Re: engine format keys
Hi Geoff,

> Alas I can't give you any off-the-top hints about UI_METHOD because I
> haven't used it myself, so I've CC'd Richard who is the guy who did
> UI_METHOD. Richard, if there's anything obvious in the above snippet
> please feel free to comment. However I'd suggest taking this over to
> the openssl-dev mail list Kent - then Richard and/or others can follow
> up more meaningfully (and the subsequent discussion might be useful
> for ongoing development).

I haven't had time to go back and play with it much, but last time I
tried, this program didn't compile:

    #include <stdlib.h>
    #include <openssl/ui.h>

    int main(void)
    {
        /* does not compile: UI_STRING is an incomplete type in ui.h */
        UI_STRING *ui = malloc(sizeof(UI_STRING));
        return 0;
    }

I was going on the assumption that I'd need to stuff the secret pulled
in from the modssl callback into a UI_STRING object though, perhaps this
is wrong...

Downloading 0.9.8a now...

Kent

--
Kent Yoder
IBM LTC Security Dev.

__
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                       modssl-users@modssl.org
Automated List Manager                              [EMAIL PROTECTED]
Re: engine format keys
Hi Kent,

On October 6, 2005 05:01 pm, Kent Yoder wrote:
> Yep, passphrase entry is at least part of the problem with calling
> ENGINE_load_private_key. After a few different attempts, I'm a bit
> stumped. The load key call wants a UI* passed to it, which eventually
> has UI_process() called on it by the engine. I've tried various ways
> of stuffing the modssl_read_bio_cb_fn pointer and the server rec into
> this structure, with a custom flush function which'd get called by
> UI_process. I haven't been able to test this approach yet, since it
> appears that openssl's UI_STRING and UI_METHOD structs aren't declared
> in a way that works in ui.h. For instance, any mention of
> sizeof(UI_STRING) brings an incomplete type error. Any help would be
> appreciated, I may not be using the ui interface correctly.

Alas I can't give you any off-the-top hints about UI_METHOD because I
haven't used it myself, so I've CC'd Richard who is the guy who did
UI_METHOD. Richard, if there's anything obvious in the above snippet
please feel free to comment. However I'd suggest taking this over to the
openssl-dev mail list Kent - then Richard and/or others can follow up
more meaningfully (and the subsequent discussion might be useful for
ongoing development).

Cheers,
Geoff

--
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/

Even those who do not feel they are among our own, no longer seeing us
on our knees, will be, more than ever, at home with us. -- Loco Locass
Re: engine format keys
> > Ah, right. You'll also need to ensure that the initialisation order
> > allows the engine to be properly initialised (including maybe some
> > control commands to prepare anything the engine needs) *before* the
> > key is loaded. I have a vague recollection that this isn't the case?
> > Though I could be wide of the mark here.
>
> I think init of the engine may be ok, but I'm not sure where my
> problem lies right now. Maybe in password input, or somewhere else...

Yep, passphrase entry is at least part of the problem with calling
ENGINE_load_private_key. After a few different attempts, I'm a bit
stumped. The load key call wants a UI* passed to it, which eventually
has UI_process() called on it by the engine. I've tried various ways of
stuffing the modssl_read_bio_cb_fn pointer and the server rec into this
structure, with a custom flush function which'd get called by
UI_process. I haven't been able to test this approach yet, since it
appears that openssl's UI_STRING and UI_METHOD structs aren't declared
in a way that works in ui.h. For instance, any mention of
sizeof(UI_STRING) brings an incomplete type error. Any help would be
appreciated, I may not be using the ui interface correctly.

Thanks,
Kent

> > > Ahh, I see. Thanks for the info. I guess the next step is to poke
> > > the apache2 guys for openssl 0.9.8 support. I did try compiling 2.1
> > > beta with it without luck.
> >
> > I'd suggest you contact Joe Orton - in fact he's probably on this
> > list too. If the 2.1 beta (and/or cvs HEAD) don't properly handle
> > 0.9.8, then there's a problem.
>
> Yep, I was wrong about this.. I'm working on 2.1.8 right now which
> compiles fine. I'll post when I can narrow down the problem any more.
>
> Thanks for the help,
> Kent

--
Kent Yoder
IBM LTC Security Dev.
Re: engine format keys
Hi Geoff,

> Sorry I didn't notice this earlier. I added some hooks to modssl ages
> ago to support engine ctrl-commands if that helps. In fact you may
> have to

Thanks for the patch. I don't think I'm going to be able to accomplish
what I wanted with control commands though. Basically I need my
engine's load_privkey function to be called if PEM_read_PrivateKey
fails, or perhaps explicitly with some option to modssl.

> jiggle with this patch if you want to update it to the latest mod_ssl
> version, but it may be easier than redoing it from scratch;
>
> http://www.geoffthorpe.net/crypto/
>
> If you get it running with a more recent version and feel like giving
> me a newer diff, I'd appreciate being able to replace the one on my
> site. I don't think Ralf wants to include this functionality now that
> mod_ssl is just in maintenance-mode and (kinda) deprecated in favour
> of apache2.

Ahh, I see. Thanks for the info. I guess the next step is to poke the
apache2 guys for openssl 0.9.8 support. I did try compiling 2.1 beta
with it without luck.

Updated patch attached...

Thanks,
Kent

> Cheers,
> Geoff
>
> --
> Geoff Thorpe
> [EMAIL PROTECTED]
> http://www.geoffthorpe.net/

--
Kent Yoder
IBM LTC Security Dev.

diff -urN mod_ssl-2.8.24-1.3.33/pkg.sslmod/mod_ssl.c mod_ssl-2.8.24-1.3.33-eng_ctrl/pkg.sslmod/mod_ssl.c
--- mod_ssl-2.8.24-1.3.33/pkg.sslmod/mod_ssl.c 2005-07-06 03:32:14.0 -0500
+++ mod_ssl-2.8.24-1.3.33-eng_ctrl/pkg.sslmod/mod_ssl.c 2005-10-03 21:42:52.739731294 -0500
@@ -96,6 +96,9 @@ AP_SRV_CMD(CryptoDevice, TAKE1, SSL external Crypto Device usage (`builtin', `...')) +AP_SRV_CMD(CryptoDeviceCtrl, TAKE12, + SSL external Crypto Device custom control commands + (`cmd[:arg] [pre|post]')) #endif AP_SRV_CMD(RandomSeed, TAKE23, SSL Pseudo Random Number Generator (PRNG) seeding source diff -urN mod_ssl-2.8.24-1.3.33/pkg.sslmod/mod_ssl.h mod_ssl-2.8.24-1.3.33-eng_ctrl/pkg.sslmod/mod_ssl.h --- mod_ssl-2.8.24-1.3.33/pkg.sslmod/mod_ssl.h 2005-07-06 03:32:14.0 -0500 +++ mod_ssl-2.8.24-1.3.33-eng_ctrl/pkg.sslmod/mod_ssl.h 2005-10-03 21:42:52.741731054 -0500 @@ -557,6 +557,7 @@ ssl_ds_table *tPrivateKey; #ifdef SSL_EXPERIMENTAL_ENGINE char *szCryptoDevice; +table *tCryptoDeviceCtrl; #endif struct { void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10; @@ -653,6 +654,7 @@ const char *ssl_cmd_SSLMutex(cmd_parms *, char *, char *); const char *ssl_cmd_SSLPassPhraseDialog(cmd_parms *, char *, char *); const char *ssl_cmd_SSLCryptoDevice(cmd_parms *, char *, char *); +const char *ssl_cmd_SSLCryptoDeviceCtrl(cmd_parms *, char *, char *, char *); const char *ssl_cmd_SSLRandomSeed(cmd_parms *, char *, char *, char *, char *); const char *ssl_cmd_SSLEngine(cmd_parms *, char *, int); const char *ssl_cmd_SSLCipherSuite(cmd_parms *, SSLDirConfigRec *, char *); diff -urN mod_ssl-2.8.24-1.3.33/pkg.sslmod/ssl_engine_config.c mod_ssl-2.8.24-1.3.33-eng_ctrl/pkg.sslmod/ssl_engine_config.c --- mod_ssl-2.8.24-1.3.33/pkg.sslmod/ssl_engine_config.c 2005-07-06 03:32:15.0 -0500 +++ mod_ssl-2.8.24-1.3.33-eng_ctrl/pkg.sslmod/ssl_engine_config.c 2005-10-03 21:42:52.743730814 -0500 @@ -142,6 +142,7 @@ mc-tTmpKeys = ssl_ds_table_make(pPool, sizeof(ssl_asn1_t)); #ifdef SSL_EXPERIMENTAL_ENGINE mc-szCryptoDevice = NULL; + mc-tCryptoDeviceCtrl = ap_make_table(pPool, 10); #endif (void)memset(mc-pTmpKeys, 0, SSL_TKPIDX_MAX*sizeof(void *)); 
@@ -473,6 +474,64 @@ return SSLCryptoDevice: Invalid argument; return NULL; } + +/* Our static variables get reset between first and second pass ... so this + * variable is mixed in key-value strings and incremented. On the second pass, + * the key-values will match so will replace, rather than supplement, the table + * entries. (All this to prevent getting two copies of everything?!) */ +static int braindead = 0; + +const char *ssl_cmd_SSLCryptoDeviceCtrl( +cmd_parms *cmd, char *struct_ptr, char *arg, char *prepost) +{ +SSLModConfigRec *mc = myModConfig(); +const char *err; +ENGINE *e; +char *colon, *value, *converted_arg, *converted_val; + +if ((err = ap_check_cmd_context(cmd, GLOBAL_ONLY)) != NULL) +return err; +if ((e = ENGINE_by_id(mc-szCryptoDevice)) == NULL) { +err = SSLCryptoDeviceCtrl: Must follow a valid engine; +goto end; +} +if (!ENGINE_ctrl(e, ENGINE_CTRL_HAS_CTRL_FUNCTION, 0, NULL, NULL)) { +err = SSLCryptoDeviceCtrl: The engine has no 'ctrl' handler; +goto end; +} +if(prepost) { +if(strcmp(prepost, pre) strcmp(prepost, post)) { +err = SSLCryptoDeviceCtrl: Only 'pre' and 'post are valid options; +goto
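Review bot: in the mod_ssl.c hunk (@@ -96,6 +96,9 @@), the help text for the new CryptoDeviceCtrl directive, `(`cmd[:arg] [pre|post]')`, does not say what 'pre' and 'post' are relative to (before or after the engine is initialised, presumably); spell that out in the help string, because whether a control command runs before the engine is initialised and before the key is loaded is exactly the ordering question raised in this thread.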
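Review bot: in the ssl_engine_config.c hunk (@@ -473,6 +474,64 @@), the error string `SSLCryptoDeviceCtrl: Only 'pre' and 'post are valid options` is missing the closing quote after post. The same function takes a structural reference from ENGINE_by_id() and then jumps to `end` on every later error; the `end` label is not in the visible part of the hunk, so confirm it calls ENGINE_free(e), otherwise each config pass leaks a reference. The `braindead` counter and its comment (second-pass entries must overwrite, not duplicate, the first pass) describe behaviour the directive's documentation should state, and the variable deserves a name that says what it is for.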
Re: engine format keys
On October 4, 2005 10:56 am, Kent Yoder wrote:
> Hi Geoff,
>
> > Sorry I didn't notice this earlier. I added some hooks to modssl
> > ages ago to support engine ctrl-commands if that helps. In fact you
> > may have to
>
> Thanks for the patch. I don't think I'm going to be able to
> accomplish what I wanted with control commands though. Basically I
> need my engine's load_privkey function to be called if
> PEM_read_PrivateKey fails, or perhaps explicitly with some option to
> modssl.

Ah, right. You'll also need to ensure that the initialisation order
allows the engine to be properly initialised (including maybe some
control commands to prepare anything the engine needs) *before* the key
is loaded. I have a vague recollection that this isn't the case? Though
I could be wide of the mark here.

> Ahh, I see. Thanks for the info. I guess the next step is to poke the
> apache2 guys for openssl 0.9.8 support. I did try compiling 2.1 beta
> with it without luck.

I'd suggest you contact Joe Orton - in fact he's probably on this list
too. If the 2.1 beta (and/or cvs HEAD) don't properly handle 0.9.8,
then there's a problem.

> Updated patch attached...

Thanks :-)

Cheers,
Geoff

--
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/
Re: engine format keys
Geoff,

> Ah, right. You'll also need to ensure that the initialisation order
> allows the engine to be properly initialised (including maybe some
> control commands to prepare anything the engine needs) *before* the
> key is loaded. I have a vague recollection that this isn't the case?
> Though I could be wide of the mark here.

I think init of the engine may be ok, but I'm not sure where my problem
lies right now. Maybe in password input, or somewhere else...

> > Ahh, I see. Thanks for the info. I guess the next step is to poke
> > the apache2 guys for openssl 0.9.8 support. I did try compiling 2.1
> > beta with it without luck.
>
> I'd suggest you contact Joe Orton - in fact he's probably on this list
> too. If the 2.1 beta (and/or cvs HEAD) don't properly handle 0.9.8,
> then there's a problem.

Yep, I was wrong about this.. I'm working on 2.1.8 right now which
compiles fine. I'll post when I can narrow down the problem any more.

Thanks for the help,
Kent
Re: engine format keys
This should be a relatively trivial change to ssl_pphrase_Handle()...
if szCryptoDevice is non-NULL, pass the private key path as the key_id
to ENGINE_load_private_key. If that fails, fall back to the normal PEM
loading code...

Kent

> I've been looking into enabling apache+mod_ssl to use hardware keys
> encrypted by a TPM. I have openssl's s_server test working using an
> openssl TPM engine [1] and trousers [2]. It looks like the key to
> getting this working in apache is support for engine format keys in
> mod_ssl. Is there any interest in enabling engine format keys in
> mod_ssl, or, is there another path to accomplish what I'm trying to
> do?
>
> Thanks,
> Kent
>
> [1] http://cvs.sourceforge.net/viewcvs.py/trousers/applications/openssl_tpm_engine/
> [2] http://trousers.sf.net

--
Kent Yoder
IBM LTC Security Dev.
Re: engine format keys
Hi Kent,

On September 29, 2005 12:28 pm, Kent Yoder wrote:
> I've been looking into enabling apache+mod_ssl to use hardware keys
> encrypted by a TPM. I have openssl's s_server test working using an
> openssl TPM engine [1] and trousers [2]. It looks like the key to
> getting this working in apache is support for engine format keys in
> mod_ssl. Is there any interest in enabling engine format keys in
> mod_ssl, or, is there another path to accomplish what I'm trying to
> do?

Sorry I didn't notice this earlier. I added some hooks to modssl ages
ago to support engine ctrl-commands if that helps. In fact you may have
to jiggle with this patch if you want to update it to the latest
mod_ssl version, but it may be easier than redoing it from scratch;

http://www.geoffthorpe.net/crypto/

If you get it running with a more recent version and feel like giving
me a newer diff, I'd appreciate being able to replace the one on my
site. I don't think Ralf wants to include this functionality now that
mod_ssl is just in maintenance-mode and (kinda) deprecated in favour of
apache2.

Cheers,
Geoff

--
Geoff Thorpe
[EMAIL PROTECTED]
http://www.geoffthorpe.net/