[Openvpn-devel,0/2] Make cryptoapicert work with TLS 1.2

Message ID 1515378076-5774-1-git-send-email-selva.nair@gmail.com
Series
  • Make cryptoapicert work with TLS 1.2

Message

Selva Nair Jan. 8, 2018, 2:21 a.m.
From: Selva Nair <selva.nair@gmail.com>

Hi,

I am not sure how receptive the crypto maintainers are to the
idea of adding more code into cryptoapi.c, but here goes:

I've been wanting to add TLS 1.2 support for certs in the
Windows cert store using management external key. But that's
a lot more work than extending cryptoapicert support. And,
rather surprisingly, it turns out that the CNG API for signing is
easy to use (well after some groping in the dark..) and doesn't
take much to implement.

So these patches..

The first patch is not really related and is meant to make the existing code
"openssl-1.1 ready" (missed by past patches as no one probably builds
Windows binaries with 1.1..).

The second patch is not dependent on this, but close-by code paths
are touched by both.

Selva

Selva Nair (2):
  Bring cryptoapi.c upto speed with openssl 1.1
  TLS v1.2 support for cryptoapicert -- RSA only

 configure.ac                 |   1 +
 src/openvpn/Makefile.am      |   2 +-
 src/openvpn/cryptoapi.c      | 155 ++++++++++++++++++++++++++++++++++---------
 src/openvpn/openssl_compat.h |  14 ++++
 src/openvpn/options.c        |  18 -----
 5 files changed, 140 insertions(+), 50 deletions(-)

Comments

Илья Шипицин Jan. 9, 2018, 6 a.m. | #1
2018-01-08 7:21 GMT+05:00 <selva.nair@gmail.com>:

> From: Selva Nair <selva.nair@gmail.com>
>
> Hi,
>
> I am not sure how receptive the crypto maintainers are to the
> idea of adding more code into cryptoapi.c, but here goes:
>
> I've been wanting to add TLS 1.2 support for certs in the
> Windows cert store using management external key. But that's
> a lot more work than extending cryptoapicert support. And,
> rather surprisingly, it turns out that the CNG API for signing is
> easy to use (well after some groping in the dark..) and doesn't
> take much to implement.
>
> So these patches..
>
> The first patch is not really related and is meant to make the existing code
> "openssl-1.1 ready" (missed by past patches as no one probably builds
> Windows binaries with 1.1..).
>

there was an agreement at one of the recent community meetings to
gracefully deprecate both libressl and openssl-1.0.X in favour of
openssl-1.1.X

so, we should learn how to build Windows binaries with 1.1.X :)

>
> The second patch is not dependent on this, but close-by code paths
> are touched by both.
>
> Selva
>
> Selva Nair (2):
>   Bring cryptoapi.c upto speed with openssl 1.1
>   TLS v1.2 support for cryptoapicert -- RSA only
>
>  configure.ac                 |   1 +
>  src/openvpn/Makefile.am      |   2 +-
>  src/openvpn/cryptoapi.c      | 155 ++++++++++++++++++++++++++++++
> ++++---------
>  src/openvpn/openssl_compat.h |  14 ++++
>  src/openvpn/options.c        |  18 -----
>  5 files changed, 140 insertions(+), 50 deletions(-)
>
> --
> 2.1.4
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
>
Steffan Karger Jan. 9, 2018, 9:19 a.m. | #2
Hi,

On 8 January 2018 at 03:21,  <selva.nair@gmail.com> wrote:
> I am not sure how receptive the crypto maintainers are to the
> idea of adding more code into cryptoapi.c, but here goes:
>
> I've been wanting to add TLS 1.2 support for certs in the
> Windows cert store using management external key. But that's
> a lot more work than extending cryptoapicert support. And,
> rather surprisingly, it turns out that the CNG API for signing is
> easy to use (well after some groping in the dark..) and doesn't
> take much to implement.
>
> So these patches..
>
> The first patch is not really related and is meant to make the existing code
> "openssl-1.1 ready" (missed by past patches as no one probably builds
> Windows binaries with 1.1..).
>
> The second patch is not dependent on this, but close-by code paths
> are touched by both.

This would fix a major shortcoming in our current cryptoapi code, so
I'm definitely open to accepting these patches. Just need to find some
time to do the review and the dreaded Windows testing :)

I actually tried this myself a while ago, but quickly gave up after
getting lost in and demotivated by the MSDN maze. So more than
grateful that you wrestled your way through!

-Steffan

Selva Nair Jan. 10, 2018, 7:40 p.m. | #3
Hi,

On Tue, Jan 9, 2018 at 1:00 AM, Илья Шипицин <chipitsine@gmail.com> wrote:
>
>
>
> 2018-01-08 7:21 GMT+05:00 <selva.nair@gmail.com>:
>>
>> From: Selva Nair <selva.nair@gmail.com>
>>
>> Hi,
>>
>> I am not sure how receptive the crypto maintainers are to the
>> idea of adding more code into cryptoapi.c, but here goes:
>>
>> I've been wanting to add TLS 1.2 support for certs in the
>> Windows cert store using management external key. But that's
>> a lot more work than extending cryptoapicert support. And,
>> rather surprisingly, it turns out that the CNG API for signing is
>> easy to use (well after some groping in the dark..) and doesn't
>> take much to implement.
>>
>> So these patches..
>>
>> The first patch is not really related and is meant to make the existing code
>> "openssl-1.1 ready" (missed by past patches as no one probably builds
>> Windows binaries with 1.1..).
>
>
> there was an agreement at one of the recent community meetings to
> gracefully deprecate both libressl and openssl-1.0.X in favour of
> openssl-1.1.X
>
> so, we should learn how to build Windows binaries with 1.1.X :)

I had tested the patch with 1.1 and needed only minor changes to the build
script. See https://github.com/selvanair/openvpn-build

pkcs11-helper build showed some warnings but I did not check further
as I usually disable it.

Selva
