Add a function to encode digests with PKCS1 DigestInfo wrapper
The EVP_PKEY interface as well as the provider passes the raw
digest to the sign() function. In case of RSA_PKCS1,
our management interface expects an encoded hash, which
has the DigestInfo header added as per PKCSv1.5 specs,
unless the hash algorithm is legacy MD5_SHA1.
Fix this by
- adding a function to perform the pkcs1 encoding before passing the
data to sign to the management interface. The implementation
is not pretty, but should work.
(Unfortunately OpenSSL does not expose a function for this).
Note:
1. cryptoki interface used by pkcs11-helper also requires this to be
done before calling the Sign op. This will come in handy there too.
2. We have a similar function in ssl_mbedtls.c but it's not prettier,
and requires porting.
v2 changes: Use hard-coded headers for known hash algorithms instead
of assembling it from the ASN.1 objects.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20211214165928.30676-9-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23433.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
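
The encoding the commit message describes, as an added example that is not the OpenVPN code from this commit: a raw digest is prefixed with the hard-coded DER DigestInfo header for its hash algorithm, while the legacy MD5_SHA1 digest is passed through without a header. The names hash_alg, di_prefix and digestinfo_encode are hypothetical; the header bytes are the ones listed in RFC 8017, section 9.2.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; not OpenVPN's identifiers. */
enum hash_alg { H_MD5_SHA1, H_SHA1, H_SHA256, H_SHA384, H_SHA512 };
struct di_prefix { enum hash_alg alg; size_t len; uint8_t der[19]; };

/* DER DigestInfo prefixes as listed in RFC 8017, section 9.2, note 1. */
static const struct di_prefix prefixes[] = {
    { H_SHA1, 15, {0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,0x02,0x1a,
                   0x05,0x00,0x04,0x14} },
    { H_SHA256, 19, {0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,
                     0x03,0x04,0x02,0x01,0x05,0x00,0x04,0x20} },
    { H_SHA384, 19, {0x30,0x41,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,
                     0x03,0x04,0x02,0x02,0x05,0x00,0x04,0x30} },
    { H_SHA512, 19, {0x30,0x51,0x30,0x0d,0x06,0x09,0x60,0x86,0x48,0x01,0x65,
                     0x03,0x04,0x02,0x03,0x05,0x00,0x04,0x40} },
};

/* Writes the data to be signed into out; returns its length, 0 on error. */
size_t digestinfo_encode(enum hash_alg alg, const uint8_t *digest, size_t dlen,
                         uint8_t *out, size_t outcap)
{
    if (alg == H_MD5_SHA1) {
        /* Legacy case: 16-byte MD5 || 20-byte SHA-1, signed without a header. */
        if (dlen != 36 || outcap < dlen) return 0;
        memcpy(out, digest, dlen);
        return dlen;
    }
    for (size_t i = 0; i < sizeof(prefixes) / sizeof(prefixes[0]); i++) {
        const struct di_prefix *p = &prefixes[i];
        if (p->alg != alg) continue;
        /* Last header byte is the OCTET STRING length; it must equal dlen. */
        if (dlen != p->der[p->len - 1] || outcap < p->len + dlen) return 0;
        memcpy(out, p->der, p->len);
        memcpy(out + p->len, digest, dlen);
        return p->len + dlen;
    }
    return 0; /* unknown algorithm: refuse instead of emitting a raw digest */
}

int main(void)
{
    uint8_t digest[32] = {0}; /* constructed sample: all-zero SHA-256 digest */
    uint8_t out[19 + 64];
    size_t n = digestinfo_encode(H_SHA256, digest, sizeof(digest), out, sizeof(out));
    printf("encoded length: %zu\n", n);
    return n == 51 ? 0 : 1;
}
```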