From patchwork Tue Dec 5 08:47:27 2017
X-Patchwork-Submitter: James Bottomley
X-Patchwork-Id: 135
Message-ID: <1512503247.3019.30.camel@HansenPartnership.com>
From: James Bottomley
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 05 Dec 2017 11:47:27 -0800
In-Reply-To: <1512503184.3019.29.camel@HansenPartnership.com>
References: <1512503184.3019.29.camel@HansenPartnership.com>
Subject: [Openvpn-devel] [PATCH v2 1/1] openssl: add engine method for loading the key

As well as doing crypto acceleration, engines can also be used to load key files. If the engine is set, and the private key loading fails for bio methods, this patch makes openvpn try to get the engine to load the key. If that succeeds, we end up using an engine-based key. This can be used with the openssl tpm engines to make openvpn use a TPM-wrapped key file.

Signed-off-by: James Bottomley

---
v2: add better configuration guarding
---
 src/openvpn/crypto_openssl.c | 55 ++++++++++++++++++++++++++++++++++++++++++++
 src/openvpn/crypto_openssl.h | 12 ++++++++++
 src/openvpn/ssl_openssl.c | 6 ++++-
 3 files changed, 72 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 20a519ec..d3f35030 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -969,4 +969,59 @@ hmac_ctx_final(HMAC_CTX *ctx, uint8_t *dst) HMAC_Final(ctx, dst, &in_hmac_len); } +#if HAVE_OPENSSL_ENGINE +static int +ui_read(UI *ui, UI_STRING *uis) +{ + SSL_CTX *ctx = UI_get0_user_data(ui); + + if (UI_get_string_type(uis) == UIT_PROMPT) { + pem_password_cb *cb = SSL_CTX_get_default_passwd_cb(ctx); + void *d = SSL_CTX_get_default_passwd_cb_userdata(ctx); + char password[64]; + + cb(password, sizeof(password), 0, d); + UI_set_result(ui, uis, password); + + return 1; + } + return 0; +} +#endif + +EVP_PKEY * +engine_load_key(const char *file, SSL_CTX *ctx) +{ +#if HAVE_OPENSSL_ENGINE + UI_METHOD *ui; + EVP_PKEY *pkey; + + if (!engine_persist) + return NULL; + + ui = UI_create_method("openvpn"); + + if (!ui) + return NULL; + + UI_method_set_reader(ui, ui_read); + + ERR_clear_error(); /* BIO read failure */ + if (!ENGINE_init(engine_persist)) { + ERR_print_errors_fp(stderr); + pkey = NULL; + goto out; + } + pkey = ENGINE_load_private_key(engine_persist, file, ui, ctx); + ENGINE_finish(engine_persist); + if (!pkey) + ERR_print_errors_fp(stderr); + out: + UI_destroy_method(ui); + return pkey; +#else + return NULL; +#endif +} + #endif /* ENABLE_CRYPTO_OPENSSL */ diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h index 60a28123..759dc927 100644 --- a/src/openvpn/crypto_openssl.h +++ b/src/openvpn/crypto_openssl.h @@ -101,5 +101,17 @@ void crypto_print_openssl_errors(const unsigned int flags); msg((flags), __VA_ARGS__); \ } while (false) +/** + * Load a key file from an engine + * + * @param file The engine file to load + * @param ui The UI method for the password prompt + * @param data The data to pass to the UI method + * + * @return The private key if successful or NULL if not + */ +EVP_PKEY * +engine_load_key(const char *file, SSL_CTX *ctx); + #endif /* CRYPTO_OPENSSL_H_ */ diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 34c31b9d..757515c8 100644 --- a/src/openvpn/ssl_openssl.c 
+++ b/src/openvpn/ssl_openssl.c @@ -873,7 +873,11 @@ tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file, SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx)); if (!pkey) { - goto end; + pkey = engine_load_key(priv_key_file, ctx->ctx); + if (!pkey) + { + goto end; + } } if (!SSL_CTX_use_PrivateKey(ssl_ctx, pkey))
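Review bot: In the crypto_openssl.c hunk, ui_read never checks the password callback it invokes: `pem_password_cb *cb = SSL_CTX_get_default_passwd_cb(ctx)` can be NULL when no callback was installed on the context, and `cb(password, sizeof(password), 0, d)` returns the passphrase length (negative on failure) rather than guaranteeing a NUL-terminated string, yet the 64-byte stack buffer is passed to UI_set_result unconditionally. Check cb for NULL, fail the read on a negative return, terminate the buffer at the returned length, and wipe it before returning so the passphrase does not linger on the stack. In engine_load_key, errors are written with ERR_print_errors_fp(stderr) instead of going through openvpn's msg() logging (the crypto_openssl.h hunk shows crypto_print_openssl_errors() exists for exactly this), which loses them when running as a daemon; and ERR_clear_error() discards the BIO read failure before the engine path is even attempted, so the original PEM error is never reported to the user. Style: the new code uses `if (...) {` with the brace on the same line and brace-less single statements such as `if (!ui) return NULL;`, whereas the ssl_openssl.c hunk and the surrounding file put braces on their own lines around every body; please match that.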
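Review bot: In the crypto_openssl.h hunk, the doxygen block documents parameters `ui` and `data` that the prototype `engine_load_key(const char *file, SSL_CTX *ctx)` does not have, and says nothing about `ctx`, which is where the password callback and its userdata are taken from. Update the @param lines to match the actual signature (file, ctx) and state that NULL is returned both when no engine is configured and when the engine fails to load the key, since the caller cannot distinguish the two.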
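Review bot: In the ssl_openssl.c hunk, the fallback `pkey = engine_load_key(priv_key_file, ctx->ctx);` runs on every failure of the BIO-based private key load, not only when the file is an engine-specific key blob, so with an engine configured purely for acceleration a wrong passphrase or a corrupt PEM file now triggers a second, unrelated load attempt and the user sees engine errors instead of the real cause. Log or save the OpenSSL error from the PEM read before calling engine_load_key(), and keep that original message when the engine attempt also fails. The braced `if (!pkey) { goto end; }` matches the file's style, so nothing to change there.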