On Wed, 2017-11-08 at 13:27 +0100, David Sommerseth wrote:
> I need to spend a bit more time to fully grasp the UI get/set calls
> and the related implementation. But what is done in regards to
> password retrieving in ui_read() makes sense to me.
How to use UI methods is (unsurprisingly) badly
.
James Bottomley (1):
openssl: add engine method for loading the key
src/openvpn/crypto_openssl.c | 55
src/openvpn/crypto_openssl.h | 12 ++
src/openvpn/ssl_openssl.c| 6 -
3 files changed, 72 insertions(+), 1 deletion(-)
--
2.12.3
with the openssl tpm engines to make openvpn use a
TPM wrapped key file.
Signed-off-by: James Bottomley <james.bottom...@hansenpartnership.com>
---
v2: add better configuration guarding
---
src/openvpn/crypto_openssl.c | 55
src/openvpn/crypto_ope
On Sun, 2017-10-29 at 17:34 +0500, Илья Шипицин wrote:
> 2017-10-28 17:03 GMT+05:00 James Bottomley <
> james.bottom...@hansenpartnership.com>:
>
> >
> > As well as doing crypto acceleration, engines can also be used to
> > load
> > key files. If the eng
On Sun, 2017-10-29 at 17:03 -0400, Selva wrote:
> Hi,
>
> On Sun, Oct 29, 2017 at 12:04 PM, James Bottomley <James.Bottomley@
> hansenpartnership.com> wrote:
>
> >
> > On Sun, 2017-10-29 at 16:24 +0100, Gert Doering wrote:
> > >
> > > Hi,
>
On Sun, 2017-10-29 at 16:24 +0100, Gert Doering wrote:
> Hi,
>
> On Sat, Oct 28, 2017 at 01:02:27PM +0100, James Bottomley wrote:
> >
> > Engine keys are an openssl concept for a key file which can only be
> > understood by an engine (usually because it's been wrapp
On Sun, 2017-10-29 at 23:15 +0800, Antonio Quartulli wrote:
> James,
>
> could you please resend a full patch, so to have a better overview of
> the whole change?
Sure thing. It's below.
James
---
From d55d6f50cd156ac8e5cdead1b5c03569885158f6 Mon Sep 17 00:00:00 2001
From: Jam
In openssl 1.1, ENGINE_cleanup became a #define instead of a function
(because it's no longer needed as engines are self cleaning). Update
the autoconf.ac script to check for ENGINE_cleanup as a declaration to
avoid falsely undefining HAVE_OPENSSL_ENGINE in openssl 1.1+
Signed-off-by: James
.
James
---
James Bottomley (1):
openssl: add engine method for loading the key
src/openvpn/crypto_backend.h | 13
src/openvpn/crypto_openssl.c | 49
src/openvpn/ssl_openssl.c| 6 +-
3 files changed, 67 insertions(+), 1 deletion
with the openssl tpm engines to make openvpn use a
TPM wrapped key file.
Signed-off-by: James Bottomley <james.bottom...@hansenpartnership.com>
---
src/openvpn/crypto_backend.h | 13
src/openvpn/crypto_openssl.c | 49
src/openvpn/ssl_ope
On Tue, 2018-01-16 at 00:07 +0100, Emmanuel Deloget wrote:
> While the number of required changes were quite small (and have no
> impact on openvpn), this was quite a journey. I guess some of the
> merits should go to RSA, Microsoft and Intel, for their incredible
> effort in building
going on to bring up
an openvpn loop, but I think that's sufficient to test out the engine
patch fully.
James Bottomley (2):
openssl: add engine method for loading the key
Add unit tests for engine keys
configure.ac | 2 +
src/openvpn/crypto_openssl.c
with the openssl tpm engines to make openvpn use a
TPM wrapped key file.
Signed-off-by: James Bottomley <james.bottom...@hansenpartnership.com>
---
v2: add better configuration guarding
---
src/openvpn/crypto_openssl.c | 55
src/openvpn/crypto_ope
operations and we check for these
in the log to make sure the engine was used to load the key and that
it correctly got the password.
Signed-off-by: James Bottomley <james.bottom...@hansenpartnership.com>
---
configure.ac | 2 +
tests/unit_tests/Makef
On Mon, 2018-01-29 at 08:43 +0100, Arne Schwabe wrote:
> On 26.01.18 at 21:30, James Bottomley wrote:
> >
> > As well as doing crypto acceleration, engines can also be used to
> > load key files. If the engine is set, and the private key loading
> > fails for bi
going on to bring up
an openvpn loop, but I think that's sufficient to test out the engine
patch fully.
James Bottomley (2):
openssl: add engine method for loading the key
Add unit tests for engine keys
configure.ac | 2 +
src/openvpn/crypto_openssl.c
with the openssl tpm engines to make openvpn use a
TPM wrapped key file.
Signed-off-by: James Bottomley <james.bottom...@hansenpartnership.com>
---
v2: add better configuration guarding
v4: - use crypto_msg() instead of raw openssl prints
- remove ENGINE_init/finish(). Openvpn a
On Thu, 2020-02-13 at 19:18 +0100, Arne Schwabe wrote:
> On 10.02.18 at 23:50, James Bottomley wrote:
> > Testing engines is problematic, so one of the prerequisites built
> > for the tests is a simple openssl engine that reads a non-standard
> > PEM guarded key. The test
On Fri, 2020-02-14 at 18:33 +0500, Илья Шипицин wrote:
> Fri, 14 Feb 2020 at 18:05, James Bottomley <
> james.bottom...@hansenpartnership.com>:
>
> > On Thu, 2020-02-13 at 19:18 +0100, Arne Schwabe wrote:
> > > On 10.02.18 at 23:50, James Bott
On Mon, 2020-05-25 at 08:04 +0200, Gert Doering wrote:
> Hi,
>
> I see the granularity of your patch set as "not right":
>
> On Sun, May 24, 2020 at 01:33:22PM -0700, James Bottomley wrote:
> > Testing engines is problematic, so one of the prerequisites built
>
On Mon, 2020-05-25 at 14:52 +0200, Arne Schwabe wrote:
> On 25.05.20 at 08:04, Gert Doering wrote:
> > Hi,
> >
> > I see the granularity of your patch set as "not right":
> >
> > On Sun, May 24, 2020 at 01:33:22PM -0700, James Bottomley wrote:
>
the key has been loaded rather than going on to bring up
an openvpn loop, but I think that's sufficient to test out the engine
patch fully.
---
James Bottomley (2):
openssl: add engine method for loading the key
Add unit tests for engine keys
configure.ac
the key has been loaded rather than going on to bring up
an openvpn loop, but I think that's sufficient to test out the engine
patch fully.
---
James Bottomley (2):
openssl: add engine method for loading the key
Add unit tests for engine keys
configure.ac
operations and we check for these
in the log to make sure the engine was used to load the key and that
it correctly got the password.
Signed-off-by: James Bottomley
---
v5: do not hard code dynamic library extension into openssl.cnf (MacOS)
v4: add OPENSSL_config(NULL) so debian checks will work
with the openssl tpm engines to make openvpn use a
TPM wrapped key file.
Signed-off-by: James Bottomley
---
v2: add better configuration guarding
v4: - use crypto_msg() instead of raw openssl prints
- remove ENGINE_init/finish(). Openvpn already initializes the engine
so doing a second
operations and we check for these
in the log to make sure the engine was used to load the key and that
it correctly got the password.
Signed-off-by: James Bottomley
---
v5: do not hard code dynamic library extension into openssl.cnf (MacOS)
v4: add OPENSSL_config(NULL) so debian checks will work
I'm getting this failure of test_ncp.c
[ RUN ] test_check_ncp_ciphers_list
[ ERROR ] --- 0x7d67e8 != 0
[ LINE ] --- test_ncp.c:65: error: Failure!
[ FAILED ] test_check_ncp_ciphers_list
I'm building under openssl-1.1.0i
The problem seems to be openssl uses a mixed case name for
configuration file with the OPENSSL_CONF environment
variable.
Signed-off-by: James Bottomley
---
src/openvpn/crypto_openssl.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 4ac77fde..fd57edd2 100644
--- a/src/openvpn
with the openssl tpm engines to make openvpn use a
TPM wrapped key file.
Signed-off-by: James Bottomley
---
v2: add better configuration guarding
v4: - use crypto_msg() instead of raw openssl prints
- remove ENGINE_init/finish(). Openvpn already initializes the engine
so doing a second
the certificate and
the key after the key has been loaded rather than going on to bring up
an openvpn loop, but I think that's sufficient to test out the engine
patch fully.
---
James Bottomley (3):
openssl: add engine method for loading the key
crypto_openssl: add initialization to pick up local
On Mon, 2020-06-29 at 19:51 +0200, Gert Doering wrote:
> The rules to generate $(builddir)/openssl.cnf from
> $(srcdir)/openssl.cnf.in only worked for GNU Make. BSD make needs
> the rules more explicit, and the target must not have a directory
> specification (fixes commit 542c69c37).
This
On Mon, 2020-06-22 at 19:28 +0200, Gert Doering wrote:
> Hi,
>
> On Mon, Jun 22, 2020 at 10:06:44AM -0700, James Bottomley wrote:
> > > [..]
> > > > Right, that's what the patch in the url does: uses .so on both
> > > > mac
> > > > and linux
operations and we check for these
in the log to make sure the engine was used to load the key and that
it correctly got the password.
Signed-off-by: James Bottomley
---
v8: Fix openssl.cnf.in build rule for BSD
v7: Hard code .so for dll
v6: add absolute path instead of env variable
This is the version that should work on Linux, Mac and BSD (famous
last words ...). I've checked it on the Linux platforms (Ubuntu and
OpenSUSE).
James
---
James Bottomley (1):
Add unit tests for engine keys
configure.ac | 2 +
tests/unit_tests
On Sun, 2020-06-21 at 10:53 +0200, Gert Doering wrote:
> Hi,
>
> On Thu, May 28, 2020 at 03:59:20PM -0700, James Bottomley wrote:
> > Testing engines is problematic, so one of the prerequisites built
> > for the tests is a simple openssl engine that reads a non-standar
, needed
> by 'openssl.cnf'. Stop.
> 3673make[6]: Leaving directory
> '/home/travis/build/OpenVPN/openvpn/openvpn-
> 2.5_git/_build/sub/tests/unit_tests/engine-key'
> 3674
>
> (so now the source file is missing)
>
> Please... :-)
Sorry about that ... it's missin
On Tue, 2020-06-23 at 21:43 +0500, Илья Шипицин wrote:
> as far as I understand, openssl-1.0.2 does not support engines ?
No, it does. Engines were a pre 0.9.8 thing. I support openssl in my
builds for the TPM engine down to 1.0.1
However, the failure:
> Key mismatch not detected
>
> FAIL:
On Mon, 2020-06-22 at 18:23 +0200, Gert Doering wrote:
> Hi,
>
> On Sun, Jun 21, 2020 at 08:10:34AM -0700, James Bottomley wrote:
> > > Arne, James, can we converge on something here?
> >
> > Could someone just test the proposed updated v6 patch on a Mac?
>
On Tue, 2020-06-23 at 21:26 +0200, Gert Doering wrote:
> Hi,
>
> On Tue, Jun 23, 2020 at 08:47:33PM +0200, Gert Doering wrote:
> > On Tue, Jun 23, 2020 at 11:36:49PM +0500, ??
> > wrote:
> > > Also, I think we should out log.txt in case of failure.
> >
> > Indeed, this would
On Wed, 2020-06-24 at 01:18 +0500, Илья Шипицин wrote:
[...]
> I've added output of log.txt, if you are going to modify "grep"
> magic, can you adopt something like that, please ?
OK, I folded this into the --enable-small correction
James
---8>8>8><8<8<8
l/conf.h. You don't need that today because pretty much every
other openssl header includes it, but that may not always have been so.
Does the below patch fix it? If it does, it should probably be folded
into the other patch. It should be safe because openssl/conf.h has
existed for every version of openss
On Fri, 2020-06-05 at 09:28 -0700, James Bottomley wrote:
> On Fri, 2020-06-05 at 13:31 +0200, Arne Schwabe wrote:
> [...]
> > Somehow this turns into a autoconf/automake nightmare:
>
> Heh, got to say autoconf is a bit of a nightmare for its more
> esoteric features bec
nment variable support
in MAC openssl which I'll fix by using the absolute path. If it works
I think below is the replacement patch.
James
---8>8>8><8<8<8
From: James Bottomley
Subject: [PATCH v7 3/3] Add unit tests for engine keys
Testing engines is problematic, so on
On Fri, 2020-06-05 at 13:31 +0200, Arne Schwabe wrote:
[...]
> Somehow this turns into a autoconf/automake nightmare:
Heh, got to say autoconf is a bit of a nightmare for its more esoteric
features because the docs usually don't cover them and you end up
having to take the opinion of the
On Sat, 2020-06-06 at 20:16 +0200, Gert Doering wrote:
> Hi,
>
> On Sat, Jun 06, 2020 at 08:22:51AM -0700, James Bottomley wrote:
> > The only remaining problem is the lack of environment variable
> > support
> > in MAC openssl which I'll fix by using the absolute p
On Fri, 2020-06-05 at 00:37 +0200, Arne Schwabe wrote:
> On 29.05.20 at 01:46, James Bottomley wrote:
> > I'm getting this failure of test_ncp.c
> >
> > [ RUN ] test_check_ncp_ciphers_list
> > [ ERROR ] --- 0x7d67e8 != 0
> > [ LINE ] --- test_ncp.c:
On Fri, 2020-06-12 at 08:23 +0200, Gert Doering wrote:
> Hi,
>
> On Thu, May 28, 2020 at 04:46:51PM -0700, James Bottomley wrote:
> > diff --git a/tests/unit_tests/openvpn/test_ncp.c
> > b/tests/unit_tests/openvpn/test_ncp.c
> > index 19432410..f58fa2ea 100644
> >
On Sat, 2021-12-11 at 13:58 +0100, Matthias Andree wrote:
> Greetings,
>
> I am seeking clarification on licensing, judging from OpenVPN 2.5.X
> (meaning latest 2.5).
>
> 1. mbedTLS licensing compatibility. AFAICS, mbedTLS is currently
> under dual Apache License 2.0 and GPLv2,
>
On Sat, 2023-01-14 at 18:29 +0100, Arne Schwabe wrote:
> Hey,
>
> This is the first round and will be only to the openvpn-devel list.
> After that I will also write to individuals email addresses but I
> want to start with sending this to the devel list.
>
> We are writing to you since you are
On Sat, 2023-01-14 at 21:34 +0100, Arne Schwabe wrote:
> On 14.01.2023 at 20:57, James Bottomley wrote:
> > On Sat, 2023-01-14 at 18:29 +0100, Arne Schwabe wrote:
> > > Hey,
> > >
> > > This is the first round and will be only to the openvpn-devel
>
On Sun, 2023-01-15 at 16:34 +0100, Arne Schwabe wrote:
> On 15.01.23 at 16:22, James Bottomley wrote:
> > On Sun, 2023-01-15 at 15:22 +0100, Arne Schwabe wrote:
[...]
> > > So you are right in the sense that the Apache2 is just
> > > a normal library to link for most
On Sun, 2023-01-15 at 14:12 +0100, Arne Schwabe wrote:
> On 15.01.23 at 14:10, Matthias Andree wrote:
> > On 15.01.23 at 12:44, Gert Doering wrote:
> > > Hi,
> > >
> > > On Sat, Jan 14, 2023 at 05:28:09PM -0500, James Bottomley wrote:
> > > > Wh
On Sun, 2023-01-15 at 05:23 +0100, Arne Schwabe wrote:
> > Even if, for the sake of argument, I assume that what you're doing
> > isn't covered by the system library exception, then what you're
> > proposing doesn't fix your problem. Your problem becomes section 2
> > of the GPLv2: you must
On Sun, 2023-01-15 at 16:04 +0100, Gert Doering wrote:
> Hi,
>
> On Sun, Jan 15, 2023 at 08:37:00AM -0500, James Bottomley wrote:
> > The GNU project began in 1982. Static libraries for SYS-V were
> > initially proposed around 1986 and didn't become widespread until
> >
On Sun, 2023-01-15 at 15:22 +0100, Arne Schwabe wrote:
>
> > If that's the source of this issue, then I think there's a
> > misunderstanding about the problem the OpenSSL exception is
> > addressing. The problem was that the OpenSSL licence required
> > additional conditions be imposed on the
55 matches