From patchwork Sun Mar 21 03:33:53 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1641 X-Patchwork-Delegate: a@unstable.cc Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director10.mail.ord1d.rsapps.net ([172.31.255.6]) by backend30.mail.ord1d.rsapps.net with LMTP id +EzKDo5ZV2CuagAAIUCqbw (envelope-from ) for ; Sun, 21 Mar 2021 10:34:54 -0400 Received: from proxy14.mail.iad3b.rsapps.net ([172.31.255.6]) by director10.mail.ord1d.rsapps.net with LMTP id +F1fDo5ZV2BdZwAApN4f7A (envelope-from ) for ; Sun, 21 Mar 2021 10:34:54 -0400 Received: from smtp9.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy14.mail.iad3b.rsapps.net with LMTPS id UAraB45ZV2AXPwAA+7ETDg (envelope-from ) for ; Sun, 21 Mar 2021 10:34:54 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp9.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 99486ae4-8a52-11eb-96dd-525400f4d366-1-1 Received: from [216.105.38.7] ([216.105.38.7:55554] helo=lists.sourceforge.net) by smtp9.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 62/51-30358-D8957506; Sun, 21 Mar 2021 10:34:53 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1lNz9f-000858-N0; Sun, 21 Mar 2021 14:34:11 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lNz9e-00084r-CA for openvpn-devel@lists.sourceforge.net; Sun, 21 Mar 2021 14:34:10 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=rlrGUSoKeFvn6xdt7WRUifeLtkeRJq1mp1fmM9cL1Qg=; b=ZqMkn5YOu8MdlLUmHMX7sANnUz E5ggsc8CO/9LYB+HheyM6blGJ+YUc3DHc2jshxyHOJkoA5aLK32u6h7shUTHYEmskHr8JU3oYABJ9 u3nt81MWmf7fX9jRIT67iCjP7kEGfPdLic51/B7ZBsVL9fFnMUC75IPBBTaFqhxszwPc=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=rlrGUSoKeFvn6xdt7WRUifeLtkeRJq1mp1fmM9cL1Qg=; b=EWbiz+aJdFzI9n4xb8jNI76zX+ H1IiXOtut43Af2oBFTzzG6/onVurxLLhXPlMT6pb63YOAIC14GegvGOuxspQswhLtqsRrHXtLmx3/ BsVe+ndipNfzgwHvb4mrb5hLpheARsvJKC/yPAS06mYDyykNEX4UO6M1Rbd8KyI8WldY=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1lNz9V-00ADGM-4u for openvpn-devel@lists.sourceforge.net; Sun, 21 Mar 2021 14:34:10 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94 (FreeBSD)) (envelope-from ) id 1lNz9N-00032a-Ub for openvpn-devel@lists.sourceforge.net; Sun, 21 Mar 2021 15:33:53 +0100 Received: (nullmailer pid 2721 invoked by uid 10006); Sun, 21 Mar 2021 14:33:53 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Sun, 21 Mar 2021 15:33:53 +0100 Message-Id: <20210321143353.2677-1-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210319142001.2201-2-arne@rfc2549.org> References: <20210319142001.2201-2-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: rfc2549.org] 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1lNz9V-00ADGM-4u Subject: [Openvpn-devel] [PATCH v3] Implement peer-fingerprint to check fingerprint of peer certificate X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox This option allows to pin one or more more peer certificates. It also prepares for doing TLS authentication without a CA and just self-signed certificates. Patch V2: Allow peer-fingerprint to be specified multiple times to allow multiple peers without needing to use inline syntax. (e.g. on command line). Patch V3: rebase on v3 of 1/4, reword message of verify-hash and peer-fingerpring incompatibility Signed-off-by: Arne Schwabe Acked-by: Antonio Quartulli --- Changes.rst | 9 ++++++- doc/man-sections/inline-files.rst | 4 +-- doc/man-sections/tls-options.rst | 22 +++++++++++++++- src/openvpn/init.c | 1 + src/openvpn/options.c | 42 +++++++++++++++++++++++-------- src/openvpn/options.h | 1 + src/openvpn/ssl_common.h | 1 + src/openvpn/ssl_verify.c | 19 ++++++++------ 8 files changed, 76 insertions(+), 23 deletions(-) diff --git a/Changes.rst b/Changes.rst index d6be1050..ac32de26 100644 --- a/Changes.rst +++ b/Changes.rst @@ -22,13 +22,20 @@ Compatibility with OpenSSL in FIPS mode Deprecated features ------------------- -``inetd`` has been removed +``inetd`` has been removed This was a very limited and not-well-tested way to run OpenVPN, on TCP and TAP mode only. Overview of changes in 2.5 ========================== +New features in 2.5.1 +--------------------- +Certificate pinning/verify peer fingerprint + The ``--peer-fingerprint`` option has been introduced to give users an + easy to use alternative to the ``tls-verify`` for matching the + fingerprint of the peer. The option takes use a number of allowed + SHA256 certificate fingerprints. New features ------------ diff --git a/doc/man-sections/inline-files.rst b/doc/man-sections/inline-files.rst index 303bb3c8..01e4a840 100644 --- a/doc/man-sections/inline-files.rst +++ b/doc/man-sections/inline-files.rst @@ -4,8 +4,8 @@ INLINE FILE SUPPORT OpenVPN allows including files in the main configuration for the ``--ca``, ``--cert``, ``--dh``, ``--extra-certs``, ``--key``, ``--pkcs12``, ``--secret``, ``--crl-verify``, ``--http-proxy-user-pass``, ``--tls-auth``, -``--auth-gen-token-secret``, ``--tls-crypt``, ``--tls-crypt-v2`` and -``--verify-hash`` options. +``--auth-gen-token-secret``, ``--peer-fingerprint``, ``--tls-crypt``, +``--tls-crypt-v2`` and ``--verify-hash`` options. Each inline file started by the line ```` diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index d8f9800e..cfe1ec98 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -271,7 +271,8 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one - of ``--remote-cert-tls``, ``--verify-x509-name``, or ``--tls-verify``. + of ``--remote-cert-tls``, ``--verify-x509-name``, ``--peer-fingerprint`` + or ``--tls-verify``. --tls-auth args Add an additional layer of HMAC authentication on top of the TLS control @@ -592,6 +593,25 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa If the option is inlined, ``algo`` is always :code:`SHA256`. +--peer-fingerprint args + Specify a SHA256 fingerprint or list of SHA256 fingerprints to verify + the peer certificate against. The peer certificate must match one of the + fingerprint or certificate verification will fail. The option can also + be inlined + + Valid syntax: + :: + + peer-fingerprint AD:B0:95:D8:09:... + + or inline: + :: + + + 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff + 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00 + + --verify-x509-name args Accept connections only if a host's X.509 name is equal to **name.** The remote host must also pass all other tests of verification. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index d234729c..731b0cf2 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2927,6 +2927,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.remote_cert_eku = options->remote_cert_eku; to.verify_hash = options->verify_hash; to.verify_hash_algo = options->verify_hash_algo; + to.verify_hash_depth = options->verify_hash_depth; #ifdef ENABLE_X509ALTUSERNAME memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field)); #else diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 3b1c69ba..871f6f5c 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -8118,26 +8118,45 @@ add_option(struct options *options, options->extra_certs_file = p[1]; options->extra_certs_file_inline = is_inline; } - else if (streq(p[0], "verify-hash") && p[1] && !p[3]) + else if ((streq(p[0], "verify-hash") && p[1] && !p[3]) + || (streq(p[0], "peer-fingerprint") && p[1] && !p[2])) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); + + int verify_hash_depth = 0; + if (streq(p[0], "verify-hash")) + { + /* verify level 1 cert, i.e. the CA that signed the leaf cert */ + verify_hash_depth = 1; + } + options->verify_hash_algo = MD_SHA256; int digest_len = SHA256_DIGEST_LENGTH; - if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1"))) + if (options->verify_hash && options->verify_hash_depth != verify_hash_depth) { - options->verify_hash_algo = MD_SHA1; - msg(M_WARN, "DEPRECATED FEATURE: Usage of SHA1 fingerprints for " - "verify-hash is deprecated. You should switch to SHA256."); - options->verify_hash_algo = MD_SHA1; - digest_len = SHA_DIGEST_LENGTH; + msg(msglevel, "ERROR: Setting %s not allowed. --verify-hash and" + " --peer-fingerprint are mutually exclusive", p[0]); + goto err; } - else if (p[2] && !streq(p[2], "SHA256")) + + if (streq(p[0], "verify-hash")) { - msg(msglevel, "invalid or unsupported hashing algorithm: %s " - "(only SHA1 and SHA256 are valid)", p[2]); - goto err; + if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1"))) + { + options->verify_hash_algo = MD_SHA1; + msg(M_WARN, "DEPRECATED FEATURE: Usage of SHA1 fingerprints for " + "verify-hash is deprecated. You should switch to SHA256."); + options->verify_hash_algo = SHA_DIGEST_LENGTH; + digest_len = SHA_DIGEST_LENGTH; + } + else if (p[2] && !streq(p[2], "SHA256")) + { + msg(msglevel, "invalid or unsupported hashing algorithm: %s " + "(only SHA1 and SHA256 are supported)", p[2]); + goto err; + } } struct verify_hash_list *newlist; @@ -8148,6 +8167,7 @@ add_option(struct options *options, if (!options->verify_hash) { options->verify_hash = newlist; + options->verify_hash_depth = verify_hash_depth; } else { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index a7b3174f..30ec53d6 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -560,6 +560,7 @@ struct options const char *remote_cert_eku; struct verify_hash_list *verify_hash; hash_algo_type verify_hash_algo; + int verify_hash_depth; unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */ #ifdef ENABLE_PKCS11 diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index f6aaae98..2b1b87fb 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -284,6 +284,7 @@ struct tls_options unsigned remote_cert_ku[MAX_PARMS]; const char *remote_cert_eku; struct verify_hash_list *verify_hash; + int verify_hash_depth; hash_algo_type verify_hash_algo; #ifdef ENABLE_X509ALTUSERNAME char *x509_username_field[MAX_PARMS]; diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 06de0f5f..923eac91 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -721,19 +721,18 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep goto cleanup; /* Reject connection */ } - /* verify level 1 cert, i.e. the CA that signed our leaf cert */ - if (cert_depth == 1 && opt->verify_hash) + if (cert_depth == opt->verify_hash_depth && opt->verify_hash) { - struct buffer ca_hash = {0}; + struct buffer cert_fp = {0}; switch (opt->verify_hash_algo) { case MD_SHA1: - ca_hash = x509_get_sha1_fingerprint(cert, &gc); + cert_fp = x509_get_sha1_fingerprint(cert, &gc); break; case MD_SHA256: - ca_hash = x509_get_sha256_fingerprint(cert, &gc); + cert_fp = x509_get_sha256_fingerprint(cert, &gc); break; default: @@ -752,8 +751,8 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep while (current_hash) { - if (memcmp_constant_time(BPTR(&ca_hash), current_hash->hash, - BLEN(&ca_hash)) == 0) + if (memcmp_constant_time(BPTR(&cert_fp), current_hash->hash, + BLEN(&cert_fp)) == 0) { break; } @@ -762,7 +761,11 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep if (!current_hash) { - msg(D_TLS_ERRORS, "TLS Error: --tls-verify certificate hash verification failed"); + const char *hex_fp = format_hex_ex(BPTR(&cert_fp), BLEN(&cert_fp), + 0, 1, ":", &gc); + msg(D_TLS_ERRORS, "TLS Error: --tls-verify/--peer-fingerprint" + "certificate hash verification failed. (got " + "fingerprint: %s", hex_fp); goto cleanup; } }