From patchwork Tue Dec 14 05:59:17 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Selva Nair X-Patchwork-Id: 2175 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director14.mail.ord1d.rsapps.net ([172.27.255.55]) by backend41.mail.ord1d.rsapps.net with LMTP id 6LYwNefNuGHTWAAAqwncew (envelope-from ) for ; Tue, 14 Dec 2021 12:01:27 -0500 Received: from proxy20.mail.iad3a.rsapps.net ([172.27.255.55]) by director14.mail.ord1d.rsapps.net with LMTP id MPqwGujNuGHfewAAeJ7fFg (envelope-from ) for ; Tue, 14 Dec 2021 12:01:28 -0500 Received: from smtp3.gate.iad3a ([172.27.255.55]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy20.mail.iad3a.rsapps.net with LMTPS id uE7lE+jNuGEUGQAAtfLT2w (envelope-from ) for ; Tue, 14 Dec 2021 12:01:28 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp3.gate.iad3a.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=gmail.com; dmarc=fail (p=none; dis=none) header.from=gmail.com X-Suspicious-Flag: YES X-Classification-ID: 79b3b442-5cff-11ec-a14c-525400af4d07-1-1 Received: from [216.105.38.7] ([216.105.38.7:49108] helo=lists.sourceforge.net) by smtp3.gate.iad3a.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 79/51-02819-7EDC8B16; Tue, 14 Dec 2021 12:01:27 -0500 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1mxB9q-00026n-LU; Tue, 14 Dec 2021 17:00:06 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1mxB9n-00026b-Rn for openvpn-devel@lists.sourceforge.net; Tue, 14 Dec 2021 17:00:03 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=fy+zJsosYhr4I7fCorvtm7lv9vJ9PG/xon7sXTQ3GjM=; b=Xvh9ln1WqDgWV4LQ4cmqGpNeQR CKAFSrWzg76L3orF/eTaOjW6940Hh1dHU0lYNDvn1UTbOtFoAuuvjmdK3P3xwd7+zjRkorWJNdIiT Nn43Gt5QNfKFEi9K+12cOOjmcHQJeCm/igJsN9+RwSCz6TQlgSwtdkTet8vZJTXwamCc=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=fy+zJsosYhr4I7fCorvtm7lv9vJ9PG/xon7sXTQ3GjM=; b=ObolN2dF+YewWPVkH00wb+quiF lq4ciX2vI35Sru2x93GkDnitapkGS8SoAcDgYYRxw+9SEt7tuaCNm4orXf1K8sZrODCn5HYildwu+ U/W11GlxGv0+kRmHmlM7pRCh8eTJB5AS1OakvzhY8PCRzM76zpyYxNLdt8f9311Vuv4g=; Received: from mail-io1-f42.google.com ([209.85.166.42]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92.3) id 1mxB9m-0000b7-5L for openvpn-devel@lists.sourceforge.net; Tue, 14 Dec 2021 17:00:03 +0000 Received: by mail-io1-f42.google.com with SMTP id z18so25333434iof.5 for ; Tue, 14 Dec 2021 09:00:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=fy+zJsosYhr4I7fCorvtm7lv9vJ9PG/xon7sXTQ3GjM=; b=Sl8/+CxOFpUKwR5GxFC1vknUGnIQrEvSVTAnRGtGM7CROfGgw07xpQJ/8H6anCfGYh LjqZGLY3C4gRpEKJEGoYQVUKr0rsRVx2a6W64HFO+A2Z++sTmV8+8gY0IVJHJHAt4Kyq gylFRsZeXRs6N4fLHvt1or6p5XMyhnpDo6kmIjyTEj3TJegohxY5NvxRmGdk+yaM4eyS RAhP9W2yyIMsm6pHoNutj1OOVagINPVy2blGUjQzER3Ts+YVgG3pZX5Xuq6wVLaQRixK tBG0SWZoH9H1agixy90fFxFrFklOCPt6DRDBXinUMLtyU0HPb5nqPqQpBuVv3x9/niYr m8Wg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=fy+zJsosYhr4I7fCorvtm7lv9vJ9PG/xon7sXTQ3GjM=; b=neqzTLsNr9PhiRc8SCGGuQEtGWan5BOf3LnmAc8bRZvhUngH3E2ObrnD76gfJaDzRf Mq0ph5X0os6GLJfAo5Lb9zb2sfg0UpihSWQMoCS/sI/SPytHS4dGzbDMcruOpLcZpRgc AgJoqj5T46FcujdJKvELVq4rZBrn4jfFr8adBlxpWhMhy02ITRkH3Me/AqP+u4u7Zcie Q1anjoHnBKQVY2xjrbd/7issp06jSpR5oj6mdejTXc7Di6MPCW7GECTGhJkPrbZXJkph GUqNAyH50dCa5lU4opRo6QokocAsKbppBvwoSFC0IvExhPkSzZirHM8rOjskWbzvTa9f segw== X-Gm-Message-State: AOAM533WzIuJavtu82MeLkyaMIH474XJMf14eT9B87vdEdqierdhgkM9 /j4itPpwAjskLykSZRrLZx3/Zau2NvU= X-Google-Smtp-Source: ABdhPJzRuvGdh3MuRvtjemmjseCdlL2PxCdGa0eeCllRHyuLKGyuK0BkhiyzYja/acLoghQPnZ3N8A== X-Received: by 2002:a05:6638:378e:: with SMTP id w14mr3642313jal.219.1639501196083; Tue, 14 Dec 2021 08:59:56 -0800 (PST) Received: from uranus.home.sansel.ca (bras-vprn-tnhlon4053w-lp130-02-70-51-223-8.dsl.bell.ca. [70.51.223.8]) by smtp.gmail.com with ESMTPSA id e9sm178778ilm.44.2021.12.14.08.59.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Dec 2021 08:59:55 -0800 (PST) From: selva.nair@gmail.com To: openvpn-devel@lists.sourceforge.net Date: Tue, 14 Dec 2021 11:59:17 -0500 Message-Id: <20211214165928.30676-8-selva.nair@gmail.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211214165928.30676-1-selva.nair@gmail.com> References: <20211214165928.30676-1-selva.nair@gmail.com> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Selva Nair - Add a function to set as sign_op during key import. The function passes the signature request to management interface, and returns the result to the provider. v2 changes: Method to do digest added to match the changes in the provider signature callback. TODO: - Allow passing the undigested message to management interface - Add pkcs1 DigestInfo header when r [...] Content analysis details: (-0.2 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.166.42 listed in list.dnswl.org] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [selva.nair[at]gmail.com] -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.166.42 listed in wl.mailspike.net] -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1mxB9m-0000b7-5L Subject: [Openvpn-devel] [PATCH v3 07/18] Enable signing via provider for management-external-key X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox From: Selva Nair - Add a function to set as sign_op during key import. The function passes the signature request to management interface, and returns the result to the provider. v2 changes: Method to do digest added to match the changes in the provider signature callback. TODO: - Allow passing the undigested message to management interface - Add pkcs1 DigestInfo header when required Signed-off-by: Selva Nair Acked-By: Arne Schwabe --- src/openvpn/ssl_openssl.c | 4 +- src/openvpn/xkey_common.h | 7 ++- src/openvpn/xkey_helper.c | 108 ++++++++++++++++++++++++++++++++++++-- 3 files changed, 113 insertions(+), 6 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 23c74f55..8f0281b1 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1169,7 +1169,7 @@ end: } -#ifdef ENABLE_MANAGEMENT +#if defined(ENABLE_MANAGEMENT) && !defined(HAVE_XKEY_PROVIDER) /* encrypt */ static int @@ -1470,7 +1470,9 @@ err: return 0; } #endif /* OPENSSL_VERSION_NUMBER > 1.1.0 dev && !defined(OPENSSL_NO_EC) */ +#endif /* ENABLE_MANAGEMENT && !HAVE_XKEY_PROVIDER */ +#ifdef ENABLE_MANAGEMENT int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) { diff --git a/src/openvpn/xkey_common.h b/src/openvpn/xkey_common.h index 5bda5e30..608afe99 100644 --- a/src/openvpn/xkey_common.h +++ b/src/openvpn/xkey_common.h @@ -67,10 +67,13 @@ typedef struct { * * @returns 1 on success, 0 on error. * - * The data in tbs is just the digest with no DigestInfo header added. This is + * If sigalg.op = "Sign", the data in tbs is the digest. If sigalg.op = "DigestSign" + * it is the message that the backend should hash wih appropriate hash algorithm before + * signing. In the former case no DigestInfo header is added to tbs. This is * unlike the deprecated RSA_sign callback which provides encoded digest. * For RSA_PKCS1 signatures, the external signing function must encode the digest - * before signing. The digest algorithm used is passed in the sigalg structure. + * before signing. The digest algorithm used (or to be used) is passed in the sigalg + * structure. */ typedef int (XKEY_EXTERNAL_SIGN_fn)(void *handle, unsigned char *sig, size_t *siglen, const unsigned char *tbs, size_t tbslen, diff --git a/src/openvpn/xkey_helper.c b/src/openvpn/xkey_helper.c index 51cfb12b..aac78a2c 100644 --- a/src/openvpn/xkey_helper.c +++ b/src/openvpn/xkey_helper.c @@ -32,6 +32,8 @@ #include "error.h" #include "buffer.h" #include "xkey_common.h" +#include "manage.h" +#include "base64.h" #ifdef HAVE_XKEY_PROVIDER @@ -48,6 +50,31 @@ static const char *const props = XKEY_PROV_PROPS; XKEY_EXTERNAL_SIGN_fn xkey_management_sign; +/** helper to compute digest */ +static int +xkey_digest(const unsigned char *src, size_t srclen, unsigned char *buf, + size_t *buflen, const char *mdname) +{ + dmsg(D_LOW, "In xkey_digest"); + EVP_MD *md = EVP_MD_fetch(NULL, mdname, NULL); /* from default context */ + if (!md) + { + msg(M_WARN, "WARN: xkey_digest: MD_fetch failed for <%s>", mdname); + return 0; + } + + unsigned int len = (unsigned int) *buflen; + if (EVP_Digest(src, srclen, buf, &len, md, NULL) != 1) + { + msg(M_WARN, "WARN: xkey_digest: EVP_Digest failed"); + return 0; + } + EVP_MD_free(md); + + *buflen = len; + return 1; +} + /** * Load external key for signing via management interface. * The public key must be passed in by the caller as we may not @@ -94,13 +121,88 @@ xkey_load_management_key(OSSL_LIB_CTX *libctx, EVP_PKEY *pubkey) return pkey; } -/* not yet implemented */ +/** + * Signature callback for xkey_provider with management-external-key + * + * @param handle Unused -- may be null + * @param sig On successful return signature is in sig. + * @param siglen On entry *siglen has length of buffer sig, + * on successful return size of signature + * @param tbs hash or message to be signed + * @param tbslen len of data in dgst + * @param sigalg extra signature parameters + * + * @return signature length or -1 on error. + */ int xkey_management_sign(void *unused, unsigned char *sig, size_t *siglen, const unsigned char *tbs, size_t tbslen, XKEY_SIGALG alg) { - msg(M_FATAL, "FATAL ERROR: A sign callback for this key is not implemented."); - return 0; + (void) unused; + char alg_str[128]; + unsigned char buf[EVP_MAX_MD_SIZE]; /* for computing digest if required */ + size_t buflen = sizeof(buf); + + if (!strcmp(alg.op, "DigestSign")) + { + dmsg(D_LOW, "xkey_management_sign: computing digest"); + if (xkey_digest(tbs, tbslen, buf, &buflen, alg.mdname)) + { + tbs = buf; + tbslen = buflen; + alg.op = "Sign"; + } + else + { + return 0; + } + } + + if (!strcmp(alg.keytype, "EC")) + { + strncpynt(alg_str, "ECDSA", sizeof(alg_str)); + } + /* else assume RSA key */ + else if (!strcmp(alg.padmode, "pkcs1")) + { + strncpynt(alg_str, "RSA_PKCS1_PADDING", sizeof(alg_str)); + } + else if (!strcmp(alg.padmode, "none")) + { + strncpynt(alg_str, "RSA_NO_PADDING", sizeof(alg_str)); + } + else if (!strcmp(alg.padmode, "pss")) + { + openvpn_snprintf(alg_str, sizeof(alg_str), "%s,hashalg=%s,saltlen=%s", + "RSA_PKCS1_PSS_PADDING", alg.mdname,alg.saltlen); + } + else { + msg(M_NONFATAL, "Unsupported RSA padding mode in signature request<%s>", + alg.padmode); + return 0; + } + dmsg(D_LOW, "xkey management_sign: requesting sig with algorithm <%s>", alg_str); + + char *in_b64 = NULL; + char *out_b64 = NULL; + int len = -1; + + int bencret = openvpn_base64_encode(tbs, (int) tbslen, &in_b64); + + if (management && bencret > 0) + { + out_b64 = management_query_pk_sig(management, in_b64, alg_str); + } + if (out_b64) + { + len = openvpn_base64_decode(out_b64, sig, (int) *siglen); + } + free(in_b64); + free(out_b64); + + *siglen = (len > 0) ? len : 0; + + return (*siglen > 0); } #endif /* HAVE_XKEY_PROVIDER */