From: Arne Schwabe Date: Wed, 24 May 2023 13:24:23 +0000 (+0200) Subject: Revert commit 423ced962d X-Git-Tag: v2.7_alpha1~426 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=370334828659e205941eecd1c90f085a64ca539d;p=thirdparty%2Fopenvpn.git Revert commit 423ced962d This reverts commit 423ced962db3129b4ed551c489624faba4340652, which has Jason A. Donenfeld listed as author as the patch was based on his initial submission. We have not received permission to relicense the original patch. Change-Id: I8142753928498169032450c56d0497a5042bdc9b Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20230524132424.3098475-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26722.html Signed-off-by: Gert Doering --- diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 6fb6900de..008bae982 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3345,7 +3345,6 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.verify_hash = options->verify_hash; to.verify_hash_algo = options->verify_hash_algo; to.verify_hash_depth = options->verify_hash_depth; - to.verify_hash_no_ca = options->verify_hash_no_ca; #ifdef ENABLE_X509ALTUSERNAME memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field)); #else diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 90d85be42..3a6990e77 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2987,11 +2987,21 @@ options_postprocess_verify_ce(const struct options *options, else { #ifdef ENABLE_CRYPTO_MBEDTLS + if (!(options->ca_file)) + { + msg(M_USAGE, "You must define CA file (--ca)"); + } + if (options->ca_path) { msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN."); } -#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */ +#else /* ifdef ENABLE_CRYPTO_MBEDTLS */ + if ((!(options->ca_file)) && (!(options->ca_path))) + { + msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)"); + } +#endif if (pull) { @@ -3723,13 +3733,6 @@ options_postprocess_mutate(struct options *o, struct env_set *es) options_postprocess_http_proxy_override(o); } #endif - if (!o->ca_file && !o->ca_path && o->verify_hash - && o->verify_hash_depth == 0) - { - msg(M_INFO, "Using certificate fingerprint to verify peer (no CA " - "option set). "); - o->verify_hash_no_ca = true; - } if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP) { @@ -4025,11 +4028,8 @@ options_postprocess_filechecks(struct options *options) errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE, options->dh_file, R_OK, "--dh"); - if (!options->verify_hash_no_ca) - { - errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE, - options->ca_file, R_OK, "--ca"); - } + errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE, + options->ca_file, R_OK, "--ca"); errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK, "--capath"); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index f5890b90f..95f1158a4 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -604,7 +604,6 @@ struct options struct verify_hash_list *verify_hash; hash_algo_type verify_hash_algo; int verify_hash_depth; - bool verify_hash_no_ca; unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */ #ifdef ENABLE_PKCS11 diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index 27b029479..c0b3caa71 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -345,7 +345,6 @@ struct tls_options const char *remote_cert_eku; struct verify_hash_list *verify_hash; int verify_hash_depth; - bool verify_hash_no_ca; hash_algo_type verify_hash_algo; #ifdef ENABLE_X509ALTUSERNAME char *x509_username_field[MAX_PARMS]; diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index a1ddf8d0b..2a205c8a4 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -60,22 +60,6 @@ verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth, struct buffer cert_fingerprint = x509_get_sha256_fingerprint(cert, &gc); cert_hash_remember(session, cert_depth, &cert_fingerprint); - if (session->opt->verify_hash_no_ca) - { - /* - * If we decide to verify the peer certificate based on the fingerprint - * we ignore wrong dates and the certificate not being trusted. - * Any other problem with the certificate (wrong key, bad cert,...) - * will still trigger an error. - * Clearing these flags relies on verify_cert will later rejecting a - * certificate that has no matching fingerprint. - */ - uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED - | MBEDTLS_X509_BADCERT_EXPIRED - | MBEDTLS_X509_BADCERT_FUTURE; - *flags = *flags & ~flags_ignore; - } - /* did peer present cert which was signed by our root cert? */ if (*flags != 0) { diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 3194c232a..177200aaa 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -65,7 +65,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) cert_hash_remember(session, X509_STORE_CTX_get_error_depth(ctx), &cert_hash); /* did peer present cert which was signed by our root cert? */ - if (!preverify_ok && !session->opt->verify_hash_no_ca) + if (!preverify_ok) { /* get the X509 name */ char *subject = x509_get_subject(current_cert, &gc);