From patchwork Sat Oct 28 01:03:25 2017
X-Patchwork-Submitter: James Bottomley
X-Patchwork-Id: 37
Message-ID: <1509192205.3021.7.camel@HansenPartnership.com>
From: James Bottomley
To: openvpn-devel@lists.sourceforge.net
Date: Sat, 28 Oct 2017 13:03:25 +0100
In-Reply-To: <1509192147.3021.6.camel@HansenPartnership.com>
References: <1509192147.3021.6.camel@HansenPartnership.com>
Subject: [Openvpn-devel] [PATCH 1/1] openssl: add engine method for loading the key

As well as doing crypto acceleration, engines can also be used to load key files. If the engine is set, and the private key loading fails for BIO methods, this patch makes openvpn try to get the engine to load the key. If that succeeds, we end up using an engine-based key. This can be used with the openssl TPM engines to make openvpn use a TPM-wrapped key file.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: James Bottomley --- src/openvpn/crypto_backend.h | 13 ++++++++++++ src/openvpn/crypto_openssl.c | 49 ++++++++++++++++++++++++++++++++++++++++++++ src/openvpn/ssl_openssl.c | 6 +++++- 3 files changed, 67 insertions(+), 1 deletion(-) diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index 567fd9b2..0b4a9ce9 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -669,4 +669,17 @@ const char *translate_cipher_name_from_openvpn(const char *cipher_name); */ const char *translate_cipher_name_to_openvpn(const char *cipher_name); +/** + * Load a key file from an engine + * + * @param file The engine file to load + * @param ui The UI method for the password prompt + * @param data The data to pass to the UI method + * + * @return The private key if successful or NULL if not + */ +EVP_PKEY * +engine_load_key(const char *file, SSL_CTX *ctx); + + #endif /* CRYPTO_BACKEND_H_ */ diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 0134e55d..ee16a496 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c 
@@ -969,4 +969,53 @@ hmac_ctx_final(HMAC_CTX *ctx, uint8_t *dst) HMAC_Final(ctx, dst, &in_hmac_len); } +static int +ui_read(UI *ui, UI_STRING *uis) +{ + SSL_CTX *ctx = UI_get0_user_data(ui); + + if (UI_get_string_type(uis) == UIT_PROMPT) { + pem_password_cb *cb = SSL_CTX_get_default_passwd_cb(ctx); + void *d = SSL_CTX_get_default_passwd_cb_userdata(ctx); + char password[64]; + + cb(password, sizeof(password), 0, d); + UI_set_result(ui, uis, password); + + return 1; + } + return 0; +} + +EVP_PKEY * +engine_load_key(const char *file, SSL_CTX *ctx) +{ + UI_METHOD *ui; + EVP_PKEY *pkey; + + if (!engine_persist) + return NULL; + + ui = UI_create_method("openvpn"); + + if (!ui) + return NULL; + + UI_method_set_reader(ui, ui_read); + + ERR_clear_error(); /* BIO read failure */ + if (!ENGINE_init(engine_persist)) { + ERR_print_errors_fp(stderr); + pkey = NULL; + goto out; + } + pkey = ENGINE_load_private_key(engine_persist, file, ui, ctx); + ENGINE_finish(engine_persist); + if (!pkey) + ERR_print_errors_fp(stderr); + out: + UI_destroy_method(ui); + return pkey; +} + #endif /* ENABLE_CRYPTO && ENABLE_CRYPTO_OPENSSL */ diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 92a662b5..52e9a869 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -839,7 +839,11 @@ tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx)); if (!pkey) { - goto end; + pkey = engine_load_key(priv_key_file, ctx->ctx); + if (!pkey) + { + goto end; + } } if (!SSL_CTX_use_PrivateKey(ssl_ctx, pkey))
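Review bot: in the crypto_backend.h hunk the new doc comment and the prototype disagree: the comment documents `@param ui` and `@param data`, but `engine_load_key(const char *file, SSL_CTX *ctx)` has no `ui` or `data` parameter and its `ctx` parameter is undocumented. Update the comment to match the signature (the UI method and its user data are created inside the function, not passed in). Separately, the prototype introduces the OpenSSL types `EVP_PKEY` and `SSL_CTX` into crypto_backend.h; if that header is shared with the other crypto backend, confirm it pulls in the OpenSSL declarations and that non-OpenSSL builds still compile, or move the prototype under the OpenSSL-only guard. The extra blank `+` line before `#endif /* CRYPTO_BACKEND_H_ */` also leaves two empty lines there.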
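Review bot: in the crypto_openssl.c hunk, `ui_read()` ignores the return value of `cb()` and then hands `password` to `UI_set_result()` as a C string. A `pem_password_cb` returns the passphrase length (or a value <= 0 on failure) and is not required to NUL-terminate the buffer, so on a cancelled or failed prompt, or a passphrase that fills all 64 bytes, `UI_set_result()` reads an unterminated, partly uninitialised stack buffer. Check the returned length, request at most `sizeof(password) - 1` bytes and terminate the string yourself, and wipe `password` after `UI_set_result()` so the passphrase does not stay on the stack; 64 bytes is also a tight limit for a passphrase, so consider sizing the buffer from `UI_get_result_maxsize()`. Also in this hunk: errors are reported with `ERR_print_errors_fp(stderr)` rather than through OpenVPN's `msg()` logging, so they never reach the log file or syslog; `ENGINE_finish(engine_persist)` is called immediately after `ENGINE_load_private_key()`, so please confirm the returned `EVP_PKEY` keeps its own engine reference for later use; and the brace style (`if (!ENGINE_init(engine_persist)) {` on one line, brace-less `if (!ui) return NULL;`) differs from the Allman style used elsewhere in the tree and in the ssl_openssl.c hunk of this same patch.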
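Review bot: in the ssl_openssl.c hunk the engine fallback runs on every failure of the BIO-based private key read, and once an engine is configured `engine_load_key()` calls `ERR_clear_error()` (commented `/* BIO read failure */`) before trying the engine, so a user whose ordinary PEM key is simply malformed now sees only the engine's error and loses the original one. Log the PEM failure, at least at debug level, before falling back, or only attempt the engine when the file does not parse as PEM. If `tls_ctx_load_priv_file()` also handles an inline key, skip the fallback in that case, since `priv_key_file` is then the key material itself rather than a path the engine can open.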
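The patch's `ui_read()` bridges the `SSL_CTX`'s `pem_password_cb` into an OpenSSL UI reader so that an engine can prompt for the key's passphrase. The following is an added example, not code from this patch or from OpenVPN, showing that bridge written defensively against the `pem_password_cb` contract: the callback returns the passphrase length, need not NUL-terminate the buffer, and returns a value <= 0 on failure or cancel. It deliberately does not link against libcrypto: the `pem_password_cb_t` typedef mirrors OpenSSL's `pem_password_cb` signature (an assumption stated in the code), the three callbacks are constructed test doubles, and in a real `UI_METHOD` reader the resulting string is what would be passed to `UI_set_result()`.

```c
#include <stdio.h>
#include <string.h>

/* Mirrors OpenSSL's pem_password_cb signature (assumption: no libcrypto is
 * linked here). Contract: write up to `size` bytes of passphrase into buf,
 * not necessarily NUL-terminated, and return its length, or <= 0 on failure. */
typedef int (*pem_password_cb_t)(char *buf, int size, int rwflag, void *userdata);

/* Best-effort secure wipe; the volatile store keeps the compiler from eliding it. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
    {
        *v++ = 0;
    }
}

/*
 * Run a pem_password_cb and turn its result into a NUL-terminated string
 * suitable for UI_set_result(). Returns 1 on success, 0 on cancel/error.
 * On failure `out` is wiped so no partial passphrase lingers on the stack.
 */
int bridge_password(pem_password_cb_t cb, void *userdata, char *out, size_t out_size)
{
    int len;

    if (cb == NULL || out == NULL || out_size < 2)
    {
        return 0;
    }

    /* Offer one byte less than we own: the callback may fill everything it
     * is given, and we need room for the terminator. */
    len = cb(out, (int)(out_size - 1), 0, userdata);

    if (len <= 0                               /* cancelled or failed */
        || (size_t)len > out_size - 1          /* misbehaving callback over-claimed */
        || memchr(out, '\0', (size_t)len))     /* embedded NUL would silently truncate */
    {
        wipe(out, out_size);
        return 0;
    }
    out[len] = '\0';
    return 1;
}

/* ---- constructed test doubles, not OpenVPN code ---- */

/* Copies a fixed passphrase with no terminator, exactly as the contract allows. */
static int cb_fixed(char *buf, int size, int rwflag, void *u)
{
    const char *pw = (const char *)u;
    int n = (int)strlen(pw);
    (void)rwflag;
    if (n > size)
    {
        return -1;  /* does not fit: report failure rather than truncate */
    }
    memcpy(buf, pw, (size_t)n);
    return n;
}

/* Models the user cancelling the prompt. */
static int cb_cancel(char *buf, int size, int rwflag, void *u)
{
    (void)buf; (void)size; (void)rwflag; (void)u;
    return -1;
}

/* Fills the whole buffer and claims one byte more than it was given. */
static int cb_overclaim(char *buf, int size, int rwflag, void *u)
{
    (void)rwflag; (void)u;
    memset(buf, 'A', (size_t)size);
    return size + 1;
}

int main(void)
{
    char pw[64];
    int ok = bridge_password(cb_fixed, "correct horse", pw, sizeof pw);

    printf("fixed:     %d (%s)\n", ok, ok ? pw : "");
    printf("cancel:    %d\n", bridge_password(cb_cancel, NULL, pw, sizeof pw));
    printf("overclaim: %d\n", bridge_password(cb_overclaim, NULL, pw, sizeof pw));
    wipe(pw, sizeof pw);
    return 0;
}
```

The design point is that the bridge, not the callback, owns the terminator byte and the cleanup: it asks for one byte less than it holds, refuses any length it did not make room for, and zeroes the buffer on every failure path, so a cancelled prompt can never leak stack contents into the UI result.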