* Non-ephemeral key exchange using static (EC)DH keys
* DSS private keys
-- PolarSSL builds: changed the tls_digest_N values exported to the script
+- mbed TLS builds: changed the tls_digest_N values exported to the script
environment to be equal to the ones exported by OpenSSL builds, namely
the certificate fingerprint (was the hash of the 'to be signed' data).
+- mbed TLS builds: minimum RSA key size is now 2048 bits. Shorter keys will
+ not be accepted, both local and from the peer.
+
Maintainer-visible changes
--------------------------
/* did peer present cert which was signed by our root cert? */
if (*flags != 0)
{
+ int ret = 0;
+ char errstr[512] = { 0 };
char *subject = x509_get_subject(cert, &gc);
+ ret = mbedtls_x509_crt_verify_info (errstr, sizeof(errstr)-1, "", *flags);
+ if (ret <= 0 && !openvpn_snprintf(errstr, sizeof(errstr),
+ "Could not retrieve error string, flags=%"PRIx32, *flags))
+ {
+ errstr[0] = '\0';
+ }
+
if (subject)
- msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, flags=%x, %s", cert_depth, *flags, subject);
+ {
+ msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, subject=%s: %s",
+ cert_depth, subject, errstr);
+ }
else
- msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, flags=%x, could not extract X509 "
- "subject string from certificate", *flags, cert_depth);
+ {
+ msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, (could not extract X509 "
+ "subject string from certificate): %s", cert_depth, errstr);
+ }
/* Leave flags set to non-zero to indicate that the cert is not ok */
}
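Review bot: The text that `mbedtls_x509_crt_verify_info()` writes into `errstr` ends each reason with a newline, so both `msg (D_TLS_ERRORS, ...)` calls now emit a VERIFY ERROR entry with a trailing line break, and with embedded line breaks when more than one flag is set. A single verification failure is then split across several log lines, and the continuation lines carry no `VERIFY ERROR` prefix, depth or subject, which makes line-oriented log matching and alerting unreliable. Strip the trailing newline on the success path, for example `else { chomp(errstr); }` after the fallback block if OpenVPN's `chomp()` helper is in scope in this file, and consider replacing the inner newlines with a separator such as `, `. The raw flag value is also no longer logged when the lookup succeeds; keeping `flags=%"PRIx32` in the message would preserve it for triage. The enclosing function begins and ends outside this hunk.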