From patchwork Mon Oct 8 10:49:21 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 522 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director7.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id 2CChBivRu1ssNQAAIUCqbw for ; Mon, 08 Oct 2018 17:50:35 -0400 Received: from proxy3.mail.ord1d.rsapps.net ([172.30.191.6]) by director7.mail.ord1d.rsapps.net with LMTP id uMGOBivRu1tDSAAAovjBpQ ; Mon, 08 Oct 2018 17:50:35 -0400 Received: from smtp22.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy3.mail.ord1d.rsapps.net with LMTP id mLFaBivRu1u5LAAA7WKfLA ; Mon, 08 Oct 2018 17:50:35 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp22.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 2f0fc14c-cb44-11e8-a488-5254001a15c2-1-1 Received: from [216.105.38.7] ([216.105.38.7:22041] helo=lists.sourceforge.net) by smtp22.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 7E/39-13550-A21DBBB5; Mon, 08 Oct 2018 17:50:34 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1g9dPB-0003za-6o; Mon, 08 Oct 2018 21:49:33 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1g9dPA-0003zU-GP for openvpn-devel@lists.sourceforge.NET; Mon, 08 Oct 2018 21:49:32 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc: MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=Mgu0G1wnwfUvkGA93D4SuSzXAsvz74DMha4Nz8VhSx8=; b=ks6eiglnQF4l+28w/LC0wN2wTq d8MQKKC2g8yX3fVar7IaJ5Mp7R6rsV7QxpD7Cy+/nIDMtgMlN1ZAFd3hweGGb062LkZ2in3yI1i28 o073Fupa3J3/OSdCCZxX1qAb194HA0xE5aRlNFbXnKbmC30W6O5XdqIWKp8zEX9UN6hQ=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:MIME-Version: Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=Mgu0G1wnwfUvkGA93D4SuSzXAsvz74DMha4Nz8VhSx8=; b=IJb3rt7q1w7kUn8A1lPe44oOnr iGfddb8M9YhE0JcD2HG1BPrdpTAtgFBLC7+g+18J1MyDcIsr/u/Or68a/dqg4UQoT2b2hk/EqaX1q hrlPNDsYIPwu2/nLVn6bxqGZ1271wj8v14ETzyMHNEJcgCASdEp6eOAKgLoEEb4Bnmjw=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-4.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) id 1g9dP7-00EiZI-Vy for openvpn-devel@lists.sourceforge.NET; Mon, 08 Oct 2018 21:49:32 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.91 (FreeBSD)) (envelope-from ) id 1g9dP1-000Alp-6t for openvpn-devel@lists.sourceforge.net; Mon, 08 Oct 2018 23:49:23 +0200 Received: (nullmailer pid 11103 invoked by uid 10006); Mon, 08 Oct 2018 21:49:23 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Mon, 8 Oct 2018 23:49:21 +0200 Message-Id: <20181008214923.11058-1-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.5 AWL AWL: Adjusted score from AWL reputation of From: address X-Headers-End: 1g9dP7-00EiZI-Vy Subject: [Openvpn-devel] [PATCH v2 1/3] Remove MANAGMENT_EXTERNAL_KEY, MANAGMENT_IN_EXTRA, ENABLE_CLIENT_CR X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox These defines are always defined when management is enabled. We still have --disable-management as configure option, so we need to replace these with ENABLE_MANAGEMENT in some cases. Signed-off-by: Arne Schwabe --- src/openvpn/init.c | 4 ++-- src/openvpn/manage.c | 38 +++----------------------------------- src/openvpn/manage.h | 10 ---------- src/openvpn/misc.c | 14 ++++++-------- src/openvpn/misc.h | 6 +++--- src/openvpn/options.c | 24 ++++++++++++------------ src/openvpn/options.h | 2 +- src/openvpn/push.c | 2 +- src/openvpn/ssl.c | 16 ++++++++-------- src/openvpn/ssl.h | 2 +- src/openvpn/ssl_backend.h | 4 ++-- src/openvpn/ssl_common.h | 2 +- src/openvpn/ssl_mbedtls.c | 4 ++-- src/openvpn/ssl_openssl.c | 4 ++-- src/openvpn/syshead.h | 22 ---------------------- 15 files changed, 44 insertions(+), 110 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 8b34ab59..e5e6e85f 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -540,7 +540,7 @@ init_query_passwords(const struct context *c) /* Auth user/pass input */ if (c->options.auth_user_pass_file) { -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT auth_user_pass_setup(c->options.auth_user_pass_file, &c->options.sc_info); #else auth_user_pass_setup(c->options.auth_user_pass_file, NULL); @@ -2801,7 +2801,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.x509_track = options->x509_track; #if P2MP -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT to.sci = &options->sc_info; #endif #endif diff --git a/src/openvpn/manage.c b/src/openvpn/manage.c index ed981ab9..8b633f20 100644 --- a/src/openvpn/manage.c +++ b/src/openvpn/manage.c @@ -110,14 +110,12 @@ man_help(void) msg(M_CLIENT, "client-pf CID : Define packet filter for client CID (MULTILINE)"); #endif #endif -#ifdef MANAGMENT_EXTERNAL_KEY msg(M_CLIENT, "rsa-sig : Enter a signature in response to >RSA_SIGN challenge"); msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END"); msg(M_CLIENT, "pk-sig : Enter a signature in response to >PK_SIGN challenge"); msg(M_CLIENT, " Enter signature base64 on subsequent lines followed by END"); msg(M_CLIENT, "certificate : Enter a client certificate in response to >NEED-CERT challenge"); msg(M_CLIENT, " Enter certificate base64 on subsequent lines followed by END"); -#endif msg(M_CLIENT, "signal s : Send signal s to daemon,"); msg(M_CLIENT, " s = SIGHUP|SIGTERM|SIGUSR1|SIGUSR2."); msg(M_CLIENT, "state [on|off] [N|all] : Like log, but show state history."); @@ -847,8 +845,6 @@ man_hold(struct management *man, const char *cmd) } } -#ifdef MANAGEMENT_IN_EXTRA - #define IER_RESET 0 #define IER_NEW 1 @@ -936,7 +932,6 @@ in_extra_dispatch(struct management *man) break; #endif /* ifdef MANAGEMENT_PF */ -#ifdef MANAGMENT_EXTERNAL_KEY case IEC_PK_SIGN: man->connection.ext_key_state = EKS_READY; buffer_list_free(man->connection.ext_key_input); @@ -950,13 +945,10 @@ in_extra_dispatch(struct management *man) man->connection.ext_cert_input = man->connection.in_extra; man->connection.in_extra = NULL; return; -#endif } in_extra_reset(&man->connection, IER_RESET); } -#endif /* MANAGEMENT_IN_EXTRA */ - #ifdef MANAGEMENT_DEF_AUTH static bool @@ -1102,8 +1094,6 @@ man_client_pf(struct management *man, const char *cid_str) #endif /* MANAGEMENT_PF */ #endif /* MANAGEMENT_DEF_AUTH */ -#ifdef MANAGMENT_EXTERNAL_KEY - static void man_pk_sig(struct management *man, const char *cmd_name) { @@ -1136,8 +1126,6 @@ man_certificate(struct management *man) } } -#endif /* ifdef MANAGMENT_EXTERNAL_KEY */ - static void man_load_stats(struct management *man) { @@ -1526,7 +1514,6 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha } #endif #endif /* ifdef MANAGEMENT_DEF_AUTH */ -#ifdef MANAGMENT_EXTERNAL_KEY else if (streq(p[0], "rsa-sig")) { man_pk_sig(man, "rsa-sig"); @@ -1539,7 +1526,6 @@ man_dispatch_command(struct management *man, struct status_output *so, const cha { man_certificate(man); } -#endif #ifdef ENABLE_PKCS11 else if (streq(p[0], "pkcs11-id-count")) { @@ -1928,9 +1914,7 @@ man_reset_client_socket(struct management *man, const bool exiting) man->connection.state = MS_INITIAL; command_line_reset(man->connection.in); buffer_list_reset(man->connection.out); -#ifdef MANAGEMENT_IN_EXTRA in_extra_reset(&man->connection, IER_RESET); -#endif msg(D_MANAGEMENT, "MANAGEMENT: Client disconnected"); } if (!exiting) @@ -1972,9 +1956,7 @@ man_process_command(struct management *man, const char *line) CLEAR(parms); so = status_open(NULL, 0, -1, &man->persist.vout, 0); -#ifdef MANAGEMENT_IN_EXTRA in_extra_reset(&man->connection, IER_RESET); -#endif if (man_password_needed(man)) { @@ -2212,7 +2194,6 @@ man_read(struct management *man) const char *line; while ((line = command_line_get(man->connection.in))) { -#ifdef MANAGEMENT_IN_EXTRA if (man->connection.in_extra) { if (!strcmp(line, "END")) @@ -2225,8 +2206,9 @@ man_read(struct management *man) } } else -#endif - man_process_command(man, (char *) line); + { + man_process_command(man, (char *) line); + } if (man->connection.halt) { break; @@ -2572,12 +2554,8 @@ man_connection_close(struct management *man) { buffer_list_free(mc->out); } -#ifdef MANAGEMENT_IN_EXTRA in_extra_reset(&man->connection, IER_RESET); -#endif -#ifdef MANAGMENT_EXTERNAL_KEY buffer_list_free(mc->ext_key_input); -#endif man_connection_clear(mc); } @@ -3412,9 +3390,7 @@ management_query_user_pass(struct management *man, const char *alert_type = NULL; const char *prefix = NULL; unsigned int up_query_mode = 0; -#ifdef ENABLE_CLIENT_CR const char *sc = NULL; -#endif ret = true; man->persist.standalone_disabled = false; /* This is so M_CLIENT messages will be correctly passed through msg() */ man->persist.special_state_msg = NULL; @@ -3444,12 +3420,10 @@ management_query_user_pass(struct management *man, up_query_mode = UP_QUERY_USER_PASS; prefix = "PASSWORD"; alert_type = "username/password"; -#ifdef ENABLE_CLIENT_CR if (static_challenge) { sc = static_challenge; } -#endif } buf_printf(&alert_msg, ">%s:Need '%s' %s", prefix, @@ -3461,14 +3435,12 @@ management_query_user_pass(struct management *man, buf_printf(&alert_msg, " MSG:%s", up->username); } -#ifdef ENABLE_CLIENT_CR if (sc) { buf_printf(&alert_msg, " SC:%d,%s", BOOL_CAST(flags & GET_USER_PASS_STATIC_CHALLENGE_ECHO), sc); } -#endif man_wait_for_client_connection(man, &signal_received, 0, MWCC_PASSWORD_WAIT); if (signal_received) @@ -3531,8 +3503,6 @@ management_query_user_pass(struct management *man, return ret; } -#ifdef MANAGMENT_EXTERNAL_KEY - static int management_query_multiline(struct management *man, const char *b64_data, const char *prompt, const char *cmd, int *state, struct buffer_list **input) @@ -3699,8 +3669,6 @@ management_query_cert(struct management *man, const char *cert_name) return result; } -#endif /* ifdef MANAGMENT_EXTERNAL_KEY */ - /* * Return true if management_hold() would block */ diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index ff143fc1..d24abe09 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -275,7 +275,6 @@ struct man_connection { struct command_line *in; struct buffer_list *out; -#ifdef MANAGEMENT_IN_EXTRA #define IEC_UNDEF 0 #define IEC_CLIENT_AUTH 1 #define IEC_CLIENT_PF 2 @@ -288,7 +287,6 @@ struct man_connection { unsigned long in_extra_cid; unsigned int in_extra_kid; #endif -#ifdef MANAGMENT_EXTERNAL_KEY #define EKS_UNDEF 0 #define EKS_SOLICIT 1 #define EKS_INPUT 2 @@ -297,8 +295,6 @@ struct man_connection { struct buffer_list *ext_key_input; int ext_cert_state; struct buffer_list *ext_cert_input; -#endif -#endif /* ifdef MANAGEMENT_IN_EXTRA */ struct event_set *es; int env_filter_level; @@ -346,9 +342,7 @@ struct management *management_init(void); #define MF_CLIENT_PF (1<<7) #endif #define MF_UNIX_SOCK (1<<8) -#ifdef MANAGMENT_EXTERNAL_KEY #define MF_EXTERNAL_KEY (1<<9) -#endif #define MF_UP_DOWN (1<<10) #define MF_QUERY_REMOTE (1<<11) #define MF_QUERY_PROXY (1<<12) @@ -436,14 +430,10 @@ void management_learn_addr(struct management *management, #endif -#ifdef MANAGMENT_EXTERNAL_KEY - char *management_query_pk_sig(struct management *man, const char *b64_data); char *management_query_cert(struct management *man, const char *cert_name); -#endif - static inline bool management_connected(const struct management *man) { diff --git a/src/openvpn/misc.c b/src/openvpn/misc.c index 4dc17d94..75f4ff47 100644 --- a/src/openvpn/misc.c +++ b/src/openvpn/misc.c @@ -157,12 +157,10 @@ get_user_pass_cr(struct user_pass *up, management_auth_failure(management, prefix, "previous auth credentials failed"); } -#ifdef ENABLE_CLIENT_CR if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE)) { sc = auth_challenge; } -#endif if (!management_query_user_pass(management, up, prefix, flags, sc)) { if ((flags & GET_USER_PASS_NOFATAL) != 0) @@ -272,7 +270,7 @@ get_user_pass_cr(struct user_pass *up, */ if (username_from_stdin || password_from_stdin || response_from_stdin) { -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT if (auth_challenge && (flags & GET_USER_PASS_DYNAMIC_CHALLENGE) && response_from_stdin) { struct auth_challenge_info *ac = get_auth_challenge(auth_challenge, &gc); @@ -299,7 +297,7 @@ get_user_pass_cr(struct user_pass *up, } } else -#endif /* ifdef ENABLE_CLIENT_CR */ +#endif /* ifdef ENABLE_MANAGEMENT */ { struct buffer user_prompt = alloc_buf_gc(128, &gc); struct buffer pass_prompt = alloc_buf_gc(128, &gc); @@ -333,7 +331,7 @@ get_user_pass_cr(struct user_pass *up, } } -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT if (auth_challenge && (flags & GET_USER_PASS_STATIC_CHALLENGE) && response_from_stdin) { char *response = (char *) gc_malloc(USER_PASS_LEN, false, &gc); @@ -361,7 +359,7 @@ get_user_pass_cr(struct user_pass *up, string_clear(resp64); free(resp64); } -#endif /* ifdef ENABLE_CLIENT_CR */ +#endif /* ifdef ENABLE_MANAGEMENT */ } } @@ -380,7 +378,7 @@ get_user_pass_cr(struct user_pass *up, return true; } -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT /* * See management/management-notes.txt for more info on the @@ -455,7 +453,7 @@ get_auth_challenge(const char *auth_challenge, struct gc_arena *gc) } } -#endif /* ifdef ENABLE_CLIENT_CR */ +#endif /* ifdef ENABLE_MANAGEMENT */ void purge_user_pass(struct user_pass *up, const bool force) diff --git a/src/openvpn/misc.h b/src/openvpn/misc.h index 0387e261..fad53de8 100644 --- a/src/openvpn/misc.h +++ b/src/openvpn/misc.h @@ -75,7 +75,7 @@ struct user_pass char password[USER_PASS_LEN]; }; -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT /* * Challenge response info on client as pushed by server. */ @@ -101,10 +101,10 @@ struct static_challenge_info { const char *challenge_text; }; -#else /* ifdef ENABLE_CLIENT_CR */ +#else /* ifdef ENABLE_MANAGEMENT */ struct auth_challenge_info {}; struct static_challenge_info {}; -#endif /* ifdef ENABLE_CLIENT_CR */ +#endif /* ifdef ENABLE_MANAGEMENT */ /* * Flags for get_user_pass and management_query_user_pass diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 891468bd..111534a5 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1738,7 +1738,7 @@ show_settings(const struct options *o) SHOW_STR(ca_file); SHOW_STR(ca_path); SHOW_STR(dh_file); -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if ((o->management_flags & MF_EXTERNAL_CERT)) { SHOW_PARM("cert_file","EXTERNAL_CERT","%s"); @@ -1748,7 +1748,7 @@ show_settings(const struct options *o) SHOW_STR(cert_file); SHOW_STR(extra_certs_file); -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if ((o->management_flags & MF_EXTERNAL_KEY)) { SHOW_PARM("priv_key_file","EXTERNAL_PRIVATE_KEY","%s"); @@ -2575,7 +2575,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec { msg(M_USAGE, "Parameter --key cannot be used when --pkcs11-provider is also specified."); } -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if (options->management_flags & MF_EXTERNAL_KEY) { msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs11-provider is also specified."); @@ -2598,7 +2598,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec } else #endif /* ifdef ENABLE_PKCS11 */ -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if ((options->management_flags & MF_EXTERNAL_KEY) && options->priv_key_file) { msg(M_USAGE, "--key and --management-external-key are mutually exclusive"); @@ -2635,7 +2635,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec { msg(M_USAGE, "Parameter --pkcs12 cannot be used when --cryptoapicert is also specified."); } -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if (options->management_flags & MF_EXTERNAL_KEY) { msg(M_USAGE, "Parameter --management-external-key cannot be used when --cryptoapicert is also specified."); @@ -2665,7 +2665,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec { msg(M_USAGE, "Parameter --key cannot be used when --pkcs12 is also specified."); } -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if (options->management_flags & MF_EXTERNAL_KEY) { msg(M_USAGE, "Parameter --management-external-key cannot be used when --pkcs12 is also specified."); @@ -2698,7 +2698,7 @@ options_postprocess_verify_ce(const struct options *options, const struct connec { const int sum = -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT ((options->cert_file != NULL) || (options->management_flags & MF_EXTERNAL_CERT)) +((options->priv_key_file != NULL) || (options->management_flags & MF_EXTERNAL_KEY)); #else @@ -2722,11 +2722,11 @@ options_postprocess_verify_ce(const struct options *options, const struct connec } else { -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if (!(options->management_flags & MF_EXTERNAL_CERT)) #endif notnull(options->cert_file, "certificate file (--cert) or PKCS#12 file (--pkcs12)"); -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if (!(options->management_flags & MF_EXTERNAL_KEY)) #endif notnull(options->priv_key_file, "private key file (--key) or PKCS#12 file (--pkcs12)"); @@ -3317,7 +3317,7 @@ options_postprocess_filechecks(struct options *options) errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->cert_file, R_OK, "--cert"); errs |= check_file_access(CHKACC_FILE|CHKACC_INLINE, options->extra_certs_file, R_OK, "--extra-certs"); -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT if (!(options->management_flags & MF_EXTERNAL_KEY)) #endif { @@ -5177,7 +5177,7 @@ add_option(struct options *options, options->management_flags |= MF_CONNECT_AS_CLIENT; options->management_write_peer_info_file = p[1]; } -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT else if (streq(p[0], "management-external-key") && !p[1]) { VERIFY_PERMISSION(OPT_P_GENERAL); @@ -7050,7 +7050,7 @@ add_option(struct options *options, VERIFY_PERMISSION(OPT_P_GENERAL); auth_retry_set(msglevel, p[1]); } -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT else if (streq(p[0], "static-challenge") && p[1] && p[2] && !p[3]) { VERIFY_PERMISSION(OPT_P_GENERAL); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 3e7ef4f8..c7903fad 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -470,7 +470,7 @@ struct options int scheduled_exit_interval; -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT struct static_challenge_info sc_info; #endif #endif /* if P2MP */ diff --git a/src/openvpn/push.c b/src/openvpn/push.c index be5afb68..dbc29d14 100644 --- a/src/openvpn/push.c +++ b/src/openvpn/push.c @@ -100,7 +100,7 @@ receive_auth_failed(struct context *c, const struct buffer *buffer) * Save the dynamic-challenge text even when management is defined */ { -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT struct buffer buf = *buffer; if (buf_string_match_head_str(&buf, "AUTH_FAILED,CRV1:") && BLEN(&buf)) { diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index dda6bf4e..5a136d69 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -400,7 +400,7 @@ static bool auth_user_pass_enabled; /* GLOBAL */ static struct user_pass auth_user_pass; /* GLOBAL */ static struct user_pass auth_token; /* GLOBAL */ -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT static char *auth_challenge; /* GLOBAL */ #endif @@ -410,7 +410,7 @@ auth_user_pass_setup(const char *auth_file, const struct static_challenge_info * auth_user_pass_enabled = true; if (!auth_user_pass.defined && !auth_token.defined) { -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT if (auth_challenge) /* dynamic challenge/response */ { get_user_pass_cr(&auth_user_pass, @@ -433,7 +433,7 @@ auth_user_pass_setup(const char *auth_file, const struct static_challenge_info * sci->challenge_text); } else -#endif /* ifdef ENABLE_CLIENT_CR */ +#endif /* ifdef ENABLE_MANAGEMENT */ get_user_pass(&auth_user_pass, auth_file, UP_TYPE_AUTH, GET_USER_PASS_MANAGEMENT); } } @@ -484,12 +484,12 @@ ssl_purge_auth(const bool auth_user_pass_only) purge_user_pass(&passbuf, true); } purge_user_pass(&auth_user_pass, true); -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT ssl_purge_auth_challenge(); #endif } -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT void ssl_purge_auth_challenge(void) @@ -657,7 +657,7 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx) tls_ctx_load_cryptoapi(new_ctx, options->cryptoapi_cert); } #endif -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT else if (options->management_flags & MF_EXTERNAL_CERT) { char *cert = management_query_cert(management, @@ -679,7 +679,7 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx) goto err; } } -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT else if (options->management_flags & MF_EXTERNAL_KEY) { if (tls_ctx_use_management_external_key(new_ctx)) @@ -2369,7 +2369,7 @@ key_method_2_write(struct buffer *buf, struct tls_session *session) /* write username/password if specified */ if (auth_user_pass_enabled) { -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT auth_user_pass_setup(session->opt->auth_user_pass_file, session->opt->sci); #else auth_user_pass_setup(session->opt->auth_user_pass_file, NULL); diff --git a/src/openvpn/ssl.h b/src/openvpn/ssl.h index 7f487cc5..b4fbf348 100644 --- a/src/openvpn/ssl.h +++ b/src/openvpn/ssl.h @@ -430,7 +430,7 @@ void ssl_set_auth_token(const char *token); bool ssl_clean_auth_token(void); -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT /* * ssl_get_auth_challenge will parse the server-pushed auth-failed * reason string and return a dynamically allocated diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h index 42934230..3f4fd62f 100644 --- a/src/openvpn/ssl_backend.h +++ b/src/openvpn/ssl_backend.h @@ -283,7 +283,7 @@ void tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, const char *priv_key_file_inline); -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT /** * Tell the management interface to load the given certificate and the external @@ -295,7 +295,7 @@ int tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, */ int tls_ctx_use_management_external_key(struct tls_root_ctx *ctx); -#endif /* MANAGMENT_EXTERNAL_KEY */ +#endif /* ENABLE_MANAGEMENT */ /** * Load certificate authority certificates from the given file or path. diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 08ef6ffa..919ec57c 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -332,7 +332,7 @@ struct tls_options const struct x509_track *x509_track; -#ifdef ENABLE_CLIENT_CR +#ifdef ENABLE_MANAGEMENT const struct static_challenge_info *sci; #endif diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 2c6e54b3..6b4ddaf4 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -618,7 +618,7 @@ tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx, return 0; } -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT /** Query the management interface for a signature, see external_sign_func. */ static bool @@ -658,7 +658,7 @@ tls_ctx_use_management_external_key(struct tls_root_ctx *ctx) return tls_ctx_use_external_signing_func(ctx, management_sign_func, NULL); } -#endif /* ifdef MANAGMENT_EXTERNAL_KEY */ +#endif /* ifdef ENABLE_MANAGEMENT */ void tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 00e672a4..3f1f4658 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1055,7 +1055,7 @@ end: } -#ifdef MANAGMENT_EXTERNAL_KEY +#ifdef ENABLE_MANAGEMENT /* encrypt */ static int @@ -1398,7 +1398,7 @@ cleanup: return ret; } -#endif /* ifdef MANAGMENT_EXTERNAL_KEY */ +#endif /* ifdef ENABLE_MANAGEMENT */ static int sk_x509_name_cmp(const X509_NAME *const *a, const X509_NAME *const *b) diff --git a/src/openvpn/syshead.h b/src/openvpn/syshead.h index 487b32a6..d2a50341 100644 --- a/src/openvpn/syshead.h +++ b/src/openvpn/syshead.h @@ -548,26 +548,11 @@ socket_defined(const socket_descriptor_t sd) #undef ENABLE_DEF_AUTH #endif -/* - * Enable external private key - */ -#if defined(ENABLE_MANAGEMENT) -#define MANAGMENT_EXTERNAL_KEY -#endif - /* Enable mbed TLS RNG prediction resistance support */ #ifdef ENABLE_CRYPTO_MBEDTLS #define ENABLE_PREDICTION_RESISTANCE #endif /* ENABLE_CRYPTO_MBEDTLS */ -/* - * MANAGEMENT_IN_EXTRA allows the management interface to - * read multi-line inputs from clients. - */ -#if defined(MANAGEMENT_DEF_AUTH) || defined(MANAGMENT_EXTERNAL_KEY) -#define MANAGEMENT_IN_EXTRA -#endif - /* * Enable packet filter? */ @@ -658,13 +643,6 @@ socket_defined(const socket_descriptor_t sd) #define CONNECT_NONBLOCK #endif -/* - * Do we support challenge/response authentication as client? - */ -#if defined(ENABLE_MANAGEMENT) -#define ENABLE_CLIENT_CR -#endif - /* * Compression support */ From patchwork Mon Oct 8 10:49:22 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 521 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director9.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id qOzqJSrRu1twTgAAIUCqbw for ; Mon, 08 Oct 2018 17:50:34 -0400 Received: from proxy17.mail.ord1d.rsapps.net ([172.30.191.6]) by director9.mail.ord1d.rsapps.net with LMTP id 0EzMJSrRu1u/VgAAalYnBA ; Mon, 08 Oct 2018 17:50:34 -0400 Received: from smtp24.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy17.mail.ord1d.rsapps.net with LMTP id sArKJSrRu1v+FgAAWC7mWg ; Mon, 08 Oct 2018 17:50:34 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp24.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 2e948356-cb44-11e8-9c35-52540091a1c4-1-1 Received: from [216.105.38.7] ([216.105.38.7:3876] helo=lists.sourceforge.net) by smtp24.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 63/9F-24499-921DBBB5; Mon, 08 Oct 2018 17:50:34 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1g9dPC-000402-AE; Mon, 08 Oct 2018 21:49:34 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1g9dPB-0003zj-8s for openvpn-devel@lists.sourceforge.NET; Mon, 08 Oct 2018 21:49:33 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=qF50Tjh3JpGrStnX05S4RFInqI6S1U41Vz5o7ixdjBs=; b=AhjlVSklrt0tJXdvqcCb3CgoLU vVtxYADlfHdZKjNCJDx6gI2inh/IFeQcIPjVZZdSUFzjTb4UHHQv6Ep9o8hJv1BTEv61RdSfvHJNL b34kbRiiov3LV8wEDkhOmULZpEQwM6h6Kh+b3xuZgjkMc4XVRnUCbfMe/wCqDI8K4mn0=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=qF50Tjh3JpGrStnX05S4RFInqI6S1U41Vz5o7ixdjBs=; b=Cbx3Ldtkh8f9vKVeIjeO2n1CPm y6Spd9qHwFkvLMDGVfcnNtkivDihi3y5BgY8brSCOJ1COFHeSxQagoMjil4JOJ1E85A7DdY7WhbFf CoCML0CH1cbf1gc4RGMbq1GwI9TSfC8WxoX3mGXlBubNC/jmZ6Oc718PY8SQhmwUMY1Q=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-3.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) id 1g9dP7-00EgvV-Ur for openvpn-devel@lists.sourceforge.NET; Mon, 08 Oct 2018 21:49:33 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.91 (FreeBSD)) (envelope-from ) id 1g9dP1-000Alt-9G for openvpn-devel@lists.sourceforge.net; Mon, 08 Oct 2018 23:49:23 +0200 Received: (nullmailer pid 11106 invoked by uid 10006); Mon, 08 Oct 2018 21:49:23 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Mon, 8 Oct 2018 23:49:22 +0200 Message-Id: <20181008214923.11058-2-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181008214923.11058-1-arne@rfc2549.org> References: <20181008214923.11058-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.2 AWL AWL: Adjusted score from AWL reputation of From: address X-Headers-End: 1g9dP7-00EgvV-Ur Subject: [Openvpn-devel] [PATCH v2 2/3] Add support for OpenSSL TLS 1.3 when using management-external-key X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox For TLS 1.0 to 1.2 OpenSSL calls us and requires a PKCS1 padded response, for TLS 1.3 it requires to an unpadded response. Since we can PCKS1 pad an unpadded response, we prefer to always query for an unpadded response from the management interface and add the PCKS1 padding ourselves when needed. This patch adds an 'unpadded' parameter to the management-external-key option to signal that it is uses the new unpadded API. Since we cannot support TLS 1.3 without unpadded queries we disable TLS 1.3 otherwise. We also do the same for cryptoapi since it uses the same API. Using the management api client version instead might seem like the more logical way but since we only now that version very late, it would extra logic and complexity to deal with this asynchronous behaviour . Signed-off-by: Arne Schwabe --- doc/management-notes.txt | 7 ++++- src/openvpn/manage.h | 9 ++++--- src/openvpn/options.c | 57 +++++++++++++++++++++++++++++++++++++-- src/openvpn/ssl_openssl.c | 26 +++++++++++++----- 4 files changed, 85 insertions(+), 14 deletions(-) diff --git a/doc/management-notes.txt b/doc/management-notes.txt index 17645c1d..7e61ff50 100644 --- a/doc/management-notes.txt +++ b/doc/management-notes.txt @@ -832,7 +832,12 @@ END Base 64 encoded output of RSA_private_encrypt for RSA or ECDSA_sign() for EC using OpenSSL or mbedtls_pk_sign() using mbed TLS will provide a -correct signature. +correct signature. With the 'nopadding' argument to the +external-management-interface the interface expects unpadded signatures +(RSA_NO_PADDING in OpenSSL). When the 'nopadding' keyword is missing the +interfaces expects PKCS1 padded signatures for RSA keys (RSA_PKCS1_PADDING). +EC signatures are always unpadded. To support TLS 1.3 using unpadded +signatures is required. This capability is intended to allow the use of arbitrary cryptographic service providers with OpenVPN via the management interface. diff --git a/src/openvpn/manage.h b/src/openvpn/manage.h index d24abe09..4fe66abf 100644 --- a/src/openvpn/manage.h +++ b/src/openvpn/manage.h @@ -343,10 +343,11 @@ struct management *management_init(void); #endif #define MF_UNIX_SOCK (1<<8) #define MF_EXTERNAL_KEY (1<<9) -#define MF_UP_DOWN (1<<10) -#define MF_QUERY_REMOTE (1<<11) -#define MF_QUERY_PROXY (1<<12) -#define MF_EXTERNAL_CERT (1<<13) +#define MF_EXTERNAL_KEY_NOPADDING (1<<10) +#define MF_UP_DOWN (1<<11) +#define MF_QUERY_REMOTE (1<<12) +#define MF_QUERY_PROXY (1<<13) +#define MF_EXTERNAL_CERT (1<<14) bool management_open(struct management *man, const char *addr, diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 111534a5..61762791 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3025,6 +3025,35 @@ options_postprocess_verify(const struct options *o) } } +#if defined(ENABLE_CRYPTOAPI) || (defined(ENABLE_CRYPTO_OPENSSL) && defined(ENABLE_MANAGEMENT)) +static void +disable_tls13_if_avilable(struct options *o, const char* msg) +{ +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + const int tls_version_max = + (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & + SSLF_TLS_VERSION_MAX_MASK; + + /* + * The library we are *linked* against is OpenSSL 1.1.1 and therefore support TLS 1.3 + * this need to be a runtime version check since we can be compiled against 1.1.0 and + * then the library can be upgraded to 1.1.1 + */ + if (OpenSSL_version_num() >= 0x1010100fL && + (tls_version_max == TLS_VER_UNSPEC || tls_version_max > TLS_VER_1_2)) + { + msg(M_WARN, "%s Setting maximum TLS version to 1.2 ", msg); + o->ssl_flags &= ~(SSLF_TLS_VERSION_MAX_MASK << + SSLF_TLS_VERSION_MAX_SHIFT); + o->ssl_flags |= (TLS_VER_1_1 << SSLF_TLS_VERSION_MAX_SHIFT); + + } +#else + return; +#endif +} +#endif + static void options_postprocess_mutate(struct options *o) { @@ -3105,6 +3134,26 @@ options_postprocess_mutate(struct options *o) } #endif +#if defined(ENABLE_CRYPTO_MBEDTLS) && defined(MANAGMENT_EXTERNAL_KEY) + if (o->management_flags & MF_EXTERNAL_KEY_NOPADDING) + { + msg(M_FATAL, "mbed TLS does not support the 'nopadding' argument for the --management-external-key option"); + } +#endif + +#if defined(ENABLE_CRYPTOAPI) + if (o->cryptoapi_cert) + { + disable_tls13_if_avilable(o, "Warning: cryptapicert used."); + } +#endif +#if defined(ENABLE_CRYPTO_OPENSSL) && defined(ENABLE_MANAGEMENT) + if ((o->management_flags & MF_EXTERNAL_KEY) && !(o->management_flags & MF_EXTERNAL_KEY_NOPADDING)) + { + disable_tls13_if_avilable(o, "Warning: Using management-external-key " + "without nopadding option."); + } +#endif #if P2MP /* * Save certain parms before modifying options via --pull @@ -5178,9 +5227,13 @@ add_option(struct options *options, options->management_write_peer_info_file = p[1]; } #ifdef ENABLE_MANAGEMENT - else if (streq(p[0], "management-external-key") && !p[1]) + else if (streq(p[0], "management-external-key") && !p[2]) { VERIFY_PERMISSION(OPT_P_GENERAL); + if (p[1] && streq(p[1], "nopadding")) + { + options->management_flags |= MF_EXTERNAL_KEY_NOPADDING; + } options->management_flags |= MF_EXTERNAL_KEY; } else if (streq(p[0], "management-external-cert") && p[1] && !p[2]) @@ -8440,4 +8493,4 @@ add_option(struct options *options, } err: gc_free(&gc); -} \ No newline at end of file +} diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 3f1f4658..fd8026b7 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1100,15 +1100,27 @@ openvpn_extkey_rsa_finish(RSA *rsa) */ static int get_sig_from_man(const unsigned char *dgst, unsigned int dgstlen, - unsigned char *sig, unsigned int siglen) + unsigned char *sig, unsigned int siglen, bool pkcs1pad) { char *in_b64 = NULL; char *out_b64 = NULL; int len = -1; + int bencret = -1; - /* convert 'dgst' to base64 */ - if (management - && openvpn_base64_encode(dgst, dgstlen, &in_b64) > 0) + if ((management->settings.flags & MF_EXTERNAL_KEY_NOPADDING) && pkcs1pad) + { + /* + * Add PKCS1 signature and replace input with it + * Use our output buffer also als temporary buffer + */ + RSA_padding_add_PKCS1_type_1(sig, siglen, dgst, dgstlen); + bencret = openvpn_base64_encode(sig, siglen, &in_b64); + } + else + { + bencret = openvpn_base64_encode(dgst, dgstlen, &in_b64); + } + if (management && bencret > 0) { out_b64 = management_query_pk_sig(management, in_b64); } @@ -1129,13 +1141,13 @@ rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i unsigned int len = RSA_size(rsa); int ret = -1; - if (padding != RSA_PKCS1_PADDING) + if (padding != RSA_PKCS1_PADDING && padding != RSA_NO_PADDING) { RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE); return -1; } - ret = get_sig_from_man(from, flen, to, len); + ret = get_sig_from_man(from, flen, to, len, padding == RSA_PKCS1_PADDING); return (ret == len)? ret : -1; } @@ -1229,7 +1241,7 @@ ecdsa_sign(int type, const unsigned char *dgst, int dgstlen, unsigned char *sig, unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *ec) { int capacity = ECDSA_size(ec); - int len = get_sig_from_man(dgst, dgstlen, sig, capacity); + int len = get_sig_from_man(dgst, dgstlen, sig, capacity, false); if (len > 0) { From patchwork Mon Oct 8 10:49:23 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 523 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director10.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id WHcUCCvRu1uaNQAAIUCqbw for ; Mon, 08 Oct 2018 17:50:35 -0400 Received: from proxy18.mail.ord1d.rsapps.net ([172.30.191.6]) by director10.mail.ord1d.rsapps.net with LMTP id IDr9ByvRu1sqVQAApN4f7A ; Mon, 08 Oct 2018 17:50:35 -0400 Received: from smtp36.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy18.mail.ord1d.rsapps.net with LMTP id mJCYByvRu1u+AgAATCaURg ; Mon, 08 Oct 2018 17:50:35 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp36.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 2e94f2a0-cb44-11e8-9009-525400c11307-1-1 Received: from [216.105.38.7] ([216.105.38.7:1754] helo=lists.sourceforge.net) by smtp36.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id AD/89-01542-921DBBB5; Mon, 08 Oct 2018 17:50:34 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1g9dPF-00040V-CR; Mon, 08 Oct 2018 21:49:37 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1g9dPE-00040N-Gn for openvpn-devel@lists.sourceforge.NET; Mon, 08 Oct 2018 21:49:36 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=Fil0ym9tajNetdshGuiWGEZnawLGRs9zXEgRw7AiWxc=; b=LjZxfJQO8KFXpQ+KlKRkEL692h fuetdG5/kQAWQI0Ukr3HYgkN9Q29NFFLkkAWayZ8eetVMvTKCixl1S4lUNYRwnVetqLR/HnZYcGYw 0/kk05zrWa1rQ7MWrA6RADygJ7hgT69bHflshKBBYXbZTfYcQh8Eo/o0kHetzRw2b2mA=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=Fil0ym9tajNetdshGuiWGEZnawLGRs9zXEgRw7AiWxc=; b=I5d+KAqOFQ6SoZhKSVaYWwsAei FqUK6DWPXxwhrVGzFcwwDs8PwKegjoImNJ8bPoo0JuUc0+RasPT+7pTtonduRJsUc8sy+o0lkOP0p Sx822WSOP7qd9dtOSBjWdJyQ9aZ+w5RXYNu0DKag3olaHpIuYpfvUL+7xyPdLUtAMBsI=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) id 1g9dPB-00F7og-Fu for openvpn-devel@lists.sourceforge.NET; Mon, 08 Oct 2018 21:49:36 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.91 (FreeBSD)) (envelope-from ) id 1g9dP1-000Alx-BH for openvpn-devel@lists.sourceforge.net; Mon, 08 Oct 2018 23:49:23 +0200 Received: (nullmailer pid 11109 invoked by uid 10006); Mon, 08 Oct 2018 21:49:23 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Mon, 8 Oct 2018 23:49:23 +0200 Message-Id: <20181008214923.11058-3-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20181008214923.11058-1-arne@rfc2549.org> References: <20181008214923.11058-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.2 AWL AWL: Adjusted score from AWL reputation of From: address X-Headers-End: 1g9dPB-00F7og-Fu Subject: [Openvpn-devel] [PATCH v2 3/3] Implement the nopadding option to management-external-key for mbed TLS X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Although mbed TLS does not have a TLS 1.3 API yet and we do not really know how mbed TLS will handle querying for TLS 1.3 signatures, being able to use the same API with OpenSSL and mbed TLS is a nice feature. Since mbed TLS does not expose a way to do pkcs1 padding, copy the trimmed down version of the pkcs1 copy to the OpenVPN source code. Signed-off-by: Arne Schwabe --- src/openvpn/options.c | 11 ++---- src/openvpn/ssl_mbedtls.c | 72 ++++++++++++++++++++++++++++++++++++++- 2 files changed, 73 insertions(+), 10 deletions(-) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 61762791..fb7d8333 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3025,11 +3025,11 @@ options_postprocess_verify(const struct options *o) } } -#if defined(ENABLE_CRYPTOAPI) || (defined(ENABLE_CRYPTO_OPENSSL) && defined(ENABLE_MANAGEMENT)) +#if defined(ENABLE_CRYPTOAPI) || defined(ENABLE_MANAGEMENT) static void disable_tls13_if_avilable(struct options *o, const char* msg) { -#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(ENABLE_CRYPTO_MBEDTLS) const int tls_version_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK; @@ -3134,13 +3134,6 @@ options_postprocess_mutate(struct options *o) } #endif -#if defined(ENABLE_CRYPTO_MBEDTLS) && defined(MANAGMENT_EXTERNAL_KEY) - if (o->management_flags & MF_EXTERNAL_KEY_NOPADDING) - { - msg(M_FATAL, "mbed TLS does not support the 'nopadding' argument for the --management-external-key option"); - } -#endif - #if defined(ENABLE_CRYPTOAPI) if (o->cryptoapi_cert) { diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 6b4ddaf4..3e97a329 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -619,6 +619,59 @@ tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx, } #ifdef ENABLE_MANAGEMENT +/* + * Construct a PKCS v1.5 encoding of a hashed message. + * + * Taken and trimmed down version (only MBEDTLS_MD_NONE) of + * rsa_rsassa_pkcs1_v15_encode from mbedTLS 2.13.1 (53546ea0) + * + * This is used both for signature generation and verification. + * + * Parameters: + * - hashlen: Length of hash in case hashlen is MBEDTLS_MD_NONE. + * - hash: Buffer containing the hashed message or the raw data. + * - dst_len: Length of the encoded message. + * - dst: Buffer to hold the encoded message. + * + * Assumptions: + * - hash has size hashlen + * - dst points to a buffer of size at least dst_len. + * + */ +static int rsa_pkcs1_v15_pad(size_t hashlen, const unsigned char *hash, + size_t dst_len, unsigned char *dst) +{ + size_t nb_pad = dst_len; + unsigned char *p = dst; + + if (nb_pad < hashlen) + return MBEDTLS_ERR_RSA_BAD_INPUT_DATA; + + nb_pad -= hashlen; + + + /* Need space for signature header and padding delimiter (3 bytes), + * and 8 bytes for the minimal padding */ + if (nb_pad < 3 + 8) + { + return (MBEDTLS_ERR_RSA_BAD_INPUT_DATA); + } + nb_pad -= 3; + + /* Now nb_pad is the amount of memory to be filled + * with padding, and at least 8 bytes long. */ + + /* Write signature header and padding */ + *p++ = 0; + *p++ = MBEDTLS_RSA_SIGN; + memset(p, 0xFF, nb_pad); + p += nb_pad; + *p++ = 0; + + /* we are signing raw data? */ + memcpy(p, hash, hashlen); + return 0; +} /** Query the management interface for a signature, see external_sign_func. */ static bool @@ -629,7 +682,24 @@ management_sign_func(void *sign_ctx, const void *src, size_t src_len, char *src_b64 = NULL; char *dst_b64 = NULL; - if (!management || (openvpn_base64_encode(src, src_len, &src_b64) <= 0)) + + if (!management) + { + goto cleanup; + } + if (management->settings.flags & MF_EXTERNAL_KEY_NOPADDING) + { + /* + * Add PKCS1 signature and replace input with it + * Use our output buffer also als temporary buffer + */ + if ((!mbed_ok(rsa_pkcs1_v15_pad(src_len, src, dst_len, dst))) + || (openvpn_base64_encode(dst, dst_len, &src_b64) <= 0 )) + { + goto cleanup; + } + } + else if (openvpn_base64_encode(src, src_len, &src_b64) <= 0) { goto cleanup; }