The EVP_PKEY interface as well as provider passes the raw
digest to the sign() function. In case of RSA_PKCS1,
our management interface expects an encoded hash, which
has the DigestInfo header added as per PKCSv1.5 specs,
unless the hash algorithm is legacy MD5_SHA1.
Fix this by
- add a function to perform the pkcs1 encoding before passing the
data to sign to the management interface. The implementation
is not pretty, but should work.
(Unfortunately OpenSSL does not expose a function for this).
Note:
1. cryptoki interface used by pkcs11-helper also requires this to be
done before calling the Sign op. This will come handy there too.
2. We have a similar function in ssl_mbedtls.c but its not prettier,
and require porting.
v2 changes: Use hard-coded headers for known hash algorithms instead
of assembling it from the ASN.1 objects.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211214165928.30676-9-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23433.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Add a function to set as sign_op during key import. The
function passes the signature request to management interface,
and returns the result to the provider.
v2 changes: Method to do digest added to match the changes in
the provider signature callback.
TODO:
- Allow passing the undigested message to management interface
- Add pkcs1 DigestInfo header when required
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211214165928.30676-8-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23428.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Leverage keymgmt_import through EVP_PKEY_new_fromdata() to
import "management-external-key"
- When required, use this to set SSL_CTX_use_PrivateKey
The sign_op is not implemented yet. This will error out while
signing with --management-external-key. The next commit
fixes that.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211214165928.30676-7-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23443.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Add function to check when external key is in use
- Load xkey provider into a custom library context when required
- Use the custom libctx in SSL CTX when external key is in use
As no keys are yet loaded through the provider,
no functionality gets delegated to it as yet.
v2 changes: Provider loading is reworked to activate only when external
keys are in use
This was 2/9 in v1
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211214165928.30676-6-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23432.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Our key object retains info about the external
key as an opaque handle to the backend. We also
need the public key as an EVP_PKEY *.
For native keys we use OpenSSL API to import
data into the key. The 'handle' representing the
private key in that case is the OpenSSL EVP_PKEY
object itself.
For importing custom keys, we define custom
parameters describing the key using OSSL_PARAM
structure. We define 4 required and 1 optional
parameters for loading the key:
Required params of type OSSL_PARAM:
{.key="xkey-origin", .data_type = OSSL_PARAM_UTF8_STRING
.data = "foobar", .data_size = 0 }
Note: data_size = 0 refer to NUL terminated string in OpenSSL.
This parameter is only used to identify that the key as non-native
with an opaque handle. We really do not check the content of
the string. Should not be NULL.
{.key="handle", .data_type = OSSL_PARAM_OCTET_PTR,
.data = &handle, .data_size = sizeof(handle)}
{.key="pubkey", .data_type = OSSL_PARAM_OCTET_STRING,
.data = &pubkey, .data_size = sizeof(pubkey)}
{.key="sign_op", .data_type = OSSL_PARAM_OCTET_PTR,
.data = &sign_op_ptr, .data_size = sizeof(sign_op_ptr)}
Optional param:
{.key="free_op", .data_type = OSSL_PARAM_OCTET_PTR,
.data = &free_op_ptr, .data_size = sizeof(free_op_ptr)}
The 'handle' is opaque to us and is retained. The caller
should not free it. We will free it when no longer required
by calling 'free_op()', if provided. The 'handle' should
not be NULL as that indicates missing private key.
The 'pubkey' must be an 'EVP_PKEY *' variable, and is duplicated
by us. The caller may free it after return from import.
The 'sign_op' and 'free_op' function pointers should be of type
'XKEY_EXTERNAL_SIGN_fn' and 'XKEY_PRIVKEY_FREE_fn' defined
in xkey_common.h
For example, for management-external-key, we really do not
need any 'handle'. Pass anything that will live long and
won't dereference to NULL. We do not use it for any other
purpose. Pointer to a const string could be a choice.
In this case, free_op = NULL is the safest choice.
For a usage of keymgmt_import(), see the helper function
implemented using it to load the management key in the next commit.
v2 changes: "origin" --> "xkey-origin"
This was 5/9 in v1
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211214165928.30676-5-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23439.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
- Basic frame work for announcing support for signature
operations
- DigestSign and Sign functions for native keys are also
implemented. Though strictly not needed, these functions
for native keys sets up the framework for signature operations.
They also help loading an exportable key from a file through
the provider for testing.
Subsequent commits will add support for signing with
external keys.
v2 changes:
- Remove verify operations which are no longer
required with proposed changes in OpenSSL 3.0.1 that we target.
- Undigested message is passed to the backend sign operation when
possible. This would allow more flexibility as some backends
prefer to do the hash operation internally.
This was 4/9 in v1
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211214165928.30676-4-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23437.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
A minimal set of functions for keymgmt are implemented.
No support for external key import as yet, only native
keys. Support for native keys is required as keys may
get imported into us for some operations as well as
for comparison with unexportable external keys that we hold.
Implementation of signature callbacks is in the next commit.
v2 changes: This was commit 3/9 in v1
v3 changes: When OpenSSL native key is imported instead of duplicating
the whole key, use only the public components for public key.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211214165928.30676-3-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23438.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Hooking into callbacks in RSA_METHOD and EVP_PKEY_METHOD
structures is deprecated in OpenSSL 3.0. For signing with
external keys that are not exportable (tokens, stores, etc.)
requires a custom provider interface so that key operations
are done under its context.
A single provider is enough for handling all external keys
we support -- management-external-key, cryptoapicert(CNG) and
pkcs11-helper. The series of patches starting with this implement
such a provider.
This patch implements only the provider_init function so
that it can be loaded, but has no capabilities. The required
interfaces are added in following commits.
v2 changes:
- Require OpenSSL 3.0.1 or newer: 3.0.0 is "buggy" as it
does not preferentially fetch operations from the keymgmt
of the key. This causes either an unsuccessful attempt at
exporting unexportable keys or an onerous requirement that
the external key's KEYMGMT should support a whole lot
of unrelated functionalities including key generation and
key exchange.
Fixed by PR #16725 in OpenSSL.
- Use a child libctx for internal use in the provider
v3 changes:
- Move OpenSSL version check for 3.0.1+ from configure to
xkey_common.h
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211214165928.30676-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23446.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
There are 2 occurrences where the order 'inline static' is used when
defining a function, while the rest of the code uses the definitely
more common form 'static inline'.
Convert those 2 occurrences to the common format.
Reported-by: Lev Stipakov <lev@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <20220117093508.17681-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23554.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This code has been dead for years and also does not seem that
useful anymore since we already have a proper unit_test for the
buffer code.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220101160632.2250072-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23492.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The arrow operator exists exactly to perform a pointer dereference
implicitly
while accessing a member.
while at it, add whitespaces around the '-' operator on the same line.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220110144510.17769-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23521.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The configure parameter was appended to the stage name but not to the
actual command. Fix this.
Cc: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220114122538.24662-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23539.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
signal_handler() is unused on Windows and generates a warning.
Confine it within "ifdef _WIN32" in order to reduce the compilation
noise.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220113101434.30223-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23530.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
PF (Packet Filter) has been dropped from the OpenVPN code base, however
some bits and pieces are left in the documentation.
Erase them all.
Reported-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20220113200030.18656-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23531.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Indentation is wrong and triggers the following:
rst2man.py openvpn.8.rst > openvpn.8
man-sections/cipher-negotiation.rst:20: (WARNING/2) Definition list ends
without a blank line; unexpected unindent.
rst2man.py openvpn-examples.5.rst > openvpn-examples.5
rst2html.py openvpn.8.rst > openvpn.8.html
man-sections/cipher-negotiation.rst:20: (WARNING/2) Definition list ends
without a blank line; unexpected unindent.
Get rid of it.
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220110144013.7233-1-a@unstable.cc>
URL: https://www.mail-archive.com/search?l=mid&q=20220110144013.7233-1-a@unstable.cc
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This fixes
error C4703: potentially uninitialized local pointer variable
'b64output' used
found by arm64 msvc compiler with SDL enabled.
Not sure why this is not triggered on x86/x64.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220107123550.188-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23511.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This function is static and just calls another functions.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20211207170211.3275837-12-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23337.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Use the functions that directly compute the link mtu instead relying on the
frame logic.
Patch V2: rebase on master
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211230172136.2017215-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20211230172136.2017215-1-arne@rfc2549.org
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This consolidates the MSS fix calculation into a single function
instead having it distributed all over the code. It also calculates
the real wire overhead without extra sizes for buffer etc.
Patch v2: improve comment
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20211214150901.4118886-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23423.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
These functions are intended to lay the groundwork to later replace
the distributed frame calculations and centralise the calculation in
one place.
Patch v2.2: clarify that the socks comments is assuming IPv4 and improve
other comments
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211229163445.1893687-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23476.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
BF-CBC is the default value for the --cipher option in OpenVPN <2.5
and not <2.6. However, the warning printed to screen talks about
"OpenVPN before 2.6", which is wrong and needs to be fixed.
Fix message by saying ".. before 2.5"
Cc: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211229172714.6424-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23477.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Also let other variants finish if one fails (fail-fast: false)
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211215123449.53818-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23452.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This code is probably from a time when we could not set the MTU on
the Windows tap6 driver. Nowadays we can set the MTU on this device,
so this code is a noop now.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211207170211.3275837-7-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23327.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
When tls_deauthenticate is called (e.g. by management kicking of a client)
the key auth state is changed to KS_AUTH_FALSE while the key state is
still in S_GENERATED_KEYS. This triggers the assertion.
Remove the assertions and instead check that the auth state is KS_AUTH_TRUE
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211207170211.3275837-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23340.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The align_adjust variable was only set to a non-zero value when
no cipher was used for the data channel. Since we no longer want to
optimise non encrypted data channel traffic, remove this optimisation
and simplify the code.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211207170211.3275837-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23331.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This avoids special casing the cipher none/auth none case in other
parts, e.g. in the upcoming buffer/frame rework.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211201180727.2496903-9-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23272.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
As with the removal of cipher_kt_t, this is allows better support of
OpenSSL 3.0 and mbed TLS 3.0
Patch v2: rebase
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211213150654.3993358-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20211213150654.3993358-2-arne@rfc2549.org
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This explains that 2.6 will ignore --cipher without --compat-mode and
restructures the whole paragraph to better readable.
Patch V2: Adjust grammar, use consistently "and later"
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20211213152529.3995394-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23403.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
We originally wanted to deprecated these ciphers (especially BF-CBC) with
2.6 but currently these ciphers are still too widespread to make this
transition for 2.6.
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211213150950.3993881-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23402.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Make the external crypto consumer oblivious to the internal cipher
type that both mbed TLS and OpenSSL use. This change is mainly done
so the cipher type that is used can be stay a const type but instead
of an SSL library type, we now use a simple string to identify a
cipher. This has the disadvantages that we do a cipher lookup every
time a function is called that needs to query properties of a cipher.
But none of these queries are in a critical path.
This patch also fixes the memory leaks introduced by the
EVP_fetch_cipher commit by always freeing the EVP_CIPHER.
This also changes kt->cipher to be always defined with the name of
the cipher. This only affects the "none" cipher cipher which was
previously represented by kt->cipher to be NULL.
Patch v2: rebase on master
Patch v3: fix errors with mbed TLS without having md_kt to const char *
patch also applied, fix logic inversion in tls_crypt_tk
Patch v4: fix issue if cipher does not get changed by NCP that null cipher
is then used
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211213150654.3993358-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20211213150654.3993358-1-arne@rfc2549.org
Signed-off-by: Gert Doering <gert@greenie.muc.de>
MSVC build uses OpenSSL from vcpkg, which at the moment
is 1.1.1l. Key material export was added to 1.1.1, so it is safe
to indicate its support unconditionally.
This enables Windows releases to benefit from tls-ekm
data channel keys derivation.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211213135253.212-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23394.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
While --push-peer-info can be configured on the server, it's not really
intended for that, and it ended in the "SERVER OPTIONS" section by
mishap. Fix that.
Reported-by: Stella Ashburne <rewefie@gmx.com>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20211207130436.22187-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23325.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
The unit test argv_insert_head__empty_argv__head_only was defined
but never used. Add it to the array of unit tests.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211208170614.3404821-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23359.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This argument is never used apart from a unit test. Remove this
argument as a small cleanup.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211207170211.3275837-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23329.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Currently we default to local binding with udp. But the majority of
configuration files actually uses --nobind in the configuration to
change the default for --client. And client protocols should normally
use a random source port. This changes the default. Local binding with
--client can still be done using --bind.
This commit refactors the current code to be more easy to add to understand
and adds the the o->pull condition as additional option to opt into setting
local binding to false.
Patch v2: add more commments
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Message-Id: <20211206010007.3072528-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23303.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
If an optional cipher was found at the end of --data-cipher that was
not available, it would reset the error and allow non optional ciphers
to be ignored.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211206150852.3142891-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20211206150852.3142891-1-arne@rfc2549.org
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This field is only set once with md_kt_size and then only read. Remove this
field and replace the read accesses with md_kt_size.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211201180727.2496903-6-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23274.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This field is only set once to cipher_kt_key_size(kt.cipher) at the same
time that kt.cipher is set and therefore completely redundant.
This field was useful in the past when we supported cipher with variable
key length as this field would then store the key length that we would use.
Now that we do not support this anymore, we can simplify the code.
Patch v2: correct print message that would print bytes instead bits.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211206010151.3072787-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23304.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
We currently have a number of calls that fetch the cipher_kt from a
cipher_ctx to then do a query on the cipher_kt. Directly fetching the
desired property from the context is cleaner and helps for using the
proper APIs with OpenSSL 3.0 and mbed TLS 3.0
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211201180727.2496903-3-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23278.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Starting from commit 21b2dbd3 "[scripts-audit] nmake buildsystem"
vcpkg has removed NO_DEBUG support from nmake buildsystem
and now builds debug variant unconditionally. Debug flags contradict
build options hardcoded in pkcs11 nmake script (like /O2).
Remove hardcoded release options and other options which
are (also) set by vcpkg nmake buildsystem.
Bump vcpkg commit in GitHub actions.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211124100838.861-1-lstipakov@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23253.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Remove --keysize from the manual page and also remove mentioning
variable key size in output of ciphers as there is no longer a way to
change the keysize.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211201180727.2496903-4-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23275.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
We always use the same tag size for all AEAD cipher, so instead
of doing a lookup, use the tag size directly.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211201180727.2496903-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23273.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This allows to use the same configuration multiple platforms/ssl libraries
and include optional algorithms that are not available on all platforms
For example "AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305" can be used to
emulate the default behaviour of OpenVPN 2.6.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211201180727.2496903-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23279.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
