From c01767cb15d100eb9159dc8bd96992ef133652d1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicol=C3=A1s=20Pernas=20Maradei?= Date: Sat, 11 Aug 2018 17:57:58 +0100 Subject: [PATCH] Add engine private key password support MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Some OpenSSL engines (selectable via tls_engine option) may require a password to make use of private keys created with them in the first place. The TPM engine for example, will require a password to access the underlying TPM's Storage Root Key (SRK), which is the root key of a hierarchy of keys associated with a TPM; it is generated within a TPM and is a non-migratable key. Each owned TPM contains a SRK, generated by the TPM at the request of the Owner. [1] By default, the engine will prompt the user to introduce the SRK password before any private keys created with the engine can be used. This could be inconvenient when running on an unattended system. Here's where the new tls_engine_kpass_sha option comes in handy. The user can specify a SHA1 hash of its engine private key password via command line or config file and it will be passed on to the engine directly. This commit adds support for both clients (libmosquitto) and broker. [1] https://goo.gl/qQoXBY Signed-off-by: Nicolás Pernas Maradei --- client/client_shared.c | 18 ++++++++++++++++++ client/client_shared.h | 1 + client/pub_client.c | 3 ++- client/sub_client.c | 3 ++- lib/cpp/mosquittopp.cpp | 5 +++++ lib/cpp/mosquittopp.h | 1 + lib/linker.version | 1 + lib/mosquitto.h | 21 +++++++++++++++++++++ lib/mosquitto_internal.h | 1 + lib/net_mosq.c | 18 ++++++++++++++++++ lib/net_mosq.h | 3 +++ lib/options.c | 14 ++++++++++++++ lib/util_mosq.c | 17 ++++++++++++++++- lib/util_mosq.h | 6 +++++- man/mosquitto.conf.5.xml | 11 +++++++++++ man/mosquitto_pub.1.xml | 13 +++++++++++++ man/mosquitto_sub.1.xml | 13 +++++++++++++ src/conf.c | 17 +++++++++++++++++ src/mosquitto_broker_internal.h | 1 + src/net.c | 18 +++++++++++++++++- 20 files changed, 180 insertions(+), 5 deletions(-) diff --git a/client/client_shared.c b/client/client_shared.c index 1179c567ba..c45280aef2 100644 --- a/client/client_shared.c +++ b/client/client_shared.c @@ -152,6 +152,7 @@ void client_config_cleanup(struct mosq_config *cfg) free(cfg->ciphers); free(cfg->tls_version); free(cfg->tls_engine); + free(cfg->tls_engine_kpass_sha); free(cfg->keyform); # ifdef WITH_TLS_PSK free(cfg->psk); @@ -314,6 +315,10 @@ int client_config_load(struct mosq_config *cfg, int pub_or_sub, int argc, char * fprintf(stderr, "Error: keyfile must be specified if keyform is.\n"); return 1; } + if((cfg->tls_engine_kpass_sha && (!cfg->keyform || !cfg->tls_engine))){ + fprintf(stderr, "Error: when using tls-engine-kpass-sha, both tls-engine and keyform must also be provided.\n"); + return 1; + } #endif #ifdef WITH_TLS_PSK if((cfg->cafile || cfg->capath) && cfg->psk){ @@ -439,6 +444,14 @@ int client_config_line_proc(struct mosq_config *cfg, int pub_or_sub, int argc, c cfg->tls_engine = strdup(argv[i+1]); } i++; + }else if(!strcmp(argv[i], "--tls-engine-kpass-sha")){ + if(i==argc-1){ + fprintf(stderr, "Error: --tls-engine-kpass-sha argument given but no kpass sha specified.\n\n"); + return 1; + }else{ + cfg->tls_engine_kpass_sha = strdup(argv[i+1]); + } + i++; #endif }else if(!strcmp(argv[i], "-C")){ if(pub_or_sub == CLIENT_PUB){ @@ -944,6 +957,11 @@ int client_opts_set(struct mosquitto *mosq, struct mosq_config *cfg) mosquitto_lib_cleanup(); return 1; } + if(cfg->tls_engine_kpass_sha && mosquitto_tls_engine_kpass_sha_set(mosq, cfg->tls_engine_kpass_sha)){ + if(!cfg->quiet) fprintf(stderr, "Error: Problem setting TLS engine key pass sha.\n"); + mosquitto_lib_cleanup(); + return 1; + } # ifdef WITH_TLS_PSK if(cfg->psk && mosquitto_tls_psk_set(mosq, cfg->psk, cfg->psk_identity, NULL)){ if(!cfg->quiet) fprintf(stderr, "Error: Problem setting TLS-PSK options.\n"); diff --git a/client/client_shared.h b/client/client_shared.h index 789664a417..9c6b13887d 100644 --- a/client/client_shared.h +++ b/client/client_shared.h @@ -67,6 +67,7 @@ struct mosq_config { bool insecure; char *tls_version; char *tls_engine; + char *tls_engine_kpass_sha; char *keyform; # ifdef WITH_TLS_PSK char *psk; diff --git a/client/pub_client.c b/client/pub_client.c index ed6263d61c..6997675e66 100644 --- a/client/pub_client.c +++ b/client/pub_client.c @@ -224,7 +224,7 @@ void print_usage(void) #ifdef WITH_TLS printf(" [{--cafile file | --capath dir} [--cert file] [--key file]\n"); printf(" [--ciphers ciphers] [--insecure] [--tls-engine engine]\n"); - printf(" [--keyform keyform]]\n"); + printf(" [--keyform keyform] [--tls-engine-kpass-sha]]\n"); #ifdef WITH_TLS_PSK printf(" [--psk hex-key --psk-identity identity [--ciphers ciphers]]\n"); #endif @@ -284,6 +284,7 @@ void print_usage(void) printf(" remote host is the server you wish to connect to and so is insecure.\n"); printf(" Do not use this option in a production environment.\n"); printf(" --tls-engine : toggles the usage of a SSL engine device.\n"); + printf(" --tls-engine-kpass-sha : SHA1 of the key password to be used with the selected SSL engine.\n"); # ifdef WITH_TLS_PSK printf(" --psk : pre-shared-key in hexadecimal (no leading 0x) to enable TLS-PSK mode.\n"); printf(" --psk-identity : client identity string for TLS-PSK mode.\n"); diff --git a/client/sub_client.c b/client/sub_client.c index 66a090ee82..e1854d7f5a 100644 --- a/client/sub_client.c +++ b/client/sub_client.c @@ -155,7 +155,7 @@ void print_usage(void) #ifdef WITH_TLS printf(" [{--cafile file | --capath dir} [--cert file] [--key file]\n"); printf(" [--ciphers ciphers] [--insecure] [--tls-engine engine]\n"); - printf(" [--keyform keyform]]\n"); + printf(" [--keyform keyform] [--tls-engine-kpass-sha]]\n"); #ifdef WITH_TLS_PSK printf(" [--psk hex-key --psk-identity identity [--ciphers ciphers]]\n"); #endif @@ -221,6 +221,7 @@ void print_usage(void) printf(" remote host is the server you wish to connect to and so is insecure.\n"); printf(" Do not use this option in a production environment.\n"); printf(" --tls-engine : toggles the usage of a SSL engine device.\n"); + printf(" --tls-engine-kpass-sha : SHA1 of the key password to be used with the selected SSL engine.\n"); #ifdef WITH_TLS_PSK printf(" --psk : pre-shared-key in hexadecimal (no leading 0x) to enable TLS-PSK mode.\n"); printf(" --psk-identity : client identity string for TLS-PSK mode.\n"); diff --git a/lib/cpp/mosquittopp.cpp b/lib/cpp/mosquittopp.cpp index 2fcef663d2..345b9d97a1 100644 --- a/lib/cpp/mosquittopp.cpp +++ b/lib/cpp/mosquittopp.cpp @@ -376,4 +376,9 @@ int mosquittopp::tls_keyform_set(const char *keyform) return mosquitto_tls_keyform_set(m_mosq, keyform); } +int mosquittopp::tls_engine_kpass_sha_set(const char *kpass_sha) +{ + return mosquitto_tls_engine_kpass_sha_set(m_mosq, kpass_sha); +} + } diff --git a/lib/cpp/mosquittopp.h b/lib/cpp/mosquittopp.h index 961c3c92e0..b29ee94791 100644 --- a/lib/cpp/mosquittopp.h +++ b/lib/cpp/mosquittopp.h @@ -112,6 +112,7 @@ class mosqpp_EXPORT mosquittopp { int tls_psk_set(const char *psk, const char *identity, const char *ciphers=NULL); int tls_engine_set(const char *engine_id); int tls_keyform_set(const char *keyform); + int tls_engine_kpass_sha_set(const char *kpass_sha); int opts_set(enum mosq_opt_t option, void *value); int loop(int timeout=-1, int max_packets=1); diff --git a/lib/linker.version b/lib/linker.version index c330d4aafd..8178c7b482 100644 --- a/lib/linker.version +++ b/lib/linker.version @@ -92,4 +92,5 @@ MOSQ_1.5 { mosquitto_connect_with_flags_callback_set; mosquitto_tls_engine_set; mosquitto_tls_keyform_set; + mosquitto_tls_engine_kpass_sha_set; } MOSQ_1.4; diff --git a/lib/mosquitto.h b/lib/mosquitto.h index aad1877628..d540074071 100644 --- a/lib/mosquitto.h +++ b/lib/mosquitto.h @@ -1168,6 +1168,27 @@ libmosq_EXPORT int mosquitto_tls_engine_set(struct mosquitto *mosq, const char * */ libmosq_EXPORT int mosquitto_tls_keyform_set(struct mosquitto *mosq, const char *keyform); +/* + * Function: mosquitto_tls_engine_kpass_sha_set + * + * Some SSL engines may require the usage of a password in order to being + * accessed, like the TPM engine. This function allows a SHA1 hash of the + * password to be passed on to the engine directly. + * Must be called before . + * + * Parameters: + * mosq - a valid mosquitto instance. + * kpass_sha - SHA1 of the private key password. + * + * Returns: + * MOSQ_ERR_SUCCESS - on success. + * MOSQ_ERR_INVAL - if the input parameters were invalid. + * + * See Also: + * + */ +libmosq_EXPORT int mosquitto_tls_engine_kpass_sha_set(struct mosquitto *mosq, const char *kpass_sha); + /* * Function: mosquitto_connect_callback_set * diff --git a/lib/mosquitto_internal.h b/lib/mosquitto_internal.h index 21dda9eee2..ada384f48e 100644 --- a/lib/mosquitto_internal.h +++ b/lib/mosquitto_internal.h @@ -197,6 +197,7 @@ struct mosquitto { bool tls_insecure; bool ssl_ctx_defaults; char *tls_engine; + char *tls_engine_kpass_sha; enum _mosquitto_keyform tls_keyform; #endif bool want_write; diff --git a/lib/net_mosq.c b/lib/net_mosq.c index 0fce346ea6..bc3b68dd0f 100644 --- a/lib/net_mosq.c +++ b/lib/net_mosq.c @@ -617,6 +617,24 @@ static int net__init_ssl_ctx(struct mosquitto *mosq) } if(mosq->tls_keyfile){ if(mosq->tls_keyform == mosq_k_engine){ + UI_METHOD *ui_method = net__get_ui_method(); + if(mosq->tls_engine_kpass_sha){ + if(!ENGINE_ctrl_cmd(engine, ENGINE_SECRET_MODE, ENGINE_SECRET_MODE_SHA, NULL, NULL, 0)){ + log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to set engine secret mode sha"); + ENGINE_FINISH(engine); + COMPAT_CLOSE(mosq->sock); + net__print_ssl_error(mosq); + return MOSQ_ERR_TLS; + } + if(!ENGINE_ctrl_cmd(engine, ENGINE_PIN, 0, mosq->tls_engine_kpass_sha, NULL, 0)){ + log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to set engine pin"); + ENGINE_FINISH(engine); + COMPAT_CLOSE(mosq->sock); + net__print_ssl_error(mosq); + return MOSQ_ERR_TLS; + } + ui_method = NULL; + } EVP_PKEY *pkey = ENGINE_load_private_key(engine, mosq->tls_keyfile, ui_method, NULL); if(!pkey){ log__printf(mosq, MOSQ_LOG_ERR, "Error: Unable to load engine private key file \"%s\".", mosq->tls_keyfile); diff --git a/lib/net_mosq.h b/lib/net_mosq.h index 5bb5cefa6d..fe58749827 100644 --- a/lib/net_mosq.h +++ b/lib/net_mosq.h @@ -73,6 +73,9 @@ int net__socket_apply_tls(struct mosquitto *mosq); int net__socket_connect_tls(struct mosquitto *mosq); UI_METHOD *net__get_ui_method(void); #define ENGINE_FINISH(e) if(e) ENGINE_finish(e) +#define ENGINE_SECRET_MODE "SECRET_MODE" +#define ENGINE_SECRET_MODE_SHA 0x1000 +#define ENGINE_PIN "PIN" #endif #endif diff --git a/lib/options.c b/lib/options.c index 7ed2a95ac6..a5c9d796aa 100644 --- a/lib/options.c +++ b/lib/options.c @@ -257,6 +257,20 @@ int mosquitto_tls_keyform_set(struct mosquitto *mosq, const char *keyform) } +int mosquitto_tls_engine_kpass_sha_set(struct mosquitto *mosq, const char *kpass_sha) +{ +#ifdef WITH_TLS + if(!mosq) return MOSQ_ERR_INVAL; + char *kpass_sha_bin = NULL; + if(mosquitto__hex2bin_sha1(kpass_sha, (unsigned char**)&kpass_sha_bin) != MOSQ_ERR_SUCCESS) return MOSQ_ERR_INVAL; + mosq->tls_engine_kpass_sha = kpass_sha_bin; + return MOSQ_ERR_SUCCESS; +#else + return MOSQ_ERR_NOT_SUPPORTED; +#endif +} + + int mosquitto_tls_psk_set(struct mosquitto *mosq, const char *psk, const char *identity, const char *ciphers) { #ifdef WITH_TLS_PSK diff --git a/lib/util_mosq.c b/lib/util_mosq.c index b85b95cefc..3d0eec58c3 100644 --- a/lib/util_mosq.c +++ b/lib/util_mosq.c @@ -344,7 +344,22 @@ int mosquitto_topic_matches_sub2(const char *sub, size_t sublen, const char *top return MOSQ_ERR_SUCCESS; } -#ifdef WITH_TLS_PSK +#ifdef WITH_TLS +int mosquitto__hex2bin_sha1(const char *hex, unsigned char **bin) +{ + unsigned char *sha, tmp[SHA_DIGEST_LENGTH]; + + if(mosquitto__hex2bin(hex, tmp, SHA_DIGEST_LENGTH) != SHA_DIGEST_LENGTH) + return MOSQ_ERR_INVAL; + + sha = mosquitto__malloc(SHA_DIGEST_LENGTH); + memcpy(sha, tmp, SHA_DIGEST_LENGTH); + *bin = sha; + return MOSQ_ERR_SUCCESS; +} +#endif + +#if defined(WITH_TLS_PSK) || defined(WITH_TLS) int mosquitto__hex2bin(const char *hex, unsigned char *bin, int bin_max_len) { BIGNUM *bn = NULL; diff --git a/lib/util_mosq.h b/lib/util_mosq.h index 0e65dd9889..bec6a2ec91 100644 --- a/lib/util_mosq.h +++ b/lib/util_mosq.h @@ -33,7 +33,11 @@ void mosquitto__check_keepalive(struct mosquitto *mosq); uint16_t mosquitto__mid_generate(struct mosquitto *mosq); FILE *mosquitto__fopen(const char *path, const char *mode, bool restrict_read); -#ifdef WITH_TLS_PSK +#ifdef WITH_TLS +int mosquitto__hex2bin_sha1(const char *hex, unsigned char **bin); +#endif + +#if defined(WITH_TLS_PSK) || defined(WITH_TLS) int mosquitto__hex2bin(const char *hex, unsigned char *bin, int bin_max_len); #endif diff --git a/man/mosquitto.conf.5.xml b/man/mosquitto.conf.5.xml index b74b750b63..d7cbe9c5a1 100644 --- a/man/mosquitto.conf.5.xml +++ b/man/mosquitto.conf.5.xml @@ -888,6 +888,17 @@ it. If not specified, pem keys are assumed + + engine_kpass_sha + + SHA1 of private key password when using an SSL engine. + Some SSL engines may require the usage of a password + in order to being accessed, like the TPM engine. Instead + of being prompted for the password, this option allows + a SHA1 hash of the password to be passed on to the + engine directly, without user interaction. + + file path diff --git a/man/mosquitto_pub.1.xml b/man/mosquitto_pub.1.xml index d2ed0771f2..9504c26427 100644 --- a/man/mosquitto_pub.1.xml +++ b/man/mosquitto_pub.1.xml @@ -68,6 +68,7 @@ pem engine + kpass-sha @@ -204,6 +205,18 @@ See also . + + + + SHA1 of private key password when using an SSL engine. + Some SSL engines may require the usage of a password + in order to being accessed, like the TPM engine. Instead + of being prompted for the password, this option allows + a SHA1 hash of the password to be passed on to the + engine directly, without user interaction. + See also . + + diff --git a/man/mosquitto_sub.1.xml b/man/mosquitto_sub.1.xml index bcb2921bb0..a5fd8b0e65 100644 --- a/man/mosquitto_sub.1.xml +++ b/man/mosquitto_sub.1.xml @@ -74,6 +74,7 @@ pem engine + kpass-sha @@ -213,6 +214,18 @@ See also . + + + + SHA1 of private key password when using an SSL engine. + Some SSL engines may require the usage of a password + in order to being accessed, like the TPM engine. Instead + of being prompted for the password, this option allows + a SHA1 hash of the password to be passed on to the + engine directly, without user interaction. + See also . + + diff --git a/src/conf.c b/src/conf.c index 5bfdfa0254..c5420b996e 100644 --- a/src/conf.c +++ b/src/conf.c @@ -299,6 +299,7 @@ void config__cleanup(struct mosquitto__config *config) mosquitto__free(config->listeners[i].crlfile); mosquitto__free(config->listeners[i].tls_version); mosquitto__free(config->listeners[i].tls_engine); + mosquitto__free(config->listeners[i].tls_engine_kpass_sha); #ifdef WITH_WEBSOCKETS if(!config->listeners[i].ws_context) /* libwebsockets frees its own SSL_CTX */ #endif @@ -436,6 +437,7 @@ int config__parse_args(struct mosquitto_db *db, struct mosquitto__config *config || config->default_listener.keyfile || config->default_listener.tls_engine || config->default_listener.tls_keyform != mosq_k_pem + || config->default_listener.tls_engine_kpass_sha || config->default_listener.ciphers || config->default_listener.psk_hint || config->default_listener.require_certificate @@ -488,6 +490,7 @@ int config__parse_args(struct mosquitto_db *db, struct mosquitto__config *config config->listeners[config->listener_count-1].tls_version = config->default_listener.tls_version; config->listeners[config->listener_count-1].tls_engine = config->default_listener.tls_engine; config->listeners[config->listener_count-1].tls_keyform = config->default_listener.tls_keyform; + config->listeners[config->listener_count-1].tls_engine_kpass_sha = config->default_listener.tls_engine_kpass_sha; config->listeners[config->listener_count-1].cafile = config->default_listener.cafile; config->listeners[config->listener_count-1].capath = config->default_listener.capath; config->listeners[config->listener_count-1].certfile = config->default_listener.certfile; @@ -1099,6 +1102,20 @@ int config__read_file_core(struct mosquitto__config *config, bool reload, struct mosquitto__free(keyform); #else log__printf(NULL, MOSQ_LOG_WARNING, "Warning: TLS support not available."); +#endif + }else if(!strcmp(token, "tls_engine_kpass_sha")){ +#ifdef WITH_TLS + if(reload) continue; // Listeners not valid for reloading. + char *kpass_sha = NULL, *kpass_sha_bin = NULL; + if(conf__parse_string(&token, "tls_engine_kpass_sha", &kpass_sha, saveptr)) return MOSQ_ERR_INVAL; + if(mosquitto__hex2bin_sha1(kpass_sha, (unsigned char**)&kpass_sha_bin) != MOSQ_ERR_SUCCESS){ + mosquitto__free(kpass_sha); + return MOSQ_ERR_INVAL; + } + cur_listener->tls_engine_kpass_sha = kpass_sha_bin; + mosquitto__free(kpass_sha); +#else + log__printf(NULL, MOSQ_LOG_WARNING, "Warning: TLS support not available."); #endif }else if(!strcmp(token, "ciphers")){ #ifdef WITH_TLS diff --git a/src/mosquitto_broker_internal.h b/src/mosquitto_broker_internal.h index 0ec34efe15..310c429f69 100644 --- a/src/mosquitto_broker_internal.h +++ b/src/mosquitto_broker_internal.h @@ -223,6 +223,7 @@ struct mosquitto__listener { char *keyfile; char *tls_engine; enum _mosquitto_keyform tls_keyform; + char *tls_engine_kpass_sha; char *ciphers; char *psk_hint; SSL_CTX *ssl_ctx; diff --git a/src/net.c b/src/net.c index 82ff54f7f3..f7466a46fe 100644 --- a/src/net.c +++ b/src/net.c @@ -461,7 +461,23 @@ int net__socket_listen(struct mosquitto__listener *listener) return 1; } if(listener->tls_keyform == mosq_k_engine){ - EVP_PKEY *pkey = ENGINE_load_private_key(engine, listener->keyfile, net__get_ui_method(), NULL); + UI_METHOD *ui_method = net__get_ui_method(); + if(listener->tls_engine_kpass_sha){ + if(!ENGINE_ctrl_cmd(engine, ENGINE_SECRET_MODE, ENGINE_SECRET_MODE_SHA, NULL, NULL, 0)){ + log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to set engine secret mode sha"); + COMPAT_CLOSE(sock); + ENGINE_FINISH(engine); + return 1; + } + if(!ENGINE_ctrl_cmd(engine, ENGINE_PIN, 0, listener->tls_engine_kpass_sha, NULL, 0)){ + log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to set engine pin"); + COMPAT_CLOSE(sock); + ENGINE_FINISH(engine); + return 1; + } + ui_method = NULL; + } + EVP_PKEY *pkey = ENGINE_load_private_key(engine, listener->keyfile, ui_method, NULL); if(!pkey){ log__printf(NULL, MOSQ_LOG_ERR, "Error: Unable to load engine private key file \"%s\".", listener->keyfile); COMPAT_CLOSE(sock);