From patchwork Tue Apr 7 07:44:36 2020
X-Patchwork-Submitter: WGH
X-Patchwork-Id: 1076
From: wgh@torlan.ru
To: openvpn-devel@lists.sourceforge.net
Cc: Maxim Plotnikov
Date: Tue, 7 Apr 2020 20:44:36 +0300
Message-Id: <20200407174436.238933-1-wgh@torlan.ru>
In-Reply-To: <517c16b8-b552-8728-2e73-5f7bcc149953@rfc2549.org>
References: <517c16b8-b552-8728-2e73-5f7bcc149953@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v2] OpenSSL: Fix --crl-verify not loading multiple CRLs in one file
From: Maxim Plotnikov

Lack of this led people accepting multiple CAs to use capath, which already supports multiple CRLs. But capath mode itself is somewhat ugly: you have to create a new file/symlink every time the CRL is updated, and there's no good way to clean them up without restarting OpenVPN, since any gap in the sequence would cause it to lose sync[1].

The mbedtls crypto backend already loads multiple CRLs as is, so it doesn't need this fix.

The patch also includes some logging changes which I think are useful.

If you wish to test the patch, here are prepared configuration files: https://wgh.torlan.ru/openvpn-crl-fix-ca.tar.gz. The client_ca2_revoked.ovpn config uses a revoked certificate issued by the second CA, and is accepted by an unpatched server, but rightfully rejected with this patch (or when using the mbedtls backend).

[1] https://community.openvpn.net/openvpn/ticket/623#comment:7

Acked-By: Arne Schwabe
--- src/openvpn/ssl_openssl.c | 40 ++++++++++++++++++++++++++++------------ 1 file changed, 28 insertions(+), 12 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 15959a90..dd818175 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1050,7 +1050,6 @@ void backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, const char *crl_inline) { - X509_CRL *crl = NULL; BIO *in = NULL; X509_STORE *store = SSL_CTX_get_cert_store(ssl_ctx->ctx); 
@@ -1091,21 +1090,38 @@ backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file, goto end; } - crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); - if (crl == NULL) + int num_crls_loaded = 0; + while (true) { - msg(M_WARN, "CRL: cannot read CRL from file %s", crl_file); - goto end; - } + X509_CRL *crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL); + if (crl == NULL) + { + /* + * PEM_R_NO_START_LINE can be considered equivalent to EOF. + */ + bool eof = ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE; + /* but warn if no CRLs have been loaded */ + if (num_crls_loaded > 0 && eof) { + /* remove that error from error stack */ + (void)ERR_get_error(); + break; + } - if (!X509_STORE_add_crl(store, crl)) - { - msg(M_WARN, "CRL: cannot add %s to store", crl_file); - goto end; - } + crypto_msg(M_WARN, "CRL: cannot read CRL from file %s", crl_file); + break; + } + if (!X509_STORE_add_crl(store, crl)) + { + X509_CRL_free(crl); + crypto_msg(M_WARN, "CRL: cannot add %s to store", crl_file); + break; + } + X509_CRL_free(crl); + num_crls_loaded++; + } + msg(M_INFO, "CRL: loaded %d CRLs from file %s", num_crls_loaded, crl_file); end: - X509_CRL_free(crl); BIO_free(in); }
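Review bot: in the second hunk the EOF test `ERR_GET_REASON(ERR_peek_error()) == PEM_R_NO_START_LINE` inspects the oldest entry on the OpenSSL error queue, and nothing before `while (true)` clears that queue, so a stale error left by earlier code would make a clean end of file look like a read failure and turn a successful multi-CRL load into a "CRL: cannot read CRL from file" warning; an `ERR_clear_error()` before the loop, or comparing against `ERR_peek_last_error()`, ties the check to the read that just failed. Two smaller points: `if (num_crls_loaded > 0 && eof) {` puts the brace on the same line while every other block in the hunk uses the file's brace-on-next-line style, and the comment `/* but warn if no CRLs have been loaded */` sits above the branch that silently breaks, so something like `/* EOF after at least one CRL: done; anything else falls through to the warning */` would describe the control flow as written. Finally, the closing `msg(M_INFO, "CRL: loaded %d CRLs from file %s", ...)` is also reached via the `break`s on both warning paths, so a warning is followed by an INFO line reporting a partial count; that is useful for operators, but worth stating in the commit message as intended.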
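To make the before/after behaviour concrete, here is an added Python model (not code from the patch or from OpenVPN) of the read loop at the PEM layer: `read_one_crl` stands in for `PEM_read_bio_X509_CRL`, `CRLReadError("NO_START_LINE")` for the `PEM_R_NO_START_LINE` error-queue entry, and the CRL bodies are constructed DER SEQUENCE stand-ins, not real CRLs.

```python
import base64
import binascii
import re

# Constructed --crl-verify bundle: one PEM CRL per CA. The bodies are minimal
# DER SEQUENCEs standing in for real CRLs (this example does not parse CRLs).
def pem_block(der: bytes) -> str:
    b64 = base64.b64encode(der).decode("ascii")
    return f"-----BEGIN X509 CRL-----\n{b64}\n-----END X509 CRL-----\n"

CRL_CA1 = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
CRL_CA2 = bytes([0x30, 0x03, 0x02, 0x01, 0x02])
BUNDLE = pem_block(CRL_CA1) + pem_block(CRL_CA2)

_BLOCK = re.compile(r"-----BEGIN X509 CRL-----\n(.*?)\n-----END X509 CRL-----", re.S)

class CRLReadError(Exception):
    """Stands in for an OpenSSL error-queue entry; args[0] is the reason."""

def read_one_crl(text: str, pos: int):
    """Model of PEM_read_bio_X509_CRL: return (der, next_pos) or raise.
    NO_START_LINE is what OpenSSL reports when no further PEM block exists."""
    m = _BLOCK.search(text, pos)
    if m is None:
        raise CRLReadError("NO_START_LINE")
    try:
        der = base64.b64decode(m.group(1), validate=True)
    except binascii.Error:
        raise CRLReadError("BAD_BASE64") from None
    if not der or der[0] != 0x30:  # a CRL is a DER SEQUENCE
        raise CRLReadError("BAD_DER")
    return der, m.end()

def load_first_crl(text: str) -> list:
    """Pre-patch behaviour: a single read, so only the first CRL reaches the store."""
    der, _ = read_one_crl(text, 0)
    return [der]

def load_all_crls(text: str):
    """Patched behaviour: keep reading until the reader reports NO_START_LINE,
    which counts as a clean EOF only once at least one CRL has been loaded.
    Returns (crls, warning); warning is None on success."""
    crls, pos = [], 0
    while True:
        try:
            der, pos = read_one_crl(text, pos)
        except CRLReadError as err:
            if crls and err.args[0] == "NO_START_LINE":
                return crls, None
            return crls, f"CRL: cannot read CRL from file ({err.args[0]})"
        crls.append(der)
```

With the two-CA bundle, `load_first_crl` returns only the first CA's CRL, which is why a certificate revoked by the second CA was still accepted before the patch.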