final(HMAC_CTX *ctx, uint8_t *dst) > HMAC_Final(ctx, dst, &in_hmac_len); > } > > +#ifdef HAVE_OPENSSL_ENGINE > static int > ui_read(UI *ui, UI_STRING *uis) > { > @@ -986,10 +987,12 @@ ui_read(UI *ui, UI_STRING *uis) > } > return 0; > } > +#endif > > EVP_PKEY * > engine_load_key(const char *file, SSL_CTX *ctx) > { > +#ifdef HAVE_OPENSSL_ENGINE > UI_METHOD *ui; > EVP_PKEY *pkey; > > @@ -1016,6 +1019,9 @@ engine_load_key(const char *file, SSL_CTX *ctx) > out: > UI_destroy_method(ui); > return pkey; > +#else > + return NULL; > +#endif > } > > #endif /* ENABLE_CRYPTO && ENABLE_CRYPTO_OPENSSL */ > diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h > index 60a28123..759dc927 100644 > --- a/src/openvpn/crypto_openssl.h > +++ b/src/openvpn/crypto_openssl.h > @@ -101,5 +101,17 @@ void crypto_print_openssl_errors(const unsigned int > flags); > msg((flags), __VA_ARGS__); \ > } while (false) > > +/** > + * Load a key file from an engine > + * > + * @param file The engine file to load > + * @param ui The UI method for the password prompt > + * @param data The data to pass to the UI method > + * > + * @return The private key if successful or NULL if not > + */ > +EVP_PKEY * > +engine_load_key(const char *file, SSL_CTX *ctx); > + > > #endif /* CRYPTO_OPENSSL_H_ */ > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > Openvpn-devel mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/openvpn-devel > -- Antonio Quartulli
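Review bot: removing the engine_load_key declaration from crypto_backend.h is the right fix for the mbedtls build, since a prototype returning EVP_PKEY * and taking SSL_CTX * cannot live in the backend-neutral header, but the callers of engine_load_key are not part of this incremental patch; check that every caller is compiled only under ENABLE_CRYPTO_OPENSSL and includes crypto_openssl.h, otherwise the OpenSSL build loses the prototype and falls back to an implicit int declaration.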
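Review bot: the `#else` branch added to engine_load_key returns NULL with no diagnostic, and with OpenSSL 1.1 that is the branch that gets built, because (as the message above says) the configure check for ENGINE_cleanup fails once it became a #define and HAVE_OPENSSL_ENGINE stays undefined; a user who set an engine will then only see the generic private-key load failure. Log that engine support was compiled out before returning, e.g. `msg(M_WARN, "engine key loading unavailable: built without OpenSSL engine support");`, and add `(void)file; (void)ctx;` to the stub so it does not trip -Wunused-parameter. Placing ui_read and the real engine_load_key in one `#ifdef HAVE_OPENSSL_ENGINE` region with the stub in its `#else` would also avoid preprocessor conditionals around the local declarations inside the function body.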
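Review bot: the doxygen block moved into crypto_openssl.h still documents `@param ui` and `@param data`, which do not exist in `engine_load_key(const char *file, SSL_CTX *ctx)`, and does not document `ctx` at all. Replace the two stale entries with a `@param ctx` line that says what the SSL context is used for, and make the `file` description say whether the path is opened by OpenVPN or handed to the engine as an opaque key identifier, since that is what matters for a TPM-wrapped key file.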
