From patchwork Wed Apr 1 23:35:59 2020
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 1070
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 2 Apr 2020 12:35:59 +0200
Message-Id: <20200402103559.10085-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20200402081829.28362-1-arne@rfc2549.org>
References: <20200402081829.28362-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v2] Fix OpenSSL error stack handling of tls_ctx_add_extra_certs

Commit f67efa94 exposed that tls_ctx_add_extra_certs will always leave an error of PEM_R_NO_START_LINE on the stack that will be printed the next time that an error is printed. Fix this by discarding this error.

Also clean up the logic to report the real error on other errors, and also the no-start-line error if no certificate can be found at all and it is required (--extra-certs config option).

Patch V2: fix that the optional flag was flipped between --cert and --extra-certs

Signed-off-by: Arne Schwabe
---
 src/openvpn/ssl_openssl.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 3f0031ff..ef5dfc52 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -881,24 +881,36 @@ tls_ctx_load_cryptoapi(struct tls_root_ctx *ctx, const char *cryptoapi_cert) #endif /* ENABLE_CRYPTOAPI */ static void -tls_ctx_add_extra_certs(struct tls_root_ctx *ctx, BIO *bio) +tls_ctx_add_extra_certs(struct tls_root_ctx *ctx, BIO *bio, bool optional) { X509 *cert; - for (;; ) + for (;;) { cert = NULL; - if (!PEM_read_bio_X509(bio, &cert, NULL, NULL)) /* takes ownership of cert */ + if (!PEM_read_bio_X509(bio, &cert, NULL, NULL)) { - break; + /* Error indicates that no more certificates is found in buffer + and loading more certificates is optional, break without + error */ + if (optional && + ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE) + { + /* remove that error from error stack */ + (void)ERR_get_error(); + break; + } } if (!cert) { crypto_msg(M_FATAL, "Error reading extra certificate"); } + /* takes ownership of cert like a set1 method */ if (SSL_CTX_add_extra_chain_cert(ctx->ctx, cert) != 1) { crypto_msg(M_FATAL, "Error adding extra certificate"); } + /* We loaded at least one certificate, so loading more is optional */ + optional = true; } } @@ -942,7 +954,7 @@ tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file, ret = SSL_CTX_use_certificate(ctx->ctx, x); if (ret) { - tls_ctx_add_extra_certs(ctx, in); + tls_ctx_add_extra_certs(ctx, in, true); } end: @@ -1663,7 +1675,7 @@ tls_ctx_load_extra_certs(struct tls_root_ctx *ctx, const char *extra_certs_file, } else { - tls_ctx_add_extra_certs(ctx, in); + tls_ctx_add_extra_certs(ctx, in, false); } BIO_free(in);
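Review bot: the new comment `/* takes ownership of cert like a set1 method */` in tls_ctx_add_extra_certs has the OpenSSL naming convention backwards. A *1 function (SSL_CTX_add1_chain_cert and friends) increments the reference count and leaves ownership with the caller; a *0 function takes ownership, and that is what SSL_CTX_add_extra_chain_cert does (the SSL_CTX frees the X509 when it is destroyed, so the caller must not). Suggest `/* takes ownership of cert like a set0/add0 method */`. Two smaller points in the same hunk: ERR_peek_error() returns the oldest entry in the thread's error queue, so if anything unrelated was already queued before this loop ran, the `ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE` test misses, the function falls through to the M_FATAL "Error reading extra certificate", and the stale entry is what gets printed; an ERR_clear_error() before the loop keeps the check (and the following `(void)ERR_get_error()` pop) meaningful. And the error path relies on `cert` still being NULL after the failed PEM_read_bio_X509() to reach the `if (!cert)` fatal; placing the crypto_msg(M_FATAL, ...) directly after the `if (optional && ...)` block inside the read-failure branch states the "any other error is fatal" intent without the detour. Nit: "no more certificates is found" should read "no more certificates are found".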
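Review bot: the bare `true` in `tls_ctx_add_extra_certs(ctx, in, true);` in tls_ctx_load_cert_file is exactly the literal that got flipped between v1 and v2 of this patch. A one-line comment at the call site, e.g. `/* chain certs after the leaf in --cert are optional */`, or a pair of named constants for the two call sites, would make the intent checkable at a glance in review instead of requiring the reader to look up the parameter order.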
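Review bot: passing `false` in `tls_ctx_add_extra_certs(ctx, in, false);` in tls_ctx_load_extra_certs changes observable behaviour for --extra-certs and the commit message should say so. Before this patch the loop simply hit `break;` on the first read failure, so an --extra-certs file that exists but contains no PEM certificate was accepted silently (with the PEM_R_NO_START_LINE entry left queued); after it, the same file aborts with M_FATAL "Error reading extra certificate" and the no-start-line text. That tightening is the stated intent, but users with an empty placeholder --extra-certs file will see a config that used to start now fail, which belongs in the commit message and release notes. The same call-site comment suggested for the --cert path applies to this `false` literal.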
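As an added illustration of the control flow this patch introduces, not code from the patch, from OpenVPN or from OpenSSL, the following Python mirrors the patched tls_ctx_add_extra_certs() over constructed PEM buffers: a no-start-line condition ends the loop only while further certificates are optional, any other parse problem is fatal regardless, and `optional` becomes true once the first certificate has loaded, so the --cert path (optional=true) and the --extra-certs path (optional=false) behave as the v2 flags describe. The PEM scanner is a simplified stand-in for PEM_read_bio_X509(), the "certificates" are tiny DER SEQUENCEs rather than real X.509, and OpenSSL's error queue is modelled as two exception classes; all of that is an assumption of the demo, not OpenSSL behaviour. It is written in Python rather than the project's C so that it runs without an OpenSSL build.

```python
# Constructed demo of the patched tls_ctx_add_extra_certs() loop. Not OpenVPN or
# OpenSSL code; the error queue is modelled with two exception classes and the
# certificates are fake DER SEQUENCEs (assumptions of the demo).
import base64
import binascii

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


class PemNoStartLine(Exception):
    """Stands in for PEM_R_NO_START_LINE: no further BEGIN line in the buffer."""


class PemError(Exception):
    """Stands in for every other PEM/X509 error (bad base64, truncated block...)."""


def pem_read_cert(buf, pos):
    """Simplified PEM_read_bio_X509(): read the next CERTIFICATE block at or
    after offset pos and return (der_bytes, new_pos)."""
    start = buf.find(PEM_BEGIN, pos)
    if start < 0:
        raise PemNoStartLine("no start line")       # clean end of input
    body_start = start + len(PEM_BEGIN)
    end = buf.find(PEM_END, body_start)
    if end < 0:
        raise PemError("BEGIN line without matching END line")
    body = "".join(buf[body_start:end].split())     # drop line breaks
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise PemError(f"bad base64 in certificate block: {exc}") from None
    if len(der) < 2 or der[0] != 0x30:              # must be a DER SEQUENCE
        raise PemError("block does not decode to a DER SEQUENCE")
    return der, end + len(PEM_END)


def add_extra_certs(buf, pos, optional):
    """The patched loop: no-start-line ends the loop only while `optional`
    is true, every other error propagates, and after the first certificate
    loads, any further certificates are optional."""
    chain = []
    while True:
        try:
            der, pos = pem_read_cert(buf, pos)
        except PemNoStartLine:
            if optional:
                break       # OpenVPN pops the queued error here and returns
            raise PemError("Error reading extra certificate: none found "
                           "but one is required") from None
        chain.append(der)   # SSL_CTX_add_extra_chain_cert() in the real code
        optional = True     # at least one loaded, so loading more is optional
    return chain


def load_cert_file(buf):
    """--cert: the leaf is required; chain certs after it are optional."""
    try:
        leaf, pos = pem_read_cert(buf, 0)
    except PemNoStartLine:
        raise PemError("no certificate in --cert file") from None
    return leaf, add_extra_certs(buf, pos, optional=True)


def load_extra_certs(buf):
    """--extra-certs: at least one certificate is required."""
    return add_extra_certs(buf, 0, optional=False)


def try_load(loader, buf):
    """Run a loader and return (ok, result_or_message) instead of raising."""
    try:
        return True, loader(buf)
    except PemError as exc:
        return False, str(exc)


def fake_cert(n):
    """Constructed stand-in for a certificate: SEQUENCE { INTEGER n } in PEM armour."""
    der = bytes([0x30, 0x03, 0x02, 0x01, n])
    return f"{PEM_BEGIN}\n{base64.b64encode(der).decode()}\n{PEM_END}\n"


# Constructed inputs, not taken from any real configuration.
LEAF_ONLY = fake_cert(1) + "# trailing text after the leaf is not a start line\n"
LEAF_AND_CHAIN = fake_cert(1) + fake_cert(2)
EMPTY_FILE = "# nothing but a comment\n"
CORRUPT_CHAIN = fake_cert(1) + f"{PEM_BEGIN}\n!!!!not base64!!!!\n{PEM_END}\n"

if __name__ == "__main__":
    for name, loader, buf in [
        ("--cert, leaf only", load_cert_file, LEAF_ONLY),
        ("--cert, leaf + chain", load_cert_file, LEAF_AND_CHAIN),
        ("--cert, corrupt chain cert", load_cert_file, CORRUPT_CHAIN),
        ("--extra-certs, two certs", load_extra_certs, LEAF_AND_CHAIN),
        ("--extra-certs, empty file", load_extra_certs, EMPTY_FILE),
    ]:
        print(f"{name:28} -> {try_load(loader, buf)}")
```

The corrupt-chain case is the one worth watching: the second block fails with a real parse error, and because only the no-start-line condition is swallowed, the --cert load aborts even though chain certificates are optional, which is the "report the real error on other errors" part of the commit message.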