From patchwork Wed Mar 15 01:35:15 2023
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 3132
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 14 Mar 2023 21:35:15 -0400
Message-Id: <20230315013516.1256700-4-selva.nair@gmail.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230315013516.1256700-1-selva.nair@gmail.com>
References: <20230315013516.1256700-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 3/4] Refactor SSL_CTX_use_CryptoAPI_certificate()

From: Selva Nair

- Loading the certificate and key into the provider is split out of
  setting up the SSL context. This allows testing of signing by
  cryptoapi-provider interface without dependence on SSL context or
  link-time wrapping.

Change-Id: I269b94589636425e1ba9bf953047d238fa830376
Signed-off-by: Selva Nair
Acked-by: Gert Doering
---
 src/openvpn/cryptoapi.c | 63 +++++++++++++++++++++++++++--------------
 1 file changed, 41 insertions(+), 22 deletions(-)
diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index 022f53d4..20b7d985 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -401,11 +401,17 @@ get_cert_name(const CERT_CONTEXT *cc, struct gc_arena *gc) return name; } -int -SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) +/** + * Load certificate matching 'cert_prop' from Windows cert store + * into xkey provider and return pointers to X509 cert and private key. + * Returns 1 on success, 0 on error. + * Caller must free 'cert' and 'privkey' after use. + */ +static int +Load_CryptoAPI_certificate(const char *cert_prop, X509 **cert, EVP_PKEY **privkey) { + HCERTSTORE cs; - X509 *cert = NULL; CAPI_DATA *cd = calloc(1, sizeof(*cd)); struct gc_arena gc = gc_new(); @@ -450,9 +456,9 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) } /* cert_context->pbCertEncoded is the cert X509 DER encoded. */ - cert = d2i_X509(NULL, (const unsigned char **) &cd->cert_context->pbCertEncoded, - cd->cert_context->cbCertEncoded); - if (cert == NULL) + *cert = d2i_X509(NULL, (const unsigned char **) &cd->cert_context->pbCertEncoded, + cd->cert_context->cbCertEncoded); + if (*cert == NULL) { msg(M_NONFATAL, "Error in cryptoapicert: X509 certificate decode failed"); goto err; 
@@ -468,28 +474,16 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) /* private key may be in a token not available, or incompatible with CNG */ msg(M_NONFATAL|M_ERRNO, "Error in cryptoapicert: failed to acquire key. Key not present or " "is in a legacy token not supported by Windows CNG API"); - goto err; - } - - /* Public key in cert is NULL until we call SSL_CTX_use_certificate(), - * so we do it here then... */ - if (!SSL_CTX_use_certificate(ssl_ctx, cert)) - { + X509_free(*cert); goto err; } /* the public key */ - EVP_PKEY *pkey = X509_get_pubkey(cert); + EVP_PKEY *pkey = X509_get_pubkey(*cert); cd->pubkey = pkey; /* will be freed with cd */ - /* SSL_CTX_use_certificate() increased the reference count in 'cert', so - * we decrease it here with X509_free(), or it will never be cleaned up. */ - X509_free(cert); - cert = NULL; - - EVP_PKEY *privkey = xkey_load_generic_key(tls_libctx, cd, pkey, - xkey_cng_sign, (XKEY_PRIVKEY_FREE_fn *) CAPI_DATA_free); - SSL_CTX_use_PrivateKey(ssl_ctx, privkey); + *privkey = xkey_load_generic_key(tls_libctx, cd, pkey, + xkey_cng_sign, (XKEY_PRIVKEY_FREE_fn *) CAPI_DATA_free); gc_free(&gc); return 1; /* do not free cd -- its kept by xkey provider */ @@ -498,5 +492,30 @@ err: gc_free(&gc); return 0; } + +int +SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) +{ + X509 *cert = NULL; + EVP_PKEY *privkey = NULL; + int ret = 0; + + if (!Load_CryptoAPI_certificate(cert_prop, &cert, &privkey)) + { + return ret; + } + if (SSL_CTX_use_certificate(ssl_ctx, cert) + && SSL_CTX_use_PrivateKey(ssl_ctx, privkey)) + { + ret = 1; + } + + /* Always free cert and privkey even if retained by ssl_ctx as + * they are reference counted */ + X509_free(cert); + EVP_PKEY_free(privkey); + return ret; +} + #endif /* HAVE_XKEY_PROVIDER */ #endif /* _WIN32 */
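Review bot: in the first hunk (@@ -401,11 +401,17 @@) the new doc comment on Load_CryptoAPI_certificate() says the caller must free 'cert' and 'privkey' after use but does not say what the two out-parameters hold when 0 is returned; since the function only assigns them on the success path, either state that they are left untouched (the new caller does initialise both to NULL) or set `*cert = NULL; *privkey = NULL;` on entry so the contract does not depend on the caller. Minor style point in the same hunk: a capitalised static helper name (Load_CryptoAPI_certificate) reads like the public SSL_CTX_use_* API; a lowercase name such as load_cryptoapi_certificate would match the file's other static helpers, for example get_cert_name() visible in the hunk context.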
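Review bot: in the third hunk (@@ -468,28 +474,16 @@) the failed-to-acquire-key path now does `X509_free(*cert); goto err;` but leaves `*cert` pointing at freed memory, and the `err:` label (shown as context at the start of the last hunk) only does `gc_free(&gc); return 0;`, so any other `goto err` taken after d2i_X509() has succeeded leaks the decoded certificate. Suggest setting `*cert = NULL` after the free, or better moving the X509_free(*cert) / `*cert = NULL` pair under `err:` so every failure path after decoding releases it. In the same hunk the result of xkey_load_generic_key() is stored in `*privkey` and the function returns 1 without checking it for NULL; a NULL key is then reported as success and only surfaces later as an unlogged failure of SSL_CTX_use_PrivateKey() in the caller. An `if (!*privkey) { msg(M_NONFATAL, "Error in cryptoapicert: ..."); goto err; }` would keep the diagnostic next to its cause (the trailing comment says cd is kept by the xkey provider, so whether cd must still be freed on that path needs checking).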
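Review bot: in the last hunk (@@ -498,5 +492,30 @@) the new SSL_CTX_use_CryptoAPI_certificate() returns 0 when SSL_CTX_use_certificate() or SSL_CTX_use_PrivateKey() fails but logs nothing, whereas every failure inside Load_CryptoAPI_certificate() emits an "Error in cryptoapicert: ..." message; a user whose certificate loads fine from the store but is rejected by the context (for example when the key does not match the certificate) gets no cryptoapicert diagnostic at all. Suggest a msg(M_NONFATAL, ...) in the failure branch, ideally with the OpenSSL error queue contents. The "Always free cert and privkey" comment and the unconditional X509_free()/EVP_PKEY_free() are the right pattern for the reference-counted objects.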