[Openvpn-devel,1/2] Revert commit 423ced962d

Message ID	20230524132424.3098475-1-arne@rfc2549.org
State	Accepted
Headers	show Return-Path: <openvpn-devel-bounces@lists.sourceforge.net> Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; From: Arne Schwabe <arne@rfc2549.org> To: openvpn-devel@lists.sourceforge.net Date: Wed, 24 May 2023 15:24:23 +0200 Message-Id: <20230524132424.3098475-1-arne@rfc2549.org> MIME-Version: 1.0 preview: This reverts commit 423ced962db3129b4ed551c489624faba4340652, which has Jason A. Donenfeld listed as author as the patch was based on his initial submission. We have not received permission to relicense the original patch. Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different Subject: [Openvpn-devel] [PATCH 1/2] Revert commit 423ced962d Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox
Series	[Openvpn-devel,1/2] Revert commit 423ced962d \| expand [Openvpn-devel,1/2] Revert commit 423ced962d [Openvpn-devel,2/2] Implement using --peer-fingerprint without CA certificates

Message ID

20230524132424.3098475-1-arne@rfc2549.org

State

Accepted

Headers

Received-SPF: pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) client-ip=216.105.38.7;
From: Arne Schwabe <arne@rfc2549.org>
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 24 May 2023 15:24:23 +0200
Message-Id: <20230524132424.3098475-1-arne@rfc2549.org>
MIME-Version: 1.0
Subject: [Openvpn-devel] [PATCH 1/2] Revert commit 423ced962d
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: openvpn-devel-bounces@lists.sourceforge.net

Series

[Openvpn-devel,1/2] Revert commit 423ced962d | expand

Commit Message

Arne Schwabe May 24, 2023, 1:24 p.m. UTC

This reverts commit 423ced962db3129b4ed551c489624faba4340652, which
has Jason A. Donenfeld listed as author as the patch was based on his
initial submission.

We have not received permission to relicense the original patch.

Change-Id: I8142753928498169032450c56d0497a5042bdc9b
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/init.c               |  1 -
 src/openvpn/options.c            | 26 +++++++++++++-------------
 src/openvpn/options.h            |  1 -
 src/openvpn/ssl_common.h         |  1 -
 src/openvpn/ssl_verify_mbedtls.c | 16 ----------------
 src/openvpn/ssl_verify_openssl.c |  2 +-
 6 files changed, 14 insertions(+), 33 deletions(-)

Comments

Gert Doering July 18, 2023, 1:04 p.m. UTC | #1

Acked-by: Gert Doering <gert@greenie.muc.de>

This is unfortunate, but the only option if we want to get on with the
license change.  Not tested individually, but tested together with
2/2, and "everything works as before".

Your patch has been applied to the master and release/2.6 branch.

commit 370334828659e205941eecd1c90f085a64ca539d (master)
commit e376a00c2884c7cc3f965cdd08a8b66537264999 (release/2.6)
Author: Arne Schwabe
Date:   Wed May 24 15:24:23 2023 +0200

     Revert commit 423ced962d

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Gert Doering <gert@greenie.muc.de>
     Message-Id: <20230524132424.3098475-1-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26722.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index d358ad003..c023b33c6 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -3347,7 +3347,6 @@  do_init_crypto_tls(struct context *c, const unsigned int flags)
     to.verify_hash = options->verify_hash;
     to.verify_hash_algo = options->verify_hash_algo;
     to.verify_hash_depth = options->verify_hash_depth;
-    to.verify_hash_no_ca = options->verify_hash_no_ca;
 #ifdef ENABLE_X509ALTUSERNAME
     memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field));
 #else
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index e4c596b89..fe9285384 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2991,11 +2991,21 @@  options_postprocess_verify_ce(const struct options *options,
         else
         {
 #ifdef ENABLE_CRYPTO_MBEDTLS
+            if (!(options->ca_file))
+            {
+                msg(M_USAGE, "You must define CA file (--ca)");
+            }
+
             if (options->ca_path)
             {
                 msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN.");
             }
-#endif  /* ifdef ENABLE_CRYPTO_MBEDTLS */
+#else  /* ifdef ENABLE_CRYPTO_MBEDTLS */
+            if ((!(options->ca_file)) && (!(options->ca_path)))
+            {
+                msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)");
+            }
+#endif
             if (pull)
             {
 
@@ -3727,13 +3737,6 @@  options_postprocess_mutate(struct options *o, struct env_set *es)
         options_postprocess_http_proxy_override(o);
     }
 #endif
-    if (!o->ca_file && !o->ca_path && o->verify_hash
-        && o->verify_hash_depth == 0)
-    {
-        msg(M_INFO, "Using certificate fingerprint to verify peer (no CA "
-            "option set). ");
-        o->verify_hash_no_ca = true;
-    }
 
     if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP)
     {
@@ -4029,11 +4032,8 @@  options_postprocess_filechecks(struct options *options)
     errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE,
                                      options->dh_file, R_OK, "--dh");
 
-    if (!options->verify_hash_no_ca)
-    {
-        errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE,
-                                         options->ca_file, R_OK, "--ca");
-    }
+    errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE,
+                                     options->ca_file, R_OK, "--ca");
 
     errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE,
                                      options->ca_path, R_OK, "--capath");
diff --git a/src/openvpn/options.h b/src/openvpn/options.h
index f5890b90f..95f1158a4 100644
--- a/src/openvpn/options.h
+++ b/src/openvpn/options.h
@@ -604,7 +604,6 @@  struct options
     struct verify_hash_list *verify_hash;
     hash_algo_type verify_hash_algo;
     int verify_hash_depth;
-    bool verify_hash_no_ca;
     unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */
 
 #ifdef ENABLE_PKCS11
diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
index 27b029479..c0b3caa71 100644
--- a/src/openvpn/ssl_common.h
+++ b/src/openvpn/ssl_common.h
@@ -345,7 +345,6 @@  struct tls_options
     const char *remote_cert_eku;
     struct verify_hash_list *verify_hash;
     int verify_hash_depth;
-    bool verify_hash_no_ca;
     hash_algo_type verify_hash_algo;
 #ifdef ENABLE_X509ALTUSERNAME
     char *x509_username_field[MAX_PARMS];
diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c
index e3437f740..c9ef7a171 100644
--- a/src/openvpn/ssl_verify_mbedtls.c
+++ b/src/openvpn/ssl_verify_mbedtls.c
@@ -62,22 +62,6 @@  verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth,
     struct buffer cert_fingerprint = x509_get_sha256_fingerprint(cert, &gc);
     cert_hash_remember(session, cert_depth, &cert_fingerprint);
 
-    if (session->opt->verify_hash_no_ca)
-    {
-        /*
-         * If we decide to verify the peer certificate based on the fingerprint
-         * we ignore wrong dates and the certificate not being trusted.
-         * Any other problem with the certificate (wrong key, bad cert,...)
-         * will still trigger an error.
-         * Clearing these flags relies on verify_cert will later rejecting a
-         * certificate that has no matching fingerprint.
-         */
-        uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED
-                                | MBEDTLS_X509_BADCERT_EXPIRED
-                                | MBEDTLS_X509_BADCERT_FUTURE;
-        *flags = *flags & ~flags_ignore;
-    }
-
     /* did peer present cert which was signed by our root cert? */
     if (*flags != 0)
     {
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index e24ce4e4a..ac36f09db 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -67,7 +67,7 @@  verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
     cert_hash_remember(session, X509_STORE_CTX_get_error_depth(ctx), &cert_hash);
 
     /* did peer present cert which was signed by our root cert? */
-    if (!preverify_ok && !session->opt->verify_hash_no_ca)
+    if (!preverify_ok)
     {
         /* get the X509 name */
         char *subject = x509_get_subject(current_cert, &gc);

[Openvpn-devel,1/2] Revert commit 423ced962d

Commit Message

Comments

Patch