From patchwork Mon Apr 12 06:45:43 2021
X-Patchwork-Submitter: Maximilian Fillinger
X-Patchwork-Id: 1732
From: Max Fillinger
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 12 Apr 2021 18:45:43 +0200
X-Mailer: git-send-email 2.11.0
Subject: [Openvpn-devel] [PATCH v2 0/2] CRL reloading and chroot with mbedtls

After a lot of discussion on IRC on Friday, here's a new attempt at fixing the mbedtls certificate reloading issue.

To sum up the background: Compumatica discovered the following pair of bugs in OpenVPN-NL, which are also present in stock OpenVPN with mbedtls.

1) With mbedtls, if the CRL file can't be accessed during init_ssl(), OpenVPN will read the file in tls_process() when it becomes available later, but it will not actually use it. This situation is likely to happen when running in a chroot because of the second bug.

2) OpenVPN attempts to read the CRL file in init_ssl() before chroot-ing and tries to access the path outside of the chroot directory. For example, let's say we have the CRL file in "/chroot/crl.pem", and we run OpenVPN with "--chroot /chroot/" and "--crl-verify /crl.pem". During option validation, OpenVPN will check that "/chroot/crl.pem" exists. Pre-chroot, it will try to access "/crl.pem", which fails. Post-chroot, it opens the file.

Bug 2) is present in OpenVPN with OpenSSL, too, but OpenSSL actually uses the reloaded CRL from tls_process(), so the only consequence is a warning message in the logs.

The first patch fixes bug 2) by prefixing the path to the chroot directory to the CRL file when we're running init_ssl() pre-chroot. By itself, this makes it much more difficult to trigger bug 1).

The second patch makes OpenVPN abort in init_ssl() if the CRL file cannot be accessed. Now that the path is handled correctly pre- and post-chroot, there is no good reason why accessing it should fail. This fixes bug 1).

Max Fillinger (2):
  In init_ssl, open the correct CRL path pre-chroot
  Abort if CRL file can't be stat-ed in init_ssl

 src/openvpn/init.c    |  3 ++-
 src/openvpn/misc.c    | 11 +++++++++++
 src/openvpn/misc.h    |  7 +++++++
 src/openvpn/options.c |  8 +-------
 src/openvpn/ssl.c     | 37 ++++++++++++++++++++++++++++++++-----
 src/openvpn/ssl.h     |  2 +-
 6 files changed, 54 insertions(+), 14 deletions(-)
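The path mismatch from bug 2) and the "abort if the CRL can't be stat-ed" policy of the second patch, as an added C example that is not part of this series or of OpenVPN's own code. `pre_chroot_path()`, `crl_file_accessible()`, `demo_setup()` and `demo_cleanup()` are hypothetical names chosen here, not the functions the patches add to misc.c and ssl.c; the fixture directory `/tmp/crl_chroot_example` and its placeholder `crl.pem` are constructed for the demonstration, and the example assumes the `--crl-verify` path is meant to be resolved relative to the chroot root, as in the cover letter's "/chroot/crl.pem" case.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not OpenVPN's): given the directory passed to --chroot
 * and a path that is meant to be valid inside that chroot, return the path at
 * which the same file is visible before chroot() has been called. The result
 * is heap-allocated; the caller frees it. A NULL or empty chroot_dir means
 * "no chroot", so the path comes back unchanged. */
char *pre_chroot_path(const char *chroot_dir, const char *path)
{
    size_t dlen = chroot_dir ? strlen(chroot_dir) : 0;
    const char *rel = path;

    if (dlen == 0) {                      /* no chroot: plain copy */
        char *copy = malloc(strlen(path) + 1);
        return copy ? strcpy(copy, path) : NULL;
    }
    /* Trim trailing slashes from the chroot dir and leading slashes from the
     * inner path, so "--chroot /chroot/" plus "/crl.pem" gives
     * "/chroot/crl.pem" rather than "/chroot//crl.pem". */
    while (dlen > 0 && chroot_dir[dlen - 1] == '/') { dlen--; }
    while (*rel == '/') { rel++; }

    size_t len = dlen + 1 + strlen(rel) + 1;
    char *out = malloc(len);
    if (out) {
        snprintf(out, len, "%.*s/%s", (int)dlen, chroot_dir, rel);
    }
    return out;
}

/* The check the second patch wants in init_ssl(): stat() the CRL at the path
 * that would actually be opened at this stage (prefixed with the chroot dir
 * before the chroot, taken as given after it). */
bool crl_file_accessible(const char *chroot_dir, const char *crl_file, bool chroot_done)
{
    struct stat st;
    char *p = pre_chroot_path(chroot_done ? NULL : chroot_dir, crl_file);
    if (p == NULL) { return false; }
    bool ok = (stat(p, &st) == 0);
    free(p);
    return ok;
}

/* Constructed fixture: a fake chroot directory under /tmp holding a
 * placeholder crl.pem (not a real CRL). Writes the directory into dirbuf. */
bool demo_setup(char *dirbuf, size_t n)
{
    struct stat st;
    char file[256];
    snprintf(dirbuf, n, "%s", "/tmp/crl_chroot_example");
    if (mkdir(dirbuf, 0700) != 0 &&
        (stat(dirbuf, &st) != 0 || !S_ISDIR(st.st_mode))) {
        return false;
    }
    snprintf(file, sizeof file, "%s/crl.pem", dirbuf);
    FILE *f = fopen(file, "w");
    if (f == NULL) { return false; }
    fputs("-----BEGIN X509 CRL-----\n(constructed placeholder)\n"
          "-----END X509 CRL-----\n", f);
    fclose(f);
    return true;
}

void demo_cleanup(const char *dir)
{
    char file[256];
    snprintf(file, sizeof file, "%s/crl.pem", dir);
    unlink(file);
    rmdir(dir);
}

int main(void)
{
    char dir[64];
    if (!demo_setup(dir, sizeof dir)) {
        perror("demo_setup");
        return 1;
    }
    /* Bug 2) as described: unprefixed, "/crl.pem" is resolved at the real
     * root pre-chroot and normally not found there; prefixed, it is found. */
    printf("unprefixed: %s, prefixed: %s\n",
           crl_file_accessible(NULL, "/crl.pem", false) ? "found" : "missing",
           crl_file_accessible(dir, "/crl.pem", false) ? "found" : "missing");
    /* Second patch's policy: a CRL that cannot be stat-ed at init is fatal,
     * since continuing without it would leave revoked certificates accepted. */
    int rc = crl_file_accessible(dir, "/crl.pem", false) ? 0 : 1;
    if (rc) {
        fprintf(stderr, "CRL file not accessible, aborting init\n");
    }
    demo_cleanup(dir);
    return rc;
}
```

The point of keeping the pre-chroot check strict rather than deferring to a later reload is the one the cover letter makes for mbedtls: a CRL that is read but never applied gives no revocation checking at all, so failing loudly at init is the safer default.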