From patchwork Sun May 24 10:15:50 2020
X-Patchwork-Submitter: James Bottomley
X-Patchwork-Id: 1121
From: James Bottomley
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 24 May 2020 13:15:50 -0700
Message-Id: <20200524201552.15321-1-James.Bottomley@HansenPartnership.com>
X-Mailer: git-send-email 2.26.2
Subject: [Openvpn-devel] [PATCH v5 0/2] add engine keys

This update tries to cope with the fact that the test engine dynamic extension is different on macOS (.dylib) and Linux (.so) by dynamically building the openssl.cnf file with the correct one.

Note: I don't have any macOS machines to test this on, so I only know it works on Linux. If someone with a Mac could check, I'd be grateful.

---

Engine keys are an openssl concept for a key file which can only be understood by an engine (usually because it's been wrapped by the engine itself). We use this for TPM engine keys, so you can either generate them within your TPM or wrap them from existing private keys. Once wrapped, the keys will only function in the TPM that generated them, so it means the VPN keys are tied to the physical platform, which is very useful.

Engine keys have to be loaded via a specific callback, so use this as a fallback in openvpn if an engine is specified and if the PEM read of the private key fails.

Adding a unit test for this type of key proved particularly problematic: there's apparently no simple engine you can use to check the functionality, so after a bit of googling, I just wrote one as part of the test.
You can see that the unit test converts an existing key to engine format (which is simply changing the PEM guards), tries to start openvpn with the key and verifies that the engine methods are called and the password correctly retrieved. To make the test simple, it relies on openssl detecting a mismatch between the certificate and the key after the key has been loaded rather than going on to bring up an openvpn loop, but I think that's sufficient to test out the engine patch fully.

---

James Bottomley (2):
  openssl: add engine method for loading the key
  Add unit tests for engine keys

 configure.ac                                |   5 +
 src/openvpn/crypto_openssl.c                |  57 ++++++++++
 src/openvpn/crypto_openssl.h                |  12 +++
 src/openvpn/ssl_openssl.c                   |   5 +
 tests/unit_tests/Makefile.am                |   3 +
 tests/unit_tests/engine-key/Makefile.am     |  24 +++++
 .../engine-key/check_engine_keys.sh         |  30 ++++++
 tests/unit_tests/engine-key/libtestengine.c | 101 ++++++++++++++++++
 tests/unit_tests/engine-key/openssl.cnf.in  |  12 +++
 9 files changed, 249 insertions(+)
 create mode 100644 tests/unit_tests/engine-key/Makefile.am
 create mode 100755 tests/unit_tests/engine-key/check_engine_keys.sh
 create mode 100644 tests/unit_tests/engine-key/libtestengine.c
 create mode 100644 tests/unit_tests/engine-key/openssl.cnf.in
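The two helper steps the cover letter describes for the unit test (choosing the engine's shared-object suffix per platform to render openssl.cnf, and turning an ordinary PEM key into "engine format" by rewriting nothing but its PEM guards), as an added POSIX sh example. This is not code from the patch series or the OpenVPN tree. The placeholders @ENGINE_DIR@ and @ENGINE_EXT@, the guard text "ENGINE PRIVATE KEY", the config template and the key body below are all constructed for this example; the real openssl.cnf.in and libtestengine.c may use different names.

```shell
#!/bin/sh
# Added example, not code from the OpenVPN patch series: the helper steps
# the cover letter describes for the engine-key unit test, as POSIX sh
# functions that run stand-alone.
#
# Assumptions (constructed for this example, not taken from the patch):
#   - the template uses @ENGINE_DIR@ and @ENGINE_EXT@ placeholders;
#   - the toy engine recognises the guard "ENGINE PRIVATE KEY";
#   - the config text and key body below are made up, not real files/keys.

# Map a kernel name (as printed by `uname -s`) to the shared-library suffix
# OpenSSL's dynamic engine loader will look for on that platform.
engine_ext() {
    case "$1" in
        Darwin)                        printf '%s\n' dylib ;;
        Linux|FreeBSD|OpenBSD|NetBSD)  printf '%s\n' so ;;
        *) printf 'engine_ext: unsupported platform "%s"\n' "$1" >&2; return 1 ;;
    esac
}

# Render an openssl.cnf from a template read on stdin. $1 is the directory
# holding libtestengine.<ext>, $2 the suffix from engine_ext. The resulting
# dynamic_path line is what lets OpenSSL locate the engine that will later
# be asked to load the key. ($1 must not contain '|', the sed delimiter.)
render_cnf() {
    sed -e "s|@ENGINE_DIR@|$1|g" -e "s|@ENGINE_EXT@|$2|g"
}

# Turn an ordinary PEM private key (PKCS#8, RSA or EC guards) into "engine
# format" by rewriting only the guard lines, which is all the cover letter
# says the unit test does. The base64 body is untouched, so this is not
# wrapping or protection of any kind; it simply makes the normal PEM read
# fail so that the engine load callback is the path that gets exercised.
to_engine_key() {
    sed -e 's/^-----BEGIN .*PRIVATE KEY-----$/-----BEGIN ENGINE PRIVATE KEY-----/' \
        -e 's/^-----END .*PRIVATE KEY-----$/-----END ENGINE PRIVATE KEY-----/'
}

# --- Stand-alone demo with constructed inputs ---------------------------

# Constructed template standing in for openssl.cnf.in (not the project's):
# a dynamic engine section pointing at the test engine's shared object.
CNF_TEMPLATE='openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
testengine = testengine_section

[testengine_section]
engine_id = testengine
dynamic_path = @ENGINE_DIR@/libtestengine.@ENGINE_EXT@
init = 1'

# Constructed placeholder, deliberately not a parseable key.
SAMPLE_KEY='-----BEGIN PRIVATE KEY-----
AAAAconstructedPlaceholderNotARealKeyAAAA
-----END PRIVATE KEY-----'

# Pick the suffix for the machine we are running on; fall back to .so if
# engine_ext does not know the platform.
ext=$(engine_ext "$(uname -s)" 2>/dev/null || printf '%s\n' so)

printf '== openssl.cnf rendered for this host (.%s) ==\n' "$ext"
printf '%s\n' "$CNF_TEMPLATE" | render_cnf "$PWD" "$ext"
printf '\n== key rewritten to engine format ==\n'
printf '%s\n' "$SAMPLE_KEY" | to_engine_key
```

The guard rewrite protects nothing; in the real TPM case it is the engine's wrapping of the key blob that ties the key to one platform, and the unit test only needs a file that the plain PEM reader rejects. That is also why the fallback described in the cover letter is conditioned on an engine actually being configured: without that condition an unreadable or corrupt key file with no engine in play would be handed to the engine path instead of failing loudly.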