From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 14 Dec 2021 11:59:10 -0500
Message-Id: <20211214165928.30676-1-selva.nair@gmail.com>
X-Mailer: git-send-email 2.30.2
Subject: [Openvpn-devel] [PATCH v3 00/18] External key provider for use with OpenSSL 3

From: Selva Nair

The following series of patches implements a built-in provider for interfacing OpenSSL 3.0 when external keys are in use. Essentially, to intercept the sign operation, the SSL_CTX object has to be created with a properties string set to prioritize our provider. In the provider we implement only keymgmt and signature operations and specify the property string as optional. That allows all operations we do not provide to be used from the default provider.

Same as PR#161 https://github.com/OpenVPN/openvpn/pull/161 with fixup commits in there squashed and rebased to master.

Requires OpenSSL 3.0.1 (released on Dec 14, 2021) or OpenSSL 3.0 or 3.1 dev branch post Oct 27.
Selva Nair (18):
  A built-in provider for using external key with OpenSSL 3.0
  Implement KEYMGMT in the xkey provider
  Implement SIGNATURE operations in xkey provider
  Implement import of custom external keys
  Initialize the xkey provider and use it in SSL context
  A helper function to import private key for management-external-key
  Enable signing via provider for management-external-key
  Add a function to encode digests with PKCS1 DigestInfo wrapper
  Allow management client to announce pss padding support
  Respect algorithm support announced by management client
  Support sending DigestSign request to management client
  Increase ERR_BUF_SIZE when management interface support is enabled
  Add a generic key loading helper function for xkey provider
  pkcs11: Interface the xkey provider with pkcs11-helper
  Enable signing using CNG through xkey provider
  Add a unit test for external key provider
  xkey-provider: Add a test for generic key load and signature
  Add xkey_provider sources and includes to MSVC project

 doc/man-sections/management-options.rst  |    8 +-
 doc/management-notes.txt                 |   22 +-
 src/openvpn/Makefile.am                  |    2 +
 src/openvpn/cryptoapi.c                  |  241 ++++-
 src/openvpn/error.h                      |    4 +-
 src/openvpn/manage.h                     |    2 +
 src/openvpn/openssl_compat.h             |    8 +
 src/openvpn/openvpn.vcxproj              |    3 +
 src/openvpn/options.c                    |   31 +-
 src/openvpn/options.h                    |    2 +
 src/openvpn/pkcs11_openssl.c             |  151 +++
 src/openvpn/ssl.c                        |    5 +
 src/openvpn/ssl.h                        |    6 +
 src/openvpn/ssl_mbedtls.c                |    6 +
 src/openvpn/ssl_openssl.c                |  108 +-
 src/openvpn/xkey_common.h                |  158 +++
 src/openvpn/xkey_helper.c                |  393 +++++++
 src/openvpn/xkey_provider.c              | 1189 ++++++++++++++++++++++
 tests/unit_tests/openvpn/Makefile.am     |   16 +
 tests/unit_tests/openvpn/test_provider.c |  403 ++++++++
 20 files changed, 2715 insertions(+), 43 deletions(-)
 create mode 100644 src/openvpn/xkey_common.h
 create mode 100644 src/openvpn/xkey_helper.c
 create mode 100644 src/openvpn/xkey_provider.c
 create mode 100644 tests/unit_tests/openvpn/test_provider.c
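As an added illustration (not code from this patch series or from OpenSSL itself), the snippet below models the optional-property selection the cover letter relies on: a query of "?provider=xkey" prefers the xkey provider where it implements an operation and silently falls back to the default provider elsewhere, whereas the required form "provider=xkey" fails for anything xkey lacks. The registry contents, the provider name "xkey" and the helper xq_fetch are assumptions for the example.

```c
/* Added example, not code from the patch series: a simplified model of how
 * an OpenSSL 3 property query such as "?provider=xkey" picks an implementation.
 * The leading '?' makes the property optional, which is why operations the
 * xkey provider does not implement (e.g. digests) still resolve to the default
 * provider. Names are constructed; real OpenSSL matching is richer. */
#include <string.h>

struct impl {
    const char *op;       /* operation type, e.g. "signature" */
    const char *alg;      /* algorithm name */
    const char *provider; /* provider that registered it */
};

/* Constructed registry: xkey offers only keymgmt and signature;
 * everything else exists only in the default provider. */
static const struct impl registry[] = {
    { "keymgmt",   "RSA",    "xkey" },
    { "signature", "RSA",    "xkey" },
    { "keymgmt",   "RSA",    "default" },
    { "signature", "RSA",    "default" },
    { "digest",    "SHA256", "default" },
};

/* Resolve (op, alg) against "provider=NAME" (required) or "?provider=NAME"
 * (optional). Returns the chosen provider, or NULL when a required property
 * cannot be satisfied. */
const char *xq_fetch(const char *op, const char *alg, const char *query)
{
    int optional = (query[0] == '?');
    const char *want = strchr(query, '=');
    const char *fallback = NULL;
    if (!want) {
        return NULL;
    }
    want++;
    for (size_t i = 0; i < sizeof registry / sizeof registry[0]; i++) {
        const struct impl *m = &registry[i];
        if (strcmp(m->op, op) != 0 || strcmp(m->alg, alg) != 0) {
            continue;
        }
        if (strcmp(m->provider, want) == 0) {
            return m->provider; /* preferred provider implements it */
        }
        if (!fallback) {
            fallback = m->provider; /* used only when the query is optional */
        }
    }
    return optional ? fallback : NULL;
}
```

With the optional query, signature/RSA resolves to "xkey" and digest/SHA256 to "default"; with the required query, digest/SHA256 resolves to nothing, which is the failure mode the cover letter avoids by marking the property optional.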