From patchwork Fri Jan 26 09:29:28 2018
X-Patchwork-Submitter: James Bottomley
X-Patchwork-Id: 219
Message-ID: <1516998568.3034.15.camel@HansenPartnership.com>
From: James Bottomley
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 26 Jan 2018 12:29:28 -0800
Subject: [Openvpn-devel] [PATCH v3 0/2] add engine keys

Engine keys are an openssl concept for a key file which can only be understood by an engine (usually because it's been wrapped by the engine itself). We use this for TPM engine keys, so you can either generate them within your TPM or wrap them from existing private keys. Once wrapped, the keys will only function in the TPM that generated them, so it means the VPN keys are tied to the physical platform, which is very useful.

Engine keys have to be loaded via a specific callback, so use this as a fallback in openvpn if an engine is specified and if the PEM read of the private key fails.

Adding a unit test for this type of key proved particularly problematic: there's apparently no simple engine you can use to check the functionality, so after a bit of googling, I just wrote one as part of the test. You can see that the unit test converts an existing key to engine format (which is simply changing the PEM guards), tries to start openvpn with the key and verifies that the engine methods are called and the password correctly retrieved.
To make the test simple, it relies on openssl detecting a mismatch between the certificate and the key after the key has been loaded rather than going on to bring up an openvpn loop, but I think that's sufficient to test out the engine patch fully.

James Bottomley (2):
  openssl: add engine method for loading the key
  Add unit tests for engine keys

 configure.ac                                     |   2 +
 src/openvpn/crypto_openssl.c                     |  55 ++++++++++++
 src/openvpn/crypto_openssl.h                     |  12 +++
 src/openvpn/ssl_openssl.c                        |   6 +-
 tests/unit_tests/Makefile.am                     |   6 +-
 tests/unit_tests/engine-key/Makefile.am          |  14 ++++
 tests/unit_tests/engine-key/check_engine_keys.sh |  30 +++++++
 tests/unit_tests/engine-key/libtestengine.c      | 102 +++++++++++++++++++++++
 tests/unit_tests/engine-key/openssl.cnf          |  12 +++
 9 files changed, 237 insertions(+), 2 deletions(-)
 create mode 100644 tests/unit_tests/engine-key/Makefile.am
 create mode 100755 tests/unit_tests/engine-key/check_engine_keys.sh
 create mode 100644 tests/unit_tests/engine-key/libtestengine.c
 create mode 100644 tests/unit_tests/engine-key/openssl.cnf
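The fallback order and the unit test's checks described in the cover letter, as an added example that is not the patch's or OpenVPN's own code: a self-contained C model with stand-ins for PEM_read_bio_PrivateKey(), ENGINE_load_private_key() and the UI password callback, not linked against OpenSSL. The engine guard strings, the function names and the engine name are assumptions.

```c
#include <stdio.h>
#include <string.h>
enum load_result { LOAD_FAILED = 0, LOAD_PEM = 1, LOAD_ENGINE = 2 };

/* Assumed guards of the hypothetical test engine's wrapped keys (not from the patch). */
#define ENGINE_BEGIN "-----BEGIN TEST ENGINE PRIVATE KEY-----"
#define ENGINE_END   "-----END TEST ENGINE PRIVATE KEY-----"
int engine_calls;        /* how often the engine loader stand-in was invoked */
char password_seen[64];  /* passphrase the engine fetched through the UI callback */

/* Stand-in for the UI password callback openvpn hands to the engine. */
static const char *ui_get_password(const void *userdata) { return userdata; }

/* Stand-in for PEM_read_bio_PrivateKey(): accepts only standard PEM guards. */
static int pem_read_private_key(const char *pem)
{
    static const char *const guards[] = { "-----BEGIN PRIVATE KEY-----",
        "-----BEGIN RSA PRIVATE KEY-----", "-----BEGIN EC PRIVATE KEY-----" };
    for (size_t i = 0; i < sizeof guards / sizeof *guards; i++)
        if (strncmp(pem, guards[i], strlen(guards[i])) == 0) return 1;
    return 0;
}

/* Stand-in for ENGINE_load_private_key(): understands only its own wrapping and
 * must obtain the passphrase through the callback, which the test engine checks. */
static int engine_load_private_key(const char *pem, const char *(*cb)(const void *), const void *ud)
{
    engine_calls++;
    if (strncmp(pem, ENGINE_BEGIN, strlen(ENGINE_BEGIN)) != 0) return 0;
    snprintf(password_seen, sizeof password_seen, "%s", cb(ud));
    return 1;
}

/* The order the patch adds: plain PEM first; the engine only as a fallback,
 * and only when an engine was configured. */
enum load_result load_private_key(const char *pem, const char *engine, const char *pass)
{
    if (pem_read_private_key(pem)) return LOAD_PEM;
    if (engine != NULL && engine_load_private_key(pem, ui_get_password, pass)) return LOAD_ENGINE;
    return LOAD_FAILED;
}

/* What the unit test does to make an engine key: swap the PEM guards, keeping the
 * body. Returns 0 on success, -1 if the input is not PEM or out is too small. */
int convert_to_engine_format(const char *pem, char *out, size_t outlen)
{
    const char *body = strchr(pem, '\n'), *end = body ? strstr(body, "-----END ") : NULL;
    if (end == NULL) return -1;
    int n = snprintf(out, outlen, "%s%.*s%s\n", ENGINE_BEGIN, (int)(end - body), body, ENGINE_END);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}
```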