From patchwork Tue Dec 14 05:59:23 2021
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 14 Dec 2021 11:59:23 -0500
Message-Id: <20211214165928.30676-14-selva.nair@gmail.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20211214165928.30676-1-selva.nair@gmail.com>
References: <20211214165928.30676-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH v3 13/18] Add a generic key loading helper function for xkey provider

From: Selva Nair

- Load keys by specifying the opaque private key handle, public key, sign-op and free-op required for loading keys from Windows store and pkcs11.
- xkey_load_management_key is refactored to use the new function
- Also make xkey_digest non-static

Used in following commits to load CNG and pkcs11 keys
Signed-off-by: Selva Nair
Acked-By: Arne Schwabe
---
 src/openvpn/xkey_common.h | 35 +++++++++++++++++++++++++++++++++++
 src/openvpn/xkey_helper.c | 37 +++++++++++++++++++++++++++++++------
 2 files changed, 66 insertions(+), 6 deletions(-)

diff --git a/src/openvpn/xkey_common.h b/src/openvpn/xkey_common.h
index c04c9c5c..e2ddc178 100644
--- a/src/openvpn/xkey_common.h
+++ b/src/openvpn/xkey_common.h
@@ -116,6 +116,41 @@ bool encode_pkcs1(unsigned char *enc, size_t *enc_len, const char *mdname, const unsigned char *tbs, size_t tbslen); +/** + * Compute message digest + * + * @param src pointer to message to be hashed + * @param srclen length of data in bytes + * @param buf pointer to output buffer + * @param buflen *buflen = capacity in bytes of output buffer + * @param mdname name of the hash algorithm (SHA256, SHA1 etc.) + * + * @return false on error, true on success + * + * On successful return *buflen is set to the actual size of the result. + * TIP: EVP_MD_MAX_SIZE should be enough capacity of buf for al algorithms. + */ +int +xkey_digest(const unsigned char *src, size_t srclen, unsigned char *buf, + size_t *buflen, const char *mdname); + +/** + * Load a generic external key with custom sign and free ops + * + * @param libctx library context in which xkey provider has been loaded + * @param handle an opaque handle to the backend -- passed to alll callbacks + * @param pubkey corresponding pubkey in the default provider's context + * @param sign_op private key signature operation to callback + * @param sign_op private key signature operation to callback + * + * @returns a new EVP_PKEY in the provider's keymgmt context. + * IMPORTANT: a reference to the handle is retained by the provider and + * relased by callng free_op. The caller should not free it. + */ +EVP_PKEY * +xkey_load_generic_key(OSSL_LIB_CTX *libctx, void *handle, EVP_PKEY *pubkey, + XKEY_EXTERNAL_SIGN_fn sign_op, XKEY_PRIVKEY_FREE_fn free_op); + #endif /* HAVE_XKEY_PROVIDER */ #endif /* XKEY_COMMON_H_ */ diff --git a/src/openvpn/xkey_helper.c b/src/openvpn/xkey_helper.c index d09ad635..19de64ff 100644 --- a/src/openvpn/xkey_helper.c +++ b/src/openvpn/xkey_helper.c 
@@ -50,8 +50,18 @@ static const char *const props = XKEY_PROV_PROPS; XKEY_EXTERNAL_SIGN_fn xkey_management_sign; +static void +print_openssl_errors() +{ + unsigned long e; + while ((e = ERR_get_error())) + { + msg(M_WARN, "OpenSSL error %lu: %s\n", e, ERR_error_string(e, NULL)); + } +} + /** helper to compute digest */ -static int +int xkey_digest(const unsigned char *src, size_t srclen, unsigned char *buf, size_t *buflen, const char *mdname) { 
@@ -85,24 +95,38 @@ xkey_digest(const unsigned char *src, size_t srclen, unsigned char *buf, EVP_PKEY * xkey_load_management_key(OSSL_LIB_CTX *libctx, EVP_PKEY *pubkey) { - EVP_PKEY *pkey = NULL; ASSERT(pubkey); - /* Management interface doesnt require any handle to be + /* Management interface doesn't require any handle to be * stored in the key. We use a dummy pointer as we do need a * non-NULL value to indicate private key is avaialble. */ void *dummy = & "dummy"; - const char *origin = "management"; XKEY_EXTERNAL_SIGN_fn *sign_op = xkey_management_sign; + return xkey_load_generic_key(libctx, dummy, pubkey, sign_op, NULL); +} + +/** + * Load a generic key into the xkey provider. + * Returns an EVP_PKEY object attached to xkey provider. + * Caller must free it when no longer needed. + */ +EVP_PKEY * +xkey_load_generic_key(OSSL_LIB_CTX *libctx, void *handle, EVP_PKEY *pubkey, + XKEY_EXTERNAL_SIGN_fn sign_op, XKEY_PRIVKEY_FREE_fn free_op) +{ + EVP_PKEY *pkey = NULL; + const char *origin = "external"; + /* UTF8 string pointers in here are only read from, so cast is safe */ OSSL_PARAM params[] = { {"xkey-origin", OSSL_PARAM_UTF8_STRING, (char *) origin, 0, 0}, {"pubkey", OSSL_PARAM_OCTET_STRING, &pubkey, sizeof(pubkey), 0}, - {"handle", OSSL_PARAM_OCTET_PTR, &dummy, sizeof(dummy), 0}, + {"handle", OSSL_PARAM_OCTET_PTR, &handle, sizeof(handle), 0}, {"sign_op", OSSL_PARAM_OCTET_PTR, (void **) &sign_op, sizeof(sign_op), 0}, + {"free_op", OSSL_PARAM_OCTET_PTR, (void **) &free_op, sizeof(free_op), 0}, {NULL, 0, NULL, 0, 0}}; /* Do not use EVP_PKEY_new_from_pkey as that will take keymgmt from pubkey */ @@ -111,7 +135,8 @@ xkey_load_management_key(OSSL_LIB_CTX *libctx, EVP_PKEY *pubkey) || EVP_PKEY_fromdata_init(ctx) != 1 || EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) != 1) { - msg(M_NONFATAL, "Error loading key into ovpn.xkey provider"); + print_openssl_errors(); + msg(M_FATAL, "OpenSSL error: failed to load key into ovpn.xkey provider"); } if (ctx) {
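Review bot: In the xkey_common.h hunk, the doc comment for xkey_load_generic_key lists `@param sign_op` twice; the second entry should be `@param free_op`, describing the callback the provider invokes to release `handle`, and it should say whether NULL is permitted (xkey_load_management_key in the xkey_helper.c hunk passes NULL for it, so the provider side must tolerate that). The same comment block has typos worth fixing before merge: "alll" -> "all", "relased by callng" -> "released by calling", and in the xkey_digest comment "al algorithms" -> "all algorithms". Separately, the xkey_digest prototype returns `int` while its comment promises "false on error, true on success"; either make the return type `bool` or word the comment in terms of 1/0 so callers do not compare against `true`.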
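Review bot: In the `@@ -50,8 +50,18 @@` hunk, `static void print_openssl_errors()` should be declared as `print_openssl_errors(void)`; in C an empty parameter list is an old-style declaration that lets stray arguments through unchecked. The same function calls `ERR_error_string(e, NULL)`, which formats into a static buffer shared across threads; prefer `ERR_error_string_n(e, buf, sizeof(buf))` into a local `char buf[256]`. Finally, the format string ends in `"\n"`, whereas the other `msg()` calls in this file (for example `msg(M_NONFATAL, "Error loading key into ovpn.xkey provider")` in the last hunk) carry no trailing newline, so this one will likely produce a blank line in the log.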
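Review bot: In the `@@ -85,24 +95,38 @@` hunk, the refactor changes the `"xkey-origin"` value passed for the management key from `"management"` to the hard-coded `"external"` inside xkey_load_generic_key; if anything in the provider or in later patches distinguishes keys by origin, the management key is no longer identifiable, so either keep `origin` as a parameter of the generic helper or confirm the string is informational only. Two smaller points: xkey_load_management_key declares `XKEY_EXTERNAL_SIGN_fn *sign_op` while the new function takes `XKEY_EXTERNAL_SIGN_fn sign_op`, and both should use the same spelling for the function-pointer type; and the new function's comment says "Caller must free it when no longer needed", which reads as if the handle is meant too, whereas the header comment says the handle is retained by the provider and released through free_op, so clarify that only the returned EVP_PKEY is the caller's to free.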
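Review bot: In the `@@ -111,7 +135,8 @@` hunk, changing `M_NONFATAL` to `M_FATAL` is a behaviour change that the commit message does not mention: a failure in EVP_PKEY_fromdata_init/EVP_PKEY_fromdata now terminates the process rather than returning NULL to the caller, which matters once this helper is shared by the Windows store and pkcs11 loaders. If aborting is intended, say so in the commit message and note that the `if (ctx)` cleanup that follows is never reached on the error path; otherwise keep the non-fatal message, keep the new `print_openssl_errors()` call (draining the error queue there is a good addition), and return NULL so callers can decide.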