From patchwork Wed Sep 22 11:12:51 2021
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 1966
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 22 Sep 2021 17:12:51 -0400
Message-Id: <20210922211254.7570-7-selva.nair@gmail.com>
In-Reply-To: <20210922211254.7570-1-selva.nair@gmail.com>
References: <20210922211254.7570-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 6/9] A helper function to load key for management-external-key

From: Selva Nair

- A wrapper around the keymgmt import of xkey provider
- When the provider is available, use this to set SSL_CTX_use_PrivateKey for management-external-key

sign_op is not implemented yet. This will error out while signing with --management-external-key. The next commit fixes that.
Signed-off-by: Selva Nair --- src/openvpn/Makefile.am | 1 + src/openvpn/ssl_openssl.c | 10 ++++ src/openvpn/xkey_common.h | 11 +++++ src/openvpn/xkey_helper.c | 96 +++++++++++++++++++++++++++++++++++++++ 4 files changed, 118 insertions(+) create mode 100644 src/openvpn/xkey_helper.c diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am index 432efe73..0331298b 100644 --- a/src/openvpn/Makefile.am +++ b/src/openvpn/Makefile.am @@ -129,6 +129,7 @@ openvpn_SOURCES = \ tun.c tun.h \ vlan.c vlan.h \ xkey_provider.c xkey_common.h \ + xkey_helper.c \ win32.h win32.c \ win32-util.h win32-util.c \ cryptoapi.h cryptoapi.c diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 61256620..b9453653 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1450,6 +1450,14 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) EVP_PKEY *pkey = X509_get0_pubkey(cert); ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */ +#ifdef HAVE_XKEY_PROVIDER + EVP_PKEY *privkey = xkey_load_management_key(NULL, pkey); + if (!privkey + || !SSL_CTX_use_PrivateKey(ctx->ctx, privkey)) + { + goto cleanup; + } +#else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) { if (!tls_ctx_use_external_rsa_key(ctx, pkey)) @@ -1478,6 +1486,8 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) } #endif /* OPENSSL_VERSION_NUMBER > 1.1.0 dev && !defined(OPENSSL_NO_EC) */ +#endif /* HAVE_XKEY_PROVIDER */ + ret = 0; cleanup: if (ret) diff --git a/src/openvpn/xkey_common.h b/src/openvpn/xkey_common.h index 466b2b8d..751f18a0 100644 --- a/src/openvpn/xkey_common.h +++ b/src/openvpn/xkey_common.h 
@@ -82,4 +82,15 @@ typedef int (XKEY_EXTERNAL_SIGN_fn)(void *handle, unsigned char *sig, size_t *si */ typedef void (XKEY_PRIVKEY_FREE_fn)(void *handle); +/** + * Generate an encapsulated EVP_PKEY for management-external-key + * + * @param libctx library context in which xkey provider has been loaded + * @param pubkey corresponding pubkey in the default provider's context + * + * @returns a new EVP_PKEY in the provider's keymgmt context. + * The pubkey is up-refd if retained -- the caller can free it after return + */ +EVP_PKEY *xkey_load_management_key(OSSL_LIB_CTX *libctx, EVP_PKEY *pubkey); + #endif /* XKEY_PUBLIC_H_ */ diff --git a/src/openvpn/xkey_helper.c b/src/openvpn/xkey_helper.c new file mode 100644 index 00000000..aa9f23b8 --- /dev/null +++ b/src/openvpn/xkey_helper.c 
@@ -0,0 +1,96 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2021 Selva Nair + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifdef HAVE_CONFIG_H +#include +#elif defined(_MSC_VER) +#include "config-msvc.h" +#endif + +#ifdef HAVE_XKEY_PROVIDER + +#include "syshead.h" +#include "error.h" +#include "buffer.h" +#include "xkey_common.h" + +#include +#include +#include +#include +#include +#include +#include +#include + +static const char *const props = XKEY_PROV_PROPS; + +XKEY_EXTERNAL_SIGN_fn xkey_management_sign; + +/** + * Load external key for signing via management interface. + * The public key must be passed in by the caller as we may not + * be able to get it from the management. + * Returns an EVP_PKEY object attached to xkey provider. + * Caller must free it when no longer needed. + */ +EVP_PKEY * +xkey_load_management_key(OSSL_LIB_CTX *libctx, EVP_PKEY *pubkey) +{ + EVP_PKEY *pkey = NULL; + ASSERT(pubkey); + + /* Management interface doesnt require any handle to be + * stored in the key. We use a dummy pointer as we do need a + * non-NULL value to indicate private key is avaialble. 
+ */ + void *dummy = & "dummy"; + + const char *origin = "management"; + XKEY_EXTERNAL_SIGN_fn *sign_op = xkey_management_sign; + + /* UTF8 string pointers in here are only read from, so cast is safe */ + OSSL_PARAM params[] = { + {"origin", OSSL_PARAM_UTF8_STRING, (char *) origin, 0, 0}, + {"pubkey", OSSL_PARAM_OCTET_STRING, &pubkey, sizeof(pubkey), 0}, + {"handle", OSSL_PARAM_OCTET_PTR, &dummy, sizeof(dummy), 0}, + {"sign_op", OSSL_PARAM_OCTET_PTR, (void **) &sign_op, sizeof(sign_op), 0}, + {NULL, 0, NULL, 0, 0}}; + + EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pubkey, props); + EVP_PKEY_fromdata_init(ctx); + EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params); + + return pkey; +} + +/* not yet implemented */ +int +xkey_management_sign(void *unused, unsigned char *sig, size_t *siglen, + const unsigned char *tbs, size_t tbslen, XKEY_SIGALG alg) +{ + msg(M_FATAL, "FATAL ERROR: A sign callback for this key is not implemented."); + return 0; +} + +#endif /* HAVE_XKEY_PROVIDER */
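Review bot: in the HAVE_XKEY_PROVIDER branch of tls_ctx_use_management_external_key() (ssl_openssl.c, hunk @@ -1450), the EVP_PKEY returned by xkey_load_management_key() is never released: SSL_CTX_use_PrivateKey() takes its own reference, and the new xkey_common.h comment says the caller must free the key, so `privkey` leaks on the success path as well as on `goto cleanup`. Suggest calling `EVP_PKEY_free(privkey)` immediately after `SSL_CTX_use_PrivateKey(ctx->ctx, privkey)` on both paths (it is NULL-safe), and emitting a log message before the `goto cleanup` so a failed key import is diagnosed rather than failing silently.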
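Review bot: the doc comment added in xkey_common.h (hunk @@ -82) should state what a NULL `libctx` means, because the only caller in this patch passes NULL (`xkey_load_management_key(NULL, pkey)` in ssl_openssl.c). If NULL selects the default library context, say so and note that the xkey provider must already be loaded there and be selectable through XKEY_PROV_PROPS, otherwise the import fails; e.g. `@param libctx library context in which xkey provider has been loaded (NULL for the default context)`.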
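Review bot: xkey_load_management_key() in the new xkey_helper.c leaks the EVP_PKEY_CTX and checks none of the OpenSSL return values. `EVP_PKEY_CTX_new_from_pkey(libctx, pubkey, props)` returns NULL when no keymgmt matching `props` is available, and `EVP_PKEY_fromdata_init()` / `EVP_PKEY_fromdata()` can fail, yet the function returns `pkey` (NULL in those cases) with no diagnostic and never calls `EVP_PKEY_CTX_free(ctx)`. Suggest checking each call, logging the failure (with the OpenSSL error queue) so the caller's NULL return is explained, and freeing `ctx` before returning. Two smaller points: `void *dummy = & "dummy";` takes the address of a string literal array, which reads oddly for a placeholder handle; a `static` object (or the literal itself) would make the intent clearer, and the preceding comment has typos ("doesnt", "avaialble").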