From patchwork Tue Dec 5 08:46:24 2017
X-Patchwork-Submitter: James Bottomley
X-Patchwork-Id: 134
Message-ID: <1512503184.3019.29.camel@HansenPartnership.com>
From: James Bottomley
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 05 Dec 2017 11:46:24 -0800
Subject: [Openvpn-devel] [PATCH v2 0/1] add engine keys

Engine keys are an openssl concept for a key file which can only be understood by an engine (usually because it's been wrapped by the engine itself). We use this for TPM engine keys, so you can either generate them within your TPM or wrap them from existing private keys. Once wrapped, the keys will only function in the TPM that generated them, so it means the VPN keys are tied to the physical platform, which is very useful.

Engine keys have to be loaded via a specific callback, so use this as a fallback in openvpn if an engine is specified and if the PEM read of the private key fails.

James Bottomley (1):
  openssl: add engine method for loading the key

 src/openvpn/crypto_openssl.c | 55 ++++++++++++++++++++++++++++++++++++++++++++
 src/openvpn/crypto_openssl.h | 12 ++++++++++
 src/openvpn/ssl_openssl.c    |  6 ++++-
 3 files changed, 72 insertions(+), 1 deletion(-)