From patchwork Fri May 19 13:23:09 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 3232 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7300:7b9a:b0:c3:1364:a2a2 with SMTP id j26csp1095904dyk; Fri, 19 May 2023 06:23:57 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ4Gl1bS4iGb1EjZYsnS9AZzlacyGx94vRH1fDg0HcqM1eWL8yK2FwXYA6aPTPjz1JU7Lz61 X-Received: by 2002:a92:6b12:0:b0:338:1e73:ca0 with SMTP id g18-20020a926b12000000b003381e730ca0mr1095902ilc.11.1684502636981; Fri, 19 May 2023 06:23:56 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1684502636; cv=none; d=google.com; s=arc-20160816; b=uw9IkyFluFcIj2dIx16pObiM1QtzRbejoCrckl3i9y4YvcOtKipukkQEpaTIVy41g8 Qvo8HVlVYnWiy+X7ro2ovatTAAMevhV9+mLgePmsrigShJ2w3detDMvaiazwaixC6fSb SvMX/dBbOrUvDOrQ5t3Okqo1bX7rbpFy9bcW3RkGQvgbW1D8BuYWYyL+8WAcBh16Knrf kMInbxANAnfbZt8eXLwJ+jHGBNOe9McKJpwdgcUFn0kegxguUxy+570IH9+Wd6Z4LQH5 u7FBTUlcVB9s7ONWbwW24d+klOOV3bhc0czC9BhzN43fCrSmYAYlODG2c+oV9RyoMd9H 4Kmg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:message-id:date:to:from:dkim-signature:dkim-signature; bh=9/O88Bh+ngnCXB7HCBhzWFx4ynVa+u9loOXDBPjJevQ=; b=GDs46aplK6SBmVU3vVyO0EyJ4LFmhDz4LkaaSweNJRDhOdoEz1E1mlVNNjIO5KJBPS G0AzJLkrFepLGBIg2XPFfMJ5VShprHbc4ggba/smpLdXdMG4DcGULXTs1gKRZWJnWfmX kzMBMwD6cCYROys4oFwBuizT8zkjMc4H9VfeGsn3WQ/QNcKPo5ESZTOrdVH/GFd199ZF H8Y/ykyQylTKCyEmpgpUJx6DAPEMaQT5i3cXyyn/kk13lnPFbHUPI4dI9w9Lq4kTujN/ yV9A9JBqKN+0YMDbuwnENfAFYae2Cyb4VOLPYHxrr6O0eD2b+KPGU+K/0rjZlnMNintx 8fhQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=Xuu33HoD; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=dIV+zlzf; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id d5-20020a92d5c5000000b0032aa14a2d15si1803149ilq.194.2023.05.19.06.23.56 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 19 May 2023 06:23:56 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=Xuu33HoD; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=dIV+zlzf; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1q004u-0004ks-9V; Fri, 19 May 2023 13:23:29 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1q004s-0004kb-LM for openvpn-devel@lists.sourceforge.net; Fri, 19 May 2023 13:23:27 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=7P9LGwEgXQ/jWkrmKx2Q6YUuqZk6gMTMpy0GHbFhJWg=; b=Xuu33HoDMuMijbuzjEGv4tlWuc uTPBkp3H6A3dPVFUS2VaT+BvCGyWpdHJfKza2/B2+AIGuJjNQFUi9ZT+ukPRdFBsYxtZCfB1TLJOn fv4+IPvDNunWmy+sS5UPXTywvSdsfrHWkSqoXVIoXpzzFUHSV7uodRfTrVMM0oGWLFWU=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:To:From: Sender:Reply-To:Cc:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=7P9LGwEgXQ/jWkrmKx2Q6YUuqZk6gMTMpy0GHbFhJWg=; b=d IV+zlzfQm6Iq4yCWTc9A1JR3TfgFpFYkBmeg9BrI1e5A47ZDcLrIobVppyjbeDG1YIWjf6gFfEWZr eMfOnnFt0yapv/RUDxQVr+bJrACi0lUD1FK1KZ245e+GXs+FRS/zipcLibygat9u1tbi1IeU/CY7c GMSYnnESM5d/ZZ4Y=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1q004o-00DO17-47 for openvpn-devel@lists.sourceforge.net; Fri, 19 May 2023 13:23:27 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD)) (envelope-from ) id 1q004c-000MXu-NF for openvpn-devel@lists.sourceforge.net; Fri, 19 May 2023 15:23:10 +0200 Received: (nullmailer pid 2502526 invoked by uid 10006); Fri, 19 May 2023 13:23:10 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Fri, 19 May 2023 15:23:09 +0200 Message-Id: <20230519132310.2502480-1-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Spam-Score: 0.2 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: This reverts commit 423ced962db3129b4ed551c489624faba4340652, which has Jason A. Donenfeld as author. Jason has expressed that he does not want to be bothered with the license change of OpenVPN and unfortunately that leaves us no alternative other than to remove his contribution from OpenVPN in order [...] Content analysis details: (0.2 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 SPF_NONE SPF: sender does not publish an SPF Record -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Headers-End: 1q004o-00DO17-47 Subject: [Openvpn-devel] [PATCH 1/2] Remove contribution from Jason A. Donenfeld X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1766329036664929122?= X-GMAIL-MSGID: =?utf-8?q?1766329036664929122?= This reverts commit 423ced962db3129b4ed551c489624faba4340652, which has Jason A. Donenfeld as author. Jason has expressed that he does not want to be bothered with the license change of OpenVPN and unfortunately that leaves us no alternative other than to remove his contribution from OpenVPN in order to be able to go forward with the license change. Change-Id: I8142753928498169032450c56d0497a5042bdc9b Signed-off-by: Arne Schwabe --- src/openvpn/init.c | 1 - src/openvpn/options.c | 26 +++++++++++++------------- src/openvpn/options.h | 1 - src/openvpn/ssl_common.h | 1 - src/openvpn/ssl_verify_mbedtls.c | 16 ---------------- src/openvpn/ssl_verify_openssl.c | 2 +- 6 files changed, 14 insertions(+), 33 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index d358ad003..c023b33c6 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3347,7 +3347,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.verify_hash = options->verify_hash; to.verify_hash_algo = options->verify_hash_algo; to.verify_hash_depth = options->verify_hash_depth; - to.verify_hash_no_ca = options->verify_hash_no_ca; #ifdef ENABLE_X509ALTUSERNAME memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field)); #else diff --git a/src/openvpn/options.c b/src/openvpn/options.c index e4c596b89..fe9285384 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2991,11 +2991,21 @@ options_postprocess_verify_ce(const struct options *options, else { #ifdef ENABLE_CRYPTO_MBEDTLS + if (!(options->ca_file)) + { + msg(M_USAGE, "You must define CA file (--ca)"); + } + if (options->ca_path) { msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN."); } -#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */ +#else /* ifdef ENABLE_CRYPTO_MBEDTLS */ + if ((!(options->ca_file)) && (!(options->ca_path))) + { + msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)"); + } +#endif if (pull) { @@ -3727,13 +3737,6 @@ options_postprocess_mutate(struct options *o, struct env_set *es) options_postprocess_http_proxy_override(o); } #endif - if (!o->ca_file && !o->ca_path && o->verify_hash - && o->verify_hash_depth == 0) - { - msg(M_INFO, "Using certificate fingerprint to verify peer (no CA " - "option set). "); - o->verify_hash_no_ca = true; - } if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP) { @@ -4029,11 +4032,8 @@ options_postprocess_filechecks(struct options *options) errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE, options->dh_file, R_OK, "--dh"); - if (!options->verify_hash_no_ca) - { - errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE, - options->ca_file, R_OK, "--ca"); - } + errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE, + options->ca_file, R_OK, "--ca"); errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK, "--capath"); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index f5890b90f..95f1158a4 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -604,7 +604,6 @@ struct options struct verify_hash_list *verify_hash; hash_algo_type verify_hash_algo; int verify_hash_depth; - bool verify_hash_no_ca; unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */ #ifdef ENABLE_PKCS11 diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 27b029479..c0b3caa71 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -345,7 +345,6 @@ struct tls_options const char *remote_cert_eku; struct verify_hash_list *verify_hash; int verify_hash_depth; - bool verify_hash_no_ca; hash_algo_type verify_hash_algo; #ifdef ENABLE_X509ALTUSERNAME char *x509_username_field[MAX_PARMS]; diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index e3437f740..c9ef7a171 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -62,22 +62,6 @@ verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth, struct buffer cert_fingerprint = x509_get_sha256_fingerprint(cert, &gc); cert_hash_remember(session, cert_depth, &cert_fingerprint); - if (session->opt->verify_hash_no_ca) - { - /* - * If we decide to verify the peer certificate based on the fingerprint - * we ignore wrong dates and the certificate not being trusted. - * Any other problem with the certificate (wrong key, bad cert,...) - * will still trigger an error. - * Clearing these flags relies on verify_cert will later rejecting a - * certificate that has no matching fingerprint. - */ - uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED - | MBEDTLS_X509_BADCERT_EXPIRED - | MBEDTLS_X509_BADCERT_FUTURE; - *flags = *flags & ~flags_ignore; - } - /* did peer present cert which was signed by our root cert? */ if (*flags != 0) { diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index e24ce4e4a..ac36f09db 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -67,7 +67,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) cert_hash_remember(session, X509_STORE_CTX_get_error_depth(ctx), &cert_hash); /* did peer present cert which was signed by our root cert? */ - if (!preverify_ok && !session->opt->verify_hash_no_ca) + if (!preverify_ok) { /* get the X509 name */ char *subject = x509_get_subject(current_cert, &gc); From patchwork Fri May 19 13:23:10 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 3233 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7300:7b9a:b0:c3:1364:a2a2 with SMTP id j26csp1096163dyk; Fri, 19 May 2023 06:24:24 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ6BQNni9zhK1MC5v7qs4UDbraBmggIgduaIZ+HwaIUD59TrKuJ74xXJL3LnzOqDM5TLnu9W X-Received: by 2002:a92:c689:0:b0:337:de0c:9c89 with SMTP id o9-20020a92c689000000b00337de0c9c89mr1025327ilg.28.1684502663780; Fri, 19 May 2023 06:24:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1684502663; cv=none; d=google.com; s=arc-20160816; b=Q/2An0AdE9YaPEYcBVH4jHyzNpm3yi0ZRLrWe36KDTruto/dhEmo9Zx1odYelkUl9k 6Xtka5gjPLzCbFCHRYqs0t4NCv6NAZFRdogAGIvbv1nFUzVPPdkbU6/dDU7wa5ZZJWkr NZxvwRx4Wb+vIT8De+OF0EKQxk7MkvI+5ka4CtFh/E/gakoz0IZ6VwTt8V6Tpv7aiiuW rFwQocKwsu6cb9U19KdQIKTNITgyZRTKTeCXvKNLAaJeNTB/pKlgizG6ZsUZ+ScKineu 69htAkR+YrOTNhhZJxseYT7XlK11L4ij10JOG0UYLsRsDKyzeQ/qWFIfAYu1C37uf5Nq sixA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature; bh=+6pibzQnv3U+r0qMOPJeScJdKHx9lZ8G9qQURH71Xqs=; b=nf6y582kfiLB2U6Pno8PmyK45AuB0l1OW/emZeh6pwq1hZ1ZPE9Msl+LKpHTdyRQrg U+98G77SDNt6RPqgOb243KSkkjK5rOp/une5z6WZ/07GskA6XsxXpoTn10VcgOWn0waA H3bauApZC7TuCOUKD4ZsgimU72ybx1E8FJEEF3PfZ7N+BAFZsJ1Rt1iePaoslkGotCzk pYGgkY7v/ir5pZ3ERG7Wj6YE7Kw/l7j4K3hNLGa8zqpojEZrcAATHbTf++5OgVSbrpn5 9ZtNkrO5Wte5dpnrzOgh0Apd3f5D9SZShcPVraQKxM15+MH3LCxnaui4QwhxMpsFaKLA XABg== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=Ir93To9a; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=OqBkVlmL; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id h8-20020a92c088000000b00330f34acbfbsi1854438ile.47.2023.05.19.06.24.23 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 19 May 2023 06:24:23 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=Ir93To9a; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=OqBkVlmL; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1q004w-0003aT-69; Fri, 19 May 2023 13:23:30 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1q004t-0003aN-KI for openvpn-devel@lists.sourceforge.net; Fri, 19 May 2023 13:23:27 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=GHTw0OD66oTyH6UlAhg8Yx0n/orPYHOik0xEGFtRqUo=; b=Ir93To9arZeZp53snFCumYNsHy P0bJVDugH0zwKjPu2G+mbDwF5pWwFaJ9Kyqt9tqRVdPJ2pxZJb7roMal0jExxjj0UcMRiDR1K1Yjh 4PU29Qn2gwjK2/yiuIpn0w5wcD+rTX4BhBCcYVLqMLUBmu43MziI5eOP6YeVN+55fdA0=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=GHTw0OD66oTyH6UlAhg8Yx0n/orPYHOik0xEGFtRqUo=; b=OqBkVlmLQEwGWkhQ3vwmHtCfBX ImFvO+0jy/ugWAYFS5dfV4RCTE20OlwRSa4bWg/waWfY4JfyKYaf31SPuZziNX5JfvkFZqTdZVC/K abVmdKSsorXhPEc3Vh5SedM+G9oCZfU1p+Ka5+iQYr4ZqUZvLx5a+nmeL43xnpB+EDoE=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1q004o-0007Wt-Jm for openvpn-devel@lists.sourceforge.net; Fri, 19 May 2023 13:23:27 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD)) (envelope-from ) id 1q004c-000MXw-Nx for openvpn-devel@lists.sourceforge.net; Fri, 19 May 2023 15:23:10 +0200 Received: (nullmailer pid 2502529 invoked by uid 10006); Fri, 19 May 2023 13:23:10 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Fri, 19 May 2023 15:23:10 +0200 Message-Id: <20230519132310.2502480-2-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20230519132310.2502480-1-arne@rfc2549.org> References: <20230519132310.2502480-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Score: 0.2 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: This is implements --peer-fingerprint command to support OpenVPN authentication without involving a PKI. The current implementation in OpenVPN for peer fingerprint has been already extensively rewritten from the original submission from Jason. The commit preserved the original author since it was based o [...] Content analysis details: (0.2 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 SPF_NONE SPF: sender does not publish an SPF Record -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Headers-End: 1q004o-0007Wt-Jm Subject: [Openvpn-devel] [PATCH 2/2] Implement using --peer-fingerprint without CA certificates X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1766329065462199516?= X-GMAIL-MSGID: =?utf-8?q?1766329065462199516?= This is implements --peer-fingerprint command to support OpenVPN authentication without involving a PKI. The current implementation in OpenVPN for peer fingerprint has been already extensively rewritten from the original submission from Jason. The commit preserved the original author since it was based on Jason code/idea. The code uses two commits to prepare the --peer-fingerprint solution as which choose to use a simple to use --peer-fingerprint directive instead of using using a --tls-verify script like the v1 of the patch proposed. The two commit preparing this are: - Extend verify-hash to allow multiple hashes - Implement peer-fingerprint to check fingerprint of peer certificate This perparing patches make this actual patch quite short. There are some lines in this patch that bear some similarity to the ones like if (!preverify_ok && !session->opt->verify_hash_no_ca) vs if (!preverify_ok && !session->opt->ca_file_none) But these similarities are one line fragments and dictated by the surrounding style and program flow, so even a complete black box implementation will likely end up with the same lines. Patch V2: Changes in V2 (by Arne Schwabe): - Only check peer certificates, not all cert levels, if you need multiple levels of certificate you should use a real CA - Use peer-fingerprint instead tls-verify on server side in example. - rename variable ca_file_none to verify_hash_no_ca - do no require --ca none but allow --ca simply to be absent when --peer-fingprint is present - adjust warnings/errors messages to also point to peer-fingerprint as valid verification method. - Fix mbed TLS version of not requiring CA not working Patch v3: Fix minor style. Remove unessary check of verify_hash_no_ca in ssl.c. Patch v4: remove the last parts of Jason's original patch. Change-Id: Ie74c3d606c5429455c293c367462244566a936e3 Signed-off-by: Arne Schwabe --- src/openvpn/init.c | 1 + src/openvpn/options.c | 26 +++++++++++++------------- src/openvpn/options.h | 1 + src/openvpn/ssl_common.h | 1 + src/openvpn/ssl_verify_mbedtls.c | 16 ++++++++++++++++ src/openvpn/ssl_verify_openssl.c | 2 +- 6 files changed, 33 insertions(+), 14 deletions(-) diff --git a/src/openvpn/init.c b/src/openvpn/init.c index c023b33c6..d358ad003 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3347,6 +3347,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.verify_hash = options->verify_hash; to.verify_hash_algo = options->verify_hash_algo; to.verify_hash_depth = options->verify_hash_depth; + to.verify_hash_no_ca = options->verify_hash_no_ca; #ifdef ENABLE_X509ALTUSERNAME memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field)); #else diff --git a/src/openvpn/options.c b/src/openvpn/options.c index fe9285384..e4c596b89 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2991,21 +2991,11 @@ options_postprocess_verify_ce(const struct options *options, else { #ifdef ENABLE_CRYPTO_MBEDTLS - if (!(options->ca_file)) - { - msg(M_USAGE, "You must define CA file (--ca)"); - } - if (options->ca_path) { msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN."); } -#else /* ifdef ENABLE_CRYPTO_MBEDTLS */ - if ((!(options->ca_file)) && (!(options->ca_path))) - { - msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)"); - } -#endif +#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */ if (pull) { @@ -3737,6 +3727,13 @@ options_postprocess_mutate(struct options *o, struct env_set *es) options_postprocess_http_proxy_override(o); } #endif + if (!o->ca_file && !o->ca_path && o->verify_hash + && o->verify_hash_depth == 0) + { + msg(M_INFO, "Using certificate fingerprint to verify peer (no CA " + "option set). "); + o->verify_hash_no_ca = true; + } if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP) { @@ -4032,8 +4029,11 @@ options_postprocess_filechecks(struct options *options) errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE, options->dh_file, R_OK, "--dh"); - errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE, - options->ca_file, R_OK, "--ca"); + if (!options->verify_hash_no_ca) + { + errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE, + options->ca_file, R_OK, "--ca"); + } errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK, "--capath"); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 95f1158a4..f5890b90f 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -604,6 +604,7 @@ struct options struct verify_hash_list *verify_hash; hash_algo_type verify_hash_algo; int verify_hash_depth; + bool verify_hash_no_ca; unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */ #ifdef ENABLE_PKCS11 diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index c0b3caa71..27b029479 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -345,6 +345,7 @@ struct tls_options const char *remote_cert_eku; struct verify_hash_list *verify_hash; int verify_hash_depth; + bool verify_hash_no_ca; hash_algo_type verify_hash_algo; #ifdef ENABLE_X509ALTUSERNAME char *x509_username_field[MAX_PARMS]; diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index c9ef7a171..e3437f740 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -62,6 +62,22 @@ verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth, struct buffer cert_fingerprint = x509_get_sha256_fingerprint(cert, &gc); cert_hash_remember(session, cert_depth, &cert_fingerprint); + if (session->opt->verify_hash_no_ca) + { + /* + * If we decide to verify the peer certificate based on the fingerprint + * we ignore wrong dates and the certificate not being trusted. + * Any other problem with the certificate (wrong key, bad cert,...) + * will still trigger an error. + * Clearing these flags relies on verify_cert will later rejecting a + * certificate that has no matching fingerprint. + */ + uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED + | MBEDTLS_X509_BADCERT_EXPIRED + | MBEDTLS_X509_BADCERT_FUTURE; + *flags = *flags & ~flags_ignore; + } + /* did peer present cert which was signed by our root cert? */ if (*flags != 0) { diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index ac36f09db..e24ce4e4a 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -67,7 +67,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) cert_hash_remember(session, X509_STORE_CTX_get_error_depth(ctx), &cert_hash); /* did peer present cert which was signed by our root cert? */ - if (!preverify_ok) + if (!preverify_ok && !session->opt->verify_hash_no_ca) { /* get the X509 name */ char *subject = x509_get_subject(current_cert, &gc);