From: Steffan Karger
Date: Thu, 15 Oct 2015 22:43:15 +0000 (+0200)
Subject: polarssl: add --verify-client-cert optional support
X-Git-Tag: v2.4_alpha1~206
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f107c62051ebbf4a2b661fcba8703fe26485c7af;p=thirdparty%2Fopenvpn.git

polarssl: add --verify-client-cert optional support

This adds support for the --verify-client-cert optional option in PolarSSL builds, as was earlier added for OpenSSL builds by Jan-Just Keijser. This patch also adds an additional sanity check that this option may only be used in combination with some other authentication method, and changes the warning message about this option to be displayed only once on startup, instead of for each connecting client.

Signed-off-by: Steffan Karger
Acked-by: Jan Just Keijser
Message-Id: <1444948995-18720-3-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10288
Signed-off-by: Gert Doering
---
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index 8de4c3cc2..901d71020 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -2049,8 +2049,8 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
|| PLUGIN_OPTION_LIST (options)
|| MAN_CLIENT_AUTH_ENABLED (options));
const char *postfix = "must be used with --management-client-auth, an --auth-user-pass-verify script, or plugin";
- if ((options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) && !ccnr)
- msg (M_USAGE, "--client-cert-not-required %s", postfix);
+ if ((options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)) && !ccnr)
+ msg (M_USAGE, "--verify-client-cert none|optional %s", postfix);
if ((options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME) && !ccnr)
msg (M_USAGE, "--username-as-common-name %s", postfix);
if ((options->ssl_flags & SSLF_AUTH_USER_PASS_OPTIONAL) && !ccnr)
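Review bot: The usage error now reads `--verify-client-cert none|optional %s` for SSLF_CLIENT_CERT_NOT_REQUIRED as well, so an operator who wrote the older `--client-cert-not-required` (still accepted, per the "require --mode server" message in the next hunk) is told about an option they did not use; the startup warning added at 2132 names both spellings, and this message should match it: `msg (M_USAGE, "--verify-client-cert none|optional (or --client-cert-not-required) %s", postfix);`. The same two-flag mask `(SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL)` is now spelled out three times in options_postprocess_verify_ce (here and in the hunks at 2084 and 2132); a single named mask would keep the three checks in step if another mode is ever added. options_postprocess_verify_ce starts and ends outside this hunk.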
@@ -2084,7 +2084,7 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
msg (M_USAGE, "--duplicate-cn requires --mode server");
if (options->cf_max || options->cf_per)
msg (M_USAGE, "--connect-freq requires --mode server");
- if (options->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED || options->ssl_flags & SSLF_CLIENT_CERT_OPTIONAL)
+ if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
msg (M_USAGE, "--client-cert-not-required and --verify-client-cert require --mode server");
if (options->ssl_flags & SSLF_USERNAME_AS_COMMON_NAME)
msg (M_USAGE, "--username-as-common-name requires --mode server");
@@ -2132,6 +2132,13 @@ options_postprocess_verify_ce (const struct options *options, const struct conne
(options->shared_secret_file != NULL) > 1)
msg (M_USAGE, "specify only one of --tls-server, --tls-client, or --secret");
+ if (options->ssl_flags & (SSLF_CLIENT_CERT_NOT_REQUIRED|SSLF_CLIENT_CERT_OPTIONAL))
+ {
+ msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION " "--verify-client-cert none|optional (or --client-cert-not-required) " "may accept clients which do not present a certificate");
+ }
+
if (options->tls_server || options->tls_client)
{
#ifdef ENABLE_PKCS11
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 0bf15b3e1..4430fec2d 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -255,14 +255,12 @@ tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags)
#if P2MP_SERVER
if (ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
{
- msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION " "--client-cert-not-required and --verify-client-cert none " "may accept clients which do not present a certificate");
-
flags = 0;
}
else if (ssl_flags & SSLF_CLIENT_CERT_OPTIONAL)
- flags = SSL_VERIFY_PEER;
+ {
+ flags = SSL_VERIFY_PEER;
+ }
#endif
SSL_CTX_set_verify (ctx->ctx, flags, verify_callback);
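Review bot: The warning block added at 2132 has no comment saying why it now lives in options_postprocess_verify_ce instead of next to the SSL_CTX_set_verify / ssl_set_authmode calls it used to sit beside, and the reason (one message at startup rather than one per connecting client, as the commit message explains) is not visible from the code of this function, which starts and ends outside the hunk. I would put `/* Warn once at startup; the TLS backends no longer warn per connecting client. */` above the new `if`. It is also worth a comment that this warning is reached only after the `ccnr` check at 2049 has already aborted configurations that pair these modes with no other authentication method, so the warning describes a weakened but not unauthenticated setup.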
diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c
index 27cd7355d..cf38e6943 100644
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
@@ -776,18 +776,16 @@ void key_state_ssl_init(struct key_state_ssl *ks_ssl,
/* Initialise SSL verification */
#if P2MP_SERVER
- if (session->opt->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
+ if (session->opt->ssl_flags & SSLF_CLIENT_CERT_OPTIONAL)
{
- msg (M_WARN, "WARNING: POTENTIALLY DANGEROUS OPTION " "--client-cert-not-required may accept clients which do not present " "a certificate");
+ ssl_set_authmode(ks_ssl->ctx, SSL_VERIFY_OPTIONAL);
}
- else
+ else if (!(session->opt->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED))
#endif
{
ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_REQUIRED);
- ssl_set_verify (ks_ssl->ctx, verify_callback, session);
}
+ ssl_set_verify (ks_ssl->ctx, verify_callback, session);
/* TODO: PolarSSL does not currently support sending the CA chain to the client */
ssl_set_ca_chain (ks_ssl->ctx, ssl_ctx->ca_chain, NULL, NULL );
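Review bot: The `--verify-client-cert none` case is the only one that never calls ssl_set_authmode: when SSLF_CLIENT_CERT_NOT_REQUIRED is set the new `else if` skips the SSL_VERIFY_REQUIRED block and, as far as I can tell, leaves the context at PolarSSL's default authmode, so the least strict mode is the one the code does not spell out. Making all three modes explicit with an `ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_NONE)` branch keeps the verification policy auditable in one place and removes the dependency on the library default; the rewrite below does that (key_state_ssl_init starts and ends outside the hunk). While there, the added `ssl_set_authmode(ks_ssl->ctx, SSL_VERIFY_OPTIONAL);` lacks the space before the parenthesis that the rest of this file uses. Also worth covering with a test: if I remember PolarSSL's certificate parsing correctly, SSL_VERIFY_OPTIONAL lets the handshake continue even when a presented certificate fails verification, so refusing a client that presents an untrusted certificate under `optional` depends on what OpenVPN does with verify_callback's result after the handshake, which this hunk does not show.
```c
#if P2MP_SERVER
  if (session->opt->ssl_flags & SSLF_CLIENT_CERT_OPTIONAL)
    {
      ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_OPTIONAL);
    }
  else if (session->opt->ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED)
    {
      /* --verify-client-cert none: state the relaxed mode explicitly
       * rather than relying on the library default. */
      ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_NONE);
    }
  else
#endif
    {
      ssl_set_authmode (ks_ssl->ctx, SSL_VERIFY_REQUIRED);
    }
  ssl_set_verify (ks_ssl->ctx, verify_callback, session);
  /* … unchanged: ssl_set_ca_chain … */
```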