[Openvpn-devel] [PATCH] msvc: switch to openssl3
From: Lev Stipakov - add openssl3 port from https://github.com/microsoft/vcpkg/pull/20428/files with small changes: --- portfile.cmake.orig 2022-01-24 11:04:44.914467900 +0200 +++ portfile.cmake 2022-01-24 11:02:46.066088800 +0200 @@ -5,8 +5,8 @@ vcpkg_from_github( OUT_SOURCE_PATH SOURCE_PATH REPO openssl/openssl -REF openssl-3.0.0 -SHA512 50b4fefa3e5a3359e7b06bfbc4ecc525ef9d76e13d087aa8e2d29880f08f74cc9d0c76b9bf1895c118def2bb0e4db0095e799a752b64b60721a423bd2cf989da +REF openssl-3.0.1 +SHA512 7f303769a3a796b88478399d42aa2a9a70dc74f62c975bbb93e8903e3bb8e25f16ecfc436186c2d4aa7383302c73ad1dd8ac4fccaa589062bbce6059d6073f18 ) if(VCPKG_LIBRARY_LINKAGE STREQUAL "dynamic") @@ -114,13 +114,13 @@ if(VCPKG_TARGET_IS_UWP OR VCPKG_TARGET_IS_WINDOWS) message(STATUS "Building ${TARGET_TRIPLET}-dbg") vcpkg_execute_required_process( -COMMAND ${JOM} /K /J ${VCPKG_CONCURRENCY} /F makefile install_dev +COMMAND ${JOM} /K /J ${VCPKG_CONCURRENCY} /F makefile install_dev install_runtime WORKING_DIRECTORY "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg" LOGNAME install-${TARGET_TRIPLET}-dbg ) message(STATUS "Building ${TARGET_TRIPLET}-rel") vcpkg_execute_required_process( -COMMAND ${JOM} /K /J ${VCPKG_CONCURRENCY} /F makefile install_dev +COMMAND ${JOM} /K /J ${VCPKG_CONCURRENCY} /F makefile install_dev install_runtime WORKING_DIRECTORY "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel" LOGNAME install-${TARGET_TRIPLET}-rel ) 
@@ -129,13 +129,13 @@ else() message(STATUS "Building ${TARGET_TRIPLET}-dbg") vcpkg_execute_required_process( -COMMAND ${MAKE} -j ${VCPKG_CONCURRENCY} install_dev +COMMAND ${MAKE} -j ${VCPKG_CONCURRENCY} install_dev install_runtime WORKING_DIRECTORY "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg" LOGNAME install-${TARGET_TRIPLET}-dbg ) message(STATUS "Building ${TARGET_TRIPLET}-rel") vcpkg_execute_required_process( -COMMAND ${MAKE} -j ${VCPKG_CONCURRENCY} install_dev +COMMAND ${MAKE} -j ${VCPKG_CONCURRENCY} install_dev install_runtime WORKING_DIRECTORY "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel" LOGNAME install-${TARGET_TRIPLET}-rel ) @@ -161,6 +161,17 @@ endif() +if(VCPKG_TARGET_IS_WINDOWS) +file(MAKE_DIRECTORY "${CURRENT_PACKAGES_DIR}/tools/openssl/") +file(RENAME "${CURRENT_PACKAGES_DIR}/bin/openssl.exe" "${CURRENT_PACKAGES_DIR}/tools/openssl/openssl.exe") + +file(REMOVE +"${CURRENT_PACKAGES_DIR}/debug/bin/openssl.exe" +) +endif() + +vcpkg_copy_tool_dependencies("${CURRENT_PACKAGES_DIR}/tools/openssl") + if(VCPKG_LIBRARY_LINKAGE STREQUAL "dynamic") file(REMOVE "${CURRENT_PACKAGES_DIR}/debug/lib/libcrypto.a" "${CURRENT_PACKAGES_DIR}/debug/lib/libssl.a" @@ -184,4 +195,4 @@ ) file(INSTALL "${CURRENT_PORT_DIR}/usage" DESTINATION "${CURRENT_PACKAGES_DIR}/share/${PORT}" -) \ No newline at end of file +) - use sizeof(void *) since msvc doesn't support sizeof of function ptr - use XKEY_PROV_PROPS macro instead of props since msvc requires constant expression in aggregate initializers 
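Review bot: In the @@ -161 hunk of the portfile.cmake diff embedded in this message, `vcpkg_copy_tool_dependencies("${CURRENT_PACKAGES_DIR}/tools/openssl")` runs unconditionally, while the tools/openssl directory it operates on is created only inside the preceding `if(VCPKG_TARGET_IS_WINDOWS)` block; unless the helper guards on the target platform itself, non-Windows triplets would run it against a directory that does not exist. Moving the call inside that block, as the last line before its `endif()`, makes the dependency explicit either way. The same hunk is quoted again in the reply further down this thread, so the remark applies there too. The commit's own portfile.cmake hunk is not part of this excerpt; this is read from the diff in the commit message.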
Signed-off-by: Lev Stipakov --- .github/workflows/build.yaml | 2 +- .../openssl3/detect_platform.cmake| 86 contrib/vcpkg-ports/openssl3/portfile.cmake | 198 ++ contrib/vcpkg-ports/openssl3/usage| 11 + contrib/vcpkg-ports/openssl3/vcpkg.json | 7 + .../vcpkg-ports/pkcs11-helper/portfile.cmake | 2 +- src/openvpn/xkey_helper.c | 4 +- src/openvpn/xkey_provider.c | 13 +- 8 files changed, 311 insertions(+), 12 deletions(-) create mode 100644 contrib/vcpkg-ports/openssl3/detect_platform.cmake create mode 100644 contrib/vcpkg-ports/openssl3/portfile.cmake create mode 100644 contrib/vcpkg-ports/openssl3/usage create mode 100644 contrib/vcpkg-ports/openssl3/vcpkg.json diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 9f884ac2..f1a75736 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -294,7 +294,7 @@ jobs: uses: lukka/run-vcpkg@v7.4 with: vcpkgGitCommitId: 'a2fcb03749ff5897b5985092934dc6057680c789' - vcpkgArguments: 'openssl lz4 lzo pkcs11-helper tap-windows6' + vcpkgArguments: 'openssl3 lz4 lzo pkcs11-helper tap-windows6' vcpkgTriplet: '${{ matrix.triplet }}-windows-ovpn' cleanAfterBuild: false diff --git a/contrib/vcpkg-ports/openssl3/detect_platform.cmake b/contrib/vcpkg-ports/openssl3/detect_platform.cmake new file mode 100644 index ..5f67f8d5 --- /dev/null +++ b/contrib/vcpkg-ports/openssl3/detect_platform.cmake @@ -0,0 +1,86 @@ +if(VCPKG_TARGET_IS_ANDROID) +# ${SOURCE_PATH}/Configuration/15-android.conf +if(VCPKG_TARGET_ARCHITECTURE STREQUAL
[Openvpn-devel] [PATCH 0/2] *** msvc: switch to openssl3 ***
From: Lev Stipakov These two patches add openssl3 support for msvc build. The first one contains fixes to xkey code to make it compilable by msvc. Second one adds openssl3 port. Lev Stipakov (2): xkey: fix msvc build msvc: switch to openssl3 .github/workflows/build.yaml | 2 +- .../openssl3/detect_platform.cmake| 86 contrib/vcpkg-ports/openssl3/portfile.cmake | 204 ++ contrib/vcpkg-ports/openssl3/usage| 11 + contrib/vcpkg-ports/openssl3/vcpkg.json | 7 + .../vcpkg-ports/pkcs11-helper/portfile.cmake | 2 +- src/openvpn/xkey_helper.c | 4 +- src/openvpn/xkey_provider.c | 13 +- 8 files changed, 317 insertions(+), 12 deletions(-) create mode 100644 contrib/vcpkg-ports/openssl3/detect_platform.cmake create mode 100644 contrib/vcpkg-ports/openssl3/portfile.cmake create mode 100644 contrib/vcpkg-ports/openssl3/usage create mode 100644 contrib/vcpkg-ports/openssl3/vcpkg.json -- 2.23.0.windows.1 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH 1/2] xkey: fix msvc build
From: Lev Stipakov - use sizeof(void *) since msvc doesn't support sizeof of function ptr - use XKEY_PROV_PROPS macro instead of props since msvc requires constant expression in aggregate initializers Signed-off-by: Lev Stipakov --- src/openvpn/xkey_helper.c | 4 ++-- src/openvpn/xkey_provider.c | 13 + 2 files changed, 7 insertions(+), 10 deletions(-) diff --git a/src/openvpn/xkey_helper.c b/src/openvpn/xkey_helper.c index c667f7be..50231335 100644 --- a/src/openvpn/xkey_helper.c +++ b/src/openvpn/xkey_helper.c @@ -125,8 +125,8 @@ xkey_load_generic_key(OSSL_LIB_CTX *libctx, void *handle, EVP_PKEY *pubkey, {"xkey-origin", OSSL_PARAM_UTF8_STRING, (char *) origin, 0, 0}, {"pubkey", OSSL_PARAM_OCTET_STRING, , sizeof(pubkey), 0}, {"handle", OSSL_PARAM_OCTET_PTR, , sizeof(handle), 0}, -{"sign_op", OSSL_PARAM_OCTET_PTR, (void **) _op, sizeof(sign_op), 0}, -{"free_op", OSSL_PARAM_OCTET_PTR, (void **) _op, sizeof(free_op), 0}, +{"sign_op", OSSL_PARAM_OCTET_PTR, (void **) _op, sizeof(void *), 0}, +{"free_op", OSSL_PARAM_OCTET_PTR, (void **) _op, sizeof(void *), 0}, {NULL, 0, NULL, 0, 0}}; /* Do not use EVP_PKEY_new_from_pkey as that will take keymgmt from pubkey */ diff --git a/src/openvpn/xkey_provider.c b/src/openvpn/xkey_provider.c index c2d560c5..115b9931 100644 --- a/src/openvpn/xkey_provider.c +++ b/src/openvpn/xkey_provider.c @@ -44,9 +44,6 @@ #include #include -/* propq set all on all ops we implement */ -static const char *const props = XKEY_PROV_PROPS; - /* A descriptive name */ static const char *provname = "OpenVPN External Key Provider"; 
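Review bot: The two changed `sign_op`/`free_op` entries now advertise `sizeof(void *)` for values that are function pointers, so together with the existing `(void **)` cast the OSSL_PARAM contract rests on function and object pointers sharing one size and representation, which ISO C does not promise (POSIX does). That assumption deserves a comment at the first changed line, e.g. `/* function pointers are handed to the provider as object pointers: relies on sizeof(fn ptr) == sizeof(void *) */`, so the next reader does not switch back to `sizeof(sign_op)` on a platform where the two differ. The initializer belongs to xkey_load_generic_key, which starts before and continues after this hunk.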
@@ -592,9 +589,9 @@ static const OSSL_DISPATCH ec_keymgmt_functions[] = { }; const OSSL_ALGORITHM keymgmts[] = { -{"RSA:rsaEncryption", props, rsa_keymgmt_functions, "OpenVPN xkey RSA Key Manager"}, -{"RSA-PSS:RSASSA-PSS", props, rsa_keymgmt_functions, "OpenVPN xkey RSA-PSS Key Manager"}, -{"EC:id-ecPublicKey", props, ec_keymgmt_functions, "OpenVPN xkey EC Key Manager"}, +{"RSA:rsaEncryption", XKEY_PROV_PROPS, rsa_keymgmt_functions, "OpenVPN xkey RSA Key Manager"}, +{"RSA-PSS:RSASSA-PSS", XKEY_PROV_PROPS, rsa_keymgmt_functions, "OpenVPN xkey RSA-PSS Key Manager"}, +{"EC:id-ecPublicKey", XKEY_PROV_PROPS, ec_keymgmt_functions, "OpenVPN xkey EC Key Manager"}, {NULL, NULL, NULL, NULL} }; @@ -1074,8 +1071,8 @@ static const OSSL_DISPATCH signature_functions[] = { }; const OSSL_ALGORITHM signatures[] = { -{"RSA:rsaEncryption", props, signature_functions, "OpenVPN xkey RSA Signature"}, -{"ECDSA", props, signature_functions, "OpenVPN xkey ECDSA Signature"}, +{"RSA:rsaEncryption", XKEY_PROV_PROPS, signature_functions, "OpenVPN xkey RSA Signature"}, +{"ECDSA", XKEY_PROV_PROPS, signature_functions, "OpenVPN xkey ECDSA Signature"}, {NULL, NULL, NULL, NULL} }; -- 2.23.0.windows.1 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH 2/2] msvc: switch to openssl3
From: Lev Stipakov Add openssl3 vcpkg port from https://github.com/microsoft/vcpkg/pull/20428/files with some changes: - switch to openssl 3.0.1 - add install_runtime make target to build openssl.exe - create tools/openssl and copy there openssl.exe with dependency dlls Signed-off-by: Lev Stipakov --- .github/workflows/build.yaml | 2 +- .../openssl3/detect_platform.cmake| 86 contrib/vcpkg-ports/openssl3/portfile.cmake | 204 ++ contrib/vcpkg-ports/openssl3/usage| 11 + contrib/vcpkg-ports/openssl3/vcpkg.json | 7 + .../vcpkg-ports/pkcs11-helper/portfile.cmake | 2 +- 6 files changed, 310 insertions(+), 2 deletions(-) create mode 100644 contrib/vcpkg-ports/openssl3/detect_platform.cmake create mode 100644 contrib/vcpkg-ports/openssl3/portfile.cmake create mode 100644 contrib/vcpkg-ports/openssl3/usage create mode 100644 contrib/vcpkg-ports/openssl3/vcpkg.json diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 9f884ac2..f1a75736 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -294,7 +294,7 @@ jobs: uses: lukka/run-vcpkg@v7.4 with: vcpkgGitCommitId: 'a2fcb03749ff5897b5985092934dc6057680c789' - vcpkgArguments: 'openssl lz4 lzo pkcs11-helper tap-windows6' + vcpkgArguments: 'openssl3 lz4 lzo pkcs11-helper tap-windows6' vcpkgTriplet: '${{ matrix.triplet }}-windows-ovpn' cleanAfterBuild: false diff --git a/contrib/vcpkg-ports/openssl3/detect_platform.cmake b/contrib/vcpkg-ports/openssl3/detect_platform.cmake new file mode 100644 index ..5f67f8d5 --- /dev/null +++ b/contrib/vcpkg-ports/openssl3/detect_platform.cmake 
@@ -0,0 +1,86 @@ +if(VCPKG_TARGET_IS_ANDROID) +# ${SOURCE_PATH}/Configuration/15-android.conf +if(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm64") +set(PLATFORM "android-arm64") +elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm") +set(PLATFORM "android-arm") +elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "x64") +set(PLATFORM "android-x86_64") +elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "x86") +set(PLATFORM "android-x86") +endif() + +elseif(VCPKG_TARGET_IS_LINUX) +if(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm64") +set(PLATFORM "linux-aarch64") +elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm") +set(PLATFORM "linux-armv4") +elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "x64") +set(PLATFORM "linux-x86_64") +elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "x86") +set(PLATFORM "linux-x86") +elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "ppc64le") +set(PLATFORM "linux-ppc64le") +endif() + +elseif(VCPKG_TARGET_IS_IOS) +# ${SOURCE_PATH}/Configuration/15-ios.conf +if(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm64") +set(PLATFORM "ios64-xcrun") +elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm") +set(PLATFORM "ios-xcrun") +elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "x86" OR + VCPKG_TARGET_ARCHITECTURE STREQUAL "x64") +set(PLATFORM "iossimulator-xcrun") +endif() + +elseif(VCPKG_TARGET_IS_OSX) +if(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm64") +set(PLATFORM "darwin64-arm64-cc") +elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "x64") +set(PLATFORM "darwin64-x86_64-cc") +endif() + +elseif(VCPKG_TARGET_IS_FREEBSD OR VCPKG_TARGET_IS_OPENBSD) +if(VCPKG_TARGET_ARCHITECTURE STREQUAL "x64") +set(PLATFORM "BSD-x86_64") +elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "x86") +set(PLATFORM "BSD-x86") +endif() + +elseif(VCPKG_TARGET_IS_MINGW) +if(VCPKG_TARGET_ARCHITECTURE STREQUAL "x64") +set(PLATFORM "mingw64") +elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "x86") +set(PLATFORM "mingw") +endif() + +elseif(VCPKG_TARGET_IS_UWP) +# ${SOURCE_PATH}/Configuration/50-win-onecore.conf +if(VCPKG_TARGET_ARCHITECTURE STREQUAL "x86") +set(PLATFORM 
"VC-WIN32-UWP") +elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "x64") +set(PLATFORM "VC-WIN64A-UWP") +elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm") +set(PLATFORM "VC-WIN32-ARM-UWP") +elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm64") +set(PLATFORM "VC-WIN64-ARM-UWP") +endif() + +elseif(VCPKG_TARGET_IS_WINDOWS) +# ${SOURCE_PATH}/Configuration/50-win-onecore.conf +if(VCPKG_TARGET_ARCHITECTURE STREQUAL "x86") +set(PLATFORM "VC-WIN32") +elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "x64") +set(PLATFORM "VC-WIN64A") +elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm") +set(PLATFORM "VC-WIN32-ARM") +elseif(VCPKG_TARGET_ARCHITECTURE STREQUAL "arm64") +set(PLATFORM "VC-WIN64-ARM") +endif() + +endif() + +if(NOT DEFINED PLATFORM) +message(FATAL_ERROR "PLATFORM is unknown for the target platform/architecture") +endif() diff --git
Re: [Openvpn-devel] [PATCH] msvc: switch to openssl3
Hi, > A whole patch in the commit message is not very helpful and makes it hard to > read. Why not include this patch + the original, and apply the patch during > build? > > Or just add a pointer to the original file in the changed file so that it > could be diff-ed against if need be, Yeah, I was not sure what is the best way to indicate the difference between this one and the original one, so I added it to the commit message. Not sure what you mean by "apply the patch during build" - you can have patches for port sources but I don't think you can patch the port script. As you proposed, I could add a comment to the patched file that points to the original one. > These changes look sane though I think this should be a separate commit. I could do that, but then the commit without those changes will break the build. -- -Lev ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] msvc: switch to openssl3
Hi On Mon, Jan 24, 2022 at 4:47 AM Lev Stipakov wrote: > From: Lev Stipakov > > - add openssl3 port from > https://github.com/microsoft/vcpkg/pull/20428/files > with small changes: > > --- portfile.cmake.orig 2022-01-24 11:04:44.914467900 +0200 > +++ portfile.cmake 2022-01-24 11:02:46.066088800 +0200 > @@ -5,8 +5,8 @@ > vcpkg_from_github( > OUT_SOURCE_PATH SOURCE_PATH > REPO openssl/openssl > -REF openssl-3.0.0 > -SHA512 > > 50b4fefa3e5a3359e7b06bfbc4ecc525ef9d76e13d087aa8e2d29880f08f74cc9d0c76b9bf1895c118def2bb0e4db0095e799a752b64b60721a423bd2cf989da > +REF openssl-3.0.1 > +SHA512 > > 7f303769a3a796b88478399d42aa2a9a70dc74f62c975bbb93e8903e3bb8e25f16ecfc436186c2d4aa7383302c73ad1dd8ac4fccaa589062bbce6059d6073f18 > ) > > if(VCPKG_LIBRARY_LINKAGE STREQUAL "dynamic") > @@ -114,13 +114,13 @@ > if(VCPKG_TARGET_IS_UWP OR VCPKG_TARGET_IS_WINDOWS) > message(STATUS "Building ${TARGET_TRIPLET}-dbg") > vcpkg_execute_required_process( > -COMMAND ${JOM} /K /J ${VCPKG_CONCURRENCY} /F makefile > install_dev > +COMMAND ${JOM} /K /J ${VCPKG_CONCURRENCY} /F makefile > install_dev install_runtime > WORKING_DIRECTORY > "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg" > LOGNAME install-${TARGET_TRIPLET}-dbg > ) > message(STATUS "Building ${TARGET_TRIPLET}-rel") > vcpkg_execute_required_process( > -COMMAND ${JOM} /K /J ${VCPKG_CONCURRENCY} /F makefile > install_dev > +COMMAND ${JOM} /K /J ${VCPKG_CONCURRENCY} /F makefile > install_dev install_runtime > WORKING_DIRECTORY > "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel" > LOGNAME install-${TARGET_TRIPLET}-rel > ) 
> @@ -129,13 +129,13 @@ > else() > message(STATUS "Building ${TARGET_TRIPLET}-dbg") > vcpkg_execute_required_process( > -COMMAND ${MAKE} -j ${VCPKG_CONCURRENCY} install_dev > +COMMAND ${MAKE} -j ${VCPKG_CONCURRENCY} install_dev > install_runtime > WORKING_DIRECTORY > "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-dbg" > LOGNAME install-${TARGET_TRIPLET}-dbg > ) > message(STATUS "Building ${TARGET_TRIPLET}-rel") > vcpkg_execute_required_process( > -COMMAND ${MAKE} -j ${VCPKG_CONCURRENCY} install_dev > +COMMAND ${MAKE} -j ${VCPKG_CONCURRENCY} install_dev > install_runtime > WORKING_DIRECTORY > "${CURRENT_BUILDTREES_DIR}/${TARGET_TRIPLET}-rel" > LOGNAME install-${TARGET_TRIPLET}-rel > ) > @@ -161,6 +161,17 @@ > > endif() > > +if(VCPKG_TARGET_IS_WINDOWS) > +file(MAKE_DIRECTORY "${CURRENT_PACKAGES_DIR}/tools/openssl/") > +file(RENAME "${CURRENT_PACKAGES_DIR}/bin/openssl.exe" > "${CURRENT_PACKAGES_DIR}/tools/openssl/openssl.exe") > + > +file(REMOVE > +"${CURRENT_PACKAGES_DIR}/debug/bin/openssl.exe" > +) > +endif() > + > +vcpkg_copy_tool_dependencies("${CURRENT_PACKAGES_DIR}/tools/openssl") > + > if(VCPKG_LIBRARY_LINKAGE STREQUAL "dynamic") > file(REMOVE "${CURRENT_PACKAGES_DIR}/debug/lib/libcrypto.a" > "${CURRENT_PACKAGES_DIR}/debug/lib/libssl.a" 
> @@ -184,4 +195,4 @@ > ) > file(INSTALL "${CURRENT_PORT_DIR}/usage" > DESTINATION "${CURRENT_PACKAGES_DIR}/share/${PORT}" > -) > \ No newline at end of file > +) > A whole patch in the commit message is not very helpful and makes it hard to read. Why not include this patch + the original, and apply the patch during build? Or just add a pointer to the original file in the changed file so that it could be diff-ed against if need be, > - use sizeof(void *) since msvc doesn't support sizeof of function ptr > - use XKEY_PROV_PROPS macro instead of props since msvc > requires constant expression in aggregate initializers > These changes look sane though I think this should be a separate commit. Selva ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [PATCH 3/3] Support PSS signing using pkcs11-helper >= 1.28
From: Selva Nair - Call pkcs11h_certificate_signAny_ex() when available so that the signature mechanism parameters can be pased. (Required for RSA-PSS signature). Signed-off-by: Selva Nair --- src/openvpn/pkcs11_openssl.c | 123 +-- 1 file changed, 118 insertions(+), 5 deletions(-) diff --git a/src/openvpn/pkcs11_openssl.c b/src/openvpn/pkcs11_openssl.c index 9cf46b2c..5d1a5de6 100644 --- a/src/openvpn/pkcs11_openssl.c +++ b/src/openvpn/pkcs11_openssl.c 
@@ -45,10 +45,112 @@ #ifdef HAVE_XKEY_PROVIDER static XKEY_EXTERNAL_SIGN_fn xkey_pkcs11h_sign; +#if PKCS11H_VERSION > ((1<<16) | (27<<8)) /* version > 1.27 */ + +/* Table linking OpenSSL digest NID with CKM and CKG constants in PKCS#11 */ +#define MD_TYPE(n) {NID_sha##n, CKM_SHA##n, CKG_MGF1_SHA##n} +static const struct +{ + int nid; + unsigned long ckm_id; + unsigned long mgf_id; +} mdtypes[] = {MD_TYPE(224), MD_TYPE(256), MD_TYPE(384), MD_TYPE(512), + {NID_sha1, CKM_SHA_1, CKG_MGF1_SHA1}, /* SHA_1 naming is an oddity */ + {NID_undef, 0, 0}}; + +/* From sigalg, derive parameters for pss signature and fill in pss_params. + * Its of type CK_RSA_PKCS_PSS_PARAMS struct with three fields to be filled in: + * {enum hashAlg, enum mgf, ulong sLen} + * where hashAlg is CKM_SHA256 etc., mgf is CKG_MGF1_SHA256 etc. + */ +static int +set_pss_params(CK_RSA_PKCS_PSS_PARAMS *pss_params, XKEY_SIGALG sigalg, + pkcs11h_certificate_t cert) +{ +int ret = 0; +X509 *x509 = NULL; +EVP_PKEY *pubkey = NULL; + +if ((x509 = pkcs11h_openssl_getX509(cert)) == NULL +|| (pubkey = X509_get0_pubkey(x509)) == NULL) +{ +msg(M_WARN, "PKCS#11: Unable get public key"); +goto cleanup; +} + +/* map mdname to CKM and CKG constants for hash and mgf algorithms */ +int i = 0; +int nid = OBJ_sn2nid(sigalg.mdname); +while (mdtypes[i].nid != NID_undef && mdtypes[i].nid != nid) +{ +i++; +} +pss_params->hashAlg = mdtypes[i].ckm_id; +pss_params->mgf = mdtypes[i].mgf_id; + +/* determine salt length */ +int mdsize = EVP_MD_size(EVP_get_digestbyname(sigalg.mdname)); + +int saltlen = -1; +if (!strcmp(sigalg.saltlen, "digest")) /* same as digest size */ +{ +saltlen = mdsize; +} +else if (!strcmp(sigalg.saltlen, "max")) /* maximum possible value */ +{ +saltlen = xkey_max_saltlen(EVP_PKEY_get_bits(pubkey), mdsize); +} + +if (saltlen < 0 || pss_params->hashAlg == 0) +{ +msg(M_WARN, "WARN: invalid RSA_PKCS1_PSS parameters: saltlen = <%s> " +"mdname = <%s>.", sigalg.saltlen, sigalg.mdname); +goto cleanup; +} 
+pss_params->sLen = (unsigned long) saltlen; /* saltlen >= 0 at this point */ + +msg(D_XKEY, "set_pss_params: sLen = %lu, hashAlg = %lu, mgf = %lu", +pss_params->sLen, pss_params->hashAlg, pss_params->mgf); + +ret = 1; + +cleanup: +if (x509) +{ +X509_free(x509); +} +return ret; +} + +#else + +/* Make set_pss_params a no-op that always succeeds */ +#define set_pss_params(...) (1) + +/* Use a wrapper for pkcs11h_certificate_signAny_ex() for versions < 1.28 + * where its not available. + * We just call pkcs11h_certificate_signAny() unless the padding + * is PSS in which case we return an error. + */ +static CK_RV +pkcs11h_certificate_signAny_ex(const pkcs11h_certificate_t cert, +const CK_MECHANISM *mech, const unsigned char *tbs, +size_t tbslen, unsigned char *sig, size_t *siglen) +{ +if (mech->mechanism == CKM_RSA_PKCS_PSS) +{ +msg(M_NONFATAL, "PKCS#11: Error: PSS padding is not supported by " +"this version of pkcs11-helper library."); +return CKR_MECHANISM_INVALID; +} +return pkcs11h_certificate_signAny(cert, mech->mechanism, tbs, tbslen, sig, siglen); +} +#endif /* PKCS11H_VERSION > 1.27 */ + /** * Sign op called from xkey provider * - * We support ECDSA, RSA_NO_PADDING, RSA_PKCS1_PADDING + * We support ECDSA, RSA_NO_PADDING, RSA_PKCS1_PADDING, RSA_PKCS_PSS_PADDING */ static int xkey_pkcs11h_sign(void *handle, unsigned char *sig, @@ -62,7 +164,7 @@ xkey_pkcs11h_sign(void *handle, unsigned char *sig, if (!strcmp(sigalg.op, "DigestSign")) { -dmsg(D_LOW, "xkey_pkcs11h_sign: computing digest"); +msg(D_XKEY, "xkey_pkcs11h_sign: computing digest"); if (xkey_digest(tbs, tbslen, buf, , sigalg.mdname)) { tbs = buf; @@ -77,18 +179,29 @@ xkey_pkcs11h_sign(void *handle, unsigned char *sig, if (!strcmp(sigalg.keytype, "EC")) { +msg(D_XKEY, "xkey_pkcs11h_sign: signing with EC key"); mech.mechanism = CKM_ECDSA; } else if (!strcmp(sigalg.keytype, "RSA")) { +msg(D_XKEY, "xkey_pkcs11h_sign: signing with RSA key: padmode = %s", +sigalg.padmode); if (!strcmp(sigalg.padmode,"none")) {
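Review bot: The gate `#if PKCS11H_VERSION > ((1<<16) | (27<<8))` at the top of the @@ -45 hunk admits any 1.27.x release with a non-zero patch level, given the (major<<16)|(minor<<8)|patch layout the expression itself implies, while the patch title and the closing `/* PKCS11H_VERSION > 1.27 */` comment mean "1.28 or later"; `#if PKCS11H_VERSION >= ((1<<16) | (28<<8)) /* version >= 1.28 */` states that intent exactly, and the `#endif` comment should be updated to match. Separately, the @@ -62 hunk turns `dmsg(D_LOW, ...)` into `msg(D_XKEY, ...)` whereas the companion 1/3 patch keeps `dmsg` for the same kind of message; if dmsg is the debug-build-only variant, that is a small behaviour change worth either a word in the commit message or keeping `dmsg`. The new warning string `"PKCS#11: Unable get public key"` reads better as `"PKCS#11: Unable to get public key"`. The enclosing `#ifdef HAVE_XKEY_PROVIDER` region and xkey_pkcs11h_sign both continue past the hunks shown here.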
[Openvpn-devel] [PATCH 2/3] Fix max saltlen calculation in cryptoapi.c
From: Selva Nair (nbits - 1)/8 should have been rounded up. Fix and move it to an inlined function for reuse in pkcs11_openssl.c (used in the next commit). Note: The error is not triggered in normal use as OpenSSL always seems to use saltlen="digest" for signing. Signed-off-by: Selva Nair --- src/openvpn/cryptoapi.c | 2 +- src/openvpn/xkey_common.h | 14 ++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index 8e0ceba7..56cab962 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -843,7 +843,7 @@ xkey_cng_rsa_sign(CAPI_DATA *cd, unsigned char *sig, size_t *siglen, const unsig int saltlen = tbslen; /* digest size by default */ if (!strcmp(sigalg.saltlen, "max")) { -saltlen = (EVP_PKEY_bits(cd->pubkey) - 1)/8 - tbslen - 2; +saltlen = xkey_max_saltlen(EVP_PKEY_bits(cd->pubkey), tbslen); if (saltlen < 0) { msg(M_NONFATAL, "Error in cryptoapicert: invalid salt length (%d)", saltlen); diff --git a/src/openvpn/xkey_common.h b/src/openvpn/xkey_common.h index 75ca5011..1e51e672 100644 --- a/src/openvpn/xkey_common.h +++ b/src/openvpn/xkey_common.h @@ -153,6 +153,20 @@ xkey_load_generic_key(OSSL_LIB_CTX *libctx, void *handle, EVP_PKEY *pubkey, extern OSSL_LIB_CTX *tls_libctx; /* Global */ +/** + * Maximum salt length for PSS signature. + * + * @param modBitsNumber of bits in RSA modulus + * @param hLen Length of digest to be signed + * @returns the maximum allowed salt length. Caller must check it's not < 0. + */ +static inline int +xkey_max_saltlen(int modBits, int hLen) +{ +int emLen = (modBits - 1 + 7)/8; /* ceil((modBits - 1)/8) */ + +return emLen - hLen - 2; +} #endif /* HAVE_XKEY_PROVIDER */ #endif /* XKEY_COMMON_H_ */ -- 2.30.2 ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
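Review bot: The new `xkey_max_saltlen` in the xkey_common.h hunk encodes the EMSA-PSS bound without naming it, so the `- 2` and the `ceil((modBits - 1)/8)` cannot be checked from the comment alone; I would add a line after the `@returns` entry, ` * Per RFC 8017 sec. 9.1.1: emLen = ceil((modBits - 1)/8) and the encoding requires emLen >= hLen + sLen + 2.` The cryptoapi.c hunk keeps its `saltlen < 0` check after the call, which is exactly the contract the comment asks callers to honour, so that side needs no change.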
[Openvpn-devel] [PATCH 1/3] xkey: Use a custom error level for debug messages
From: Selva Nair D_XKEY = loglev(6, 69, M_DEBUG) is defined and used for all low level debug messages from xkey_provider.c and xkey_helper.c As suggested by Arne Schwabe Signed-off-by: Selva Nair --- src/openvpn/errlevel.h | 1 + src/openvpn/xkey_helper.c | 8 +-- src/openvpn/xkey_provider.c | 98 ++--- 3 files changed, 54 insertions(+), 53 deletions(-) diff --git a/src/openvpn/errlevel.h b/src/openvpn/errlevel.h index 602e48a8..94c6c282 100644 --- a/src/openvpn/errlevel.h +++ b/src/openvpn/errlevel.h @@ -113,6 +113,7 @@ #define D_TUN_RW LOGLEV(6, 69, M_DEBUG) /* show TUN/TAP reads/writes */ #define D_TAP_WIN_DEBUG LOGLEV(6, 69, M_DEBUG) /* show TAP-Windows driver debug info */ #define D_CLIENT_NAT LOGLEV(6, 69, M_DEBUG) /* show client NAT debug info */ +#define D_XKEY LOGLEV(6, 69, M_DEBUG) /* show xkey-provider debug info */ #define D_SHOW_KEYS LOGLEV(7, 70, M_DEBUG) /* show data channel encryption keys */ #define D_SHOW_KEY_SOURCELOGLEV(7, 70, M_DEBUG) /* show data channel key source entropy */ diff --git a/src/openvpn/xkey_helper.c b/src/openvpn/xkey_helper.c index c667f7be..582bec5d 100644 --- a/src/openvpn/xkey_helper.c +++ b/src/openvpn/xkey_helper.c @@ -65,7 +65,7 @@ int xkey_digest(const unsigned char *src, size_t srclen, unsigned char *buf, size_t *buflen, const char *mdname) { -dmsg(D_LOW, "In xkey_digest"); +dmsg(D_XKEY, "In xkey_digest"); EVP_MD *md = EVP_MD_fetch(NULL, mdname, NULL); /* from default context */ if (!md) { @@ -163,7 +163,7 @@ int xkey_management_sign(void *unused, unsigned char *sig, size_t *siglen, const unsigned char *tbs, size_t tbslen, XKEY_SIGALG alg) { -dmsg(D_LOW, "In xkey_management_sign with keytype = %s, op = %s", +dmsg(D_XKEY, "In xkey_management_sign with keytype = %s, op = %s", alg.keytype, alg.op); (void) unused; 
@@ -180,7 +180,7 @@ xkey_management_sign(void *unused, unsigned char *sig, size_t *siglen, /* if management client cannot do digest -- we do it here */ if (!strcmp(alg.op, "DigestSign") && !(flags & MF_EXTERNAL_KEY_DIGEST)) { -dmsg(D_LOW, "xkey_management_sign: computing digest"); +dmsg(D_XKEY, "xkey_management_sign: computing digest"); if (xkey_digest(tbs, tbslen, buf, , alg.mdname)) { tbs = buf; @@ -379,7 +379,7 @@ encode_pkcs1(unsigned char *enc, size_t *enc_len, const char *mdname, /* combine header and digest */ memcpy(enc, di->header, di->sz); memcpy(enc + di->sz, tbs, tbslen); -dmsg(D_LOW, "encode_pkcs1: digest length = %d encoded length = %d", +dmsg(D_XKEY, "encode_pkcs1: digest length = %d encoded length = %d", (int) tbslen, (int) out_len); ret = true; } diff --git a/src/openvpn/xkey_provider.c b/src/openvpn/xkey_provider.c index c2d560c5..9a02ed13 100644 --- a/src/openvpn/xkey_provider.c +++ b/src/openvpn/xkey_provider.c @@ -146,7 +146,7 @@ keymgmt_import_helper(XKEY_KEYDATA *key, const OSSL_PARAM params[]); static XKEY_KEYDATA * keydata_new() { -xkey_dmsg(D_LOW, "entry"); +xkey_dmsg(D_XKEY, "entry"); XKEY_KEYDATA *key = OPENSSL_zalloc(sizeof(*key)); if (!key) @@ -160,7 +160,7 @@ keydata_new() static void keydata_free(XKEY_KEYDATA *key) { -xkey_dmsg(D_LOW, "entry"); +xkey_dmsg(D_XKEY, "entry"); if (!key || key->refcount-- > 0) /* free when refcount goes to zero */ { @@ -181,7 +181,7 @@ keydata_free(XKEY_KEYDATA *key) static void * keymgmt_new(void *provctx) { -xkey_dmsg(D_LOW, "entry"); +xkey_dmsg(D_XKEY, "entry"); XKEY_KEYDATA *key = keydata_new(); if (key) @@ -195,7 +195,7 @@ keymgmt_new(void *provctx) static void * keymgmt_load(const void *reference, size_t reference_sz) { -xkey_dmsg(D_LOW, "entry"); +xkey_dmsg(D_XKEY, "entry"); return NULL; } 
@@ -235,7 +235,7 @@ keymgmt_load(const void *reference, size_t reference_sz) static int keymgmt_import(void *keydata, int selection, const OSSL_PARAM params[], const char *name) { -xkey_dmsg(D_LOW, "entry"); +xkey_dmsg(D_XKEY, "entry"); XKEY_KEYDATA *key = keydata; ASSERT(key); @@ -252,11 +252,11 @@ keymgmt_import(void *keydata, int selection, const OSSL_PARAM params[], const ch if (p && p->data_type == OSSL_PARAM_UTF8_STRING) { key->origin = EXTERNAL_KEY; -xkey_dmsg(D_LOW, "importing external key"); +xkey_dmsg(D_XKEY, "importing external key"); return keymgmt_import_helper(key, params); } -xkey_dmsg(D_LOW, "importing native key"); +xkey_dmsg(D_XKEY, "importing native key"); /* create a native public key and assign it to key->pubkey */ EVP_PKEY *pkey = NULL; @@ -293,14 +293,14 @@ keymgmt_import(void *keydata, int selection, const OSSL_PARAM params[], const ch }
Re: [Openvpn-devel] [PATCH 1/2] xkey: fix msvc build
On Mon, Jan 24, 2022 at 2:22 PM Lev Stipakov wrote: > From: Lev Stipakov > > - use sizeof(void *) since msvc doesn't support sizeof of function ptr > This is not just an msvc problem, but signals a bigger issue it seems. In retrospect, passing function pointers pickled this was probably a bad design decision on my part though we are forced by OpenSSL 3's design of using OSSL_PARAMs to pass data to providers. For now, The proposed fix (i.e., to use void*) looks okay to me especially since its handled like a normal pointer during key import. But we may have to find a better way for passing these function pointers if this comes back to bite us. > > - use XKEY_PROV_PROPS macro instead of props since msvc > requires constant expression in aggregate initializers > Makes sense. > Signed-off-by: Lev Stipakov > --- > src/openvpn/xkey_helper.c | 4 ++-- > src/openvpn/xkey_provider.c | 13 + > 2 files changed, 7 insertions(+), 10 deletions(-) > > diff --git a/src/openvpn/xkey_helper.c b/src/openvpn/xkey_helper.c > index c667f7be..50231335 100644 > --- a/src/openvpn/xkey_helper.c > +++ b/src/openvpn/xkey_helper.c > @@ -125,8 +125,8 @@ xkey_load_generic_key(OSSL_LIB_CTX *libctx, void > *handle, EVP_PKEY *pubkey, > {"xkey-origin", OSSL_PARAM_UTF8_STRING, (char *) origin, 0, 0}, > {"pubkey", OSSL_PARAM_OCTET_STRING, , sizeof(pubkey), 0}, > {"handle", OSSL_PARAM_OCTET_PTR, , sizeof(handle), 0}, > -{"sign_op", OSSL_PARAM_OCTET_PTR, (void **) _op, > sizeof(sign_op), 0}, > -{"free_op", OSSL_PARAM_OCTET_PTR, (void **) _op, > sizeof(free_op), 0}, > +{"sign_op", OSSL_PARAM_OCTET_PTR, (void **) _op, sizeof(void > *), 0}, > +{"free_op", OSSL_PARAM_OCTET_PTR, (void **) _op, sizeof(void > *), 0}, > {NULL, 0, NULL, 0, 0}}; > > /* Do not use EVP_PKEY_new_from_pkey as that will take keymgmt from > pubkey */ > diff --git a/src/openvpn/xkey_provider.c b/src/openvpn/xkey_provider.c > index c2d560c5..115b9931 100644 > --- a/src/openvpn/xkey_provider.c > +++ b/src/openvpn/xkey_provider.c 
> @@ -44,9 +44,6 @@ > #include > #include > > -/* propq set all on all ops we implement */ > -static const char *const props = XKEY_PROV_PROPS; > - > /* A descriptive name */ > static const char *provname = "OpenVPN External Key Provider"; > > @@ -592,9 +589,9 @@ static const OSSL_DISPATCH ec_keymgmt_functions[] = { > }; > > const OSSL_ALGORITHM keymgmts[] = { > -{"RSA:rsaEncryption", props, rsa_keymgmt_functions, "OpenVPN xkey RSA > Key Manager"}, > -{"RSA-PSS:RSASSA-PSS", props, rsa_keymgmt_functions, "OpenVPN xkey > RSA-PSS Key Manager"}, > -{"EC:id-ecPublicKey", props, ec_keymgmt_functions, "OpenVPN xkey EC > Key Manager"}, > +{"RSA:rsaEncryption", XKEY_PROV_PROPS, rsa_keymgmt_functions, > "OpenVPN xkey RSA Key Manager"}, > +{"RSA-PSS:RSASSA-PSS", XKEY_PROV_PROPS, rsa_keymgmt_functions, > "OpenVPN xkey RSA-PSS Key Manager"}, > +{"EC:id-ecPublicKey", XKEY_PROV_PROPS, ec_keymgmt_functions, "OpenVPN > xkey EC Key Manager"}, > {NULL, NULL, NULL, NULL} > }; > > @@ -1074,8 +1071,8 @@ static const OSSL_DISPATCH signature_functions[] = { > }; > > const OSSL_ALGORITHM signatures[] = { > -{"RSA:rsaEncryption", props, signature_functions, "OpenVPN xkey RSA > Signature"}, > -{"ECDSA", props, signature_functions, "OpenVPN xkey ECDSA Signature"}, > +{"RSA:rsaEncryption", XKEY_PROV_PROPS, signature_functions, "OpenVPN > xkey RSA Signature"}, > +{"ECDSA", XKEY_PROV_PROPS, signature_functions, "OpenVPN xkey ECDSA > Signature"}, > {NULL, NULL, NULL, NULL} > }; Acked-by: Selva Nair ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH] msvc: switch to openssl3
Hi On Mon, Jan 24, 2022 at 1:56 PM Lev Stipakov wrote: > Hi, > > > A whole patch in the commit message is not very helpful and makes it > hard to read. Why not include this patch + the original, and apply the > patch during build? > > > > Or just add a pointer to the original file in the changed file so that > it could be diff-ed against if need be, > > Yeah, I was not sure what is the best way to indicate difference > between this one and original one, so I added it to commit message. > Not sure what do you mean by "apply the patch during build" - you can > have patches for port sources but I don't think you can patch the port > script. > Like you proposed I could add a comment to the patched file which > points to original one. > As mentioned in my response to the GUI PR, I just can't bring myself to like this idea of matching vcpkg ports in OpenVPN core and GUI and the need to keep them in sync, keep them updated etc. Feels like a wrong approach though I do not know enough to suggest a better way. > > > These changes look sane though I think this should be a separate commit. > > I could do that, but then commit without those changes will break the > build. > Your fix to the xkey patch set is actually a generic one, not just a work-around for msvc. It could be applied first before fixing the msvc build. Selva ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel