From patchwork Fri Mar 19 03:19:58 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1635 X-Patchwork-Delegate: a@unstable.cc Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director9.mail.ord1d.rsapps.net ([172.28.255.1]) by backend30.mail.ord1d.rsapps.net with LMTP id YHT7EZOzVGC6OQAAIUCqbw (envelope-from ) for ; Fri, 19 Mar 2021 10:22:11 -0400 Received: from proxy8.mail.ord1c.rsapps.net ([172.28.255.1]) by director9.mail.ord1d.rsapps.net with LMTP id uKH4EZOzVGDIIAAAalYnBA (envelope-from ) for ; Fri, 19 Mar 2021 10:22:11 -0400 Received: from smtp22.gate.ord1c ([172.28.255.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy8.mail.ord1c.rsapps.net with LMTPS id aG14EZOzVGCZWQAAHz/atg (envelope-from ) for ; Fri, 19 Mar 2021 10:22:11 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp22.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 7dc74b54-88be-11eb-91ca-a0369f0d84d2-1-1 Received: from [216.105.38.7] ([216.105.38.7:42618] helo=lists.sourceforge.net) by smtp22.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 4C/00-20353-293B4506; Fri, 19 Mar 2021 10:22:10 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.92.3) (envelope-from ) id 1lNFzf-0002uz-53; Fri, 19 Mar 2021 14:20:51 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) (envelope-from ) id 1lNFzK-0002uG-Is for openvpn-devel@lists.sourceforge.net; Fri, 19 Mar 2021 14:20:31 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc: MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=zQ5y2G/fwiZRKp1awwKybvT7GI6XvIcOVMiZvtAvt7U=; b=OoQnJLZ/EBenxSzwHjurHXAP8d 9DUzPHYCWndYANpowfJtvze6/IIERRU53IqywZL1j+Py32x5yTU+7E17Y2voxoHG/my8v1yyzdyng DmzpBlVBMglHfIku/ZNj8Z/52tX2IWAprxr8qHgDBJWgFjSH2N3zMrD5lc910W14ldxs=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:MIME-Version: Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=zQ5y2G/fwiZRKp1awwKybvT7GI6XvIcOVMiZvtAvt7U=; b=ZacdmT76rLu67jolG4+4YUJB8a PLHFx/cQ4We/KnVOmaZniwXvAakvU12iy12yUIWVOtK2bDwlZFXdrgykaKrof9H36KpVGFN18W/C/ 5z3wzf6o3mAtVb+cbKXoG7gKm9DNuvL0GCgSNRRFBcNAxI7UvqxTUVDtVxeQAgZRMXlc=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1lNFyy-0007xB-C8 for openvpn-devel@lists.sourceforge.net; Fri, 19 Mar 2021 14:20:22 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94 (FreeBSD)) (envelope-from ) id 1lNFyr-000Mes-Tr for openvpn-devel@lists.sourceforge.net; Fri, 19 Mar 2021 15:20:01 +0100 Received: (nullmailer pid 2247 invoked by uid 10006); Fri, 19 Mar 2021 14:20:01 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Fri, 19 Mar 2021 15:19:58 +0100 Message-Id: <20210319142001.2201-1-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: rfc2549.org] 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1lNFyy-0007xB-C8 Subject: [Openvpn-devel] [PATCH v2 1/5] Extend verify-hash to allow multiple hashes X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox This patch introduces support for verify-hash inlining. When inlined, this options now allows to specify multiple fingerprints, one per line. Since this is a new syntax, there is no backwards compatibility to take care of, therefore we can drop support for SHA1. Inlined fingerprints are assumed be to SHA-256 only. Also print a warning about SHA1 hash being deprecated to verify certificates as it is not "industry standard" anymore. Patch v2: fix/clarify various comments, fix a few minor problems, allow the option to be specified multiple times and have that added to the list. Signed-off-by: Arne Schwabe --- doc/man-sections/inline-files.rst | 4 +- doc/man-sections/tls-options.rst | 10 +++ src/openvpn/options.c | 107 +++++++++++++++++++++++++++--- src/openvpn/options.h | 10 ++- src/openvpn/ssl_common.h | 2 +- src/openvpn/ssl_verify.c | 17 ++++- 6 files changed, 133 insertions(+), 17 deletions(-) diff --git a/doc/man-sections/inline-files.rst b/doc/man-sections/inline-files.rst index 819bd3c8..303bb3c8 100644 --- a/doc/man-sections/inline-files.rst +++ b/doc/man-sections/inline-files.rst @@ -4,8 +4,8 @@ INLINE FILE SUPPORT OpenVPN allows including files in the main configuration for the ``--ca``, ``--cert``, ``--dh``, ``--extra-certs``, ``--key``, ``--pkcs12``, ``--secret``, ``--crl-verify``, ``--http-proxy-user-pass``, ``--tls-auth``, -``--auth-gen-token-secret``, ``--tls-crypt`` and ``--tls-crypt-v2`` -options. +``--auth-gen-token-secret``, ``--tls-crypt``, ``--tls-crypt-v2`` and +``--verify-hash`` options. Each inline file started by the line ```` diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index e13fb3c8..d8f9800e 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -582,6 +582,16 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa The ``algo`` flag can be either :code:`SHA1` or :code:`SHA256`. If not provided, it defaults to :code:`SHA1`. + This option can also be inlined + :: + + + 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff + 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00 + + +If the option is inlined, ``algo`` is always :code:`SHA256`. + --verify-x509-name args Accept connections only if a host's X.509 name is equal to **name.** The remote host must also pass all other tests of verification. diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 86e78b05..e119e14c 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1078,12 +1078,24 @@ string_substitute(const char *src, int from, int to, struct gc_arena *gc) return ret; } -static uint8_t * +/** + * Parses a hexstring and checks if the string has the correct length. Return + * a verify_hash_list containing the parsed hash string. + * + * @param str String to check/parse + * @param nbytes Number of bytes expected in the hexstr (e.g. 20 for SHA1) + * @param msglevel message level to use when printing warnings/errors + * @param gc The returned object will be allocated in this gc + */ +static struct verify_hash_list * parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_arena *gc) { int i; const char *cp = str; - uint8_t *ret = (uint8_t *) gc_malloc(nbytes, true, gc); + + struct verify_hash_list *ret; + ALLOC_OBJ_CLEAR_GC(ret, struct verify_hash_list, gc); + char term = 1; int byte; char bs[3]; @@ -1102,7 +1114,7 @@ parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_aren { msg(msglevel, "format error in hash fingerprint hex byte: %s", str); } - ret[i] = (uint8_t)byte; + ret->hash[i] = (uint8_t)byte; term = *cp++; if (term != ':' && term != 0) { @@ -1116,10 +1128,55 @@ parse_hash_fingerprint(const char *str, int nbytes, int msglevel, struct gc_aren if (term != 0 || i != nbytes-1) { msg(msglevel, "hash fingerprint is different length than expected (%d bytes): %s", nbytes, str); + return NULL; } return ret; } +/** + * Parses a string consisting of multiple lines of hexstrings and checks if each + * string has the correct length. Empty lines are ignored. Returns + * a linked list of (possibly) multiple verify_hash_list objects. + * + * @param str String to check/parse + * @param nbytes Number of bytes expected in the hexstring (e.g. 20 for SHA1) + * @param msglevel message level to use when printing warnings/errors + * @param gc The returned list items will be allocated in this gc + */ +static struct verify_hash_list * +parse_hash_fingerprint_multiline(const char *str, int nbytes, int msglevel, + struct gc_arena *gc) +{ + struct gc_arena gc_temp = gc_new(); + char *lines = string_alloc(str, &gc_temp); + + struct verify_hash_list *ret = NULL; + + const char *line; + while ((line = strsep(&lines, "\n"))) + { + /* skip empty lines */ + if (strlen(line) == 0) + { + continue; + } + + struct verify_hash_list *hash = parse_hash_fingerprint(line, nbytes, + msglevel, gc); + + if (!hash) + { + gc_free(&gc_temp); + return NULL; + } + + hash->next = ret; + ret = hash; + } + gc_free(&gc_temp); + + return ret; +} #ifdef _WIN32 #ifndef ENABLE_SMALL @@ -8063,22 +8120,50 @@ add_option(struct options *options, } else if (streq(p[0], "verify-hash") && p[1] && !p[3]) { - VERIFY_PERMISSION(OPT_P_GENERAL); + VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); + options->verify_hash_algo = MD_SHA256; + + int digest_len = SHA256_DIGEST_LENGTH; - if (!p[2] || (p[2] && streq(p[2], "SHA1"))) + if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1"))) { - options->verify_hash = parse_hash_fingerprint(p[1], SHA_DIGEST_LENGTH, msglevel, &options->gc); options->verify_hash_algo = MD_SHA1; + msg(M_WARN, "DEPRECATED FEATURE: Usage of SHA1 fingerprints for " + "verify-hash is deprecated. You should switch to SHA256."); + options->verify_hash_algo = MD_SHA1; + digest_len = SHA_DIGEST_LENGTH; + } + else if (p[2] && !streq(p[2], "SHA256")) + { + msg(msglevel, "invalid or unsupported hashing algorithm: %s (only SHA1 and SHA256 are valid)", p[2]); + goto err; + } + + struct verify_hash_list *newlist; + if (is_inline) + { + newlist = parse_hash_fingerprint_multiline(p[1], digest_len, msglevel, + &options->gc); } - else if (p[2] && streq(p[2], "SHA256")) + else { - options->verify_hash = parse_hash_fingerprint(p[1], SHA256_DIGEST_LENGTH, msglevel, &options->gc); - options->verify_hash_algo = MD_SHA256; + newlist = parse_hash_fingerprint(p[1], digest_len, msglevel, + &options->gc); + } + + /* Append the new list to the end of our current list */ + if (!options->verify_hash) + { + options->verify_hash = newlist; } else { - msg(msglevel, "invalid or unsupported hashing algorithm: %s (only SHA1 and SHA256 are valid)", p[2]); - goto err; + struct verify_hash_list *listend = options->verify_hash; + while (listend->next) + { + listend = listend->next; + } + listend->next = newlist; } } #ifdef ENABLE_CRYPTOAPI diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 56228668..a7b3174f 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -191,6 +191,14 @@ enum genkey_type { GENKEY_AUTH_TOKEN }; +struct verify_hash_list +{ + /* We support SHA256 and SHA1 fingerpint. In the case of using the + * deprecated SHA1, only the first 20 bytes of each list item are used */ + uint8_t hash[SHA256_DIGEST_LENGTH]; + struct verify_hash_list *next; +}; + /* Command line options */ struct options { @@ -550,7 +558,7 @@ struct options int ns_cert_type; /* set to 0, NS_CERT_CHECK_SERVER, or NS_CERT_CHECK_CLIENT */ unsigned remote_cert_ku[MAX_PARMS]; const char *remote_cert_eku; - uint8_t *verify_hash; + struct verify_hash_list *verify_hash; hash_algo_type verify_hash_algo; unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */ diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 2e3c98db..f6aaae98 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -283,7 +283,7 @@ struct tls_options int ns_cert_type; unsigned remote_cert_ku[MAX_PARMS]; const char *remote_cert_eku; - uint8_t *verify_hash; + struct verify_hash_list *verify_hash; hash_algo_type verify_hash_algo; #ifdef ENABLE_X509ALTUSERNAME char *x509_username_field[MAX_PARMS]; diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 4b120f7b..001ca82b 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -748,9 +748,22 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep goto cleanup; } - if (memcmp(BPTR(&ca_hash), opt->verify_hash, BLEN(&ca_hash))) + struct verify_hash_list *current_hash = opt->verify_hash; + + while (current_hash) + { + if (memcmp_constant_time(BPTR(&ca_hash), current_hash->hash, + BLEN(&ca_hash)) == 0) + { + hash_matched = true; + break; + } + current_hash = current_hash->next; + } + + if (!current_hash) { - msg(D_TLS_ERRORS, "TLS Error: level-1 certificate hash verification failed"); + msg(D_TLS_ERRORS, "TLS Error: --tls-verify certificate hash verification failed"); goto cleanup; } } From patchwork Fri Mar 19 03:19:59 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1633 X-Patchwork-Delegate: a@unstable.cc Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director7.mail.ord1d.rsapps.net ([172.28.255.1]) by backend30.mail.ord1d.rsapps.net with LMTP id eHjPJkyzVGDoUgAAIUCqbw (envelope-from ) for ; Fri, 19 Mar 2021 10:21:00 -0400 Received: from proxy1.mail.ord1c.rsapps.net ([172.28.255.1]) by director7.mail.ord1d.rsapps.net with LMTP id APmoJkyzVGAcEgAAovjBpQ (envelope-from ) for ; Fri, 19 Mar 2021 10:21:00 -0400 Received: from smtp11.gate.ord1c ([172.28.255.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy1.mail.ord1c.rsapps.net with LMTPS id mAWHJkyzVGASTAAA2VeTtA (envelope-from ) for ; Fri, 19 Mar 2021 10:21:00 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp11.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 53c118bc-88be-11eb-97e8-bc305beffa54-1-1 Received: from [216.105.38.7] ([216.105.38.7:59436] helo=lists.sourceforge.net) by smtp11.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id AC/E7-18211-B43B4506; Fri, 19 Mar 2021 10:21:00 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1lNFz4-00047e-GF; Fri, 19 Mar 2021 14:20:14 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lNFz3-00047R-BI for openvpn-devel@lists.sourceforge.net; Fri, 19 Mar 2021 14:20:13 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=nIpc7yl8pW9LsqkUDhxtRYsp8XMMgh34M4lSQM6R9ww=; b=LDxWzZaXC5Id4M8eD6FdGShz25 c5duiK8BVwGncy0gFeiIzCke3DXWl4fQiit634D1TfqC0lHlpchVMY52uZ+safQ7oYgYUdhCnZV/7 KH6/gg9MWS/4ItNTujVaQtIqUWWvxOuS/Ik49SnR/3fbrXxMm920tLcRvQVzrWlIyEmk=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=nIpc7yl8pW9LsqkUDhxtRYsp8XMMgh34M4lSQM6R9ww=; b=Z6e3+pfL3IH4BQlsvDBuaa8xvS KhyS8lb+Qd3YA7vRy/n1hXIbkDxYhBaK/lfvgmgVYjw5tzdgC7LnB4eBEmmSF4Cd8amarhAM0HY3R xR36VvqDYcM/kqCdENKyJqGHl7xLD6JwG1hKDqkjj+0MlHYSZ/uPlyZKdgLiuaPf9jds=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1lNFyy-001tv1-Gl for openvpn-devel@lists.sourceforge.net; Fri, 19 Mar 2021 14:20:13 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94 (FreeBSD)) (envelope-from ) id 1lNFys-000Mev-3K for openvpn-devel@lists.sourceforge.net; Fri, 19 Mar 2021 15:20:02 +0100 Received: (nullmailer pid 2250 invoked by uid 10006); Fri, 19 Mar 2021 14:20:01 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Fri, 19 Mar 2021 15:19:59 +0100 Message-Id: <20210319142001.2201-2-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210319142001.2201-1-arne@rfc2549.org> References: <20210319142001.2201-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: rfc2549.org] 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1lNFyy-001tv1-Gl Subject: [Openvpn-devel] [PATCH v2 2/5] Implement peer-fingerprint to check fingerprint of peer certificate X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox This option allows to pin one or more more peer certificates. It also prepares for doing TLS authentication without a CA and just self-signed certificates. Patch V2: Allow peer-fingerprint to be specified multiple times to allow multiple peers without needing to use inline syntax. (e.g. on command line). Signed-off-by: Arne Schwabe --- Changes.rst | 9 ++++++- doc/man-sections/inline-files.rst | 4 +-- doc/man-sections/tls-options.rst | 22 +++++++++++++++- src/openvpn/init.c | 1 + src/openvpn/options.c | 43 ++++++++++++++++++++++++------- src/openvpn/options.h | 1 + src/openvpn/ssl_common.h | 1 + src/openvpn/ssl_verify.c | 19 ++++++++------ 8 files changed, 78 insertions(+), 22 deletions(-) diff --git a/Changes.rst b/Changes.rst index d6be1050..ac32de26 100644 --- a/Changes.rst +++ b/Changes.rst @@ -22,13 +22,20 @@ Compatibility with OpenSSL in FIPS mode Deprecated features ------------------- -``inetd`` has been removed +``inetd`` has been removed This was a very limited and not-well-tested way to run OpenVPN, on TCP and TAP mode only. Overview of changes in 2.5 ========================== +New features in 2.5.1 +--------------------- +Certificate pinning/verify peer fingerprint + The ``--peer-fingerprint`` option has been introduced to give users an + easy to use alternative to the ``tls-verify`` for matching the + fingerprint of the peer. The option takes use a number of allowed + SHA256 certificate fingerprints. New features ------------ diff --git a/doc/man-sections/inline-files.rst b/doc/man-sections/inline-files.rst index 303bb3c8..01e4a840 100644 --- a/doc/man-sections/inline-files.rst +++ b/doc/man-sections/inline-files.rst @@ -4,8 +4,8 @@ INLINE FILE SUPPORT OpenVPN allows including files in the main configuration for the ``--ca``, ``--cert``, ``--dh``, ``--extra-certs``, ``--key``, ``--pkcs12``, ``--secret``, ``--crl-verify``, ``--http-proxy-user-pass``, ``--tls-auth``, -``--auth-gen-token-secret``, ``--tls-crypt``, ``--tls-crypt-v2`` and -``--verify-hash`` options. +``--auth-gen-token-secret``, ``--peer-fingerprint``, ``--tls-crypt``, +``--tls-crypt-v2`` and ``--verify-hash`` options. Each inline file started by the line ```` diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index d8f9800e..cfe1ec98 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -271,7 +271,8 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa man-in-the-middle attack where an authorized client attempts to connect to another client by impersonating the server. The attack is easily prevented by having clients verify the server certificate using any one - of ``--remote-cert-tls``, ``--verify-x509-name``, or ``--tls-verify``. + of ``--remote-cert-tls``, ``--verify-x509-name``, ``--peer-fingerprint`` + or ``--tls-verify``. --tls-auth args Add an additional layer of HMAC authentication on top of the TLS control @@ -592,6 +593,25 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa If the option is inlined, ``algo`` is always :code:`SHA256`. +--peer-fingerprint args + Specify a SHA256 fingerprint or list of SHA256 fingerprints to verify + the peer certificate against. The peer certificate must match one of the + fingerprint or certificate verification will fail. The option can also + be inlined + + Valid syntax: + :: + + peer-fingerprint AD:B0:95:D8:09:... + + or inline: + :: + + + 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff + 11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00 + + --verify-x509-name args Accept connections only if a host's X.509 name is equal to **name.** The remote host must also pass all other tests of verification. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index d234729c..731b0cf2 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2927,6 +2927,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.remote_cert_eku = options->remote_cert_eku; to.verify_hash = options->verify_hash; to.verify_hash_algo = options->verify_hash_algo; + to.verify_hash_depth = options->verify_hash_depth; #ifdef ENABLE_X509ALTUSERNAME memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field)); #else diff --git a/src/openvpn/options.c b/src/openvpn/options.c index e119e14c..6b4a2c11 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -8118,25 +8118,47 @@ add_option(struct options *options, options->extra_certs_file = p[1]; options->extra_certs_file_inline = is_inline; } - else if (streq(p[0], "verify-hash") && p[1] && !p[3]) + else if ((streq(p[0], "verify-hash") && p[1] && !p[3]) + || (streq(p[0], "peer-fingerprint") && p[1] && !p[2])) { VERIFY_PERMISSION(OPT_P_GENERAL|OPT_P_INLINE); + + int verify_hash_depth = 0; + if (streq(p[0], "verify-hash")) + { + /* verify level 1 cert, i.e. the CA that signed the leaf cert */ + verify_hash_depth = 1; + } + options->verify_hash_algo = MD_SHA256; int digest_len = SHA256_DIGEST_LENGTH; - if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1"))) + if (options->verify_hash && options->verify_hash_depth != verify_hash_depth) { - options->verify_hash_algo = MD_SHA1; - msg(M_WARN, "DEPRECATED FEATURE: Usage of SHA1 fingerprints for " - "verify-hash is deprecated. You should switch to SHA256."); - options->verify_hash_algo = MD_SHA1; - digest_len = SHA_DIGEST_LENGTH; + msg(msglevel, "ERROR: Setting %s not allowed. Option to verify " + "fingerprint of certificate of peer certificate " + "(--verify-hash or --peer-fingerprint) already set.", + p[0]); + goto err; } - else if (p[2] && !streq(p[2], "SHA256")) + + if (streq(p[0], "verify-hash")) { - msg(msglevel, "invalid or unsupported hashing algorithm: %s (only SHA1 and SHA256 are valid)", p[2]); - goto err; + if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1"))) + { + options->verify_hash_algo = MD_SHA1; + msg(M_WARN, "DEPRECATED FEATURE: Usage of SHA1 fingerprints for " + "verify-hash is deprecated. You should switch to the " + "SHA256."); + options->verify_hash_algo = SHA_DIGEST_LENGTH; + digest_len = SHA_DIGEST_LENGTH; + } + else if (p[2] && !streq(p[2], "SHA256")) + { + msg(msglevel, "invalid or unsupported hashing algorithm: %s (only SHA1 and SHA256 are valid)", p[2]); + goto err; + } } struct verify_hash_list *newlist; @@ -8155,6 +8177,7 @@ add_option(struct options *options, if (!options->verify_hash) { options->verify_hash = newlist; + options->verify_hash_depth = verify_hash_depth; } else { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index a7b3174f..30ec53d6 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -560,6 +560,7 @@ struct options const char *remote_cert_eku; struct verify_hash_list *verify_hash; hash_algo_type verify_hash_algo; + int verify_hash_depth; unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */ #ifdef ENABLE_PKCS11 diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index f6aaae98..2b1b87fb 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -284,6 +284,7 @@ struct tls_options unsigned remote_cert_ku[MAX_PARMS]; const char *remote_cert_eku; struct verify_hash_list *verify_hash; + int verify_hash_depth; hash_algo_type verify_hash_algo; #ifdef ENABLE_X509ALTUSERNAME char *x509_username_field[MAX_PARMS]; diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 001ca82b..6066e75f 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -721,19 +721,18 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep goto cleanup; /* Reject connection */ } - /* verify level 1 cert, i.e. the CA that signed our leaf cert */ - if (cert_depth == 1 && opt->verify_hash) + if (cert_depth == opt->verify_hash_depth && opt->verify_hash) { - struct buffer ca_hash = {0}; + struct buffer cert_fp = {0}; switch (opt->verify_hash_algo) { case MD_SHA1: - ca_hash = x509_get_sha1_fingerprint(cert, &gc); + cert_fp = x509_get_sha1_fingerprint(cert, &gc); break; case MD_SHA256: - ca_hash = x509_get_sha256_fingerprint(cert, &gc); + cert_fp = x509_get_sha256_fingerprint(cert, &gc); break; default: @@ -752,8 +751,8 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep while (current_hash) { - if (memcmp_constant_time(BPTR(&ca_hash), current_hash->hash, - BLEN(&ca_hash)) == 0) + if (memcmp_constant_time(BPTR(&cert_fp), current_hash->hash, + BLEN(&cert_fp)) == 0) { hash_matched = true; break; @@ -763,7 +762,11 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep if (!current_hash) { - msg(D_TLS_ERRORS, "TLS Error: --tls-verify certificate hash verification failed"); + const char *hex_fp = format_hex_ex(BPTR(&cert_fp), BLEN(&cert_fp), + 0, 1, ":", &gc); + msg(D_TLS_ERRORS, "TLS Error: --tls-verify/--peer-fingerprint" + "certificate hash verification failed. (got " + "fingerprint: %s", hex_fp); goto cleanup; } } From patchwork Fri Mar 19 03:20:00 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1634 X-Patchwork-Delegate: a@unstable.cc Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director8.mail.ord1d.rsapps.net ([172.28.255.1]) by backend30.mail.ord1d.rsapps.net with LMTP id IHYhKlezVGABBgAAIUCqbw (envelope-from ) for ; Fri, 19 Mar 2021 10:21:11 -0400 Received: from proxy4.mail.ord1c.rsapps.net ([172.28.255.1]) by director8.mail.ord1d.rsapps.net with LMTP id IBPzKVezVGAHBgAAfY0hYg (envelope-from ) for ; Fri, 19 Mar 2021 10:21:11 -0400 Received: from smtp21.gate.ord1c ([172.28.255.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy4.mail.ord1c.rsapps.net with LMTPS id KBaYKVezVGDgdAAAjcXvpA (envelope-from ) for ; Fri, 19 Mar 2021 10:21:11 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp21.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 59c57550-88be-11eb-a4a3-a0369f0d8808-1-1 Received: from [216.105.38.7] ([216.105.38.7:35674] helo=lists.sourceforge.net) by smtp21.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 4A/F1-01407-653B4506; Fri, 19 Mar 2021 10:21:10 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1lNFzE-0008SB-SQ; Fri, 19 Mar 2021 14:20:24 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lNFzD-0008R5-Lw for openvpn-devel@lists.sourceforge.net; Fri, 19 Mar 2021 14:20:23 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=IdZ7ZhLJcnMu0XaOzl1nvUn0ZM5STvb0tokkmYQR4PE=; b=etVhqtoIUhOLScX8Ld/ctpAgTI G83/j/43TLu+KxFxz0mWYR6cWPYyPs3FEUqocTSBvqM/drsEGB0IhmtZfJMwfSjolkY08NWtK3h6e A/GoGXmGeeJ3JjKWoN4SxBoB5FP0T2YIc52GhzMJG7n3JHyMMdzeUQXOcaQxm2PsX4dc=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=IdZ7ZhLJcnMu0XaOzl1nvUn0ZM5STvb0tokkmYQR4PE=; b=Loz/FTQCZGTintZFLnT5cLcHTm jEg8mDFkwoPnjHhIjYukWt5sldLK+mDUcQcn9Fw3zybwKnqaC27OKZeOyjVGJA0+vX3BwZPx8iRfc YTBhwfwdBvCLo/ZuqW9OZhVEnyYZXeXpw5mt/Xe6XrdIjymAHYFKQ8LJQJuysd/xEp7Y=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1lNFz0-0007xC-VI for openvpn-devel@lists.sourceforge.net; Fri, 19 Mar 2021 14:20:19 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94 (FreeBSD)) (envelope-from ) id 1lNFys-000Mey-58 for openvpn-devel@lists.sourceforge.net; Fri, 19 Mar 2021 15:20:02 +0100 Received: (nullmailer pid 2253 invoked by uid 10006); Fri, 19 Mar 2021 14:20:02 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Fri, 19 Mar 2021 15:20:00 +0100 Message-Id: <20210319142001.2201-3-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210319142001.2201-1-arne@rfc2549.org> References: <20210319142001.2201-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: rfc2549.org] 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1lNFz0-0007xC-VI Subject: [Openvpn-devel] [PATCH v2 3/5] Support fingerprint authentication without CA certificate X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox From: "Jason A. Donenfeld" OpenVPN traditionally works around CAs. However many TLS-based protocols also allow an alternative simpler mode in which rather than verify certificates against CAs, the certificate itself is hashed and compared against a pre-known set of acceptable hashes. This is usually referred to as "fingerprint verification". It's popular across SMTP servers, IRC servers, XMPP servers, and even in the context of HTTP with pinning. * Allow not specifying the --ca parameter, to specify that certificates should not be checked against a CA. I've included some instructions on how to use all of this. Server side: ============ Make self-signed cert: $ openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout serverkey.pem -out servercert.pem -nodes -sha256 -days 3650 -subj '/CN=server' Record our fingerprint in an environment variable for the client to use later: $ server_fingerprint="$(openssl x509 -in servercert.pem -noout -sha256 -fingerprint | sed 's/.*=//;s/\(.*\)/\1/')" Client side: ============ Make self-signed cert: $ openssl req -x509 -newkey ec:<(openssl ecparam -name secp384r1) -keyout clientkey.pem -out clientcert.pem -nodes -sha256 -days 3650 -subj '/CN=client' Record our fingerprint in an environment variable for the server to use later: $ client_fingerprint="$(openssl x509 -in clientcert.pem -noout -sha256 -fingerprint | sed 's/.*=//;s/\(.*\)/\1/')" Start server/client =================== Start openvpn with peer fingerprint verification: $ sudo openvpn --server 10.66.0.0 255.255.255.0 --dev tun --dh none --cert servercert.pem --key serverkey.pem --peer-fingerprint "$client_fingerprint" $ sudo openvpn --client --remote 127.0.0.1 --dev tun --cert clientcert.pem --key clientkey.pem --peer-fingerprint "$server_fingerprint" --nobind Signed-off-by: Jason A. Donenfeld Patch V2: Changes in V2 (by Arne Schwabe): - Only check peer certificates, not all cert levels, if you need multiple levels of certificate you should use a real CA - Use peer-fingerprint instead tls-verify on server side in example. - rename variable ca_file_none to verify_hash_no_ca - do no require --ca none but allow --ca simply to be absent when --peer-fingprint is present - adjust warnings/errors messages to also point to peer-fingerprint as valid verification method. - Fix mbed TLS version of not requiring CA not working Signed-off-by: Arne Schwabe --- src/openvpn/init.c | 2 ++ src/openvpn/options.c | 30 +++++++++++++++++++++++------- src/openvpn/options.h | 1 + src/openvpn/ssl.c | 2 +- src/openvpn/ssl_common.h | 1 + src/openvpn/ssl_verify_mbedtls.c | 17 +++++++++++++++++ src/openvpn/ssl_verify_openssl.c | 2 +- 7 files changed, 46 insertions(+), 9 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 731b0cf2..835621cb 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -2928,6 +2928,8 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.verify_hash = options->verify_hash; to.verify_hash_algo = options->verify_hash_algo; to.verify_hash_depth = options->verify_hash_depth; + to.verify_hash_no_ca = options->verify_hash_no_ca; + #ifdef ENABLE_X509ALTUSERNAME memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field)); #else diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 6b4a2c11..27ed813d 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2712,18 +2712,23 @@ options_postprocess_verify_ce(const struct options *options, else { #ifdef ENABLE_CRYPTO_MBEDTLS - if (!(options->ca_file)) + if (!(options->ca_file || options->verify_hash_no_ca)) { - msg(M_USAGE, "You must define CA file (--ca)"); + msg(M_USAGE, "You must define CA file (--ca) and/or " + "peer fingeprint verification " + "(--peer-fingerprint)"); } if (options->ca_path) { msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN."); } #else /* ifdef ENABLE_CRYPTO_MBEDTLS */ - if ((!(options->ca_file)) && (!(options->ca_path))) + if ((!(options->ca_file)) && (!(options->ca_path)) + && (!(options->verify_hash_no_ca))) { - msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)"); + msg(M_USAGE, "You must define CA file (--ca) or CA path " + "(--capath) and/or peer fingeprint verification " + "(--peer-fingerprint)"); } #endif if (pull) @@ -2742,7 +2747,8 @@ options_postprocess_verify_ce(const struct options *options, #if P2MP if (!options->auth_user_pass_file) #endif - msg(M_USAGE, "No client-side authentication method is specified. You must use either --cert/--key, --pkcs12, or --auth-user-pass"); + msg(M_USAGE, "No client-side authentication method is specified. You must use either --cert/--key," + " --pkcs12, or --auth-user-pass"); } else if (sum == 2) { @@ -3206,6 +3212,13 @@ options_postprocess_mutate(struct options *o) options_postprocess_http_proxy_override(o); } #endif + if (!o->ca_file && !o->ca_path && o->verify_hash + && o->verify_hash_depth == 0) + { + msg(M_INFO, "Using certificate fingerprint to verify peer (no CA " + "option set). "); + o->verify_hash_no_ca = true; + } #if P2MP /* @@ -3441,8 +3454,11 @@ options_postprocess_filechecks(struct options *options) errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE, options->dh_file, R_OK, "--dh"); - errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE, - options->ca_file, R_OK, "--ca"); + if (!options->verify_hash_no_ca) + { + errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE, + options->ca_file, R_OK, "--ca"); + } errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK, "--capath"); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 30ec53d6..c68e89d2 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -561,6 +561,7 @@ struct options struct verify_hash_list *verify_hash; hash_algo_type verify_hash_algo; int verify_hash_depth; + bool verify_hash_no_ca; unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */ #ifdef ENABLE_PKCS11 diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 893e5753..b6bbcc09 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -682,7 +682,7 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx) } #endif - if (options->ca_file || options->ca_path) + if ((!options->verify_hash_no_ca && options->ca_file) || options->ca_path) { tls_ctx_load_ca(new_ctx, options->ca_file, options->ca_file_inline, options->ca_path, options->tls_server); diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 2b1b87fb..4e1ff6c8 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -285,6 +285,7 @@ struct tls_options const char *remote_cert_eku; struct verify_hash_list *verify_hash; int verify_hash_depth; + bool verify_hash_no_ca; hash_algo_type verify_hash_algo; #ifdef ENABLE_X509ALTUSERNAME char *x509_username_field[MAX_PARMS]; diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index 93891038..1ed1e0e2 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -62,6 +62,23 @@ verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth, struct buffer cert_fingerprint = x509_get_sha256_fingerprint(cert, &gc); cert_hash_remember(session, cert_depth, &cert_fingerprint); + + if (session->opt->verify_hash_no_ca) + { + /* + * If we decide to verify the peer certificate based on the fingerprint + * we ignore wrong dates and the certificate not being trusted. + * Any other problem with the certificate (wrong key, bad cert,...) + * will still trigger an error. + * Clearing these flags relies on verify_cert will later rejecting a + * certificate that has no matching fingerprint. + */ + uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED + | MBEDTLS_X509_BADCERT_EXPIRED + | MBEDTLS_X509_BADCERT_FUTURE; + *flags = *flags & ~flags_ignore; + } + /* did peer present cert which was signed by our root cert? */ if (*flags != 0) { diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index d063aeda..8b1f1969 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -67,7 +67,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) cert_hash_remember(session, X509_STORE_CTX_get_error_depth(ctx), &cert_hash); /* did peer present cert which was signed by our root cert? */ - if (!preverify_ok) + if (!preverify_ok && !session->opt->verify_hash_no_ca) { /* get the X509 name */ char *subject = x509_get_subject(current_cert, &gc); From patchwork Fri Mar 19 03:20:01 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 1632 X-Patchwork-Delegate: a@unstable.cc Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director8.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id APc+FUqzVGCLEQAAIUCqbw (envelope-from ) for ; Fri, 19 Mar 2021 10:20:58 -0400 Received: from proxy14.mail.ord1d.rsapps.net ([172.30.191.6]) by director8.mail.ord1d.rsapps.net with LMTP id yMf7FEqzVGB5eAAAfY0hYg (envelope-from ) for ; Fri, 19 Mar 2021 10:20:58 -0400 Received: from smtp27.gate.ord1c ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy14.mail.ord1d.rsapps.net with LMTPS id uJIaLEqzVGDsCgAAtEH5vw (envelope-from ) for ; Fri, 19 Mar 2021 10:20:58 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp27.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 526419e2-88be-11eb-b273-b8ca3a655ab8-1-1 Received: from [216.105.38.7] ([216.105.38.7:59424] helo=lists.sourceforge.net) by smtp27.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 37/37-18431-943B4506; Fri, 19 Mar 2021 10:20:57 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.90_1) (envelope-from ) id 1lNFz4-00047o-LB; Fri, 19 Mar 2021 14:20:14 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lNFz3-00047S-Bb for openvpn-devel@lists.sourceforge.net; Fri, 19 Mar 2021 14:20:13 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=References:In-Reply-To:Message-Id:Date:Subject:To: From:Sender:Reply-To:Cc:MIME-Version:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=7pYeNLxf5itn1MTSKkhujt/6ZORqX8o1AdfeJyp80HE=; b=hryvq3/YxXiRMYdfqE2wlvH7Zc 2x2eof3lRzaFcDYrOaFaZmDKSQhEcgkJ7XFtRIg0m6R1VHLtE3sDDOJ6q5nsNcCho1Y8Y8KvL8z8p xJFx8wQFxsvRFvwVd/5cTbOOYxJ8HoVicCPwsm54aQnotn6rEW9LDN1w/qunLRHqzcss=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=References:In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc :MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=7pYeNLxf5itn1MTSKkhujt/6ZORqX8o1AdfeJyp80HE=; b=aDmEFAjL4eijMv9S3s9p94P3rl ZMFaYFgCoIkcS1qdHwr3SKy3qmzAXZwDH8rfPBvntFy1tZIoKUz8PPwHUKii6wpGUsHFTcAOlrZav vgI4roezuySg9Sezvp3YJtpLwt0yCIm+FmOQqARz+gCSIz8v2IGw3rfE+DLCdoA4yQxM=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.2) id 1lNFyy-001tv2-Gl for openvpn-devel@lists.sourceforge.net; Fri, 19 Mar 2021 14:20:13 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94 (FreeBSD)) (envelope-from ) id 1lNFys-000Mf1-7b for openvpn-devel@lists.sourceforge.net; Fri, 19 Mar 2021 15:20:02 +0100 Received: (nullmailer pid 2256 invoked by uid 10006); Fri, 19 Mar 2021 14:20:02 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Fri, 19 Mar 2021 15:20:01 +0100 Message-Id: <20210319142001.2201-4-arne@rfc2549.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210319142001.2201-1-arne@rfc2549.org> References: <20210319142001.2201-1-arne@rfc2549.org> X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: rfc2549.org] 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record X-Headers-End: 1lNFyy-001tv2-Gl Subject: [Openvpn-devel] [PATCH v2 5/5] Deprecate the --verify-hash option X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Despite trying to figure out with multiple people what the use case for this option is, we could not come up with a good one. Checking that only a specific CA is used can be also done by only using that CA in the --ca directive. Although it feels a bit strange to deprecate the option after improving it with peer-fingerprint patches, all the improvements are needed for --peer-fingerprint and making them specify to --peer-fingerprint would have added more (unecessary) changes. Signed-off-by: Arne Schwabe --- Changes.rst | 3 +++ doc/man-sections/tls-options.rst | 2 +- src/openvpn/options.c | 6 +++--- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/Changes.rst b/Changes.rst index f1674835..732387f2 100644 --- a/Changes.rst +++ b/Changes.rst @@ -26,6 +26,9 @@ Deprecated features This was a very limited and not-well-tested way to run OpenVPN, on TCP and TAP mode only. +``verify-hash`` has been deprecated + This option has very limited usefulness and should be replaced by either + a better ``--ca`` configuration or with a ``--tls-verify`` script. Overview of changes in 2.5 ========================== diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index 8f5e37cb..00ea063a 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -564,7 +564,7 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa :code:`1.2`. --verify-hash args - Specify SHA1 or SHA256 fingerprint for level-1 cert. + **DEPRECATED** Specify SHA1 or SHA256 fingerprint for level-1 cert. Valid syntax: :: diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 27ed813d..1ddcf7bf 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -8142,6 +8142,9 @@ add_option(struct options *options, int verify_hash_depth = 0; if (streq(p[0], "verify-hash")) { + "DEPRECATED OPTION: The option --verify-hash is deprecated. " + "You should switch to the either use the level 1 certificate as " + "--ca option, use --tls-verify or use --peer-fingerprint"; /* verify level 1 cert, i.e. the CA that signed the leaf cert */ verify_hash_depth = 1; } @@ -8164,9 +8167,6 @@ add_option(struct options *options, if ((!p[2] && !is_inline) || (p[2] && streq(p[2], "SHA1"))) { options->verify_hash_algo = MD_SHA1; - msg(M_WARN, "DEPRECATED FEATURE: Usage of SHA1 fingerprints for " - "verify-hash is deprecated. You should switch to the " - "SHA256."); options->verify_hash_algo = SHA_DIGEST_LENGTH; digest_len = SHA_DIGEST_LENGTH; }