Message-ID: <1518302884.3072.1.camel@HansenPartnership.com>
From: James Bottomley
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 10 Feb 2018 14:48:04 -0800
Subject: [Openvpn-devel] [PATCH v4 0/2] add engine keys

Engine keys are an openssl concept for a key file which can only be understood by an engine (usually because it's been wrapped by the engine itself). We use this for TPM engine keys, so you can either generate them within your TPM or wrap them from existing private keys. Once wrapped, the keys will only function in the TPM that generated them, so it means the VPN keys are tied to the physical platform, which is very useful.

Engine keys have to be loaded via a specific callback, so use this as a fallback in openvpn if an engine is specified and if the PEM read of the private key fails.

Adding a unit test for this type of key proved particularly problematic: there's apparently no simple engine you can use to check the functionality, so after a bit of googling, I just wrote one as part of the test. You can see that the unit test converts an existing key to engine format (which is simply changing the PEM guards), tries to start openvpn with the key and verifies that the engine methods are called and the password correctly retrieved.

To make the test simple, it relies on openssl detecting a mismatch between the certificate and the key after the key has been loaded rather than going on to bring up an openvpn loop, but I think that's sufficient to test out the engine patch fully.

James Bottomley (2):
  openssl: add engine method for loading the key
  Add unit tests for engine keys

 configure.ac                                     |   2 +
 src/openvpn/crypto_openssl.c                     |  54 ++++++++++++
 src/openvpn/crypto_openssl.h                     |  12 +++
 src/openvpn/ssl_openssl.c                        |   6 +-
 tests/unit_tests/Makefile.am                     |   6 +-
 tests/unit_tests/engine-key/Makefile.am          |  14 ++++
 tests/unit_tests/engine-key/check_engine_keys.sh |  30 +++++++
 tests/unit_tests/engine-key/libtestengine.c      | 102 +++++++++++++++++++++++
 tests/unit_tests/engine-key/openssl.cnf          |  12 +++
 9 files changed, 236 insertions(+), 2 deletions(-)
 create mode 100644 tests/unit_tests/engine-key/Makefile.am
 create mode 100755 tests/unit_tests/engine-key/check_engine_keys.sh
 create mode 100644 tests/unit_tests/engine-key/libtestengine.c
 create mode 100644 tests/unit_tests/engine-key/openssl.cnf