From patchwork Tue Sep  8 05:41:53 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Arne Schwabe <arne@rfc2549.org>
X-Patchwork-Id: 1428
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Delivered-To: patchwork@openvpn.net
Received: from director7.mail.ord1d.rsapps.net ([172.30.191.6])
	by backend30.mail.ord1d.rsapps.net with LMTP
	id sP9cNIqmV184PQAAIUCqbw
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	for <patchwork@openvpn.net>; Tue, 08 Sep 2020 11:43:06 -0400
Received: from proxy12.mail.ord1d.rsapps.net ([172.30.191.6])
	by director7.mail.ord1d.rsapps.net with LMTP
	id aCsuNIqmV18JHAAAovjBpQ
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	for <patchwork@openvpn.net>; Tue, 08 Sep 2020 11:43:06 -0400
Received: from smtp3.gate.ord1c ([172.30.191.6])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	by proxy12.mail.ord1d.rsapps.net with LMTPS
	id yKquM4qmV1+TDQAA7PHxkg
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	for <patchwork@openvpn.net>; Tue, 08 Sep 2020 11:43:06 -0400
X-Spam-Threshold: 95
X-Spam-Score: 0
X-Spam-Flag: NO
X-Virus-Scanned: OK
X-Orig-To: openvpnslackdevel@openvpn.net
X-Originating-Ip: [216.105.38.7]
Authentication-Results: smtp3.gate.ord1c.rsapps.net;
 iprev=pass policy.iprev="216.105.38.7";
 spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net"
 smtp.helo="lists.sourceforge.net";
 dkim=fail (signature verification failed) header.d=sourceforge.net;
 dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil;
 dis=none) header.from=rfc2549.org
X-Suspicious-Flag: YES
X-Classification-ID: fc0262b8-f1e9-11ea-bbef-842b2b47481a-1-1
Received: from [216.105.38.7] ([216.105.38.7:36618]
 helo=lists.sourceforge.net)
	by smtp3.gate.ord1c.rsapps.net (envelope-from
 <openvpn-devel-bounces@lists.sourceforge.net>)
	(ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384)
	id 33/2F-02642-986A75F5; Tue, 08 Sep 2020 11:43:05 -0400
Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com)
	by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.90_1)
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	id 1kFfl6-0005J5-1F; Tue, 08 Sep 2020 15:42:12 +0000
Received: from [172.30.20.202] (helo=mx.sourceforge.net)
 by sfs-ml-2.v29.lw.sourceforge.com with esmtps
 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1)
 (envelope-from <arne@kamera.blinkt.de>) id 1kFfl4-0005Iw-31
 for openvpn-devel@lists.sourceforge.net; Tue, 08 Sep 2020 15:42:10 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=sourceforge.net; s=x; h=Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:
 MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=yoG3409myWcmprm/1tQPf7IkJSe87/JPXuggP3hyomI=; b=V1/ybVyuptrFlvkfZj9w9AAF6e
 3I98L3cGFZAxjt3vmYMOrpOSfDmrMvgR+7GQz9mPHGQ7AMn+unPcvHm/ZM+2Q9SZBase4HN5Xu3HH
 eXqCF4LR5F/8QnF5nuTzEFyuWf7iHV5ayOElt42d5D6tSimVR0DCNu3ONwy1hIDFqf7s=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
 ;
 h=Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:MIME-Version:
 Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description:
 Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:
 In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=yoG3409myWcmprm/1tQPf7IkJSe87/JPXuggP3hyomI=; b=B5AAcDhQgU2lqBuQaoARTVV4vc
 8hs1HzvNA9sSR3PSO8WwHtPqW5e5mhbyHkNSxDkVpCvSyu876yb+chuTFFnkLrYBrAzHmhRlf1mnn
 CHpSh8zlRSLG1FWl9x/LH/DdM/FzuOxAatuBO3au1Le6lIV+punwK3+eeHtZVBtZi54Q=;
Received: from mail.blinkt.de ([192.26.174.232])
 by sfi-mx-3.v28.lw.sourceforge.com with esmtps
 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2)
 id 1kFfkz-00H6QT-1q
 for openvpn-devel@lists.sourceforge.net; Tue, 08 Sep 2020 15:42:10 +0000
Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c])
 by mail.blinkt.de with smtp (Exim 4.94 (FreeBSD))
 (envelope-from <arne@kamera.blinkt.de>) id 1kFfkr-0002sv-Pn
 for openvpn-devel@lists.sourceforge.net; Tue, 08 Sep 2020 17:41:57 +0200
Received: (nullmailer pid 13854 invoked by uid 10006);
 Tue, 08 Sep 2020 15:41:57 -0000
From: Arne Schwabe <arne@rfc2549.org>
To: openvpn-devel@lists.sourceforge.net
Date: Tue,  8 Sep 2020 17:41:53 +0200
Message-Id: <20200908154157.13809-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.17.1
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
 See http://spamassassin.org/tag/ for more details.
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
 domains are different
 0.0 SPF_NONE               SPF: sender does not publish an SPF Record
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
X-Headers-End: 1kFfkz-00H6QT-1q
Subject: [Openvpn-devel] [PATCH 0/4] Allow setting up OpenVPN in TLS mode
 without CA
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
MIME-Version: 1.0
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox

Setting up a CA even with the help of easy-tls and similar tools is
difficult/tiresome. For small setups self-signed certificates are
sufficient enough and restarting the server to add another client is
generally not a big problem (when you need that capability a CA is
better suited).

This patch set allows setting up OpenVPN with verification of peer
certificates and without a CA certificate. Instead of verifying
certificates through a CA, it allows to verify a certificate just by it
fingerprint. This is usually called certificate pinning. (If you wonder if
this secure, it is as secure as normal CA operation as certificate signature
also only sign the finerprinter of a certificate and not the whole cert.)

The commit themselves have examples.

The main difference of this patch set to Jason's V1 version is that it does
not rely on an external script on the server side and instead relys on an a
inlined <peer-fingerprint> section. The downside is that this requires a
server restart on adding a client but the upside is that no script-security
or external scripts are necessary and server/client setup become symmetric.

Arne Schwabe (3):
  Extend verify-hash to allow multiple hashes
  Implement peer-fingerprint to check fingerprint of peer certificate
  Document the simple self-signed certificate setup in examples

Jason A. Donenfeld (1):
  Support fingerprint authentication without CA certificate

 Changes.rst                       |  12 +++
 doc/man-sections/examples.rst     |  46 ++++++----
 doc/man-sections/inline-files.rst |   4 +-
 doc/man-sections/tls-options.rst  |  36 +++++++-
 src/openvpn/init.c                |   3 +
 src/openvpn/options.c             | 145 +++++++++++++++++++++++++-----
 src/openvpn/options.h             |  13 ++-
 src/openvpn/ssl.c                 |   2 +-
 src/openvpn/ssl_common.h          |   4 +-
 src/openvpn/ssl_verify.c          |  30 +++++--
 src/openvpn/ssl_verify_mbedtls.c  |  17 ++++
 src/openvpn/ssl_verify_openssl.c  |   2 +-
 12 files changed, 263 insertions(+), 51 deletions(-)