From patchwork Wed Sep 22 11:12:47 2021
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 1967
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 22 Sep 2021 17:12:47 -0400
Message-Id: <20210922211254.7570-3-selva.nair@gmail.com>
In-Reply-To: <20210922211254.7570-1-selva.nair@gmail.com>
References: <20210922211254.7570-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 2/9] Initialize the xkey provider and use it in SSL context
From: Selva Nair - The provider is loaded during crypto initialization and unloaded in uninit. The SSL server and client context are created with properties indicating preference for this provider. This could be made conditional on use of external keys, but it can't hurt if loaded and used otherwise too. Useful to get the code exercised at least for a period of testing. As the provider is empty, no functionality gets delegated to it as yet. Verb 4 logs with enable-debug will just show the provider_init and teardown called. Signed-off-by: Selva Nair --- src/openvpn/crypto_openssl.c | 19 +++++++++++++++++++ src/openvpn/openssl_compat.h | 12 ++++++++++++ src/openvpn/ssl_openssl.c | 7 +++++-- 3 files changed, 36 insertions(+), 2 deletions(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 419265a5..5d7fa847 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -42,6 +42,7 @@ #include "crypto.h" #include "crypto_backend.h" #include "openssl_compat.h" +#include "xkey_common.h" #include #include @@ -75,6 +76,8 @@ static bool engine_initialized = false; /* GLOBAL */ static ENGINE *engine_persist = NULL; /* GLOBAL */ +static void *xkey_prov; + /* Try to load an engine in a shareable library */ static ENGINE * try_load_engine(const char *engine) @@ -161,6 +164,15 @@ crypto_init_lib(void) OPENSSL_config(NULL); #endif #endif /* _WIN32 */ + +#ifdef HAVE_XKEY_PROVIDER + if (!xkey_prov) + { + OSSL_PROVIDER_add_builtin(NULL, "ovpn.xkey", xkey_provider_init); + xkey_prov = OSSL_PROVIDER_load(NULL, "ovpn.xkey"); + } +#endif + /* * If you build the OpenSSL library and OpenVPN with * CRYPTO_MDEBUG, you will get a listing of OpenSSL @@ -190,6 +202,13 @@ crypto_uninit_lib(void) engine_initialized = false; } #endif +#ifdef HAVE_XKEY_PROVIDER + if (xkey_prov) + { + OSSL_PROVIDER_unload(xkey_prov); + } +#endif + xkey_prov = NULL; } void 
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index ce8e2b36..3dcdde4d 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -718,4 +718,16 @@ SSL_CTX_set_max_proto_version(SSL_CTX *ctx, long tls_ver_max) return 1; } #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(ENABLE_CRYPTO_WOLFSSL) */ + +/** Mimics SSL_CTX_new_ex for OpenSSL < 3 */ +#if OPENSSL_VERSION_NUMBER < 0x30000000L +static inline SSL_CTX * +SSL_CTX_new_ex(void *libctx, const char *propq, const SSL_METHOD *method) +{ + (void) libctx; + (void) propq; + return SSL_CTX_new(method); +} +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + #endif /* OPENSSL_COMPAT_H_ */ diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 241206fb..61256620 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -45,6 +45,7 @@ #include "ssl_common.h" #include "base64.h" #include "openssl_compat.h" +#include "xkey_common.h" #ifdef ENABLE_CRYPTOAPI #include "cryptoapi.h" @@ -109,7 +110,8 @@ tls_ctx_server_new(struct tls_root_ctx *ctx) { ASSERT(NULL != ctx); - ctx->ctx = SSL_CTX_new(SSLv23_server_method()); + const char *propq = "?" XKEY_PROV_PROPS; + ctx->ctx = SSL_CTX_new_ex(NULL, propq, SSLv23_server_method()); if (ctx->ctx == NULL) { @@ -127,7 +129,8 @@ tls_ctx_client_new(struct tls_root_ctx *ctx) { ASSERT(NULL != ctx); - ctx->ctx = SSL_CTX_new(SSLv23_client_method()); + const char *propq = "?" XKEY_PROV_PROPS; + ctx->ctx = SSL_CTX_new_ex(NULL, propq, SSLv23_client_method()); if (ctx->ctx == NULL) {
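Review bot: in the crypto_openssl.c hunk that adds `static void *xkey_prov;`, the declaration sits outside the `#ifdef HAVE_XKEY_PROVIDER` guard that wraps every real use of it, so builds without the provider carry a global that is only ever assigned NULL, and it is typed `void *` although OSSL_PROVIDER_load returns an `OSSL_PROVIDER *`. Move the declaration inside the guard, type it `static OSSL_PROVIDER *xkey_prov;`, and add the `/* GLOBAL */` marker that the neighbouring `engine_initialized` and `engine_persist` statics carry.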
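Review bot: in the crypto_init_lib hunk the return values of `OSSL_PROVIDER_add_builtin` and `OSSL_PROVIDER_load` are never checked, so a failed registration or load is silent: `xkey_prov` stays NULL and, because the SSL_CTX query is the optional `"?" XKEY_PROV_PROPS` form, every fetch quietly falls back to the default provider with no hint in the log. The commit message says nothing is delegated yet, but once external keys do depend on this provider that silence will be a debugging trap; at minimum log it, e.g. `if (!xkey_prov) { msg(M_WARN, "Failed to load the ovpn.xkey provider"); }`, and decide whether it should be fatal when external keys are configured.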
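Review bot: in the crypto_uninit_lib hunk the trailing `xkey_prov = NULL;` is placed after the `#endif`, outside both the `HAVE_XKEY_PROVIDER` guard and the `if (xkey_prov)` block, so it is compiled into every build and is visually detached from the unload it belongs to. Put the reset directly after `OSSL_PROVIDER_unload(xkey_prov);` inside the same block, which also keeps the symbol entirely within the guard if the declaration is moved there too.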
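Review bot: the `SSL_CTX_new_ex` shim added to openssl_compat.h silently discards `propq`, which is harmless for a preference query beginning with `?` but would make a mandatory query (one without `?`) behave differently on OpenSSL 1.1 than on 3.x, where it restricts algorithm selection. The doc comment should state that, e.g. `/** Mimics SSL_CTX_new_ex for OpenSSL < 3: libctx and propq are ignored */`, so a future caller does not rely on the query being honoured.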
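Review bot: in the tls_ctx_server_new hunk (and identically in tls_ctx_client_new) the line `const char *propq = "?" XKEY_PROV_PROPS;` is unguarded, so it compiles only if xkey_common.h defines `XKEY_PROV_PROPS` in every configuration, including builds where `HAVE_XKEY_PROVIDER` is not set and OpenSSL < 3 builds that go through the compat shim; please confirm that is the case or guard the lines. The string is also duplicated verbatim in both functions, so hoisting it into a single `static const char *` in ssl_openssl.c (or a macro in xkey_common.h) would keep server and client from drifting apart. Keep the leading `?`: a property query on the SSL_CTX applies to every algorithm fetched through it, not just signing, so a non-optional query would exclude default-provider ciphers and digests.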