From patchwork Sun May 24 10:33:20 2020
X-Patchwork-Submitter: James Bottomley
X-Patchwork-Id: 1122
From: James Bottomley
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 24 May 2020 13:33:20 -0700
Message-Id: <20200524203322.15885-1-James.Bottomley@HansenPartnership.com>
Subject: [Openvpn-devel] [PATCH v5 0/2] add engine keys

This update tries to cope with the fact that the test engine dynamic extension is different on macOS (.dylib) and Linux (.so) by dynamically building the openssl.cnf file with the correct one.

Note: I don't have any macOS machines to test this on, so I only know it works on Linux. If someone with a Mac could check, I'd be grateful.

---

Engine keys are an openssl concept for a key file which can only be understood by an engine (usually because it's been wrapped by the engine itself). We use this for TPM engine keys, so you can either generate them within your TPM or wrap them from existing private keys. Once wrapped, the keys will only function in the TPM that generated them, so it means the VPN keys are tied to the physical platform, which is very useful.

Engine keys have to be loaded via a specific callback, so use this as a fallback in openvpn if an engine is specified and if the PEM read of the private key fails.

Adding a unit test for this type of key proved particularly problematic: there's apparently no simple engine you can use to check the functionality, so after a bit of googling, I just wrote one as part of the test.

You can see that the unit test converts an existing key to engine format (which is simply changing the PEM guards), tries to start openvpn with the key and verifies that the engine methods are called and the password correctly retrieved. To make the test simple, it relies on openssl detecting a mismatch between the certificate and the key after the key has been loaded rather than going on to bring up an openvpn loop, but I think that's sufficient to test out the engine patch fully.

---

James Bottomley (2):
  openssl: add engine method for loading the key
  Add unit tests for engine keys

 configure.ac                                |   5 +
 src/openvpn/crypto_openssl.c                |  57 ++++++++++
 src/openvpn/crypto_openssl.h                |  12 +++
 src/openvpn/ssl_openssl.c                   |   5 +
 tests/unit_tests/Makefile.am                |   3 +
 tests/unit_tests/engine-key/Makefile.am     |  24 +++++
 .../engine-key/check_engine_keys.sh         |  30 ++++++
 tests/unit_tests/engine-key/libtestengine.c | 101 ++++++++++++++++++
 tests/unit_tests/engine-key/openssl.cnf.in  |  12 +++
 9 files changed, 249 insertions(+)
 create mode 100644 tests/unit_tests/engine-key/Makefile.am
 create mode 100755 tests/unit_tests/engine-key/check_engine_keys.sh
 create mode 100644 tests/unit_tests/engine-key/libtestengine.c
 create mode 100644 tests/unit_tests/engine-key/openssl.cnf.in
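The loading order the cover letter describes (try the ordinary PEM reader first, consult the engine's key-loading callback only when an engine is configured and the PEM read fails) and the unit test's approach (rewrite only the PEM guards, then check that the engine methods run and the password callback is invoked) are illustrated below in a constructed Python model. This is added example code, not the openvpn patch, not libtestengine.c and not OpenSSL's ENGINE API: the minimal PEM parser, the `TestEngine` class, the `load_private_key` dispatcher and the `TEST ENGINE KEY` PEM label are all assumptions made for the illustration, and the key body is a constructed five-byte DER sequence rather than a real key.

```python
# Constructed model of "PEM read first, engine callback as fallback" key loading.
# Not the openvpn patch or OpenSSL's API; parser, engine class and the
# "TEST ENGINE KEY" label are assumptions made for this example.
from __future__ import annotations

import base64
import re
from typing import Callable, Optional

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]*?)\s*"
    r"-----END (?P=label)-----"
)

# Labels the ordinary PEM private-key reader accepts in this model.
STANDARD_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
# Assumed label for the toy engine; only the engine recognises it.
ENGINE_LABEL = "TEST ENGINE KEY"


class PemError(Exception):
    """Raised when a PEM block is absent, malformed, or carries an unknown label."""


def parse_pem(text: str) -> tuple[str, bytes]:
    """Return (label, DER bytes) for the first PEM block in text."""
    m = PEM_BLOCK.search(text)
    if m is None:
        raise PemError("no PEM block found")
    try:
        der = base64.b64decode("".join(m.group("body").split()), validate=True)
    except ValueError as exc:
        raise PemError(f"bad base64 in PEM body: {exc}") from exc
    # Every private-key encoding above is a DER SEQUENCE, so the first byte is 0x30.
    if not der or der[0] != 0x30:
        raise PemError("PEM payload is not a DER SEQUENCE")
    return m.group("label"), der


def pem_read_private_key(text: str) -> dict:
    """Stand-in for the plain PEM reader: standard labels only, no engine knowledge."""
    label, der = parse_pem(text)
    if label not in STANDARD_LABELS:
        raise PemError(f"unsupported PEM label {label!r}")
    return {"source": "pem", "label": label, "der": der}


class TestEngine:
    """Toy engine: accepts only its own label and asks the caller for the password."""

    def __init__(self) -> None:
        self.calls: list[str] = []  # records which engine methods ran, as the test checks

    def load_private_key(self, text: str, password_cb: Callable[[], str]) -> dict:
        self.calls.append("load_private_key")
        label, der = parse_pem(text)
        if label != ENGINE_LABEL:
            raise PemError(f"engine does not recognise label {label!r}")
        password = password_cb()
        self.calls.append("password_cb")
        return {"source": "engine", "label": label, "der": der, "password": password}


def load_private_key(text: str, engine: Optional[TestEngine] = None,
                     password_cb: Optional[Callable[[], str]] = None) -> dict:
    """PEM reader first; engine callback only if one is configured and PEM failed."""
    try:
        return pem_read_private_key(text)
    except PemError:
        if engine is None:
            raise  # no engine configured: the PEM failure is the final answer
    if password_cb is None:
        raise PemError("engine key requested but no password callback supplied")
    return engine.load_private_key(text, password_cb)


def wrap_for_engine(pem_text: str) -> str:
    """Mimic the unit test's conversion: change only the PEM guards."""
    label, _ = parse_pem(pem_text)
    if label not in STANDARD_LABELS:
        raise PemError(f"refusing to wrap non-standard label {label!r}")
    return (pem_text.replace(f"-----BEGIN {label}-----", f"-----BEGIN {ENGINE_LABEL}-----")
                    .replace(f"-----END {label}-----", f"-----END {ENGINE_LABEL}-----"))


# Constructed sample: a minimal DER SEQUENCE standing in for a real key body.
SAMPLE_DER = b"\x30\x03\x02\x01\x00"
SAMPLE_PEM = (
    "-----BEGIN PRIVATE KEY-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END PRIVATE KEY-----\n"
)


def demo() -> dict:
    """Exercise the three cases a test would check and report what happened."""
    engine = TestEngine()
    plain = load_private_key(SAMPLE_PEM)                               # PEM path, engine untouched
    wrapped = wrap_for_engine(SAMPLE_PEM)
    via_engine = load_private_key(wrapped, engine, lambda: "hunter2")  # fallback path
    try:
        load_private_key(wrapped)                                      # engine key, no engine: must fail
        no_engine_failed = False
    except PemError:
        no_engine_failed = True
    return {"plain": plain["source"], "engine": via_engine["source"],
            "password": via_engine["password"], "calls": engine.calls,
            "no_engine_failed": no_engine_failed}


if __name__ == "__main__":
    print(demo())
```

The point of the third case in `demo()` is the one a reviewer of this fallback should care about: an engine-format key must be rejected outright when no engine is configured, rather than silently accepted by some path that does not understand it.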