From patchwork Tue Jul 2 14:19:38 2019
X-Patchwork-Submitter: Daniel Kobras
X-Patchwork-Id: 1126269
To: hostap@lists.infradead.org
From: Daniel Kobras
Organization: Puzzle ITC Deutschland GmbH
Subject: [PATCH] OpenSSL: add support for TPM2-wrapped keys
Message-ID: <8fd6383f-74f5-64d0-c023-e59823a4d138@puzzle-itc.de>
Date: Tue, 2 Jul 2019 16:19:38 +0200
Cc: David Woodhouse

If the header of a PEM-formatted cert or key indicates that it is wrapped with a TPM2 key, try to autoload the
appropriate OpenSSL engine that can transparently unwrap the key. This enables systems to use TPM2-wrapped keys as drop-in replacements to ordinary SSL keys.

Signed-off-by: Daniel Kobras

---

Hi!

This patch adds support for TPM2-wrapped keys, similar to what David Woodhouse did in openconnect, and suggested earlier on this list for wpa_supplicant as well. It requires https://git.kernel.org/pub/scm/linux/kernel/git/jejb/openssl_tpm2_engine.git/ to be installed as an openssl engine.

The match_line_in_file() helper function is rather generic. If there's a better place to put it, please let me know.

Kind regards,

Daniel

---

src/crypto/tls_openssl.c | 74 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 73 insertions(+), 1 deletion(-)

#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) if (params->flags & TLS_CONN_EAP_FAST) { @@ -4903,7 +4975,7 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, } if (engine_id) { - wpa_printf(MSG_DEBUG, "SSL: Initializing TLS engine"); + wpa_printf(MSG_DEBUG, "SSL: Initializing TLS engine %s", engine_id); ret = tls_engine_init(conn, engine_id, params->pin, key_id, cert_id, ca_cert_id); if (ret) diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index 1073f6450..7f61f7560 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c
@@ -4819,6 +4819,67 @@ static int ocsp_status_cb(SSL *s, void *arg) #endif /* HAVE_OCSP */ +static int match_lines_in_file(const char *path, const char **lines) +{ + FILE *f = NULL; + const char **p; + char *buf; + size_t bufsize = 0; + int found, is_linestart; + + if (!path || !lines || !*lines) + return 0; + + for (p = lines; *p; p++) { + size_t size = strlen(*p) + sizeof("\r\n"); + bufsize = (size > bufsize) ? size : bufsize; + } + + buf = os_malloc(bufsize); + if (!buf) + return 0; + + f = fopen(path, "r"); + if (!f) { + os_free(buf); + return 0; + } + + found = 0; + is_linestart = 1; + + while (!found && fgets(buf, bufsize, f)) { + int is_lineend; + size_t buflen = strlen(buf); + + buf[strcspn(buf, "\r\n")] = '\0'; + is_lineend = strlen(buf) < buflen; + + if (is_linestart && is_lineend) { + for (p = lines; !found && *p; p++) { + found = !os_strcmp(buf, *p); + } + } + is_linestart = is_lineend; + } + + fclose(f); + os_free(buf); + + return found; +} + +static int is_tpm2_key(const char *path) +{ + /* Check both new and old format of TPM2 PEM guard tag */ + const char *tpm2_tags[] = { + "-----BEGIN TSS2 PRIVATE KEY-----", + "-----BEGIN TSS2 KEY BLOB-----", + NULL + }; + + return match_lines_in_file(path, tpm2_tags); +} int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, const struct tls_connection_params *params) @@ -4872,6 +4933,17 @@ int tls_connection_set_params(void *tls_ctx, struct tls_connection *conn, if (can_pkcs11 == 2 && !engine_id) engine_id = "pkcs11"; + /* If private_key points to a TPM2-wrapped key, automatically enable + * tpm2 engine and use it to unwrap the key. */ + if (!engine_id || os_strcmp(engine_id, "tpm2")) { + if (is_tpm2_key(params->private_key)) { + wpa_printf(MSG_DEBUG, "OpenSSL: Found TPM2 wrapped key %s", + params->private_key); + key_id = key_id ? key_id : params->private_key; + engine_id = engine_id ? engine_id : "tpm2"; + } + } + #if defined(EAP_FAST) || defined(EAP_FAST_DYNAMIC) || defined(EAP_SERVER_FAST)
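Review bot: match_lines_in_file() in the @@ -4819 hunk only compares a line once is_lineend is set, so a guard tag sitting on the last line of a file that has no trailing newline (strcspn() strips nothing, so `is_lineend = strlen(buf) < buflen` stays 0) is never matched; either treat feof(f) after the final fgets() as a line end, or document that the tag line must be newline-terminated. The helper would also benefit from a short comment above it stating that it matches whole lines only and that is_linestart exists to skip the continuation chunks fgets() produces for lines longer than the longest tag; note the cover letter calls it match_line_in_file() while the code defines match_lines_in_file(). Style: `for (p = lines; !found && *p; p++) { found = !os_strcmp(buf, *p); }` wraps a single statement in braces, and the strlen() calls could be os_strlen() to match the os_strcmp()/os_malloc() wrappers used in the same function.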
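Review bot: in the @@ -4872 hunk the condition `if (!engine_id || os_strcmp(engine_id, "tpm2"))` also runs the probe when engine_id is already set to a different engine (for instance "pkcs11", assigned on the line just above when can_pkcs11 == 2); in that case the block logs "Found TPM2 wrapped key" but `engine_id = engine_id ? engine_id : "tpm2"` keeps the other engine, so the message is misleading and the key will not be unwrapped by the tpm2 engine. Either restrict the block to `!engine_id`, or log at MSG_WARNING that the configured engine does not match the key format. The comment should also say why the key file path is reused as key_id (`key_id = key_id ? key_id : params->private_key`), and that for non-file private_key values the probe silently returns 0 because fopen() in the helper fails.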