Re: [Openvpn-devel] Paid Engagement

2014-10-09 Thread Steffan Karger
Hi,

On 09-10-14 18:17, Arne Schwabe wrote:
>> So, it looks like running rsa_sign with a cert/key pair coming out of
>> the cryptostore store is causing some low level openssl problems.
>> Don't know how easy it is to fix, but most likely it's not inside the
>> OpenVPN code...
>>
> Pretty easy (for OpenSSL standards...). You have to use the lowlevel
> functions instead of rsa_sign. See also
> https://code.google.com/p/ics-openvpn/source/browse/main/jni/jbcrypto.cpp
> 
> Basically for ics-openvpn the change was to replace
> 
> RSA_sign(NID_md5_sha1, (unsigned char*) data, datalen,
> sigret, &siglen, pkey->pkey.rsa) <= 0 )
> 
> with
> 
> siglen = RSA_private_encrypt(datalen,(unsigned char*)
> data,sigret,pkey->pkey.rsa,RSA_PKCS1_PADDING);
> 
> But I haven't looked at the OpenVPN source code yet which code path is
> called there.

I took a peek at the code, and I think it is the other way around. The
cryptoapi code (like e.g. openvpn's pkcs11 code) supplies OpenSSL with
a signing function. OpenSSL then calls that function during the TLS
handshake to get a valid signature.

However, the sign function in openvpn's cryptoapi.c restricts the
possible signatures to TLS 1.0/1.1 signatures and needs to be extended.
But here's the catch: Microsoft's crypto API sign function does not
understand TLS 1.2 signatures either. Using the encrypt function might
work here too, but the API is quite different, so you'll have to figure
out how to retrieve the correct key (reference).

-Steffan



Re: [Openvpn-devel] Paid Engagement

2014-10-09 Thread Arne Schwabe

>
> So, it looks like running rsa_sign with a cert/key pair coming out of
> the cryptostore store is causing some low level openssl problems.
> Don't know how easy it is to fix, but most likely it's not inside the
> OpenVPN code...
>
Pretty easy (for OpenSSL standards...). You have to use the lowlevel
functions instead of rsa_sign. See also
https://code.google.com/p/ics-openvpn/source/browse/main/jni/jbcrypto.cpp

Basically for ics-openvpn the change was to replace

RSA_sign(NID_md5_sha1, (unsigned char*) data, datalen,
sigret, &siglen, pkey->pkey.rsa) <= 0 )

with

siglen = RSA_private_encrypt(datalen,(unsigned char*)
data,sigret,pkey->pkey.rsa,RSA_PKCS1_PADDING);

But I haven't looked at the OpenVPN source code yet which code path is
called there.

Arne


Re: [Openvpn-devel] Paid Engagement

2014-10-07 Thread Arne Schwabe
On 07.10.14 16:32, Sio Poh Tan wrote:
> Hi Samuli,
>
> Thanks for your reply. I've checked on the link that you provided.
> However, it does not mention whether the Windows Crypto API integration
> supports TLS 1.2 implementation. I understand that it does support TLS
> 1.0 implementation, similar to the OpenVPN community version. If the
> OpenVPN Connect client is based on the community version, then I doubt
> it supports TLS 1.2 using cryptoapicert as I've tested with the
> community version. Please correct me if I'm wrong.
>
> I hope someone will be interested to work on this implementation as my
> team is having a tight schedule implementing this for a project.

Probably it uses the management-api and the external-key-management API
of the management interface. My Android client (OpenVPN for Android)
uses that API to work with the Android keystore and does TLS 1.2 just
fine. That OpenVPN Connect can use the Mac crypto store, which OpenVPN
does not support, kind of confirms that theory.

For anyone who wants to pick up this work: this probably only involves
replacing the API calls which do RSA signing of the SHA1 checksum with
an API call that can do signing of SHA1 + SHA* variants (basically
signing longer bitstrings).

Arne
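Added illustration of the point made in the three messages above (Steffan's, and both of Arne's); this is not code from the thread, from OpenVPN or from ics-openvpn. In TLS 1.0/1.1 the RSA backend receives a raw 36-byte MD5||SHA-1 block, which OpenSSL's RSA_sign(NID_md5_sha1, ...) pads with PKCS#1 v1.5 and nothing else; in TLS 1.2 it receives a DigestInfo followed by the negotiated hash, so the backend has to accept a longer, caller-built input, and RSA_private_encrypt(..., RSA_PKCS1_PADDING) is exactly that primitive. The pure-Python functions rsa_sign and rsa_private_encrypt below are models of the two OpenSSL calls, not bindings to them; a throwaway RSA key generated at run time stands in for a CryptoAPI or keystore key handle, and the handshake transcript is a constructed stand-in.

```python
# Added illustration, not OpenVPN or ics-openvpn code: the bytes the TLS layer
# hands to the RSA backend in TLS 1.0/1.1 versus TLS 1.2, with a throwaway key
# standing in for a CryptoAPI or keystore key handle.
import hashlib
import random

# DER DigestInfo prefix for SHA-256, RFC 8017 section 9.2 note 1.
DIGEST_INFO = {"sha256": bytes.fromhex("3031300d060960864801650304020105000420")}

def tls_signature_input(version, handshake_messages, hash_name="sha256"):
    """T, the octet string the TLS layer gives the signing backend.
    TLS 1.0/1.1 (RFC 4346 7.4.8): MD5(msgs) || SHA-1(msgs), 36 raw bytes, no
    DigestInfo. TLS 1.2 (RFC 5246 4.7): DigestInfo || hash(msgs), negotiated hash."""
    if version in ("1.0", "1.1"):
        return hashlib.md5(handshake_messages).digest() + hashlib.sha1(handshake_messages).digest()
    if version == "1.2":
        return DIGEST_INFO[hash_name] + hashlib.new(hash_name, handshake_messages).digest()
    raise ValueError("unsupported TLS version %r" % version)

def emsa_pkcs1_v1_5(t, k):
    """EMSA-PKCS1-v1_5 (RFC 8017 9.2): 00 01 FF..FF 00 T, exactly k bytes;
    this is what RSA_PKCS1_PADDING does inside RSA_private_encrypt."""
    if k < len(t) + 11:
        raise ValueError("input too long for this modulus")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_private_encrypt(t, key):
    """Model of RSA_private_encrypt(len(t), t, sig, rsa, RSA_PKCS1_PADDING): pad the
    caller's bytes verbatim and apply the private exponent. The caller owns the
    DigestInfo, so T from any TLS version fits through this call."""
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(emsa_pkcs1_v1_5(t, k), "big")
    return pow(em, key["d"], key["n"]).to_bytes(k, "big")

def rsa_sign(nid, digest, key):
    """Model of RSA_sign(NID_xxx, m, m_len, sig, &siglen, rsa): OpenSSL prepends the
    DigestInfo for NID_xxx, except that NID_md5_sha1 takes only the raw 36-byte
    MD5||SHA-1 block. A backend built around that case cannot sign TLS 1.2's T."""
    if nid == "md5_sha1":
        if len(digest) != 36:
            raise ValueError("NID_md5_sha1 requires a 36-byte MD5||SHA-1 input")
        return rsa_private_encrypt(digest, key)
    return rsa_private_encrypt(DIGEST_INFO[nid] + digest, key)

def rsa_verify_raw(sig, key):
    """Public operation plus padding check; returns the recovered T."""
    k = (key["n"].bit_length() + 7) // 8
    em = pow(int.from_bytes(sig, "big"), key["e"], key["n"]).to_bytes(k, "big")
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x01" or sep < 10 or em[2:sep] != b"\xff" * (sep - 2):
        raise ValueError("invalid PKCS#1 v1.5 padding")
    return em[sep + 1:]

def _probable_prime(bits, rounds=32):
    """Random odd candidate of the given size that passes Miller-Rabin."""
    while True:
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        d, r = n - 1, 0
        while d % 2 == 0:
            d, r = d // 2, r + 1
        for _ in range(rounds):
            x = pow(random.randrange(2, n - 1), d, n)
            if x in (1, n - 1):
                continue
            for _ in range(r - 1):
                x = pow(x, 2, n)
                if x == n - 1:
                    break
            else:
                break  # composite witness found: next candidate
        else:
            return n

def generate_key(bits=1024, e=65537):
    """Throwaway RSA key for the demonstration only."""
    while True:
        p, q = _probable_prime(bits // 2), _probable_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e and (p * q).bit_length() == bits:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def demo(key=None, handshake=b"constructed stand-in for the handshake transcript"):
    """Push both TLS generations through both backend models; report what held."""
    key = key or generate_key()
    t_old = tls_signature_input("1.0", handshake)
    t_new = tls_signature_input("1.2", handshake, "sha256")
    sig_new = rsa_private_encrypt(t_new, key)
    try:
        rsa_sign("md5_sha1", t_new, key)
        old_call_takes_tls12 = True
    except ValueError:
        old_call_takes_tls12 = False
    return {
        "tls10_same_via_both_calls": rsa_sign("md5_sha1", t_old, key) == rsa_private_encrypt(t_old, key),
        "tls12_via_private_encrypt_verifies": rsa_verify_raw(sig_new, key) == t_new,
        "tls12_equals_plain_sha256_signature": sig_new == rsa_sign("sha256", hashlib.sha256(handshake).digest(), key),
        "nid_md5_sha1_call_takes_tls12_input": old_call_takes_tls12,
    }
```

demo() returns four checks: the TLS 1.0 input signs identically through both calls (NID_md5_sha1 adds no DigestInfo, so it is just PKCS#1 v1.5 over 36 bytes); the 51-byte TLS 1.2 input goes through the private-encrypt model and verifies; that signature equals an ordinary SHA-256 PKCS#1 v1.5 signature over the same transcript; and the NID_md5_sha1 model rejects the TLS 1.2 input outright. Whatever replaces the key dict on the Windows side has to offer the same "pad and private-encrypt arbitrary bytes" primitive, which is the gap Steffan's message describes for the CryptoAPI sign function.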


Re: [Openvpn-devel] Paid Engagement

2014-10-07 Thread Sio Poh Tan
Hi Samuli,

Thanks for your reply. I've checked on the link that you provided. However,
it does not mention whether the Windows Crypto API integration supports TLS
1.2 implementation. I understand that it does support TLS 1.0
implementation, similar to the OpenVPN community version. If the OpenVPN
Connect client is based on the community version, then I doubt it supports
TLS 1.2 using cryptoapicert as I've tested with the community version.
Please correct me if I'm wrong.

I hope someone will be interested to work on this implementation as my team
is having a tight schedule implementing this for a project.

Regards,
Isaac


On Tue, Oct 7, 2014 at 7:34 PM, Samuli Seppänen wrote:

>
>
> Hi,
>
> Have you checked if the OpenVPN Connect client (bundled with the Access
> Server) meets your requirements? See section 5 in here:
>
> 
> 
>
> --
> Samuli Seppänen
> Community Manager
> OpenVPN Technologies, Inc
>
> irc freenode net: mattock
>
>
>
>
> > Hello OpenVPN Developers,
> >
> > I understand that the current version of OpenVPN supports implementation
> > of TLS 1.2 using exported cert and key. However, I have a project that
> > requires implementation of TLS 1.2 using cryptoapicert.
> >
> > If any developer is interested to work on this implementation in
> > OpenVPN, please email me specifying the cost of doing this. I do respect
> > the developer's time and effort and hence, this will be a paid engagement.
> >
> > Thank you.
> >
> > Best Regards,
> > Isaac
> >
> >
> > ___
> > Openvpn-devel mailing list
> > Openvpn-devel@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] Paid Engagement

2014-10-07 Thread Samuli Seppänen


Hi,

Have you checked if the OpenVPN Connect client (bundled with the Access
Server) meets your requirements? See section 5 in here:



-- 
Samuli Seppänen
Community Manager
OpenVPN Technologies, Inc

irc freenode net: mattock




> Hello OpenVPN Developers,
>
> I understand that the current version of OpenVPN supports
> implementation of TLS 1.2 using exported cert and key. However, I have a
> project that requires implementation of TLS 1.2 using cryptoapicert.
>
> If any developer is interested to work on this implementation in
> OpenVPN, please email me specifying the cost of doing this. I do respect
> the developer's time and effort and hence, this will be a paid engagement.
>
> Thank you.
>
> Best Regards,
> Isaac
>
>



[Openvpn-devel] Paid Engagement

2014-10-03 Thread Sio Poh Tan
Hello OpenVPN Developers,

I understand that the current version of OpenVPN supports implementation of
TLS 1.2 using exported cert and key. However, I have a project that
requires implementation of TLS 1.2 using cryptoapicert.

If any developer is interested to work on this implementation in OpenVPN,
please email me specifying the cost of doing this. I do respect the
developer's time and effort and hence, this will be a paid engagement.

Thank you.

Best Regards,
Isaac