Hi,
Not a code review but a general comment as this is a new option that
warrants some discussion.
On Tue, Oct 19, 2021 at 2:32 PM Arne Schwabe <a...@rfc2549.org> wrote:
> This allows OpenVPN to load non-default providers. This is mainly
> useful for loading the legacy provider with --provider legacy:default
>
While this format looks okay, we need to consider a few things to get this
option right and possibly extensible in future without causing a regression.
(i) Provider name may not be a simple word like legacy -- could also be the
path to a shared object with possible embedded space in the path name. A
single option with optional quotes, picked apart using ":" as separator can
still work.
Ideally I would have preferred space separated provider names with
each quoted if needed, but the format proposed here may be easier to parse.
Need clear documentation, though.
(ii) We may want to attach some meaning to the order in which providers are
specified. Here is why:
When multiple providers implement the same method (say, KEYEXCH), there is
no guarantee in OpenSSL as to which will get used. Unless a property query
like "?provider=my-fast-aes" is also used. Here the prefix "?" to mean
preferred but not exclusive. In cases like an pkcs11 token provider, one
would need to say the opposite like "?provider=default" to ensure default
is preferred and the token provider is to be used only when required -- say
when the key is in a token. Same would be the case with our proposed
built-in "external-key provider" which should be used only for certain
operations that handle the external key.
How this relates to the --provider option is like this: in some cases we
want to know which provider the user prefers. Instead of hard-coding the
preferred provider to "default" which the user may not even want to load.
We could state that the first provider specified will become the preferred
one when there are multiple choices for a method or when a preferred
fallback is required. In that case the option for legacy would be
--provider default:legacy
And, if this option is absent, we take it to mean that the "default"
provider should be loaded. This explicit loading of providers takes away
some ambiguity regarding which one's are made available. However, this
could conflict with what is in the OpenSSL config file. Which is not a bad
thing as we probably should not use the config file to load providers
(which we currently do) -- it's not supported on some platforms (Windows as
of now) and can lead to broken setups due to user error.
At the same time, provider paths and their names could be set up in OpenSSL
config files, so loading them through config has some advantages. So, an
alternate option is to not add this option at all and require the use of a
config file to load additional providers like "legacy + default". Loading a
custom config file is possible with OpenSSL 3.0 and could be enabled on
Windows in a safe manner.
Or always load providers from OPENSSL config and use the "--provider foo"
on top of that.
We could also consider a separate option to specify a preferred property
query ("?provider=myprov") that could be added later and not rely on any
ordering here.
The above is just meant for further discussion -- I'm not entirely sure
what the best approach is.
Regards,
Selva
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
