From patchwork Tue Dec 14 05:59:12 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Selva Nair X-Patchwork-Id: 2173 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director10.mail.ord1d.rsapps.net ([172.27.255.56]) by backend41.mail.ord1d.rsapps.net with LMTP id UNK3KuXNuGHOWAAAqwncew (envelope-from ) for ; Tue, 14 Dec 2021 12:01:25 -0500 Received: from proxy14.mail.iad3a.rsapps.net ([172.27.255.56]) by director10.mail.ord1d.rsapps.net with LMTP id 4G48EObNuGHAegAApN4f7A (envelope-from ) for ; Tue, 14 Dec 2021 12:01:26 -0500 Received: from smtp10.gate.iad3a ([172.27.255.56]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy14.mail.iad3a.rsapps.net with LMTPS id 8G0YJezNuGHdOQAA1+b4IQ (envelope-from ) for ; Tue, 14 Dec 2021 12:01:32 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp10.gate.iad3a.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=gmail.com; dmarc=fail (p=none; dis=none) header.from=gmail.com X-Suspicious-Flag: YES X-Classification-ID: 7868232a-5cff-11ec-b071-525400a8203f-1-1 Received: from [216.105.38.7] ([216.105.38.7:52856] helo=lists.sourceforge.net) by smtp10.gate.iad3a.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 35/BF-17083-5EDC8B16; Tue, 14 Dec 2021 12:01:25 -0500 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1mxB9p-0003JN-W2; Tue, 14 Dec 2021 17:00:06 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1mxB9j-0003In-Rm for openvpn-devel@lists.sourceforge.net; Tue, 14 Dec 2021 16:59:59 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=yzM4VHzjDr0B8T9U3BDrrhIC3VZxUTXuW1LhR1bLl6o=; b=TuU7AKqzROd4LH7Y2ZByDJ7rjz RgbpvXAjCeOY5oQOMRz259sSLHAgcRJ/TXJVyTS47PN8hjJsJY9OaEhxwM9Yqv59TzL7hKzHgbzqV hu0IB6F7W1UWONsd9yL41FQvqw8/0jUtv6oVC+Pnj0brtmPxLn+WhEhqq5V+XUZcqqWU=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=yzM4VHzjDr0B8T9U3BDrrhIC3VZxUTXuW1LhR1bLl6o=; b=YUJRstv8po9jz9HRVjEg/98ar6 T8Z2HOG9Al3Nv4GRycY6UQPExmS1jSaRt3nWVqcb3jox57QQdjl+5Yne0B2F3RnWKC70UmISdWKpH v1tB8xh2z4gLRm/l84irMDmvfvREnDSWuREQKwUREvLGveGAaF/z6d8vxUbneIrLEN3Y=; Received: from mail-io1-f46.google.com ([209.85.166.46]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92.3) id 1mxB9i-0000ax-VH for openvpn-devel@lists.sourceforge.net; Tue, 14 Dec 2021 16:59:59 +0000 Received: by mail-io1-f46.google.com with SMTP id 14so25234225ioe.2 for ; Tue, 14 Dec 2021 08:59:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references :mime-version:content-transfer-encoding; bh=yzM4VHzjDr0B8T9U3BDrrhIC3VZxUTXuW1LhR1bLl6o=; b=omGtLfhOSnm4C3hVo1VMFF2mQHk6DSHaq9Ua2uEWwAfV/bcdRoqFUw5gSDXX9gtrcs 02S4am3LZH0wmch1pcBRboQuz0AN8HcdkkZIfMCaANw2E++AgWhsxISiM6ZHNpRNatvw zYTzCoL6QGHHbke/Vdx3sbQBCZtp1F0LmyYLm2LIExu6CvJkffjKAgb06NYrbNFq+CSB zCbdBfQFco+J0DsRQtm3e0H7yISTAQEkD81y75QNC7DVZUMEdkT2yfXH+hiP/FPnIDL9 hE5Kh8Y7O5s35ZcCKnxrUzdCX7SBb/FVEA9fXKfXAZbTgg7WRYQfqBpi/3iIfz9DRECI Jyow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=yzM4VHzjDr0B8T9U3BDrrhIC3VZxUTXuW1LhR1bLl6o=; b=UF6P2FS2gtaZrTmS0GejtYKwL+JPBH7rD4KFyVCGUZxjX64RkzF1pa3DbbuTA0MRMC 7/x6jfOy25mk2rpANgECz4YTWdoSvobvdAg4ORIesecB7QO0c38Suofutd3yqbbP08B5 yUlQKd3mqejExqVLSaawPlqL536e5KJ420eyDYrrVrpJz+kTM1hNj6nDlTdfbUI3xTYf MU47pimM4UBqt8OCQyylqVWCIbN3N9zktzfW4H270dQVM67lAMdApg0WRkrG4288BH/U z/9fL3fSowBbQ0FhZpNHDEeGVC3DNYNxFIN/VoN4MMzzADclswWyZnoG4A6c59SeVmlb lNdA== X-Gm-Message-State: AOAM533K0oMAXSX/FBoiddNWHi7LKIADDwZuPBJDjt9EXmT5OvtkjtAC 1eFccsuJWeRTXdVRsZBU1eiS3llHIeM= X-Google-Smtp-Source: ABdhPJyuexA0x6KOBsOiS4bKylAlu2QY1PqakkDkV6wQ7MpA0JiW6a69vvHOsN7Q/5vQuIL8V9FK+g== X-Received: by 2002:a05:6638:3048:: with SMTP id u8mr3707956jak.207.1639501190194; Tue, 14 Dec 2021 08:59:50 -0800 (PST) Received: from uranus.home.sansel.ca (bras-vprn-tnhlon4053w-lp130-02-70-51-223-8.dsl.bell.ca. [70.51.223.8]) by smtp.gmail.com with ESMTPSA id e9sm178778ilm.44.2021.12.14.08.59.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Dec 2021 08:59:49 -0800 (PST) From: selva.nair@gmail.com To: openvpn-devel@lists.sourceforge.net Date: Tue, 14 Dec 2021 11:59:12 -0500 Message-Id: <20211214165928.30676-3-selva.nair@gmail.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20211214165928.30676-1-selva.nair@gmail.com> References: <20211214165928.30676-1-selva.nair@gmail.com> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Selva Nair A minimal set of functions for keymgmt are implemented. No support for external key import as yet, only native keys. Support for native keys is required as keys may get imported into us for some opera [...] Content analysis details: (-0.2 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.166.46 listed in list.dnswl.org] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [selva.nair[at]gmail.com] -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.166.46 listed in wl.mailspike.net] -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1mxB9i-0000ax-VH Subject: [Openvpn-devel] [PATCH v3 02/18] Implement KEYMGMT in the xkey provider X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox From: Selva Nair A minimal set of functions for keymgmt are implemented. No support for external key import as yet, only native keys. Support for native keys is required as keys may get imported into us for some operations as well as for comparison with unexportable external keys that we hold. Implementation of signature callbacks is in the next commit. v2 changes: This was commit 3/9 in v1 v3 changes: When OpenSSL native key is imported instead of duplicating the whole key, use only the public components for public key. Signed-off-by: Selva Nair Acked-By: Arne Schwabe --- src/openvpn/xkey_provider.c | 375 +++++++++++++++++++++++++++++++++++- 1 file changed, 374 insertions(+), 1 deletion(-) diff --git a/src/openvpn/xkey_provider.c b/src/openvpn/xkey_provider.c index d47faf0a..a083ec2d 100644 --- a/src/openvpn/xkey_provider.c +++ b/src/openvpn/xkey_provider.c @@ -44,6 +44,9 @@ #include #include +/* propq set all on all ops we implement */ +static const char *const props = XKEY_PROV_PROPS; + /* A descriptive name */ static const char *provname = "OpenVPN External Key Provider"; @@ -59,6 +62,376 @@ typedef struct dmsg(f|M_NOPREFIX, __VA_ARGS__); \ } while(0) +typedef enum +{ + ORIGIN_UNDEFINED = 0, + OPENSSL_NATIVE, /* native key imported in */ + EXTERNAL_KEY +} XKEY_ORIGIN; + +/** + * XKEY_KEYDATA: Our keydata encapsulation: + * + * We keep an opaque handle provided by the backend for the loaded + * key. It's passed back to the backend for any operation on private + * keys --- in practice, sign() op only. + * + * We also keep the public key in the form of a native OpenSSL EVP_PKEY. + * This allows us to do all public ops by calling ops in the default provider. + */ +typedef struct +{ + /* opaque handle dependent on KEY_ORIGIN -- could be NULL */ + void *handle; + /* associated public key as an openvpn native key */ + EVP_PKEY *pubkey; + /* origin of key -- native or external */ + XKEY_ORIGIN origin; + XKEY_PROVIDER_CTX *prov; + int refcount; /* reference count */ +} XKEY_KEYDATA; + +#define KEYTYPE(key) ((key)->pubkey ? EVP_PKEY_get_id((key)->pubkey) : 0) +#define KEYSIZE(key) ((key)->pubkey ? EVP_PKEY_get_size((key)->pubkey) : 0) + +/* keymgmt provider */ + +/* keymgmt callbacks we implement */ +static OSSL_FUNC_keymgmt_new_fn keymgmt_new; +static OSSL_FUNC_keymgmt_free_fn keymgmt_free; +static OSSL_FUNC_keymgmt_load_fn keymgmt_load; +static OSSL_FUNC_keymgmt_has_fn keymgmt_has; +static OSSL_FUNC_keymgmt_match_fn keymgmt_match; +static OSSL_FUNC_keymgmt_import_fn rsa_keymgmt_import; +static OSSL_FUNC_keymgmt_import_fn ec_keymgmt_import; +static OSSL_FUNC_keymgmt_import_types_fn keymgmt_import_types; +static OSSL_FUNC_keymgmt_get_params_fn keymgmt_get_params; +static OSSL_FUNC_keymgmt_gettable_params_fn keymgmt_gettable_params; +static OSSL_FUNC_keymgmt_set_params_fn keymgmt_set_params; +static OSSL_FUNC_keymgmt_query_operation_name_fn rsa_keymgmt_name; +static OSSL_FUNC_keymgmt_query_operation_name_fn ec_keymgmt_name; + +static XKEY_KEYDATA * +keydata_new() +{ + xkey_dmsg(D_LOW, "entry"); + + XKEY_KEYDATA *key = OPENSSL_zalloc(sizeof(*key)); + if (!key) + { + msg(M_NONFATAL, "xkey_keydata_new: out of memory"); + } + + return key; +} + +static void +keydata_free(XKEY_KEYDATA *key) +{ + xkey_dmsg(D_LOW, "entry"); + + if (!key || key->refcount-- > 0) /* free when refcount goes to zero */ + { + return; + } + if (key->pubkey) + { + EVP_PKEY_free(key->pubkey); + } + OPENSSL_free(key); +} + +static void * +keymgmt_new(void *provctx) +{ + xkey_dmsg(D_LOW, "entry"); + + XKEY_KEYDATA *key = keydata_new(); + if (key) + { + key->prov = provctx; + } + + return key; +} + +static void * +keymgmt_load(const void *reference, size_t reference_sz) +{ + xkey_dmsg(D_LOW, "entry"); + + return NULL; +} + +/** + * Key import function + * When key operations like sign/verify are done in our context + * the key gets imported into us. We will also use import to + * load an external key into the provider. + * + * For native keys we get called with standard OpenSSL params + * appropriate for the key. We just use it to create a native + * EVP_PKEY from params and assign to keydata->handle. + * + * Import of external keys -- to be implemented + */ +static int +keymgmt_import(void *keydata, int selection, const OSSL_PARAM params[], const char *name) +{ + xkey_dmsg(D_LOW, "entry"); + + XKEY_KEYDATA *key = keydata; + ASSERT(key); + + /* Our private key is immutable -- we import only if keydata is empty */ + if (key->handle || key->pubkey) + { + msg(M_WARN, "Error: keymgmt_import: keydata not empty -- our keys are immutable"); + return 0; + } + + /* create a native public key and assign it to key->pubkey */ + EVP_PKEY *pkey = NULL; + int selection_pub = selection & ~OSSL_KEYMGMT_SELECT_PRIVATE_KEY; + + EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(key->prov->libctx, name, NULL); + if (!ctx + || (EVP_PKEY_fromdata_init(ctx) != 1) + || (EVP_PKEY_fromdata(ctx, &pkey, selection_pub, (OSSL_PARAM*) params) !=1)) + { + msg(M_WARN, "Error: keymgmt_import failed for key type <%s>", name); + if (pkey) + { + EVP_PKEY_free(pkey); + } + if (ctx) + { + EVP_PKEY_CTX_free(ctx); + } + return 0; + } + + key->pubkey = pkey; + key->origin = OPENSSL_NATIVE; + if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) + { + /* create private key */ + pkey = NULL; + if (EVP_PKEY_fromdata(ctx, &pkey, selection, (OSSL_PARAM*) params) == 1) + { + key->handle = pkey; + key->free = (XKEY_PRIVKEY_FREE_fn *) EVP_PKEY_free; + } + } + EVP_PKEY_CTX_free(ctx); + + xkey_dmsg(D_LOW, "imported native %s key", EVP_PKEY_get0_type_name(pkey)); + return 1; +} + +static int +rsa_keymgmt_import(void *keydata, int selection, const OSSL_PARAM params[]) +{ + xkey_dmsg(D_LOW, "entry"); + + return keymgmt_import(keydata, selection, params, "RSA"); +} + +static int +ec_keymgmt_import(void *keydata, int selection, const OSSL_PARAM params[]) +{ + xkey_dmsg(D_LOW, "entry"); + + return keymgmt_import(keydata, selection, params, "EC"); +} + +/* This function has to exist for key import to work + * though we do not support import of individual params + * like n or e. We simply return an empty list here for + * both rsa and ec, which works. + */ +static const OSSL_PARAM * +keymgmt_import_types(int selection) +{ + xkey_dmsg(D_LOW, "entry"); + + static const OSSL_PARAM key_types[] = { OSSL_PARAM_END }; + + if (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) + { + return key_types; + } + return NULL; +} + +static void +keymgmt_free(void *keydata) +{ + xkey_dmsg(D_LOW, "entry"); + + keydata_free(keydata); +} + +static int +keymgmt_has(const void *keydata, int selection) +{ + xkey_dmsg(D_LOW, "selection = %d", selection); + + const XKEY_KEYDATA *key = keydata; + int ok = (key != NULL); + + if (selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) + { + ok = ok && key->pubkey; + } + if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) + { + ok = ok && key->handle; + } + + return ok; +} + +static int +keymgmt_match(const void *keydata1, const void *keydata2, int selection) +{ + const XKEY_KEYDATA *key1 = keydata1; + const XKEY_KEYDATA *key2 = keydata2; + + xkey_dmsg(D_LOW, "entry"); + + int ret = key1 && key2 && key1->pubkey && key2->pubkey; + + /* our keys always have pubkey -- we only match them */ + + if (selection & OSSL_KEYMGMT_SELECT_KEYPAIR) + { + ret = ret && EVP_PKEY_eq(key1->pubkey, key2->pubkey); + xkey_dmsg(D_LOW, "checking key pair match: res = %d", ret); + } + + if (selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) + { + ret = ret && EVP_PKEY_parameters_eq(key1->pubkey, key2->pubkey); + xkey_dmsg(D_LOW, "checking parameter match: res = %d", ret); + } + + return ret; +} + +/* A minimal set of key params that we can return */ +static const OSSL_PARAM * +keymgmt_gettable_params(void *provctx) +{ + xkey_dmsg(D_LOW, "entry"); + + static OSSL_PARAM gettable[] = { + OSSL_PARAM_int(OSSL_PKEY_PARAM_BITS, NULL), + OSSL_PARAM_int(OSSL_PKEY_PARAM_SECURITY_BITS, NULL), + OSSL_PARAM_int(OSSL_PKEY_PARAM_MAX_SIZE, NULL), + OSSL_PARAM_END + }; + return gettable; +} + +static int +keymgmt_get_params(void *keydata, OSSL_PARAM *params) +{ + xkey_dmsg(D_LOW, "entry"); + + XKEY_KEYDATA *key = keydata; + if (!key || !key->pubkey) + { + return 0; + } + + return EVP_PKEY_get_params(key->pubkey, params); +} + +/** + * If the key is an encapsulated native key, we just call + * EVP_PKEY_set_params in the default context. Only those params + * supported by the default provider would work in this case. + */ +static int +keymgmt_set_params(void *keydata, const OSSL_PARAM *params) +{ + XKEY_KEYDATA *key = keydata; + ASSERT(key); + + xkey_dmsg(D_LOW, "entry"); + + if (key->origin != OPENSSL_NATIVE) + { + return 0; /* to be implemented */ + } + else if (key->handle == NULL) /* once handle is set our key is immutable */ + { + /* pubkey is always native -- just delegate */ + return EVP_PKEY_set_params(key->pubkey, (OSSL_PARAM *)params); + } + else + { + msg(M_WARN, "xkey keymgmt_set_params: key is immutable"); + } + return 1; +} + +static const char * +rsa_keymgmt_name(int id) +{ + xkey_dmsg(D_LOW, "entry"); + + return "RSA"; +} + +static const char * +ec_keymgmt_name(int id) +{ + xkey_dmsg(D_LOW, "entry"); + + return "EC"; +} + +static const OSSL_DISPATCH rsa_keymgmt_functions[] = { + {OSSL_FUNC_KEYMGMT_NEW, (void (*)(void)) keymgmt_new}, + {OSSL_FUNC_KEYMGMT_FREE, (void (*)(void)) keymgmt_free}, + {OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void)) keymgmt_load}, + {OSSL_FUNC_KEYMGMT_HAS, (void (*)(void)) keymgmt_has}, + {OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void)) keymgmt_match}, + {OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void)) rsa_keymgmt_import}, + {OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void)) keymgmt_import_types}, + {OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*) (void)) keymgmt_gettable_params}, + {OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*) (void)) keymgmt_get_params}, + {OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*) (void)) keymgmt_set_params}, + {OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (void (*) (void)) keymgmt_gettable_params}, /* same as gettable */ + {OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME, (void (*)(void)) rsa_keymgmt_name}, + {0, NULL } +}; + +static const OSSL_DISPATCH ec_keymgmt_functions[] = { + {OSSL_FUNC_KEYMGMT_NEW, (void (*)(void)) keymgmt_new}, + {OSSL_FUNC_KEYMGMT_FREE, (void (*)(void)) keymgmt_free}, + {OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void)) keymgmt_load}, + {OSSL_FUNC_KEYMGMT_HAS, (void (*)(void)) keymgmt_has}, + {OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void)) keymgmt_match}, + {OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void)) ec_keymgmt_import}, + {OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void)) keymgmt_import_types}, + {OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*) (void)) keymgmt_gettable_params}, + {OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*) (void)) keymgmt_get_params}, + {OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*) (void)) keymgmt_set_params}, + {OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (void (*) (void)) keymgmt_gettable_params}, /* same as gettable */ + {OSSL_FUNC_KEYMGMT_QUERY_OPERATION_NAME, (void (*)(void)) ec_keymgmt_name}, + {0, NULL } +}; + +const OSSL_ALGORITHM keymgmts[] = { + {"RSA:rsaEncryption", props, rsa_keymgmt_functions, "OpenVPN xkey RSA Key Manager"}, + {"RSA-PSS:RSASSA-PSS", props, rsa_keymgmt_functions, "OpenVPN xkey RSA-PSS Key Manager"}, + {"EC:id-ecPublicKey", props, ec_keymgmt_functions, "OpenVPN xkey EC Key Manager"}, + {NULL, NULL, NULL, NULL} +}; + /* main provider interface */ /* provider callbacks we implement */ @@ -80,7 +453,7 @@ query_operation(void *provctx, int op, int *no_store) return NULL; case OSSL_OP_KEYMGMT: - return NULL; + return keymgmts; default: xkey_dmsg(D_LOW, "op not supported");