From patchwork Thu Jan 25 08:41:01 2018
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 213
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 25 Jan 2018 14:41:01 -0500
Message-Id: <1516909261-31623-2-git-send-email-selva.nair@gmail.com>
In-Reply-To: <1516909261-31623-1-git-send-email-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 2/2] Prompt for signature using '>PK_SIGN' if the client supports it

From: Selva Nair

- Increase the management version from 1 to 2
- If the client announces support for management version > 1
  prompt for signature using >PK_SIGN to which the client
  responds using 'pk-sig'
  Older (current) clients will continue to be prompted by
  '>RSA_SIGN' and can respond using 'rsa-sig'
- Remove an unused rsa_sig buffer-list variable

This facilitates a transparent transition to PK_SIG and future
deprecation of RSA_SIGN

Signed-off-by: Selva Nair Acked-by: Arne Schwabe --- doc/management-notes.txt | 13 +++++++++---- src/openvpn/manage.c | 32 ++++++++++++++++++++++---------- src/openvpn/manage.h | 8 +++----- src/openvpn/ssl_mbedtls.c | 2 +- src/openvpn/ssl_openssl.c | 2 +- 5 files changed, 36 insertions(+), 21 deletions(-) diff --git a/doc/management-notes.txt b/doc/management-notes.txt index e03cd39..070c2d6 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -773,8 +773,9 @@ To accept connecting to the host and port directly, use this command: proxy NONE -COMMAND -- rsa-sig (OpenVPN 2.3 or higher) ------------------------------------------- +COMMAND -- pk-sig (OpenVPN 2.5 or higher, management version > 1) +COMMAND -- rsa-sig (OpenVPN 2.3 or higher, management version <= 1) +----------------------------------------------------------------- Provides support for external storage of the private key. Requires the --management-external-key option. This option can be used instead of "key" in client mode, and allows the client to run without the need to load the @@ -782,13 +783,14 @@ actual private key. When the SSL protocol needs to perform an RSA sign operation, the data to be signed will be sent to the management interface via a notification as follows: ->RSA_SIGN:[BASE64_DATA] +>PK_SIGN:[BASE64_DATA] (if client announces support for management version > 1) +>RSA_SIGN:[BASE64_DATA] (only older clients will be prompted like this) The management interface client should then create a PKCS#1 v1.5 signature of the (decoded) BASE64_DATA using the private key and return the SSL signature as follows: -rsa-sig +pk-sig (or rsa-sig) [BASE64_SIG_LINE] . . 
@@ -801,6 +803,9 @@ Base64 encoded output of RSA_private_encrypt() (OpenSSL) or mbedtls_pk_sign() This capability is intended to allow the use of arbitrary cryptographic service providers with OpenVPN via the management interface. +New and updated clients are expected to use the version command to announce +a version > 1 and handle '>PK_SIGN' prompt and respond with 'pk-sig'. + COMMAND -- certificate (OpenVPN 2.4 or higher) ---------------------------------------------- Provides support for external storage of the certificate. Requires the diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index c36d94d..ca793a9 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -111,7 +111,9 @@ man_help(void) #endif #endif #ifdef MANAGMENT_EXTERNAL_KEY - msg(M_CLIENT, "rsa-sig : Enter an RSA signature in response to >RSA_SIGN challenge"); + msg(M_CLIENT, "rsa-sig : Enter a signature in response to >RSA_SIGN challenge"); + msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END"); + msg(M_CLIENT, "pk-sig : Enter a signature in response to >PK_SIGN challenge"); msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END"); msg(M_CLIENT, "certificate : Enter a client certificate in response to >NEED-CERT challenge"); msg(M_CLIENT, " Enter certificate base64 on subsequent lines followed by END"); @@ -935,7 +937,7 @@ in_extra_dispatch(struct management *man) #endif /* ifdef MANAGEMENT_PF */ #ifdef MANAGMENT_EXTERNAL_KEY - case IEC_RSA_SIGN: + case IEC_PK_SIGN: man->connection.ext_key_state = EKS_READY; buffer_list_free(man->connection.ext_key_input); man->connection.ext_key_input = man->connection.in_extra; 
@@ -1103,18 +1105,18 @@ man_client_pf(struct management *man, const char *cid_str) #ifdef MANAGMENT_EXTERNAL_KEY static void -man_rsa_sig(struct management *man) +man_pk_sig(struct management *man, const char *cmd_name) { struct man_connection *mc = &man->connection; if (mc->ext_key_state == EKS_SOLICIT) { mc->ext_key_state = EKS_INPUT; - mc->in_extra_cmd = IEC_RSA_SIGN; + mc->in_extra_cmd = IEC_PK_SIGN; in_extra_reset(mc, IER_NEW); } else { - msg(M_CLIENT, "ERROR: The rsa-sig command is not currently available"); + msg(M_CLIENT, "ERROR: The %s command is not currently available", cmd_name); } } @@ -1527,7 +1529,11 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha #ifdef MANAGMENT_EXTERNAL_KEY else if (streq(p[0], "rsa-sig")) { - man_rsa_sig(man); + man_pk_sig(man, "rsa-sig"); + } + else if (streq(p[0], "pk-sig")) + { + man_pk_sig(man, "pk-sig"); } else if (streq(p[0], "certificate")) { @@ -3663,14 +3669,20 @@ management_query_multiline_flatten(struct management *man, char * /* returns allocated base64 signature */ -management_query_rsa_sig(struct management *man, +management_query_pk_sig(struct management *man, const char *b64_data) { - return management_query_multiline_flatten(man, b64_data, "RSA_SIGN", "rsa-sign", - &man->connection.ext_key_state, &man->connection.ext_key_input); + const char *prompt = "PK_SIGN"; + const char *desc = "pk-sign"; + if (man->connection.client_version <= 1) + { + prompt = "RSA_SIGN"; + desc = "rsa-sign"; + } + return management_query_multiline_flatten(man, b64_data, prompt, desc, + &man->connection.ext_key_state, &man->connection.ext_key_input); } - char * management_query_cert(struct management *man, const char *cert_name) { diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index 3bd4e50..1b3a393 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h 
@@ -31,7 +31,7 @@ #include "socket.h" #include "mroute.h" -#define MANAGEMENT_VERSION 1 +#define MANAGEMENT_VERSION 2 #define MANAGEMENT_N_PASSWORD_RETRIES 3 #define MANAGEMENT_LOG_HISTORY_INITIAL_SIZE 100 #define MANAGEMENT_ECHO_BUFFER_SIZE 100 @@ -281,6 +281,7 @@ struct man_connection { #define IEC_CLIENT_PF 2 #define IEC_RSA_SIGN 3 #define IEC_CERTIFICATE 4 +#define IEC_PK_SIGN 5 int in_extra_cmd; struct buffer_list *in_extra; #ifdef MANAGEMENT_DEF_AUTH @@ -311,9 +312,6 @@ struct man_connection { int up_query_mode; struct user_pass up_query; -#ifdef MANAGMENT_EXTERNAL_KEY - struct buffer_list *rsa_sig; -#endif #ifdef TARGET_ANDROID int fdtosend; int lastfdreceived; @@ -440,7 +438,7 @@ void management_learn_addr(struct management *management, #ifdef MANAGMENT_EXTERNAL_KEY -char *management_query_rsa_sig(struct management *man, const char *b64_data); +char *management_query_pk_sig(struct management *man, const char *b64_data); char *management_query_cert(struct management *man, const char *cert_name); diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index d503162..b65db3f 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -583,7 +583,7 @@ external_pkcs1_sign( void *ctx_voidptr, /* call MI for signature */ if (management) { - out_b64 = management_query_rsa_sig(management, in_b64); + out_b64 = management_query_pk_sig(management, in_b64); } if (!out_b64) { diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 01be656..242b464 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1068,7 +1068,7 @@ rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i /* call MI for signature */ if (management) { - out_b64 = management_query_rsa_sig(management, in_b64); + out_b64 = management_query_pk_sig(management, in_b64); } if (!out_b64) {
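Review bot: In doc/management-notes.txt, the unchanged text around the new ">PK_SIGN:[BASE64_DATA]" line still says the prompt is sent when "an RSA sign operation" is needed and asks for "a PKCS#1 v1.5 signature", so a client author cannot tell whether PK_SIGN differs from RSA_SIGN in anything but the name. Since management_query_pk_sig() passes the same b64_data under either prompt, say explicitly that the payload and the expected signature format are identical for both in this version. The paragraph added at -801 also tells clients to "use the version command to announce a version > 1" without showing the command's syntax or pointing to the section that documents it; add one or the other.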
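Review bot: man_dispatch_command() in src/openvpn/manage.c routes both "rsa-sig" and "pk-sig" to man_pk_sig(), which uses cmd_name only in the error message, so the reply is accepted whichever prompt was issued: a client that was sent >RSA_SIGN can answer with pk-sig, and one that was sent >PK_SIGN can answer with rsa-sig. If that leniency is intended, say so in a comment on man_pk_sig() and in management-notes.txt (the "pk-sig (or rsa-sig)" line reads as either/or without explaining it). Otherwise compare the command against man->connection.client_version in man_pk_sig() and return the existing "not currently available" error on a mismatch.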
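Review bot: management_query_pk_sig() in src/openvpn/manage.c picks the prompt with a bare "client_version <= 1", which depends on client_version holding a value of 1 or less when the client never sends the version command; that initialisation is not part of this patch, so confirm it and note the assumption in a comment here. The threshold would also read better as a named constant placed next to MANAGEMENT_VERSION in manage.h than as a literal 1, and the comment above the function ("returns allocated base64 signature") should mention that the prompt sent depends on the announced client version.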
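Review bot: In src/openvpn/manage.h, "#define IEC_RSA_SIGN 3" stays in place although this patch replaces both of its visible uses in manage.c (the case label in in_extra_dispatch() and the assignment in man_pk_sig()) with the new IEC_PK_SIGN 5. Either remove IEC_RSA_SIGN in the same change, or rename it in place and keep the value 3, so the header does not carry an in_extra_cmd code that nothing sets or handles.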