From: Steffan Karger Date: Tue, 3 May 2016 20:14:38 +0000 (+0200) Subject: mbedtls: improve error reporting in tls verify callback X-Git-Tag: v2.4_alpha1~99 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=524999ab35c79f0d9732647756ad6e4d4e11d73d;p=thirdparty%2Fopenvpn.git mbedtls: improve error reporting in tls verify callback Instead of just printing the contents of the flags variable, try to convert it to a human-readable error string and print that instead. This will for example print "The certificate is signed with an unacceptable key (eg bad curve, RSA too short).", instead of "flags=10000". Signed-off-by: Steffan Karger Acked-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <1462306478-21059-1-git-send-email-steffan@karger.me> URL: http://article.gmane.org/gmane.network.openvpn.devel/11594 Signed-off-by: Gert Doering --- diff --git a/Changes.rst b/Changes.rst index 5034b156b..dc9131b84 100644 --- a/Changes.rst +++ b/Changes.rst @@ -91,10 +91,13 @@ User-visible Changes * Non-ephemeral key exchange using static (EC)DH keys * DSS private keys -- PolarSSL builds: changed the tls_digest_N values exported to the script +- mbed TLS builds: changed the tls_digest_N values exported to the script environment to be equal to the ones exported by OpenSSL builds, namely the certificate fingerprint (was the hash of the 'to be signed' data). +- mbed TLS builds: minimum RSA key size is now 2048 bits. Shorter keys will + not be accepted, both local and from the peer. + Maintainer-visible changes -------------------------- diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index ffe196ec0..e59dedbc1 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -65,13 +65,27 @@ verify_callback (void *session_obj, mbedtls_x509_crt *cert, int cert_depth, /* did peer present cert which was signed by our root cert? */ if (*flags != 0) { + int ret = 0; + char errstr[512] = { 0 }; char *subject = x509_get_subject(cert, &gc); + ret = mbedtls_x509_crt_verify_info (errstr, sizeof(errstr)-1, "", *flags); + if (ret <= 0 && !openvpn_snprintf(errstr, sizeof(errstr), + "Could not retrieve error string, flags=%"PRIx32, *flags)) + { + errstr[0] = '\0'; + } + if (subject) - msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, flags=%x, %s", cert_depth, *flags, subject); + { + msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, subject=%s: %s", + cert_depth, subject, errstr); + } else - msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, flags=%x, could not extract X509 " - "subject string from certificate", *flags, cert_depth); + { + msg (D_TLS_ERRORS, "VERIFY ERROR: depth=%d, (could not extract X509 " + "subject string from certificate): %s", cert_depth, errstr); + } /* Leave flags set to non-zero to indicate that the cert is not ok */ }