From patchwork Wed Nov 22 14:31:10 2023
X-Patchwork-Submitter: David Sommerseth
X-Patchwork-Id: 3477
From: David Sommerseth
To: openvpn-devel@lists.sourceforge.net
Cc: David Sommerseth
Date: Wed, 22 Nov 2023 15:31:10 +0100
Message-Id: <20231122143110.58520-1-dazo+openvpn@eurephia.org>
Subject: [Openvpn-devel] [PATCH release/2.6] Remove --tls-export-cert
From: David Sommerseth As OpenVPN 2.6+ is doing some adoptions to the license text, all prior contributors need to accept this new text. Unfortunately, Mathieu Giannecchini who implemented the --tls-export-cert feature did not respond at all. Without an explicit acceptance we need to remove this feature to avoid potential legal complications. If this is still a wanted feature, it will need to be re-implemented from scratch. Signed-off-by: David Sommerseth --- README.mbedtls | 1 - doc/man-sections/script-options.rst | 4 -- doc/man-sections/tls-options.rst | 7 ---- src/openvpn/init.c | 1 - src/openvpn/options.c | 14 ------- src/openvpn/options.h | 1 - src/openvpn/ssl_common.h | 1 - src/openvpn/ssl_verify.c | 60 +---------------------------- 8 files changed, 2 insertions(+), 87 deletions(-) diff --git a/README.mbedtls b/README.mbedtls index d3466fa9..24a9c224 100644 --- a/README.mbedtls +++ b/README.mbedtls @@ -40,5 +40,4 @@ in the mbed TLS version of OpenVPN: Plugin/Script features: * X.509 subject line has a different format than the OpenSSL subject line - * X.509 certificate export does not work * X.509 certificate tracking diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index 8c0be0cd..38dcfa2b 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst @@ -813,10 +813,6 @@ instances. translations will be recorded rather than their names as denoted on the command line or configuration file. -:code:`peer_cert` - Temporary file name containing the client certificate upon connection. - Useful in conjunction with ``--tls-verify``. - :code:`script_context` Set to "init" or "restart" prior to up/down script execution. For more information, see documentation for ``--up``. diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index d51aff77..45009f7c 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst 
@@ -539,13 +539,6 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa --tls-exit Exit on TLS negotiation failure. ---tls-export-cert directory - Store the certificates the clients use upon connection to this - directory. This will be done before ``--tls-verify`` is called. The - certificates will use a temporary name and will be deleted when the - tls-verify script returns. The file name used for the certificate is - available via the ``peer_cert`` environment variable. - --tls-server Enable TLS and assume server role during TLS handshake. Note that OpenVPN is designed as a peer-to-peer application. The designation of diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 079c4f5e..f4ab1635 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3333,7 +3333,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) } to.verify_command = options->tls_verify; - to.verify_export_cert = options->tls_export_cert; to.verify_x509_type = (options->verify_x509_type & 0xff); to.verify_x509_name = options->verify_x509_name; to.crl_file = options->crl_file; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 7ca77a8e..dc18b332 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -647,9 +647,6 @@ static const char usage_message[] = " tests of certification. cmd should return 0 to allow\n" " TLS handshake to proceed, or 1 to fail. (cmd is\n" " executed as 'cmd certificate_depth subject')\n" - "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n" - " in an openvpn temporary file in [directory]. Peer cert is \n" - " stored before tls-verify script execution and deleted after.\n" "--verify-x509-name name: Accept connections only from a host with X509 subject\n" " DN name. The remote host must also pass all other tests\n" " of verification.\n" 
@@ -1998,7 +1995,6 @@ show_settings(const struct options *o) SHOW_STR(cipher_list_tls13); SHOW_STR(tls_cert_profile); SHOW_STR(tls_verify); - SHOW_STR(tls_export_cert); SHOW_INT(verify_x509_type); SHOW_STR(verify_x509_name); SHOW_STR_INLINE(crl_file); @@ -3061,7 +3057,6 @@ options_postprocess_verify_ce(const struct options *options, MUST_BE_UNDEF(cipher_list_tls13); MUST_BE_UNDEF(tls_cert_profile); MUST_BE_UNDEF(tls_verify); - MUST_BE_UNDEF(tls_export_cert); MUST_BE_UNDEF(verify_x509_name); MUST_BE_UNDEF(tls_timeout); MUST_BE_UNDEF(renegotiate_bytes); @@ -4117,8 +4112,6 @@ options_postprocess_filechecks(struct options *options) R_OK|W_OK, "--status"); /* ** Config related ** */ - errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tls_export_cert, - R_OK|W_OK|X_OK, "--tls-export-cert"); errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir, R_OK|X_OK, "--client-config-dir"); errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir, @@ -9001,13 +8994,6 @@ add_option(struct options *options, string_substitute(p[1], ',', ' ', &options->gc), "tls-verify", true); } -#ifndef ENABLE_CRYPTO_MBEDTLS - else if (streq(p[0], "tls-export-cert") && p[1] && !p[2]) - { - VERIFY_PERMISSION(OPT_P_GENERAL); - options->tls_export_cert = p[1]; - } -#endif else if (streq(p[0], "compat-names")) { VERIFY_PERMISSION(OPT_P_GENERAL); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index f5890b90..8e53f6f7 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -594,7 +594,6 @@ struct options const char *tls_verify; int verify_x509_type; const char *verify_x509_name; - const char *tls_export_cert; const char *crl_file; bool crl_file_inline; diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 27b02947..8d8668a9 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h 
@@ -335,7 +335,6 @@ struct tls_options /* cert verification parms */ const char *verify_command; - const char *verify_export_cert; int verify_x509_type; const char *verify_x509_name; const char *crl_file; diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 90416b69..bd7e5125 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c 
@@ -490,81 +490,25 @@ verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es, return SUCCESS; } -static const char * -verify_cert_export_cert(openvpn_x509_cert_t *peercert, const char *tmp_dir, struct gc_arena *gc) -{ - FILE *peercert_file; - const char *peercert_filename = ""; - - /* create tmp file to store peer cert */ - if (!tmp_dir - || !(peercert_filename = platform_create_temp_file(tmp_dir, "pcf", gc))) - { - msg(M_NONFATAL, "Failed to create peer cert file"); - return NULL; - } - - /* write peer-cert in tmp-file */ - peercert_file = fopen(peercert_filename, "w+"); - if (!peercert_file) - { - msg(M_NONFATAL|M_ERRNO, "Failed to open temporary file: %s", - peercert_filename); - return NULL; - } - - if (SUCCESS != x509_write_pem(peercert_file, peercert)) - { - msg(M_NONFATAL, "Error writing PEM file containing certificate"); - (void) platform_unlink(peercert_filename); - peercert_filename = NULL; - } - - fclose(peercert_file); - return peercert_filename; -} - - /* * run --tls-verify script */ static result_t verify_cert_call_command(const char *verify_command, struct env_set *es, - int cert_depth, openvpn_x509_cert_t *cert, char *subject, const char *verify_export_cert) + int cert_depth, openvpn_x509_cert_t *cert, char *subject) { - const char *tmp_file = NULL; int ret; struct gc_arena gc = gc_new(); struct argv argv = argv_new(); setenv_str(es, "script_type", "tls-verify"); - if (verify_export_cert) - { - tmp_file = verify_cert_export_cert(cert, verify_export_cert, &gc); - if (!tmp_file) - { - ret = false; - goto cleanup; - } - setenv_str(es, "peer_cert", tmp_file); - } - argv_parse_cmd(&argv, verify_command); argv_printf_cat(&argv, "%d %s", cert_depth, subject); argv_msg_prefix(D_TLS_DEBUG, &argv, "TLS: executing verify command"); ret = openvpn_run_script(&argv, es, 0, "--tls-verify script"); - if (verify_export_cert) - { - if (tmp_file) - { - platform_unlink(tmp_file); - } - } - -cleanup: gc_free(&gc); argv_free(&argv); 
@@ -783,7 +727,7 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep /* run --tls-verify script */ if (opt->verify_command && SUCCESS != verify_cert_call_command(opt->verify_command, - opt->es, cert_depth, cert, subject, opt->verify_export_cert)) + opt->es, cert_depth, cert, subject)) { goto cleanup; }
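Review bot: in the ssl_verify.c hunk for verify_cert_call_command(), `struct gc_arena gc = gc_new();` and the matching `gc_free(&gc);` survive, but the only consumer of `&gc` was the removed verify_cert_export_cert() call; argv_new(), argv_parse_cmd(), argv_printf_cat() and openvpn_run_script() in the lines that remain never take the arena. Dropping the arena together with the already-removed `cleanup:` label would finish the cleanup this hunk starts and avoid a pointless allocation on every TLS verification.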
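Review bot: in the options.c add_option() hunk, deleting the whole `streq(p[0], "tls-export-cert")` branch means a release/2.6 configuration that still carries `--tls-export-cert` now fails at startup with the generic unrecognised-option error on upgrade. Since this is a stable branch, consider keeping the option name matched where the hunk removes `VERIFY_PERMISSION(OPT_P_GENERAL);` and `options->tls_export_cert = p[1];` and emitting a message that the option has been removed, so operators get an actionable reason rather than a parse failure.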
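Review bot: the script-options.rst and tls-options.rst hunks drop the `peer_cert` environment variable and `--tls-export-cert` from the man page, but the diffstat (8 files changed) touches no Changes.rst, so nothing records the removal for users of the 2.6 series. A Changes.rst entry naming both the option and the `peer_cert` variable, and noting that `--tls-verify` scripts still receive the depth and subject arguments shown in the remaining `argv_printf_cat(&argv, "%d %s", cert_depth, subject);` line, would make the behaviour change discoverable at upgrade time.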