diff options
-rw-r--r-- | src/openvpn/init.c | 1 | ||||
-rw-r--r-- | src/openvpn/options.c | 26 | ||||
-rw-r--r-- | src/openvpn/options.h | 1 | ||||
-rw-r--r-- | src/openvpn/ssl_common.h | 1 | ||||
-rw-r--r-- | src/openvpn/ssl_verify_mbedtls.c | 16 | ||||
-rw-r--r-- | src/openvpn/ssl_verify_openssl.c | 2 |
6 files changed, 33 insertions, 14 deletions
diff --git a/src/openvpn/init.c b/src/openvpn/init.c index c023b33..d358ad0 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3347,6 +3347,7 @@ do_init_crypto_tls(struct context *c, const unsigned int flags) to.verify_hash = options->verify_hash; to.verify_hash_algo = options->verify_hash_algo; to.verify_hash_depth = options->verify_hash_depth; + to.verify_hash_no_ca = options->verify_hash_no_ca; #ifdef ENABLE_X509ALTUSERNAME memcpy(to.x509_username_field, options->x509_username_field, sizeof(to.x509_username_field)); #else diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 6d8ae57..efddc58 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -2989,21 +2989,11 @@ options_postprocess_verify_ce(const struct options *options, else { #ifdef ENABLE_CRYPTO_MBEDTLS - if (!(options->ca_file)) - { - msg(M_USAGE, "You must define CA file (--ca)"); - } - if (options->ca_path) { msg(M_USAGE, "Parameter --capath cannot be used with the mbed TLS version version of OpenVPN."); } -#else /* ifdef ENABLE_CRYPTO_MBEDTLS */ - if ((!(options->ca_file)) && (!(options->ca_path))) - { - msg(M_USAGE, "You must define CA file (--ca) or CA path (--capath)"); - } -#endif +#endif /* ifdef ENABLE_CRYPTO_MBEDTLS */ if (pull) { @@ -3735,6 +3725,13 @@ options_postprocess_mutate(struct options *o, struct env_set *es) options_postprocess_http_proxy_override(o); } #endif + if (!o->ca_file && !o->ca_path && o->verify_hash + && o->verify_hash_depth == 0) + { + msg(M_INFO, "Using certificate fingerprint to verify peer (no CA " + "option set). "); + o->verify_hash_no_ca = true; + } if (o->config && streq(o->config, "stdin") && o->remap_sigusr1 == SIGHUP) { @@ -4030,8 +4027,11 @@ options_postprocess_filechecks(struct options *options) errs |= check_file_access_inline(options->dh_file_inline, CHKACC_FILE, options->dh_file, R_OK, "--dh"); - errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE, - options->ca_file, R_OK, "--ca"); + if (!options->verify_hash_no_ca) + { + errs |= check_file_access_inline(options->ca_file_inline, CHKACC_FILE, + options->ca_file, R_OK, "--ca"); + } errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->ca_path, R_OK, "--capath"); diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 95f1158..f5890b9 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h @@ -604,6 +604,7 @@ struct options struct verify_hash_list *verify_hash; hash_algo_type verify_hash_algo; int verify_hash_depth; + bool verify_hash_no_ca; unsigned int ssl_flags; /* set to SSLF_x flags from ssl.h */ #ifdef ENABLE_PKCS11 diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h index c0b3caa..27b0294 100644 --- a/src/openvpn/ssl_common.h +++ b/src/openvpn/ssl_common.h @@ -345,6 +345,7 @@ struct tls_options const char *remote_cert_eku; struct verify_hash_list *verify_hash; int verify_hash_depth; + bool verify_hash_no_ca; hash_algo_type verify_hash_algo; #ifdef ENABLE_X509ALTUSERNAME char *x509_username_field[MAX_PARMS]; diff --git a/src/openvpn/ssl_verify_mbedtls.c b/src/openvpn/ssl_verify_mbedtls.c index c9ef7a1..e3437f7 100644 --- a/src/openvpn/ssl_verify_mbedtls.c +++ b/src/openvpn/ssl_verify_mbedtls.c @@ -62,6 +62,22 @@ verify_callback(void *session_obj, mbedtls_x509_crt *cert, int cert_depth, struct buffer cert_fingerprint = x509_get_sha256_fingerprint(cert, &gc); cert_hash_remember(session, cert_depth, &cert_fingerprint); + if (session->opt->verify_hash_no_ca) + { + /* + * If we decide to verify the peer certificate based on the fingerprint + * we ignore wrong dates and the certificate not being trusted. + * Any other problem with the certificate (wrong key, bad cert,...) + * will still trigger an error. + * Clearing these flags relies on verify_cert will later rejecting a + * certificate that has no matching fingerprint. + */ + uint32_t flags_ignore = MBEDTLS_X509_BADCERT_NOT_TRUSTED + | MBEDTLS_X509_BADCERT_EXPIRED + | MBEDTLS_X509_BADCERT_FUTURE; + *flags = *flags & ~flags_ignore; + } + /* did peer present cert which was signed by our root cert? */ if (*flags != 0) { diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index ac36f09..e24ce4e 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -67,7 +67,7 @@ verify_callback(int preverify_ok, X509_STORE_CTX *ctx) cert_hash_remember(session, X509_STORE_CTX_get_error_depth(ctx), &cert_hash); /* did peer present cert which was signed by our root cert? */ - if (!preverify_ok) + if (!preverify_ok && !session->opt->verify_hash_no_ca) { /* get the X509 name */ char *subject = x509_get_subject(current_cert, &gc); |