From patchwork Thu Apr 26 04:24:24 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Selva Nair X-Patchwork-Id: 329 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director7.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net (Dovecot) with LMTP id E9iSAm7h4VquCwAAIUCqbw for ; Thu, 26 Apr 2018 10:25:50 -0400 Received: from proxy6.mail.ord1d.rsapps.net ([172.30.191.6]) by director7.mail.ord1d.rsapps.net (Dovecot) with LMTP id 07gVAm7h4VoIegAAovjBpQ ; Thu, 26 Apr 2018 10:25:50 -0400 Received: from smtp9.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy6.mail.ord1d.rsapps.net with LMTP id sMIwAm7h4VrOYQAAQyIf0w ; Thu, 26 Apr 2018 10:25:50 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp9.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=gmail.com; dmarc=fail (p=none; dis=none) header.from=gmail.com X-Suspicious-Flag: YES X-Classification-ID: b718714c-495d-11e8-a930-525400bd3b1f-1-1 Received: from [216.105.38.7] ([216.105.38.7:43943] helo=lists.sourceforge.net) by smtp9.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.1.56364 r(Core:4.2.1.14)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 0E/0B-07488-D61E1EA5; Thu, 26 Apr 2018 10:25:49 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1fBhp8-0000UZ-Un; Thu, 26 Apr 2018 14:24:38 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1fBhp7-0000UT-Si for openvpn-devel@lists.sourceforge.net; Thu, 26 Apr 2018 14:24:37 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To: MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=X3YgFMQNmCR7NM4SD5uxrCsOnu016ZXf20+q2FO77kQ=; b=ejNUleBIbEsKC5/IdZVE69kWJx rDhqVREFZCV8BeqYlIRVoRniUesUIVmJ2Q3i+Am9TU52q4vd3D8VagIdiOy8PD4dUutNDhorLbGQd fD6CDoIItUl/KZ/ACMbbbbTnXUH1UK09QhN93GoePjUh+OXNTaE18kqLRSK5jRtiLTKY=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:MIME-Version: Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=X3YgFMQNmCR7NM4SD5uxrCsOnu016ZXf20+q2FO77kQ=; b=FeTjLGanBA4MlORqfySvTXN3Sf jmCED0DDk1Gmpj/mqj0YDBP7qM8zoK+SQ2pHaPuJlTTDsX2xW1gKdsFgPjvOdrs8NeI+cTKZmyRQ5 r7rs3yjQRsHeneuvZS214FQoob87p0yEMLOhQR3J1n1glzYyBO/g012Q/zATAhJ8CF/E=; Received: from mail-io0-f174.google.com ([209.85.223.174]) by sfi-mx-3.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.90_1) id 1fBhp6-00CsSj-6q for openvpn-devel@lists.sourceforge.net; Thu, 26 Apr 2018 14:24:37 +0000 Received: by mail-io0-f174.google.com with SMTP id z4-v6so7565815iof.5 for ; Thu, 26 Apr 2018 07:24:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=X3YgFMQNmCR7NM4SD5uxrCsOnu016ZXf20+q2FO77kQ=; b=PQj9hiV+7jw0tjefNBSraK/A7tz5XHgNJRs5fhbx5GFV5BgM5CofVGGMu1WeXKarLK WyGF47fcGrrhO+37ZH2SFDHKRODDEK7ak5St2bs3TJRIf+I4Y7q3iCpJZB175JQ4t9H1 QpsMsRp19m8xpl8cv0sTb0TDp+s49QuEY6IjZMgEZDZYhg9FNc0g2AgoXIIc86NkROAQ 61+0d3mJ6wlC/YpppTk2Be3+84VtYWN5OiyxnBDFKpnyoL8jJBMZvIAXLHpQmbg8Lw2F tDQoaJuqBQLhZrTHGHlke9ZOQ9JxEhVMENuY/zWShAYg3desdUjfHXkmSFbFl90ya8B1 BPyQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=X3YgFMQNmCR7NM4SD5uxrCsOnu016ZXf20+q2FO77kQ=; b=rSLomFrJvOCjhsCzTYpKP2kAFrobcnMohzhD/IV7Qgmrm5T5Y3vU2FX4iMRxTUsBmG JfZ8i4NiIYiY9IvucfCN9Hve/AjdknLx1yr36agNK1jVxMnMpYWMILKEugJW+BhGLia4 rgmW9PI4OPfXTdaeRMVL5RLuU6W9EHEwiD4JLAiZhPAN0QxrYE/9GW6hvdKmF2oyHjEf 2fngmNKnftqFtm/XUvQXLYukie3WJl+Oz3HVi5hOydTRrAMLymrdbs+/QVzgE3tuD00k AzAZuh5+y2PMY0vs/quJHSrbl141tAr9/ouwaiwekqurVU5VLz27hFnocE64sUv4gCWR R5aw== X-Gm-Message-State: ALQs6tDQVPQads0Qb1U/kUBxWhbNQANep3qXpxjv9AskAs8f6kyUqx0w IgHZb8eWd5BSYsiCzBsXWv68FjvS X-Google-Smtp-Source: AIpwx4/bGygEmsW+Q0EnsR5sTwcAzduguPVbygJezQu1IVTsnc9z7Vmrfaiu5j3y62qnq9T0r3U3YQ== X-Received: by 2002:a6b:ad89:: with SMTP id m9-v6mr35047797ioo.1.1524752670187; Thu, 26 Apr 2018 07:24:30 -0700 (PDT) Received: from saturn.home.sansel.ca (CPE40167ea0e1c2-CM788df74daaa0.cpe.net.cable.rogers.com. [99.228.215.92]) by smtp.gmail.com with ESMTPSA id g62-v6sm6977293ioj.17.2018.04.26.07.24.29 (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Thu, 26 Apr 2018 07:24:29 -0700 (PDT) From: selva.nair@gmail.com To: openvpn-devel@lists.sourceforge.net Date: Thu, 26 Apr 2018 10:24:24 -0400 Message-Id: <1524752664-27946-1-git-send-email-selva.nair@gmail.com> X-Mailer: git-send-email 2.1.4 X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at http://www.dnswl.org/, no trust [209.85.223.174 listed in list.dnswl.org] 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider (selva.nair[at]gmail.com) -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.223.174 listed in wl.mailspike.net] -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.0 AWL AWL: Adjusted score from AWL reputation of From: address X-Headers-End: 1fBhp6-00CsSj-6q Subject: [Openvpn-devel] [PATCH] Pass the hash without the DigestInfo header to NCryptSignHash() X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox From: Selva Nair In case of TLS 1.2 signatures, the callback rsa_priv_enc() gets the hash with the DigestInfo prepended. Signing this using NCryptSignHash() with hash algorithm id set to NULL works in most cases. But when using some hardware tokens, the data gets interpreted as the pre TLS 1.2 MD5+SHA1 hash and is silently truncated to 36 bytes. Avoid this by passing the raw hash to NCryptSignHash() and let it add the DigestInfo. To get the raw hash we set the RSA_sign() method in the rsa_method structure. This callback bypasses rsa_priv_enc() and gets called with the hash type and the hash. Fixes Trac #1050 Acked-by: Steffan Karger --- Tested by JJK and gizi as described in Trac #1050 src/openvpn/cryptoapi.c | 84 ++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 79 insertions(+), 5 deletions(-) diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index 89d253c..d765954 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -217,14 +217,16 @@ rsa_pub_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, in * Sign the hash in 'from' using NCryptSignHash(). This requires an NCRYPT * key handle in cd->crypt_prov. On return the signature is in 'to'. Returns * the length of the signature or 0 on error. + * If the hash_algo is not NULL, PKCS #1 DigestInfo header gets added + * to 'from', else it is signed as is. * For now we support only RSA and the padding is assumed to be PKCS1 v1.5 */ static int -priv_enc_CNG(const CAPI_DATA *cd, const unsigned char *from, int flen, - unsigned char *to, int tlen, int padding) +priv_enc_CNG(const CAPI_DATA *cd, const wchar_t *hash_algo, const unsigned char *from, + int flen, unsigned char *to, int tlen, int padding) { NCRYPT_KEY_HANDLE hkey = cd->crypt_prov; - DWORD len; + DWORD len = 0; ASSERT(cd->key_spec == CERT_NCRYPT_KEY_SPEC); msg(D_LOW, "Signing hash using CNG: data size = %d", flen); @@ -232,7 +234,7 @@ priv_enc_CNG(const CAPI_DATA *cd, const unsigned char *from, int flen, /* The hash OID is already in 'from'. So set the hash algorithm * in the padding info struct to NULL. */ - BCRYPT_PKCS1_PADDING_INFO padinfo = {NULL}; + BCRYPT_PKCS1_PADDING_INFO padinfo = {hash_algo}; DWORD status; status = NCryptSignHash(hkey, padding? &padinfo : NULL, (BYTE*) from, flen, @@ -270,7 +272,7 @@ rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i } if (cd->key_spec == CERT_NCRYPT_KEY_SPEC) { - return priv_enc_CNG(cd, from, flen, to, RSA_size(rsa), padding); + return priv_enc_CNG(cd, NULL, from, flen, to, RSA_size(rsa), padding); } /* Unfortunately, there is no "CryptSign()" function in CryptoAPI, that would @@ -334,6 +336,69 @@ rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i return len; } +/* + * Sign the hash in |m| and return the signature in |sig|. + * Returns 1 on success, 0 on error. + * NCryptSignHash() is used to sign and it is instructed to add the + * the PKCS #1 DigestInfo header to |m| unless the hash algorithm is + * the MD5/SHA1 combination used in TLS 1.1 and earlier versions. + */ +static int +rsa_sign_CNG(int type, const unsigned char *m, unsigned int m_len, + unsigned char *sig, unsigned int *siglen, const RSA *rsa) +{ + CAPI_DATA *cd = (CAPI_DATA *) RSA_meth_get0_app_data(RSA_get_method(rsa)); + const wchar_t *alg = NULL; + int padding = RSA_PKCS1_PADDING; + + *siglen = 0; + if (cd == NULL) + { + RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + + switch (type) + { + case NID_md5: + alg = BCRYPT_MD5_ALGORITHM; + break; + + case NID_sha1: + alg = BCRYPT_SHA1_ALGORITHM; + break; + + case NID_sha256: + alg = BCRYPT_SHA256_ALGORITHM; + break; + + case NID_sha384: + alg = BCRYPT_SHA384_ALGORITHM; + break; + + case NID_sha512: + alg = BCRYPT_SHA512_ALGORITHM; + break; + + case NID_md5_sha1: + if (m_len != SSL_SIG_LENGTH) + { + RSAerr(RSA_F_RSA_SIGN, RSA_R_INVALID_MESSAGE_LENGTH); + return 0; + } + /* No DigestInfo header is required -- set alg-name to NULL */ + alg = NULL; + break; + default: + msg(M_WARN, "cryptoapicert: Unknown hash type NID=0x%x", type); + RSAerr(RSA_F_RSA_SIGN, RSA_R_UNKNOWN_ALGORITHM_TYPE); + return 0; + } + + *siglen = priv_enc_CNG(cd, alg, m, (int)m_len, sig, RSA_size(rsa), padding); + return (siglen == 0) ? 0 : 1; +} + /* decrypt */ static int rsa_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding) @@ -555,6 +620,15 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) RSA_meth_set_finish(my_rsa_method, finish); RSA_meth_set0_app_data(my_rsa_method, cd); + /* For CNG, set the RSA_sign method which gets priority over priv_enc(). + * This method is called with the raw hash without the digestinfo + * header and works better when using NCryptSignHash() with some tokens. + */ + if (cd->key_spec == CERT_NCRYPT_KEY_SPEC) + { + RSA_meth_set_sign(my_rsa_method, rsa_sign_CNG); + } + rsa = RSA_new(); if (rsa == NULL) {