From patchwork Thu May 28 12:59:17 2020
X-Patchwork-Submitter: James Bottomley
X-Patchwork-Id: 1125
From: James Bottomley
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 28 May 2020 15:59:17 -0700
Message-Id: <20200528225920.6983-1-James.Bottomley@HansenPartnership.com>
X-Mailer: git-send-email 2.26.2
Subject: [Openvpn-devel] [PATCH v6 0/3] add support for engine keys

This update exposes the new configuration file addition to the openssl initialization as a separate patch. This means that the behaviour of potentially reading from a configuration file is global rather than contingent on the engine parameter being present and thus is now fully consistent. I've added this as a separate patch, since it's a separate feature.

---

Engine keys are an openssl concept for a key file which can only be understood by an engine (usually because it's been wrapped by the engine itself). We use this for TPM engine keys, so you can either generate them within your TPM or wrap them from existing private keys. Once wrapped, the keys will only function in the TPM that generated them, so it means the VPN keys are tied to the physical platform, which is very useful.

Engine keys have to be loaded via a specific callback, so use this as a fallback in openvpn if an engine is specified and if the PEM read of the private key fails.

Adding a unit test for this type of key proved particularly problematic: there's apparently no simple engine you can use to check the functionality, so after a bit of googling, I just wrote one as part of the test.
You can see that the unit test converts an existing key to engine format (which is simply changing the PEM guards), tries to start openvpn with the key and verifies that the engine methods are called and the password correctly retrieved. To make the test simple, it relies on openssl detecting a mismatch between the certificate and the key after the key has been loaded rather than going on to bring up an openvpn loop, but I think that's sufficient to test out the engine patch fully.

---

James Bottomley (3):
  openssl: add engine method for loading the key
  crypto_openssl: add initialization to pick up local configuration
  Add unit tests for engine keys

 configure.ac                                |   5 +
 src/openvpn/crypto_openssl.c                |  61 +++++++++++
 src/openvpn/crypto_openssl.h                |  12 +++
 src/openvpn/ssl_openssl.c                   |   5 +
 tests/unit_tests/Makefile.am                |   3 +
 tests/unit_tests/engine-key/Makefile.am     |  24 +++++
 .../engine-key/check_engine_keys.sh         |  30 ++++++
 tests/unit_tests/engine-key/libtestengine.c | 101 ++++++++++++++++++
 tests/unit_tests/engine-key/openssl.cnf.in  |  12 +++
 9 files changed, 253 insertions(+)
 create mode 100644 tests/unit_tests/engine-key/Makefile.am
 create mode 100755 tests/unit_tests/engine-key/check_engine_keys.sh
 create mode 100644 tests/unit_tests/engine-key/libtestengine.c
 create mode 100644 tests/unit_tests/engine-key/openssl.cnf.in
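The load order the cover letter describes (PEM read first, engine callback only as a fallback, and only when an engine is configured) and the trick the unit test uses to force that fallback (rewriting the PEM guards so the normal PEM reader rejects the file) can be modelled without a TPM. The following is an added example written for this page; it is not code from the patch series or from OpenVPN. It builds without libcrypto by standing in a mock engine for ENGINE_load_private_key() and a guard check for the PEM reader; the guard label "TEST ENGINE KEY", the mock_engine struct, the function names and the placeholder key body are all assumptions, not the test's actual values.

```c
/* Added example, not from the patch series: models PEM-first / engine-fallback
 * key loading with a mock engine so it compiles without libcrypto.
 * All names and the guard label below are assumptions. */
#include <stdio.h>
#include <string.h>

enum load_result { LOAD_FAIL = 0, LOAD_PEM = 1, LOAD_ENGINE = 2 };

/* What a test engine records so a test can verify its methods ran. */
struct mock_engine {
    const char *id;      /* engine id; a real deployment would name the TPM engine */
    int load_calls;      /* number of load_private_key invocations */
    char password[64];   /* passphrase obtained through the UI callback */
};

#define PEM_GUARD    "PRIVATE KEY"        /* standard label the PEM reader accepts */
#define ENGINE_GUARD "TEST ENGINE KEY"    /* assumed label only the mock engine accepts */

/* Rewrite the PEM guards so an ordinary private-key reader rejects the file.
 * This mirrors how the unit test turns an existing key into an "engine key".
 * Returns 0 on success, -1 if the input is not a plain private key. */
static int convert_to_engine_pem(const char *in, char *out, size_t outlen)
{
    const char *begin = "-----BEGIN " PEM_GUARD "-----";
    const char *end   = "-----END " PEM_GUARD "-----";
    const char *b = strstr(in, begin);
    const char *e = strstr(in, end);
    if (!b || !e || e < b)
        return -1;
    const char *body = b + strlen(begin);
    int n = snprintf(out, outlen,
                     "-----BEGIN " ENGINE_GUARD "-----%.*s-----END " ENGINE_GUARD "-----\n",
                     (int)(e - body), body);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Stand-in for PEM_read_bio_PrivateKey(): succeeds only on the standard guard. */
static int pem_read_private_key(const char *pem)
{
    return strstr(pem, "-----BEGIN " PEM_GUARD "-----") != NULL;
}

/* Stand-in for ENGINE_load_private_key(): accepts only its own guard and pulls
 * the passphrase through the UI callback, as a real engine does. Returns 1 on success. */
static int engine_load_private_key(struct mock_engine *eng, const char *pem,
                                   const char *(*ui_cb)(void *), void *cb_data)
{
    eng->load_calls++;
    if (strstr(pem, "-----BEGIN " ENGINE_GUARD "-----") == NULL)
        return 0;
    const char *pw = ui_cb ? ui_cb(cb_data) : NULL;
    if (!pw)
        return 0;
    snprintf(eng->password, sizeof eng->password, "%s", pw);
    return 1;
}

/* The order described in the cover letter: PEM read first; engine callback
 * only when that fails and an engine has been configured. */
static enum load_result load_private_key(const char *pem, struct mock_engine *eng,
                                         const char *(*ui_cb)(void *), void *cb_data)
{
    if (pem_read_private_key(pem))
        return LOAD_PEM;
    if (eng && engine_load_private_key(eng, pem, ui_cb, cb_data))
        return LOAD_ENGINE;
    return LOAD_FAIL;
}

/* UI callback that hands back a fixed passphrase from cb_data. */
static const char *test_ui_cb(void *data) { return (const char *)data; }

/* Runs the scenario from the unit test: convert a key, then load it with and
 * without an engine. Returns 0 when every step behaves as expected. */
static int run_engine_key_scenario(struct mock_engine *eng)
{
    /* Constructed placeholder, not a real key; only the guards matter here. */
    const char *plain = "-----BEGIN PRIVATE KEY-----\nMIIBVQ...placeholder...\n-----END PRIVATE KEY-----\n";
    static char secret[] = "vpn-secret";
    char wrapped[256];

    if (convert_to_engine_pem(plain, wrapped, sizeof wrapped) != 0)          return -1;
    if (load_private_key(plain, eng, test_ui_cb, secret) != LOAD_PEM)        return -2; /* engine untouched */
    if (load_private_key(wrapped, NULL, test_ui_cb, secret) != LOAD_FAIL)    return -3; /* no engine: hard failure */
    if (load_private_key(wrapped, eng, test_ui_cb, secret) != LOAD_ENGINE)   return -4; /* fallback path */
    return 0;
}

/* Self-test that also checks what the engine observed: exactly one load call
 * (only the wrapped key with an engine set reaches it) and the right passphrase. */
static int engine_key_selftest(void)
{
    struct mock_engine eng = { "testengine", 0, "" };
    int rc = run_engine_key_scenario(&eng);
    if (rc != 0)                                  return rc;
    if (eng.load_calls != 1)                      return -5;
    if (strcmp(eng.password, "vpn-secret") != 0)  return -6;
    return 0;
}

int main(void)
{
    int rc = engine_key_selftest();
    printf("engine key self-test rc=%d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The point worth keeping in mind when reading the real patch against this model: the engine path must run only after the PEM read has failed and only when an engine was configured, so a plain key never touches the engine and a wrapped key never silently loads without one. The model stops where the unit test stops; it does not go on to check the key against a certificate, which the real test leaves to openssl's mismatch detection.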