From patchwork Thu Dec 14 11:17:52 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Frank Lichtenheld X-Patchwork-Id: 3528 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7300:8d12:b0:fc:24ac:f0cb with SMTP id i18csp7118556dys; Thu, 14 Dec 2023 03:18:27 -0800 (PST) X-Google-Smtp-Source: AGHT+IGdG15OADDH2FE9fEbdJzxA/gzAc7IVmDHU5HIDgBiTSqzzWkfgztQ0AswNdcNW+zGZF12P X-Received: by 2002:a17:90a:c281:b0:28b:2a0:d154 with SMTP id f1-20020a17090ac28100b0028b02a0d154mr2160904pjt.0.1702552707696; Thu, 14 Dec 2023 03:18:27 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1702552707; cv=none; d=google.com; s=arc-20160816; b=f83IB153hJT8CNvYX/I7hk8l3lozyfKEYOOnb7lasXOLUEouYdJ6lm589S41AQD2xN rGsRxHjWt7icvQYrxowmrKNNyUcqBivFk6t47ACqCl5hCBaVs7xnVgSiPamy6PwiomSD fLlk7AibtBwJ3InDP5z/1a+Bzs1sp+ATsUw6n15+UOKPDWJtU0jXmKav+EsZZILlA9W3 LOV+pbI9ZhMS2S5bIkeMGGCJhlG7bBfT7/aArgK/iLelAt/Q0ZMErpWKBmB47bFTDril cYPDvzWpAV+78v2g9b6cimpgWTGvgVEyQVbk6fjxXcABU4Yr5bD0Ly4ZcLzZKr8+Katt Jdxg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature; bh=K/+Dnw91Zh8T3UaQ0HfsnSNGf6MbLHPYtGF/3h77pdI=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=srH68bcCWdopwLgbwccuxFW23LXSgemGf3CMapp9ktv/O+iaL89rm42kuSUxgzsHaI 0jAkql+fm8shod4lKuidz5iQCtfvd7EX7YV1r6ABh7A6+Y6eL5naVGn43HPMLPRMkUHj 3fAYUP9+PNbXgad1iokFV1m9qis2Jog9TmCbm2SacJSOi9EQpQMfJ03+D2EtF1sxGu96 Dzgnzx08cgEpmlL4gcbZOhFVDYOPIPQbnaJutgM3YZQmXHLo65JA5yd/uwejkpXm6AlQ A8BQBTuPa3Z550OWR4Z30oKhez78SpYjz/b6uFnYYOUaUIKCdzyebUA51AbJogYob6d1 1lqg== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=gS+rMMkg; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=gQqgKNlG; dkim=neutral (body hash did not verify) header.i=@lichtenheld.com header.s=MBO0001 header.b=LOrI5TPx; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id ot4-20020a17090b3b4400b00285c4fd2ff0si11621951pjb.116.2023.12.14.03.18.27 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 14 Dec 2023 03:18:27 -0800 (PST) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=gS+rMMkg; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=gQqgKNlG; dkim=neutral (body hash did not verify) header.i=@lichtenheld.com header.s=MBO0001 header.b=LOrI5TPx; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1rDjjC-0005b2-1U; Thu, 14 Dec 2023 11:18:06 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1rDjj9-0005ao-Gz for openvpn-devel@lists.sourceforge.net; Thu, 14 Dec 2023 11:18:04 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=+28hxbmqbOMxuHhGPE4jzhyQfWLUb56Kao2P4j96p8o=; b=gS+rMMkgQiiH+ePUlgzAC0oHCP Qy+yEyJB4LbREjZXWHJEuq1pRiquf32puTk76dM/D0G6gJSel7hUeDEEIGsPxWfs1U5VEZyFkh64r Z73VEEt7Kbj6pES9JX0ZAW9YTTUEQZsDmG2z6v/aQ4dPKMO07JMFcFIvR+fQ8kRS5DLI=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=+28hxbmqbOMxuHhGPE4jzhyQfWLUb56Kao2P4j96p8o=; b=gQqgKNlG26j6ht1rQ+GJ47RSm4 ojgkDLSdI4YSzBtKymh3bcOZ4tS9E9CHh/YjDXX45GGYFxlbo1+W4Wx1FHErkosN361Cys4UXNG9/ GvfN2Sz1hoNHG8rWV2RuPXC620Kk5NvsHzJMVCAwGkbmo2n7CGD5ACQ/qZ2eTDrIm4MY=; Received: from mout-p-202.mailbox.org ([80.241.56.172]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1rDjj8-000401-2j for openvpn-devel@lists.sourceforge.net; Thu, 14 Dec 2023 11:18:04 +0000 Received: from smtp2.mailbox.org (smtp2.mailbox.org [10.196.197.2]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-202.mailbox.org (Postfix) with ESMTPS id 4SrVFY4s6Kz9sqs; Thu, 14 Dec 2023 12:17:53 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lichtenheld.com; s=MBO0001; t=1702552673; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=+28hxbmqbOMxuHhGPE4jzhyQfWLUb56Kao2P4j96p8o=; b=LOrI5TPx7nlFdl+O/ZdyYx9Ze3V/ZDaK2NE2nNhxocAsanEOo0RncVOXkEN+kgHxHTYBtM 2TZV90TLkOxk0bQPTsh/4QCyq1f9N3pGDHHtCSZg4M/xFPQW9efvGupUqw73ZoJC2eC++I HeoUx0WXyudCT6hEhWbHjBOkHvLm6bMEseQYuQ+DVOTobGA9vSNoNkJrbIvhHbQBABMZgA H8dk9aIgBS0Fbx581tLjxzHchIQ8039TlUwUbDSjks18vFesgRTJshV2Y8Qr98ct+EVhT6 Jvr7vz0ENCJn/YAiYYjrs+fZF0Y11T7uriU7ZasO9i2GIlFZm9Cy6o2xOZiJVQ== From: Frank Lichtenheld To: openvpn-devel@lists.sourceforge.net Date: Thu, 14 Dec 2023 12:17:52 +0100 Message-Id: <20231214111752.237606-1-frank@lichtenheld.com> In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: -0.9 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Arne Schwabe This is a re-implementation of the --tls-export-cert feature. This was necessary to due to missing approval to re-license the old (now removed) code. The re-implementation is based on the following de [...] Content analysis details: (-0.9 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record -0.7 RCVD_IN_DNSWL_LOW RBL: Sender listed at https://www.dnswl.org/, low trust [80.241.56.172 listed in list.dnswl.org] 0.0 RCVD_IN_MSPIKE_H5 RBL: Excellent reputation (+5) [80.241.56.172 listed in wl.mailspike.net] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.0 T_SCC_BODY_TEXT_LINE No description available. 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders X-Headers-End: 1rDjj8-000401-2j Subject: [Openvpn-devel] [PATCH v6] Implement the --tls-export-cert feature X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1785255908351193265?= X-GMAIL-MSGID: =?utf-8?q?1785255908351193265?= From: Arne Schwabe This is a re-implementation of the --tls-export-cert feature. This was necessary to due to missing approval to re-license the old (now removed) code. The re-implementation is based on the following description of the feature provided by David: Add an option to export certificate in PEM format of the remote peer to a given directory. For example: --tls-export-cert /var/tmp This option should use a randomised filename, which is provided via a "peer_cert" environment variable for the --tls-verify script or the OPENVPN_PLUGIN_TLS_VERIFY plug-in hook. Once the script or plugin call has completed, OpenVPN should delete this file. Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2 Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master and release/2.6. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/466 This mail reflects revision 6 of this Change. Acked-by according to Gerrit (reflected above): Frank Lichtenheld diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index 38dcfa2..ba700a0 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst @@ -423,6 +423,15 @@ See the `Environmental Variables`_ section below for additional parameters passed as environmental variables. +--tls-export-cert-path dir + Adds an environment variable ``peer_cert_{x}`` (and an alias + ``peer_cert`` for ``peer_cert_0`` for compatibility) when calling the + ``--tls-verify`` script or executing the OPENVPN_PLUGIN_TLS_VERIFY plugin + hook to verify the certificate. + + The environment variable contains the path to a PEM encoded certificate + of the current peer certificate in the directory ``dir``. + --up cmd Run command ``cmd`` after successful TUN/TAP device open (pre ``--user`` UID change). @@ -763,6 +772,15 @@ modifier is specified, and deleted from the environment after the script returns. +:code:`peer_cert_{n}` + If the option ``--tls-export-cert`` is enabled, this option contains + the path to the current peer certificate to be verified in PEM format + where ``n`` is the verification level. + +:code:`peer_cert` + Identical to `peer_cert_0` for compatibility with older + versions. + :code:`proto` The ``--proto`` parameter. Set on program initiation and reset on SIGHUP. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 9e2b3845..917ae33 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3336,6 +3336,7 @@ to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file; to.client_crresponse_script = options->client_crresponse_script; to.tmp_dir = options->tmp_dir; + to.export_peer_cert_dir = options->tls_export_peer_cert_path; if (options->ccd_exclusive) { to.client_config_dir_exclusive = options->client_config_dir; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 1521872..503e832 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1986,6 +1986,7 @@ SHOW_STR(cipher_list_tls13); SHOW_STR(tls_cert_profile); SHOW_STR(tls_verify); + SHOW_STR(tls_export_peer_cert_path); SHOW_INT(verify_x509_type); SHOW_STR(verify_x509_name); SHOW_STR_INLINE(crl_file); @@ -3048,6 +3049,7 @@ MUST_BE_UNDEF(cipher_list_tls13); MUST_BE_UNDEF(tls_cert_profile); MUST_BE_UNDEF(tls_verify); + MUST_BE_UNDEF(tls_export_peer_cert_path); MUST_BE_UNDEF(verify_x509_name); MUST_BE_UNDEF(tls_timeout); MUST_BE_UNDEF(renegotiate_bytes); @@ -4053,6 +4055,13 @@ R_OK, "--crl-verify"); } + if (options->tls_export_peer_cert_path) + { + errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, + options->tls_export_peer_cert_path, + W_OK, "--tls-export-cert"); + } + ASSERT(options->connection_list); for (int i = 0; i < options->connection_list->len; ++i) { @@ -8998,6 +9007,11 @@ string_substitute(p[1], ',', ' ', &options->gc), "tls-verify", true); } + else if (streq(p[0], "tls-export-cert") && p[1] && !p[2]) + { + VERIFY_PERMISSION(OPT_P_SCRIPT); + options->tls_export_peer_cert_path = p[1]; + } else if (streq(p[0], "compat-names")) { VERIFY_PERMISSION(OPT_P_GENERAL); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index c4514e1..3b9a7f6 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -592,6 +592,7 @@ const char *tls_cert_profile; const char *ecdh_curve; const char *tls_verify; + const char *tls_export_peer_cert_path; int verify_x509_type; const char *verify_x509_name; const char *crl_file; diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 925660b..f085e0d 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -374,6 +374,7 @@ const char *client_crresponse_script; bool auth_user_pass_verify_script_via_file; const char *tmp_dir; + const char *export_peer_cert_dir; const char *auth_user_pass_file; bool auth_user_pass_file_inline; diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c index bd7e512..5cf518e 100644 --- a/src/openvpn/ssl_verify.c +++ b/src/openvpn/ssl_verify.c @@ -457,6 +457,30 @@ gc_free(&gc); } +static bool +verify_cert_cert_export_env(struct env_set *es, openvpn_x509_cert_t *peer_cert, + int cert_depth, const char *pem_export_fn) +{ + char envname[64]; + struct gc_arena gc = gc_new(); + /* export the path to the certificate in pem file format */ + openvpn_snprintf(envname, sizeof(envname), "peer_cert_%d", cert_depth); + setenv_str(es, envname, pem_export_fn); + + /* compatibility with older scripts/plugins that expect peer_cert without + * suffix */ + if (cert_depth == 0) + { + setenv_str(es, "peer_cert", pem_export_fn); + } + + bool ret = (backend_x509_write_pem(peer_cert, pem_export_fn) == SUCCESS); + + gc_free(&gc); + return ret; +} + + /* * call --tls-verify plug-in(s) */ @@ -572,18 +596,19 @@ result_t verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_depth) { + /* need to define these variables here so goto cleanup will always have + * them defined */ result_t ret = FAILURE; - char *subject = NULL; - const struct tls_options *opt; struct gc_arena gc = gc_new(); + const char *pem_export_fn = NULL; - opt = session->opt; + const struct tls_options *opt = session->opt; ASSERT(opt); session->verified = false; /* get the X509 name */ - subject = x509_get_subject(cert, &gc); + char *subject = x509_get_subject(cert, &gc); if (!subject) { msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, could not extract X509 " @@ -706,6 +731,19 @@ session->verify_maxlevel = max_int(session->verify_maxlevel, cert_depth); + if (opt->export_peer_cert_dir) + { + pem_export_fn = platform_create_temp_file(opt->export_peer_cert_dir, + "pef", &gc); + + if (!pem_export_fn + || !verify_cert_cert_export_env(opt->es, cert, cert_depth, pem_export_fn)) + { + msg(D_TLS_ERRORS, "TLS Error: Failed to export certificate for " + "--tls-export-cert in %s", opt->export_peer_cert_dir); + goto cleanup; + } + } /* export certificate values to the environment */ verify_cert_set_env(opt->es, cert, cert_depth, subject, common_name, opt->x509_track); @@ -763,6 +801,11 @@ tls_clear_error(); /* always? */ session->verified = false; /* double sure? */ } + if (pem_export_fn) + { + platform_unlink(pem_export_fn); + } + gc_free(&gc); return ret; diff --git a/src/openvpn/ssl_verify_backend.h b/src/openvpn/ssl_verify_backend.h index d402b1f..5301a51 100644 --- a/src/openvpn/ssl_verify_backend.h +++ b/src/openvpn/ssl_verify_backend.h @@ -161,6 +161,17 @@ struct gc_arena *gc); /* + * Write the certificate to the file in PEM format. + * + * + * @param cert Certificate to serialise. + * + * @return \c FAILURE, \c or SUCCESS + */ +result_t backend_x509_write_pem(openvpn_x509_cert_t *cert, + const char *filename); + +/* * Save X509 fields to environment, using the naming convention: * * X509_{cert_depth}_{name}={value} diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index 5612139..24a89c3 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -218,6 +218,41 @@ return buf; } +result_t +backend_x509_write_pem(openvpn_x509_cert_t *cert, const char *filename) +{ + /* mbed TLS does not make it easy to write a certificate in PEM format. + * The only way is to directly access the DER encoded raw certificate + * and PEM encode it ourselves */ + + struct gc_arena gc = gc_new(); + /* just do a very loose upper bound for the base64 based PEM encoding + * using 3 times the space for the base64 and 100 bytes for the + * headers and footer */ + struct buffer pem = alloc_buf_gc(cert->raw.len * 3 + 100, &gc); + + struct buffer der = {}; + buf_set_read(&der, cert->raw.p, cert->raw.len); + + if (!crypto_pem_encode("CERTIFICATE", &pem, &der, &gc)) + { + goto err; + } + + if (!buffer_write_file(filename, &pem)) + { + goto err; + } + + gc_free(&gc); + return SUCCESS; +err: + msg(D_TLS_DEBUG_LOW, "Error writing X509 certificate to file %s", + filename); + gc_free(&gc); + return FAILURE; +} + static struct buffer x509_get_fingerprint(const mbedtls_md_info_t *md_info, mbedtls_x509_crt *cert, struct gc_arena *gc) diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 5afffc1..00fdec3 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -320,6 +320,29 @@ return format_hex_ex(asn1_i->data, asn1_i->length, 0, 1, ":", gc); } +result_t +backend_x509_write_pem(openvpn_x509_cert_t *cert, const char *filename) +{ + BIO *out = BIO_new_file(filename, "w"); + if (!out) + { + goto err; + } + + if (!PEM_write_bio_X509(out, cert)) + { + goto err; + } + BIO_free(out); + + return SUCCESS; +err: + BIO_free(out); + crypto_msg(D_TLS_DEBUG_LOW, "Error writing X509 certificate to file %s", + filename); + return FAILURE; +} + struct buffer x509_get_sha1_fingerprint(X509 *cert, struct gc_arena *gc) {