[Openvpn-devel,0/1] CRL issues with mbedtls

Message ID E1lUDfv-00042l-GV@sfs-ml-1.v29.lw.sourceforge.com

Max Fillinger April 7, 2021, 9:15 a.m. UTC
This patch fixes the bug I wrote about earlier[0] where the mbedtls
version of OpenVPN might not properly reload a CRL when running in a
chroot. I've submitted a somewhat hacky patch for it[1].

While looking into it further, I also noticed another unrelated problem:

The mbedtls documentation states that the config struct for a
mbedtls_ssl_context is not supposed to be modified after calling
mbedtls_ssl_setup(). However, the config contains a pointer to the CRL,
and we're currently modifying the CRL in place when we reload it.

I figured that by reworking the way CRLs are handled, I could fix the
CRL reloading bug in a less hacky manner and also make sure that we
don't modify the configs of active mbedtls_ssl_contexts.

[0] https://sourceforge.net/p/openvpn/mailman/message/37254045/
[1] https://sourceforge.net/p/openvpn/mailman/message/37254048/

Max Fillinger (1):
  Rework mbedtls CRL handling

 src/openvpn/ssl.c                |   8 +++
 src/openvpn/ssl_mbedtls.c        | 103 ++++++++++++++++++++++++++++++++++-----
 src/openvpn/ssl_mbedtls.h        |  25 +++++++++-
 src/openvpn/ssl_verify_mbedtls.c |   2 +-
 4 files changed, 125 insertions(+), 13 deletions(-)
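The constraint described above (a live mbedtls_ssl_context keeps a pointer into its config, so a CRL reached through that config must not be modified in place after mbedtls_ssl_setup()) is usually solved by replacing the CRL object on reload rather than mutating it, with sessions that were set up earlier holding their own reference to the old object. The following is an added example illustrating that pattern in plain C; it is not code from this patch, from OpenVPN, or from mbedtls, and the struct and function names (crl_blob, ssl_cfg, ssl_session, cfg_reload_crl) and the sample serial numbers are stand-ins chosen for the example.

```c
/* Added example (not OpenVPN or mbedtls code): replace-instead-of-mutate
 * handling for a CRL shared between a config and live sessions.
 * crl_blob, ssl_cfg and ssl_session are stand-in types for this example. */
#include <stdlib.h>
#include <string.h>

/* A parsed CRL, reference counted so a session that was set up with an
 * older CRL keeps a consistent copy until that session is torn down. */
struct crl_blob {
    int refcount;
    int serial;          /* which reload produced this CRL object */
    size_t n_revoked;
    long revoked[8];     /* revoked certificate serial numbers (toy list) */
};

static struct crl_blob *crl_new(int serial, const long *revoked, size_t n)
{
    struct crl_blob *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->refcount = 1;
    c->serial = serial;
    c->n_revoked = n < 8 ? n : 8;
    memcpy(c->revoked, revoked, c->n_revoked * sizeof *revoked);
    return c;
}

static struct crl_blob *crl_ref(struct crl_blob *c) { c->refcount++; return c; }

static void crl_unref(struct crl_blob *c)
{
    if (c && --c->refcount == 0) free(c);
}

static int crl_is_revoked(const struct crl_blob *c, long serial)
{
    for (size_t i = 0; i < c->n_revoked; i++)
        if (c->revoked[i] == serial) return 1;
    return 0;
}

/* The "config": once a session has been set up from it, nothing it points
 * to is modified; a reload swaps in a freshly parsed CRL object instead. */
struct ssl_cfg { struct crl_blob *crl; };

/* A live session takes its own reference to the CRL at setup time. */
struct ssl_session { struct crl_blob *crl; };

static void session_setup(struct ssl_session *s, const struct ssl_cfg *cfg)
{
    s->crl = crl_ref(cfg->crl);
}

static void session_free(struct ssl_session *s)
{
    crl_unref(s->crl);
    s->crl = NULL;
}

/* Reload: build a new CRL object and replace the config's pointer.
 * Sessions set up earlier still hold (and own a reference to) the old one. */
static void cfg_reload_crl(struct ssl_cfg *cfg, int serial,
                           const long *revoked, size_t n)
{
    struct crl_blob *fresh = crl_new(serial, revoked, n);
    struct crl_blob *old = cfg->crl;
    cfg->crl = fresh;
    crl_unref(old);      /* freed only when no session refers to it anymore */
}

/* Walk through one reload with a session open. Returns 0 when the live
 * session still sees the CRL it was set up with, new sessions would see the
 * reloaded CRL, and the old object is kept alive by the session alone. */
static int demo(void)
{
    const long first[]  = {1001, 1002};        /* constructed sample data */
    const long second[] = {1001, 1002, 1003};  /* 1003 newly revoked */
    struct ssl_cfg cfg = { crl_new(1, first, 2) };
    struct ssl_session live;

    session_setup(&live, &cfg);                /* session sees CRL #1 */
    cfg_reload_crl(&cfg, 2, second, 3);        /* config now points at CRL #2 */

    int ok = live.crl->serial == 1 && !crl_is_revoked(live.crl, 1003)
          && cfg.crl->serial == 2 && crl_is_revoked(cfg.crl, 1003)
          && live.crl->refcount == 1;          /* only the session holds #1 */

    session_free(&live);                       /* CRL #1 released here */
    crl_unref(cfg.crl);
    return ok ? 0 : 1;
}

int main(void) { return demo(); }
```

The point of the refcount is that a reload never touches memory a set-up session can still read; the session's view of the CRL only changes when it is torn down and a new one is set up from the current config. Whether a long-lived session should instead pick up the new CRL at its next verification is a separate policy question and not what this example decides.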