From: Steffan Karger Date: Sat, 20 May 2017 12:57:55 +0000 (+0200) Subject: Fix mbedtls fingerprint calculation X-Git-Tag: v2.5_beta1~667 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=21a540f92bf65f39eb92967476eba0bcd2a34ef6;p=thirdparty%2Fopenvpn.git Fix mbedtls fingerprint calculation Commit 'Migrate to mbed TLS 2.x' (86d8cd68) introduced a bug in mbedtls builds where we would calculate the certificate fingerprint over the (too-short) 'to-be-signed' length of the certificate, rather than over the certificate including the signature. Fix that. The security impact of the incorrect calculation is very minimal; the last few bytes (max 4, typically 4) are not verified by the fingerprint. We expect no real-world impact, because users that used this feature before will notice that it has suddenly stopped working, and users that didn't will notice that connection setup fails. Even if the user managed to somehow extract the incorrect hash (e.g. by reading out the tls_digest_* env vars using a --tls-verify script), the impact is miminal: the last 4 bytes must still be properly signed by the CA, and typically contain extension fields, or the last bytes of the public key (which are hard to choose). The most important bits of the certificate were always checked: the version, serial, signature algorithm, issuer, validity and subject. Signed-off-by: Steffan Karger Acked-by: Arne Schwabe Message-Id: <1495285075-4957-1-git-send-email-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14711.html Signed-off-by: Gert Doering --- diff --git a/Changes.rst b/Changes.rst index fbe0fc46f..94cba0703 100644 --- a/Changes.rst +++ b/Changes.rst @@ -305,10 +305,26 @@ Maintainer-visible changes Version 2.4.3 ============= + +User-visible Changes +-------------------- - ``--verify-hash`` can now take an optional flag which changes the hashing algorithm. It can be either SHA1 or SHA256. The default if not provided is SHA1 to preserve backwards compatibility with existing configurations. +Bugfixes +-------- +- Fix fingerprint calculation in mbed TLS builds. This means that mbed TLS users + of OpenVPN 2.4.0, 2.4.1 and 2.4.2 that rely on the values of the + ``tls_digest_*`` env vars, or that use `--verify-hash` will have to change + the fingerprint values they check against. The security impact of the + incorrect calculation is very minimal; the last few bytes (max 4, typically + 4) are not verified by the fingerprint. We expect no real-world impact, + because users that used this feature before will notice that it has suddenly + stopped working, and users that didn't will notice that connection setup + fails if they specify correct fingerprints. + + Version 2.4.1 ============= - ``--remote-cert-ku`` now only requires the certificate to have at least the diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index 27c5c3e14..2b7056c83 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -208,7 +208,7 @@ x509_get_fingerprint(const mbedtls_md_info_t *md_info, mbedtls_x509_crt *cert, { const size_t md_size = mbedtls_md_get_size(md_info); struct buffer fingerprint = alloc_buf_gc(md_size, gc); - mbedtls_md(md_info, cert->raw.p, cert->tbs.len, BPTR(&fingerprint)); + mbedtls_md(md_info, cert->raw.p, cert->raw.len, BPTR(&fingerprint)); ASSERT(buf_inc_len(&fingerprint, md_size)); return fingerprint; }