From patchwork Wed Sep 22 11:12:52 2021
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 1965
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 22 Sep 2021 17:12:52 -0400
Message-Id: <20210922211254.7570-8-selva.nair@gmail.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20210922211254.7570-1-selva.nair@gmail.com>
References: <20210922211254.7570-1-selva.nair@gmail.com>
MIME-Version: 1.0
Subject: [Openvpn-devel] [PATCH 7/9] Enable signing via provider for management-external-key

From: Selva Nair

- Add a function to set as sign_op during key import. The function passes
  the signature request to the management interface, and returns the result
  to the provider.

Signed-off-by: Selva Nair
---
 src/openvpn/xkey_common.h |  4 +++
 src/openvpn/xkey_helper.c | 68 +++++++++++++++++++++++++++++++++++++--
 2 files changed, 69 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/xkey_common.h b/src/openvpn/xkey_common.h
index 751f18a0..6a00c382 100644
--- a/src/openvpn/xkey_common.h +++ b/src/openvpn/xkey_common.h @@ -35,6 +35,10 @@ */ OSSL_provider_init_fn xkey_provider_init; +#else + +#define OSSL_LIB_CTX void + #endif /* HAVE_XKEY_PROVIDER */ #define XKEY_PROV_PROPS "provider=ovpn.xkey" diff --git a/src/openvpn/xkey_helper.c b/src/openvpn/xkey_helper.c index aa9f23b8..c9e8d218 100644 --- a/src/openvpn/xkey_helper.c +++ b/src/openvpn/xkey_helper.c @@ -33,6 +33,8 @@ #include "error.h" #include "buffer.h" #include "xkey_common.h" +#include "manage.h" +#include "base64.h" #include #include 
@@ -84,13 +86,73 @@ xkey_load_management_key(OSSL_LIB_CTX *libctx, EVP_PKEY *pubkey) return pkey; } -/* not yet implemented */ +/** + * Signature callback for xkey_provider with management-external-key + * + * @param handle Unused -- may be null + * @param sig On successful return signature is in sig. + * @param siglen On entry *siglen has length of buffer sig, + * on successful return size of signature + * @param tbs hash to be signed + * @param tbslen len of data in dgst + * @param sigalg extra signature parameters + * + * @return signature length or -1 on error. + * For PKCS1 signature, the passed in hash is pure messaged digest + * not encoded with digest info even for the TLS 1.1 MD5_SHA hashes. + */ int xkey_management_sign(void *unused, unsigned char *sig, size_t *siglen, const unsigned char *tbs, size_t tbslen, XKEY_SIGALG alg) { - msg(M_FATAL, "FATAL ERROR: A sign callback for this key is not implemented."); - return 0; + (void) unused; + char alg_str[64]; + + if (!strcmp(alg.keytype, "EC")) + { + strncpynt(alg_str, "ECDSA", sizeof(alg_str)); + } + /* else assume RSA key */ + else if (!strcmp(alg.padmode, "pkcs1")) + { + strncpynt(alg_str, "RSA_PKCS1_PADDING", sizeof(alg_str)); + } + else if (!strcmp(alg.padmode, "none")) + { + strncpynt(alg_str, "RSA_NO_PADDING", sizeof(alg_str)); + } + else if (!strcmp(alg.padmode, "pss")) + { + openvpn_snprintf(alg_str, sizeof(alg_str), "%s,hashalg=%s,saltlen=%s", + "RSA_PKCS1_PSS_PADDING", alg.mdname,alg.saltlen); + } + else { + msg(M_NONFATAL, "Unsupported RSA padding mode in signature request<%s>", + alg.padmode); + return 0; + } + dmsg(D_LOW, "xkey management_sign: requesting sig with algorithm <%s>", alg_str); + + char *in_b64 = NULL; + char *out_b64 = NULL; + int len = -1; + + int bencret = openvpn_base64_encode(tbs, (int) tbslen, &in_b64); + + if (management && bencret > 0) + { + out_b64 = management_query_pk_sig(management, in_b64, alg_str); + } + if (out_b64) + { + len = openvpn_base64_decode(out_b64, sig, 
(int) *siglen); + } + free(in_b64); + free(out_b64); + + *siglen = (len > 0) ? len : 0; + + return (*siglen > 0); } #endif /* HAVE_XKEY_PROVIDER */
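Review bot: in the xkey_common.h hunk, `#define OSSL_LIB_CTX void` in the `#else` branch of `HAVE_XKEY_PROVIDER` turns a type name into a macro, so every later declaration that spells `OSSL_LIB_CTX` (the `xkey_load_management_key(OSSL_LIB_CTX *libctx, EVP_PKEY *pubkey)` signature visible in the next file, for one) is silently rewritten to `void *`, and the definition will collide with any header that later declares the real type. A one-line comment saying this fallback exists only for builds where the provider, and therefore the real type, is absent, or a typedef of an opaque struct instead of a macro, would make the intent explicit and keep the substitution from leaking into other declarations.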
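Review bot: in the `xkey_management_sign` hunk the new doc comment says `@return signature length or -1 on error`, but the body ends with `*siglen = (len > 0) ? len : 0;` and `return (*siglen > 0);`, so the function actually returns 1 on success and 0 on failure and reports the length only through `*siglen`; the comment should say so (the early `return 0;` on an unsupported padding mode already treats 0 as failure, so changing the comment rather than the code keeps the two paths consistent). In the same comment, `@param tbslen len of data in dgst` names a parameter that does not exist (the buffer is `tbs`), and "pure messaged digest" should read "pure message digest". Two smaller points: when `management` is NULL or `openvpn_base64_encode` returns a non-positive value, `out_b64` stays NULL and the function returns 0 with no diagnostic, so a missing management interface fails silently at signing time; a `msg(M_NONFATAL, ...)` on that path, parallel to the unsupported-padding one, would make the failure visible in the log. And `else {` with the brace on the same line, plus `alg.mdname,alg.saltlen` without a space after the comma, differ from the brace-on-its-own-line style the other branches in this hunk use.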