From patchwork Wed May 24 13:24:23 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 3237 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7300:7b9a:b0:c3:1364:a2a2 with SMTP id j26csp2980875dyk; Wed, 24 May 2023 06:25:44 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ50xMEByuIX1DIGWVY5tvrkauqGrg3zVJ3xcBl6TJklmEkAXveSrq3zaB8k9KsA3OG2dbOf X-Received: by 2002:a92:d285:0:b0:33a:942b:556d with SMTP id p5-20020a92d285000000b0033a942b556dmr1048335ilp.20.1684934744128; Wed, 24 May 2023 06:25:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1684934744; cv=none; d=google.com; s=arc-20160816; b=Z9xTrTME2VzHaD+hXYXd8OiMod2WUqdfX6juN9gjFUZ6VnIKRI/NcLRjqvYcl0Qrra o3RmejlWXzausIzskYMEzDfr7DNgHsPaTtffeXDvvWSnpdMG3isHZDk2omUIC9UpCxcl xSig5Q7iHiy+QBXGJZTk+vwUQIhjxmr5eyl9wshMG1+5AdBrc4Q0UCAkp+fNbmNeKvrh g++Y4Ydd/P0CAtlz9R6xjnJ9/hOAnUixe2tRA5uGoX4a9OgyTDI+/oyTc7I0bHX/4TiA Ce7NwDlVFPp7KefuOSoFhEOXV+B6AIy6vgAJ2opDRb8kv5sgXWj7UNntBiVJmnKWdDaC 5Y7w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:message-id:date:to:from:dkim-signature:dkim-signature; bh=jIrPW/AU0r89quk941zgL4VRbSAZ24F/6jTVVs+Juss=; b=DZcqV0GdXrGdQ3MC5OlAo0ViUEnppMMB//Z3QGemJ6v+Z0hRtkQzRSKwBUkSDrEyAa PpZvWtqPY6zY8SybxJmIjUMVK4Gwx71sWBqKvqVX3GuB5OWchgtRpLll/ADR1/ymogAq SgV4/TFEXZF67aZx2fpTvO8FsoiwtumD5+QUF1nwymP/alpaf4zTY0myMo608E5QGly7 qLV4fuudajynyjQKzwn4+OnzWKhnVgLjqHalwdCLL0E4/CxJUM1Nql4wyF5y4FTadagL nb4DmHqQyDRUaj2Ftu0t3ewzETrwCFENw07SX2jR3qV+5iM0SLADYvTOY1CN15ff1YTa z3gg== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=EpxDE0iN; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=GxetHpVs; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id x19-20020a056638161300b00412d3d6440csi7055006jas.158.2023.05.24.06.25.43 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 24 May 2023 06:25:44 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=EpxDE0iN; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=GxetHpVs; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1q1oTt-0002kP-BC; Wed, 24 May 2023 13:24:46 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1q1oTr-0002k5-Ai for openvpn-devel@lists.sourceforge.net; Wed, 24 May 2023 13:24:44 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=XkAVAF0cYy+GcnUwmvBFsSVob63xXXeSjDQwfHs/2fQ=; b=EpxDE0iNSQEeGCccNFqW9FS6a0 0+3IImbBevO4T1O5nt1Ufo3bzpYbXHLdhCz7kOwWN2fFcCxnku7D8gGB+j7c3OfiIn9G7E0AzX5an 9xVGi/zmulq3bkLaWyZTgGH2bTCzgze/iF/RgQ0uXp+HgGAJ6XdPZ/U5YVz88nJUwxuk=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:To:From: Sender:Reply-To:Cc:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=XkAVAF0cYy+GcnUwmvBFsSVob63xXXeSjDQwfHs/2fQ=; b=G xetHpVsHB+98AvCnXGzEViK/Z9pz6gT5Vt15hTAN4K37cIZZ9riHJTrk/NkTI1jHGOWj6c75ECoQI fIpUorUFVURwLYmc1dVKm1D/s7IhbRQio2XDoV9zuYwB6DotXeWQbMsdA3ksUouikdWHIRxMX60b/ gTYuHttVYf9nOhfc=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1q1oTm-0001LK-QD for openvpn-devel@lists.sourceforge.net; Wed, 24 May 2023 13:24:42 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD)) (envelope-from ) id 1q1oTY-000GTS-Hh for openvpn-devel@lists.sourceforge.net; Wed, 24 May 2023 15:24:24 +0200 Received: (nullmailer pid 3098521 invoked by uid 10006); Wed, 24 May 2023 13:24:24 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Wed, 24 May 2023 15:24:23 +0200 Message-Id: <20230524132424.3098475-1-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Spam-Score: 0.3 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: This reverts commit 423ced962db3129b4ed551c489624faba4340652, which has Jason A. Donenfeld listed as author as the patch was based on his initial submission. We have not received permission to relicense the original patch. Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different X-Headers-End: 1q1oTm-0001LK-QD Subject: [Openvpn-devel] [PATCH 1/2] Revert commit 423ced962d X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1766782134713681472?= X-GMAIL-MSGID: =?utf-8?q?1766782134713681472?= This reverts commit 423ced962db3129b4ed551c489624faba4340652, which has Jason A. Donenfeld listed as author as the patch was based on his initial submission. We have not received permission to relicense the original patch. Change-Id: I8142753928498169032450c56d0497a5042bdc9b Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/init.c | 1 - src/openvpn/options.c | 26 +++++++++++++------------- src/openvpn/options.h | 1 - src/openvpn/ssl_common.h | 1 - src/openvpn/ssl_verify_mbedtls.c | 16 ---------------- src/openvpn/ssl_verify_openssl.c | 2 +- 6 files changed, 14 insertions(+), 33 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index d358ad003..c023b33c6 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3347,7 +3347,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.verify_hash = options->verify_hash; to.verify_hash_algo = options->verify_hash_algo; to.verify_hash_depth = options->verify_hash_depth; - to.verify_hash_no_ca = options->verify_hash_no_ca; #ifdef ENABLE_X509ALTUSERNAME memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field)); #else diff --git a/src/openvpn/options.c b/src/openvpn/options.c index e4c596b89..fe9285384 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2991,11 +2991,21 @@ options_postprocess_verify_ce(const struct options *options, else { #ifdef ENABLE_CRYPTO_MBEDTLS + if (!(options->ca_file)) + { + msg(M_USAGE, "You must define CA file (--ca)"); + } + if (options->ca_path) { msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN."); } -#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */ +#else /* ifdef ENABLE_CRYPTO_MBEDTLS */ + if ((!(options->ca_file)) && (!(options->ca_path))) + { + msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)"); + } +#endif if (pull) { @@ -3727,13 +3737,6 @@ options_postprocess_mutate(struct options *o, struct env_set *es) options_postprocess_http_proxy_override(o); } #endif - if (!o->ca_file && !o->ca_path && o->verify_hash - && o->verify_hash_depth == 0) - { - msg(M_INFO, "Using certificate fingerprint to verify peer (no CA " - "option set). "); - o->verify_hash_no_ca = true; - } if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP) { @@ -4029,11 +4032,8 @@ options_postprocess_filechecks(struct options *options) errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE, options->dh_file, R_OK, "--dh"); - if (!options->verify_hash_no_ca) - { - errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE, - options->ca_file, R_OK, "--ca"); - } + errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE, + options->ca_file, R_OK, "--ca"); errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK, "--capath"); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index f5890b90f..95f1158a4 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -604,7 +604,6 @@ struct options struct verify_hash_list *verify_hash; hash_algo_type verify_hash_algo; int verify_hash_depth; - bool verify_hash_no_ca; unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */ #ifdef ENABLE_PKCS11 diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 27b029479..c0b3caa71 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -345,7 +345,6 @@ struct tls_options const char *remote_cert_eku; struct verify_hash_list *verify_hash; int verify_hash_depth; - bool verify_hash_no_ca; hash_algo_type verify_hash_algo; #ifdef ENABLE_X509ALTUSERNAME char *x509_username_field[MAX_PARMS]; diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index e3437f740..c9ef7a171 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -62,22 +62,6 @@ verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth, struct buffer cert_fingerprint = x509_get_sha256_fingerprint(cert, &gc); cert_hash_remember(session, cert_depth, &cert_fingerprint); - if (session->opt->verify_hash_no_ca) - { - /* - * If we decide to verify the peer certificate based on the fingerprint - * we ignore wrong dates and the certificate not being trusted. - * Any other problem with the certificate (wrong key, bad cert,...) - * will still trigger an error. - * Clearing these flags relies on verify_cert will later rejecting a - * certificate that has no matching fingerprint. - */ - uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED - | MBEDTLS_X509_BADCERT_EXPIRED - | MBEDTLS_X509_BADCERT_FUTURE; - *flags = *flags & ~flags_ignore; - } - /* did peer present cert which was signed by our root cert? */ if (*flags != 0) { diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index e24ce4e4a..ac36f09db 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -67,7 +67,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) cert_hash_remember(session, X509_STORE_CTX_get_error_depth(ctx), &cert_hash); /* did peer present cert which was signed by our root cert? */ - if (!preverify_ok && !session->opt->verify_hash_no_ca) + if (!preverify_ok) { /* get the X509 name */ char *subject = x509_get_subject(current_cert, &gc);