author | Arne Schwabe | 2021-03-21 15:33:53 +0100 |
committer | Gert Doering | 2021-03-21 19:45:43 +0100 |
commit | c3a7065d5bec0ca4ad479e27c124e74fbd7c2234 (patch) | |
tree | 08f4093d2ad68b69f9c4ffd4cd4e43b6ea71b5c5 /src/openvpn/ssl_verify.c | |
parent | d1fe6d52ca066ec2d49712081d5056825c8973b2 (diff) | |
Implement peer-fingerprint to check fingerprint of peer certificate
This option allows pinning one or more peer certificates. It also
prepares for doing TLS authentication without a CA and just
self-signed certificates.
Patch V2: Allow peer-fingerprint to be specified multiple times
to allow multiple peers without needing to use inline
syntax. (e.g. on command line).
Patch V3: rebase on v3 of 1/4, reword message of verify-hash and
peer-fingerprint incompatibility
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Antonio Quartulli <antonio@openvpn.net>
Message-Id: <20210321143353.2677-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/search?l=mid&q=20210321143353.2677-1-arne@rfc2549.org
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/ssl_verify.c')
-rw-r--r-- | src/openvpn/ssl_verify.c | 19 |
1 files changed, 11 insertions, 8 deletions
diff --git a/src/openvpn/ssl_verify.c b/src/openvpn/ssl_verify.c
index 06de0f5..923eac9 100644
--- a/src/openvpn/ssl_verify.c
+++ b/src/openvpn/ssl_verify.c
@@ -721,19 +721,18 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep
 goto cleanup; /* Reject connection */
 }
- /* verify level 1 cert, i.e. the CA that signed our leaf cert */
- if (cert_depth == 1 && opt->verify_hash)
+ if (cert_depth == opt->verify_hash_depth && opt->verify_hash)
 {
- struct buffer ca_hash = {0};
+ struct buffer cert_fp = {0};
 switch (opt->verify_hash_algo)
 {
 case MD_SHA1:
- ca_hash = x509_get_sha1_fingerprint(cert, &gc);
+ cert_fp = x509_get_sha1_fingerprint(cert, &gc);
 break;
 case MD_SHA256:
- ca_hash = x509_get_sha256_fingerprint(cert, &gc);
+ cert_fp = x509_get_sha256_fingerprint(cert, &gc);
 break;
 default:
@@ -752,8 +751,8 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep
 while (current_hash)
 {
- if (memcmp_constant_time(BPTR(&ca_hash), current_hash->hash,
- BLEN(&ca_hash)) == 0)
+ if (memcmp_constant_time(BPTR(&cert_fp), current_hash->hash,
+ BLEN(&cert_fp)) == 0)
 {
 break;
 }
@@ -762,7 +761,11 @@ verify_cert(struct tls_session *session, openvpn_x509_cert_t *cert, int cert_dep
 if (!current_hash)
 {
- msg(D_TLS_ERRORS, "TLS Error: --tls-verify certificate hash verification failed");
+ const char *hex_fp = format_hex_ex(BPTR(&cert_fp), BLEN(&cert_fp),
+ 0, 1, ":", &gc);
+ msg(D_TLS_ERRORS, "TLS Error: --tls-verify/--peer-fingerprint"
+ "certificate hash verification failed. (got "
+ "fingerprint: %s", hex_fp);
 goto cleanup;
 }
 } |
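Review bot: The new error message in the third hunk has no space between the adjacent literals `"--peer-fingerprint"` and `"certificate hash ..."`, so the logged text reads `--peer-fingerprintcertificate`, and the parenthesis opened by `(got` is never closed. Operators will copy the logged fingerprint into their --peer-fingerprint configuration, so the line should be unambiguous: `msg(D_TLS_ERRORS, "TLS Error: --tls-verify/--peer-fingerprint " "certificate hash verification failed. (got " "fingerprint: %s)", hex_fp);`. The first hunk drops the comment that said which certificate depth is checked; a replacement such as `/* check the fingerprint of the cert at the configured depth (1 = the CA that signed the leaf) */` above the new `if` would keep that intent visible now that the depth is configurable. The constant-time compare reads `BLEN(&cert_fp)` bytes of every `current_hash->hash` entry, which presumably relies on option parsing having rejected hashes whose length does not match `verify_hash_algo` — worth confirming at the parsing site. verify_cert begins before the first hunk and continues past the last one.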