From patchwork Tue Dec 14 05:59:16 2021
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 2176
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 14 Dec 2021 11:59:16 -0500
Message-Id: <20211214165928.30676-7-selva.nair@gmail.com>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20211214165928.30676-1-selva.nair@gmail.com>
References: <20211214165928.30676-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH v3 06/18] A helper function to import private key for management-external-key

From: Selva Nair

- Leverage keymgmt_import through EVP_PKEY_new_fromdata() to import "management-external-key"
- When required, use this to set SSL_CTX_use_PrivateKey

The sign_op is not implemented yet. This will error out while signing with --management-external-key. The next commit fixes that.
Signed-off-by: Selva Nair Acked-By: Arne Schwabe --- src/openvpn/Makefile.am | 1 + src/openvpn/ssl_openssl.c | 11 ++++ src/openvpn/xkey_common.h | 11 ++++ src/openvpn/xkey_helper.c | 106 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 129 insertions(+) create mode 100644 src/openvpn/xkey_helper.c diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am index 432efe73..0331298b 100644 --- a/src/openvpn/Makefile.am +++ b/src/openvpn/Makefile.am @@ -129,6 +129,7 @@ openvpn_SOURCES = \ tun.c tun.h \ vlan.c vlan.h \ xkey_provider.c xkey_common.h \ + xkey_helper.c \ win32.h win32.c \ win32-util.h win32-util.c \ cryptoapi.h cryptoapi.c diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index bdaa7a2b..23c74f55 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1486,6 +1486,15 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) EVP_PKEY *pkey = X509_get0_pubkey(cert); ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */ +#ifdef HAVE_XKEY_PROVIDER + EVP_PKEY *privkey = xkey_load_management_key(tls_libctx, pkey); + if (!privkey + || !SSL_CTX_use_PrivateKey(ctx->ctx, privkey)) + { + goto cleanup; + } + EVP_PKEY_free(privkey); +#else if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) { if (!tls_ctx_use_external_rsa_key(ctx, pkey)) @@ -1514,6 +1523,8 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) } #endif /* OPENSSL_VERSION_NUMBER > 1.1.0 dev && !defined(OPENSSL_NO_EC) */ +#endif /* HAVE_XKEY_PROVIDER */ + ret = 0; cleanup: if (ret) diff --git a/src/openvpn/xkey_common.h b/src/openvpn/xkey_common.h index f46bacd2..5bda5e30 100644 --- a/src/openvpn/xkey_common.h +++ b/src/openvpn/xkey_common.h 
@@ -82,6 +82,17 @@ typedef int (XKEY_EXTERNAL_SIGN_fn)(void *handle, unsigned char *sig, size_t *si */ typedef void (XKEY_PRIVKEY_FREE_fn)(void *handle); +/** + * Generate an encapsulated EVP_PKEY for management-external-key + * + * @param libctx library context in which xkey provider has been loaded + * @param pubkey corresponding pubkey in the default provider's context + * + * @returns a new EVP_PKEY in the provider's keymgmt context. + * The pubkey is up-refd if retained -- the caller can free it after return + */ +EVP_PKEY *xkey_load_management_key(OSSL_LIB_CTX *libctx, EVP_PKEY *pubkey); + #endif /* HAVE_XKEY_PROVIDER */ #endif /* XKEY_COMMON_H_ */ diff --git a/src/openvpn/xkey_helper.c b/src/openvpn/xkey_helper.c new file mode 100644 index 00000000..51cfb12b --- /dev/null +++ b/src/openvpn/xkey_helper.c 
@@ -0,0 +1,106 @@ +/* + * OpenVPN -- An application to securely tunnel IP networks + * over a single TCP/UDP port, with support for SSL/TLS-based + * session authentication and key exchange, + * packet encryption, packet authentication, and + * packet compression. + * + * Copyright (C) 2021 Selva Nair + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by the + * Free Software Foundation, either version 2 of the License, + * or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifdef HAVE_CONFIG_H +#include +#elif defined(_MSC_VER) +#include "config-msvc.h" +#endif + +#include "syshead.h" +#include "error.h" +#include "buffer.h" +#include "xkey_common.h" + +#ifdef HAVE_XKEY_PROVIDER + +#include +#include +#include +#include +#include +#include +#include +#include + +static const char *const props = XKEY_PROV_PROPS; + +XKEY_EXTERNAL_SIGN_fn xkey_management_sign; + +/** + * Load external key for signing via management interface. + * The public key must be passed in by the caller as we may not + * be able to get it from the management. + * Returns an EVP_PKEY object attached to xkey provider. + * Caller must free it when no longer needed. + */ +EVP_PKEY * +xkey_load_management_key(OSSL_LIB_CTX *libctx, EVP_PKEY *pubkey) +{ + EVP_PKEY *pkey = NULL; + ASSERT(pubkey); + + /* Management interface doesnt require any handle to be + * stored in the key. 
We use a dummy pointer as we do need a + * non-NULL value to indicate private key is avaialble. + */ + void *dummy = & "dummy"; + + const char *origin = "management"; + XKEY_EXTERNAL_SIGN_fn *sign_op = xkey_management_sign; + + /* UTF8 string pointers in here are only read from, so cast is safe */ + OSSL_PARAM params[] = { + {"xkey-origin", OSSL_PARAM_UTF8_STRING, (char *) origin, 0, 0}, + {"pubkey", OSSL_PARAM_OCTET_STRING, &pubkey, sizeof(pubkey), 0}, + {"handle", OSSL_PARAM_OCTET_PTR, &dummy, sizeof(dummy), 0}, + {"sign_op", OSSL_PARAM_OCTET_PTR, (void **) &sign_op, sizeof(sign_op), 0}, + {NULL, 0, NULL, 0, 0}}; + + /* Do not use EVP_PKEY_new_from_pkey as that will take keymgmt from pubkey */ + EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(libctx, EVP_PKEY_get0_type_name(pubkey), props); + if (!ctx + || EVP_PKEY_fromdata_init(ctx) != 1 + || EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) != 1) + { + msg(M_NONFATAL, "Error loading key into ovpn.xkey provider"); + } + if (ctx) + { + EVP_PKEY_CTX_free(ctx); + } + + return pkey; +} + +/* not yet implemented */ +int +xkey_management_sign(void *unused, unsigned char *sig, size_t *siglen, + const unsigned char *tbs, size_t tbslen, XKEY_SIGALG alg) +{ + msg(M_FATAL, "FATAL ERROR: A sign callback for this key is not implemented."); + return 0; +} + +#endif /* HAVE_XKEY_PROVIDER */
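Review bot: In the HAVE_XKEY_PROVIDER branch of tls_ctx_use_management_external_key() (first ssl_openssl.c hunk), `privkey` leaks when SSL_CTX_use_PrivateKey() fails: the `goto cleanup` bypasses the `EVP_PKEY_free(privkey)` that only runs on the success path, and `privkey` is scoped inside the #ifdef so the `cleanup:` label cannot release it. Suggest freeing before the jump, e.g. `if (!privkey || !SSL_CTX_use_PrivateKey(ctx->ctx, privkey)) { EVP_PKEY_free(privkey); goto cleanup; }` (EVP_PKEY_free() accepts NULL), or moving the free into the cleanup path. A log line saying which of the two steps failed would also help, since the only diagnostic on this path is the M_NONFATAL inside xkey_load_management_key(), which says nothing when SSL_CTX_use_PrivateKey() is what rejects the key.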
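Review bot: The doc comment for xkey_load_management_key() in the xkey_common.h hunk documents the success case only; it should state that NULL is returned on failure (after an M_NONFATAL message), because the caller in ssl_openssl.c relies on exactly that NULL check to bail out. Worth adding a `@returns NULL on failure` line alongside the existing "@returns a new EVP_PKEY in the provider's keymgmt context."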
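Review bot: Two typos in the comment block of xkey_load_management_key() in the new xkey_helper.c: "doesnt" should be "doesn't" and "avaialble" should be "available". Separately, the placeholder xkey_management_sign() leaves `sig`, `siglen`, `tbs`, `tbslen` and `alg` untouched, which trips -Wunused-parameter builds until the next commit fills it in; if that warning is enabled in CI, `(void)` casts on the unused arguments would keep this intermediate commit warning-free.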