From patchwork Wed Apr 1 10:50:52 2020
X-Patchwork-Submitter: WGH
X-Patchwork-Id: 1066
From: wgh@torlan.ru
To: openvpn-devel@lists.sourceforge.net
Cc: Maxim Plotnikov
Date: Thu, 2 Apr 2020 00:50:52 +0300
Message-Id: <20200401215052.3489613-1-wgh@torlan.ru>
X-Mailer: git-send-email 2.24.1
Subject: [Openvpn-devel] [PATCH] OpenSSL: Fix --crl-verify not loading multiple CRLs in one file
From: Maxim Plotnikov

The lack of this led people accepting multiple CAs to use capath, which already supports multiple CRLs. But capath mode itself is somewhat ugly: you have to create a new file/symlink every time the CRL is updated, and there's no good way to clean them up without restarting OpenVPN, since any gap in the sequence would cause it to lose sync [1].

The mbedtls crypto backend already loads multiple CRLs as is, so it doesn't need this fix.

The patch also includes some logging changes which I think are useful.

If you wish to test the patch, here are prepared configuration files: https://wgh.torlan.ru/openvpn-crl-fix-ca.tar.gz. The client_ca2_revoked.ovpn config uses a revoked certificate issued by the second CA, and is accepted by an unpatched server, but rightfully rejected with this patch (or when using the mbedtls backend).

[1] https://community.openvpn.net/openvpn/ticket/623#comment:7

--- src/openvpn/ssl_openssl.c | 41 +++++++++++++++++++++++++++++------------ 1 file changed, 29 insertions(+), 12 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 3f0031ff..a5502a5b 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1038,7 +1038,7 @@ void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, const char *crl_inline) { - X509_CRL *crl = NULL; + int i = 0; BIO *in = NULL; X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx->ctx); 
@@ -1079,21 +1079,38 @@ backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, goto end; } - crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); - if (crl == NULL) - { - msg(M_WARN, "CRL: cannot read CRL from file %s", crl_file); - goto end; - } + for (i = 0;; i++) { + X509_CRL *crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); + if (crl == NULL) + { + unsigned long err = ERR_get_error(); + char buf[256]; + + if (ERR_GET_REASON(err) == PEM_R_NO_START_LINE && i > 0) { + // PEM_R_NO_START_LINE can be considered equivalent to EOF. + // + // A file without any CRLs should still be considered an error, + // though. Hence i > 0. + goto end; + } - if (!X509_STORE_add_crl(store, crl)) - { - msg(M_WARN, "CRL: cannot add %s to store", crl_file); - goto end; + ERR_error_string_n(err, buf, sizeof(buf)); + + msg(M_WARN, "CRL: cannot read CRL from file %s: %s", crl_file, buf); + goto end; + } + + if (!X509_STORE_add_crl(store, crl)) + { + msg(M_WARN, "CRL: cannot add %s to store", crl_file); + X509_CRL_free(crl); + goto end; + } + X509_CRL_free(crl); } end: - X509_CRL_free(crl); + msg(M_INFO, "CRL: loaded %d CRLs from file %s", i, crl_file); BIO_free(in); }
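Review bot: in the first hunk (@@ -1038), the `= 0` on `int i = 0;` is load-bearing but nothing says so: the pre-existing `goto end;` that precedes the loop (visible as context at the top of the second hunk) skips the `for (i = 0;; i++)` initialization yet still reaches the new `end:` log line that prints `i`. A name such as `crl_count` and a one-line comment on the declaration would make that role clear and keep a later cleanup from dropping the initializer.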
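Review bot: in the second hunk (@@ -1079), the EOF test `ERR_GET_REASON(err) == PEM_R_NO_START_LINE && i > 0` relies on `ERR_get_error()`, which returns and removes the oldest entry in the thread's error queue, not the one the PEM reader just pushed; if an unrelated error was left queued before this function ran, a clean end-of-file after one or more CRLs is logged as "cannot read CRL from file" with the stale error text, and the CRL reload is reported as failed. Call `ERR_clear_error()` before the `for` loop (or inspect `ERR_peek_last_error()` for the check) so the test sees the error that belongs to this read. Two smaller points: `for (i = 0;; i++) {` and `if (ERR_GET_REASON(err) == PEM_R_NO_START_LINE && i > 0) {` put the brace on the same line while the surrounding code in this hunk (`if (crl == NULL)` followed by `{`) puts it on its own line, so the new lines should follow the existing layout; and because every earlier `goto end;` now lands on `msg(M_INFO, "CRL: loaded %d CRLs from file %s", i, crl_file);`, each warning is followed by an M_INFO "loaded 0 CRLs" line, which is acceptable but worth stating in the commit message.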