From patchwork Thu May 28 12:59:18 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Bottomley X-Patchwork-Id: 1126 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.27.255.7]) by backend30.mail.ord1d.rsapps.net with LMTP id EFa3N79C0F5kIQAAIUCqbw for ; Thu, 28 May 2020 19:01:19 -0400 Received: from proxy19.mail.iad3a.rsapps.net ([172.27.255.7]) by director11.mail.ord1d.rsapps.net with LMTP id 8LsoNb9C0F5xBgAAvGGmqA ; Thu, 28 May 2020 19:01:19 -0400 Received: from smtp49.gate.iad3a ([172.27.255.7]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy19.mail.iad3a.rsapps.net with LMTP id iHUjL79C0F6dMwAAXy6Yeg ; Thu, 28 May 2020 19:01:19 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp49.gate.iad3a.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=hansenpartnership.com; dmarc=fail (p=none; dis=none) header.from=hansenpartnership.com X-Suspicious-Flag: YES X-Classification-ID: 22f73082-a137-11ea-943c-525400fffce0-1-1 Received: from [216.105.38.7] ([216.105.38.7:48848] helo=lists.sourceforge.net) by smtp49.gate.iad3a.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 94/6F-27427-DB240DE5; Thu, 28 May 2020 19:01:17 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1jeRVn-0002TO-FU; Thu, 28 May 2020 23:00:31 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jeRVm-0002TF-98 for openvpn-devel@lists.sourceforge.net; Thu, 28 May 2020 23:00:30 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=9n1yZkfWipVADq7AyGq2z96E1GgfkDaeOPJ8MLqMbmY=; b=XeSjHoUgbE/6exX99YuWAfk+qi I8GU+D8NUCB+gSUnT4pRmPaH2tPAkhK1PVJEYnAu40vQJSN3n+B9dIkm5WG5glQjjSIQ0erohKH/J 21Qji8KyaWt+2z4UfbhsM8ZQEtXxg8FT5aYsezMhy6tp1CiexkRKktK4FJr6WLfldGWU=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=9n1yZkfWipVADq7AyGq2z96E1GgfkDaeOPJ8MLqMbmY=; b=VYbG2LOBU08X2tiq1k/KOJGRPa RCjDpRGRJSlRrkKUwQki4qjVcp/9oanhbu5gMecz2nxHp9iXDuejZuDjSWpI+wGMf4KMjQT8a2nyW mTxs/y67fVEujNHzXkAo/mje+UPxqcDgKngflxZ93IbVpM3qHeAHiBYP4tzt20X0jlu8=; Received: from bedivere.hansenpartnership.com ([66.63.167.143]) by sfi-mx-4.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1jeRVk-0021Ll-9C for openvpn-devel@lists.sourceforge.net; Thu, 28 May 2020 23:00:30 +0000 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 078118EE10F for ; Thu, 28 May 2020 16:00:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1590706823; bh=7yByrqWbq0aCykG0VpNH9pK8O54l8dm3qxabCEdnOFw=; h=From:To:Subject:Date:In-Reply-To:References:From; b=jq30Kh+Wz+q6hdKqokKgwlWlkIKtElJgFwPRJ1SMmncegghprMne+cfLEsL4F1c8J durmzDlAZqffU0TVGqP0kFa/2YOJ4X1gIueOsIzXgbRSric7v0y1qa/qu1JCxj0PTS 3cOz0lJzH8qNhjpV6vfG9z+wGme5YOl4qh5UcoyI= Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nihqCWPV0-BH for ; Thu, 28 May 2020 16:00:22 -0700 (PDT) Received: from jarvis.lan (jarvis.ext.hansenpartnership.com [153.66.160.226]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id B986F8EE0F8 for ; Thu, 28 May 2020 16:00:22 -0700 (PDT) From: James Bottomley To: openvpn-devel@lists.sourceforge.net Date: Thu, 28 May 2020 15:59:18 -0700 Message-Id: <20200528225920.6983-2-James.Bottomley@HansenPartnership.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200528225920.6983-1-James.Bottomley@HansenPartnership.com> References: <20200528225920.6983-1-James.Bottomley@HansenPartnership.com> MIME-Version: 1.0 X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: hansenpartnership.com] -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid X-Headers-End: 1jeRVk-0021Ll-9C Subject: [Openvpn-devel] [PATCH v6 1/3] openssl: add engine method for loading the key X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox As well as doing crypto acceleration, engines can also be used to load key files. If the engine is set, and the private key loading fails for bio methods, this patch makes openvpn try to get the engine to load the key. If that succeeds, we end up using an engine based key. This can be used with the openssl tpm engines to make openvpn use a TPM wrapped key file. Signed-off-by: James Bottomley Acked-By: Arne Schwabe --- v2: add better configuration guarding v4: - use crypto_msg() instead of raw openssl prints - remove ENGINE_init/finish(). Openvpn already initializes the engine so doing a second initialization is wrong. - don't clear the openssl errors from the BIO_read failure just in case they might be useful. - ad ui.h include for openssl 1.1 build failure v5: add engine init --- src/openvpn/crypto_openssl.c | 56 ++++++++++++++++++++++++++++++++++++ src/openvpn/crypto_openssl.h | 12 ++++++++ src/openvpn/ssl_openssl.c | 5 ++++ 3 files changed, 73 insertions(+) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index a5b2c45a..4ac77fde 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -63,6 +63,7 @@ #endif #if HAVE_OPENSSL_ENGINE +#include #include static bool engine_initialized = false; /* GLOBAL */ @@ -1070,4 +1071,59 @@ memcmp_constant_time(const void *a, const void *b, size_t size) { return CRYPTO_memcmp(a, b, size); } + +#if HAVE_OPENSSL_ENGINE +static int +ui_reader(UI *ui, UI_STRING *uis) +{ + SSL_CTX *ctx = UI_get0_user_data(ui); + + if (UI_get_string_type(uis) == UIT_PROMPT) { + pem_password_cb *cb = SSL_CTX_get_default_passwd_cb(ctx); + void *d = SSL_CTX_get_default_passwd_cb_userdata(ctx); + char password[64]; + + cb(password, sizeof(password), 0, d); + UI_set_result(ui, uis, password); + + return 1; + } + return 0; +} +#endif + +EVP_PKEY * +engine_load_key(const char *file, SSL_CTX *ctx) +{ +#if HAVE_OPENSSL_ENGINE + UI_METHOD *ui; + EVP_PKEY *pkey; + + if (!engine_persist) + return NULL; + + /* this will print out the error from BIO_read */ + crypto_msg(M_INFO, "PEM_read_bio failed, now trying engine method to load private key"); + + ui = UI_create_method("openvpn"); + if (!ui) { + crypto_msg(M_FATAL, "Engine UI creation failed"); + return NULL; + } + + UI_method_set_reader(ui, ui_reader); + + ENGINE_init(engine_persist); + pkey = ENGINE_load_private_key(engine_persist, file, ui, ctx); + ENGINE_finish(engine_persist); + if (!pkey) + crypto_msg(M_FATAL, "Engine could not load key file"); + + UI_destroy_method(ui); + return pkey; +#else + return NULL; +#endif +} + #endif /* ENABLE_CRYPTO_OPENSSL */ diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h index 64754480..7449fbd3 100644 --- a/src/openvpn/crypto_openssl.h +++ b/src/openvpn/crypto_openssl.h @@ -107,4 +107,16 @@ cipher_kt_var_key_size(const cipher_kt_t *cipher) return EVP_CIPHER_flags(cipher) & EVP_CIPH_VARIABLE_LENGTH; } +/** + * Load a key file from an engine + * + * @param file The engine file to load + * @param ui The UI method for the password prompt + * @param data The data to pass to the UI method + * + * @return The private key if successful or NULL if not + */ +EVP_PKEY * +engine_load_key(const char *file, SSL_CTX *ctx); + #endif /* CRYPTO_OPENSSL_H_ */ diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 06c836da..a489053b 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1020,6 +1020,11 @@ tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, pkey = PEM_read_bio_PrivateKey(in, NULL, SSL_CTX_get_default_passwd_cb(ctx->ctx), SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx)); + if (!pkey) + { + pkey = engine_load_key(priv_key_file, ctx->ctx); + } + if (!pkey || !SSL_CTX_use_PrivateKey(ssl_ctx, pkey)) { #ifdef ENABLE_MANAGEMENT From patchwork Thu May 28 12:59:19 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Bottomley X-Patchwork-Id: 1127 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director9.mail.ord1d.rsapps.net ([172.27.255.59]) by backend30.mail.ord1d.rsapps.net with LMTP id yJGdOthC0F6yeAAAIUCqbw for ; Thu, 28 May 2020 19:01:45 -0400 Received: from proxy6.mail.iad3a.rsapps.net ([172.27.255.59]) by director9.mail.ord1d.rsapps.net with LMTP id aGNgONhC0F7UYgAAalYnBA ; Thu, 28 May 2020 19:01:45 -0400 Received: from smtp14.gate.iad3a ([172.27.255.59]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy6.mail.iad3a.rsapps.net with LMTP id qHx/M9hC0F6GIQAA8udqhg ; Thu, 28 May 2020 19:01:44 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp14.gate.iad3a.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=hansenpartnership.com; dmarc=fail (p=none; dis=none) header.from=hansenpartnership.com X-Suspicious-Flag: YES X-Classification-ID: 32f255ca-a137-11ea-a2f2-5254005d41e3-1-1 Received: from [216.105.38.7] ([216.105.38.7:52822] helo=lists.sourceforge.net) by smtp14.gate.iad3a.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 98/0A-20713-8D240DE5; Thu, 28 May 2020 19:01:44 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1jeRWE-0002l6-AY; Thu, 28 May 2020 23:00:58 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jeRWD-0002l0-Gy for openvpn-devel@lists.sourceforge.net; Thu, 28 May 2020 23:00:57 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=9J6953LBNtGhUg2eyEd11xAU0XhWcmBbZ/wcMzWQJ9E=; b=TSjOEkYbVervdP13HXXZIUQKDN bVm4ks9/1nBFOmWL2pSNvhWXjwcEknxJcCFhDLTjK78gcy1c9KVQDJTXw5j8zyJlSj/5u2DIGdkNX CxZeGICpw5yIelc6GYg5ThJuVPmmMd40TEhrrtcWo4dEdeG3VCKaYnNsn8aWk/vOpbxg=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=9J6953LBNtGhUg2eyEd11xAU0XhWcmBbZ/wcMzWQJ9E=; b=nBrpkGcsAp31bz5ygFjzGh7RH4 vO104+2cO3q40dDgzp801tI0Rj0mdxpD2fZbd1pUw4p6vDNfmYLH2ovSjwyescjLgmN4JtnCmxhoS GitDRKlqK1DtMTK4GPQDLd6HewpOolwb/zMkbVTJrsPxnF0Za7IDobsVLEieMCU99uo8=; Received: from bedivere.hansenpartnership.com ([66.63.167.143]) by sfi-mx-4.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1jeRWC-0021Mr-I1 for openvpn-devel@lists.sourceforge.net; Thu, 28 May 2020 23:00:57 +0000 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 5A56B8EE10F for ; Thu, 28 May 2020 16:00:51 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1590706851; bh=eYdNmcFGQze93gl5QT48HkmrpuHyoH01RQgY6v5u9aQ=; h=From:To:Subject:Date:In-Reply-To:References:From; b=o3d0wyXqgQOuUDU45ZYVafbBSMT54SHChzwCFxcd+usgqtwQHIi8vUF2qxRiVLuaY eu4gN/u807gn8cQ5IM3witjXAFAHbVscIjk3HFS6OtAoSSpq++K/FM2VjOrX8MVEqE 1ScAAI9XDCVv3DzlUnRb+JVhI+fV9gWMT4Ms5668= Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aTJVohYtIC0t for ; Thu, 28 May 2020 16:00:51 -0700 (PDT) Received: from jarvis.lan (jarvis.ext.hansenpartnership.com [153.66.160.226]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 0CEB78EE0F8 for ; Thu, 28 May 2020 16:00:51 -0700 (PDT) From: James Bottomley To: openvpn-devel@lists.sourceforge.net Date: Thu, 28 May 2020 15:59:19 -0700 Message-Id: <20200528225920.6983-3-James.Bottomley@HansenPartnership.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200528225920.6983-1-James.Bottomley@HansenPartnership.com> References: <20200528225920.6983-1-James.Bottomley@HansenPartnership.com> MIME-Version: 1.0 X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: hansenpartnership.com] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid X-Headers-End: 1jeRWC-0021Mr-I1 Subject: [Openvpn-devel] [PATCH v6 2/3] crypto_openssl: add initialization to pick up local configuration X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox The test programme for the new openssl engine code requires overriding the system default configuration file to point to the location of the test engine. Add an initialization stanza that makes this behaviour universal, so now anyone running openvpn configured with openssl can specify their own configuration file with the OPENSSL_CONF environment variable. Signed-off-by: James Bottomley Acked-By: Arne Schwabe Signed-off-by: James Bottomley Acked-By: Arne Schwabe Acked-By: Arne Schwabe <arne@rfc2549.org>
--- src/openvpn/crypto_openssl.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 4ac77fde..fd57edd2 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -149,6 +149,11 @@ crypto_init_lib_engine(const char *engine_name) void crypto_init_lib(void) { +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); +#else + OPENSSL_config(NULL); +#endif /* * If you build the OpenSSL library and OpenVPN with * CRYPTO_MDEBUG, you will get a listing of OpenSSL From patchwork Thu May 28 12:59:20 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: James Bottomley X-Patchwork-Id: 1128 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director7.mail.ord1d.rsapps.net ([172.27.255.51]) by backend30.mail.ord1d.rsapps.net with LMTP id WD7TCSRD0F6yeAAAIUCqbw for ; Thu, 28 May 2020 19:03:00 -0400 Received: from proxy10.mail.iad3a.rsapps.net ([172.27.255.51]) by director7.mail.ord1d.rsapps.net with LMTP id UJ/cBiRD0F50cAAAovjBpQ ; Thu, 28 May 2020 19:03:00 -0400 Received: from smtp21.gate.iad3a ([172.27.255.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy10.mail.iad3a.rsapps.net with LMTP id YFktACRD0F4iewAAnQ/bqA ; Thu, 28 May 2020 19:03:00 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp21.gate.iad3a.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=hansenpartnership.com; dmarc=fail (p=none; dis=none) header.from=hansenpartnership.com X-Suspicious-Flag: YES X-Classification-ID: 5f86e060-a137-11ea-b63d-525400e75841-1-1 Received: from [216.105.38.7] ([216.105.38.7:53116] helo=lists.sourceforge.net) by smtp21.gate.iad3a.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id FA/2A-23641-32340DE5; Thu, 28 May 2020 19:02:59 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1jeRXO-0002qO-GM; Thu, 28 May 2020 23:02:10 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1jeRXN-0002qG-LV for openvpn-devel@lists.sourceforge.net; Thu, 28 May 2020 23:02:09 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=g1kmrsYQirFwVuTX1sT4x8VuIMWsl09MtzTapYKLZ3I=; b=Kuouq5AqqLRX6OglPumPMZhf4S Ijr81IoP62aN/N8/KrqWBjtLCi4SJRW4zeEXO2XJ9LpkdsYp/6aqyIo0ddVzswusUK7+pBnCAT2t7 uzJW5AQzn05+Ow2FUlTiRIkvRLVWIT6d9ehJZVThitoydET62gsuPpkKaPlB2dWkIfBw=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=g1kmrsYQirFwVuTX1sT4x8VuIMWsl09MtzTapYKLZ3I=; b=lk7COUlODOg8N0wkjpDND3ikgV k9JIRy9Rll514j1Mjcgt/5jzxT1wAZkcPAW4DVOjHkFX38LGNhNXe/7vjh9+5rjli6jtjNtNHhMEt 5ySQvckYXmUKZuO/rcHFwSL89bJG0LS0HhBOGtS9tACZH9DykquDwjVlsf+ugK0Q4KoM=; Received: from bedivere.hansenpartnership.com ([66.63.167.143]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1jeRXK-00BQZH-P6 for openvpn-devel@lists.sourceforge.net; Thu, 28 May 2020 23:02:09 +0000 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id BC1548EE10F for ; Thu, 28 May 2020 16:02:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1590706920; bh=rwfkgy6viAmCg4c+GZzb7kdihcmSaYzCRlqPNnCr4dU=; h=From:To:Subject:Date:In-Reply-To:References:From; b=iIW6zMA0nSKsw/1Pf4RwI8Cn6mk9YHAjlEega6/FEgIHYSLcFhVlfuUJPZjiyxued 80OyM8OUlRTRbPiGegPbBu+p7AzkLeyogg35fXv6KLWAikbq84EKdVrlSU+sEFjTWw Z4z4vwTSIQdW+sK/QyXOx6VKovv4uJGvMvvHNH/Q= Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nBDYs6NxWpEE for ; Thu, 28 May 2020 16:02:00 -0700 (PDT) Received: from jarvis.lan (jarvis.ext.hansenpartnership.com [153.66.160.226]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 73F4B8EE0F8 for ; Thu, 28 May 2020 16:02:00 -0700 (PDT) From: James Bottomley To: openvpn-devel@lists.sourceforge.net Date: Thu, 28 May 2020 15:59:20 -0700 Message-Id: <20200528225920.6983-4-James.Bottomley@HansenPartnership.com> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200528225920.6983-1-James.Bottomley@HansenPartnership.com> References: <20200528225920.6983-1-James.Bottomley@HansenPartnership.com> MIME-Version: 1.0 X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: makefile.am] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid X-Headers-End: 1jeRXK-00BQZH-P6 Subject: [Openvpn-devel] [PATCH v6 3/3] Add unit tests for engine keys X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Testing engines is problematic, so one of the prerequisites built for the tests is a simple openssl engine that reads a non-standard PEM guarded key. The test is simply can we run a client/server configuration with the usual sample key replaced by an engine key. The trivial engine prints out some operations and we check for these in the log to make sure the engine was used to load the key and that it correctly got the password. Signed-off-by: James Bottomley Signed-off-by: James Bottomley Signed-off-by: James Bottomley --- v5: do not hard code dynamic library extension into openssl.cnf (MacOS) v4: add OPENSSL_config(NULL) so debian checks will work v3: added this patch --- configure.ac | 5 + tests/unit_tests/Makefile.am | 3 + tests/unit_tests/engine-key/Makefile.am | 24 +++++ .../engine-key/check_engine_keys.sh | 30 ++++++ tests/unit_tests/engine-key/libtestengine.c | 101 ++++++++++++++++++ tests/unit_tests/engine-key/openssl.cnf.in | 12 +++ 6 files changed, 175 insertions(+) create mode 100644 tests/unit_tests/engine-key/Makefile.am create mode 100755 tests/unit_tests/engine-key/check_engine_keys.sh create mode 100644 tests/unit_tests/engine-key/libtestengine.c create mode 100644 tests/unit_tests/engine-key/openssl.cnf.in diff --git a/configure.ac b/configure.ac index 273a8d1b..92d4eeba 100644 --- a/configure.ac +++ b/configure.ac @@ -1387,6 +1387,10 @@ AM_CONDITIONAL([GIT_CHECKOUT], [test "${GIT_CHECKOUT}" = "yes"]) AM_CONDITIONAL([ENABLE_PLUGIN_AUTH_PAM], [test "${enable_plugin_auth_pam}" = "yes"]) AM_CONDITIONAL([ENABLE_PLUGIN_DOWN_ROOT], [test "${enable_plugin_down_root}" = "yes"]) AM_CONDITIONAL([HAVE_LD_WRAP_SUPPORT], [test "${have_ld_wrap_support}" = "yes"]) +AM_CONDITIONAL([OPENSSL_ENGINE], [test "${have_openssl_engine}" = "yes"]) + +shrext=$shrext_cmds +AC_SUBST([shrext]) sampledir="\$(docdir)/sample" AC_SUBST([plugindir]) @@ -1448,6 +1452,7 @@ AC_CONFIG_FILES([ tests/unit_tests/openvpn/Makefile tests/unit_tests/plugins/Makefile tests/unit_tests/plugins/auth-pam/Makefile + tests/unit_tests/engine-key/Makefile sample/Makefile ]) AC_CONFIG_FILES([tests/t_client.sh], [chmod +x tests/t_client.sh]) diff --git a/tests/unit_tests/Makefile.am b/tests/unit_tests/Makefile.am index 33fefaac..f27cd90f 100644 --- a/tests/unit_tests/Makefile.am +++ b/tests/unit_tests/Makefile.am @@ -2,4 +2,7 @@ AUTOMAKE_OPTIONS = foreign if ENABLE_UNITTESTS SUBDIRS = example_test openvpn plugins +if OPENSSL_ENGINE +SUBDIRS += engine-key +endif endif diff --git a/tests/unit_tests/engine-key/Makefile.am b/tests/unit_tests/engine-key/Makefile.am new file mode 100644 index 00000000..05f56bfd --- /dev/null +++ b/tests/unit_tests/engine-key/Makefile.am @@ -0,0 +1,24 @@ +AUTOMAKE_OPTIONS = foreign + +check_LTLIBRARIES = libtestengine.la +conffiles = openssl.cnf + +TESTS_ENVIRONMENT = srcdir="$(abs_srcdir)"; \ + builddir="$(abs_builddir)"; \ + top_builddir="$(top_builddir)"; \ + top_srcdir="$(top_srcdir)"; \ + export srcdir builddir top_builddir top_srcdir; + +TESTS = check_engine_keys.sh +check_engine_keys.sh: $(conffiles) + +clean-local: + rm -f $(conffiles) + +$(builddir)/%.cnf: $(srcdir)/%.cnf.in + sed 's/SHREXT/@shrext@/' < $< > $@ + +libtestengine_la_SOURCES = libtestengine.c +libtestengine_la_LDFLAGS = @TEST_LDFLAGS@ -rpath /lib -avoid-version -module -shared -export-dynamic +libtestengine_la_CFLAGS = @TEST_CFLAGS@ -I$(openvpn_srcdir) -I$(compat_srcdir) + diff --git a/tests/unit_tests/engine-key/check_engine_keys.sh b/tests/unit_tests/engine-key/check_engine_keys.sh new file mode 100755 index 00000000..e0c9d7b0 --- /dev/null +++ b/tests/unit_tests/engine-key/check_engine_keys.sh @@ -0,0 +1,30 @@ +#!/bin/sh + +OPENSSL_CONF="${builddir}/openssl.cnf" +export OPENSSL_CONF + +password='AT3S4PASSWD' + +key="${builddir}/client.key" +pwdfile="${builddir}/passwd" + +# create an engine key for us +sed 's/PRIVATE KEY/TEST ENGINE KEY/' < ${top_srcdir}/sample/sample-keys/client.key > ${key} +echo "$password" > $pwdfile + +# note here we've induced a mismatch in the client key and the server +# cert which openvpn should report and die. Check that it does. Note +# also that this mismatch depends on openssl not openvpn, so it is +# somewhat fragile +${top_builddir}/src/openvpn/openvpn --cd ${top_srcdir}/sample --config sample-config-files/loopback-server --engine testengine --key ${key} --askpass $pwdfile > log.txt 2>&1 + +# first off check we died because of a key mismatch. If this doesn't +# pass, suspect openssl of returning different messages and update the +# test accordingly +grep -q 'X509_check_private_key:key values mismatch' log.txt || { echo "Key mismatch not detected"; exit 1; } + +# now look for the engine prints (these are under our control) +grep -q 'ENGINE: engine_init called' log.txt || { echo "Engine initialization not detected"; exit 1; } +grep -q 'ENGINE: engine_load_key called' log.txt || { echo "Key was not loaded from engine"; exit 1; } +grep -q "ENGINE: engine_load_key got password ${password}" log.txt || { echo "Key password was not retrieved by the engine"; exit 1; } +exit 0 diff --git a/tests/unit_tests/engine-key/libtestengine.c b/tests/unit_tests/engine-key/libtestengine.c new file mode 100644 index 00000000..46ec1e33 --- /dev/null +++ b/tests/unit_tests/engine-key/libtestengine.c @@ -0,0 +1,101 @@ +#include +#include +#include +#include + +static char *engine_id = "testengine"; +static char *engine_name = "Engine for testing openvpn engine key support"; + +static int is_initialized = 0; + +static int engine_init(ENGINE *e) +{ + is_initialized = 1; + fprintf(stderr, "ENGINE: engine_init called\n"); + return 1; +} + +static int engine_finish(ENGINE *e) +{ + fprintf(stderr, "ENGINE: engine_finsh called\n"); + is_initialized = 0; + return 1; +} + +static EVP_PKEY *engine_load_key(ENGINE *e, const char *key_id, + UI_METHOD *ui_method, void *cb_data) +{ + BIO *b; + EVP_PKEY *pkey; + PKCS8_PRIV_KEY_INFO *p8inf; + UI *ui; + char auth[256]; + + fprintf(stderr, "ENGINE: engine_load_key called\n"); + + if (!is_initialized) { + fprintf(stderr, "Load Key called without correct initialization\n"); + return NULL; + } + b = BIO_new_file(key_id, "r"); + if (!b) { + fprintf(stderr, "File %s does not exist or cannot be read\n", key_id); + return 0; + } + /* Basically read an EVP_PKEY private key file with different + * PEM guards --- we are a test engine */ + p8inf = PEM_ASN1_read_bio((d2i_of_void *)d2i_PKCS8_PRIV_KEY_INFO, + "TEST ENGINE KEY", b, + NULL, NULL, NULL); + BIO_free(b); + if (!p8inf) { + fprintf(stderr, "Failed to read engine private key\n"); + return NULL; + } + pkey = EVP_PKCS82PKEY(p8inf); + + /* now we have a private key, pretend it had a password + * this verifies the password makes it through openvpn OK */ + ui = UI_new(); + + if (ui_method) + UI_set_method(ui, ui_method); + + UI_add_user_data(ui, cb_data); + + if (UI_add_input_string(ui, "enter test engine key", + UI_INPUT_FLAG_DEFAULT_PWD, + auth, 0, sizeof(auth)) == 0) { + fprintf(stderr, "UI_add_input_string failed\n"); + goto out; + } + + if (UI_process(ui)) { + fprintf(stderr, "UI_process failed\n"); + goto out; + } + + fprintf(stderr, "ENGINE: engine_load_key got password %s\n", auth); + + out: + UI_free(ui); + + return pkey; +} + + +static int engine_bind_fn(ENGINE *e, const char *id) +{ + if (id && strcmp(id, engine_id) != 0) + return 0; + if (!ENGINE_set_id(e, engine_id) || + !ENGINE_set_name(e, engine_name) || + !ENGINE_set_init_function(e, engine_init) || + !ENGINE_set_finish_function(e, engine_finish) || + !ENGINE_set_load_privkey_function(e, engine_load_key)) + return 0; + return 1; +} + +IMPLEMENT_DYNAMIC_CHECK_FN() +IMPLEMENT_DYNAMIC_BIND_FN(engine_bind_fn) diff --git a/tests/unit_tests/engine-key/openssl.cnf.in b/tests/unit_tests/engine-key/openssl.cnf.in new file mode 100644 index 00000000..93edd483 --- /dev/null +++ b/tests/unit_tests/engine-key/openssl.cnf.in @@ -0,0 +1,12 @@ +HOME = . +openssl_conf = openssl_init + +[req] +[openssl_init] +engines = engines_section + +[engines_section] +testengine = testengine_section + +[testengine_section] +dynamic_path = $ENV::srcdir/.libs/libtestengineSHREXT