From patchwork Tue Dec 14 05:59:11 2021
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 2174
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 14 Dec 2021 11:59:11 -0500
Message-Id: <20211214165928.30676-2-selva.nair@gmail.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20211214165928.30676-1-selva.nair@gmail.com>
References: <20211214165928.30676-1-selva.nair@gmail.com>
MIME-Version: 1.0
Subject: [Openvpn-devel] [PATCH v3 01/18] A built-in provider for using external key with OpenSSL 3.0
From: Selva Nair Hooking into callbacks in RSA_METHOD and EVP_PKEY_METHOD structures is deprecated in OpenSSL 3.0. For signing with external keys that are not exportable (tokens, stores, etc.) requires a custom provider interface so that key operations are done under its context. A single provider is enough for handling all external keys we support -- management-external-key, cryptoapicert(CNG) and pkcs11-helper. The series of patches starting with this implement such a provider. This patch implements only the provider_init function so that it can be loaded, but has no capabilities. The required interfaces are added in following commits. v2 changes: - Require OpenSSL 3.0.1 or newer: 3.0.0 is "buggy" as it does not preferentially fetch operations from the keymgmt of the key. This causes either an unsuccessful attempt at exporting unexportable keys or an onerous requirement that the external key's KEYMGMT should support a whole lot of unrelated functionalities including key generation and key exchange. Fixed by PR #16725 in OpenSSL. - Use a child libctx for internal use in the provider v3 changes: - Move OpenSSL version check for 3.0.1+ from configure to xkey_common.h Signed-off-by: Selva Nair Acked-By: Arne Schwabe --- src/openvpn/Makefile.am | 1 + src/openvpn/xkey_common.h | 45 ++++++++++ src/openvpn/xkey_provider.c | 169 ++++++++++++++++++++++++++++++++++++ 3 files changed, 215 insertions(+) create mode 100644 src/openvpn/xkey_common.h create mode 100644 src/openvpn/xkey_provider.c diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am index 5883c291..432efe73 100644 --- a/src/openvpn/Makefile.am +++ b/src/openvpn/Makefile.am @@ -128,6 +128,7 @@ openvpn_SOURCES = \ tls_crypt.c tls_crypt.h \ tun.c tun.h \ vlan.c vlan.h \ + xkey_provider.c xkey_common.h \ win32.h win32.c \ win32-util.h win32-util.c \ cryptoapi.h cryptoapi.c diff --git a/src/openvpn/xkey_common.h b/src/openvpn/xkey_common.h new file mode 100644 index 00000000..a3bc3f2a --- /dev/null 
+++ b/src/openvpn/xkey_common.h @@ -0,0 +1,45 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2021 Selva Nair + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by the + * Free Software Foundation, either version 2 of the License, + * or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifndef XKEY_COMMON_H_ +#define XKEY_COMMON_H_ + +#include +#if OPENSSL_VERSION_NUMBER >= 0x30000010L && !defined(DISABLE_XKEY_PROVIDER) +#define HAVE_XKEY_PROVIDER 1 + +#include +#include + +/** + * Initialization function for OpenVPN external key provider for OpenSSL + * Follows the function signature of OSSL_PROVIDER init() + */ +OSSL_provider_init_fn xkey_provider_init; + +#define XKEY_PROV_PROPS "provider=ovpn.xkey" + +#endif /* HAVE_XKEY_PROVIDER */ + +#endif /* XKEY_COMMON_H_ */ diff --git a/src/openvpn/xkey_provider.c b/src/openvpn/xkey_provider.c new file mode 100644 index 00000000..d47faf0a --- /dev/null +++ b/src/openvpn/xkey_provider.c 
@@ -0,0 +1,169 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2021 Selva Nair + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by the + * Free Software Foundation, either version 2 of the License, + * or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifdef HAVE_CONFIG_H +#include +#elif defined(_MSC_VER) +#include "config-msvc.h" +#endif + +#include "syshead.h" +#include "error.h" +#include "buffer.h" +#include "xkey_common.h" + +#ifdef HAVE_XKEY_PROVIDER + +#include +#include +#include +#include +#include +#include +#include +#include + +/* A descriptive name */ +static const char *provname = "OpenVPN External Key Provider"; + +typedef struct +{ + OSSL_LIB_CTX *libctx; /**< a child libctx for our own use */ +} XKEY_PROVIDER_CTX; + +/* helper to print debug messages */ +#define xkey_dmsg(f, ...) 
\ + do { \ + dmsg(f|M_NOLF, "xkey_provider: In %s: ", __func__); \ + dmsg(f|M_NOPREFIX, __VA_ARGS__); \ + } while(0) + +/* main provider interface */ + +/* provider callbacks we implement */ +static OSSL_FUNC_provider_query_operation_fn query_operation; +static OSSL_FUNC_provider_gettable_params_fn gettable_params; +static OSSL_FUNC_provider_get_params_fn get_params; +static OSSL_FUNC_provider_teardown_fn teardown; + +static const OSSL_ALGORITHM * +query_operation(void *provctx, int op, int *no_store) +{ + xkey_dmsg(D_LOW, "op = %d", op); + + *no_store = 0; + + switch (op) + { + case OSSL_OP_SIGNATURE: + return NULL; + + case OSSL_OP_KEYMGMT: + return NULL; + + default: + xkey_dmsg(D_LOW, "op not supported"); + break; + } + return NULL; +} + +static const OSSL_PARAM * +gettable_params(void *provctx) +{ + xkey_dmsg(D_LOW, "entry"); + + static const OSSL_PARAM param_types[] = { + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0), + OSSL_PARAM_END + }; + + return param_types; +} +static int +get_params(void *provctx, OSSL_PARAM params[]) +{ + OSSL_PARAM *p; + + xkey_dmsg(D_LOW, "entry"); + + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME); + if (p) + { + return (OSSL_PARAM_set_utf8_ptr(p, provname) != 0); + } + + return 0; +} + +static void +teardown(void *provctx) +{ + xkey_dmsg(D_LOW, "entry"); + + XKEY_PROVIDER_CTX *prov = provctx; + if (prov && prov->libctx) + { + OSSL_LIB_CTX_free(prov->libctx); + } + OPENSSL_free(prov); +} + +static const OSSL_DISPATCH dispatch_table[] = { + {OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void)) gettable_params}, + {OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void)) get_params}, + {OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void)) query_operation}, + {OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void)) teardown}, + {0, NULL} +}; + +int +xkey_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in, + const OSSL_DISPATCH **out, void **provctx) +{ + XKEY_PROVIDER_CTX *prov; + + xkey_dmsg(D_LOW, 
"entry"); + + prov = OPENSSL_zalloc(sizeof(*prov)); + if (!prov) + { + msg(M_NONFATAL, "xkey_provider_init: out of memory"); + return 0; + } + + /* Make a child libctx for our use and set default prop query + * on it to ensure calls we delegate won't loop back to us. + */ + prov->libctx = OSSL_LIB_CTX_new_child(handle, in); + + EVP_set_default_properties(prov->libctx, "provider!=ovpn.xkey"); + + *out = dispatch_table; + *provctx = prov; + + return 1; +} + +#endif /* HAVE_XKEY_PROVIDER */
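Review bot: in the xkey_common.h hunk, the version gate `#if OPENSSL_VERSION_NUMBER >= 0x30000010L` carries no explanation of why 3.0.1 rather than 3.0.0 is required. Since v3 moved this check out of configure and into the header, the reasoning from the commit message (3.0.0 does not preferentially fetch operations from the key's own keymgmt, fixed by OpenSSL PR #16725) should sit in a comment beside the `#if`, otherwise a later reader will be tempted to relax it to 0x30000000L. Likewise `#define XKEY_PROV_PROPS "provider=ovpn.xkey"` only selects this provider if "ovpn.xkey" is exactly the name it is later registered under with OSSL_PROVIDER_add_builtin / OSSL_PROVIDER_load; that coupling deserves a one-line comment next to the define.

Review bot: in the xkey_provider.c hunk, `xkey_provider_init` does not check the return value of `OSSL_LIB_CTX_new_child(handle, in)`. If it returns NULL, the following `EVP_set_default_properties(prov->libctx, "provider!=ovpn.xkey")` runs with a NULL libctx, which OpenSSL treats as the default library context, so the exclusion is applied globally rather than to the child context, and init still returns 1 with a provider whose delegated calls can loop back into itself. Suggest `if (!prov->libctx) { OPENSSL_free(prov); return 0; }` and checking the int returned by EVP_set_default_properties too. Separately, `get_params` returns 0 whenever OSSL_PROV_PARAM_NAME is absent from the requested array; provider convention is to leave unrecognised params untouched and return 1, reserving 0 for a failed OSSL_PARAM_set_*, otherwise a query for only OSSL_PROV_PARAM_VERSION reports failure. Minor style point: a blank line is missing between `gettable_params` and `get_params`.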