From patchwork Tue Jan 2 13:46:40 2024
X-Patchwork-Submitter: "plaisthos (Code Review)"
X-Patchwork-Id: 3546
Delivered-To: patchwork@openvpn.net
From: "plaisthos (Code Review)"
X-Gerrit-PatchSet: 1
Date: Tue, 2 Jan 2024 13:46:40 +0000
To: flichtenheld
Auto-Submitted: auto-generated
X-Gerrit-MessageType: newchange
X-Gerrit-Change-Id: Ic494d43c835220ae71f10e3afbe53db918887370
X-Gerrit-Change-Number: 487
X-Gerrit-Project: openvpn
X-Gerrit-Commit: 675326c46c1f6e5f9bb15300e095159cf2319ea3
MIME-Version: 1.0
User-Agent: Gerrit/3.8.2
Subject: [Openvpn-devel] [M] Change in openvpn[master]: Keep exported certificate files for following calls
Reply-To: arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com
Cc: openvpn-devel

Attention is currently required from: flichtenheld.

Hello flichtenheld,

I'd like you to do a code review. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/487?usp=email

to review the following change.


Change subject: Keep exported certificate files for following calls
......................................................................

Keep exported certificate files for following calls

Since the lifetime of environment variables is quite different, we need
to tie the lifetime of these files to their environment variables which
in turn requires a special function to be called on the removal of these
env variables.

Change-Id: Ic494d43c835220ae71f10e3afbe53db918887370
Signed-off-by: Arne Schwabe
---
M src/openvpn/ssl_verify.c
1 file changed, 31 insertions(+), 37 deletions(-)

  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/87/487/1

diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 35d3377..ff1a932 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -39,6 +39,7 @@ #include "run_command.h" #include "ssl_verify.h" #include "ssl_verify_backend.h" +#include "platform.h" #ifdef ENABLE_CRYPTO_OPENSSL #include "ssl_verify_openssl.h"
@@ -459,53 +460,51 @@ } /** + * Unlinks a file specified by in the env item that has the form + * key=filename. + */ +static void +unlink_file_env(struct env_item *env) +{ + /* values in env are always x=y */ + const char *filename = strchr(env->string, '='); + ASSERT(filename); + + /* Move just past the = */ + filename += 1; + + platform_unlink((const char *) filename); +} + +/** * Exports the certificate in \c peer_cert into the environment and adds * the filname */ static bool -verify_cert_cert_export_env(struct env_set *es, openvpn_x509_cert_t *peer_cert, - int cert_depth, const char *pem_export_fname) +verify_cert_cert_export_env(const struct tls_options *opt, + openvpn_x509_cert_t *peer_cert, int cert_depth) { - char envname[64]; - /* Make copy of the filename to manage that copy by the gc_arena */ - char *pem_export_filename = strdup(pem_export_fname); - - if (!pem_export_filename) - { - return false; - } + struct gc_arena gc = gc_new(); + const char *pem_export_filename = platform_create_temp_file(opt->export_peer_cert_dir, + "pef", &gc); + char envstr[128]; /* export the path to the certificate in pem file format */ - openvpn_snprintf(envname, sizeof(envname), "peer_cert_%d", cert_depth); - setenv_str(es, envname, pem_export_filename); + openvpn_snprintf(envstr, sizeof(envstr), "peer_cert_%d=%s", cert_depth, + pem_export_filename); + setenv_str(opt->es, envstr, pem_export_filename); + env_set_add_specialfree(opt->es, envstr, &unlink_file_env); /* compatibility with older scripts/plugins that expect peer_cert without * suffix */ if (cert_depth == 0) { - setenv_str(es, "peer_cert", pem_export_filename); + setenv_str(opt->es, "peer_cert", pem_export_filename); } return backend_x509_write_pem(peer_cert, pem_export_filename) == SUCCESS; } -static void -verify_cert_cert_delete_env(struct env_set *es, int cert_depth, - const char *pem_export_fname) -{ - char envname[64]; - openvpn_snprintf(envname, sizeof(envname), "peer_cert_%d", cert_depth); - env_set_del(es, 
envname); - - /* compatibility with older scripts/plugins that expect peer_cert without - * suffix */ - if (cert_depth == 0) - { - env_set_del(es, "peer_cert"); - } - unlink(pem_export_fname); -} - /* * call --tls-verify plug-in(s) */ @@ -625,7 +624,6 @@ * them defined */ result_t ret = FAILURE; struct gc_arena gc = gc_new(); - const char *pem_export_fname = NULL; const struct tls_options *opt = session->opt; ASSERT(opt); @@ -758,12 +756,9 @@ if (opt->export_peer_cert_dir) { - pem_export_fname = platform_create_temp_file(opt->export_peer_cert_dir, - "pef", &gc); - if (!pem_export_fname - || !verify_cert_cert_export_env(opt->es, cert, cert_depth, - pem_export_fname)) + + if (!verify_cert_cert_export_env(opt, cert, cert_depth)) { msg(D_TLS_ERRORS, "TLS Error: Failed to export certificate for " "--tls-export-cert in %s", opt->export_peer_cert_dir); @@ -821,7 +816,6 @@ ret = SUCCESS; cleanup: - verify_cert_cert_delete_env(opt->es, cert_depth, pem_export_fname); if (ret != SUCCESS) { tls_clear_error(); /* always? */
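Review bot: in the @@ -459 hunk, the rewritten verify_cert_cert_export_env() drops the NULL check the old caller had (`if (!pem_export_fname || ...)`), so when platform_create_temp_file() fails the NULL filename reaches openvpn_snprintf("%s"), setenv_str() and backend_x509_write_pem(); add `if (!pem_export_filename) { gc_free(&gc); return false; }` directly after the temp-file call. The same function never frees the arena it creates (`struct gc_arena gc = gc_new();` has no matching gc_free(&gc)), so the filename string leaks on every verification; setenv_str() copies its arguments into the env set, so freeing before return is safe. Next, `setenv_str(opt->es, envstr, pem_export_filename);` now passes the complete `peer_cert_%d=%s` string as the variable name, whereas the deleted code passed the bare `peer_cert_%d` name; the result is an item of the form `peer_cert_0=<path>=<path>`. Either pass the bare name or drop this call and let env_set_add_specialfree() add the item. envstr[128] also has to carry the --tls-export-cert directory plus the generated file name, and openvpn_snprintf() truncates silently, so a long directory would export a wrong path and unlink_file_env() would later unlink that wrong path; build the string in the gc arena or size it from the filename. Finally, env_set_add_specialfree() and the callback-taking struct env_item are not part of this diff, so the change does not build on its own; reference the change that introduces them in the commit message, and fix the doc comment typo "specified by in the env item".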
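Review bot: the @@ -758 hunk leaves a stray empty `+` line at the top of the `if (opt->export_peer_cert_dir)` block where the deleted platform_create_temp_file() call stood; remove it. The `|| !pem_export_fname` test deleted here was the only guard against a failed temp-file creation and the new callee does not check for NULL itself, so the "Failed to export certificate" error path is now reached only after the NULL has already been used; keep the guard in the callee.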
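Review bot: in the @@ -821 hunk, removing verify_cert_cert_delete_env() from the cleanup label means the exported PEM file is no longer removed at the end of verify_cert() and lives exactly as long as the `peer_cert_N` env item; the commit message should state which teardown path (the one freeing opt->es) invokes the registered unlink callback, because otherwise aborted or failed verifications leave peer certificate files behind in the --tls-export-cert directory. The compatibility item `peer_cert` is set with a plain setenv_str() and has no callback, so it keeps pointing at a file that is unlinked when `peer_cert_0` is replaced; if that is intended, a comment at the depth-0 branch would help.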