From patchwork Tue Oct 19 07:31:18 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Arne Schwabe <arne@rfc2549.org>
X-Patchwork-Id: 2043
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Delivered-To: patchwork@openvpn.net
Received: from director10.mail.ord1d.rsapps.net ([172.30.191.6])
	by backend30.mail.ord1d.rsapps.net with LMTP
	id IMydDEEPb2FQQwAAIUCqbw
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	for <patchwork@openvpn.net>; Tue, 19 Oct 2021 14:32:33 -0400
Received: from proxy2.mail.ord1d.rsapps.net ([172.30.191.6])
	by director10.mail.ord1d.rsapps.net with LMTP
	id WMOWDEEPb2FOGAAApN4f7A
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	for <patchwork@openvpn.net>; Tue, 19 Oct 2021 14:32:33 -0400
Received: from smtp6.gate.ord1d ([172.30.191.6])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	by proxy2.mail.ord1d.rsapps.net with LMTPS
	id KM9CDEEPb2EIfwAAfawv4w
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	for <patchwork@openvpn.net>; Tue, 19 Oct 2021 14:32:33 -0400
X-Spam-Threshold: 95
X-Spam-Score: 0
X-Spam-Flag: NO
X-Virus-Scanned: OK
X-Orig-To: openvpnslackdevel@openvpn.net
X-Originating-Ip: [216.105.38.7]
Authentication-Results: smtp6.gate.ord1d.rsapps.net;
 iprev=pass policy.iprev="216.105.38.7";
 spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net"
 smtp.helo="lists.sourceforge.net";
 dkim=fail (signature verification failed) header.d=sourceforge.net;
 dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil;
 dis=none) header.from=rfc2549.org
X-Suspicious-Flag: YES
X-Classification-ID: ec078f76-310a-11ec-9193-52540050e3e0-1-1
Received: from [216.105.38.7] ([216.105.38.7:44176]
 helo=lists.sourceforge.net)
	by smtp6.gate.ord1d.rsapps.net (envelope-from
 <openvpn-devel-bounces@lists.sourceforge.net>)
	(ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384)
	id 77/98-02365-04F0F616; Tue, 19 Oct 2021 14:32:32 -0400
Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com)
	by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.92.3)
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	id 1mctts-0001cd-AC; Tue, 19 Oct 2021 18:31:48 +0000
Received: from [172.30.20.202] (helo=mx.sourceforge.net)
 by sfs-ml-2.v29.lw.sourceforge.com with esmtps
 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3)
 (envelope-from <arne@kamera.blinkt.de>) id 1mcttf-0001Za-VR
 for openvpn-devel@lists.sourceforge.net; Tue, 19 Oct 2021 18:31:35 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References:
 In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:
 Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
 Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=qzIs6SbXq/K+KE5KHkFXTF4+MXufP0yNdcR9tPYNbRk=; b=aPiUCvIc51qCSUjZdeLv661Iwo
 q49HRcyHUtzgYdz05IrMVkXzQ5Hds7YHvpvP3iu3z5uu3sqr3VdkA1UfhYd13PGjVNucd7daTfaJf
 dWsPpWpmEcOkQjph8G0y9XtaVdX1MEPXqfAS73eA2WSIQ7EXaKQFy90vUkaNf1+ljCU4=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
 ;
 h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id:
 Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=qzIs6SbXq/K+KE5KHkFXTF4+MXufP0yNdcR9tPYNbRk=; b=MDMb/J4CbzuXMwqslSS1sb3xCP
 ETzV10YUEMSkdPPVicxi7Zo/JEuyNZK1HKu6zJ0rROqfd9ima6NIjo3WJhP+vEG/xA6RWw7VKM/jL
 tnjV+VlVz23iPzEPuvoSNrSXhu/VN+yvBU8gvO4HlQweqm/qXzXZQJ+YGMHSO6N7afgs=;
Received: from mail.blinkt.de ([192.26.174.232])
 by sfi-mx-2.v28.lw.sourceforge.com with esmtps
 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3)
 id 1mctte-0005ty-Vq
 for openvpn-devel@lists.sourceforge.net; Tue, 19 Oct 2021 18:31:35 +0000
Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c])
 by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD))
 (envelope-from <arne@kamera.blinkt.de>) id 1mcttX-0008iC-VC
 for openvpn-devel@lists.sourceforge.net; Tue, 19 Oct 2021 20:31:27 +0200
Received: (nullmailer pid 614259 invoked by uid 10006);
 Tue, 19 Oct 2021 18:31:28 -0000
From: Arne Schwabe <arne@rfc2549.org>
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:18 +0200
Message-Id: <20211019183127.614175-13-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org>
References: <20211019183127.614175-1-arne@rfc2549.org>
MIME-Version: 1.0
X-Spam-Report: Spam detection software,
 running on the system "util-spamd-1.v13.lw.sourceforge.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview:  This allows OpenVPN to load non-default providers. This is
 mainly useful for loading the legacy provider with --provider legacy:default
 Signed-off-by: Arne Schwabe <arne@rfc2549.org> ---
 doc/man-sections/generic-options.rst
 | 10 ++++++++++ src/openvpn/crypto_backend.h | 7 +++++++
 src/openvpn/crypto_mbedtls.c | 8 ++++++++ src/openvpn/c [...]
 Content analysis details:   (0.3 points, 6.0 required)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
 mail domains are different
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 SPF_NONE               SPF: sender does not publish an SPF Record
X-Headers-End: 1mctte-0005ty-Vq
Subject: [Openvpn-devel] [PATCH v3 12/21] [OSSL 3.0] Allow loading of non
 default providers
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox

This allows OpenVPN to load non-default providers. This is mainly
useful for loading the legacy provider with --provider legacy:default

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Signed-off-by: Arne Schwabe &lt;<a href="mailto:arne@rfc2549.org" target="_blank">arne@rfc2549.org</a>&gt;<br>
---
 doc/man-sections/generic-options.rst | 10 ++++++++++
 src/openvpn/crypto_backend.h         |  7 +++++++
 src/openvpn/crypto_mbedtls.c         |  8 ++++++++
 src/openvpn/crypto_openssl.c         | 29 ++++++++++++++++++++++++++++
 src/openvpn/openvpn.c                |  4 ++++
 src/openvpn/options.c                |  4 ++++
 src/openvpn/options.h                |  1 +
 7 files changed, 63 insertions(+)

diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst
index e6c1fe455..f5b8a9135 100644
--- a/doc/man-sections/generic-options.rst
+++ b/doc/man-sections/generic-options.rst
@@ -280,6 +280,16 @@ which mode OpenVPN is configured as.
   This option solves the problem by persisting keys across :code:`SIGUSR1`
   resets, so they don't need to be re-read.
 
+--provider providers
+  Load the : separated list of (OpenSSL) providers. This is mainly useful for
+  using an external provider for key management like tpm2-openssl or to load
+  the legacy provider with
+
+  ::
+
+      --provider "legacy:default"
+
+
 --remap-usr1 signal
   Control whether internally or externally generated :code:`SIGUSR1` signals
   are remapped to :code:`SIGHUP` (restart without persisting state) or
diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index cc897acf4..fa265e6c2 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -78,6 +78,13 @@ void crypto_clear_error(void);
  */
 void crypto_init_lib_engine(const char *engine_name);
 
+
+/**
+ * Load the given (OpenSSL) providers
+ * @param providers list of providers to load, seperated by :
+ */
+void crypto_init_lib_provider(const char *providers);
+
 #ifdef DMALLOC
 /*
  * OpenSSL memory debugging.  If dmalloc debugging is enabled, tell
diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
index 2f7f00d19..e6ed1ae99 100644
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
@@ -70,6 +70,14 @@ crypto_init_lib_engine(const char *engine_name)
         "available");
 }
 
+void crypto_init_lib_provider(const char *providers)
+{
+    if (providers)
+    {
+        msg(M_WARN, "Note: mbed TLS provider functionality is not available");
+    }
+}
+
 /*
  *
  * Functions related to the core crypto library
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 407ea4a7c..1900ccc1b 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -54,6 +54,9 @@
 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
 #include <openssl/kdf.h>
 #endif
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/provider.h>
+#endif
 
 /*
  * Check for key size creepage.
@@ -145,6 +148,32 @@ crypto_init_lib_engine(const char *engine_name)
 #endif
 }
 
+void
+crypto_init_lib_provider(const char *providers)
+{
+    if (!providers)
+    {
+        return;
+    }
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+    struct gc_arena gc = gc_new();
+    char *tmp_providers = string_alloc(providers, &gc);
+
+    const char *provname;
+    while ((provname = strsep(&tmp_providers, ":")))
+    {
+        /* Load providers into the default (NULL) library context */
+        OSSL_PROVIDER* provider = OSSL_PROVIDER_load(NULL, provname);
+        if (!provider)
+        {
+            crypto_msg(M_FATAL, "failed to load provider '%s'", provname);
+        }
+    }
+#else  /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
+    msg(M_WARN, "Note: OpenSSL hardware crypto engine functionality is not available");
+#endif
+}
+
 /*
  *
  * Functions related to the core crypto library
diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c
index f8e94509f..3c9bcf885 100644
--- a/src/openvpn/openvpn.c
+++ b/src/openvpn/openvpn.c
@@ -112,6 +112,10 @@ void init_early(struct context *c)
     /* init verbosity and mute levels */
     init_verb_mute(c, IVM_LEVEL_1);
 
+    /* Initialise OpenVPN provider, this needs to be intialised this
+    * early since option post processing and also openssl info
+    * printing depends on it */
+    crypto_init_lib_provider((*c).options.providers);
 }
 
 static void uninit_early(struct context *c)
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index ed2dcd53d..ab7b00783 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -8178,6 +8178,10 @@ add_option(struct options *options,
             options->engine = "auto";
         }
     }
+    else if (streq(p[0], "provider") && p[1] && !p[2])
+    {
+        options->providers = p[1];
+    }
 #endif /* ENABLE_CRYPTO_MBEDTLS */
 #ifdef ENABLE_PREDICTION_RESISTANCE
     else if (streq(p[0], "use-prediction-resistance") && !p[1])
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index 98c21a2a8..6759f1950 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -521,6 +521,7 @@ struct options
     const char *prng_hash;
     int prng_nonce_secret_len;
     const char *engine;
+    const char *providers;
     bool replay;
     bool mute_replay_warnings;
     int replay_window;