From patchwork Thu Nov 18 13:53:06 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lev Stipakov X-Patchwork-Id: 2085 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director13.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id SAX+LOEynWEFPgAAIUCqbw (envelope-from ) for ; Tue, 23 Nov 2021 13:28:49 -0500 Received: from proxy8.mail.ord1d.rsapps.net ([172.30.191.6]) by director13.mail.ord1d.rsapps.net with LMTP id kG6sLOEynWH1WQAA91zNiA (envelope-from ) for ; Tue, 23 Nov 2021 13:28:49 -0500 Received: from smtp24.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy8.mail.ord1d.rsapps.net with LMTPS id WBZbLOEynWHvIAAAGdz6CA (envelope-from ) for ; Tue, 23 Nov 2021 13:28:49 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp24.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=gmail.com; dmarc=fail (p=none; dis=none) header.from=gmail.com X-Suspicious-Flag: YES X-Classification-ID: 3362487a-4c8b-11ec-8875-52540091a1c4-1-1 Received: from [216.105.38.7] ([216.105.38.7:55800] helo=lists.sourceforge.net) by smtp24.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 31/5B-07799-1E23D916; Tue, 23 Nov 2021 13:28:49 -0500 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1mpaWM-0003FG-H1; Tue, 23 Nov 2021 18:27:59 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1mpaWL-0003FA-H8 for openvpn-devel@lists.sourceforge.net; Tue, 23 Nov 2021 18:27:58 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:Cc: To:From:Sender:Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=tL1V1FNB3ddWQ9Lg9hGoAKwYHnKZ14PL77bQkhmDICw=; b=C4XFAZbXjwsH0FXbBpJ+Ti53xj aUBAmJqRE/flHo0QtzNtoBBKrpFBUUP0+Fr8BMH3Cuoa2/OzUHzv0G54SUj3GfM3OTuAdTxGuCCM0 MK14k3dDhoTv6JgdwmC6Z3aFgGJtSN3k22wvvsp2oV3PRn3bYL/rSbmF+uau/loQx/o8=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=tL1V1FNB3ddWQ9Lg9hGoAKwYHnKZ14PL77bQkhmDICw=; b=V+GlEJ8CCHYsSqUKKEzSZjmKUu lGf+j0NMjI9NboEGX7cAeZ62L/JK52EZlCb8EpYAb9esGZ57wPF0I/tletmO1oNiz0FjnLcppCsIm TjBUw9STI0n5STpMczSgpt7OOUdg0XJPBjvFA+XYKEcLm4dSECl0BGiNoltVgA58xocw=; Received: from mail-lj1-f181.google.com ([209.85.208.181]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92.3) id 1mpaWL-006PjI-Qh for openvpn-devel@lists.sourceforge.net; Tue, 23 Nov 2021 18:27:58 +0000 Received: by mail-lj1-f181.google.com with SMTP id k2so19558lji.4 for ; Tue, 23 Nov 2021 10:27:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=tL1V1FNB3ddWQ9Lg9hGoAKwYHnKZ14PL77bQkhmDICw=; b=qUTtSc46yWRObiSpKh5hFhETzDlVqol/KpbzYxZUoBP5fRRzwp+YY4BJYsuonVx3A/ Wd4JfIgiqC4HChQEUkxW+zKGrsTdKa2LQQFDztGwoRbQwKTVFtN2ui/tGiw2p2ml+mcX AOI68gbaMtzETrmdl70PV0YAmtjRzJMe0ZBGLDfNGMhynlnbxgvvEg6SJfoZYkfYHpU7 hUIIPyShdKwuRRcfon4AfBLsFqqjiEiwJnMbfyiiLved/4MkqKj4YCX4fhD2bExJY0Wa bqee9zRlHqFo+BLse7eBwF8lC567K9ECZ8Wpcdpv4jQRqRgL9Rb5yAa+MpGWS7bD4Bw8 XNLQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=tL1V1FNB3ddWQ9Lg9hGoAKwYHnKZ14PL77bQkhmDICw=; b=NwwY/lEvxfz1lHvWmTjAltY6i443l5d3+lcD9M2JhaHmVV6pevlCsIGUterHmbvDhV 4tDlqajyzmd7mL1Eo0emjWa/XfEpRM+qy757dR/RHapXOeR1or1DWpCGM5irDmFiN5eD 64aLIVtVGlinRzeFPhQ814rJ9a7Ow5avLJe8Gx4zQI6h+pwk5PDkFt5kczb1GLCRy9N0 NIV5VRWEj4vricFoKnmKN+g++l9P2K2Iq0CJYRnuhSO1fYMZGH5XOudBpjGhtZfI5miH tGJs/uLdXMKe4qEXelfMWtc2o6pusgUmR0/4KN/HbH2ONe5nqN8sRE5G73fOUFnCUWZd NBXg== X-Gm-Message-State: AOAM531MUOCsJyiBUROtXt0HbbDSSCqksNE/InsexaOop88mDCsspcku E570b5RhHRkNpln8FdLWEp1y+7q7BNI= X-Google-Smtp-Source: ABdhPJy7eyWB6UAt9nL4b0qV5SlqGVMAK9vO1X8bChILqwCn7I+ERetdQ1axaKedJP4CgrXcFJCjWQ== X-Received: by 2002:a05:651c:a11:: with SMTP id k17mr7726574ljq.243.1637692070842; Tue, 23 Nov 2021 10:27:50 -0800 (PST) Received: from LAPTOP-4L3N7KFS.localdomain (81-175-157-115.bb.dnainternet.fi. [81.175.157.115]) by smtp.gmail.com with ESMTPSA id t12sm1365318ljh.78.2021.11.23.10.27.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Nov 2021 10:27:50 -0800 (PST) From: Lev Stipakov To: openvpn-devel@lists.sourceforge.net Date: Fri, 19 Nov 2021 02:53:06 +0200 Message-Id: <20211119005306.624-1-lstipakov@gmail.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: References: X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Lev Stipakov Commits - 92535b6 ("contrib/vcpkg-ports: add openssl port with --no-autoload-config option set (CVE-2121-3606)") - 447cfb4 ("crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606)") Content analysis details: (1.9 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 2.1 DATE_IN_PAST_96_XX Date: is 96 hours or more before Received: date 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [lstipakov[at]gmail.com] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.208.181 listed in list.dnswl.org] -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.208.181 listed in wl.mailspike.net] -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain X-Headers-End: 1mpaWL-006PjI-Qh Subject: [Openvpn-devel] [PATCH v3] Load OpenSSL config on Windows from trusted location X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Lev Stipakov MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox From: Lev Stipakov Commits - 92535b6 ("contrib/vcpkg-ports: add openssl port with --no-autoload-config option set (CVE-2121-3606)") - 447cfb4 ("crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606)") disabled OpenSSL config loading functionality, which could be exploited by loading config from untrusted locations. However, ability to load config might be useful for some users. This brings config loading back and sets OpenSSL enviroment variables OPENSSL_CONF, OPENSSL_ENGINES, OPENSSL_MODULES which are used to load config, engines and modules, to a trusted location. The location is constructed based on installation path, read from registry on startup. If installation path cannot be read, Windows\System32 is used as a fallback. While on it, remove unused "bool impersonate_as_system();" declaration. Signed-off-by: Lev Stipakov --- v3: - do not assume that installation path ends with directory separator - set enviroment variables only if they're not already set - bring back explicit initialization on Windows (might be needed on some cases) - slightly revamp commit message v2: - add missing "static" modifier to set_openssl_env_vars() declaration spotted by gcc .../vcpkg-triplets/arm64-windows-ovpn.cmake | 2 - contrib/vcpkg-triplets/x64-windows-ovpn.cmake | 2 - contrib/vcpkg-triplets/x86-windows-ovpn.cmake | 2 - src/openvpn/buffer.c | 23 ----- src/openvpn/crypto_openssl.c | 2 - src/openvpn/win32.c | 92 +++++++++++++++++++ src/openvpn/win32.h | 8 +- 7 files changed, 99 insertions(+), 32 deletions(-) diff --git a/contrib/vcpkg-triplets/arm64-windows-ovpn.cmake b/contrib/vcpkg-triplets/arm64-windows-ovpn.cmake index 89f6a279..dd3c6c0a 100644 --- a/contrib/vcpkg-triplets/arm64-windows-ovpn.cmake +++ b/contrib/vcpkg-triplets/arm64-windows-ovpn.cmake @@ -5,5 +5,3 @@ set(VCPKG_LIBRARY_LINKAGE dynamic) if(PORT STREQUAL "lz4") set(VCPKG_LIBRARY_LINKAGE static) endif() - -set(OPENSSL_NO_AUTOLOAD_CONFIG ON) diff --git a/contrib/vcpkg-triplets/x64-windows-ovpn.cmake b/contrib/vcpkg-triplets/x64-windows-ovpn.cmake index d860eed6..7036ed2d 100644 --- a/contrib/vcpkg-triplets/x64-windows-ovpn.cmake +++ b/contrib/vcpkg-triplets/x64-windows-ovpn.cmake @@ -5,5 +5,3 @@ set(VCPKG_LIBRARY_LINKAGE dynamic) if(PORT STREQUAL "lz4") set(VCPKG_LIBRARY_LINKAGE static) endif() - -set(OPENSSL_NO_AUTOLOAD_CONFIG ON) diff --git a/contrib/vcpkg-triplets/x86-windows-ovpn.cmake b/contrib/vcpkg-triplets/x86-windows-ovpn.cmake index c1ea6ef3..7d3bf340 100644 --- a/contrib/vcpkg-triplets/x86-windows-ovpn.cmake +++ b/contrib/vcpkg-triplets/x86-windows-ovpn.cmake @@ -5,5 +5,3 @@ set(VCPKG_LIBRARY_LINKAGE dynamic) if(PORT STREQUAL "lz4") set(VCPKG_LIBRARY_LINKAGE static) endif() - -set(OPENSSL_NO_AUTOLOAD_CONFIG ON) diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c index c82d3d4d..54e758af 100644 --- a/src/openvpn/buffer.c +++ b/src/openvpn/buffer.c @@ -310,29 +310,6 @@ openvpn_snprintf(char *str, size_t size, const char *format, ...) return (len >= 0 && len < size); } -/* - * openvpn_swprintf() is currently only used by Windows code paths - * and when enabled for all platforms it will currently break older - * OpenBSD versions lacking vswprintf(3) support in their libc. - */ - -#ifdef _WIN32 -bool -openvpn_swprintf(wchar_t *const str, const size_t size, const wchar_t *const format, ...) -{ - va_list arglist; - int len = -1; - if (size > 0) - { - va_start(arglist, format); - len = vswprintf(str, size, format, arglist); - va_end(arglist); - str[size - 1] = L'\0'; - } - return (len >= 0 && len < size); -} -#endif - /* * write a string to the end of a buffer that was * truncated by buf_printf diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index c9dc9d0a..ef520928 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -154,13 +154,11 @@ crypto_init_lib_engine(const char *engine_name) void crypto_init_lib(void) { -#ifndef _WIN32 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); #else OPENSSL_config(NULL); #endif -#endif /* _WIN32 */ /* * If you build the OpenSSL library and OpenVPN with * CRYPTO_MDEBUG, you will get a listing of OpenSSL diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c index 6cff17b2..ac7775e4 100644 --- a/src/openvpn/win32.c +++ b/src/openvpn/win32.c @@ -101,6 +101,12 @@ struct semaphore netcmd_semaphore; /* GLOBAL */ */ static char *win_sys_path = NULL; /* GLOBAL */ +/** + * Set OpenSSL environment variables to a safe directory + */ +static void +set_openssl_env_vars(); + void init_win32(void) { @@ -110,6 +116,8 @@ init_win32(void) } window_title_clear(&window_title); win32_signal_clear(&win32_signal); + + set_openssl_env_vars(); } void @@ -1509,4 +1517,88 @@ send_msg_iservice(HANDLE pipe, const void *data, size_t size, return ret; } +bool +openvpn_swprintf(wchar_t* const str, const size_t size, const wchar_t* const format, ...) +{ + va_list arglist; + int len = -1; + if (size > 0) + { + va_start(arglist, format); + len = vswprintf(str, size, format, arglist); + va_end(arglist); + str[size - 1] = L'\0'; + } + return (len >= 0 && len < size); +} + +static BOOL +get_install_path(WCHAR *path, DWORD size) +{ + WCHAR reg_path[256]; + HKEY key; + BOOL res = FALSE; + openvpn_swprintf(reg_path, _countof(reg_path), L"SOFTWARE\\" PACKAGE_NAME); + + LONG status = RegOpenKeyExW(HKEY_LOCAL_MACHINE, reg_path, 0, KEY_READ, &key); + if (status != ERROR_SUCCESS) + { + return res; + } + + /* The default value of REG_KEY is the install path */ + status = RegGetValueW(key, NULL, NULL, RRF_RT_REG_SZ, NULL, (LPBYTE)path, &size); + res = status == ERROR_SUCCESS; + + RegCloseKey(key); + + return res; +} + +static void +set_openssl_env_vars() +{ + const WCHAR* ssl_fallback_dir = L"C:\\Windows\\System32"; + + WCHAR install_path[MAX_PATH] = { 0 }; + if (!get_install_path(install_path, _countof(install_path))) + { + /* if we cannot find installation path from the registry, + * use Windows directory as a fallback + */ + openvpn_swprintf(install_path, _countof(install_path), L"%ls", ssl_fallback_dir); + } + + if ((install_path[wcslen(install_path) - 1]) == L'\\') + { + install_path[wcslen(install_path) - 1] = L'\0'; + } + + WCHAR openssl_cnf[MAX_PATH] = {0}; + WCHAR openssl_engines[MAX_PATH] = {0}; + WCHAR openssl_modules[MAX_PATH] = {0}; + + openvpn_swprintf(openssl_cnf, _countof(install_path), + L"OPENSSL_CONF=%ls\\ssl\\openssl.cnf", install_path); + openvpn_swprintf(openssl_engines, _countof(openssl_engines), + L"OPENSSL_ENGINES=%ls\\ssl\\engines", install_path); + openvpn_swprintf(openssl_modules, _countof(openssl_modules), + L"OPENSSL_MODULES=%ls\\ssl\\modules", install_path); + + if (_wgetenv(L"OPENSSL_CONF") == NULL) + { + _wputenv(openssl_cnf); + } + + if (_wgetenv(L"OPENSSL_ENGINES") == NULL) + { + _wputenv(openssl_engines); + } + + if (_wgetenv(L"OPENSSL_MODULES") == NULL) + { + _wputenv(openssl_modules); + } +} + #endif /* ifdef _WIN32 */ diff --git a/src/openvpn/win32.h b/src/openvpn/win32.h index 5d3371a0..4a992d91 100644 --- a/src/openvpn/win32.h +++ b/src/openvpn/win32.h @@ -327,7 +327,13 @@ bool send_msg_iservice(HANDLE pipe, const void *data, size_t size, int openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned int flags); -bool impersonate_as_system(); +/* + * openvpn_swprintf() is currently only used by Windows code paths + * and when enabled for all platforms it will currently break older + * OpenBSD versions lacking vswprintf(3) support in their libc. + */ +bool +openvpn_swprintf(wchar_t* const str, const size_t size, const wchar_t* const format, ...); #endif /* ifndef OPENVPN_WIN32_H */ #endif /* ifdef _WIN32 */