From patchwork Wed Nov 22 14:31:01 2023
X-Patchwork-Submitter: David Sommerseth
X-Patchwork-Id: 3476
From: David Sommerseth
To: openvpn-devel@lists.sourceforge.net
Cc: David Sommerseth
Date: Wed, 22 Nov 2023 15:31:01 +0100
Message-Id: <20231122143101.58483-1-dazo+openvpn@eurephia.org>
Subject: [Openvpn-devel] [PATCH master] Remove --tls-export-cert
From: David Sommerseth As OpenVPN 2.6+ is doing some adoptions to the license text, all prior contributors need to accept this new text. Unfortunately, Mathieu Giannecchini who implemented the --tls-export-cert feature did not respond at all. Without an explicit acceptance we need to remove this feature to avoid potential legal complications. If this is still a wanted feature, it will need to be re-implemented from scratch. Signed-off-by: David Sommerseth Acked-by: Gert Doering --- README.mbedtls | 1 - doc/man-sections/script-options.rst | 4 -- doc/man-sections/tls-options.rst | 7 ---- src/openvpn/init.c | 1 - src/openvpn/options.c | 14 ------- src/openvpn/options.h | 1 - src/openvpn/ssl_common.h | 1 - src/openvpn/ssl_verify.c | 60 +---------------------------- 8 files changed, 2 insertions(+), 87 deletions(-) diff --git a/README.mbedtls b/README.mbedtls index ed9d3691..124eaa2b 100644 --- a/README.mbedtls +++ b/README.mbedtls @@ -38,7 +38,6 @@ in the mbed TLS version of OpenVPN: Plugin/Script features: * X.509 subject line has a different format than the OpenSSL subject line - * X.509 certificate export does not work * X.509 certificate tracking ************************************************************************* diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index 8c0be0cd..38dcfa2b 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst @@ -813,10 +813,6 @@ instances. translations will be recorded rather than their names as denoted on the command line or configuration file. -:code:`peer_cert` - Temporary file name containing the client certificate upon connection. - Useful in conjunction with ``--tls-verify``. - :code:`script_context` Set to "init" or "restart" prior to up/down script execution. For more information, see documentation for ``--up``. diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index 908a42a1..56da886f 100644 
--- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -555,13 +555,6 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa --tls-exit Exit on TLS negotiation failure. ---tls-export-cert directory - Store the certificates the clients use upon connection to this - directory. This will be done before ``--tls-verify`` is called. The - certificates will use a temporary name and will be deleted when the - tls-verify script returns. The file name used for the certificate is - available via the ``peer_cert`` environment variable. - --tls-server Enable TLS and assume server role during TLS handshake. Note that OpenVPN is designed as a peer-to-peer application. The designation of diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 8c707a46..659c79e3 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3323,7 +3323,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) } to.verify_command = options->tls_verify; - to.verify_export_cert = options->tls_export_cert; to.verify_x509_type = (options->verify_x509_type & 0xff); to.verify_x509_name = options->verify_x509_name; to.crl_file = options->crl_file; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 2594b665..1521872d 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -638,9 +638,6 @@ static const char usage_message[] = " tests of certification. cmd should return 0 to allow\n" " TLS handshake to proceed, or 1 to fail. (cmd is\n" " executed as 'cmd certificate_depth subject')\n" - "--tls-export-cert [directory] : Get peer cert in PEM format and store it \n" - " in an openvpn temporary file in [directory]. Peer cert is \n" - " stored before tls-verify script execution and deleted after.\n" "--verify-x509-name name: Accept connections only from a host with X509 subject\n" " DN name. The remote host must also pass all other tests\n" " of verification.\n" 
@@ -1989,7 +1986,6 @@ show_settings(const struct options *o) SHOW_STR(cipher_list_tls13); SHOW_STR(tls_cert_profile); SHOW_STR(tls_verify); - SHOW_STR(tls_export_cert); SHOW_INT(verify_x509_type); SHOW_STR(verify_x509_name); SHOW_STR_INLINE(crl_file); @@ -3052,7 +3048,6 @@ options_postprocess_verify_ce(const struct options *options, MUST_BE_UNDEF(cipher_list_tls13); MUST_BE_UNDEF(tls_cert_profile); MUST_BE_UNDEF(tls_verify); - MUST_BE_UNDEF(tls_export_cert); MUST_BE_UNDEF(verify_x509_name); MUST_BE_UNDEF(tls_timeout); MUST_BE_UNDEF(renegotiate_bytes); @@ -4108,8 +4103,6 @@ options_postprocess_filechecks(struct options *options) R_OK|W_OK, "--status"); /* ** Config related ** */ - errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tls_export_cert, - R_OK|W_OK|X_OK, "--tls-export-cert"); errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->client_config_dir, R_OK|X_OK, "--client-config-dir"); errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tmp_dir, @@ -9005,13 +8998,6 @@ add_option(struct options *options, string_substitute(p[1], ',', ' ', &options->gc), "tls-verify", true); } -#ifndef ENABLE_CRYPTO_MBEDTLS - else if (streq(p[0], "tls-export-cert") && p[1] && !p[2]) - { - VERIFY_PERMISSION(OPT_P_GENERAL); - options->tls_export_cert = p[1]; - } -#endif else if (streq(p[0], "compat-names")) { VERIFY_PERMISSION(OPT_P_GENERAL); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 5a37316b..c4514e17 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -594,7 +594,6 @@ struct options const char *tls_verify; int verify_x509_type; const char *verify_x509_name; - const char *tls_export_cert; const char *crl_file; bool crl_file_inline; diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index d3edc5fa..925660b2 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h 
@@ -334,7 +334,6 @@ struct tls_options /* cert verification parms */ const char *verify_command; - const char *verify_export_cert; int verify_x509_type; const char *verify_x509_name; const char *crl_file; diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index 90416b69..bd7e5125 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c 
@@ -490,81 +490,25 @@ verify_cert_call_plugin(const struct plugin_list *plugins, struct env_set *es, return SUCCESS; } -static const char * -verify_cert_export_cert(openvpn_x509_cert_t *peercert, const char *tmp_dir, struct gc_arena *gc) -{ - FILE *peercert_file; - const char *peercert_filename = ""; - - /* create tmp file to store peer cert */ - if (!tmp_dir - || !(peercert_filename = platform_create_temp_file(tmp_dir, "pcf", gc))) - { - msg(M_NONFATAL, "Failed to create peer cert file"); - return NULL; - } - - /* write peer-cert in tmp-file */ - peercert_file = fopen(peercert_filename, "w+"); - if (!peercert_file) - { - msg(M_NONFATAL|M_ERRNO, "Failed to open temporary file: %s", - peercert_filename); - return NULL; - } - - if (SUCCESS != x509_write_pem(peercert_file, peercert)) - { - msg(M_NONFATAL, "Error writing PEM file containing certificate"); - (void) platform_unlink(peercert_filename); - peercert_filename = NULL; - } - - fclose(peercert_file); - return peercert_filename; -} - - /* * run --tls-verify script */ static result_t verify_cert_call_command(const char *verify_command, struct env_set *es, - int cert_depth, openvpn_x509_cert_t *cert, char *subject, const char *verify_export_cert) + int cert_depth, openvpn_x509_cert_t *cert, char *subject) { - const char *tmp_file = NULL; int ret; struct gc_arena gc = gc_new(); struct argv argv = argv_new(); setenv_str(es, "script_type", "tls-verify"); - if (verify_export_cert) - { - tmp_file = verify_cert_export_cert(cert, verify_export_cert, &gc); - if (!tmp_file) - { - ret = false; - goto cleanup; - } - setenv_str(es, "peer_cert", tmp_file); - } - argv_parse_cmd(&argv, verify_command); argv_printf_cat(&argv, "%d %s", cert_depth, subject); argv_msg_prefix(D_TLS_DEBUG, &argv, "TLS: executing verify command"); ret = openvpn_run_script(&argv, es, 0, "--tls-verify script"); - if (verify_export_cert) - { - if (tmp_file) - { - platform_unlink(tmp_file); - } - } - -cleanup: gc_free(&gc); argv_free(&argv); 
@@ -783,7 +727,7 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep /* run --tls-verify script */ if (opt->verify_command && SUCCESS != verify_cert_call_command(opt->verify_command, - opt->es, cert_depth, cert, subject, opt->verify_export_cert)) + opt->es, cert_depth, cert, subject)) { goto cleanup; }
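Review bot: the tls-options.rst and script-options.rst hunks delete the only user-facing documentation of `--tls-export-cert` and the `peer_cert` environment variable, but the diffstat shows no Changes.rst update, so an administrator whose `--tls-verify` script reads `$peer_cert` gets no release-note pointer explaining why the variable is suddenly unset. Suggest adding a short removed-features entry alongside the man page change, stating that the option was dropped for the licensing reason given in the commit message and that verify scripts must obtain the certificate another way.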
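Review bot: in the add_option hunk of options.c, deleting the `tls-export-cert` branch means a configuration that still carries the option now fails as an unrecognized option, with nothing telling the administrator that the keyword was removed on purpose. Since the commit message leaves the door open to a later re-implementation, a dedicated error for the removed keyword (pointing at the man page or Changes entry) would cut down on support questions compared with the generic parse failure. The `#ifndef ENABLE_CRYPTO_MBEDTLS` guard going away with the branch is consistent with the README.mbedtls hunk, which drops the note that export never worked on mbed TLS builds.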
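Review bot: in the ssl_verify.c hunk for verify_cert_call_command, the `struct gc_arena gc = gc_new();` and `gc_free(&gc);` pair is left behind with no user, because `&gc` was only ever passed to the deleted verify_cert_export_cert(); both lines can go rather than allocating and freeing an empty arena on every certificate verification. With the `cleanup:` label removed, please also confirm no other `goto cleanup` remains in the function, and check whether platform_create_temp_file(), platform_unlink() and x509_write_pem() were the last callers of an include that can now be dropped from this file. A side effect worth stating in the commit message: the removed path wrote each peer certificate to a temporary PEM file under the export directory for the lifetime of the verify script, so removal also retires that on-disk copy and the associated directory permission check in options_postprocess_filechecks.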