[Openvpn-devel] Is auth-nocache broken?

2022-10-19 Thread Selva Nair
Hi, Using --auth-user-pass, --auth-nocache and --reneg-sec , no auth-tokens in use, I see that username/password is prompted on the first connection attempt and at first renegotiation. After that reneg completes without prompting for user/pass. Looking at the server it shows the previously entere

Re: [Openvpn-devel] [PATCH] TLS: do not lock empty usernames

2022-10-19 Thread Selva Nair
On Wed, Oct 19, 2022 at 1:05 AM Arne Schwabe wrote: > > > If we can conjure up usernames (like with empty --> token-user) why not > allow other username > changes too? > > In general the current authentication system in OpenVPN is ill equipped to > handle them. On renegotiation we only do auth bu

Re: [Openvpn-devel] [PATCH] TLS: do not lock empty usernames

2022-10-18 Thread Selva Nair
Hi, On Mon, Oct 10, 2022 at 3:14 AM Gert Doering wrote: > We do not permit username changes on renegotiation (= username is > "locked" after successful initial authentication). > > Unfortunately the way this is written this gets in the way of using > auth-user-pass-optional + pushing "auth-token

Re: [Openvpn-devel] [PATCH v4 release/2.5] msvc: add branch name and commit hash to version output

2022-09-23 Thread Selva Nair
This may be extreme nitpicking... +l = ["detached\n"] > +branch = "/" .join(l)[:-1] > Use "none" instead of "detached"? The logic being: we are trying to add the branch name to the version, so "none" if not on a branch, "unknown" if the branch cannot be determined. By the way, autoto

Re: [Openvpn-devel] [PATCH] msvc: add branch name and commit hash to version output

2022-09-22 Thread Selva Nair
Hi, On Thu, Sep 22, 2022 at 10:39 AM Lev Stipakov wrote: > From: Lev Stipakov > > Add a simple python script which generates a header with > branch name and commit hash #defines. > > While on it, fix filename in msvc-generate.vcxproj > and add proper copyright header to Makefile.mak. > > Signed-o

Re: [Openvpn-devel] [PATCH release/2.5] msvc: add branch name and commit hash to version output

2022-09-22 Thread Selva Nair
Hi, On Thu, Sep 22, 2022 at 8:59 AM Lev Stipakov wrote: > From: Lev Stipakov > > Add a simple python script which generates a header with > branch name and commit hash #defines. > > While on it, fix filename in msvc-generate.vcxproj > and add proper copyright header to Makefile.mak. > > Signed-of

Re: [Openvpn-devel] [PATCH v4] push-peer-info: rearrange function generating peer info

2022-09-20 Thread Selva Nair
On Tue, Sep 20, 2022 at 3:26 PM Antonio Quartulli wrote: > Hi, > > On 20/09/2022 18:42, Gert Doering wrote: > > Hi, > > > > On Mon, Sep 19, 2022 at 12:06:18AM +0200, Antonio Quartulli wrote: > >> +switch (session->opt->push_peer_info_detail) > >> { > >> -/* push version */ > >>

Re: [Openvpn-devel] [PATCH] Add common_name to the conv method. This allows the common_name to be accessible in PAM.

2022-09-18 Thread Selva Nair
On Sat, Sep 17, 2022 at 10:09 AM Antonio Quartulli wrote: > From: Michael Karvan > > Signed-off-by: Michael Karvan > --- > src/plugins/auth-pam/auth-pam.c | 9 - > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/src/plugins/auth-pam/auth-pam.c > b/src/plugins/auth-pam/a

Re: [Openvpn-devel] [PATCH 2/2] get_user_pass_cr: get password from stdin if missing inline

2022-09-14 Thread Selva Nair
On Wed, Sep 14, 2022 at 3:30 PM Antonio Quartulli wrote: > Hi, > > On 14/09/2022 21:26, Selva Nair wrote: > > diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c > > index 07f6e202..50f7f975 100644 > > --- a/src/openvpn/misc.c > > +++ b/src

Re: [Openvpn-devel] [PATCH 2/2] get_user_pass_cr: get password from stdin if missing inline

2022-09-14 Thread Selva Nair
On Wed, Sep 14, 2022 at 3:02 PM Antonio Quartulli wrote: > Until now, when HTTP proxy user and password were specified inline, > it was assumed that both creds were specified. A missing password would > result in an empty password being stored. > > This behaviour is not ideal, as we want to allow

Re: [Openvpn-devel] [PATCH] Fix declaration of pubkeys in test_provider.c in MSVC builds

2022-08-25 Thread Selva Nair
On Thu, Aug 25, 2022 at 4:37 PM Gert Doering wrote: > Hi, > > On Wed, Aug 24, 2022 at 06:57:18PM +0200, Arne Schwabe wrote: > > Error: test_provider.c(74): error C2099: initializer is not a constant > > > > Fix this issue by making the const char* to const char[]. This is > probably > > of one

Re: [Openvpn-devel] [PATCH applied] Re: Allow a few levels of recursion in virtual_output_callback()

2022-08-22 Thread Selva Nair
In case this request was lost, here goes again. Can we have this cherry-picked into 2.5 before the next release? Selva On Thu, Aug 11, 2022 at 4:03 PM Selva Nair wrote: > Hi, > > On Tue, Aug 2, 2022 at 8:02 AM Gert Doering wrote: > >> Acked-by: Gert Doering >> >&

Re: [Openvpn-devel] [PATCH v102 3/7] dco-win: implement ovpn-dco support in P2P Windows code path

2022-08-21 Thread Selva Nair
Hi, Did a quick test on Windows 10 and appears to work as expected. Some minor things: (i) I had persist-tun which caused a fatal error that required opening the log file to find what's wrong and then fix the config file -- unfortunately the GUI status window cannot display such early errors. Isn

Re: [Openvpn-devel] [PATCH applied] Re: Allow a few levels of recursion in virtual_output_callback()

2022-08-11 Thread Selva Nair
Hi, On Tue, Aug 2, 2022 at 8:02 AM Gert Doering wrote: > Acked-by: Gert Doering > > I cannot test this (beyond "compile", but that is trivial) but the > description in > > > https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24738.html > > makes sense, so allowing "a limited am

Re: [Openvpn-devel] [PATCH] openvpnmsica: remove OpenVPNService state check code

2022-08-04 Thread Selva Nair
se changes to installer, we don't need this code > in openvpnmsica. > > Signed-off-by: Lev Stipakov > --- > src/openvpnmsica/openvpnmsica.c | 115 > 1 file changed, 115 deletions(-) > With PR261 in openvpn-build merged, this is now read

[Openvpn-devel] [PATCH 2/2] Allow a few levels of recursion in virtual_output_callback()

2022-07-27 Thread selva . nair
From: Selva Nair Without this, replies to commands from the management client are sometimes lost if the server is writing when a command comes in and leads to a recursive call to this function. For some reason I've not been able to trigger this on Linux, but it does sometimes happen on Wi

[Openvpn-devel] [PATCH 1/2] Do not skip ERROR:/SUCCESS: response from management interface

2022-07-27 Thread selva . nair
From: Selva Nair Generally we expect a response of SUCCESS: or ERROR: to every command sent to the management interface. But, while in the management-hold state, sending "signal foo" returns only the following reply (with foo = SIGHUP, SIGUSR1 etc.): >HOLD:Waiting for hold rele

[Openvpn-devel] [PATCH v2] xkey_provider: fix building with --disable-management

2022-07-27 Thread selva . nair
From: Selva Nair v2: also fix building test_provider - ifdefs in test_provider.c - include integer.h for min_int as manage.h may not always pull it in Too many ifdefs, unfortunately.. Signed-off-by: Selva Nair --- src/openvpn/xkey_helper.c| 4 tests/unit_tests

[Openvpn-devel] [PATCH] xkey_provider: fix building with --disable-management

2022-07-26 Thread selva . nair
From: Selva Nair Signed-off-by: Selva Nair --- src/openvpn/xkey_helper.c | 4 1 file changed, 4 insertions(+) diff --git a/src/openvpn/xkey_helper.c b/src/openvpn/xkey_helper.c index 81dd71dc..27e87d79 100644 --- a/src/openvpn/xkey_helper.c +++ b/src/openvpn/xkey_helper.c @@ -85,6 +85,7

Re: [Openvpn-devel] OpenSSL 3.0 builds with --disable-management

2022-07-26 Thread Selva Nair
Hi, On Tue, Jul 26, 2022 at 2:59 AM Gert Doering wrote: > > I'm just relaying what buildbot found, not suggesting a particular fix > - not very familiar with these new code paths (do we need xkey at all > if management is disabled?). > xkey handles all external keys including pkcs11 and cryptoa

[Openvpn-devel] Response from management i/f lost in some cases.

2022-07-25 Thread Selva Nair
Hi, Generally we expect a response of "SUCCESS: " or "ERROR: ..." to every command sent to the management interface (in multi-line cases, a terminating line with "END" too). I've noticed a couple of situations where this is either missing or gets lost. (i) While in the hold state, sending "sig
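The reply conventions described in this report and in the companion patch "Do not skip ERROR:/SUCCESS: response from management interface" (a one-line "SUCCESS: ..." or "ERROR: ..." reply, an "END" line closing a multi-line reply, and ">"-prefixed real-time notifications such as ">HOLD:..." that are not replies at all) are easy to get wrong in a management client. The following is an added example, not code from OpenVPN or from this thread: a small reader that consumes one reply and reports the case the thread is about, a notification arriving with no terminating reply behind it. The sample transcripts are constructed; the exact wording of the SUCCESS: and >HOLD: lines is illustrative.

```python
# Added example (not OpenVPN code): reader for one management-interface reply.
#   "SUCCESS: ..." / "ERROR: ..."  terminate a one-line reply
#   "END"                          terminates a multi-line reply
#   ">..."                         real-time notification, never a reply terminator

SUCCESS_PREFIX = "SUCCESS:"
ERROR_PREFIX = "ERROR:"
END_MARKER = "END"


def parse_reply(lines):
    """Consume lines until one reply is complete.

    Returns a dict:
      status  -- "SUCCESS", "ERROR", "END" (multi-line reply) or "INCOMPLETE"
      payload -- text after SUCCESS:/ERROR:, or the data lines of a multi-line reply
      async   -- '>' notifications seen while waiting; they do not belong to the reply
    "INCOMPLETE" is the failure mode reported in the thread: the stream ended
    (or a caller's timeout expired) without a terminating SUCCESS:/ERROR:/END line.
    """
    payload = []
    notifications = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith(">"):
            # e.g. ">HOLD:Waiting for hold release:10" while in management-hold
            notifications.append(line)
            continue
        if line.startswith(SUCCESS_PREFIX):
            return {"status": "SUCCESS",
                    "payload": line[len(SUCCESS_PREFIX):].strip(),
                    "async": notifications}
        if line.startswith(ERROR_PREFIX):
            return {"status": "ERROR",
                    "payload": line[len(ERROR_PREFIX):].strip(),
                    "async": notifications}
        if line == END_MARKER:
            return {"status": "END", "payload": payload, "async": notifications}
        payload.append(line)
    return {"status": "INCOMPLETE", "payload": payload, "async": notifications}


# Constructed sample transcripts (not captured from a real daemon).
SAMPLE_SIGNAL_OK = ["SUCCESS: signal SIGUSR1 thrown"]
SAMPLE_HOLD_ONLY = [">HOLD:Waiting for hold release:10"]      # notification, no reply
SAMPLE_MULTILINE = ["OpenVPN CLIENT LIST", "Updated,2022-07-25 10:00:00", "END"]
SAMPLE_UNKNOWN = ["ERROR: unknown command: foo"]

if __name__ == "__main__":
    for name, sample in [("signal", SAMPLE_SIGNAL_OK), ("hold", SAMPLE_HOLD_ONLY),
                         ("status", SAMPLE_MULTILINE), ("unknown", SAMPLE_UNKNOWN)]:
        print(name, parse_reply(sample))
```

A client built on this should treat "INCOMPLETE" as a protocol error and resynchronise (for instance by re-issuing the command) rather than silently pairing the next reply with the wrong command.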

[Openvpn-devel] [PATCH] In x_check_status() read errno early

2022-07-22 Thread selva . nair
From: Selva Nair The correct errno can get overwritten by the call to format_extended_socket_error(), which may set errno to EAGAIN, losing the original error and causing the error reporting below to be bypassed. Fix by reading the errno of interest at the top of the function. Reported by: Gert Doering

Re: [Openvpn-devel] [PATCH v2] Fix M_ERRNO behavior on Windows

2022-07-22 Thread Selva Nair
On Fri, Jul 22, 2022 at 12:17 PM Gert Doering wrote: > Hi, > > On Tue, May 03, 2022 at 03:28:40AM +0300, Lev Stipakov wrote: > > From: Lev Stipakov > > > > We use M_ERRNO flag in logging to display error code > > and error message. This has been broken on Windows, > > where we use error code fro

Re: [Openvpn-devel] [PATCH] Fix crash in xkey-provider in msvc builds

2022-07-14 Thread Selva Nair
Hi, Any thoughts on this? Apart from the broken msvc builds that led to this, looks like the right thing to do, isn't it? Selva On Wed, Jul 6, 2022 at 11:52 PM wrote: > From: Selva Nair > > The function signature for xkey_load_generic_key had > function pointers defined

[Openvpn-devel] [PATCH] Fix crash in xkey-provider in msvc builds

2022-07-06 Thread selva . nair
From: Selva Nair The function signature for xkey_load_generic_key had function pointers defined as function types, which seems to work in gcc but not in msvc. Fix it by changing the function signatures to what was intended. Also revert part of commit 627d1a3d28638... as that workaround should

[Openvpn-devel] Bug in msvc build of master + OpenSSL 3.0.x

2022-07-06 Thread Selva Nair
Hi, As reported by Lev here: https://github.com/OpenVPN/openvpn-gui/pull/508#issuecomment-1174057372 I think it's due to this in xkey-provider: typedef void (XKEY_PRIVKEY_FREE_fn)(void *handle); (and a similar one for SIGN_fn) EVP_PKEY * xkey_load_generic_key(OSSL_LIB_CTX *libctx, void *handle,

Re: [Openvpn-devel] [PATCH] Fix auth-token usage with management-def-auth

2022-07-04 Thread Selva Nair
Hi On Mon, Jul 4, 2022 at 5:50 AM Arne Schwabe wrote: > Am 04.07.22 um 04:58 schrieb selva.n...@gmail.com: > > From: Selva Nair > > > > When auth-token verify succeeds during a reauth, other auth > > methods (plugin, script, management) are skipped unless >

[Openvpn-devel] [PATCH] Fix auth-token usage with management-def-auth

2022-07-03 Thread selva . nair
From: Selva Nair When auth-token verify succeeds during a reauth, other auth methods (plugin, script, management) are skipped unless external-auth is in effect (skip_auth gets set to true). However, in this case, the status of management-def-auth (ks->mda_status) stays at its default value

[Openvpn-devel] [PATCH] Remove management_write_peer_info_file and related code

2022-06-30 Thread selva . nair
From: Selva Nair Use of this has never been documented and the code was dead for a long while now. Signed-off-by: Selva Nair --- Alternative for [PATCH 2/3] Reactivate record_peer_info in manage.c src/openvpn/init.c| 1 - src/openvpn/manage.c | 49

[Openvpn-devel] [PATCH 3/3] Log address of management client on accept

2022-06-30 Thread selva . nair
From: Selva Nair Currently when we are listening on the management interface, the local address/port is logged as that of the connecting client. Fix it. Signed-off-by: Selva Nair --- src/openvpn/manage.c | 24 +--- 1 file changed, 21 insertions(+), 3 deletions(-) diff

[Openvpn-devel] [PATCH 2/3] Reactivate record_peer_info in manage.c

2022-06-30 Thread selva . nair
From: Selva Nair --management-client has an obscure and undocumented feature to take a file argument where the peer's address and port are recorded. This has become dead code over time. - reactivate the dead code - make it work with v6 addresses as well - do not exit on error in writin

[Openvpn-devel] [PATCH 1/3] Log the actual management interface port in use

2022-06-30 Thread selva . nair
From: Selva Nair When the port is specified as zero, log the actual port bound to, instead of 0. Signed-off-by: Selva Nair --- src/openvpn/manage.c | 18 -- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index

Re: [Openvpn-devel] [PATCH 19/25] dco-win: implement GetOverlappedResultEx for mingw32

2022-06-24 Thread Selva Nair
Hi, On Fri, Jun 24, 2022 at 5:10 AM Antonio Quartulli wrote: > GetOverlappedResultEx is not available on mingw32 therefore we must > provide some compat layer before being able to use this function. > I suppose "mingw32" here refers to mingw-w64 for the 32 bit (i686) target. This symbol has been

Re: [Openvpn-devel] [PATCH] Add ability to specify initialize flags for pkcs11 provider

2022-06-23 Thread Selva Nair
Hi, On Thu, Jun 23, 2022 at 8:43 AM David Sommerseth < open...@sf.lists.topphemmelig.net> wrote: > On 19/6/2022 19:28, Selva Nair wrote: > > Hi, > > > > On Thu, Sep 30, 2021 at 7:34 AM Petr Mikhalicin via Openvpn-devel > > > <mailto:openvpn-devel@lists.s

Re: [Openvpn-devel] [PATCH] Add ability to specify initialize flags for pkcs11 provider

2022-06-19 Thread Selva Nair
Hi, On Thu, Sep 30, 2021 at 7:34 AM Petr Mikhalicin via Openvpn-devel < openvpn-devel@lists.sourceforge.net> wrote: > New pkcs11-helper interface allows to setup pkcs11 provider via > properties: > https://github.com/alonbl/pkcs11-helper/commit/b78d21c7e26041746aa4ae3d08b95469e1714a85 > > Also pk

Re: [Openvpn-devel] [PATCH v3] Implement ED448 and ED25519 support in xkey_provider

2022-05-16 Thread Selva Nair
Hi, Thanks for the new version. Looks good (only compile tested). Acked-by: Selva Nair Selva On Mon, May 16, 2022 at 6:49 AM Arne Schwabe wrote: > > OpenSSL's implementation of ED448 and ED25519 has a few idiosyncrasies. > Instead of belonging to the elliptic curve type

Re: [Openvpn-devel] [PATCH v2] Implement ED448 and ED25519 support in xkey_provider

2022-05-14 Thread Selva Nair
Hi, Thanks for the v2. I'm ready to ack this but for one issue (NULL passed to OSSL_PARAM_construct_utf8_string). On Fri, May 13, 2022 at 9:05 AM Arne Schwabe wrote: > > OpenSSL's implementation of ED448 and ED25519 has a few idiosyncrasies. > Instead of belonging to the elliptic curve type or to

Re: [Openvpn-devel] [PATCH release/2.5] Fix M_ERRNO behavior on Windows

2022-05-11 Thread Selva Nair
Acked-by: Selva Nair Same as the patch 2429 <https://patchwork.openvpn.net/patch/2429/> for master except for the minor change in x_check_status() to match 2.5. On Wed, May 4, 2022 at 5:13 AM Lev Stipakov wrote: > From: Lev Stipakov > > We use M_ERRNO flag in logging to dis

Re: [Openvpn-devel] [PATCH] Implement ED448 and ED25519 support in xkey_provider

2022-05-11 Thread Selva Nair
Hi, On Tue, May 10, 2022 at 7:32 AM Arne Schwabe wrote: > OpenSSL's implementation of ED448 and ED25519 has a few idiosyncrasies. > Instead of belonging to the elliptic curve type or to a common Edwards > curve type, ED448 and ED25519 have each their own type. > > Also, OpenSSL expects signatures

Re: [Openvpn-devel] [PATCH v2] Fix M_ERRNO behavior on Windows

2022-05-03 Thread Selva Nair
+if (!ignore_sys_error(err, crt_error)) > { > struct gc_arena gc = gc_new(); > msg(D_MANAGEMENT, "MANAGEMENT: TCP %s error: %s", prefix, > diff --git a/src/openvpn/platform.c b/src/openvpn/platform.c > index 61afee83..ae1678d

Re: [Openvpn-devel] [PATCH] Fix M_ERRNO behavior on Windows

2022-04-22 Thread Selva Nair
Hi, Sorry for the long delay in getting back to this.. On Tue, Feb 22, 2022 at 9:13 AM Lev Stipakov wrote: > From: Lev Stipakov > > We use M_ERRNO flag in logging to display error code > and error message. This has been broken on Windows, > where we use error code from GetLastError() and > err

Re: [Openvpn-devel] OpenVPN Client 2FA problem with Backslash

2022-03-11 Thread Selva Nair
Hi Jacob, On Fri, Mar 11, 2022 at 3:52 AM Jakob Curdes wrote: > Hello Selva, hello all, > > I have tested the executable in the circumstances described earlier. I > confirm the problem described (username/password auth succeeds, but second > auth with 2FA data fails as the backslash in the usern

Re: [Openvpn-devel] OpenVPN Client 2FA problem with Backslash

2022-03-10 Thread Selva Nair
Hi, On Thu, Mar 10, 2022 at 4:23 PM Gert Doering wrote: > Hi, > > On Thu, Mar 10, 2022 at 12:51:51PM -0500, Selva Nair wrote: > > I missed this follow up on the devel list. Please see my reply to > > openvpn-users. If @ doesn't work there is no easy fix short of patching >

Re: [Openvpn-devel] OpenVPN Client 2FA problem with Backslash

2022-03-10 Thread Selva Nair
Hi, On Thu, Mar 10, 2022 at 9:15 AM Jakob Curdes wrote: > Hello all, > > I think I have found a bug in the OpenVPN Windows client , can you help me > to determine if this is true and how to proceed? > > We are trying to implement 2FA for several existing Firebox SSL VPNs > (which essentially use

Re: [Openvpn-devel] [PATCH master+release/2.5] error.c: use correct API to get error description on Windows

2022-02-21 Thread Selva Nair
Hi On Mon, Feb 21, 2022 at 4:24 AM Lev Stipakov wrote: > We had a long discussion with ordex about this patch and came to the > conclusion that error printing is currently broken on Windows and > needs a proper fixing. > > +1 > What we propose: > > - M_ERRNO prints only C runtime errors on al

[Openvpn-devel] [PATCH] pkcs11_openssl.c: check EVP_get_digestbyname() != NULL

2022-01-26 Thread selva . nair
From: Selva Nair Reported-by: Arne Schwabe Signed-off-by: Selva Nair --- src/openvpn/pkcs11_openssl.c | 9 - 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/openvpn/pkcs11_openssl.c b/src/openvpn/pkcs11_openssl.c index a82b4b32..c4f88816 100644 --- a/src/openvpn

Re: [Openvpn-devel] [PATCH 3/3] Support PSS signing using pkcs11-helper >= 1.28

2022-01-26 Thread Selva Nair
On Wed, Jan 26, 2022 at 6:50 AM Arne Schwabe wrote: > Am 25.01.22 um 03:51 schrieb selva.n...@gmail.com: > > From: Selva Nair > > > > - Call pkcs11h_certificate_signAny_ex() when available > >so that the signature mechanism parameters can be passed. > >

Re: [Openvpn-devel] [PATCH v3] Allow PKCS#11 uri to be used as --cert and --key file names

2022-01-25 Thread Selva Nair
On Sun, Aug 15, 2021 at 6:26 PM wrote: > From: Selva Nair > > v2 changes > - do not allow so-path embedded in cert and key uri > - add --pkcs11-engine option to optionally specify the > engine and provider module to use > v3: rebase to master > > I

Re: [Openvpn-devel] [PATCH] Do not error when md_kt_size() is called with mdname="none"

2022-01-25 Thread Selva Nair
Hi, On Tue, Jan 25, 2022 at 11:35 AM Antonio Quartulli wrote: > Hi, > > On 25/01/2022 17:30, Arne Schwabe wrote: > > Am 25.01.22 um 17:27 schrieb Antonio Quartulli: > >> Hi, > >> > >> On 21/01/2022 19:57, selva.n...@gmail.com wrote: > >>> diff --git a/src/openvpn/crypto_openssl.c > b/src/openvpn

[Openvpn-devel] [PATCH 1/3] xkey: Use a custom error level for debug messages

2022-01-24 Thread selva . nair
From: Selva Nair D_XKEY = loglev(6, 69, M_DEBUG) is defined and used for all low level debug messages from xkey_provider.c and xkey_helper.c As suggested by Arne Schwabe Signed-off-by: Selva Nair --- src/openvpn/errlevel.h | 1 + src/openvpn/xkey_helper.c | 8 +-- src/openvpn

[Openvpn-devel] [PATCH 2/3] Fix max saltlen calculation in cryptoapi.c

2022-01-24 Thread selva . nair
From: Selva Nair (nbits - 1)/8 should have been rounded up. Fix and move it to an inlined function for reuse in pkcs11_openssl.c (used in the next commit). Note: The error is not triggered in normal use as OpenSSL always seems to use saltlen="digest" for signing. Signed-off-by:
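The rounding issue in this commit message is the EMSA-PSS encoded-message length: RFC 8017 defines emLen = ceil((modBits - 1)/8), and the largest salt that fits is emLen - hLen - 2. Integer division rounds the other way, so for the usual key sizes (a multiple of 8 bits) the floor version is one byte short. The following is an added example, not the patch's code: it computes the maximum salt length both ways with Python's standard hashlib for digest sizes, so the one-byte difference and the "normal use is unaffected because saltlen=digest is far below the maximum" remark can be checked on realistic key sizes.

```python
# Added example (not OpenVPN's cryptoapi.c code): maximum RSA-PSS salt length,
# showing floor vs. round-up for emLen = ceil((modBits - 1) / 8)  (RFC 8017, 9.1).
import hashlib


def em_len_floor(nbits: int) -> int:
    """The defect described in the patch: (nbits - 1)/8 with integer division."""
    return (nbits - 1) // 8


def em_len(nbits: int) -> int:
    """Correct emLen: ceil((nbits - 1) / 8), computed without floating point."""
    return (nbits - 1 + 7) // 8


def max_pss_saltlen(nbits: int, mdname: str, rounded_up: bool = True) -> int:
    """Largest sLen EMSA-PSS accepts for an nbits modulus and hash mdname:
    emLen - hLen - 2 (RFC 8017, 9.1.1 step 3). rounded_up=False reproduces the bug."""
    h_len = hashlib.new(mdname).digest_size
    em = em_len(nbits) if rounded_up else em_len_floor(nbits)
    return em - h_len - 2


def saltlen_fits(nbits: int, mdname: str, saltlen: int) -> bool:
    """Would a signing request with this salt length be accepted?"""
    return 0 <= saltlen <= max_pss_saltlen(nbits, mdname)


def compare(nbits: int, mdname: str) -> tuple:
    """(buggy maximum, correct maximum, 'digest' salt length) for one key/hash pair."""
    return (max_pss_saltlen(nbits, mdname, rounded_up=False),
            max_pss_saltlen(nbits, mdname),
            hashlib.new(mdname).digest_size)


if __name__ == "__main__":
    # Constructed sample key sizes; all are multiples of 8, so floor loses a byte.
    for nbits, md in [(2048, "sha256"), (3072, "sha384"), (4096, "sha512")]:
        print(nbits, md, compare(nbits, md))
```

With 2048-bit RSA and SHA-256 the correct maximum is 222 and the floor version gives 221; saltlen="digest" (32) fits either way, which is why the error was not triggered in normal use.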

[Openvpn-devel] [PATCH 3/3] Support PSS signing using pkcs11-helper >= 1.28

2022-01-24 Thread selva . nair
From: Selva Nair - Call pkcs11h_certificate_signAny_ex() when available so that the signature mechanism parameters can be passed. (Required for RSA-PSS signature). Signed-off-by: Selva Nair --- src/openvpn/pkcs11_openssl.c | 123 +-- 1 file changed, 118

Re: [Openvpn-devel] [PATCH 1/2] xkey: fix msvc build

2022-01-24 Thread Selva Nair
71,8 @@ static const OSSL_DISPATCH signature_functions[] = { > }; > > const OSSL_ALGORITHM signatures[] = { > -{"RSA:rsaEncryption", props, signature_functions, "OpenVPN xkey RSA > Signature"}, > -{"ECDSA", props, signature_functions, "OpenVPN xkey ECDSA Signature"}, > +{"RSA:rsaEncryption", XKEY_PROV_PROPS, signature_functions, "OpenVPN > xkey RSA Signature"}, > +{"ECDSA", XKEY_PROV_PROPS, signature_functions, "OpenVPN xkey ECDSA > Signature"}, > {NULL, NULL, NULL, NULL} > }; Acked-by: Selva Nair ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
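Review bot: the `signatures[]` table is a static-storage initializer, so the replacement of `props` by `XKEY_PROV_PROPS` only fixes the MSVC build if `XKEY_PROV_PROPS` expands to a string literal (an address constant) rather than to a `const char *` object, whose value is not a constant expression in C. Please confirm the definition is a literal macro and add a one-line comment next to it saying why it must stay one, so that a later cleanup does not turn it back into a variable and reintroduce the `initializer is not a constant` failure.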

Re: [Openvpn-devel] [PATCH] msvc: switch to openssl3

2022-01-24 Thread Selva Nair
Hi On Mon, Jan 24, 2022 at 1:56 PM Lev Stipakov wrote: > Hi, > > > A whole patch in the commit message is not very helpful and makes it > hard to read. Why not include this patch + the original, and apply the > patch during build? > > > > Or just add a pointer to the original file in the changed

Re: [Openvpn-devel] [PATCH] msvc: switch to openssl3

2022-01-24 Thread Selva Nair
Hi On Mon, Jan 24, 2022 at 4:47 AM Lev Stipakov wrote: > From: Lev Stipakov > > - add openssl3 port from > https://github.com/microsoft/vcpkg/pull/20428/files > with small changes: > > --- portfile.cmake.orig 2022-01-24 11:04:44.914467900 +0200 > +++ portfile.cmake 2022-01-24 11:02:46.066

Re: [Openvpn-devel] [PATCH v3] crypto: Fix OPENSSL_FIPS enabled builds

2022-01-21 Thread Selva Nair
Hi On Fri, Jan 21, 2022 at 12:10 PM Gert Doering wrote: > Hi, > > On Wed, Jan 19, 2022 at 07:21:26PM +0100, David Sommerseth wrote: > > index 5626e2b6..eb0b1254 100644 > > --- a/src/openvpn/crypto.c > > +++ b/src/openvpn/crypto.c > > @@ -34,6 +34,7 @@ > > #include "error.h" > > #include "integ

[Openvpn-devel] [PATCH] Do not error when md_kt_size() is called with mdname="none"

2022-01-21 Thread selva . nair
From: Selva Nair An easy way to trigger this error is to run an otherwise working setup (at say verb = 4) with increased verbosity of verb >= 7 and using a GCM cipher (e.g., AES-256-GCM). It will cause a fatal exit while printing the cipher and hmac in key2_print(). Signed-off-by: Selva N

Re: [Openvpn-devel] [PATCH v3] tun: remove tun_finalize()

2022-01-20 Thread Selva Nair
SetLastError(err); > +return status; > +} > +else > +{ > +return BLEN(buf); > } > - return ret; > } > > static const struct device_instance_id_interface * > diff --git a/src/openvpn/tun.h b/src/openvpn/tun.h > index d4657537..a6

Re: [Openvpn-devel] [PATCH applied] Re: Enable signing via provider for management-external-key

2022-01-20 Thread Selva Nair
Hi, On Thu, Jan 20, 2022 at 10:18 AM Gert Doering wrote: > Compile and client tested on 1.1.1 and 3.0.1. > > Glancing at the code related to management_external_key() does > not make me very happy... too many build time variants. "Happiness" is never a word that comes to mind while reading Ope

[Openvpn-devel] [PATCH] Fix a potential memory leak in tls_ctx_use_management_external_key

2022-01-20 Thread selva . nair
From: Selva Nair As pointed out by Gert Doering Signed-off-by: Selva Nair --- To be applied after 06/18 of xkey patchset src/openvpn/ssl_openssl.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index b48845eb..3f8c3091 100644 --- a

[Openvpn-devel] [PATCH v4 16+17/18] Add a unit test for external key provider

2022-01-20 Thread selva . nair
From: Selva Nair Tests: - Check SIGNATURE and KEYMGMT methods can be fetched from the provider - Load sample RSA and EC keys as management-external-key and check that their sign callbacks are correctly exercised: with and without digest support mocked in the client capability flag

Re: [Openvpn-devel] [PATCH v3 17/18] xkey-provider: Add a test for generic key load and signature

2022-01-20 Thread Selva Nair
Hi On Thu, Jan 20, 2022 at 9:51 AM Gert Doering wrote: > Hi, > > On Tue, Dec 14, 2021 at 11:59:27AM -0500, selva.n...@gmail.com wrote: > > From: Selva Nair > > > > Signed-off-by: Selva Nair > > Is it OK if I squash 16+17 together? I dislike the "history

Re: [Openvpn-devel] [PATCH v2] crypto: Fix OPENSSL_FIPS enabled builds

2022-01-19 Thread Selva Nair
Hi, Sorry for chiming in late: On Wed, Jan 19, 2022 at 10:20 AM David Sommerseth < open...@sf.lists.topphemmelig.net> wrote: > From: David Sommerseth > > On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS > module enabled by default. On these platforms, the OPENSSL_FIPS macro

Re: [Openvpn-devel] [PATCH v2] tun: remove tun_finalize()

2022-01-15 Thread Selva Nair
Hi, On Sat, Jan 15, 2022 at 3:25 AM Antonio Quartulli wrote: > > Hi Selva, > > we were hoping to hear your opinion on this :-) > > We spent quite some time figuring out if we have to use both the non-WSA > and the WSA variant of the API in our code, and it seems we have to. > > (not because using

Re: [Openvpn-devel] [PATCH v2] fix Changes.rst errors in 2.5.3 and 2.5.5 announcement

2021-12-27 Thread Selva Nair
Acked-By: Selva Nair On Mon, Dec 27, 2021 at 3:17 PM Gert Doering wrote: > > - 2.5.3 had a typo in the CVE ID (CVE-2121-3606 should be -2021-) > - 2.5.5 had windows paths with backslashes, which need to be doubled > > (CVE ID typo also reported by "@attritionorg" in G

Re: [Openvpn-devel] [PATCH] fix Changes.rst errors in 2.5.3 and 2.5.5 announcement

2021-12-27 Thread Selva Nair
Hi On Mon, Dec 27, 2021 at 6:16 AM Gert Doering wrote: > > - 2.5.3 had a typo in the CVE ID (CVE-2121-3606 should be -2021-) > - 2.5.5 had windows paths with backslashes, which need to be doubled > > (CVE ID typo also reported by "@attritionorg" in Github PR 165) > > Signed-off-by: Gert Doering

[Openvpn-devel] [PATCH v3 18/18] Add xkey_provider sources and includes to MSVC project

2021-12-14 Thread selva . nair
From: Selva Nair Signed-off-by: Selva Nair --- src/openvpn/openvpn.vcxproj | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/openvpn/openvpn.vcxproj b/src/openvpn/openvpn.vcxproj index 65ee6839..2f0cee60 100644 --- a/src/openvpn/openvpn.vcxproj +++ b/src/openvpn/openvpn.vcxproj

[Openvpn-devel] [PATCH v3 14/18] pkcs11: Interface the xkey provider with pkcs11-helper

2021-12-14 Thread selva . nair
From: Selva Nair - Load the 'private key' handle through the provider and set it in SSL_CTX - Add a sign op function to interface provider with pkcs11-helper. Previously we used its "OpenSSL Session" which internally sets up callbacks in RSA and EC key methods. Not use

[Openvpn-devel] [PATCH v3 15/18] Enable signing using CNG through xkey provider

2021-12-14 Thread selva . nair
From: Selva Nair - Add xkey_cng_sign() as sign_op for the provider and load the key using xkey_generic_load. - Enable/Disable old code when provider is available or not. - xkey_digest is made non-static for use in cryptoapi.c One function cng_padding_type() is moved down to reduce number of

[Openvpn-devel] [PATCH v3 12/18] Increase ERR_BUF_SIZE when management interface support is enabled

2021-12-14 Thread selva . nair
From: Selva Nair Sending largish messages to the management interface errors due to the limited size used for the "error" buffer in x_msg_va(). Although all intermediate steps allocate required space for the data to send, it gets truncated at the last step. This really requires a s

[Openvpn-devel] [PATCH v3 04/18] Implement import of custom external keys

2021-12-14 Thread selva . nair
From: Selva Nair Our key object retains info about the external key as an opaque handle to the backend. We also need the public key as an EVP_PKEY *. For native keys we use OpenSSL API to import data into the key. The 'handle' representing the private key in that case is t

[Openvpn-devel] [PATCH v3 02/18] Implement KEYMGMT in the xkey provider

2021-12-14 Thread selva . nair
From: Selva Nair A minimal set of functions for keymgmt are implemented. No support for external key import as yet, only native keys. Support for native keys is required as keys may get imported into us for some operations as well as for comparison with unexportable external keys that we hold

[Openvpn-devel] [PATCH v3 06/18] A helper function to import private key for management-external-key

2021-12-14 Thread selva . nair
From: Selva Nair - Leverage keymgmt_import through EVP_PKEY_new_fromdata() to import "management-external-key" - When required, use this to set SSL_CTX_use_PrivateKey The sign_op is not implemented yet. This will error out while signing with --management-external-key. The next co

[Openvpn-devel] [PATCH v3 13/18] Add a generic key loading helper function for xkey provider

2021-12-14 Thread selva . nair
From: Selva Nair - Load keys by specifying the opaque private key handle, public key, sign-op and free-op required for loading keys from Windows store and pkcs11. - xkey_load_management_key is refactored to use the new function - Also make xkey_digest non-static Used in following commits

[Openvpn-devel] [PATCH v3 03/18] Implement SIGNATURE operations in xkey provider

2021-12-14 Thread selva . nair
From: Selva Nair - Basic framework for announcing support for signature operations - DigestSign and Sign functions for native keys are also implemented. Though strictly not needed, these functions for native keys set up the framework for signature operations. They also help loading

[Openvpn-devel] [PATCH v3 10/18] Respect algorithm support announced by management client

2021-12-14 Thread selva . nair
From: Selva Nair Support for padding algorithms in management-client is indicated in the optional argument to --management-external-key as "pkcs1", "pss" etc. We currently use it only for an early exit based on heuristics that a required algorithm may not be handled by the cl

[Openvpn-devel] [PATCH v3 01/18] A built-in provider for using external key with OpenSSL 3.0

2021-12-14 Thread selva . nair
From: Selva Nair Hooking into callbacks in RSA_METHOD and EVP_PKEY_METHOD structures is deprecated in OpenSSL 3.0. Signing with external keys that are not exportable (tokens, stores, etc.) requires a custom provider interface so that key operations are done under its context. A single

[Openvpn-devel] [PATCH v3 11/18] Support sending DigestSign request to management client

2021-12-14 Thread selva . nair
From: Selva Nair To receive undigested message for signing, indicate support for handling message digesting in the client using an argument "digest" to --management-external-key. For example, to announce pkcs1 padding and digesting support use: --management-external-key pkcs1 pss

[Openvpn-devel] [PATCH v3 09/18] Allow management client to announce pss padding support

2021-12-14 Thread selva . nair
From: Selva Nair The --management-external-key option can currently indicate support for 'nopadding' or 'pkcs1' signatures in the client. Add 'pss' as an option to announce that PSS signing requests are accepted. To match, extend the algorithm string in PK_SIGN re

[Openvpn-devel] [PATCH v3 00/18] External key provider for use with OpenSSL 3

2021-12-14 Thread selva . nair
From: Selva Nair The following series of patches implement a built-in provider for interfacing OpenSSL 3.0 when external keys are in use. Essentially, to intercept the sign operation, the SSL_CTX object has to be created with properties string set to prioritize our provider. In the provider

[Openvpn-devel] [PATCH v3 05/18] Initialize the xkey provider and use it in SSL context

2021-12-14 Thread selva . nair
From: Selva Nair - Add function to check when external key is in use - Load xkey provider into a custom library context when required - Use the custom libctx in SSL CTX when external key is in use As no keys are yet loaded through the provider, no functionality gets delegated to it as yet

[Openvpn-devel] [PATCH v3 08/18] Add a function to encode digests with PKCS1 DigestInfo wrapper

2021-12-14 Thread selva . nair
From: Selva Nair The EVP_PKEY interface as well as provider passes the raw digest to the sign() function. In case of RSA_PKCS1, our management interface expects an encoded hash, which has the DigestInfo header added as per PKCSv1.5 specs, unless the hash algorithm is legacy MD5_SHA1. Fix this

[Openvpn-devel] [PATCH v3 16/18] Add a unit test for external key provider

2021-12-14 Thread selva . nair
From: Selva Nair Tests: - Check SIGNATURE and KEYMGMT methods can be fetched from the provider - Load sample RSA and EC keys as management-external-key and check that their sign callbacks are correctly exercised: with and without digest support mocked in the client capability flag

[Openvpn-devel] [PATCH v3 07/18] Enable signing via provider for management-external-key

2021-12-14 Thread selva . nair
From: Selva Nair - Add a function to set as sign_op during key import. The function passes the signature request to management interface, and returns the result to the provider. v2 changes: Method to do digest added to match the changes in the provider signature callback. TODO

[Openvpn-devel] [PATCH v3 17/18] xkey-provider: Add a test for generic key load and signature

2021-12-14 Thread selva . nair
From: Selva Nair Signed-off-by: Selva Nair --- configure.ac | 2 - tests/unit_tests/openvpn/Makefile.am | 4 - tests/unit_tests/openvpn/test_provider.c | 112 +-- 3 files changed, 105 insertions(+), 13 deletions(-) diff --git a

Re: [Openvpn-devel] [PATCH v3 7/9] Remove cipher_kt_t and change type to const char* in API

2021-12-10 Thread Selva Nair
Hi, On Fri, Dec 10, 2021 at 8:09 AM Arne Schwabe wrote: > > Make the external crypto consumer oblivious to the internal cipher > type that both mbed TLS and OpenSSL use. This change is mainly done > so the cipher type that is used can stay a const type but instead > of an SSL library type, we

Re: [Openvpn-devel] [PATCH v3 7/9] Remove cipher_kt_t and change type to const char* in API

2021-12-10 Thread Selva Nair
On Fri, Dec 10, 2021 at 10:09 AM Gert Doering wrote: > > Hi, > > On Fri, Dec 10, 2021 at 02:06:51PM +0100, Arne Schwabe wrote: > > Patch v3: fix errors with mbed TLS without having md_kt to const char * > > patch > > also applied, fix logic inversion in tls_crypt_tk > > Thanks, this is

Re: [Openvpn-devel] [PATCH v2 7/9] Remove cipher_kt_t and change type to const char* in API

2021-12-09 Thread Selva Nair
Hi, On Tue, Dec 7, 2021 at 1:07 PM Arne Schwabe wrote: > > Make the external crypto consumer oblivious to the internal cipher > type that both mbed TLS and OpenSSL use. This change is mainly done > so the cipher type that is used can stay a const type but instead > of an SSL library type, we no

Re: [Openvpn-devel] [PATCH applied] Re: Load OpenSSL config on Windows from trusted location

2021-11-24 Thread Selva Nair
Hi, On Wed, Nov 24, 2021 at 9:28 AM Lev Stipakov wrote: > Do we need this fix in openvpn-gui? It only (?) uses openssl to change > private key password, could this functionality be affected by config? > I do not know.. We do not call any functions that would lead to a config loading, so probabl

Re: [Openvpn-devel] [PATCH applied] Re: Load OpenSSL config on Windows from trusted location

2021-11-24 Thread Selva Nair
Hi On Wed, Nov 24, 2021 at 5:06 AM Gert Doering wrote: > Your patch has been applied to the master and release/2.5 branch > (I consider this a bugfix since the "do not load config!" CVE patch > unintendedly broke functionality for people) > What would be a good location in the man page where we

Re: [Openvpn-devel] [PATCH v4] Load OpenSSL config on Windows from trusted location

2021-11-23 Thread Selva Nair
+ > +_wgetenv_s(&size, NULL, 0, ossl_env[i].name); > +if (size == 0) > +{ > +WCHAR val[MAX_PATH] = {0}; > +openvpn_swprintf(val, _countof(val), L"%ls\\ssl\\%ls", > install_path, ossl_env[i].value); > +

Re: [Openvpn-devel] [PATCH v3] Load OpenSSL config on Windows from trusted location

2021-11-23 Thread Selva Nair
Hi, On Tue, Nov 23, 2021 at 1:37 PM Lev Stipakov wrote: > I don't have a setup to properly test it, like actually loading the > config - I only checked that the openvpn.exe attempted to access > openssl.cnf at the correct location. > > If someone wants to test - binary artifacts could be found h

Re: [Openvpn-devel] [PATCH v3] Load OpenSSL config on Windows from trusted location

2021-11-23 Thread Selva Nair
On Tue, Nov 23, 2021 at 1:46 PM Gert Doering wrote: > Hi, > > On Fri, Nov 19, 2021 at 02:53:06AM +0200, Lev Stipakov wrote: > > +if ((install_path[wcslen(install_path) - 1]) == L'\\') > > +{ > > +install_path[wcslen(install_path) - 1] = L'\0'; > > +} > > + > > +WCHAR opens

Re: [Openvpn-devel] [PATCH v2] Load OpenSSL config on Windows from trusted location

2021-11-23 Thread Selva Nair
Hi, +1 for setting these env vars. I will test this but some quick comments On Tue, Nov 23, 2021 at 10:08 AM Lev Stipakov wrote: > From: Lev Stipakov > > Commit 7e33127d5 ("contrib/vcpkg-ports: remove openssl port") > disabled OpenSSL config loading to prevent loading config > from untrusted l

Re: [Openvpn-devel] OpenSSL build on Windows: OPENSSLDIR and MODULESDIR

2021-11-22 Thread Selva Nair
On Mon, Nov 22, 2021 at 4:37 PM Gert Doering wrote: > Hi, > > On Mon, Nov 22, 2021 at 04:33:36PM -0500, Selva Nair wrote: > > I think setting env vars would give us extra protection as we can detect > > the actual location of Program Files or executable's path at run t

Re: [Openvpn-devel] OpenSSL build on Windows: OPENSSLDIR and MODULESDIR

2021-11-22 Thread Selva Nair
Hi, On Mon, Nov 22, 2021 at 3:27 PM Lev Stipakov wrote: > Hi, > > I added > > _putenv("OPENSSL_CONF=c:\\Temp\\lol.conf"); > > to openvpn_main() and see > > 22:01:38,9512311 openvpn.exe 27668 CreateFile C:\Temp\lol.conf > NAME NOT FOUND > > in procmon. So would it be enough to set config/

Re: [Openvpn-devel] OpenSSL build on Windows: OPENSSLDIR and MODULESDIR

2021-11-22 Thread Selva Nair
Hi, On Mon, Nov 22, 2021 at 12:20 PM Lev Stipakov wrote: > I added a commit to vcpkg/openssl PR > (https://github.com/microsoft/vcpkg/pull/21540) which gives an option > to customize ENGINESDIR. Unfortunately openssl doesn't make it easy - > ENGINESDIR is built based on --prefix, which is set to

Re: [Openvpn-devel] OpenSSL build on Windows: OPENSSLDIR and MODULESDIR

2021-11-19 Thread Selva Nair
Hi, On Fri, Nov 19, 2021 at 3:04 PM wrote: > Ok, my idea was to fix only config loading dir. Apparently this is not > enough, so I’ll look into ENGINESDIR too. What we need is a proper build that can be safely distributed. Whatever that takes. My understanding is that if we have to get with pr

Re: [Openvpn-devel] OpenSSL build on Windows: OPENSSLDIR and MODULESDIR

2021-11-19 Thread Selva Nair
Hi On Fri, Nov 19, 2021 at 11:16 AM Lev Stipakov wrote: > Hi, > > Here is what output of openssl.exe built with abovementioned patch on > my machine: > > > c:\Users\lev\Projects\vcpkg\packages\openssl_x64-windows-ovpn\tools\openssl>openssl.exe > version -a > OpenSSL 1.1.1l 24 Aug 2021 > built o

Re: [Openvpn-devel] OpenSSL build on Windows: OPENSSLDIR and MODULESDIR

2021-11-19 Thread Selva Nair
Hi, On Fri, Nov 19, 2021 at 6:43 AM Lev Stipakov wrote: > Hi, > > I've submitted PR to vcpkg's openssl port: > https://github.com/microsoft/vcpkg/pull/21540 > > With that PR merged, we could specify proper location of config like > this (extracted from custom triplet): > > set(OPENSSL_OPENSSLD
