polarssl: add --verify-client-cert optional support

author Steffan Karger <steffan@karger.me>

Thu, 15 Oct 2015 22:43:15 +0000 (00:43 +0200)

committer Gert Doering <gert@greenie.muc.de>

Mon, 9 Nov 2015 16:24:58 +0000 (17:24 +0100)
author Steffan Karger <steffan@karger.me>
Thu, 15 Oct 2015 22:43:15 +0000 (00:43 +0200)
committer Gert Doering <gert@greenie.muc.de>
Mon, 9 Nov 2015 16:24:58 +0000 (17:24 +0100)
diff --git a/src/openvpn/options.c b/src/openvpn/options.c

index 8de4c3cc2ed615308c9ce351109b140560fc5ab9..901d710201257bde8b5821f6febc0f4e6ca5a509 100644 (file)
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2049,8 +2049,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
                              || PLUGIN_OPTION_LIST (options)
                              || MAN_CLIENT_AUTH_ENABLED (options));
           const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
-         if ((options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) && !ccnr)
-           msg (M_USAGE, "--client-cert-not-required %s", postfix);
+         if ((options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) && !ccnr)
+           msg (M_USAGE, "--verify-client-cert none|optional %s", postfix);
           if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
             msg (M_USAGE, "--username-as-common-name %s", postfix);
           if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
@@ -2084,7 +2084,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
         msg (M_USAGE, "--duplicate-cn requires --mode server");
        if (options->cf_max || options->cf_per)
         msg (M_USAGE, "--connect-freq requires --mode server");
-      if (options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED || options->ssl_flags & SSLF_CLIENT_CERT_OPTIONAL)
+      if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
         msg (M_USAGE, "--client-cert-not-required and --verify-client-cert require --mode server");
        if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
         msg (M_USAGE, "--username-as-common-name requires --mode server");
@@ -2132,6 +2132,13 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
        (options->shared_secret_file != NULL) > 1)
      msg (M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
  
+  if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
+    {
+      msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
+         "--verify-client-cert none|optional (or --client-cert-not-required) "
+         "may accept clients which do not present a certificate");
+    }
+
    if (options->tls_server || options->tls_client)
      {
  #ifdef ENABLE_PKCS11
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c

index 0bf15b3e1e84ac0df1cd4833d8522cc1969bdffc..4430fec2d35893c6f0ac0b041d85a24a8cc331dc 100644 (file)
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -255,14 +255,12 @@ tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags)
  #if P2MP_SERVER
    if (ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
      {
-      msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
-         "--client-cert-not-required and --verify-client-cert none "
-      "may accept clients which do not present a certificate");
-
        flags = 0;
      }
    else if (ssl_flags & SSLF_CLIENT_CERT_OPTIONAL)
-    flags = SSL_VERIFY_PEER;
+    {
+      flags = SSL_VERIFY_PEER;
+    }
  #endif
    SSL_CTX_set_verify (ctx->ctx, flags, verify_callback);
  
diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c

index 27cd7355d9a25bb1d5a3bea47bbdcc3d27da95ec..cf38e69437bdf3585c34040a5e2cec8ec01891c5 100644 (file)
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
@@ -776,18 +776,16 @@ void key_state_ssl_init(struct key_state_ssl *ks_ssl,
  
        /* Initialise SSL verification */
  #if P2MP_SERVER
-      if (session->opt->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
+      if (session->opt->ssl_flags & SSLF_CLIENT_CERT_OPTIONAL)
         {
-         msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION "
-          "--client-cert-not-required may accept clients which do not present "
-          "a certificate");
+         ssl_set_authmode(ks_ssl->ctx, SSL_VERIFY_OPTIONAL);
         }
-      else
+      else if (!(session->opt->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED))
  #endif
        {
         ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_REQUIRED);
-       ssl_set_verify (ks_ssl->ctx, verify_callback, session);
        }
+      ssl_set_verify (ks_ssl->ctx, verify_callback, session);
  
        /* TODO: PolarSSL does not currently support sending the CA chain to the client */
        ssl_set_ca_chain (ks_ssl->ctx, ssl_ctx->ca_chain, NULL, NULL );
author	Steffan Karger <steffan@karger.me>
	Thu, 15 Oct 2015 22:43:15 +0000 (00:43 +0200)
committer	Gert Doering <gert@greenie.muc.de>
	Mon, 9 Nov 2015 16:24:58 +0000 (17:24 +0100)
src/openvpn/options.c		patch \| blob \| blame \| history
src/openvpn/ssl_openssl.c		patch \| blob \| blame \| history
src/openvpn/ssl_polarssl.c		patch \| blob \| blame \| history