From patchwork Tue Sep 8 05:41:55 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1427 X-Patchwork-Delegate: a@unstable.cc Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director8.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id ONKCLIqmV184PQAAIUCqbw (envelope-from ) for ; Tue, 08 Sep 2020 11:43:06 -0400 Received: from proxy13.mail.ord1d.rsapps.net ([172.30.191.6]) by director8.mail.ord1d.rsapps.net with LMTP id MJpULIqmV1+FYQAAfY0hYg (envelope-from ) for ; Tue, 08 Sep 2020 11:43:06 -0400 Received: from smtp7.gate.ord1c ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy13.mail.ord1d.rsapps.net with LMTPS id aBCnK4qmV1/MIwAAgjf6aA (envelope-from ) for ; Tue, 08 Sep 2020 11:43:06 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp7.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: fb9e7e9c-f1e9-11ea-bf6f-bc305bf04148-1-1 Received: from [216.105.38.7] ([216.105.38.7:39422] helo=lists.sourceforge.net) by smtp7.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id C2/E4-21739-886A75F5; Tue, 08 Sep 2020 11:43:04 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1kFfl7-0001JH-OW; Tue, 08 Sep 2020 15:42:13 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kFfl5-0001IT-Bj for openvpn-devel@lists.sourceforge.net; Tue, 08 Sep 2020 15:42:11 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=kqJQpe/oTqO5+PZ0iaLbnhGVr2jF4YMtOVyrpzX8sOE=; b=i3h8ShPRBmz4NQFieT9cFAid60 FD7+FmnolsbvkurqXeuH9Ta+iy+W+qotEnQZRLeM+Cze9S+hYaJseVs08y2kAqLFkpJOZyT8UkFeJ t1hu1snjcsc1917J2DmBn9N4SvbAwRfcCEHyjBBahtIOsbhqvo5mNungQ7GhJ99TBcSs=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=kqJQpe/oTqO5+PZ0iaLbnhGVr2jF4YMtOVyrpzX8sOE=; b=DO18QNLHLdnjQw00Mc16/RM74G ZlWzZGg4cnmW6IUa6C0M10YZN6SvfQD+fZAcvGOmZyal9pJP7pW0v0+t0w3V1klu/SF3C5OjyLqB6 twVdCrI9wow9lxaNGXCsSDg6deVyQBnuomJb9APA4O4ektL1pO7RPPWuTjqJHVoNiWnA=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1kFfkz-00GxlQ-3f for openvpn-devel@lists.sourceforge.net; Tue, 08 Sep 2020 15:42:11 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94 (FreeBSD)) (envelope-from ) id 1kFfkr-0002t1-UM for openvpn-devel@lists.sourceforge.net; Tue, 08 Sep 2020 17:41:57 +0200 Received: (nullmailer pid 13861 invoked by uid 10006); Tue, 08 Sep 2020 15:41:57 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Tue, 8 Sep 2020 17:41:55 +0200 Message-Id: <20200908154157.13809-3-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200908154157.13809-1-arne@rfc2549.org> References: <20200908154157.13809-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1kFfkz-00GxlQ-3f Subject: [Openvpn-devel] [PATCH 2/4] Implement peer-fingerprint to check fingerprint of peer certificate X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox This options allows to pin a certificate or a number of certificate. It also prepares for doing TLS authentication without a CA and just self-signed certificates. Signed-off-by: Arne Schwabe --- Changes.rst | 7 ++++++ doc/man-sections/inline-files.rst | 4 ++-- doc/man-sections/tls-options.rst | 22 ++++++++++++++++- src/openvpn/init.c | 1 + src/openvpn/options.c | 40 ++++++++++++++++++++++--------- src/openvpn/options.h | 1 + src/openvpn/ssl_common.h | 1 + src/openvpn/ssl_verify.c | 19 ++++++++------- 8 files changed, 73 insertions(+), 22 deletions(-) diff --git a/Changes.rst b/Changes.rst index f67e1d76..6007412c 100644 --- a/Changes.rst +++ b/Changes.rst @@ -1,5 +1,12 @@ Overview of changes in 2.5 ========================== +New features in 2.5.1 +--------------------- +Certificate pinning/verify peer fingerprint + The ``--peer-fingerprint`` option has been introduced to give users a + easy to use alternative to the ``tls-verify`` for matching the + fingerprint of the peer. The option has use a number of + SHA256 fingerprints. New features ------------ diff --git a/doc/man-sections/inline-files.rst b/doc/man-sections/inline-files.rst index 303bb3c8..01e4a840 100644 --- a/doc/man-sections/inline-files.rst +++ b/doc/man-sections/inline-files.rst @@ -4,8 +4,8 @@ INLINE FILE SUPPORT OpenVPN allows including files in the main configuration for the ``--ca``, ``--cert``, ``--dh``, ``--extra-certs``, ``--key``, ``--pkcs12``, ``--secret``, ``--crl-verify``, ``--http-proxy-user-pass``, ``--tls-auth``, -``--auth-gen-token-secret``, ``--tls-crypt``, ``--tls-crypt-v2`` and -``--verify-hash`` options. +``--auth-gen-token-secret``, ``--peer-fingerprint``, ``--tls-crypt``, +``--tls-crypt-v2`` and ``--verify-hash`` options. Each inline file started by the line ```` diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index 52d4137e..658300b8 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -268,7 +268,8 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one - of ``--remote-cert-tls``, ``--verify-x509-name``, or ``--tls-verify``. + of ``--remote-cert-tls``, ``--verify-x509-name``, ``--peer-fingerprint`` + or ``--tls-verify``. --tls-auth args Add an additional layer of HMAC authentication on top of the TLS control @@ -589,6 +590,25 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa If the option is inlined, ``algo`` is always :code:`SHA256`. +--peer-fingerprint args + Specify a SHA256 fingerprint or list of SHA256 fingerprints to verify + the peer certificate against. The peer certificate must match one of the + fingerprint or certificate verification will fail. The option can also + be inlined + + Valid syntax: + :: + + peer-fingerprint AD:B0:95:D8:09:... + + or inline: + :: + + + 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff + 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00 + + --verify-x509-name args Accept connections only if a host's X.509 name is equal to **name.** The remote host must also pass all other tests of verification. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index a785934a..0c2b823e 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2909,6 +2909,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.remote_cert_eku = options->remote_cert_eku; to.verify_hash = options->verify_hash; to.verify_hash_algo = options->verify_hash_algo; + to.verify_hash_depth = options->verify_hash_depth; #ifdef ENABLE_X509ALTUSERNAME to.x509_username_field = (char *) options->x509_username_field; #else diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 068f3e75..df9eef07 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -8192,26 +8192,44 @@ add_option(struct options *options, options->extra_certs_file = p[1]; options->extra_certs_file_inline = is_inline; } - else if (streq(p[0], "verify-hash") && p[1] && !p[3]) + else if ((streq(p[0], "verify-hash") && p[1] && !p[3]) + || (streq(p[0], "peer-fingerprint") && p[1] && !p[2])) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); + + options->verify_hash_depth = 0; options->verify_hash_algo = MD_SHA256; int digest_len = SHA256_DIGEST_LENGTH; - if (!p[2] || (p[2] && streq(p[2], "SHA1"))) + if (options->verify_hash) { - options->verify_hash_algo = MD_SHA1; - msg(M_WARN, "DEPRECATED FEATURE: Usage of SHA1 fingerprints for " - "verify-hash is deprecated. You should switch to the " - "SHA256."); - options->verify_hash_algo = MD_SHA1; - digest_len = SHA_DIGEST_LENGTH; + msg(msglevel, "ERROR: Setting %s not allowed. Option to verify " + "fingerprint of certificate of peer certificate " + "(--verify-hash or --peer-fingerprint) already set.", + p[0]); + goto err; } - else if (p[2] && !streq(p[2], "SHA256")) + + if (streq(p[0], "verify-hash")) { - msg(msglevel, "invalid or unsupported hashing algorithm: %s (only SHA1 and SHA256 are valid)", p[2]); - goto err; + /* verify level 1 cert, i.e. the CA that signed the leaf cert */ + options->verify_hash_depth = 1; + + if (!p[2] || (p[2] && streq(p[2], "SHA1"))) + { + options->verify_hash_algo = MD_SHA1; + msg(M_WARN, "DEPRECATED FEATURE: Usage of SHA1 fingerprints for " + "verify-hash is deprecated. You should switch to the " + "SHA256."); + options->verify_hash_algo = SHA_DIGEST_LENGTH; + digest_len = SHA_DIGEST_LENGTH; + } + else if (p[2] && !streq(p[2], "SHA256")) + { + msg(msglevel, "invalid or unsupported hashing algorithm: %s (only SHA1 and SHA256 are valid)", p[2]); + goto err; + } } if (is_inline) diff --git a/src/openvpn/options.h b/src/openvpn/options.h index c0dbbd8a..eee6bd21 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -564,6 +564,7 @@ struct options const char *remote_cert_eku; struct verify_hash_list *verify_hash; hash_algo_type verify_hash_algo; + int verify_hash_depth; unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */ #ifdef ENABLE_PKCS11 diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 7ccfc0f8..3a07c3d3 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -283,6 +283,7 @@ struct tls_options unsigned remote_cert_ku[MAX_PARMS]; const char *remote_cert_eku; struct verify_hash_list *verify_hash; + int verify_hash_depth; hash_algo_type verify_hash_algo; char *x509_username_field; diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 73d14e01..ac5e6271 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -693,19 +693,18 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep goto cleanup; /* Reject connection */ } - /* verify level 1 cert, i.e. the CA that signed our leaf cert */ - if (cert_depth == 1 && opt->verify_hash) + if (cert_depth == opt->verify_hash_depth && opt->verify_hash) { - struct buffer ca_hash = {0}; + struct buffer cert_fp = {0}; switch (opt->verify_hash_algo) { case MD_SHA1: - ca_hash = x509_get_sha1_fingerprint(cert, &gc); + cert_fp = x509_get_sha1_fingerprint(cert, &gc); break; case MD_SHA256: - ca_hash = x509_get_sha256_fingerprint(cert, &gc); + cert_fp = x509_get_sha256_fingerprint(cert, &gc); break; default: @@ -725,8 +724,8 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep while (current_hash) { - if (memcmp_constant_time(BPTR(&ca_hash), current_hash->hash, - BLEN(&ca_hash)) == 0) + if (memcmp_constant_time(BPTR(&cert_fp), current_hash->hash, + BLEN(&cert_fp)) == 0) { hash_matched = true; } @@ -735,7 +734,11 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep if (!hash_matched) { - msg(D_TLS_ERRORS, "TLS Error: --tls-verify certificate hash verification failed"); + const char *hex_fp = format_hex_ex(BPTR(&cert_fp), BLEN(&cert_fp), + 0, 1, ":", &gc); + msg(D_TLS_ERRORS, "TLS Error: --tls-verify/--peer-fingerprint" + "certificate hash verification failed. (got " + "fingerprint: %s", hex_fp); goto cleanup; } }