From patchwork Wed Aug 14 22:19:32 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "cron2 (Code Review)" X-Patchwork-Id: 3787 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:77d2:b0:5a1:d4fc:4ac6 with SMTP id r18csp1065669mau; Wed, 14 Aug 2024 15:20:27 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCXsnjaVXQFGEFLe+ToAeWkZY0XlO30q/kAH7KGQKj2DY/UoCh867FdHn1ZXGUWYEEQ7pVY06xf6++hyboLrDVI95g8tWQo= X-Google-Smtp-Source: AGHT+IEhPeoKFK5nLBGCdek4YUEAvSgcMqcLyqt0KDBUPwWbSUmDOqSyl5s3u6uMTGyxVWYMq/dP X-Received: by 2002:a17:902:f2d2:b0:1fc:4377:afa4 with SMTP id d9443c01a7336-201ef992c07mr4024495ad.8.1723674026721; Wed, 14 Aug 2024 15:20:26 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1723674026; cv=none; d=google.com; s=arc-20160816; b=OUjMe/xEOQ3ZsVwvkb95Rb7DKMxSmA6gKz6zA+QdYISOSvOoW9fdl8GIkLNNI1cuJ7 0O8qMroXhmyicE5RxQeSBkDF0DJnKb8cAXmqT59nsLGQ9f1b8P1jFpY+tCy5Lx26b8Mj UQl/lIdWC+XdX7z3QmNQErfIQHRk+JMLuA1krY0v3zutty/zP7HrnBWMLzINfAJmZR2u JoPXoR84grcEVMjD/qIKv7VW7ToaMLlK8TimgQc/bFOlP7OLTt4wGKzOi2UFzx7r2Noj RmQDgab8onPQTEpwfApW878UkQ0eAM1m1OdUNAdXNLy94kZmQ+h4NlF5HAKFIgMV56F6 SDJQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:cc:reply-to:list-subscribe:list-help:list-post :list-archive:list-unsubscribe:list-id:precedence:subject:user-agent :mime-version:message-id:references:auto-submitted:to:date:from :dkim-signature:dkim-signature:dkim-signature; bh=oaWsPBTgtxVY2H7EUnLJwTZWIjKhjUhBlVbw+zf/g2k=; fh=U7wEyxtwz2o5+UdevFSA47vNeG9knhWH0KV//QhD5a0=; b=0L49y96/JGVE0y39OIEJ2Y9wUcfVWYUYHTx3v37IPxn00CULFypsPt8MLkf57ncdLs 8GNQsfG9vX0FFW0imZb6U9NZojL3VWzNiXX+kJzUV1IlygpkB1MUOOQZKwLyJUBrVNfZ x99YiwhXBGfYFg1LZqXJZBXYWssDRXYSc+ZTkS3u7fswQJtbTMntfPUztGKRC1efSVNh kBgNX+vy6aYMUPmCP8gDtQm1i+d1j9cuzrDmIwBA8yfyd2JQ6Kpi/mg/21oypAr9lN8I jV66J6TzTttSULV3Kmd6Xhi2A1p10rUEg5NVU4QwsoFQBa3n2vRHQzDrA2gSxcI/zCEc 5WnA==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=bLDeTFA3; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=NlsjKw+z; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=X6VA7Rqv; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net; dara=fail header.i=@openvpn.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id d9443c01a7336-201f0323620si2135615ad.161.2024.08.14.15.20.26 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 14 Aug 2024 15:20:26 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=bLDeTFA3; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=NlsjKw+z; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=X6VA7Rqv; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net; dara=fail header.i=@openvpn.net Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1seMLP-0001aZ-2s; Wed, 14 Aug 2024 22:19:51 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1seMLN-0001aS-8q for openvpn-devel@lists.sourceforge.net; Wed, 14 Aug 2024 22:19:49 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Type:Content-Transfer-Encoding:MIME-Version :Message-ID:Reply-To:References:Subject:List-Unsubscribe:List-Id:Cc:To:Date: From:Sender:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help: List-Subscribe:List-Post:List-Owner:List-Archive; bh=zNtM30DdjCxjezXO0rBGX4ou3fMiE9lrsOvFRU7IJHs=; b=bLDeTFA3sIajfKZiS+zEWvxQqU WEFvXypG4m59ULVpOovGUlrennworuYZPs/A5hyX6hVa9JdQ+sK6friDXcoTGXfYcO07rCLSProS4 ktSFMFjUfiIiVhuADgOL9hvIhzyC0kIPV5P8DLGYK9q1v2+fN6+ZApVIjCD38PSliLcM=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:Reply-To: References:Subject:List-Unsubscribe:List-Id:Cc:To:Date:From:Sender:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help:List-Subscribe:List-Post: List-Owner:List-Archive; bh=zNtM30DdjCxjezXO0rBGX4ou3fMiE9lrsOvFRU7IJHs=; b=N lsjKw+z2KFqIl9B4cw38Gjgxp1JUXvmDl6CS2ki6aOFTVNhXHbUEzRn40vwyChM1EkIA4mBQVvero nkKf2TpbwSsx0sRQGytvtAUFbzNnTlAMmtIZsyJV+MFzkDDjphVs1yqKvyf8AVsdAkNsI6/GgHSh6 tTZDYA1EP9R6rYL8=; Received: from mail-wm1-f49.google.com ([209.85.128.49]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.95) id 1seMLJ-0002TY-2E for openvpn-devel@lists.sourceforge.net; Wed, 14 Aug 2024 22:19:49 +0000 Received: by mail-wm1-f49.google.com with SMTP id 5b1f17b1804b1-4280bbdad3dso1544005e9.0 for ; Wed, 14 Aug 2024 15:19:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openvpn.net; s=google; t=1723673973; x=1724278773; darn=lists.sourceforge.net; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from:from:to:cc :subject:date:message-id:reply-to; bh=zNtM30DdjCxjezXO0rBGX4ou3fMiE9lrsOvFRU7IJHs=; b=X6VA7RqvNFCGHJFUlXA1R5c9SHvXvbeipKOKKyYT8alGRnH5bpNQorbqzvP8oLvTKq 0jKHSoZMJKcC2aaIXLENicfb0sdOE1Zj/j8k7/3aYcF7aV5xpaQsYxdOaSH8BJhGuPNV N3IRAgEmivFMi0yYTijO0DFE3W1Eh9RUDnhLLrOuEkPflGnJPvt9h6mZSrZUl+rFAzG0 LGXNLnnQzhLxrR9wG4fNQe+NY2lupWp2v5OSQ5UJzr6o4JQ/hq/jacRyOLDfuWMCmJws O4jvfqY91D6zU1NYBmhi+KFpyhlIfOdqrGxbEOCtYW9AUxVN+cWpGsnFqm7LaWJHlk7u tf/A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723673973; x=1724278773; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=zNtM30DdjCxjezXO0rBGX4ou3fMiE9lrsOvFRU7IJHs=; b=lQWT0j2vk6Ju7RYwmQLRk+A2S5lMBmD5NUhtglg8EixF9wQpUbMSsg6P/eMpTYh1n0 PL/h80Sw2ZNb9LbehGQyTKXuLuJ7xH/4ddmLUN5dvUkNW+/ScBA7Sft14o2F8jbwlrjY JbimALyhNqHRL3fzk4BPJoDR5Jbhfuu9euRzz0AQLmwLtC+LWRPH54RlC9F40jgGI6yg zpGxCPW0UggNaMKfmQs3T9zxO8SzzozZyFBeV3N4NkmwwVG5SEfqyy9VdsvnP8Sa7Ij7 N2ISMWpc2GCNOB/OMlEob0bfy2FgL95Ajy6VColeZ9Ib85QEWAqnf7AWpIOKO2k5JVrn 7nFw== X-Gm-Message-State: AOJu0YzkgvUfq2ohPctTqJ/xVZjoQ7WQkjnohCVV3LMVaXZkeY77kugR fYtywdXABxtiUfCKy+SRrA689WY87nTqg8Vt1R5JBdeEZqHaa0OP3LJOCm9iQViGMDn2YbKVnU4 u X-Received: by 2002:a5d:5223:0:b0:367:99d8:70 with SMTP id ffacd0b85a97d-3717782761emr2556774f8f.61.1723673972996; Wed, 14 Aug 2024 15:19:32 -0700 (PDT) Received: from gerrit.openvpn.in (ec2-18-159-0-78.eu-central-1.compute.amazonaws.com. [18.159.0.78]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-429d877f822sm54265685e9.1.2024.08.14.15.19.32 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 14 Aug 2024 15:19:32 -0700 (PDT) From: "selvanair (Code Review)" X-Google-Original-From: "selvanair (Code Review)" X-Gerrit-PatchSet: 1 Date: Wed, 14 Aug 2024 22:19:32 +0000 To: plaisthos , flichtenheld Auto-Submitted: auto-generated X-Gerrit-MessageType: newchange X-Gerrit-Change-Id: I82b32d5ab472926e7889a5f4a90caba14231879a X-Gerrit-Change-Number: 726 X-Gerrit-Project: openvpn X-Gerrit-ChangeURL: X-Gerrit-Commit: ad47f142c541f0dbe9676baa966c90ab32e710bf References: Message-ID: <1e7f00068be1a2a2ea036ab40f128f65c04d53e5-HTML@gerrit.openvpn.net> MIME-Version: 1.0 User-Agent: Gerrit/3.8.2 X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit Content analysis details: (-0.2 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: openvpn.net] 0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [209.85.128.49 listed in sa-accredit.habeas.com] -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.128.49 listed in wl.mailspike.net] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record 0.0 WEIRD_PORT URI: Uses non-standard port number for HTTP 0.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Headers-End: 1seMLJ-0002TY-2E Subject: [Openvpn-devel] [L] Change in openvpn[master]: Interpret --key and --cert option argument as URI X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: selva.nair@gmail.com, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com Cc: openvpn-devel Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1807403216263967176?= X-GMAIL-MSGID: =?utf-8?q?1807403216263967176?= X-getmail-filter-classifier: gerrit message type newchange Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/726?usp=email to review the following change. Change subject: Interpret --key and --cert option argument as URI ...................................................................... Interpret --key and --cert option argument as URI OpenSSL 3 has providers which can load keys and certificates from various key stores and HSMs using a provider-specific URI. While certificates are generally exportable, and some providers support a PEM file that acts as a proxy for non-exportable private keys, not all providers are expected to do so. A generic capability to read keys and certificates from URIs appears useful. This patch does this by extending the scope of the argument for "--key" and "--cert" options to include URIs. Many of OpenSSL 3 utilities also work the same way: e.g., the "-in" option for "openssl pkey" or "openssl x509" could be a filename or URI. Other applications have started emulating this behaviour: e.g., pkcs11: URI works as an alternative to a file name for certificates and keys in apache. Even for files, this has a nice side effect that non-PEM files get transparently parsed. E.g., a pkcs12 file could be used in place of a PEM file without needing any extra options. This is backward compatible as OpenSSL falls back to treating URIs with no scheme or unrecognized scheme as file names. Parsing of inlined keys and certificates is unchanged (those should be in PEM format). Specification of URIs that OpenSSL accepts depends on the providers that support them. Some are standard URIs such as "file:/path", but providers may support non-standard URIs with arbitrary scheme names. OpenSSL by itself recognizes only file URI. However, the implementation is agnostic to the URI specification as parsing is done by the provider that supports the URI. A new URI gets automatically recognized when the provider that supports it is loaded. Below are some usage examples: Relative or absolute path to a file or as a URI "file:/absolute/path": --key mykey.pem (same as what is currently supported) --key file:/path/to/mykey.pem --cert file:/path/to/mycert.pem Other file types supported by OpenSSL would also work: --key client.p12 --cert client.p12 pkcs11-provider supports "pkcs11:" URI (RFC 7512): --key pkcs11:token=Foo;id=%01 --cert pkcs11:token=Foo;id=%01 tpm2-provider recognizes a custom URI "handle:": --key handle:0x81000000 These examples assume that required providers, if any, are loaded and configured. Change-Id: I82b32d5ab472926e7889a5f4a90caba14231879a Signed-off-by: Selva Nair --- M doc/man-sections/tls-options.rst M src/openvpn/options.c M src/openvpn/ssl_openssl.c M tests/unit_tests/openvpn/test_ssl.c 4 files changed, 280 insertions(+), 27 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/26/726/1 diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index de74c0d..cdb8571 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -85,10 +85,17 @@ OpenVPN will log the usual warning in the logs if the relevant CRL is missing, but the connection will be allowed. ---cert file - Local peer's signed certificate in .pem format -- must be signed by a - certificate authority whose certificate is in ``--ca file``. Each peer - in an OpenVPN link running in TLS mode should have its own certificate +--cert file|uri + Local peer's signed certificate in .pem format or as a URI -- must be + signed by a certificate authority whose certificate is in ``--ca file`` + in the peer configuration. URI is supported only when built with + OpenSSL 3.0 or later and any required providers are loaded. Types + of URIs supported and their syntax depends on providers. OpenSSL has + internal support for "file:/absolute/path" URI in which case the scheme + "file:" is optional, and any file format recognized by OpenSSL (e.g., PEM, + PKCS12) is supported. PKCS#11 URI (RFC 7512) is supported by pkcs11-provider. + + Each peer in an OpenVPN link running in TLS mode should have its own certificate and private key file. In addition, each certificate should have been signed by the key of a certificate authority whose public key resides in the ``--ca`` certificate authority file. You can easily make your own @@ -203,10 +210,11 @@ The ``--hand-window`` parameter also controls the amount of time that the OpenVPN client repeats the pull request until it times out. ---key file - Local peer's private key in .pem format. Use the private key which was - generated when you built your peer's certificate (see ``--cert file`` - above). +--key file|uri + Local peer's private key in .pem format or a URI. Use the private key + which was generated when you built your peer's certificate (see + ``--cert file`` above). URI is supported only when built with OpenSSL 3.0 + or later and any required providers are loaded. (See `--cert` for more details). --pkcs12 file Specify a PKCS #12 file containing local private key, local certificate, diff --git a/src/openvpn/options.c b/src/openvpn/options.c index ba9b05e..a5f0784 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -567,10 +567,10 @@ "--dh file : File containing Diffie Hellman parameters\n" " in .pem format (for --tls-server only).\n" " Use \"openssl dhparam -out dh1024.pem 1024\" to generate.\n" - "--cert file : Local certificate in .pem format -- must be signed\n" - " by a Certificate Authority in --ca file.\n" + "--cert file : Local certificate in .pem format or a URI -- must be signed\n" + " by a Certificate Authority in --ca file used by the peer.\n" "--extra-certs file : one or more PEM certs that complete the cert chain.\n" - "--key file : Local private key in .pem format.\n" + "--key file : Local private key in .pem format or a URI.\n" "--tls-version-min ['or-highest'] : sets the minimum TLS version we\n" " will accept from the peer. If version is unrecognized and 'or-highest'\n" " is specified, require max TLS version supported by SSL implementation.\n" @@ -3851,6 +3851,7 @@ #define CHKACC_FILEXSTWR (1<<2) /** If file exists, is it writable? */ #define CHKACC_ACPTSTDIN (1<<3) /** If filename is stdin, it's allowed and "exists" */ #define CHKACC_PRIVATE (1<<4) /** Warn if this (private) file is group/others accessible */ +#define CHKACC_ACCEPT_URI (1<<5) /** If filename is a URI, no check is done unless it starts with file: */ static bool check_file_access(const int type, const char *file, const int mode, const char *opt) @@ -3871,6 +3872,21 @@ return false; } + /* file name is a URI if its first segment has ":" (i.e., before any "/") + * Then no checks done if CHKACC_ACCEPT_URI is set and the URI does not start with "file:" + */ + if ((type & CHKACC_ACCEPT_URI) && strchr(file, ':')) + { + if (!strncmp(file, "file:", 5)) + { + file += 5; + } + else if (!strchr(file, '/') || strchr(file, '/') > strchr(file, ':')) + { + return false; + } + } + /* Is the directory path leading to the given file accessible? */ if (type & CHKACC_DIRPATH) { @@ -4069,7 +4085,7 @@ errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK, "--capath"); - errs |= check_file_access_inline(options->cert_file_inline, CHKACC_FILE, + errs |= check_file_access_inline(options->cert_file_inline, CHKACC_FILE|CHKACC_ACCEPT_URI, options->cert_file, R_OK, "--cert"); errs |= check_file_access_inline(options->extra_certs_file, CHKACC_FILE, @@ -4079,7 +4095,7 @@ if (!(options->management_flags & MF_EXTERNAL_KEY)) { errs |= check_file_access_inline(options->priv_key_file_inline, - CHKACC_FILE|CHKACC_PRIVATE, + CHKACC_FILE|CHKACC_PRIVATE|CHKACC_ACCEPT_URI, options->priv_key_file, R_OK, "--key"); } diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index e8a30a3..05555a3 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -65,6 +65,12 @@ #include #endif +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#define HAVE_OPENSSL_STORE_API +#include +#include +#endif + #if defined(_MSC_VER) && !defined(_M_ARM64) #include #endif @@ -768,6 +774,111 @@ #endif /* OPENSSL_NO_EC */ } +#if defined(HAVE_OPENSSL_STORE_API) +/** + * A wrapper for pem_password_callback for use with OpenSSL UI_METHOD. + */ +static int +ui_reader(UI *ui, UI_STRING *uis) +{ + SSL_CTX *ctx = UI_get0_user_data(ui); + + if (UI_get_string_type(uis) == UIT_PROMPT) + { + const char *prompt = UI_get0_output_string(uis); + + /* If pkcs#11 Use custom prompt similar to pkcs11-helper */ + if (strstr(prompt, "PKCS#11")) + { + struct user_pass up; + get_user_pass(&up, NULL, "PKCS#11 token", GET_USER_PASS_MANAGEMENT|GET_USER_PASS_PASSWORD_ONLY); + UI_set_result(ui, uis, up.password); + purge_user_pass(&up, true); + } + else /* use our generic 'Private Key' passphrase callback */ + { + char password[64]; + pem_password_cb *cb = SSL_CTX_get_default_passwd_cb(ctx); + void *d = SSL_CTX_get_default_passwd_cb_userdata(ctx); + + cb(password, sizeof(password), 0, d); + UI_set_result(ui, uis, password); + secure_memzero(password, sizeof(password)); + } + + return 1; + } + return 0; +} +#endif /* defined(HAVE_OPENSSL_STORE_API) */ + +/** + * Load private key from OSSL_STORE URI or file + * uri : URI of object or filename + * ssl_ctx : SSL_CTX for UI prompt + * + * Return a pointer to the key or NULL if not found. + * Caller must free the key after use. + */ +static void * +load_pkey_from_uri(const char *uri, SSL_CTX *ssl_ctx) +{ + EVP_PKEY *pkey = NULL; + +#if !defined(HAVE_OPENSSL_STORE_API) + + /* Treat the uri as file name */ + BIO *in = BIO_new_file(uri, "r"); + if (!in) + { + return NULL; + } + pkey = PEM_read_bio_PrivateKey(in, NULL, + SSL_CTX_get_default_passwd_cb(ssl_ctx), + SSL_CTX_get_default_passwd_cb_userdata(ssl_ctx)); + BIO_free(in); + +#else /* defined(HAVE_OPENSSL_STORE_API) */ + + OSSL_STORE_CTX *store_ctx = NULL; + OSSL_STORE_INFO *info = NULL; + + UI_METHOD *ui_method = UI_create_method("openvpn"); + if (!ui_method) + { + msg(M_WARN, "OpenSSL UI creation failed"); + return NULL; + } + UI_method_set_reader(ui_method, ui_reader); + + store_ctx = OSSL_STORE_open_ex(uri, tls_libctx, NULL, ui_method, ssl_ctx, + NULL, NULL, NULL); + if (!store_ctx) + { + goto end; + } + if (OSSL_STORE_expect(store_ctx, OSSL_STORE_INFO_PKEY) != 1) + { + goto end; + } + info = OSSL_STORE_load(store_ctx); + if (!info) + { + goto end; + } + pkey = OSSL_STORE_INFO_get1_PKEY(info); + OSSL_STORE_INFO_free(info); + msg(D_TLS_DEBUG_MED, "Found pkey in store using URI: %s", uri); + +end: + OSSL_STORE_close(store_ctx); + UI_destroy_method(ui_method); + +#endif /* defined(HAVE_OPENSSL_STORE_API) */ + + return pkey; +} + int tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, bool pkcs12_file_inline, bool load_ca_file) @@ -945,9 +1056,103 @@ } } -void -tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, - bool cert_file_inline) +static bool +cert_uri_supported(void) +{ +#if defined(HAVE_OPENSSL_STORE_API) + return 1; +#else + return 0; +#endif +} + +static void +tls_ctx_load_cert_uri(struct tls_root_ctx *tls_ctx, const char *uri) +{ +#if defined(HAVE_OPENSSL_STORE_API) + X509 *x = NULL; + int ret = 0; + OSSL_STORE_CTX *store_ctx = NULL; + OSSL_STORE_INFO *info = NULL; + + ASSERT(NULL != tls_ctx); + + UI_METHOD *ui_method = UI_create_method("openvpn"); + if (!ui_method) + { + msg(M_WARN, "OpenSSL UI method creation failed"); + goto end; + } + UI_method_set_reader(ui_method, ui_reader); + + store_ctx = OSSL_STORE_open_ex(uri, tls_libctx, NULL, ui_method, tls_ctx->ctx, + NULL, NULL, NULL); + if (!store_ctx) + { + goto end; + } + if (OSSL_STORE_expect(store_ctx, OSSL_STORE_INFO_CERT) != 1) + { + goto end; + } + + info = OSSL_STORE_load(store_ctx); + if (!info) + { + goto end; + } + + x = OSSL_STORE_INFO_get0_CERT(info); + if (x == NULL) + { + goto end; + } + msg(D_TLS_DEBUG_MED, "Found cert in store using URI: %s", uri); + + ret = SSL_CTX_use_certificate(tls_ctx->ctx, x); + if (!ret) + { + goto end; + } + OSSL_STORE_INFO_free(info); + + /* iterate through the store and add extra certificates if any to the chain */ + info = OSSL_STORE_load(store_ctx); + while (info && !OSSL_STORE_eof(store_ctx)) + { + x = OSSL_STORE_INFO_get1_CERT(info); + if (x && SSL_CTX_add_extra_chain_cert(tls_ctx->ctx, x) != 1) + { + X509_free(x); + crypto_msg(M_FATAL, "Error adding extra certificate"); + break; + } + OSSL_STORE_INFO_free(info); + info = OSSL_STORE_load(store_ctx); + } + +end: + if (!ret) + { + crypto_print_openssl_errors(M_WARN); + crypto_msg(M_FATAL, "Cannot load certificate from URI <%s>", uri); + } + else + { + crypto_print_openssl_errors(M_DEBUG); + } + + UI_destroy_method(ui_method); + OSSL_STORE_INFO_free(info); + OSSL_STORE_close(store_ctx); +#else /* defined(HAVE_OPENSSL_STORE_API */ + ASSERT(0); +#endif /* defined(HAVE_OPENSSL_STORE_API */ +} + +static void +tls_ctx_load_cert_pem_file(struct tls_root_ctx *ctx, const char *cert_file, + bool cert_file_inline) { BIO *in = NULL; X509 *x = NULL; @@ -961,7 +1166,7 @@ } else { - in = BIO_new_file(cert_file, "r"); + in = BIO_new_file((char *) cert_file, "r"); } if (in == NULL) @@ -1007,6 +1212,20 @@ X509_free(x); } +void +tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, + bool cert_file_inline) +{ + if (cert_uri_supported() && !cert_file_inline) + { + tls_ctx_load_cert_uri(ctx, cert_file); + } + else + { + tls_ctx_load_cert_pem_file(ctx, cert_file, cert_file_inline); + } +} + int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, bool priv_key_file_inline) @@ -1023,21 +1242,19 @@ if (priv_key_file_inline) { in = BIO_new_mem_buf((char *) priv_key_file, -1); + if (in == NULL) + { + goto end; + } + pkey = PEM_read_bio_PrivateKey(in, NULL, + SSL_CTX_get_default_passwd_cb(ctx->ctx), + SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx)); } else { - in = BIO_new_file(priv_key_file, "r"); + pkey = load_pkey_from_uri(priv_key_file, ssl_ctx); } - if (!in) - { - goto end; - } - - pkey = PEM_read_bio_PrivateKey(in, NULL, - SSL_CTX_get_default_passwd_cb(ctx->ctx), - SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx)); - if (!pkey || !SSL_CTX_use_PrivateKey(ssl_ctx, pkey)) { #ifdef ENABLE_MANAGEMENT diff --git a/tests/unit_tests/openvpn/test_ssl.c b/tests/unit_tests/openvpn/test_ssl.c index 5da5b1c..da375af 100644 --- a/tests/unit_tests/openvpn/test_ssl.c +++ b/tests/unit_tests/openvpn/test_ssl.c @@ -66,6 +66,18 @@ } #endif +/* stubs for some unused functions instead of pulling in too many dependencies */ +bool +get_user_pass_cr(struct user_pass *up, const char *auth_file, const char *prefix, + const unsigned int flags, const char *auth_challenge) +{ + return false; +} +void +purge_user_pass(struct user_pass *up, bool force) +{ + return; +} const char *unittest_cert = "-----BEGIN CERTIFICATE-----\n" "MIIBuTCCAUCgAwIBAgIUTLtjSBzx53qZRvZ6Ur7D9kgoOHkwCgYIKoZIzj0EAwIw\n"