From patchwork Fri Jan 26 09:30:20 2018
X-Patchwork-Submitter: James Bottomley
X-Patchwork-Id: 220
Message-ID: <1516998620.3034.16.camel@HansenPartnership.com>
From: James Bottomley
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 26 Jan 2018 12:30:20 -0800
In-Reply-To: <1516998568.3034.15.camel@HansenPartnership.com>
References: <1516998568.3034.15.camel@HansenPartnership.com>
Subject: [Openvpn-devel] PATCH v3 1/2] openssl: add engine method for loading the key

As well as doing crypto acceleration, engines can also be used to load key files. If the engine is set, and the private key loading fails for bio methods, this patch makes openvpn try to get the engine to load the key. If that succeeds, we end up using an engine-based key.

This can be used with the openssl tpm engines to make openvpn use a TPM wrapped key file.

Signed-off-by: James Bottomley
---
v2: add better configuration guarding
---
 src/openvpn/crypto_openssl.c | 55 ++++++++++++++++++++++++++++++++++++++++++++
 src/openvpn/crypto_openssl.h | 12 ++++++++++
 src/openvpn/ssl_openssl.c | 6 ++++-
 3 files changed, 72 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 20a519ec..d3f35030 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -969,4 +969,59 @@ hmac_ctx_final(HMAC_CTX *ctx, uint8_t *dst) HMAC_Final(ctx, dst, &in_hmac_len); } +#if HAVE_OPENSSL_ENGINE +static int +ui_read(UI *ui, UI_STRING *uis) +{ + SSL_CTX *ctx = UI_get0_user_data(ui); + + if (UI_get_string_type(uis) == UIT_PROMPT) { + pem_password_cb *cb = SSL_CTX_get_default_passwd_cb(ctx); + void *d = SSL_CTX_get_default_passwd_cb_userdata(ctx); + char password[64]; + + cb(password, sizeof(password), 0, d); + UI_set_result(ui, uis, password); + + return 1; + } + return 0; +} +#endif + +EVP_PKEY * +engine_load_key(const char *file, SSL_CTX *ctx) +{ +#if HAVE_OPENSSL_ENGINE + UI_METHOD *ui; + EVP_PKEY *pkey; + + if (!engine_persist) + return NULL; + + ui = UI_create_method("openvpn"); + + if (!ui) + return NULL; + + UI_method_set_reader(ui, ui_read); + + ERR_clear_error(); /* BIO read failure */ + if (!ENGINE_init(engine_persist)) { + ERR_print_errors_fp(stderr); + pkey = NULL; + goto out; + } + pkey = ENGINE_load_private_key(engine_persist, file, ui, ctx); + ENGINE_finish(engine_persist); + if (!pkey) + ERR_print_errors_fp(stderr); + out: + UI_destroy_method(ui); + return pkey; +#else + return NULL; +#endif +} + #endif /* ENABLE_CRYPTO_OPENSSL */ diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h index 60a28123..759dc927 100644 --- a/src/openvpn/crypto_openssl.h +++ b/src/openvpn/crypto_openssl.h @@ -101,5 +101,17 @@ void crypto_print_openssl_errors(const unsigned int flags); msg((flags), __VA_ARGS__); \ } while (false) +/** + * Load a key file from an engine + * + * @param file The engine file to load + * @param ui The UI method for the password prompt + * @param data The data to pass to the UI method + * + * @return The private key if successful or NULL if not + */ +EVP_PKEY * +engine_load_key(const char *file, SSL_CTX *ctx); + #endif /* CRYPTO_OPENSSL_H_ */ diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index cc1f8f15..200c0189 100644 --- a/src/openvpn/ssl_openssl.c 
+++ b/src/openvpn/ssl_openssl.c @@ -907,7 +907,11 @@ tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx)); if (!pkey) { - goto end; + pkey = engine_load_key(priv_key_file, ctx->ctx); + if (!pkey) + { + goto end; + } } if (!SSL_CTX_use_PrivateKey(ssl_ctx, pkey))
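Review bot: in the crypto_openssl.c hunk, ui_read discards the result of the password callback: `cb(password, sizeof(password), 0, d);` is followed unconditionally by `UI_set_result(ui, uis, password);`, so a callback that fails (returns -1 or 0) still hands an empty or uninitialised buffer to the engine as the passphrase, and `cb` is dereferenced without checking that SSL_CTX_get_default_passwd_cb returned non-NULL. Check both, return 0 from ui_read on failure, and wipe `password` before returning since it holds the key passphrase. Two smaller points in engine_load_key: failures are reported with ERR_print_errors_fp(stderr) rather than through msg()/crypto_print_openssl_errors (both visible in the crypto_openssl.h hunk), so they bypass the OpenVPN log; and the new code uses K&R braces and unbraced single-statement ifs such as `if (!ui) return NULL;`, whereas the tree puts braces on their own line and around every body, as the ssl_openssl.c hunk shows.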
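Review bot: in the crypto_openssl.h hunk, the Doxygen block documents parameters `ui` and `data` that the prototype does not have and omits `ctx`, the SSL_CTX that `engine_load_key(const char *file, SSL_CTX *ctx)` does take. Replace the two stale @param lines with one for `ctx`, describing it as the SSL_CTX whose default passwd callback and userdata supply the passphrase, and state that the function returns NULL silently when no engine is configured or OpenSSL was built without engine support, since callers in ssl_openssl.c cannot otherwise tell those cases from a genuine load failure.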
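Review bot: in the ssl_openssl.c hunk, the engine fallback runs on every BIO load failure, and engine_load_key calls ERR_clear_error() as soon as an engine is configured, so when the engine also cannot load the key the original reason the PEM read failed (a wrong passphrase, an unreadable file) is dropped from the error queue and never reported. Log or print the BIO error before calling `engine_load_key(priv_key_file, ctx->ctx)`, or only fall back when the engine is configured and the file is not a parseable PEM key, so a plain key-file problem keeps its original diagnostic.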