From patchwork Wed Sep 22 11:12:45 2021
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 1968
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 22 Sep 2021 17:12:45 -0400
Message-Id: <20210922211254.7570-1-selva.nair@gmail.com>
X-Mailer: git-send-email 2.20.1
Subject: [Openvpn-devel] [PATCH 0/9] A built-in OpenSSL3.0 provider for external-keys

From: Selva Nair

The following series of patches implements a built-in provider for
interfacing OpenSSL 3.0 when external keys are in use. Essentially, to
intercept the sign operation, the SSL_CTX object has to be created with
a properties string set to prioritize our provider. In the provider we
implement only keymgmt and signature operations and specify the property
string as optional. That allows all operations we do not provide to be
used from the default provider.

This patch set stops at interfacing the provider with
management-external-key. For pkcs11-helper, only some glue code is needed
and is in the works. Same with cryptoapicert aka CNG, but I want to clean
up the old code a bit before hooking to the provider.

I haven't attempted to remove any of the deprecated interfaces. That is
better done along with Arne's patches. There will be only minor, if at
all any, conflicts between that and this patch set.

Selva Nair (9):
  A built-in provider for using external key with OpenSSL 3.0
  Initialize the xkey provider and use it in SSL context
  Implement keymgmt in the xkey provider
  Implement provider interface for signature operations
  Implement import of custom external keys
  A helper function to load key for management-external-key
  Enable signing via provider for management-external-key
  Add a function to encode digests with PKCS1 DigestInfo wrapper
  Allow management client to announce pss padding support

 configure.ac                            |   11 +
 doc/man-sections/management-options.rst |    8 +-
 doc/management-notes.txt                |   15 +-
 src/openvpn/Makefile.am                 |    2 +
 src/openvpn/crypto_openssl.c            |   19 +
 src/openvpn/manage.h                    |    1 +
 src/openvpn/openssl_compat.h            |   12 +
 src/openvpn/options.c                   |    7 +-
 src/openvpn/ssl_openssl.c               |   17 +-
 src/openvpn/xkey_common.h               |  120 +++
 src/openvpn/xkey_helper.c               |  285 ++++++
 src/openvpn/xkey_provider.c             | 1158 +++++++++++++++++++++++
 12 files changed, 1647 insertions(+), 8 deletions(-)
 create mode 100644 src/openvpn/xkey_common.h
 create mode 100644 src/openvpn/xkey_helper.c
 create mode 100644 src/openvpn/xkey_provider.c
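The design point in the cover letter (a provider that implements only keymgmt and signature, selected through an optional property string so everything else falls through to the default provider) hinges on how OpenSSL 3.0 resolves a property query. The following is an added example, not code from the patch series or from OpenSSL: a small C model of that resolution rule, with a constructed registry of two providers. The provider names, the "type:ALG" algorithm labels and the query syntax "provider=NAME" / "?provider=NAME" are assumptions made for illustration; only the mandatory-versus-optional behaviour is what OpenSSL's property queries actually implement.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of OpenSSL 3.0 property-query resolution. It is not
 * OpenSSL's code; it only reproduces the rule the cover letter relies on:
 * a mandatory property ("provider=xkey") must be satisfied or the lookup
 * fails, while an optional one ("?provider=xkey") is preferred but falls
 * back to any other provider that offers the algorithm. */

#define MAX_ALGS 8

struct provider {
    const char *name;
    const char *algorithms[MAX_ALGS];   /* NULL-terminated list */
};

/* Constructed registry: the default provider offers everything; "xkey"
 * offers only the two operation types the cover letter says the built-in
 * provider implements. Algorithm labels are illustrative, not OpenSSL's. */
static const struct provider registry[] = {
    { "default", { "keymgmt:RSA", "signature:RSA", "cipher:AES-256-GCM",
                   "digest:SHA256", NULL } },
    { "xkey",    { "keymgmt:RSA", "signature:RSA", NULL } },
};
#define REGISTRY_LEN (sizeof(registry) / sizeof(registry[0]))

static bool provider_offers(const struct provider *p, const char *alg)
{
    for (size_t i = 0; i < MAX_ALGS && p->algorithms[i] != NULL; i++) {
        if (strcmp(p->algorithms[i], alg) == 0) {
            return true;
        }
    }
    return false;
}

/* Resolve 'alg' under a property query of the form "provider=NAME"
 * (mandatory) or "?provider=NAME" (optional). Returns the name of the
 * provider that would serve the operation, or NULL when the query cannot
 * be satisfied. A NULL or empty query means "any provider". */
const char *resolve_provider(const char *alg, const char *propq)
{
    bool optional = false;
    const char *wanted = NULL;

    if (propq != NULL && propq[0] == '?') {
        optional = true;
        propq++;
    }
    if (propq != NULL && strncmp(propq, "provider=", 9) == 0) {
        wanted = propq + 9;
    }

    /* First choice: the named provider, but only if it offers 'alg'. */
    if (wanted != NULL) {
        for (size_t i = 0; i < REGISTRY_LEN; i++) {
            if (strcmp(registry[i].name, wanted) == 0
                && provider_offers(&registry[i], alg)) {
                return registry[i].name;
            }
        }
        if (!optional) {
            return NULL;   /* mandatory property unsatisfied: operation fails */
        }
    }

    /* Optional property could not be honoured (or no property given): take
     * the first provider that offers the algorithm, i.e. the default one. */
    for (size_t i = 0; i < REGISTRY_LEN; i++) {
        if (provider_offers(&registry[i], alg)) {
            return registry[i].name;
        }
    }
    return NULL;
}

int main(void)
{
    const char *algs[] = { "signature:RSA", "cipher:AES-256-GCM", "digest:SHA256" };
    const char *queries[] = { "?provider=xkey", "provider=xkey" };

    for (size_t q = 0; q < 2; q++) {
        for (size_t a = 0; a < 3; a++) {
            const char *who = resolve_provider(algs[a], queries[q]);
            printf("%-16s %-20s -> %s\n", queries[q], algs[a],
                   who != NULL ? who : "(unavailable)");
        }
    }
    return 0;
}
```

With the optional query the signing operation lands in "xkey" while the cipher and digest keep resolving to "default"; with the mandatory form the cipher and digest lookups fail outright, which is why the series specifies the property string as optional. The flip side of that choice is worth keeping in mind when reviewing xkey_provider.c: under an optional query the custom provider is preferred for every algorithm it registers, so a provider meant only to intercept signing should register nothing beyond keymgmt and signature. In OpenSSL 3.0 itself (not shown by the cover letter, stated here from the library's public API) the property string is passed when the context is created with SSL_CTX_new_ex() and a built-in provider is registered with OSSL_PROVIDER_add_builtin() and activated with OSSL_PROVIDER_load().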