From patchwork Tue Sep 8 05:41:56 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1426 X-Patchwork-Delegate: a@unstable.cc Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id oLjrJIqmV18wXAAAIUCqbw (envelope-from ) for ; Tue, 08 Sep 2020 11:43:06 -0400 Received: from proxy7.mail.ord1d.rsapps.net ([172.30.191.6]) by director11.mail.ord1d.rsapps.net with LMTP id IPjWJIqmV18YTAAAvGGmqA (envelope-from ) for ; Tue, 08 Sep 2020 11:43:06 -0400 Received: from smtp37.gate.ord1c ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy7.mail.ord1d.rsapps.net with LMTPS id ULA6JIqmV196RQAAMe1Fpw (envelope-from ) for ; Tue, 08 Sep 2020 11:43:06 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp37.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: f97ec22a-f1e9-11ea-b9d3-525400e8d833-1-1 Received: from [216.105.38.7] ([216.105.38.7:39320] helo=lists.sourceforge.net) by smtp37.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 1E/6F-32504-486A75F5; Tue, 08 Sep 2020 11:43:01 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1kFfl7-0001J4-JZ; Tue, 08 Sep 2020 15:42:13 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1kFfl4-0001I8-2f for openvpn-devel@lists.sourceforge.net; Tue, 08 Sep 2020 15:42:10 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:Cc: To:From:Sender:Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=fpnjbtx6O6sAbuQg8K42qyspz8q8+GZWbFpShlWubNs=; b=KwJn2Ewf7MqfmKy0+47Bf6nWRT mk6iscccd6nq2Mnr61YFWEryAN3uLo2myx7kgpM57835FsTsquws1QNemF2ZvPnEUIyPx2c1XI61c cXcZiaS20waz96bM1FJea6ba6ZGjw/m+N6PvXFzl7U1AIUwrWrP9MGoJynSsFP+JoRec=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=fpnjbtx6O6sAbuQg8K42qyspz8q8+GZWbFpShlWubNs=; b=D5B5gMRx4GevPFa+R8Scw8zuLX dmNHgBndRNxpj33nx+RK2Rp/5KfbCfPVexDApY6XERPD8v1f0rAjfijQPbTp6ZBizGg0RiPhO8hFJ vP1TJU9wNGc5I1XDtXKDd8CO5WezKlGK0pG2YkRDFbxR/dk/NDIT3+Z2/01aTl/sL7Gg=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-3.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1kFfkz-00H6Qb-1z for openvpn-devel@lists.sourceforge.net; Tue, 08 Sep 2020 15:42:10 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94 (FreeBSD)) (envelope-from ) id 1kFfks-0002t4-0P; Tue, 08 Sep 2020 17:41:58 +0200 Received: (nullmailer pid 13865 invoked by uid 10006); Tue, 08 Sep 2020 15:41:57 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Tue, 8 Sep 2020 17:41:56 +0200 Message-Id: <20200908154157.13809-4-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200908154157.13809-1-arne@rfc2549.org> References: <20200908154157.13809-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1kFfkz-00H6Qb-1z Subject: [Openvpn-devel] [PATCH 3/4] Support fingerprint authentication without CA certificate X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: "Jason A. Donenfeld" MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox From: "Jason A. Donenfeld" OpenVPN traditionally works around CAs. However many TLS-based protocols also allow an alternative simpler mode in which rather than verify certificates against CAs, the certificate itself is hashed and compared against a pre-known set of acceptable hashes. This is usually referred to as "fingerprint verification". It's popular across SMTP servers, IRC servers, XMPP servers, and even in the context of HTTP with pinning. * Allow not specifying the --ca parameter, to specify that certificates should not be checked against a CA. I've included some instructions on how to use all of this. Server side: ============ Make self-signed cert: $ openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout serverkey.pem -out servercert.pem -nodes -sha256 -days 3650 -subj '/CN=server' Record our fingerprint in an environment variable for the client to use later: $ server_fingerprint="$(openssl x509 -in servercert.pem -noout -sha256 -fingerprint | sed 's/.*=//;s/\(.*\)/\1/')" Client side: ============ Make self-signed cert: $ openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout clientkey.pem -out clientcert.pem -nodes -sha256 -days 3650 -subj '/CN=client' Record our fingerprint in an environment variable for the server to use later: $ client_fingerprint="$(openssl x509 -in clientcert.pem -noout -sha256 -fingerprint | sed 's/.*=//;s/\(.*\)/\1/')" Start server/client =================== Start openvpn with peer fingerprint verification: $ sudo openvpn --server 10.66.0.0 255.255.255.0 --dev tun --dh none --cert servercert.pem --key serverkey.pem --peer-fingerprint "$client_fingerprint" $ sudo openvpn --client --remote 127.0.0.1 --dev tun --cert clientcert.pem --key clientkey.pem --peer-fingerprint "$server_fingerprint" --nobind Signed-off-by: Jason A. Donenfeld Patch V2: Changes in V2 (by Arne Schwabe): - Only check peer certificates, not all cert levels, if you need multiple levels of certificate you should use a real CA - Use peer-fingerprint instead tls-verify on server side in example. - rename variable ca_file_none to verify_hash_no_ca - do no require --ca none but allow --ca simply to be absent when --peer-fingprint is present - adjust warnings/errors messages to also point to peer-fingerprint as valid verification method. - Fix mbed TLS version of not requiring CA not working Signed-off-by: Arne Schwabe --- src/openvpn/init.c | 2 ++ src/openvpn/options.c | 30 +++++++++++++++++++++++------- src/openvpn/options.h | 1 + src/openvpn/ssl.c | 2 +- src/openvpn/ssl_common.h | 1 + src/openvpn/ssl_verify_mbedtls.c | 17 +++++++++++++++++ src/openvpn/ssl_verify_openssl.c | 2 +- 7 files changed, 46 insertions(+), 9 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 0c2b823e..585b5760 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2910,6 +2910,8 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.verify_hash = options->verify_hash; to.verify_hash_algo = options->verify_hash_algo; to.verify_hash_depth = options->verify_hash_depth; + to.verify_hash_no_ca = options->verify_hash_no_ca; + #ifdef ENABLE_X509ALTUSERNAME to.x509_username_field = (char *) options->x509_username_field; #else diff --git a/src/openvpn/options.c b/src/openvpn/options.c index df9eef07..8e00e896 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2721,18 +2721,23 @@ options_postprocess_verify_ce(const struct options *options, const struct connec else { #ifdef ENABLE_CRYPTO_MBEDTLS - if (!(options->ca_file)) + if (!(options->ca_file || options->verify_hash_no_ca)) { - msg(M_USAGE, "You must define CA file (--ca)"); + msg(M_USAGE, "You must define CA file (--ca) and/or " + "peer fingeprint verification " + "(--peer-fingerprint)"); } if (options->ca_path) { msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN."); } #else /* ifdef ENABLE_CRYPTO_MBEDTLS */ - if ((!(options->ca_file)) && (!(options->ca_path))) + if ((!(options->ca_file)) && (!(options->ca_path)) + && (!(options->verify_hash_no_ca))) { - msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)"); + msg(M_USAGE, "You must define CA file (--ca) or CA path " + "(--capath) and/or peer fingeprint verification " + "(--peer-fingerprint)"); } #endif if (pull) @@ -2751,7 +2756,8 @@ options_postprocess_verify_ce(const struct options *options, const struct connec #if P2MP if (!options->auth_user_pass_file) #endif - msg(M_USAGE, "No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass"); + msg(M_USAGE, "No client-side authentication method is specified. You must use either --cert/--key," + " --pkcs12, or --auth-user-pass"); } else if (sum == 2) { @@ -3241,6 +3247,13 @@ options_postprocess_mutate(struct options *o) options_postprocess_http_proxy_override(o); } #endif + if (!o->ca_file && !o->ca_path && o->verify_hash + && o->verify_hash_depth == 0) + { + msg(M_INFO, "Using certificate fingerprint to verify peer (no CA " + "option set). "); + o->verify_hash_no_ca = true; + } #if P2MP /* @@ -3476,8 +3489,11 @@ options_postprocess_filechecks(struct options *options) errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE, options->dh_file, R_OK, "--dh"); - errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE, - options->ca_file, R_OK, "--ca"); + if (!options->verify_hash_no_ca) + { + errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE, + options->ca_file, R_OK, "--ca"); + } errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK, "--capath"); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index eee6bd21..ea1b49d0 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -565,6 +565,7 @@ struct options struct verify_hash_list *verify_hash; hash_algo_type verify_hash_algo; int verify_hash_depth; + bool verify_hash_no_ca; unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */ #ifdef ENABLE_PKCS11 diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 3fcaa25f..45836821 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -684,7 +684,7 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx) } #endif - if (options->ca_file || options->ca_path) + if ((!options->verify_hash_no_ca && options->ca_file) || options->ca_path) { tls_ctx_load_ca(new_ctx, options->ca_file, options->ca_file_inline, options->ca_path, options->tls_server); diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 3a07c3d3..33fd8237 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -284,6 +284,7 @@ struct tls_options const char *remote_cert_eku; struct verify_hash_list *verify_hash; int verify_hash_depth; + bool verify_hash_no_ca; hash_algo_type verify_hash_algo; char *x509_username_field; diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index 93891038..1ed1e0e2 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -62,6 +62,23 @@ verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth, struct buffer cert_fingerprint = x509_get_sha256_fingerprint(cert, &gc); cert_hash_remember(session, cert_depth, &cert_fingerprint); + + if (session->opt->verify_hash_no_ca) + { + /* + * If we decide to verify the peer certificate based on the fingerprint + * we ignore wrong dates and the certificate not being trusted. + * Any other problem with the certificate (wrong key, bad cert,...) + * will still trigger an error. + * Clearing these flags relies on verify_cert will later rejecting a + * certificate that has no matching fingerprint. + */ + uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED + | MBEDTLS_X509_BADCERT_EXPIRED + | MBEDTLS_X509_BADCERT_FUTURE; + *flags = *flags & ~flags_ignore; + } + /* did peer present cert which was signed by our root cert? */ if (*flags != 0) { diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 454efeec..cb2a2e2a 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -67,7 +67,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) cert_hash_remember(session, X509_STORE_CTX_get_error_depth(ctx), &cert_hash); /* did peer present cert which was signed by our root cert? */ - if (!preverify_ok) + if (!preverify_ok && !session->opt->verify_hash_no_ca) { /* get the X509 name */ char *subject = x509_get_subject(current_cert, &gc);