On Sun, 2017-10-29 at 17:34 +0500, Илья Шипицин wrote:
> 2017-10-28 17:03 GMT+05:00 James Bottomley <james.bottom...@hansenpartnership.com>:
> > As well as doing crypto acceleration, engines can also be used to
> > load key files. If the engine is set, and the private key loading fails
> > for bio methods, this patch makes openvpn try to get the engine to
> > load the key. If that succeeds, we end up using an engine based key.
> > This can be used with the openssl tpm engines to make openvpn use a
> > TPM wrapped key file.
>
> it fails on mbedtls and openssl-1.1.0
> https://travis-ci.org/chipitsine/openvpn/builds/294429659
It looks like it needs better config guarding; incremental attached below.

However, it exposes an openvpn problem: engines aren't built with openssl-1.1 because the configure.ac check for ENGINE_cleanup doesn't find the function (it became a #define). I'll see if I can fix that.

The mbedtls one looks like the function def needs to be in crypto_openssl.h; I've moved it but can't compile check

James

---

diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index 0b4a9ce9..cc8f138f 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -669,17 +669,5 @@ const char *translate_cipher_name_from_openvpn(const char *cipher_name); */ const char *translate_cipher_name_to_openvpn(const char *cipher_name); -/** - * Load a key file from an engine - * - * @param file The engine file to load - * @param ui The UI method for the password prompt - * @param data The data to pass to the UI method - * - * @return The private key if successful or NULL if not - */ -EVP_PKEY * -engine_load_key(const char *file, SSL_CTX *ctx); - #endif /* CRYPTO_BACKEND_H_ */ diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index ee16a496..1fcb80a6 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -969,6 +969,7 @@ hmac_ctx_final(HMAC_CTX *ctx, uint8_t *dst) HMAC_Final(ctx, dst, &in_hmac_len); } +#ifdef HAVE_OPENSSL_ENGINE static int ui_read(UI *ui, UI_STRING *uis) { @@ -986,10 +987,12 @@ ui_read(UI *ui, UI_STRING *uis) } return 0; } +#endif EVP_PKEY * engine_load_key(const char *file, SSL_CTX *ctx) { +#ifdef HAVE_OPENSSL_ENGINE UI_METHOD *ui; EVP_PKEY *pkey; @@ -1016,6 +1019,9 @@ engine_load_key(const char *file, SSL_CTX *ctx) out: UI_destroy_method(ui); return pkey; +#else + return NULL; +#endif } #endif /* ENABLE_CRYPTO && ENABLE_CRYPTO_OPENSSL */ diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h index 60a28123..759dc927 100644 --- a/src/openvpn/crypto_openssl.h 
+++ b/src/openvpn/crypto_openssl.h @@ -101,5 +101,17 @@ void crypto_print_openssl_errors(const unsigned int flags); msg((flags), __VA_ARGS__); \ } while (false) +/** + * Load a key file from an engine + * + * @param file The engine file to load + * @param ui The UI method for the password prompt + * @param data The data to pass to the UI method + * + * @return The private key if successful or NULL if not + */ +EVP_PKEY * +engine_load_key(const char *file, SSL_CTX *ctx); + #endif /* CRYPTO_OPENSSL_H_ */

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
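Review bot: The crypto_backend.h hunk (@@ -669,17 +669,5 @@) is the right place to drop the declaration, since the prototype names the OpenSSL-only types EVP_PKEY and SSL_CTX and a backend-neutral header cannot be parsed by the mbedtls build once those appear in it; the remaining check is that every translation unit calling engine_load_key includes crypto_openssl.h rather than relying on crypto_backend.h, otherwise the OpenSSL build will now fail with an implicit declaration.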
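Review bot: The guard added in the crypto_openssl.c hunk at @@ -969,6 +969,7 @@ should use the same form of the test as the other HAVE_OPENSSL_ENGINE conditionals in this file: `#ifdef HAVE_OPENSSL_ENGINE` is true even if configure ever defines the macro to 0, whereas `#if HAVE_OPENSSL_ENGINE` is not, and mixing the two styles in one file makes the next configure change silently enable one path and not the other. Keeping the static ui_read out of the build when the engine is unavailable is otherwise correct, as it is presumably referenced only from engine_load_key's UI_METHOD and would trigger an unused-function warning.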
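Review bot: In the hunk at @@ -986,10 +987,12 @@ the `#ifdef HAVE_OPENSSL_ENGINE` is opened inside the body of engine_load_key, right after the opening brace, and is only closed by the `#else`/`#endif` two hunks further down around the final return. A conditional that brackets an entire function body is easy to misread; two complete definitions, the real one under `#ifdef HAVE_OPENSSL_ENGINE` and a stub under `#else`, each with its own brace pair, would be clearer and would also keep the `+#endif` that closes the ui_read guard from sitting directly next to a new `#ifdef` of the same macro.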
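Review bot: The `#else` branch in the hunk at @@ -1016,6 +1019,9 @@ returns NULL silently, so a caller cannot tell "engine support was not compiled in" from "the engine failed to load the key", and the user sees only the generic private-key failure. Given the cover note that the configure check for ENGINE_cleanup currently fails on OpenSSL 1.1, this stub is the path every 1.1 build will take, so it should at least log that engine key loading is unavailable before returning; the unused `file` and `ctx` parameters in that branch also deserve a `(void)file; (void)ctx;` to keep -Wunused-parameter quiet.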
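Review bot: The doxygen block moved into crypto_openssl.h in the hunk at @@ -101,5 +101,17 @@ does not match the prototype beneath it: it documents `@param ui` and `@param data`, but the function is declared as `engine_load_key(const char *file, SSL_CTX *ctx)`. Since the comment is being relocated anyway, fix it here to document `ctx` and drop the stale `ui`/`data` entries, and confirm that crypto_openssl.h already pulls in the OpenSSL headers that declare EVP_PKEY and SSL_CTX so the new declaration does not depend on include order.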
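The configure problem James describes, that AC_CHECK_FUNCS-style link probing of ENGINE_cleanup fails once the name is a macro rather than a linkable symbol, can be avoided by compiling and linking a program that actually uses the name after including the header. The following configure.ac fragment is an added example, not OpenVPN's own configure.ac: the OPENSSL_CFLAGS/OPENSSL_LIBS variables, the exact list of functions probed, and the HAVE_OPENSSL_ENGINE define (chosen to match the guard used in the patch above) are all assumptions.

```m4
dnl Added example, not part of OpenVPN's configure.ac.
dnl Probe the OpenSSL ENGINE API so that the check still succeeds when
dnl ENGINE_cleanup is a macro (as in OpenSSL 1.1) instead of a function.
dnl Assumes OPENSSL_CFLAGS and OPENSSL_LIBS have already been determined.
saved_CFLAGS="${CFLAGS}"
saved_LIBS="${LIBS}"
CFLAGS="${CFLAGS} ${OPENSSL_CFLAGS}"
LIBS="${LIBS} ${OPENSSL_LIBS}"

have_openssl_engine="yes"

dnl These are still real functions in the ENGINE API, so a plain link
dnl probe of the bare symbol is appropriate for them.
AC_CHECK_FUNCS(
    [ENGINE_load_builtin_engines ENGINE_register_all_complete],
    [],
    [have_openssl_engine="no"]
)

dnl ENGINE_cleanup is a no-op macro in OpenSSL 1.1, so there is no symbol
dnl to link against. Test that the identifier is usable after including
dnl <openssl/engine.h>, whether it expands to a call or to nothing.
AC_MSG_CHECKING([whether ENGINE_cleanup is usable])
AC_LINK_IFELSE(
    [AC_LANG_PROGRAM(
        [[#include <openssl/engine.h>]],
        [[ENGINE_cleanup();]]
    )],
    [AC_MSG_RESULT([yes])],
    [AC_MSG_RESULT([no]); have_openssl_engine="no"]
)

CFLAGS="${saved_CFLAGS}"
LIBS="${saved_LIBS}"

if test "${have_openssl_engine}" = "yes"; then
    dnl Macro name chosen to match the #ifdef guard in the patch (assumed).
    AC_DEFINE([HAVE_OPENSSL_ENGINE], [1], [OpenSSL ENGINE API is available])
fi
```

The difference from the bare-symbol probe is that the program includes the real header, so whatever the library calls ENGINE_cleanup in this version (function or macro) is what gets compiled and linked; a build where the header is missing or the library has no ENGINE support still fails the check, which is what the guard in the patch relies on.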