Hi Selva,

On 17/04/19 17:52, Selva Nair wrote:

On Wed, Apr 17, 2019 at 10:50 AM Jan Just Keijser <janj...@nikhef.nl> wrote:


    On 10/04/19 19:09, Selva Nair wrote:


    On Wed, Apr 10, 2019 at 12:59 PM Jan Just Keijser
    <janj...@nikhef.nl> wrote:


snipped...

        patching pkcs11-helper does not seem too difficult for this
        particular case - but how can we test it? I have access to hw
        tokens but I don't know how to trigger the "raw signature" bit.


    If both server and client are built with OpenSSL 1.1.1 and TLS
    version is >= 1.2, PSS padding will get used and trigger this.
    OpenSSL does PSS padding internally and passes the padded data to
    the rsa_priv_enc callback for raw signature.

    This is based on my tests for our Windows cryptoapi and
    management-external-key patches for the same -- never tried this
    using pkcs11-helper, but I expect the same behaviour.


    The good news: I can reproduce this with
    - openvpn 2.4.7
    - openssl 1.1.1b
    - pkcs11helper 1.25.1
    - Safenet etoken
    - client+server CentOS 7

    The bad news: I don't have a fix yet.


What I had in mind was a very simple patch like the one attached (totally untested). But I guess you tried that already and it doesn't work? Is it because the token
does not support raw signature (not all do) or something else?


I had not written a patch when I wrote my earlier email, but your patch is exactly what I had in mind; getting it all to compile and run with OpenSSL 1.1.1b + OpenVPN 2.4.7 was a bit of a challenge, but I finally managed...

and yes, your patch works admirably - I can connect again using TLSv1.3 + token.  If I comment out your patch, do a rebuild of libpkcs11helper.so then it fails again, proving your patch works.

Can you do a pull request for your pkcs11-helper patch on the pkcs11helper github page? Or shall we simply patch pkcs11-helper ourselves?

cheers,

JJK
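As an added illustration of the mechanism Selva describes above (example code, not from the thread, OpenVPN or pkcs11-helper): with OpenSSL 1.1.1 and TLS 1.3 the library applies the RSA-PSS padding itself and hands the padded block to rsa_priv_enc with no padding requested, so the token side only has to perform the raw RSA private-key operation. The pure-Python sketch below encodes a message with EMSA-PSS (RFC 8017), performs that raw operation on a constructed software key standing in for the token, and verifies the result the way a TLS peer would; the key generation is deliberately simplified for the demo.

```python
import hashlib, os, random
H, HLEN = hashlib.sha256, 32  # rsa_pss_rsae_sha256: digest, MGF1 hash and salt are all SHA-256 sized

def gen_rsa_key(bits=1024, e=65537):
    # Constructed software key standing in for the token's key pair. A Fermat test on a few bases and
    # the random module are fine for a throwaway demo key, never for real key generation.
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if (c - 1) % e and all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7, 11, 13)):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        if p != q and (p * q).bit_length() == bits:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def mgf1(seed, length):
    return b"".join(H(seed + i.to_bytes(4, "big")).digest() for i in range(-(-length // HLEN)))[:length]

def emsa_pss_encode(msg, em_bits, salt):
    # RFC 8017 9.1.1: the padding step OpenSSL 1.1.1 performs itself before calling rsa_priv_enc
    em_len = (em_bits + 7) // 8
    h = H(b"\x00" * 8 + H(msg).digest() + salt).digest()
    db = b"\x00" * (em_len - len(salt) - HLEN - 2) + b"\x01" + salt
    masked = bytes(a ^ b for a, b in zip(db, mgf1(h, em_len - HLEN - 1)))
    masked = bytes([masked[0] & (0xFF >> (8 * em_len - em_bits))]) + masked[1:]  # clear excess high bits
    return masked + h + b"\xbc"

def raw_rsa_private_op(em, n, d):
    # Raw signature: with RSA_NO_PADDING the callback returns m^d mod n on the padded block it was given (CKM_RSA_X_509)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes((n.bit_length() + 7) // 8, "big")

def pss_sign_via_raw_op(msg, n, d, salt=None):
    salt = os.urandom(HLEN) if salt is None else salt
    return raw_rsa_private_op(emsa_pss_encode(msg, n.bit_length() - 1, salt), n, d)

def pss_verify(msg, sig, n, e, s_len=HLEN):
    # RFC 8017 9.1.2, as the TLS peer checks the CertificateVerify signature (modulus bit length 1024 here)
    em_bits, em_len = n.bit_length() - 1, (n.bit_length() + 6) // 8
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(em_len, "big")
    masked, h = em[:em_len - HLEN - 1], em[em_len - HLEN - 1:-1]
    if em[-1] != 0xBC or masked[0] >> (8 - (8 * em_len - em_bits)):
        return False
    db = bytes(a ^ b for a, b in zip(masked, mgf1(h, em_len - HLEN - 1)))
    db = bytes([db[0] & (0xFF >> (8 * em_len - em_bits))]) + db[1:]
    ps_len = em_len - HLEN - s_len - 2
    if db[:ps_len] != bytes(ps_len) or db[ps_len] != 0x01:
        return False
    return H(b"\x00" * 8 + H(msg).digest() + db[ps_len + 1:]).digest() == h
```

A callback that instead applies PKCS#1 v1.5 padding to this already full-length block, or rejects the unpadded request outright, cannot produce a signature the peer accepts, which is the TLSv1.3 failure the thread reproduces.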

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
