OpenVPN
pkcs11_openssl.c
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2024 OpenVPN Inc <sales@openvpn.net>
9  * Copyright (C) 2010-2021 Fox Crypto B.V. <openvpn@foxcrypto.com>
10  *
11  * This program is free software; you can redistribute it and/or modify
12  * it under the terms of the GNU General Public License version 2
13  * as published by the Free Software Foundation.
14  *
15  * This program is distributed in the hope that it will be useful,
16  * but WITHOUT ANY WARRANTY; without even the implied warranty of
17  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18  * GNU General Public License for more details.
19  *
20  * You should have received a copy of the GNU General Public License along
21  * with this program; if not, write to the Free Software Foundation, Inc.,
22  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
23  */
24 
30 #ifdef HAVE_CONFIG_H
31 #include "config.h"
32 #endif
33 
34 #include "syshead.h"
35 
36 #if defined(ENABLE_PKCS11) && defined(ENABLE_CRYPTO_OPENSSL)
37 
38 #include "errlevel.h"
39 #include "pkcs11_backend.h"
40 #include "ssl_verify.h"
41 #include "xkey_common.h"
42 #include <pkcs11-helper-1.0/pkcs11h-openssl.h>
43 
44 #ifdef HAVE_XKEY_PROVIDER
45 static XKEY_EXTERNAL_SIGN_fn xkey_pkcs11h_sign;
46 
47 #if PKCS11H_VERSION > ((1<<16) | (27<<8)) /* version > 1.27 */
48 
49 /* Table linking OpenSSL digest NID with CKM and CKG constants in PKCS#11 */
50 #define MD_TYPE(n) {NID_sha ## n, CKM_SHA ## n, CKG_MGF1_SHA ## n}
51 static const struct
52 {
53  int nid;
54  unsigned long ckm_id;
55  unsigned long mgf_id;
56 } mdtypes[] = {MD_TYPE(224), MD_TYPE(256), MD_TYPE(384), MD_TYPE(512),
57  {NID_sha1, CKM_SHA_1, CKG_MGF1_SHA1}, /* SHA_1 naming is an oddity */
58  {NID_undef, 0, 0}};
59 
60 /* From sigalg, derive parameters for pss signature and fill in pss_params.
61  * Its of type CK_RSA_PKCS_PSS_PARAMS struct with three fields to be filled in:
62  * {enum hashAlg, enum mgf, ulong sLen}
63  * where hashAlg is CKM_SHA256 etc., mgf is CKG_MGF1_SHA256 etc.
64  */
65 static int
66 set_pss_params(CK_RSA_PKCS_PSS_PARAMS *pss_params, XKEY_SIGALG sigalg,
67  pkcs11h_certificate_t cert)
68 {
69  int ret = 0;
70  X509 *x509 = NULL;
71  EVP_PKEY *pubkey = NULL;
72 
73  if ((x509 = pkcs11h_openssl_getX509(cert)) == NULL
74  || (pubkey = X509_get0_pubkey(x509)) == NULL)
75  {
76  msg(M_WARN, "PKCS#11: Unable get public key");
77  goto cleanup;
78  }
79 
80  /* map mdname to CKM and CKG constants for hash and mgf algorithms */
81  int i = 0;
82  int nid = OBJ_sn2nid(sigalg.mdname);
83  while (mdtypes[i].nid != NID_undef && mdtypes[i].nid != nid)
84  {
85  i++;
86  }
87  pss_params->hashAlg = mdtypes[i].ckm_id;
88  pss_params->mgf = mdtypes[i].mgf_id;
89 
90  /* determine salt length */
91  const EVP_MD *md = EVP_get_digestbyname(sigalg.mdname);
92  if (!md)
93  {
94  msg(M_WARN, "WARN: set_pss_params: EVP_get_digestbyname returned NULL "
95  "for mdname = <%s>", sigalg.mdname);
96  goto cleanup;
97  }
98  int mdsize = EVP_MD_get_size(md);
99 
100  int saltlen = -1;
101  if (!strcmp(sigalg.saltlen, "digest")) /* same as digest size */
102  {
103  saltlen = mdsize;
104  }
105  else if (!strcmp(sigalg.saltlen, "max")) /* maximum possible value */
106  {
107  saltlen = xkey_max_saltlen(EVP_PKEY_get_bits(pubkey), mdsize);
108  }
109 
110  if (saltlen < 0 || pss_params->hashAlg == 0)
111  {
112  msg(M_WARN, "WARN: invalid RSA_PKCS1_PSS parameters: saltlen = <%s> "
113  "mdname = <%s>.", sigalg.saltlen, sigalg.mdname);
114  goto cleanup;
115  }
116  pss_params->sLen = (unsigned long) saltlen; /* saltlen >= 0 at this point */
117 
118  msg(D_XKEY, "set_pss_params: sLen = %lu, hashAlg = %lu, mgf = %lu",
119  pss_params->sLen, pss_params->hashAlg, pss_params->mgf);
120 
121  ret = 1;
122 
123 cleanup:
124  if (x509)
125  {
126  X509_free(x509);
127  }
128  return ret;
129 }
130 
131 #else /* if PKCS11H_VERSION > ((1<<16) | (27<<8)) */
132 
133 /* Make set_pss_params a no-op that always succeeds */
134 #define set_pss_params(...) (1)
135 
136 /* Use a wrapper for pkcs11h_certificate_signAny_ex() for versions < 1.28
137  * where its not available.
138  * We just call pkcs11h_certificate_signAny() unless the padding
139  * is PSS in which case we return an error.
140  */
141 static CK_RV
142 pkcs11h_certificate_signAny_ex(const pkcs11h_certificate_t cert,
143  const CK_MECHANISM *mech, const unsigned char *tbs,
144  size_t tbslen, unsigned char *sig, size_t *siglen)
145 {
146  if (mech->mechanism == CKM_RSA_PKCS_PSS)
147  {
148  msg(M_NONFATAL, "PKCS#11: Error: PSS padding is not supported by "
149  "this version of pkcs11-helper library.");
150  return CKR_MECHANISM_INVALID;
151  }
152  return pkcs11h_certificate_signAny(cert, mech->mechanism, tbs, tbslen, sig, siglen);
153 }
154 #endif /* PKCS11H_VERSION > 1.27 */
155 
161 static int
162 xkey_pkcs11h_sign(void *handle, unsigned char *sig,
163  size_t *siglen, const unsigned char *tbs, size_t tbslen, XKEY_SIGALG sigalg)
164 {
165  pkcs11h_certificate_t cert = handle;
166  CK_MECHANISM mech = {CKM_RSA_PKCS, NULL, 0}; /* default value */
167  CK_RSA_PKCS_PSS_PARAMS pss_params = {0};
168 
169  unsigned char buf[EVP_MAX_MD_SIZE];
170  size_t buflen = 0;
171  size_t siglen_max = *siglen;
172 
173  unsigned char enc[EVP_MAX_MD_SIZE + 32]; /* 32 bytes enough for DigestInfo header */
174  size_t enc_len = sizeof(enc);
175 
176  if (!strcmp(sigalg.op, "DigestSign"))
177  {
178  msg(D_XKEY, "xkey_pkcs11h_sign: computing digest");
179  if (xkey_digest(tbs, tbslen, buf, &buflen, sigalg.mdname))
180  {
181  tbs = buf;
182  tbslen = (size_t) buflen;
183  sigalg.op = "Sign";
184  }
185  else
186  {
187  return 0;
188  }
189  }
190 
191  if (!strcmp(sigalg.keytype, "EC"))
192  {
193  msg(D_XKEY, "xkey_pkcs11h_sign: signing with EC key");
194  mech.mechanism = CKM_ECDSA;
195  }
196  else if (!strcmp(sigalg.keytype, "RSA"))
197  {
198  msg(D_XKEY, "xkey_pkcs11h_sign: signing with RSA key: padmode = %s",
199  sigalg.padmode);
200  if (!strcmp(sigalg.padmode, "none"))
201  {
202  mech.mechanism = CKM_RSA_X_509;
203  }
204  else if (!strcmp(sigalg.padmode, "pss"))
205  {
206  mech.mechanism = CKM_RSA_PKCS_PSS;
207 
208  if (!set_pss_params(&pss_params, sigalg, cert))
209  {
210  return 0;
211  }
212 
213  mech.pParameter = &pss_params;
214  mech.ulParameterLen = sizeof(pss_params);
215  }
216  else if (!strcmp(sigalg.padmode, "pkcs1"))
217  {
218  /* CMA_RSA_PKCS needs pkcs1 encoded digest */
219 
220  if (!encode_pkcs1(enc, &enc_len, sigalg.mdname, tbs, tbslen))
221  {
222  return 0;
223  }
224  tbs = enc;
225  tbslen = enc_len;
226  }
227  else /* should not happen */
228  {
229  msg(M_WARN, "PKCS#11: Unknown padmode <%s>", sigalg.padmode);
230  }
231  }
232  else
233  {
234  ASSERT(0); /* coding error -- we couldnt have created any such key */
235  }
236 
237  if (CKR_OK != pkcs11h_certificate_signAny_ex(cert, &mech,
238  tbs, tbslen, sig, siglen))
239  {
240  return 0;
241  }
242  if (strcmp(sigalg.keytype, "EC"))
243  {
244  return 1;
245  }
246 
247  /* For EC keys, pkcs11 returns signature as r|s: convert to der encoded */
248  int derlen = ecdsa_bin2der(sig, (int) *siglen, siglen_max);
249 
250  if (derlen <= 0)
251  {
252  return 0;
253  }
254  *siglen = derlen;
255 
256  return 1;
257 }
258 
259 /* wrapper for handle free */
260 static void
261 xkey_handle_free(void *handle)
262 {
263  pkcs11h_certificate_freeCertificate(handle);
264 }
265 
266 
277 static int
278 xkey_load_from_pkcs11h(pkcs11h_certificate_t certificate,
279  struct tls_root_ctx *const ctx)
280 {
281  int ret = 0;
282 
283  X509 *x509 = pkcs11h_openssl_getX509(certificate);
284  if (!x509)
285  {
286  msg(M_WARN, "PKCS#11: Unable get x509 certificate object");
287  return 0;
288  }
289 
290  EVP_PKEY *pubkey = X509_get0_pubkey(x509);
291 
292  XKEY_PRIVKEY_FREE_fn *free_op = xkey_handle_free; /* it calls pkcs11h_..._freeCertificate() */
293  XKEY_EXTERNAL_SIGN_fn *sign_op = xkey_pkcs11h_sign;
294 
295  EVP_PKEY *pkey = xkey_load_generic_key(tls_libctx, certificate, pubkey, sign_op, free_op);
296  if (!pkey)
297  {
298  msg(M_WARN, "PKCS#11: Failed to load private key into xkey provider");
299  goto cleanup;
300  }
301  /* provider took ownership of the pkcs11h certificate object -- do not free below */
302  certificate = NULL;
303 
304  if (!SSL_CTX_use_cert_and_key(ctx->ctx, x509, pkey, NULL, 0))
305  {
306  crypto_print_openssl_errors(M_WARN);
307  msg(M_FATAL, "PKCS#11: Failed to set cert and private key for OpenSSL");
308  goto cleanup;
309  }
310  ret = 1;
311 
312 cleanup:
313  if (x509)
314  {
315  X509_free(x509);
316  }
317  if (pkey)
318  {
319  EVP_PKEY_free(pkey);
320  }
321  if (certificate)
322  {
323  pkcs11h_certificate_freeCertificate(certificate);
324  }
325  return ret;
326 }
327 #endif /* HAVE_XKEY_PROVIDER */
328 
329 int
330 pkcs11_init_tls_session(pkcs11h_certificate_t certificate,
331  struct tls_root_ctx *const ssl_ctx)
332 {
333 
334 #ifdef HAVE_XKEY_PROVIDER
335  return (xkey_load_from_pkcs11h(certificate, ssl_ctx) == 0); /* inverts the return value */
336 #else
337  int ret = 1;
338 
339  X509 *x509 = NULL;
340  EVP_PKEY *evp = NULL;
341  pkcs11h_openssl_session_t openssl_session = NULL;
342 
343  if ((openssl_session = pkcs11h_openssl_createSession(certificate)) == NULL)
344  {
345  msg(M_WARN, "PKCS#11: Cannot initialize openssl session");
346  goto cleanup;
347  }
348 
349  /*
350  * Will be released by openssl_session
351  */
352  certificate = NULL;
353 
354  if ((evp = pkcs11h_openssl_session_getEVP(openssl_session)) == NULL)
355  {
356  msg(M_WARN, "PKCS#11: Unable get evp object");
357  goto cleanup;
358  }
359 
360  if ((x509 = pkcs11h_openssl_session_getX509(openssl_session)) == NULL)
361  {
362  msg(M_WARN, "PKCS#11: Unable get certificate object");
363  goto cleanup;
364  }
365 
366  if (!SSL_CTX_use_PrivateKey(ssl_ctx->ctx, evp))
367  {
368  msg(M_WARN, "PKCS#11: Cannot set private key for openssl");
369  goto cleanup;
370  }
371 
372  if (!SSL_CTX_use_certificate(ssl_ctx->ctx, x509))
373  {
374  crypto_print_openssl_errors(M_WARN);
375  msg(M_FATAL, "PKCS#11: Cannot set certificate for openssl");
376  goto cleanup;
377  }
378  ret = 0;
379 
380 cleanup:
381  /*
382  * Certificate freeing is usually handled by openssl_session.
383  * If something went wrong, creating the session we have to do it manually.
384  */
385  if (certificate != NULL)
386  {
387  pkcs11h_certificate_freeCertificate(certificate);
388  certificate = NULL;
389  }
390 
391  /*
392  * openssl objects have reference
393  * count, so release them
394  */
395  X509_free(x509);
396  x509 = NULL;
397 
398  EVP_PKEY_free(evp);
399  evp = NULL;
400 
401  if (openssl_session != NULL)
402  {
403  pkcs11h_openssl_freeSession(openssl_session);
404  openssl_session = NULL;
405  }
406  return ret;
407 #endif /* ifdef HAVE_XKEY_PROVIDER */
408 }
409 
410 char *
411 pkcs11_certificate_dn(pkcs11h_certificate_t certificate, struct gc_arena *gc)
412 {
413  X509 *x509 = NULL;
414 
415  char *dn = NULL;
416 
417  if ((x509 = pkcs11h_openssl_getX509(certificate)) == NULL)
418  {
419  msg(M_FATAL, "PKCS#11: Cannot get X509");
420  goto cleanup;
421  }
422 
423  dn = x509_get_subject(x509, gc);
424 
425 cleanup:
426  X509_free(x509);
427  x509 = NULL;
428 
429  return dn;
430 }
431 
432 int
433 pkcs11_certificate_serial(pkcs11h_certificate_t certificate, char *serial,
434  size_t serial_len)
435 {
436  X509 *x509 = NULL;
437  BIO *bio = NULL;
438  int ret = 1;
439  int n;
440 
441  if ((x509 = pkcs11h_openssl_getX509(certificate)) == NULL)
442  {
443  msg(M_FATAL, "PKCS#11: Cannot get X509");
444  goto cleanup;
445  }
446 
447  if ((bio = BIO_new(BIO_s_mem())) == NULL)
448  {
449  msg(M_FATAL, "PKCS#11: Cannot create BIO");
450  goto cleanup;
451  }
452 
453  i2a_ASN1_INTEGER(bio, X509_get_serialNumber(x509));
454  n = BIO_read(bio, serial, serial_len-1);
455 
456  if (n<0)
457  {
458  serial[0] = '\x0';
459  }
460  else
461  {
462  serial[n] = 0;
463  }
464 
465  ret = 0;
466 
467 cleanup:
468  X509_free(x509);
469  x509 = NULL;
470 
471  return ret;
472 }
473 #endif /* defined(ENABLE_PKCS11) && defined(ENABLE_OPENSSL) */
M_FATAL
#define M_FATAL
Definition: error.h:89
M_NONFATAL
#define M_NONFATAL
Definition: error.h:90
xkey_common.h
ssl_verify.h
ASSERT
#define ASSERT(x)
Definition: error.h:195
M_WARN
#define M_WARN
Definition: error.h:91
pkcs11_backend.h
errlevel.h
syshead.h
D_XKEY
#define D_XKEY
Definition: errlevel.h:117
gc_arena
Garbage collection arena used to keep track of dynamically allocated memory.
Definition: buffer.h:116
crypto_print_openssl_errors
void crypto_print_openssl_errors(const unsigned int flags)
Retrieve any occurred OpenSSL errors and print those errors.
Definition: crypto_openssl.c:236
tls_root_ctx
Structure that wraps the TLS context.
Definition: ssl_mbedtls.h:107
x509_get_subject
char * x509_get_subject(openvpn_x509_cert_t *cert, struct gc_arena *gc)
Definition: ssl_verify_openssl.c:368
config.h
tls_root_ctx::ctx
SSL_CTX * ctx
Definition: ssl_openssl.h:41
tls_libctx
OSSL_LIB_CTX * tls_libctx
Definition: ssl_openssl.c:79
msg
#define msg(flags,...)
Definition: error.h:144
gc
struct gc_arena gc
Definition: test_ssl.c:155
cleanup
static int cleanup(void **state)
Definition: test_pkcs11.c:290
Generated by   doxygen 1.8.17