On Sat, Sep 18, 2021 at 3:22 PM Arne Schwabe <a...@rfc2549.org> wrote:

>
> > https://github.com/selvanair/openvpn/tree/xkey-provider-v2
> >
> > It should build on linux without errors, though with lots of deprecation
> > warnings in old files. The executable will work and allow one to test
> > key loading and some of the other internals by running as tls-client with a
> > normal key in a file -- not inlined key or external key. The key will
> > get loaded into the provider and treated as opaque and still pass
> > signature etc. This is only for testing. See the last commit message
> > for some details on this.
>
> I won't have time on the weekend to look at it but I will definitely
> take a look next week. But that sounds very promising.
>
> >
> > Build with --enable debug. Note that the last commit made for testing
> > will break signing with external keys until callbacks are connected plus
> > some more.
> >
> > I should have a more complete version ready to hook up with
> > backend callbacks by the end of the weekend.
> >
> > I skimmed through your branch. You need keymgmt_load to get the loading
> > through store to work. As for other ops, implementing
> > signature_sign_init and sign are not enough -- one needs digest_verify
> > methods and digest_sign methods as well. This is because ssl-ctx has to
> > be created in the context of our provider for sign to work, but then all
> > public key ops also get delegated to us.  It took a while for me to sort
> > that out.
> >
> > Unfortunately this provider framework makes us write a metric ton of
> > glue code.
>
> I noticed .....
> >
> > Please feel free to nit-pick or otherwise-pick on the code.
> >
>
>
Updated & improved version with commits broken into smaller chunks is here

https://github.com/selvanair/openvpn/pull/new/xkey-provider-v3

I'm ready to submit the patches to the list for review. As I touch only one
or two contexts in the core I haven't rebased to your OpenSSL 3.0
deprecation patches. Any minor conflicts should be easy to fix.

Thanks,

Selva
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
