From patchwork Sat Feb 10 11:49:32 2018
X-Patchwork-Submitter: James Bottomley
X-Patchwork-Id: 231
Message-ID: <1518302972.3072.3.camel@HansenPartnership.com>
From: James Bottomley
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 10 Feb 2018 14:49:32 -0800
In-Reply-To: <1518302884.3072.1.camel@HansenPartnership.com>
References: <1518302884.3072.1.camel@HansenPartnership.com>
Subject: [Openvpn-devel] [PATCH v4 1/2] openssl: add engine method for loading the key

As well as doing crypto acceleration, engines can also be used to load key files. If the engine is set, and the private key loading fails for bio methods, this patch makes openvpn try to get the engine to load the key. If that succeeds, we end up using an engine-based key. This can be used with the openssl tpm engines to make openvpn use a TPM-wrapped key file.
Signed-off-by: James Bottomley --- v2: add better configuration guarding v4: - use crypto_msg() instead of raw openssl prints - remove ENGINE_init/finish(). Openvpn already initializes the engine so doing a second initialization is wrong. - don't clear the openssl errors from the BIO_read failure just in case they might be useful. - add ui.h include for openssl 1.1 build failure --- src/openvpn/crypto_openssl.c | 53 ++++++++++++++++++++++++++++++++++++++++++++ src/openvpn/crypto_openssl.h | 12 ++++++++++ src/openvpn/ssl_openssl.c | 6 ++++- 3 files changed, 70 insertions(+), 1 deletion(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 4fb2f6d6..936cbb0d 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -63,6 +63,7 @@ #endif #if HAVE_OPENSSL_ENGINE +#include #include static bool engine_initialized = false; /* GLOBAL */ 
@@ -969,4 +970,56 @@ hmac_ctx_final(HMAC_CTX *ctx, uint8_t *dst) HMAC_Final(ctx, dst, &in_hmac_len); } +#if HAVE_OPENSSL_ENGINE +static int +ui_reader(UI *ui, UI_STRING *uis) +{ + SSL_CTX *ctx = UI_get0_user_data(ui); + + if (UI_get_string_type(uis) == UIT_PROMPT) { + pem_password_cb *cb = SSL_CTX_get_default_passwd_cb(ctx); + void *d = SSL_CTX_get_default_passwd_cb_userdata(ctx); + char password[64]; + + cb(password, sizeof(password), 0, d); + UI_set_result(ui, uis, password); + + return 1; + } + return 0; +} +#endif + +EVP_PKEY * +engine_load_key(const char *file, SSL_CTX *ctx) +{ +#if HAVE_OPENSSL_ENGINE + UI_METHOD *ui; + EVP_PKEY *pkey; + + if (!engine_persist) + return NULL; + + /* this will print out the error from BIO_read */ + crypto_msg(M_INFO, "PEM_read_bio failed, now trying engine method to load private key"); + + ui = UI_create_method("openvpn"); + if (!ui) { + crypto_msg(M_FATAL, "Engine UI creation failed"); + return NULL; + } + + UI_method_set_reader(ui, ui_reader); + + pkey = ENGINE_load_private_key(engine_persist, file, ui, ctx); + if (!pkey) + crypto_msg(M_FATAL, "Engine could not load key file"); + out: + UI_destroy_method(ui); + return pkey; +#else + return NULL; +#endif +} + #endif /* ENABLE_CRYPTO_OPENSSL */ diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h index 0a413705..98be36d5 100644 --- a/src/openvpn/crypto_openssl.h +++ b/src/openvpn/crypto_openssl.h @@ -101,5 +101,17 @@ void crypto_print_openssl_errors(const unsigned int flags); msg((flags), __VA_ARGS__); \ } while (false) +/** + * Load a key file from an engine + * + * @param file The engine file to load + * @param ui The UI method for the password prompt + * @param data The data to pass to the UI method + * + * @return The private key if successful or NULL if not + */ +EVP_PKEY * +engine_load_key(const char *file, SSL_CTX *ctx); + #endif /* CRYPTO_OPENSSL_H_ */ diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 26c1e608..76ce6939 100644 
--- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -907,7 +907,11 @@ tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx)); if (!pkey) { - goto end; + pkey = engine_load_key(priv_key_file, ctx->ctx); + if (!pkey) + { + goto end; + } } if (!SSL_CTX_use_PrivateKey(ssl_ctx, pkey))
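Review bot: in ui_reader() (crypto_openssl.c, the @@ -969 hunk) the pem_password_cb return value is discarded, so `password` is never terminated at the returned length and a callback error (-1) is treated as a successful prompt; the callback contract is to fill up to `size` bytes and return the count, with no guarantee of a trailing NUL, yet UI_set_result() is handed the buffer as a C string. Suggest `char password[64 + 1]; int len = cb(password, sizeof(password) - 1, 0, d); if (len < 0) { return 0; } password[len] = '\0';` before UI_set_result(), a NULL check on `cb` (SSL_CTX_get_default_passwd_cb() can return NULL when no callback was set), and wiping the buffer afterwards with secure_memzero() since it holds the key passphrase on the stack. In engine_load_key() the `out:` label has no matching goto (unused-label warning), and because crypto_msg(M_FATAL, ...) does not return, the failure case never reaches UI_destroy_method(); either make the failure path non-fatal (log at M_WARN and fall through to the cleanup, letting the caller decide) or drop the dead cleanup. Style: OpenVPN puts `{` on its own line and braces every if body (compare the ssl_openssl.c hunk), so `if (!ui) {` and the brace-less `if (!engine_persist) return NULL;` should be reformatted to match.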
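Review bot: the doc comment in the crypto_openssl.h hunk documents `@param ui` and `@param data`, which are not in the declared signature `engine_load_key(const char *file, SSL_CTX *ctx)`; replace them with a single `@param ctx` line describing that the SSL_CTX's default password callback and userdata are used for the engine's prompt. The `@return ... NULL if not` line is also only accurate when engine support is compiled out or no engine is configured, since the .c hunk exits via M_FATAL when the engine itself fails to load the key; either document that or change the function to return NULL in that case as well.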
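Review bot: in the ssl_openssl.c hunk the new inner `if (!pkey) { goto end; }` is only reachable when engine_load_key() returns NULL, which per the crypto_openssl.c hunk happens when engine support is compiled out or no engine is set; with an engine configured, a failed engine load exits through crypto_msg(M_FATAL) before control returns here. Since this call site already has the `goto end` error path, it would be cleaner for engine_load_key() to report failure with NULL and leave the fatal-or-not decision to tls_ctx_load_priv_file(), so both load methods share one error path. Note also that the fallback is attempted on any PEM read failure, including a wrong passphrase for an ordinary PEM file, so the "now trying engine method" message will appear in that case whenever an engine is configured; a brief comment above the call stating that this is intentional would help future readers.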