[Openvpn-devel] Refuse mbed TLS external key with non RSA certificates

Message ID 20181008214123.10819-1-arne@rfc2549.org
State Accepted, archived
Headers show
Series
  • [Openvpn-devel] Refuse mbed TLS external key with non RSA certificates
Related show

Commit Message

Arne Schwabe Oct. 8, 2018, 9:41 p.m.
The current API that we use (mbedtls_pk_setup_rsa_alt) only allows
using RSA keys with the external API. Using an EC, mbed TLS and external
key in OpenVPN will fail very late with a rather obscure error message.

Instead fail early and provide a clear message that only RSA keys are
supported.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/ssl_mbedtls.c | 7 +++++++
 1 file changed, 7 insertions(+)

Comments

Steffan Karger Oct. 9, 2018, 8:48 p.m. | #1
Hi,

On 08-10-18 23:41, Arne Schwabe wrote:
> The current API that we use (mbedtls_pk_setup_rsa_alt) only allows
> using RSA keys with the external API. Using an EC, mbed TLS and external
> key in OpenVPN will fail very late with a rather obscure error message.
> 
> Instead fail early and provide a clear message that only RSA keys are
> supported.
> 
> Signed-off-by: Arne Schwabe <arne@rfc2549.org>
> ---
>  src/openvpn/ssl_mbedtls.c | 7 +++++++
>  1 file changed, 7 insertions(+)
> 
> diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
> index 3e97a329..95061d6d 100644
> --- a/src/openvpn/ssl_mbedtls.c
> +++ b/src/openvpn/ssl_mbedtls.c
> @@ -604,6 +604,13 @@ tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx,
>          return 1;
>      }
>  
> +    if (mbedtls_pk_get_type(&ctx->crt_chain->pk) != MBEDTLS_PK_RSA)
> +    {
> +        msg (M_WARN, "ERROR: external key with mbed TLS requires a "
> +                     "certificate with an RSA key.");
> +        return 1;
> +    }
> +
>      ctx->external_key.signature_length = mbedtls_pk_get_len(&ctx->crt_chain->pk);
>      ctx->external_key.sign = sign_func;
>      ctx->external_key.sign_ctx = sign_ctx;
> 

There should be no space in "msg(", but other than that this makes sense
and looks good.

Acked-by: Steffan Karger <steffan@karger.me>

-Steffan
David Sommerseth Oct. 16, 2018, 8:38 p.m. | #2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Fixed coding style detail spotted by Steffan on-the-fly during commit.

Your patch has been applied to the master branch

commit b3c24842a807014c1663eed6f79e888d73182205
Author: Arne Schwabe
Date:   Mon Oct 8 23:41:23 2018 +0200

     Refuse mbed TLS external key with non RSA certificates

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Steffan Karger <steffan@karger.me>
     Message-Id: <20181008214123.10819-1-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg17671.html
     Signed-off-by: David Sommerseth <davids@openvpn.net>


- --
kind regards,

David Sommerseth

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBCgAGBQJbxkxHAAoJEIbPlEyWcf3yOv8P/1SZGc19VLoq/5CcEpWIdjSX
qQOLUXKUt8w83cnoo2vpZLEZ/tKD0NoPdtqJWFd4Wk1xr2+t2DfmkDzaO/c1UOwa
zM4aAHhAH2ZPSrZcNcu0VU4TfzpvFv4APM4cgrYP9xUqWeQH3WiXN1SGF8WJCMlc
korhfoDeA3Ph4OXXtRl0lV0x0EasTwR95MdMA5J1CcZ5NPKP2ZCG1hrhEJJ/quqO
tfIeH0QkQRtWJnOkLrnR0VqOGdxyXIk5sHMTAoZsrDFa6lVIL3TAA8iPIM9vrB7U
QSGstRzd/IZNJNMLwfaPwxec8jPZJiuubxWwQbR7H4MyR4+D8fO+QbSk6kKPBvXB
QMaV6GHTqj3dVJel4yCAhDquIaskhUC70a9ZDJrcqtdSHh+oWAPPC9tcbrDk7mnX
QnSTVdESguZUdhQJHfOcLmwvIWA+ASmYw+cZwF2aXQwMikutqbQYMANBDQBY0767
j44tIwppE4XJQkXhAP0BBIEp8E/zvhxw/bH3THw0mbSLGeW4FkxxYeH2ouYiSTsq
uTb2FUQUNiHByLIcGAWszAHzk+HajeAnQSuRyQotM5JorSqt4CM43kpgOWl05Jbm
YQmRPgMhDJ5jlZ4Fm7BGFtppPrrV8AqwSmXuC8gZoHN99ILtnoC/FgygMNYwwrZ/
kpIYhYV8JwXlS2/IeS+t
=aHf+
-----END PGP SIGNATURE-----

Patch

diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 3e97a329..95061d6d 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -604,6 +604,13 @@  tls_ctx_use_external_signing_func(struct tls_root_ctx *ctx,
         return 1;
     }
 
+    if (mbedtls_pk_get_type(&ctx->crt_chain->pk) != MBEDTLS_PK_RSA)
+    {
+        msg (M_WARN, "ERROR: external key with mbed TLS requires a "
+                     "certificate with an RSA key.");
+        return 1;
+    }
+
     ctx->external_key.signature_length = mbedtls_pk_get_len(&ctx->crt_chain->pk);
     ctx->external_key.sign = sign_func;
     ctx->external_key.sign_ctx = sign_ctx;