From patchwork Fri Apr 2 00:24:03 2021
X-Patchwork-Submitter: Maximilian Fillinger
X-Patchwork-Id: 1701
From: Max Fillinger
Date: Fri, 2 Apr 2021 13:24:03 +0200
In-Reply-To: <20210402112403.6873-1-maximilian.fillinger@foxcrypto.com>
References: <20210402112403.6873-1-maximilian.fillinger@foxcrypto.com>
Subject: [Openvpn-devel] [PATCH 1/1] Let mbedtls_ssl_configs find reloaded CRLs
Cc: Maximilian Fillinger
From: Maximilian Fillinger If the CRL file cannot be read during initialization, a NULL pointer is passed to the mbedtls_ssl_config in key_state_ssl_init(). Then, if the CRL file is successfully read later, the config won't have a pointer to it. Therefore, the CRL won't actually take effect. This commit fixes the bug by creating an empty CRL if crl-verify is in the config, but the file cannot be read during initialization. That way, we can always give the mbedtls_ssl_config struct a pointer to the location where the CRL will be if it is successfully read later. This commit also fixes an additional issue: When a CRL file is present but cannot be parsed, OpenVPN rejects all incoming connections. When the CRL file cannot be stat'ed, OpenVPN keeps using the previous CRL. This commit makes it so that OpenVPN rejects connections in both situations. --- src/openvpn/ssl.c | 11 +++++++++++ src/openvpn/ssl_mbedtls.c | 13 +++++++++++++ src/openvpn/ssl_mbedtls.h | 3 +++ 3 files changed, 27 insertions(+) diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 08222b5e..f20771d7 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -559,6 +559,17 @@ tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, else if (platform_stat(crl_file, &crl_stat) < 0) { msg(M_WARN, "WARNING: Failed to stat CRL file, not (re)loading CRL."); + +#ifdef ENABLE_CRYPTO_MBEDTLS + /* Store an empty CRL in ssl_ctx. This is so that we can give the + * mbedtls_ssl_configs in the key_states a pointer to the location where + * the CRL will be if we successfully reload the file later. + * + * Storing an empty CRL also causes all connection attempts to be rejected + * until an actual CRL is loaded. */ + make_empty_crl(ssl_ctx); +#endif + return; } diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 4626e983..5d7af351 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c 
@@ -1044,6 +1044,19 @@ err: } void +make_empty_crl(struct tls_root_ctx *ctx) +{ + if (ctx->crl == NULL) + { + ALLOC_OBJ_CLEAR(ctx->crl, mbedtls_x509_crl); + } + else + { + mbedtls_x509_crl_free(ctx->crl); + } +} + +void key_state_ssl_init(struct key_state_ssl *ks_ssl, const struct tls_root_ctx *ssl_ctx, bool is_server, struct tls_session *session) diff --git a/src/openvpn/ssl_mbedtls.h b/src/openvpn/ssl_mbedtls.h index ff64e17c..579e3c8e 100644 --- a/src/openvpn/ssl_mbedtls.h +++ b/src/openvpn/ssl_mbedtls.h @@ -144,4 +144,7 @@ int tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx, external_sign_func sign_func, void *sign_ctx); +void make_empty_crl(struct tls_root_ctx *); + + #endif /* SSL_MBEDTLS_H_ */
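Review bot: in the ssl.c hunk, the warning text in the platform_stat failure branch of tls_ctx_reload_crl no longer matches what the branch does. Before this change the branch was a no-op ("not (re)loading CRL", the previous CRL stayed in use); with the added make_empty_crl(ssl_ctx) call the previous CRL is discarded and, per the new comment, every connection attempt is rejected until a reload succeeds. Please reword it, e.g. "WARNING: Failed to stat CRL file, rejecting all connections until the CRL can be reloaded.", and consider whether M_WARN is still the right severity. Two further points: this hunk only covers the stat failure, while the commit message says the empty CRL must exist whenever the file "cannot be read during initialization", so please confirm that the other early-return paths of tls_ctx_reload_crl also leave ssl_ctx->crl non-NULL, otherwise key_state_ssl_init will still hand a NULL pointer to the mbedtls_ssl_config; and the comment's claim that an empty CRL causes all connections to be rejected is not visible anywhere in this patch, so a pointer to the verification code that rejects on an empty CRL would help reviewers check it.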
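Review bot: in the ssl_mbedtls.c hunk, make_empty_crl relies on mbedtls_x509_crl_free() leaving *ctx->crl in the same state as ALLOC_OBJ_CLEAR produces, i.e. a zeroed struct that is still a valid empty CRL to keep referenced from the key states and safe to free again later. That assumption deserves a comment, and calling mbedtls_x509_crl_init(ctx->crl) after the free in the else branch makes the intent explicit rather than depending on what the free routine happens to do. The function also has no doc comment, and its name carries no prefix, unlike its neighbours in this file (key_state_ssl_init, tls_ctx_use_external_signing_func); something like tls_ctx_make_empty_crl would be consistent.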
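Review bot: in the ssl_mbedtls.h hunk, the new prototype `void make_empty_crl(struct tls_root_ctx *);` omits the parameter name and has no doc comment, whereas the preceding declaration of tls_ctx_use_external_signing_func names every parameter. Naming it `ctx` and adding a short comment stating that the function allocates or empties ctx->crl so that the pointer stays valid across CRL reloads would document the contract. The hunk also adds two blank lines before `#endif /* SSL_MBEDTLS_H_ */` where one is enough.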