From patchwork Sun Mar 4 00:17:35 2018
X-Patchwork-Submitter: Steffan Karger
X-Patchwork-Id: 259
From: Steffan Karger
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 4 Mar 2018 12:17:35 +0100
Message-Id: <1520162255-29737-1-git-send-email-steffan@karger.me>
Subject: [Openvpn-devel] [PATCH] Improve management-external-key/cert error handling

Check the return values of management_query_cert() and
tls_ctx_use_external_private_key(), and error out with a more descriptive
error message. To do so, we make the openssl-backed implementation of
tls_ctx_use_external_private_key() not throw a fatal error anymore.

(And fix line wrapping while touching this code.)

Signed-off-by: Steffan Karger
---
 src/openvpn/ssl.c         | 29 +++++++++++++++++++++--------
 src/openvpn/ssl_openssl.c |  2 +-
 2 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 79b985e..25a7085 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -660,18 +660,31 @@ init_ssl(const struct options *options, struct tls_root_ctx *new_ctx) else if ((options->management_flags & MF_EXTERNAL_KEY) && (options->cert_file || options->management_flags & MF_EXTERNAL_CERT)) { - if (options->cert_file) + if (options->cert_file + && 0 != tls_ctx_use_external_private_key(new_ctx, + options->cert_file, + options->cert_file_inline)) { - tls_ctx_use_external_private_key(new_ctx, options->cert_file, - options->cert_file_inline); + msg(M_WARN, "Failed to initialize management-external-key"); + goto err; } else { - char *external_certificate = management_query_cert(management, - options->management_certificate); - tls_ctx_use_external_private_key(new_ctx, external_certificate, - true); - free(external_certificate); + char *external_cert = management_query_cert( + management, options->management_certificate); + + if (!external_cert) + { + msg(M_FATAL, "Failed to initialize management-external-cert"); + } + + if (0 != tls_ctx_use_external_private_key(new_ctx, external_cert, + true)) + { + msg(M_FATAL, "Failed to initialize management-external-key"); + } + + free(external_cert); } } #endif diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 66d98c5..87f6768 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1327,7 +1327,7 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx, return 0; err: - crypto_msg(M_FATAL, "Cannot enable SSL external private key capability"); + crypto_msg(M_WARN, "Cannot enable SSL external private key capability"); return 1; }
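Review bot: The ssl.c hunk has a logic error in the cert_file branch: the new condition `if (options->cert_file && 0 != tls_ctx_use_external_private_key(new_ctx, options->cert_file, options->cert_file_inline))` is false when cert_file is set and the key loads successfully, so control falls into the `else` branch and calls management_query_cert() anyway, loading the management-supplied certificate on top of the file-based one or dying with "Failed to initialize management-external-cert" when the management interface returns none. Nest the check instead: `if (options->cert_file) { if (0 != tls_ctx_use_external_private_key(...)) { msg(M_WARN, "Failed to initialize management-external-key"); goto err; } } else { ... }`. The two branches also disagree on severity: the file branch warns and jumps to err, while the management branch uses msg(M_FATAL, ...) twice; using M_WARN plus goto err in both keeps the caller's error path usable and makes the free(external_cert) after the second check reachable on failure, which it is not today.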
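Review bot: In the ssl_openssl.c hunk, changing crypto_msg(M_FATAL, ...) to crypto_msg(M_WARN, ...) at the err label turns a previously non-returning failure into `return 1`, so every caller of tls_ctx_use_external_private_key() now has to check the return value; the diffstat shows ssl.c as the only updated caller, so please confirm no other call site exists, and update the comment on the function's declaration to document the contract the new caller relies on (0 on success, nonzero on failure). If the non-OpenSSL backend implementation of this function keeps its fatal behaviour, the commit message should say so, since the error-handling contract would then differ between backends.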