[Openvpn-devel,v2,0/2] CRL reloading and chroot with mbedtls

Message ID E1lVzhx-0002rG-18@sfs-ml-4.v29.lw.sourceforge.com

Maximilian Fillinger April 12, 2021, 6:45 a.m. UTC
After a lot of discussion on IRC on Friday, here's a new attempt at
fixing the mbedtls certificate reloading issue.

To sum up the background: Compumatica discovered the following pair of
bugs in OpenVPN-NL, which are also present in stock OpenVPN with

1) With mbedtls, if the CRL file can't be accessed during init_ssl(),
   OpenVPN will read the file in tls_process() when it becomes available
   later, but it will not actually use it. This situation is likely to
   happen when running in a chroot because of the second bug.

2) OpenVPN attempts to read the CRL file in init_ssl() before chroot-ing
   and tries to access the path outside of the chroot directory. For
   example, let's say we have the CRL file in "/chroot/crl.pem", and we
   run OpenVPN with "--chroot /chroot/" and "--crl-verify /crl.pem".
   During option validation, OpenVPN will check that "/chroot/crl.pem"
   exists. Pre-chroot, it will try to access "/crl.pem", which fails.
   Post-chroot, it opens the file.

Bug 2) is present in OpenVPN with OpenSSL, too, but OpenSSL actually
uses the reloaded CRL from tls_process(), so the only consequence is a
warning message in the logs.

The first patch fixes bug 2) by prefixing the path to the chroot
directory to the CRL file when we're running init_ssl() pre-chroot.
By itself, this makes it much more difficult to trigger bug 1).

The second patch makes OpenVPN abort in init_ssl() if the CRL file
cannot be accessed. Now that the path is handled correctly pre- and
post-chroot, there is no good reason why accessing it should fail.
This fixes bug 1).

Max Fillinger (2):
  In init_ssl, open the correct CRL path pre-chroot
  Abort if CRL file can't be stat-ed in init_ssl

 src/openvpn/init.c    |  3 ++-
 src/openvpn/misc.c    | 11 +++++++++++
 src/openvpn/misc.h    |  7 +++++++
 src/openvpn/options.c |  8 +-------
 src/openvpn/ssl.c     | 37 ++++++++++++++++++++++++++++++++-----
 src/openvpn/ssl.h     |  2 +-
 6 files changed, 54 insertions(+), 14 deletions(-)
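
The path handling and fail-closed check described in this cover letter, as an added example (not code from the patch series or from OpenVPN). The names `crl_effective_path`, `crl_check` and `demo` are hypothetical, and a temporary directory stands in for the chroot directory, so no `chroot()` call or root privilege is involved.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: CRL path to use at this point in startup. Before
 * chroot() the configured path is prefixed with the chroot directory;
 * afterwards it is already relative to the new root. */
static int crl_effective_path(const char *chroot_dir, bool in_chroot,
                              const char *crl_file, char *out, size_t len)
{
    bool pre = chroot_dir != NULL && !in_chroot;
    const char *dir = pre ? chroot_dir : "";
    size_t dl = strlen(dir);
    while (dl > 0 && dir[dl - 1] == '/') dl--;   /* "/chroot/" -> "/chroot" */
    int n = snprintf(out, len, "%.*s%s%s", (int)dl, dir,
                     (pre && crl_file[0] != '/') ? "/" : "", crl_file);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;  /* reject truncated paths */
}

/* Fail closed: 0 only if the CRL can be stat-ed; the caller aborts otherwise. */
static int crl_check(const char *chroot_dir, bool in_chroot, const char *crl_file)
{
    char path[4096];
    struct stat st;
    if (crl_effective_path(chroot_dir, in_chroot, crl_file, path, sizeof(path)) != 0)
        return -1;
    return stat(path, &st) == 0 ? 0 : -1;
}

/* Constructed scenario: a temp dir plays "/chroot/" and holds an empty crl.pem.
 * Assumes no "/crl.pem" exists on the host. Returns 1 if the prefixed lookup
 * succeeds pre-chroot while the unprefixed one fails. */
static int demo(void)
{
    char dir[] = "/tmp/crl-demo-XXXXXX", file[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(file, sizeof(file), "%s/crl.pem", dir);
    FILE *f = fopen(file, "w");
    if (f == NULL) { rmdir(dir); return -1; }
    fclose(f);
    int fixed = crl_check(dir, false, "/crl.pem");   /* prefixed pre-chroot */
    int buggy = crl_check(NULL, false, "/crl.pem");  /* path used as-is */
    unlink(file); rmdir(dir);
    return fixed == 0 && buggy != 0;
}

int main(void) { return demo() == 1 ? 0 : 1; }
```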