git.ipfire.org Git - thirdparty/openvpn.git/commit
Bugfix: Convert ECDSA signature from pkcs11-helper to DER encoded form
author Selva Nair <selva.nair@gmail.com>
Tue, 14 Mar 2023 12:21:34 +0000 (08:21 -0400)
committer Gert Doering <gert@greenie.muc.de>
Wed, 15 Mar 2023 12:42:45 +0000 (13:42 +0100)
commit b7cf18f750f2a020032e09b6c4184579896876ee
tree 00cb6dce99da278c2c43ffd2eadc9a07b8100dc7
parent 021952705ba4b77a1d94bec85f6f02e6c612a37e
Bugfix: Convert ECDSA signature from pkcs11-helper to DER encoded form

With OpenSSL 3.0 and xkey-provider, we use pkcs11h_certificate_signAny_ex()
which returns EC signature as raw r|s concatenated. But OpenSSL expects
a DER encoded ASN.1 structure.

Do this conversion as done in cryptoapi.c. For code re-use, ecdsa_bin2sig()
is consolidated with sig to DER conversion as ecdsa_bin2der() and
moved to xkey_helper.c

In the past when we used OpenSSL hooks installed by pkcs11-helper,
such a conversion was not required as it was internally handled by
the library.

Reported by: Tom <openvpn@sup-logistik.de>
Also see: https://bugzilla.redhat.com/show_bug.cgi?id=2177834
Tested-by: Florian Apolloner <florian@apolloner.eu>
Change-Id: Ie20cf81edd643ab8ef3c41321353d11fd66c188c
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20230314122134.1248576-1-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26406.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpn/cryptoapi.c
src/openvpn/pkcs11_openssl.c
src/openvpn/xkey_common.h
src/openvpn/xkey_helper.c
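
The conversion the commit message describes, raw r|s to a DER-encoded ECDSA signature, shown as an added stand-alone example. It is not OpenVPN's ecdsa_bin2der() and does not use OpenSSL; the names raw_ecdsa_to_der and der_put_uint are hypothetical, and it assumes r and s occupy equal halves of at most 66 bytes each (P-521).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Emit one big-endian unsigned value as a DER INTEGER; returns bytes written.
 * len is 1..66 here, so the INTEGER length always fits the short form. */
static size_t der_put_uint(uint8_t *out, const uint8_t *v, size_t len)
{
    size_t n = 0;
    while (len > 1 && v[0] == 0) { v++; len--; }  /* minimal form */
    int pad = (v[0] & 0x80) != 0;  /* 0x00 prefix keeps it non-negative */
    out[n++] = 0x02;
    out[n++] = (uint8_t)(len + pad);
    if (pad) out[n++] = 0x00;
    memcpy(out + n, v, len);
    return n + len;
}

/* Hypothetical helper, not OpenVPN code: raw r|s (equal halves) to
 * DER SEQUENCE { INTEGER r, INTEGER s }. Returns DER length, 0 on error. */
size_t raw_ecdsa_to_der(const uint8_t *raw, size_t raw_len, uint8_t *der, size_t cap)
{
    uint8_t body[2 * (2 + 1 + 66)];  /* worst case: P-521, both halves padded */
    if (!raw || !der || raw_len == 0 || raw_len % 2 != 0 || raw_len > 2 * 66)
        return 0;
    size_t half = raw_len / 2;
    size_t blen = der_put_uint(body, raw, half);
    blen += der_put_uint(body + blen, raw + half, half);
    size_t hdr = (blen < 128) ? 2 : 3;  /* P-521 can need long-form length */
    if (cap < hdr + blen)
        return 0;
    size_t n = 0;
    der[n++] = 0x30;
    if (blen >= 128) der[n++] = 0x81;
    der[n++] = (uint8_t)blen;
    memcpy(der + n, body, blen);
    return n + blen;
}

int main(void)
{
    const uint8_t raw[4] = { 0x00, 0x01, 0x80, 0x02 };  /* constructed, not a real signature */
    uint8_t der[16];
    size_t n = raw_ecdsa_to_der(raw, sizeof raw, der, sizeof der);
    for (size_t i = 0; i < n; i++) printf("%02x", der[i]);
    printf("\n");
    return n == 10 ? 0 : 1;
}
```

The two cases that make a plain concatenation wrong are visible in the sample: the leading zero of r is dropped, and s gains a 0x00 prefix because its top bit is set.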