From patchwork Sun Jan 14 08:44:31 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Selva Nair X-Patchwork-Id: 187 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director2.mail.ord1d.rsapps.net ([172.27.255.50]) by backend31.mail.ord1d.rsapps.net (Dovecot) with LMTP id MxunOm+zW1pnNwAAgoeIoA for ; Sun, 14 Jan 2018 14:45:52 -0500 Received: from proxy11.mail.iad3a.rsapps.net ([172.27.255.50]) by director2.mail.ord1d.rsapps.net (Dovecot) with LMTP id KV8dE2+zW1rMLgAAgYhSiA ; Sun, 14 Jan 2018 14:45:52 -0500 Received: from smtp31.gate.iad3a ([172.27.255.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy11.mail.iad3a.rsapps.net (Dovecot) with LMTP id mtP/L2+zW1rqRwAAxCvdqw ; Sun, 14 Jan 2018 14:45:51 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.34.181.88] Authentication-Results: smtp31.gate.iad3a.rsapps.net; iprev=pass policy.iprev="216.34.181.88"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=gmail.com; dmarc=fail (p=none; dis=none) header.from=gmail.com X-Classification-ID: 868da852-f963-11e7-a936-bc305bf59894-1-1 Received: from [216.34.181.88] ([216.34.181.88:9150] helo=lists.sourceforge.net) by smtp31.gate.iad3a.rsapps.net (envelope-from ) (ecelerity 4.2.1.56364 r(Core:4.2.1.14)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 8F/6E-29476-F63BB5A5; Sun, 14 Jan 2018 14:45:51 -0500 Received: from localhost ([127.0.0.1] helo=sfs-ml-1.v29.ch3.sourceforge.com) by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.89) (envelope-from ) id 1eaoD2-0004NS-HV; Sun, 14 Jan 2018 19:44:48 +0000 Received: from sfi-mx-4.v28.ch3.sourceforge.com ([172.29.28.194] helo=mx.sourceforge.net) by sfs-ml-1.v29.ch3.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from ) id 1eaoD0-0004NL-VS for openvpn-devel@lists.sourceforge.net; Sun, 14 Jan 2018 19:44:46 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:Cc: To:From:Sender:Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=fW442QIeT2mEE/OnNbjthT3i2Fs4Rd8nDKhK1hbNcxA=; b=OjeOwItCcGNLkPjnLZGwO/+JOb 1j144RO5ezdUpuYc7yBlrBKxOYqCJPzzodxNRfmXSiu3lLY0DWkxVICAYV42yjjYs+BWDp+q92f4m gwKTeQSzGrhy/dIXvZfKdVB/88aVzqJUSOCIjPjMoKc4Bad12R46C4+We2eVHkb9Q9+0=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=fW442QIeT2mEE/OnNbjthT3i2Fs4Rd8nDKhK1hbNcxA=; b=Team3d4gHNhsJAQ6GcD8Cnk+qE 0yzY2Q9DhpsuKGEukGMY7RvBQBGkMSeERMOuoRs6Ic6SAP83CzkqO8EcC7I99xLUAWnzr4Dk52k+t P72DE3KByDiAcjkwv1bwNfrjvzQ0zrooK0XDlXxsJTnRgJvBlPNC2TuExhLjghPaYnO8=; Received: from mail-it0-f66.google.com ([209.85.214.66]) by sfi-mx-4.v28.ch3.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.89) id 1eaoCz-0000rI-1b for openvpn-devel@lists.sourceforge.net; Sun, 14 Jan 2018 19:44:46 +0000 Received: by mail-it0-f66.google.com with SMTP id b77so14500978itd.0 for ; Sun, 14 Jan 2018 11:44:45 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=fW442QIeT2mEE/OnNbjthT3i2Fs4Rd8nDKhK1hbNcxA=; b=LaITuCnZvbhtq1hXg8sGJJ7ntpilSoIr0hPCdDSPoE3gEE5HqCNn8r2XbhX3E8oOkB yBqo1kr/IM82WUuK/KDKqQJKwxnG9eF+4ebFjrO2U+yFQok+d/0nvzdzP7AOO8yA9GgW U/mc5r9Hg7yAKUOtOQaXANe0WJLCnNY5RXJlYoU98pUGqotqHbSpvIUeZ5pj5GvBNSbA 0EcmCYFdX+OnFk8+LiFGktdgbAFg2qf4XGISo42xXpl0d9n4wZYQtxHDgpM354PAHOwo J3ZU7dqjeQOpn+Ffj2BI7TaPrgX3Y4TH2wstO5sEvniBOBLSWH8I1gd05aFuGMRNxWmt rHTw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=fW442QIeT2mEE/OnNbjthT3i2Fs4Rd8nDKhK1hbNcxA=; b=qoVpz5aExQuJgqQhjZL/Im0f4GpP7YMCrNlVic8yFNp/ZDPWPz2fgO6nh/NupDEh/m 1BtlJr9GYv3baJIoFIIgOoIggj2VXLnMEHrI8y8pQEJ4T+Xa1+sb6ls9/YMHUttsnkHu TGotSP8/ybf4u3XEAB820bdWrXNIWHs8nZKFIeYbzR8UgMz5aYvxIyWDDDRk3lzDSrIm e4UfkawyFjtTjEmCtZEc4kVXY8pbrB7/yL3jfobuDcNJb0B5lMjiRXJ5kMw3quVj/fUs kgmVNehFzpCYxfV7Pv1fo6xyOqfkdIPRwxJ7zNnA3vm42eqnrSoFf7zIcVTmGEScJ3tn KR+Q== X-Gm-Message-State: AKwxytcCz3H8SdW9iao1H0djkWjUrN3wKXM4jH5HLFwPvUz89G71S94Q bCUwwXh5/e7wGUqBUK1sGcp14wOe X-Google-Smtp-Source: ACJfBotX5T17TCWZVgyTSnX70njz7VUzsb2tIrDSJg4TUJph774UX5O+d+rH8m7Hojb/W7rQ4iDagw== X-Received: by 10.36.124.18 with SMTP id a18mr12520104itd.47.1515959079612; Sun, 14 Jan 2018 11:44:39 -0800 (PST) Received: from saturn.home.sansel.ca (CPE40167ea0e1c2-CM788df74daaa0.cpe.net.cable.rogers.com. [99.228.215.92]) by smtp.gmail.com with ESMTPSA id y64sm15244286ioy.25.2018.01.14.11.44.38 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 14 Jan 2018 11:44:39 -0800 (PST) From: selva.nair@gmail.com To: openvpn-devel@lists.sourceforge.net Date: Sun, 14 Jan 2018 14:44:31 -0500 Message-Id: <1515959073-10376-2-git-send-email-selva.nair@gmail.com> X-Mailer: git-send-email 2.1.4 In-Reply-To: <1515959073-10376-1-git-send-email-selva.nair@gmail.com> References: <1515959073-10376-1-git-send-email-selva.nair@gmail.com> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [209.85.214.66 listed in list.dnswl.org] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (selva.nair[at]gmail.com) -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.0 AWL AWL: Adjusted score from AWL reputation of From: address X-Headers-End: 1eaoCz-0000rI-1b Subject: [Openvpn-devel] [PATCH 1/3] Refactor ssl_openssl.c in prep for external EC key support X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox From: Selva Nair - Move setting of key method callbacks into a function No change in functionality. Signed-off-by: Selva Nair Acked-By: Arne Schwabe --- src/openvpn/ssl_openssl.c | 65 ++++++++++++++++++++++++++++++----------------- 1 file changed, 41 insertions(+), 24 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index d6d9acf..c29dbcf 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1063,20 +1063,17 @@ done: return ret; } -int -tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, - const char *cert_file, const char *cert_file_inline) +static int +tls_ctx_use_external_rsa_key(struct tls_root_ctx *ctx, EVP_PKEY *pkey) { RSA *rsa = NULL; RSA *pub_rsa; RSA_METHOD *rsa_meth; - X509 *cert = NULL; ASSERT(NULL != ctx); - tls_ctx_load_cert_file_and_copy(ctx, cert_file, cert_file_inline, &cert); - - ASSERT(NULL != cert); + pub_rsa = EVP_PKEY_get0_RSA(pkey); + ASSERT(NULL != pub_rsa); /* allocate custom RSA method object */ rsa_meth = RSA_meth_new("OpenVPN external private key RSA Method", @@ -1098,18 +1095,6 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, goto err; } - /* get the public key */ - EVP_PKEY *pkey = X509_get0_pubkey(cert); - ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */ - pub_rsa = EVP_PKEY_get0_RSA(pkey); - - /* Certificate might not be RSA but DSA or EC */ - if (!pub_rsa) - { - crypto_msg(M_WARN, "management-external-key requires a RSA certificate"); - goto err; - } - /* initialize RSA object */ const BIGNUM *n = NULL; const BIGNUM *e = NULL; @@ -1118,8 +1103,10 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY); if (!RSA_set_method(rsa, rsa_meth)) { + RSA_meth_free(rsa_meth); goto err; } + /* from this point rsa_meth will get freed with rsa */ /* bind our custom RSA object to ssl_ctx */ if (!SSL_CTX_use_RSAPrivateKey(ctx->ctx, rsa)) @@ -1127,15 +1114,10 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, goto err; } - X509_free(cert); RSA_free(rsa); /* doesn't necessarily free, just decrements refcount */ return 1; err: - if (cert) - { - X509_free(cert); - } if (rsa) { RSA_free(rsa); @@ -1147,6 +1129,41 @@ err: RSA_meth_free(rsa_meth); } } + return 0; +} + +int +tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, + const char *cert_file, const char *cert_file_inline) +{ + X509 *cert = NULL; + + ASSERT(NULL != ctx); + + tls_ctx_load_cert_file_and_copy(ctx, cert_file, cert_file_inline, &cert); + + ASSERT(NULL != cert); + + /* get the public key */ + EVP_PKEY *pkey = X509_get0_pubkey(cert); + ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */ + X509_free(cert); + + if (EVP_PKEY_get0_RSA(pkey)) + { + if (!tls_ctx_use_external_rsa_key(ctx, pkey)) + { + goto err; + } + } + else + { + crypto_msg(M_WARN, "management-external-key requires a RSA certificate"); + goto err; + } + return 1; + +err: crypto_msg(M_FATAL, "Cannot enable SSL external private key capability"); return 0; } From patchwork Sun Jan 14 08:44:32 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Selva Nair X-Patchwork-Id: 186 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director6.mail.ord1d.rsapps.net ([172.28.255.1]) by backend31.mail.ord1d.rsapps.net (Dovecot) with LMTP id 203QMWmzW1pnNwAAgoeIoA for ; Sun, 14 Jan 2018 14:45:45 -0500 Received: from director4.mail.ord1c.rsapps.net ([172.28.255.1]) by director6.mail.ord1d.rsapps.net (Dovecot) with LMTP id I3myMWmzW1qmagAAhgvE6Q ; Sun, 14 Jan 2018 14:45:45 -0500 Received: from smtp24.gate.ord1c ([172.28.255.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by director4.mail.ord1c.rsapps.net (Dovecot) with LMTP id Wix0HmqzW1p6CQAAsEL7Xg ; Sun, 14 Jan 2018 14:45:46 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.34.181.88] Authentication-Results: smtp24.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.34.181.88"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=gmail.com; dmarc=fail (p=none; dis=none) header.from=gmail.com X-Classification-ID: 83113842-f963-11e7-9d47-0026b94accf9-1-1 Received: from [216.34.181.88] ([216.34.181.88:9298] helo=lists.sourceforge.net) by smtp24.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.1.56364 r(Core:4.2.1.14)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 73/97-26998-963BB5A5; Sun, 14 Jan 2018 14:45:45 -0500 Received: from localhost ([127.0.0.1] helo=sfs-ml-4.v29.ch3.sourceforge.com) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.89) (envelope-from ) id 1eaoD2-0006U2-6z; Sun, 14 Jan 2018 19:44:48 +0000 Received: from sfi-mx-3.v28.ch3.sourceforge.com ([172.29.28.193] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from ) id 1eaoD1-0006Tw-So for openvpn-devel@lists.sourceforge.net; Sun, 14 Jan 2018 19:44:47 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:Cc: To:From:Sender:Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=0hLC2P0zTNaa+q1rC4hFWBiyQk/Z5ya77yxTxTgrl5M=; b=nStG1aT0IlKyGy2o9hN0h0piRK WcNz1A0eAoyCMbgohHVRpQHbpKIthCabviTnaKi6UxMAdTqq2Y1xKe6JSf9MICXOo4wjFgHgjjZ6C TXRQzn5fn1RMCOGQT2adBwB6LpALV3607XUzSij9fkGAJL46UxgV2N2i0vFbQtMrsi1k=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=0hLC2P0zTNaa+q1rC4hFWBiyQk/Z5ya77yxTxTgrl5M=; b=B9RUmnd4KI/GJuEpP1/QT8S/mC PWqAggm8ibN2ZnI5lQ+tzz0aa6jMWJuVRMzo9XJcMxVLsUFzxDOoTmhvgDjxwD7f1vOBgeCn+FM3V zVv4pttekENWF3qtFqYITYePftvWhsquHf/NvRNPZum1ne0RyM5XoadfZk6t0HYwoSjM=; Received: from mail-it0-f65.google.com ([209.85.214.65]) by sfi-mx-3.v28.ch3.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.89) id 1eaoD0-0001Fn-Ld for openvpn-devel@lists.sourceforge.net; Sun, 14 Jan 2018 19:44:47 +0000 Received: by mail-it0-f65.google.com with SMTP id c16so14472772itc.5 for ; Sun, 14 Jan 2018 11:44:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=0hLC2P0zTNaa+q1rC4hFWBiyQk/Z5ya77yxTxTgrl5M=; b=ho1wroNG+XcVaXeb0r6auEblu1BVkJ3B7rDyp9OcTtoq6mKcti8GY+1MQpdQkBYiFJ Bl6GeRPV7QmUx5f0DJ7cvqSJbcR2pzC3mehl8tawkQjNOXPFgIZqOI4jyDXFYHgQvkM+ QXNBmajqcOU9ypDeG09w6imn/8YhqZrY6wHlE6Q2ssT2/CQ3D6WQglKJRYaWhLfcg754 M8aV9UX2VI4SzwMrtBEHc0f/1dcMoYlsUfkLCU04ojGx5/G6kulIIGKX4aZ69DOKvlPw FH6otU6+ORA1+WEiX4o1STUTphw+aoW2hEn/jtlJR3L6Ym9SPBrfytzXbb4NWc6gnwes tnWg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=0hLC2P0zTNaa+q1rC4hFWBiyQk/Z5ya77yxTxTgrl5M=; b=C7hhZWCn2mcPwiiUe1DIRbNOkkXKbogNdJGD0orF5OW/fk8TYcPq1HwEZAlCpVnk9O SuyOWfZp6/w4oStAm3SBX37wqfjZiyKjvg5xTMrydutSnXvMRv7iHp8PkS2tDgytR4Fa zG3upTRkwgJA7Cr1bkJlsMCAZuvrD5hJyjpfUH++2OCLNzmooDLejtKnRFBf3SgW1Rz/ 613OwJImYvhd1ytIhhbfp3Hdewn7VQrHaUVG8fELtNGlfvrnLYAIRiRoPDQub1wFW+32 r6ZuKUhosG0BZyslULpRUr86sJQUdtZxTiW91tMVYWOEK2FfiTWvrNB9G9XhENdGhw1y 8IkQ== X-Gm-Message-State: AKwxytfJfAd1RvquNF8+pbUeqI6ZL0Dh9+EeaDAV5FSbUyjxITlABqPk faYKlY82w2rfNHLdZ9FGMxPgoS6x X-Google-Smtp-Source: ACJfBos0gZ/s4OkqFxU/ZnCRakRV1E2Me4Wurzlw6DgrzXCS9/al1YRFTYpy5U4ReJre+PYKN10YzQ== X-Received: by 10.36.151.6 with SMTP id k6mr12032672ite.94.1515959081110; Sun, 14 Jan 2018 11:44:41 -0800 (PST) Received: from saturn.home.sansel.ca (CPE40167ea0e1c2-CM788df74daaa0.cpe.net.cable.rogers.com. [99.228.215.92]) by smtp.gmail.com with ESMTPSA id y64sm15244286ioy.25.2018.01.14.11.44.40 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 14 Jan 2018 11:44:40 -0800 (PST) From: selva.nair@gmail.com To: openvpn-devel@lists.sourceforge.net Date: Sun, 14 Jan 2018 14:44:32 -0500 Message-Id: <1515959073-10376-3-git-send-email-selva.nair@gmail.com> X-Mailer: git-send-email 2.1.4 In-Reply-To: <1515959073-10376-1-git-send-email-selva.nair@gmail.com> References: <1515959073-10376-1-git-send-email-selva.nair@gmail.com> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (selva.nair[at]gmail.com) -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [209.85.214.65 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1eaoD0-0001Fn-Ld Subject: [Openvpn-devel] [PATCH 2/3] Allow external EC key through --management-external-key X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox From: Selva Nair - This automatically supports EC certificates through --management-external-cert - EC signature request from management has the same format as for rsa with >RSA_SIGN replaced by >ECDSA_SIGN Response should be of the form 'ecdsa-sig' followed by DER encoded signature as base64 followed by 'END' Signed-off-by: Selva Nair Tested-By: Arne Schwabe --- src/openvpn/manage.c | 30 ++++++++ src/openvpn/manage.h | 3 + src/openvpn/ssl_openssl.c | 169 ++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 202 insertions(+) diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index 55b106c..0152dee 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -113,6 +113,8 @@ man_help(void) #ifdef MANAGMENT_EXTERNAL_KEY msg(M_CLIENT, "rsa-sig : Enter an RSA signature in response to >RSA_SIGN challenge"); msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END"); + msg(M_CLIENT, "ecdsa-sig : Enter an ECDSA signature in response to >ECDSA_SIGN challenge"); + msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END"); msg(M_CLIENT, "certificate : Enter a client certificate in response to >NEED-CERT challenge"); msg(M_CLIENT, " Enter certificate base64 on subsequent lines followed by END"); #endif @@ -936,6 +938,7 @@ in_extra_dispatch(struct management *man) #endif /* ifdef MANAGEMENT_PF */ #ifdef MANAGMENT_EXTERNAL_KEY case IEC_RSA_SIGN: + case IEC_ECDSA_SIGN: man->connection.ext_key_state = EKS_READY; buffer_list_free(man->connection.ext_key_input); man->connection.ext_key_input = man->connection.in_extra; @@ -1119,6 +1122,22 @@ man_rsa_sig(struct management *man) } static void +man_ecdsa_sig(struct management *man) +{ + struct man_connection *mc = &man->connection; + if (mc->ext_key_state == EKS_SOLICIT) + { + mc->ext_key_state = EKS_INPUT; + mc->in_extra_cmd = IEC_ECDSA_SIGN; + in_extra_reset(mc, IER_NEW); + } + else + { + msg(M_CLIENT, "ERROR: The ecdsa-sig command is not currently available"); + } +} + +static void man_certificate(struct management *man) { struct man_connection *mc = &man->connection; @@ -1516,6 +1535,10 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha { man_rsa_sig(man); } + else if (streq(p[0], "ecdsa-sig")) + { + man_ecdsa_sig(man); + } else if (streq(p[0], "certificate")) { man_certificate(man); @@ -3655,6 +3678,13 @@ management_query_rsa_sig(struct management *man, &man->connection.ext_key_state, &man->connection.ext_key_input); } +char * +management_query_ecdsa_sig(struct management *man, + const char *b64_data) +{ + return management_query_multiline_flatten(man, b64_data, "ECDSA_SIGN", "ecdsa-sign", + &man->connection.ext_key_state, &man->connection.ext_key_input); +} char * management_query_cert(struct management *man, const char *cert_name) diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index 676be64..0b1ae5b 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -281,6 +281,7 @@ struct man_connection { #define IEC_CLIENT_PF 2 #define IEC_RSA_SIGN 3 #define IEC_CERTIFICATE 4 +#define IEC_ECDSA_SIGN 5 int in_extra_cmd; struct buffer_list *in_extra; #ifdef MANAGEMENT_DEF_AUTH @@ -441,6 +442,8 @@ void management_learn_addr(struct management *management, char *management_query_rsa_sig(struct management *man, const char *b64_data); +char *management_query_ecdsa_sig(struct management *man, const char *b64_data); + char *management_query_cert(struct management *man, const char *cert_name); #endif diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index c29dbcf..9379784 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1132,6 +1132,160 @@ err: return 0; } +#if OPENSSL_VERSION_NUMBER >= 0x10100001L && !defined(OPENSSL_NO_EC) + +/* called when EC_KEY is destroyed */ +static void +openvpn_extkey_ec_finish(EC_KEY *ec) +{ + /* release the method structure */ + const EC_KEY_METHOD *ec_meth = EC_KEY_get_method(ec); + EC_KEY_METHOD_free((EC_KEY_METHOD *) ec_meth); +} + +/* EC_KEY_METHOD callback: sign(). + * Sign the hash using EC key and return DER encoded signature in sig, + * its length in siglen. Return value is 1 on success, 0 on error. + */ +static int +ecdsa_sign(int type, const unsigned char *dgst, int dgstlen, unsigned char *sig, + unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *ec) +{ + char *in_b64 = NULL; + char *out_b64 = NULL; + int ret = 0; + int len; + + /* convert 'from' to base64 */ + if (openvpn_base64_encode(dgst, dgstlen, &in_b64) <= 0) + { + goto done; + } + + /* call MI for signature */ + if (management) + { + out_b64 = management_query_ecdsa_sig(management, in_b64); + } + if (!out_b64) + { + goto done; + } + + /* decode base64 signature to binary */ + len = ECDSA_size(ec); + *siglen = openvpn_base64_decode(out_b64, sig, len); + if (*siglen > 0) + { + ret = 1; + } + +done: + if (in_b64) + { + free(in_b64); + } + if (out_b64) + { + free(out_b64); + } + return ret; +} + +/* EC_KEY_METHOD callback: sign_setup(). We do no precomputations */ +static int +ecdsa_sign_setup(EC_KEY *ec, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) +{ + return 1; +} + +/* EC_KEY_METHOD callback: sign_sig(). + * Sign the hash and return the result as a newly allocated ECDS_SIG + * struct or NULL on error. + */ +static ECDSA_SIG * +ecdsa_sign_sig(const unsigned char *dgst, int dgstlen, const BIGNUM *in_kinv, + const BIGNUM *in_r, EC_KEY *ec) +{ + ECDSA_SIG *ecsig = NULL; + int len = ECDSA_size(ec); + struct gc_arena gc = gc_new(); + + unsigned char *buf = gc_malloc(len, false, &gc); + if (1 != ecdsa_sign(0, dgst, dgstlen, buf, &len, NULL, NULL, ec)) + { + goto out; + } + /* const char ** should be avoided: not up to us, so we cast our way through */ + ecsig = d2i_ECDSA_SIG(NULL, (const unsigned char **)&buf, len); + +out: + gc_free(&gc); + return ecsig; +} + +static int +tls_ctx_use_external_ec_key(struct tls_root_ctx *ctx, EVP_PKEY *pkey) +{ + EC_KEY *ec = NULL; + EVP_PKEY *privkey = NULL; + EC_KEY_METHOD *ec_method; + + ASSERT(ctx); + + ec_method = EC_KEY_METHOD_new(EC_KEY_OpenSSL()); + if (!ec_method) + { + goto err; + } + + /* Among init methods, we only need the finish method */ + EC_KEY_METHOD_set_init(ec_method, NULL, openvpn_extkey_ec_finish, NULL, NULL, NULL, NULL); + EC_KEY_METHOD_set_sign(ec_method, ecdsa_sign, ecdsa_sign_setup, ecdsa_sign_sig); + + ec = EC_KEY_dup(EVP_PKEY_get0_EC_KEY(pkey)); + if (!ec) + { + EC_KEY_METHOD_free(ec_method); + goto err; + } + if (!EC_KEY_set_method(ec, ec_method)) + { + EC_KEY_METHOD_free(ec_method); + goto err; + } + /* from this point ec_method will get freed when ec is freed */ + + privkey = EVP_PKEY_new(); + if (!EVP_PKEY_assign_EC_KEY(privkey, ec)) + { + goto err; + } + /* from this point ec will get freed when privkey is freed */ + + if (!SSL_CTX_use_PrivateKey(ctx->ctx, privkey)) + { + ec = NULL; /* avoid double freeing it below */ + goto err; + } + + EVP_PKEY_free(privkey); /* this will down ref privkey and ec */ + return 1; + +err: + /* Reach here only when ec and privkey can be independenly freed */ + if (privkey) + { + EVP_PKEY_free(privkey); + } + if(ec) + { + EC_KEY_free(ec); + } + return 0; +} +#endif // OPENSSL_VERSION_NUMBER > 1.1.0 dev + int tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, const char *cert_file, const char *cert_file_inline) @@ -1156,11 +1310,26 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, goto err; } } +#if OPENSSL_VERSION_NUMBER >= 0x10100001L && !defined(OPENSSL_NO_EC) + else if (EVP_PKEY_get0_EC_KEY(pkey)) + { + if (!tls_ctx_use_external_ec_key(ctx, pkey)) + { + goto err; + } + } + else + { + crypto_msg(M_WARN, "management-external-key requires an RSA or EC certificate"); + goto err; + } +#else else { crypto_msg(M_WARN, "management-external-key requires a RSA certificate"); goto err; } +#endif return 1; err: From patchwork Sun Jan 14 08:44:33 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Selva Nair X-Patchwork-Id: 185 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director1.mail.ord1d.rsapps.net ([172.27.255.52]) by backend31.mail.ord1d.rsapps.net (Dovecot) with LMTP id qzyGA2KzW1qtTgAAgoeIoA for ; Sun, 14 Jan 2018 14:45:38 -0500 Received: from proxy8.mail.iad3a.rsapps.net ([172.27.255.52]) by director1.mail.ord1d.rsapps.net (Dovecot) with LMTP id AWMuAGKzW1oRUwAANGzteQ ; Sun, 14 Jan 2018 14:45:38 -0500 Received: from smtp2.gate.iad3a ([172.27.255.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy8.mail.iad3a.rsapps.net (Dovecot) with LMTP id 054KJWGzW1ryagAAsBr/qg ; Sun, 14 Jan 2018 14:45:37 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.34.181.88] Authentication-Results: smtp2.gate.iad3a.rsapps.net; iprev=pass policy.iprev="216.34.181.88"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=gmail.com; dmarc=fail (p=none; dis=none) header.from=gmail.com X-Classification-ID: 7e49b280-f963-11e7-82b2-525400de56ae-1-1 Received: from [216.34.181.88] ([216.34.181.88:39043] helo=lists.sourceforge.net) by smtp2.gate.iad3a.rsapps.net (envelope-from ) (ecelerity 4.2.1.56364 r(Core:4.2.1.14)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id A7/A5-14469-163BB5A5; Sun, 14 Jan 2018 14:45:37 -0500 Received: from localhost ([127.0.0.1] helo=sfs-ml-3.v29.ch3.sourceforge.com) by sfs-ml-3.v29.ch3.sourceforge.com with esmtp (Exim 4.89) (envelope-from ) id 1eaoD4-0005Du-2V; Sun, 14 Jan 2018 19:44:50 +0000 Received: from sfi-mx-4.v28.ch3.sourceforge.com ([172.29.28.194] helo=mx.sourceforge.net) by sfs-ml-3.v29.ch3.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from ) id 1eaoD2-0005Do-VO for openvpn-devel@lists.sourceforge.net; Sun, 14 Jan 2018 19:44:48 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:Cc: To:From:Sender:Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=xTq2ULzRP34tQaoITp5GQVYKq9PkEJWAqGXwDhh12yo=; b=BIMl/po//fFO9Z6frckV+3rAoL bOGaQPa8Nqt9LrcuviAvvZizrGONG8KdqRZwmia/hAHs8rpS6PiizScVtXUKNYZezD5r5r2E4YZvq CvseWuGt0fHdWgcEYxhgb1aNP6SXHgZonRyyBWjjvsi2vOMNSma7bSllEshzFsJB+bng=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=xTq2ULzRP34tQaoITp5GQVYKq9PkEJWAqGXwDhh12yo=; b=d/9qGNUlFQ/Q7uyvREVOwmOgdf CDikDzWbJs3A52GemHdffKT/+/c9O2vsyzcdfyi5npgFzlc6trWaOCrSHejpAbt80yX4rXlmjgeYN 5WlqQSX9VlFhvGzyIP4n/YBhN88VCudk+A43tKovmdfoVEYC+lhU255d3g8pJeWHEzHg=; Received: from mail-io0-f196.google.com ([209.85.223.196]) by sfi-mx-4.v28.ch3.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.89) id 1eaoD2-0000rQ-3P for openvpn-devel@lists.sourceforge.net; Sun, 14 Jan 2018 19:44:48 +0000 Received: by mail-io0-f196.google.com with SMTP id d11so11028440iog.5 for ; Sun, 14 Jan 2018 11:44:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=xTq2ULzRP34tQaoITp5GQVYKq9PkEJWAqGXwDhh12yo=; b=qACLDTv7C3LMB+54Z9osvtfsPvKnyafjshKaTzO6Yu2Zmq7FshC06LmtljtFp+QlmS GpgYQP75RwZtSZkI5EUHzqOBmYNjkYWZXSe3lyoy8Py6tPxKIeN6X04mAEGWvrEK8vEM psABZLGs6OmrQqUqXVonab2hR4wYW6J1TDD7zTufO4Eiyp5Cg7dimPlIMvysEVEtidjO OIOzPTBlpouR0yEM1QoLFwuxJzvB2baiCEAZljemDghlA4IQjGhSq7q0Vmi2Xif+sqKF wnuB66PELIrUqbmCK54wwJzfNDFIIJXQQnL5mStfS7hrRYnEM0A4in0iH0zc8P+vaGLg 9u4Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=xTq2ULzRP34tQaoITp5GQVYKq9PkEJWAqGXwDhh12yo=; b=cRAUe5tZbz7aI2PJ6++MKjeziAxX4wW5pxIExcSs2nA5aPs1VGMNRIa0wuDCSGS0kU jv5D4cf0926v5OFhWC2AsP5TBpyJdfU6w2ny99nJQNcbs6u33l0N5VsvUtT5gYvv+5PZ hICNltkaw4KZwdFBSOQnW9ixgNvzrc/tfi1Hz1so7EdeggiRSrcU3BFYKY5Dp2fnBn52 DpXbqLEMv33uZ2Vn3BaiEG+ENBS2pARdB536uZ6JgCmxwjkUCLlOdJmkvWXFfPeSPjDc 4unZNeCSnKjDa412ut5tVgvVhXBJ9y0p0YRNvpb0oIwG+mwjTM45bI25WKMeCee6Xnfg xjeg== X-Gm-Message-State: AKwxytfrCEuz8htm/x7KBPdVjDuzmkkpuoL7EMgGkfwm+bM9PdQm0CBb zn556jPCYNDMpI3e2SA8z0OaathP X-Google-Smtp-Source: ACJfBou9yGpHs81/6OpRWe23QKWif0Mle8BoX+smJsxbtsIE2SV//8WXaqjpXj1cS5++r1Yt+zhmrA== X-Received: by 10.107.58.8 with SMTP id h8mr33216503ioa.284.1515959082614; Sun, 14 Jan 2018 11:44:42 -0800 (PST) Received: from saturn.home.sansel.ca (CPE40167ea0e1c2-CM788df74daaa0.cpe.net.cable.rogers.com. [99.228.215.92]) by smtp.gmail.com with ESMTPSA id y64sm15244286ioy.25.2018.01.14.11.44.41 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 14 Jan 2018 11:44:42 -0800 (PST) From: selva.nair@gmail.com To: openvpn-devel@lists.sourceforge.net Date: Sun, 14 Jan 2018 14:44:33 -0500 Message-Id: <1515959073-10376-4-git-send-email-selva.nair@gmail.com> X-Mailer: git-send-email 2.1.4 In-Reply-To: <1515959073-10376-1-git-send-email-selva.nair@gmail.com> References: <1515959073-10376-1-git-send-email-selva.nair@gmail.com> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (selva.nair[at]gmail.com) -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [209.85.223.196 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1eaoD2-0000rQ-3P Subject: [Openvpn-devel] [PATCH 3/3] Document management request >ECDSA_SIGN and response ecdsa-sig X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox From: Selva Nair Signed-off-by: Selva Nair Acked-By: Arne Schwabe --- doc/management-notes.txt | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/doc/management-notes.txt b/doc/management-notes.txt index a9ba18a..e2e8249 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -795,6 +795,36 @@ Base64 encoded output of RSA_private_encrypt() (OpenSSL) or mbedtls_pk_sign() This capability is intended to allow the use of arbitrary cryptographic service providers with OpenVPN via the management interface. +COMMAND -- ecdsa-sig (OpenVPN 2.5 or higher) +------------------------------------------ +Same as rsa-sig but for EC keys: requires openssl 1.1 + +Provides support for external storage of the EC private key. Requires the +--management-external-key option. This option can be used instead of "key" +in client mode, and allows the client to run without the need to load the +actual private key. When the SSL protocol needs to perform a sign +operation, the data to be signed will be sent to the management interface +via a notification as follows: + +>ECDSA_SIGN:[BASE64_DATA] + +The management interface client should then create a DER encoded signature of +the (decoded) BASE64_DATA using the private key and return the SSL signature as +follows: + +ecdsa-sig +[BASE64_SIG_LINE] +. +. +. +END + +Base64 encoded output of ECDSA_sign() (OpenSSL) or mbedtls_pk_sign() +(mbed TLS) will provide a correct signature. + +This capability is intended to allow the use of arbitrary cryptographic +service providers with OpenVPN via the management interface. + COMMAND -- certificate (OpenVPN 2.4 or higher) ---------------------------------------------- Provides support for external storage of the certificate. Requires the