Message ID | 1516909261-31623-2-git-send-email-selva.nair@gmail.com |
---|---|
State | Accepted |
Headers | show |
Series | [Openvpn-devel,1/2] Add management client version | expand |
Am 25.01.18 um 20:41 schrieb selva.nair@gmail.com: > From: Selva Nair <selva.nair@gmail.com> > > - Increase the management version from 1 to 2 > - If the client announces support for management version > 1 > prompt for signature using >PK_SIGN to which the client > responds using 'pk-sig' > Older (current) clients will be continued to be prompted > by '>RSA_SIGN' and can respond using 'rsa-sig' > - Remove an unused rsa_sig buffer-list variable > Acked-by: Arne Schwabe <arne@rfc2549.org> Arne ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Hi, On Thu, Jan 25, 2018 at 02:41:01PM -0500, selva.nair@gmail.com wrote: > From: Selva Nair <selva.nair@gmail.com> > > - Increase the management version from 1 to 2 > - If the client announces support for management version > 1 > prompt for signature using >PK_SIGN to which the client > responds using 'pk-sig' > Older (current) clients will be continued to be prompted > by '>RSA_SIGN' and can respond using 'rsa-sig' > - Remove an unused rsa_sig buffer-list variable > > This facilitates a transparent transition to PK_SIG and future deprecation > of RSA_SIGN I'm a bit confused about the sequence of patches here. Is this one dependent on one of the other PK_SIGN related patches? Or standalone and could be applied to master "as is"? gert
Am 29.01.18 um 09:25 schrieb Gert Doering: > Hi, > > On Thu, Jan 25, 2018 at 02:41:01PM -0500, selva.nair@gmail.com wrote: >> From: Selva Nair <selva.nair@gmail.com> >> >> - Increase the management version from 1 to 2 >> - If the client announces support for management version > 1 >> prompt for signature using >PK_SIGN to which the client >> responds using 'pk-sig' >> Older (current) clients will be continued to be prompted >> by '>RSA_SIGN' and can respond using 'rsa-sig' >> - Remove an unused rsa_sig buffer-list variable >> >> This facilitates a transparent transition to PK_SIG and future deprecation >> of RSA_SIGN > > I'm a bit confused about the sequence of patches here. Is this one dependent > on one of the other PK_SIGN related patches? Or standalone and could be > applied to master "as is"? > These patches implement just PK_SIGN instead of RSA-SIGN but do not implement ec cert support. So yes these two patches are applied first and the EC patch comes third. Arne ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Hi, On Mon, Jan 29, 2018 at 3:25 AM, Gert Doering <gert@greenie.muc.de> wrote: > Hi, > > On Thu, Jan 25, 2018 at 02:41:01PM -0500, selva.nair@gmail.com wrote: >> From: Selva Nair <selva.nair@gmail.com> >> >> - Increase the management version from 1 to 2 >> - If the client announces support for management version > 1 >> prompt for signature using >PK_SIGN to which the client >> responds using 'pk-sig' >> Older (current) clients will be continued to be prompted >> by '>RSA_SIGN' and can respond using 'rsa-sig' >> - Remove an unused rsa_sig buffer-list variable >> >> This facilitates a transparent transition to PK_SIG and future deprecation >> of RSA_SIGN > > I'm a bit confused about the sequence of patches here. Is this one dependent > on one of the other PK_SIGN related patches? Or standalone and could be > applied to master "as is"? Yes this two-patch set is standalone. Here is a gist: A: change RSA_SIGN to PK_SIGN if client supports it (2 patches) - [Openvpn-devel,1/2] Add management client version - [Openvpn-devel,2/2] Prompt for signature using '>PK_SIGN' if the client supports it B: ecdsa signature via management (one patch) - [Openvpn-devel,v3,2/3] Allow external EC key through --management-external-key (patch 1 of this series already applied, patch 3 abandoned) A is standalone, B needs A. In retrospect, I should have just started a new series. The presence of similar patches for cryptoapicert adds even more to the confusion. Also getting patchwork to correctly identify v2 of a series would help a bit. Its failing likely because of the [Openvpn-devel] in our subject line; if so it could be fixed by a simple patch to patchwork. Selva ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
Your patch has been applied to the master branch. commit e7995f3c62597eb963483b96db619f3e5cd4cf13 Author: Selva Nair Date: Thu Jan 25 14:41:01 2018 -0500 Prompt for signature using '>PK_SIGN' if the client supports it Signed-off-by: Selva Nair <selva.nair@gmail.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <1516909261-31623-2-git-send-email-selva.nair@gmail.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16364.html Signed-off-by: Gert Doering <gert@greenie.muc.de> -- kind regards, Gert Doering ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
diff --git a/doc/management-notes.txt b/doc/management-notes.txt index e03cd39..070c2d6 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -773,8 +773,9 @@ To accept connecting to the host and port directly, use this command: proxy NONE -COMMAND -- rsa-sig (OpenVPN 2.3 or higher) ------------------------------------------- +COMMAND -- pk-sig (OpenVPN 2.5 or higher, management version > 1) +COMMAND -- rsa-sig (OpenVPN 2.3 or higher, management version <= 1) +----------------------------------------------------------------- Provides support for external storage of the private key. Requires the --management-external-key option. This option can be used instead of "key" in client mode, and allows the client to run without the need to load the @@ -782,13 +783,14 @@ actual private key. When the SSL protocol needs to perform an RSA sign operation, the data to be signed will be sent to the management interface via a notification as follows: ->RSA_SIGN:[BASE64_DATA] +>PK_SIGN:[BASE64_DATA] (if client announces support for management version > 1) +>RSA_SIGN:[BASE64_DATA] (only older clients will be prompted like this) The management interface client should then create a PKCS#1 v1.5 signature of the (decoded) BASE64_DATA using the private key and return the SSL signature as follows: -rsa-sig +pk-sig (or rsa-sig) [BASE64_SIG_LINE] . . @@ -801,6 +803,9 @@ Base64 encoded output of RSA_private_encrypt() (OpenSSL) or mbedtls_pk_sign() This capability is intended to allow the use of arbitrary cryptographic service providers with OpenVPN via the management interface. +New and updated clients are expected to use the version command to announce +a version > 1 and handle '>PK_SIGN' prompt and respond with 'pk-sig'. + COMMAND -- certificate (OpenVPN 2.4 or higher) ---------------------------------------------- Provides support for external storage of the certificate. Requires the diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index c36d94d..ca793a9 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -111,7 +111,9 @@ man_help(void) #endif #endif #ifdef MANAGMENT_EXTERNAL_KEY - msg(M_CLIENT, "rsa-sig : Enter an RSA signature in response to >RSA_SIGN challenge"); + msg(M_CLIENT, "rsa-sig : Enter a signature in response to >RSA_SIGN challenge"); + msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END"); + msg(M_CLIENT, "pk-sig : Enter a signature in response to >PK_SIGN challenge"); msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END"); msg(M_CLIENT, "certificate : Enter a client certificate in response to >NEED-CERT challenge"); msg(M_CLIENT, " Enter certificate base64 on subsequent lines followed by END"); @@ -935,7 +937,7 @@ in_extra_dispatch(struct management *man) #endif /* ifdef MANAGEMENT_PF */ #ifdef MANAGMENT_EXTERNAL_KEY - case IEC_RSA_SIGN: + case IEC_PK_SIGN: man->connection.ext_key_state = EKS_READY; buffer_list_free(man->connection.ext_key_input); man->connection.ext_key_input = man->connection.in_extra; @@ -1103,18 +1105,18 @@ man_client_pf(struct management *man, const char *cid_str) #ifdef MANAGMENT_EXTERNAL_KEY static void -man_rsa_sig(struct management *man) +man_pk_sig(struct management *man, const char *cmd_name) { struct man_connection *mc = &man->connection; if (mc->ext_key_state == EKS_SOLICIT) { mc->ext_key_state = EKS_INPUT; - mc->in_extra_cmd = IEC_RSA_SIGN; + mc->in_extra_cmd = IEC_PK_SIGN; in_extra_reset(mc, IER_NEW); } else { - msg(M_CLIENT, "ERROR: The rsa-sig command is not currently available"); + msg(M_CLIENT, "ERROR: The %s command is not currently available", cmd_name); } } @@ -1527,7 +1529,11 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha #ifdef MANAGMENT_EXTERNAL_KEY else if (streq(p[0], "rsa-sig")) { - man_rsa_sig(man); + man_pk_sig(man, "rsa-sig"); + } + else if (streq(p[0], "pk-sig")) + { + man_pk_sig(man, "pk-sig"); } else if (streq(p[0], "certificate")) { @@ -3663,14 +3669,20 @@ management_query_multiline_flatten(struct management *man, char * /* returns allocated base64 signature */ -management_query_rsa_sig(struct management *man, +management_query_pk_sig(struct management *man, const char *b64_data) { - return management_query_multiline_flatten(man, b64_data, "RSA_SIGN", "rsa-sign", - &man->connection.ext_key_state, &man->connection.ext_key_input); + const char *prompt = "PK_SIGN"; + const char *desc = "pk-sign"; + if (man->connection.client_version <= 1) + { + prompt = "RSA_SIGN"; + desc = "rsa-sign"; + } + return management_query_multiline_flatten(man, b64_data, prompt, desc, + &man->connection.ext_key_state, &man->connection.ext_key_input); } - char * management_query_cert(struct management *man, const char *cert_name) { diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index 3bd4e50..1b3a393 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -31,7 +31,7 @@ #include "socket.h" #include "mroute.h" -#define MANAGEMENT_VERSION 1 +#define MANAGEMENT_VERSION 2 #define MANAGEMENT_N_PASSWORD_RETRIES 3 #define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE 100 #define MANAGEMENT_ECHO_BUFFER_SIZE 100 @@ -281,6 +281,7 @@ struct man_connection { #define IEC_CLIENT_PF 2 #define IEC_RSA_SIGN 3 #define IEC_CERTIFICATE 4 +#define IEC_PK_SIGN 5 int in_extra_cmd; struct buffer_list *in_extra; #ifdef MANAGEMENT_DEF_AUTH @@ -311,9 +312,6 @@ struct man_connection { int up_query_mode; struct user_pass up_query; -#ifdef MANAGMENT_EXTERNAL_KEY - struct buffer_list *rsa_sig; -#endif #ifdef TARGET_ANDROID int fdtosend; int lastfdreceived; @@ -440,7 +438,7 @@ void management_learn_addr(struct management *management, #ifdef MANAGMENT_EXTERNAL_KEY -char *management_query_rsa_sig(struct management *man, const char *b64_data); +char *management_query_pk_sig(struct management *man, const char *b64_data); char *management_query_cert(struct management *man, const char *cert_name); diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index d503162..b65db3f 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -583,7 +583,7 @@ external_pkcs1_sign( void *ctx_voidptr, /* call MI for signature */ if (management) { - out_b64 = management_query_rsa_sig(management, in_b64); + out_b64 = management_query_pk_sig(management, in_b64); } if (!out_b64) { diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 01be656..242b464 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1068,7 +1068,7 @@ rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i /* call MI for signature */ if (management) { - out_b64 = management_query_rsa_sig(management, in_b64); + out_b64 = management_query_pk_sig(management, in_b64); } if (!out_b64) {