From patchwork Wed Sep 22 11:12:46 2021
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 1972
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 22 Sep 2021 17:12:46 -0400
Message-Id: <20210922211254.7570-2-selva.nair@gmail.com>
In-Reply-To: <20210922211254.7570-1-selva.nair@gmail.com>
References: <20210922211254.7570-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 1/9] A built-in provider for using external key with OpenSSL 3.0
From: Selva Nair

Hooking into callbacks in RSA_METHOD and EVP_PKEY_METHOD structures is deprecated in OpenSSL 3.0. Signing with external keys that are not exportable (tokens, stores, etc.) requires a custom provider interface so that key operations are done under its context. A single provider is enough for handling all external keys we support -- management-external-key, cryptoapicert (CNG) and pkcs11-helper. The series of patches starting with this one implements such a provider.

To activate the use of the provider, essentially, the SSL_CTX object is created with a property string set to prioritize our provider. In the provider we implement only keymgmt and signature operations. All other operations get used directly from the default provider. However, signature operations include verify using the peer's public key as well. In particular, we get called for both DigestVerify and DigestSign operations. For the former we call back OpenSSL; for the latter we compute the digest using OpenSSL and then pass it to the backend for signature. So a lot of glue code is needed, and this makes the patches somewhat large even after splitting into many commits.

This patch implements only the provider_init function so that it can be loaded, but has no capabilities. The required interfaces are added in following commits.

Signed-off-by: Selva Nair
---
 configure.ac                |  11 +++
 src/openvpn/Makefile.am     |   1 +
 src/openvpn/xkey_common.h   |  42 +++++++++
 src/openvpn/xkey_provider.c | 177 ++++++++++++++++++++++++++++++++++++
 4 files changed, 231 insertions(+)
 create mode 100644 src/openvpn/xkey_common.h
 create mode 100644 src/openvpn/xkey_provider.c

diff --git a/configure.ac b/configure.ac
index 7c2ead6a..0390a05e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -821,6 +821,17 @@ if test "${with_crypto_library}" = "openssl"; then AC_DEFINE([HAVE_OPENSSL_ENGINE], [1], [OpenSSL engine support available]) fi + have_openssl_provider="yes" + AC_CHECK_FUNCS( + [OSSL_PROVIDER_load] + , + , + [have_openssl_provider="no"; break] + ) + if test "${have_openssl_provider}" = "yes"; then + AC_DEFINE([HAVE_XKEY_PROVIDER], [1], [External key loading provider can be used]) + fi + AC_CHECK_FUNC( [EVP_aes_256_gcm], , diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am index 5883c291..432efe73 100644 --- a/src/openvpn/Makefile.am +++ b/src/openvpn/Makefile.am @@ -128,6 +128,7 @@ openvpn_SOURCES = \ tls_crypt.c tls_crypt.h \ tun.c tun.h \ vlan.c vlan.h \ + xkey_provider.c xkey_common.h \ win32.h win32.c \ win32-util.h win32-util.c \ cryptoapi.h cryptoapi.c diff --git a/src/openvpn/xkey_common.h b/src/openvpn/xkey_common.h new file mode 100644 index 00000000..eb31604f --- /dev/null +++ b/src/openvpn/xkey_common.h 
@@ -0,0 +1,42 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2021 Selva Nair + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifndef XKEY_PUBLIC_H_ +#define XKEY_PUBLIC_H_ + +#ifdef HAVE_XKEY_PROVIDER + +#include +#include + +/** + * Initialization function for OpenVPN external key provider for OpenSSL + * Follows the signature of OSSL_PROVIDER init + */ +OSSL_provider_init_fn xkey_provider_init; + +#endif /* HAVE_XKEY_PROVIDER */ + +#define XKEY_PROV_PROPS "provider=ovpn.xkey" + +#endif /* XKEY_PUBLIC_H_ */ diff --git a/src/openvpn/xkey_provider.c b/src/openvpn/xkey_provider.c new file mode 100644 index 00000000..9d19d37d --- /dev/null +++ b/src/openvpn/xkey_provider.c 
@@ -0,0 +1,177 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2021 Selva Nair + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifdef HAVE_CONFIG_H +#include +#elif defined(_MSC_VER) +#include "config-msvc.h" +#endif + +#ifdef HAVE_XKEY_PROVIDER + +#include "syshead.h" +#include "error.h" +#include "buffer.h" +#include "xkey_common.h" + +#include +#include +#include +#include +#include +#include +#include +#include + +/* A descriptive name */ +static const char *provname = "OpenVPN External Key Provider"; + +typedef struct +{ + const OSSL_CORE_HANDLE *core; + OSSL_PROVIDER *deflt; /* default provider that we load for delegating some ops */ + OSSL_LIB_CTX *libctx; /* libctx of the core context in which we are running */ +} XKEY_PROVIDER_CTX; + +/* main provider interface */ + +/* provider callbacks we implement */ +static OSSL_FUNC_provider_query_operation_fn query_operation; +static OSSL_FUNC_provider_gettable_params_fn gettable_params; +static OSSL_FUNC_provider_get_params_fn get_params; +static OSSL_FUNC_provider_teardown_fn teardown; + +static const OSSL_ALGORITHM * +query_operation(void *provctx, int op, int *no_store) +{ + 
dmsg(D_LOW, "In xkey provider query op with op = %d", op); + + *no_store = 0; + + switch (op) + { + case OSSL_OP_SIGNATURE: + return NULL; + + case OSSL_OP_KEYMGMT: + return NULL; + + default: + break; + } + return NULL; +} + +static const OSSL_PARAM * +gettable_params(void *provctx) +{ + dmsg(D_LOW, "In xkey provider gettable_params"); + + static const OSSL_PARAM param_types[] = { + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_NAME, OSSL_PARAM_UTF8_PTR, NULL, 0), + OSSL_PARAM_END + }; + + return param_types; +} +static int +get_params(void *provctx, OSSL_PARAM params[]) +{ + OSSL_PARAM *p; + + dmsg(D_LOW, "In xkey provider get_params"); + + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME); + if (p) + { + return (OSSL_PARAM_set_utf8_ptr(p, provname) != 0); + } + + return 0; +} + +static void +teardown(void *provctx) +{ + dmsg(D_LOW, "In xkey provider teardown"); + + XKEY_PROVIDER_CTX *prov = provctx; + if (prov && prov->deflt) + { + OSSL_PROVIDER_unload(prov->deflt); + } + free(prov); +} + +static const OSSL_DISPATCH dispatch_table[] = { + {OSSL_FUNC_PROVIDER_GETTABLE_PARAMS, (void (*)(void))gettable_params}, + {OSSL_FUNC_PROVIDER_GET_PARAMS, (void (*)(void))get_params}, + {OSSL_FUNC_PROVIDER_QUERY_OPERATION, (void (*)(void))query_operation}, + {OSSL_FUNC_PROVIDER_TEARDOWN, (void (*)(void))teardown}, + {0, NULL} +}; + +int +xkey_provider_init(const OSSL_CORE_HANDLE *handle, const OSSL_DISPATCH *in, + const OSSL_DISPATCH **out, void **provctx) +{ + XKEY_PROVIDER_CTX *prov; + OSSL_FUNC_core_get_libctx_fn *c_get_libctx = NULL; + + dmsg(D_LOW, "In xkey provider init"); + + prov = calloc(sizeof(*prov), 1); + if (!prov) + { + msg(M_NONFATAL, "xkey_provider_init: out of memory"); + return 0; + } + + /* get our libctx */ + for (; in->function_id != 0; in++) + { + if (in->function_id == OSSL_FUNC_CORE_GET_LIBCTX) + { + c_get_libctx = OSSL_FUNC_core_get_libctx(in); + } + } + + if (c_get_libctx) + { + prov->libctx = (OSSL_LIB_CTX *)c_get_libctx(handle); + } + prov->core = handle; + + 
prov->deflt = OSSL_PROVIDER_load(prov->libctx, "default"); + if (!prov->deflt) + { + msg(M_NONFATAL, "xkey_provider_init: default provider could not be loaded"); + } + + *out = dispatch_table; + *provctx = prov; + + return 1; +} + +#endif /* HAVE_XKEY_PROVIDER */
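Review bot: In the configure.ac hunk, HAVE_XKEY_PROVIDER is defined as soon as OSSL_PROVIDER_load links, so a builder gets no switch to leave the new provider out and nothing records that this is an OpenSSL 3.0-only path; consider an explicit enable/disable option, or at least a comment above the check saying the symbol only exists from 3.0 on. The `break` in the action-if-not-found of AC_CHECK_FUNCS only matters when several functions are listed, so with the single OSSL_PROVIDER_load entry it can be dropped.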
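Review bot: The include guard in the xkey_common.h hunk is XKEY_PUBLIC_H_ while the file is xkey_common.h; rename it to XKEY_COMMON_H_ so the guard tracks the file name. XKEY_PROV_PROPS is defined outside the HAVE_XKEY_PROVIDER block, which is fine if callers are meant to use it unconditionally, but that intent deserves a one-line comment, as does the fact that xkey_provider_init is meant to be registered as a built-in (the subject says so) rather than loaded as a shared module.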
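Review bot: In xkey_provider_init, the function still returns 1 when the default provider could not be loaded and when the core did not supply OSSL_FUNC_CORE_GET_LIBCTX; in the second case prov->libctx stays NULL, so OSSL_PROVIDER_load(NULL, "default") pulls the default provider into the global library context instead of the one the provider is running in, and in the first case every operation the provider intends to delegate fails later with a far less obvious error. Both cases should free(prov) and return 0. Separately, get_params returns 0 whenever OSSL_PROV_PARAM_NAME is not among the requested params, which turns any request for other provider params into a failure; the usual pattern is `if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, provname)) return 0;` followed by `return 1;`. Minor: calloc(sizeof(*prov), 1) has the nmemb and size arguments swapped; it works, but calloc(1, sizeof(*prov)) is the conventional spelling.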