From patchwork Sun Oct 1 17:49:20 2023
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 3370
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 1 Oct 2023 13:49:20 -0400
Message-Id: <20231001174920.54154-1-selva.nair@gmail.com>
X-Mailer: git-send-email 2.34.1
Subject: [Openvpn-devel] [PATCH] Log OpenSSL errors on failure to set certificate
From: Selva Nair

Currently we log a bogus error message saying private key password
verification failed when SSL_CTX_use_cert_and_key() fails in
pkcs11_openssl.c. Instead print the OpenSSL error queue and exit promptly.

Also log OpenSSL errors when SSL_CTX_use_certificate() fails in
cryptoapi.c and elsewhere. Such logging could be useful especially when
the certificate is rejected by OpenSSL due to stricter security
restrictions in recent versions of the library.

Change-Id: Ic7ec25ac0503a91d5869b8da966d0065f264af22
Signed-off-by: Selva Nair
Acked-By: Arne Schwabe
--- src/openvpn/cryptoapi.c | 2 ++ src/openvpn/pkcs11_openssl.c | 6 ++++-- src/openvpn/ssl_openssl.c | 2 ++ tests/unit_tests/openvpn/test_cryptoapi.c | 11 +++++++++++ tests/unit_tests/openvpn/test_pkcs11.c | 11 +++++++++++ 5 files changed, 30 insertions(+), 2 deletions(-) diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index 3b92e481..f7e5b674 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -51,6 +51,7 @@ #include "openssl_compat.h" #include "win32.h" #include "xkey_common.h" +#include "crypto_openssl.h" #ifndef HAVE_XKEY_PROVIDER @@ -505,6 +506,7 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) if (SSL_CTX_use_certificate(ssl_ctx, cert) && SSL_CTX_use_PrivateKey(ssl_ctx, privkey)) { + crypto_print_openssl_errors(M_WARN); ret = 1; } diff --git a/src/openvpn/pkcs11_openssl.c b/src/openvpn/pkcs11_openssl.c index 40080efa..aa0819f9 100644 --- a/src/openvpn/pkcs11_openssl.c +++ b/src/openvpn/pkcs11_openssl.c @@ -302,7 +302,8 @@ xkey_load_from_pkcs11h(pkcs11h_certificate_t certificate, if (!SSL_CTX_use_cert_and_key(ctx->ctx, x509, pkey, NULL, 0)) { - msg(M_WARN, "PKCS#11: Failed to set cert and private key for OpenSSL"); + crypto_print_openssl_errors(M_WARN); + msg(M_FATAL, "PKCS#11: Failed to set cert and private key for OpenSSL"); goto cleanup; } ret = 1; 
@@ -369,7 +370,8 @@ pkcs11_init_tls_session(pkcs11h_certificate_t certificate, if (!SSL_CTX_use_certificate(ssl_ctx->ctx, x509)) { - msg(M_WARN, "PKCS#11: Cannot set certificate for openssl"); + crypto_print_openssl_errors(M_WARN); + msg(M_FATAL, "PKCS#11: Cannot set certificate for openssl"); goto cleanup; } ret = 0; diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 0b310de3..b5cc9a7f 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -857,6 +857,7 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, /* Load Certificate */ if (!SSL_CTX_use_certificate(ctx->ctx, cert)) { + crypto_print_openssl_errors(M_WARN); crypto_msg(M_FATAL, "Cannot use certificate"); } @@ -1007,6 +1008,7 @@ tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, end: if (!ret) { + crypto_print_openssl_errors(M_WARN); if (cert_file_inline) { crypto_msg(M_FATAL, "Cannot load inline certificate file"); diff --git a/tests/unit_tests/openvpn/test_cryptoapi.c b/tests/unit_tests/openvpn/test_cryptoapi.c index 008f41c0..d90bfc35 100644 --- a/tests/unit_tests/openvpn/test_cryptoapi.c +++ b/tests/unit_tests/openvpn/test_cryptoapi.c @@ -58,6 +58,17 @@ management_query_pk_sig(struct management *man, const char *b64_data, return NULL; } +/* replacement for crypto_print_openssl_errors() */ +void +crypto_print_openssl_errors(const unsigned int flags) +{ + unsigned long e; + while ((e = ERR_get_error())) + { + msg(flags, "OpenSSL error %lu: %s\n", e, ERR_error_string(e, NULL)); + } +} + /* tls_libctx is defined in ssl_openssl.c which we do not want to compile in */ OSSL_LIB_CTX *tls_libctx; diff --git a/tests/unit_tests/openvpn/test_pkcs11.c b/tests/unit_tests/openvpn/test_pkcs11.c index 235cc43f..b6c130ec 100644 --- a/tests/unit_tests/openvpn/test_pkcs11.c +++ b/tests/unit_tests/openvpn/test_pkcs11.c 
@@ -44,6 +44,17 @@ struct management *management; /* global */ +/* replacement for crypto_print_openssl_errors() */ +void +crypto_print_openssl_errors(const unsigned int flags) +{ + unsigned long e; + while ((e = ERR_get_error())) + { + msg(flags, "OpenSSL error %lu: %s\n", e, ERR_error_string(e, NULL)); + } +} + /* stubs for some unused functions instead of pulling in too many dependencies */ int parse_line(const char *line, char **p, const int n, const char *file,
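Review bot: in the cryptoapi.c hunk at SSL_CTX_use_CryptoAPI_certificate(), the new `crypto_print_openssl_errors(M_WARN);` sits inside the `if (SSL_CTX_use_certificate(ssl_ctx, cert) && SSL_CTX_use_PrivateKey(ssl_ctx, privkey))` success branch, right before `ret = 1;`, so it runs only when both calls succeed and nothing is printed when they fail, which is the opposite of what the commit message describes for cryptoapi.c. Move the call to an else branch (or after the if, guarded by `!ret`) so the queue is dumped on the failure path; on the success path it would at most drain stale entries left behind by earlier calls.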
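Review bot: in both pkcs11_openssl.c hunks (xkey_load_from_pkcs11h() and pkcs11_init_tls_session()) the message is raised from M_WARN to M_FATAL while the following `goto cleanup;` is kept. Since M_FATAL terminates the process, that goto and the cleanup label it jumps to are unreachable from this path, and the callers' handling of the failure return value becomes dead code too. Either drop the goto so the abort is obvious to the reader, or keep M_WARN and let the failure propagate as before; the commit message says the intent is to exit promptly, so the former with a one-line comment seems right. Using crypto_msg() here would also match how the ssl_openssl.c hunks in this same patch report the equivalent condition.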
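Review bot: in the two ssl_openssl.c hunks (tls_ctx_load_pkcs12() and the `end:` block of tls_ctx_load_cert_file()) the explicit `crypto_print_openssl_errors(M_WARN);` is placed directly before a `crypto_msg(M_FATAL, ...)` call. If crypto_msg() already prints the error queue before msg() exits, the added line is redundant (harmless, since the queue is empty by then); if msg(M_FATAL) exits before crypto_msg() reaches the queue, the added line is the only thing that makes the OpenSSL reason visible. A short comment stating which case applies would keep the next reader from removing it as a duplicate.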
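Review bot: the replacement crypto_print_openssl_errors() added to test_cryptoapi.c and test_pkcs11.c is identical in both files; a shared test helper would avoid the copy. Two details in that stub: the format string `"OpenSSL error %lu: %s\n"` ends in a newline that none of the other msg() calls in this patch carry, so the stub's log lines will differ from the real ones, and `ERR_error_string(e, NULL)` writes into a static buffer; `ERR_error_string_n(e, buf, sizeof(buf))` with a local buffer is the re-entrant form and avoids that.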