From patchwork Thu Nov 18 14:55:48 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lev Stipakov X-Patchwork-Id: 2086 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director7.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id lPWvEZlBnWF9VgAAIUCqbw (envelope-from ) for ; Tue, 23 Nov 2021 14:31:37 -0500 Received: from proxy4.mail.ord1d.rsapps.net ([172.30.191.6]) by director7.mail.ord1d.rsapps.net with LMTP id QDL/EJlBnWHzXwAAovjBpQ (envelope-from ) for ; Tue, 23 Nov 2021 14:31:37 -0500 Received: from smtp17.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy4.mail.ord1d.rsapps.net with LMTPS id 6KbtD5lBnWHkSgAAiYrejw (envelope-from ) for ; Tue, 23 Nov 2021 14:31:37 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp17.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dkim=fail (signature verification failed) header.d=gmail.com; dmarc=fail (p=none; dis=none) header.from=gmail.com X-Suspicious-Flag: YES X-Classification-ID: f9065dca-4c93-11ec-935c-5254008de1cb-1-1 Received: from [216.105.38.7] ([216.105.38.7:36264] helo=lists.sourceforge.net) by smtp17.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 01/16-05173-8914D916; Tue, 23 Nov 2021 14:31:37 -0500 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1mpbV0-0003xB-MM; Tue, 23 Nov 2021 19:30:38 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1mpbUy-0003x5-Sk for openvpn-devel@lists.sourceforge.net; Tue, 23 Nov 2021 19:30:36 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:Cc: To:From:Sender:Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=kuqzbTNACrjJfArSVBToS8gLgD7giOSRCPEhmTDxKqA=; b=N6gpG5StoEYlWksQF84L+T69E0 0TaO+r5uRWJ8hEYjU7q+FOt5cJ3VBmRSOJAeWXS5yNpKlj3X1LSq8lEbAFicQ9sgwerqFjJBdyU8q dCO0u6HsdtGnL+hi4N3CkYB14p3aArrBwIQ1JkHtFUMKvZTf83CbdjBVTYSxL9BNxMAg=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=kuqzbTNACrjJfArSVBToS8gLgD7giOSRCPEhmTDxKqA=; b=jcfmD1aA3hh1l5i1Xwx29wAXSO CM06e2/QyWInJBWJ7u0dNbYYMI4XHqfHIXBlHGM8chwBK/zoE6L56YZGNrBeEB5D4rlkFxLgAD0Jx nH64BlKj+U6FzK1HOPCP9fDXhMsa43W3uKt/Uqr2Io0VI/m/1RSntTtA/n1cBMG/wQhw=; Received: from mail-lf1-f42.google.com ([209.85.167.42]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92.3) id 1mpbUv-0000ZU-40 for openvpn-devel@lists.sourceforge.net; Tue, 23 Nov 2021 19:30:36 +0000 Received: by mail-lf1-f42.google.com with SMTP id b1so656858lfs.13 for ; Tue, 23 Nov 2021 11:30:33 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=kuqzbTNACrjJfArSVBToS8gLgD7giOSRCPEhmTDxKqA=; b=gIGX9glGlmCcT1ERLtv0SUbJI4D2MKAOMXy7wANiUP1i6AoGOazwzkQqKSFx8kfLB/ S5qzU5t4Here59m7zuOuDJZ4q4S91DhMslhLZAYWpAzmp3u6W+E46p4zq3Gk60vJo4HF o32ZAB/FuLFV97J7QvxKPvS65pkNk0fvBhOi9TjvxTxRUxXm79tM8OkZ1DIVZaWeY/1T bN+8+EqLd5U0Q+jLi7KIsiQOkxhVxzl86roAcYz3sRKa8/pBI6jatc15xkFdfijukYgL OJ6RJSpdaI9CQRjfQUSDWh9qbw66ZSFv0MSnq7+PNKHui46/pGtHg4AmV6atrESEK8nR Pdhg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=kuqzbTNACrjJfArSVBToS8gLgD7giOSRCPEhmTDxKqA=; b=DZ879mu28oI0FsV+PLaaGjebXNjvybmkC0mHnJZ2gcImyDe5fblYSu563QlAVAKdqr JfjbwNxaV22bip7CsHSZhnrqBJdM4X2zUFFRy7kJPu5ZmMi+i6sVMK02WChOaFL/IPFd Z4b1d8juBsZ7YuWSWIg5yrpRjZCrHtqjLjnn3M0n5qjcCAdLFH7Koff+jX9s4uDCr6s6 3hoqrQ5zNpuQuYJKmVhgU7ZZK01qV8rEIecQ2HkdkdV7jWYZOnXmez81ExlhFK42hexp tgjlEhEeGLdVV4ACBoiDm+9KsQpivlZwvt/tKop+1diZGvx0/kGro/SWIRDRdT5IlFZg ks8Q== X-Gm-Message-State: AOAM5305EkSf39kLHFjXDxegKPXtgWLqtFYNR/BOeJKlTJm0YS4fd6td SZv+7RCv7rRF9Y4LA8loILmvrF8XbWc= X-Google-Smtp-Source: ABdhPJxjRGEGsqw8E5eMmGs1FfbzsxEF2I6dkkxSh55sOjdnVr0kfoRb3pnsa54PRcsqCe9dTlfQEA== X-Received: by 2002:ac2:4116:: with SMTP id b22mr7919066lfi.587.1637695826247; Tue, 23 Nov 2021 11:30:26 -0800 (PST) Received: from LAPTOP-4L3N7KFS.localdomain (81-175-157-115.bb.dnainternet.fi. [81.175.157.115]) by smtp.gmail.com with ESMTPSA id b10sm38695lfj.230.2021.11.23.11.30.25 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 23 Nov 2021 11:30:25 -0800 (PST) From: Lev Stipakov To: openvpn-devel@lists.sourceforge.net Date: Fri, 19 Nov 2021 03:55:48 +0200 Message-Id: <20211119015548.687-1-lstipakov@gmail.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: References: X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Lev Stipakov Commits - 92535b6 ("contrib/vcpkg-ports: add openssl port with --no-autoload-config option set (CVE-2121-3606)") - 447cfb4 ("crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606)") Content analysis details: (1.9 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 2.1 DATE_IN_PAST_96_XX Date: is 96 hours or more before Received: date 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider [lstipakov[at]gmail.com] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.167.42 listed in wl.mailspike.net] -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.167.42 listed in list.dnswl.org] -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain X-Headers-End: 1mpbUv-0000ZU-40 Subject: [Openvpn-devel] [PATCH v4] Load OpenSSL config on Windows from trusted location X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Lev Stipakov MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox From: Lev Stipakov Commits - 92535b6 ("contrib/vcpkg-ports: add openssl port with --no-autoload-config option set (CVE-2121-3606)") - 447cfb4 ("crypto_openssl.c: disable explicit initialization on Windows (CVE-2121-3606)") disabled OpenSSL config loading functionality, which could be exploited by loading config from untrusted locations. This feature might be useful for some users. This brings it back and sets OpenSSL enviroment variables OPENSSL_CONF, OPENSSL_ENGINES, OPENSSL_MODULES which are used to load config, engines and modules, to a trusted location. The location is constructed based on installation path, read from registry on startup. If installation path cannot be read, Windows\System32 is used as a fallback. While on it, remove unused "bool impersonate_as_system();" declaration. Signed-off-by: Lev Stipakov Acked-by: Selva Nair Signed-off-by: Lev Stipakov <lev@openvpn.net>
--- v4: - make set_openssl_env_vars() code more succint - use security-enhanced _wputenv_s/_wgetenv_s v3: - do not assume that installation path ends with directory separator - set enviroment variables only if they're not already set - bring back explicit initialization on Windows (might be needed on some cases) - slightly revamp commit message v2: - add missing "static" modifier to set_openssl_env_vars() declaration spotted by gcc .../vcpkg-triplets/arm64-windows-ovpn.cmake | 2 - contrib/vcpkg-triplets/x64-windows-ovpn.cmake | 2 - contrib/vcpkg-triplets/x86-windows-ovpn.cmake | 2 - src/openvpn/buffer.c | 23 ----- src/openvpn/crypto_openssl.c | 2 - src/openvpn/win32.c | 88 +++++++++++++++++++ src/openvpn/win32.h | 8 +- 7 files changed, 95 insertions(+), 32 deletions(-) diff --git a/contrib/vcpkg-triplets/arm64-windows-ovpn.cmake b/contrib/vcpkg-triplets/arm64-windows-ovpn.cmake index 89f6a279..dd3c6c0a 100644 --- a/contrib/vcpkg-triplets/arm64-windows-ovpn.cmake +++ b/contrib/vcpkg-triplets/arm64-windows-ovpn.cmake @@ -5,5 +5,3 @@ set(VCPKG_LIBRARY_LINKAGE dynamic) if(PORT STREQUAL "lz4") set(VCPKG_LIBRARY_LINKAGE static) endif() - -set(OPENSSL_NO_AUTOLOAD_CONFIG ON) diff --git a/contrib/vcpkg-triplets/x64-windows-ovpn.cmake b/contrib/vcpkg-triplets/x64-windows-ovpn.cmake index d860eed6..7036ed2d 100644 --- a/contrib/vcpkg-triplets/x64-windows-ovpn.cmake +++ b/contrib/vcpkg-triplets/x64-windows-ovpn.cmake @@ -5,5 +5,3 @@ set(VCPKG_LIBRARY_LINKAGE dynamic) if(PORT STREQUAL "lz4") set(VCPKG_LIBRARY_LINKAGE static) endif() - -set(OPENSSL_NO_AUTOLOAD_CONFIG ON) diff --git a/contrib/vcpkg-triplets/x86-windows-ovpn.cmake b/contrib/vcpkg-triplets/x86-windows-ovpn.cmake index c1ea6ef3..7d3bf340 100644 --- a/contrib/vcpkg-triplets/x86-windows-ovpn.cmake +++ b/contrib/vcpkg-triplets/x86-windows-ovpn.cmake @@ -5,5 +5,3 @@ set(VCPKG_LIBRARY_LINKAGE dynamic) if(PORT STREQUAL "lz4") set(VCPKG_LIBRARY_LINKAGE static) endif() - -set(OPENSSL_NO_AUTOLOAD_CONFIG ON) diff --git a/src/openvpn/buffer.c b/src/openvpn/buffer.c index c82d3d4d..54e758af 100644 --- a/src/openvpn/buffer.c +++ b/src/openvpn/buffer.c @@ -310,29 +310,6 @@ openvpn_snprintf(char *str, size_t size, const char *format, ...) return (len >= 0 && len < size); } -/* - * openvpn_swprintf() is currently only used by Windows code paths - * and when enabled for all platforms it will currently break older - * OpenBSD versions lacking vswprintf(3) support in their libc. - */ - -#ifdef _WIN32 -bool -openvpn_swprintf(wchar_t *const str, const size_t size, const wchar_t *const format, ...) -{ - va_list arglist; - int len = -1; - if (size > 0) - { - va_start(arglist, format); - len = vswprintf(str, size, format, arglist); - va_end(arglist); - str[size - 1] = L'\0'; - } - return (len >= 0 && len < size); -} -#endif - /* * write a string to the end of a buffer that was * truncated by buf_printf diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index c9dc9d0a..ef520928 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -154,13 +154,11 @@ crypto_init_lib_engine(const char *engine_name) void crypto_init_lib(void) { -#ifndef _WIN32 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL); #else OPENSSL_config(NULL); #endif -#endif /* _WIN32 */ /* * If you build the OpenSSL library and OpenVPN with * CRYPTO_MDEBUG, you will get a listing of OpenSSL diff --git a/src/openvpn/win32.c b/src/openvpn/win32.c index 6cff17b2..ee4d3f66 100644 --- a/src/openvpn/win32.c +++ b/src/openvpn/win32.c @@ -101,6 +101,12 @@ struct semaphore netcmd_semaphore; /* GLOBAL */ */ static char *win_sys_path = NULL; /* GLOBAL */ +/** + * Set OpenSSL environment variables to a safe directory + */ +static void +set_openssl_env_vars(); + void init_win32(void) { @@ -110,6 +116,8 @@ init_win32(void) } window_title_clear(&window_title); win32_signal_clear(&win32_signal); + + set_openssl_env_vars(); } void @@ -1509,4 +1517,84 @@ send_msg_iservice(HANDLE pipe, const void *data, size_t size, return ret; } +bool +openvpn_swprintf(wchar_t* const str, const size_t size, const wchar_t* const format, ...) +{ + va_list arglist; + int len = -1; + if (size > 0) + { + va_start(arglist, format); + len = vswprintf(str, size, format, arglist); + va_end(arglist); + str[size - 1] = L'\0'; + } + return (len >= 0 && len < size); +} + +static BOOL +get_install_path(WCHAR *path, DWORD size) +{ + WCHAR reg_path[256]; + HKEY key; + BOOL res = FALSE; + openvpn_swprintf(reg_path, _countof(reg_path), L"SOFTWARE\\" PACKAGE_NAME); + + LONG status = RegOpenKeyExW(HKEY_LOCAL_MACHINE, reg_path, 0, KEY_READ, &key); + if (status != ERROR_SUCCESS) + { + return res; + } + + /* The default value of REG_KEY is the install path */ + status = RegGetValueW(key, NULL, NULL, RRF_RT_REG_SZ, NULL, (LPBYTE)path, &size); + res = status == ERROR_SUCCESS; + + RegCloseKey(key); + + return res; +} + +static void +set_openssl_env_vars() +{ + const WCHAR* ssl_fallback_dir = L"C:\\Windows\\System32"; + + WCHAR install_path[MAX_PATH] = { 0 }; + if (!get_install_path(install_path, _countof(install_path))) + { + /* if we cannot find installation path from the registry, + * use Windows directory as a fallback + */ + openvpn_swprintf(install_path, _countof(install_path), L"%ls", ssl_fallback_dir); + } + + if ((install_path[wcslen(install_path) - 1]) == L'\\') + { + install_path[wcslen(install_path) - 1] = L'\0'; + } + + static struct { + WCHAR* name; + WCHAR* value; + } ossl_env[] = { + {L"OPENSSL_CONF", L"openssl.cnf"}, + {L"OPENSSL_ENGINES", L"engines"}, + {L"OPENSSL_MODULES", L"modules"} + }; + + for (size_t i = 0; i < SIZE(ossl_env); ++i) + { + size_t size = 0; + + _wgetenv_s(&size, NULL, 0, ossl_env[i].name); + if (size == 0) + { + WCHAR val[MAX_PATH] = {0}; + openvpn_swprintf(val, _countof(val), L"%ls\\ssl\\%ls", install_path, ossl_env[i].value); + _wputenv_s(ossl_env[i].name, val); + } + } +} + #endif /* ifdef _WIN32 */ diff --git a/src/openvpn/win32.h b/src/openvpn/win32.h index 5d3371a0..4a992d91 100644 --- a/src/openvpn/win32.h +++ b/src/openvpn/win32.h @@ -327,7 +327,13 @@ bool send_msg_iservice(HANDLE pipe, const void *data, size_t size, int openvpn_execve(const struct argv *a, const struct env_set *es, const unsigned int flags); -bool impersonate_as_system(); +/* + * openvpn_swprintf() is currently only used by Windows code paths + * and when enabled for all platforms it will currently break older + * OpenBSD versions lacking vswprintf(3) support in their libc. + */ +bool +openvpn_swprintf(wchar_t* const str, const size_t size, const wchar_t* const format, ...); #endif /* ifndef OPENVPN_WIN32_H */ #endif /* ifdef _WIN32 */