| Message ID | 20210922211254.7570-1-selva.nair@gmail.com |
|---|---|
| Headers | show
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net> Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id WMaqE6qcS2FOCQAAIUCqbw (envelope-from <openvpn-devel-bounces@lists.sourceforge.net>) for <patchwork@openvpn.net>; Wed, 22 Sep 2021 17:14:18 -0400 Received: from proxy12.mail.iad3b.rsapps.net ([172.31.255.6]) by director11.mail.ord1d.rsapps.net with LMTP id uIA2E6qcS2HaAwAAvGGmqA (envelope-from <openvpn-devel-bounces@lists.sourceforge.net>) for <patchwork@openvpn.net>; Wed, 22 Sep 2021 17:14:18 -0400 Received: from smtp26.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy12.mail.iad3b.rsapps.net with LMTPS id 8F2HDKqcS2FYBgAAEsW3lA (envelope-from <openvpn-devel-bounces@lists.sourceforge.net>) for <patchwork@openvpn.net>; Wed, 22 Sep 2021 17:14:18 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp26.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=gmail.com; dmarc=fail (p=none; dis=none) header.from=gmail.com X-Suspicious-Flag: YES X-Classification-ID: 0b973b6a-1bea-11ec-96d4-5254001088d3-1-1 Received: from [216.105.38.7] ([216.105.38.7:57134] helo=lists.sourceforge.net) by smtp26.gate.iad3b.rsapps.net (envelope-from <openvpn-devel-bounces@lists.sourceforge.net>) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id C1/25-18258-9AC9B416; Wed, 22 Sep 2021 17:14:18 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from <openvpn-devel-bounces@lists.sourceforge.net>) id 1mT9YR-0005Ai-Mg; Wed, 22 Sep 2021 21:13:23 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from <selva.nair@gmail.com>) id 1mT9YI-00059n-Gu for openvpn-devel@lists.sourceforge.net; Wed, 22 Sep 2021 21:13:14 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=TGNeY/4RhK3M3a8mA6nDMc+xXQ87yLUeg7UtacqS5ko=; b=nUJ+ib+NorHnyM/Am5f8Zyhpng wNg19ofDb6MqC9lKBHrvxxmSdOhCa/j3O1C30qJX/4YmApkE90zxAAC0YLRgd0bL8/iPhHFprLxno z68tOi+NzhrVsM6lH/pNZ/cnBcNW9hR3k0pNAL35gGsisR2qXZIY3nxkTE7/hNeDtw+4=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:Cc:To:From :Sender:Reply-To:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=TGNeY/4RhK3M3a8mA6nDMc+xXQ87yLUeg7UtacqS5ko=; b=a wNyrpaA01FwwrWWDtcYkWOsYPGPth4BIeP9A1i3doXplXUGvkuet+pAbz81b0GrZ0BQnfwdKmGJs9 m/YL5McaOf3p9rdh94B/zhRzA+bZz2/nE/6o/Wz6RKNq6TbjK45so55g2JLcoaNxPZG0ghi/SiPXr O2Qamtygcdf0ngRg=; Received: from mail-qk1-f176.google.com ([209.85.222.176]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92.3) id 1mT9YB-0005zV-94 for openvpn-devel@lists.sourceforge.net; Wed, 22 Sep 2021 21:13:14 +0000 Received: by mail-qk1-f176.google.com with SMTP id b65so14271770qkc.13 for <openvpn-devel@lists.sourceforge.net>; Wed, 22 Sep 2021 14:13:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=TGNeY/4RhK3M3a8mA6nDMc+xXQ87yLUeg7UtacqS5ko=; b=exogxTudxFViUY4IxjZ5fSxoWluPh71dGn7RI+W5/zQ4skLrtHTKkFibye/xZBgfXY T609o5Bo0y7OXhXB7clCVFo/BQ8YtLlnqLJooWq6ikoLn4O77SnIPAIW3clXMxyiZv+R UV82ZeAg2nwr8NeSY7uyoY9l/FyV3etWTvvNUWP0nEo6RcyGY0NdeXIpsEtQPCxAJI5/ Sw/ztiJFRVBbrLVzr0c6J34adZK27crmOhcBjdub4nm2AsvrBWi/cm9MVgNTmht2UwGV cI3+OA7mBgdUgZdsHPrV7BGDSjaverKEliegeavcy/XjXKkJ9Nkm6D+QQ8k/Y7UttAlX j4YA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=TGNeY/4RhK3M3a8mA6nDMc+xXQ87yLUeg7UtacqS5ko=; b=Ud9IU/YnXOVSnoEdvidkJFthB9MeqsGQkZ6tBBp1R2cU2uwNPz07e82c6WxM4NcMTp 1DSOeqFsqTt48j9fVCg4yrugv6tYivNSkFZdVJoW+D2sRqcMxun0hMrP7N9JdkDycJde m2Ce/5h8yyomKMNYMLXJBobxuSQo8LUne+G48NXFkLgV7xl3Uc5TEVQwM2z1VTrgv7rV VE7GodSvWmNyDgQhU/gp+0LrGU2J2k3KU0XFLRxfA0E2KFGBPD6mZx4ERezCLjRHFJ7Q TJ6qQ8/h00lrm/yrtJEgDnbcQSaQuSZZWpWrrs59adg8D77TEmX3KaYKT2iPMMfgvcKN 3rCg== X-Gm-Message-State: AOAM531raPjjrm/APRu8HuDRsAKKHDvO/PFy0kGRDWvHktfUTw+UBMcx R6d2Tu5D1HNvzDqgd+VKaeeMH2xCukU= X-Google-Smtp-Source: ABdhPJzO53dDbP1HIw000F140lVUA7H3gXwRyfgPoQR1wTFYFdtHjzmfM/rtr8XSyFYGVJJCcLDNGg== X-Received: by 2002:a37:c0c:: with SMTP id 12mr1422081qkm.471.1632345181348; Wed, 22 Sep 2021 14:13:01 -0700 (PDT) Received: from uranus.home.sansel.ca (bras-vprn-tnhlon4053w-lp130-02-70-51-223-227.dsl.bell.ca. [70.51.223.227]) by smtp.gmail.com with ESMTPSA id l7sm2185243qth.19.2021.09.22.14.13.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 22 Sep 2021 14:13:01 -0700 (PDT) From: selva.nair@gmail.com To: openvpn-devel@lists.sourceforge.net Date: Wed, 22 Sep 2021 17:12:45 -0400 Message-Id: <20210922211254.7570-1-selva.nair@gmail.com> X-Mailer: git-send-email 2.20.1 MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Selva Nair The following series of patches implement a built-in provider for interfacing OpenSSL 3.0 when external keys are in use. Essentially, to intercept the sign operation, the SSL_CTX object has to be created with properties string set to prioritize our provider. In the provider we implement only keymgmt and signature operat [...] Content analysis details: (-0.2 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.222.176 listed in list.dnswl.org] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [selva.nair[at]gmail.com] -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.222.176 listed in wl.mailspike.net] X-Headers-End: 1mT9YB-0005zV-94 Subject: [Openvpn-devel] [PATCH 0/9] A built-in OpenSSL3.0 provider for external-keys X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: <openvpn-devel.lists.sourceforge.net> List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>, <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe> List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel> List-Post: <mailto:openvpn-devel@lists.sourceforge.net> List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help> List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>, <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox |
From: Selva Nair <selva.nair@gmail.com> The following series of patches implement a built-in provider for interfacing OpenSSL 3.0 when external keys are in use. Essentially, to intercept the sign operation, the SSL_CTX object has to be created with properties string set to prioritize our provider. In the provider we implement only keymgmt and signature operations and specify the property string as optional. That allows all operations we do not provide to be used from the default provider. This patch set stops at interfacing the provider with management-external-key. For pkcs11-helper, only some glue code is needed and is in the works. Same with cryptoapicert aka CNG, but I want to cleanup the old code a bit before hooking to the provider. I haven't attempted to remove any of the deprecated interfaces. That is better done along with Arne's patches. There will be only minor, if at all any, conflicts between that and this patch set. Selva Nair (9): A built-in provider for using external key with OpenSSL 3.0 Initialize the xkey provider and use it in SSL context Implement keymgmt in the xkey provider Implement provider interface for signature operations Implement import of custom external keys A helper function to load key for management-external-key Enable signing via provider for management-external-key Add a function to encode digests with PKCS1 DigestInfo wrapper Allow management client to announce pss padding support configure.ac | 11 + doc/man-sections/management-options.rst | 8 +- doc/management-notes.txt | 15 +- src/openvpn/Makefile.am | 2 + src/openvpn/crypto_openssl.c | 19 + src/openvpn/manage.h | 1 + src/openvpn/openssl_compat.h | 12 + src/openvpn/options.c | 7 +- src/openvpn/ssl_openssl.c | 17 +- src/openvpn/xkey_common.h | 120 +++ src/openvpn/xkey_helper.c | 285 ++++++ src/openvpn/xkey_provider.c | 1158 +++++++++++++++++++++++ 12 files changed, 1647 insertions(+), 8 deletions(-) create mode 100644 src/openvpn/xkey_common.h create mode 100644 src/openvpn/xkey_helper.c create mode 100644 src/openvpn/xkey_provider.c