[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/466?usp=email )

Change subject: Implement the --tls-export-cert feature
..

Implement the --tls-export-cert feature

This is a re-implementation of the --tls-export-cert feature. This was
necessary due to missing approval to re-license the old (now removed)
code.

The re-implementation is based on the following description of the
feature provided by David:

Add an option to export certificate in PEM format of the remote peer to
a given directory. For example: --tls-export-cert /var/tmp

This option should use a randomised filename, which is provided via a
"peer_cert" environment variable for the --tls-verify script or the
OPENVPN_PLUGIN_TLS_VERIFY plug-in hook. Once the script or plugin call
has completed, OpenVPN should delete this file.

Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
Message-Id: <20240116101556.2257-1-g...@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28014.html
Signed-off-by: Gert Doering
---
M doc/man-sections/script-options.rst
M src/openvpn/init.c
M src/openvpn/options.c
M src/openvpn/options.h
M src/openvpn/ssl_common.h
M src/openvpn/ssl_verify.c
M src/openvpn/ssl_verify_backend.h
M src/openvpn/ssl_verify_mbedtls.c
M src/openvpn/ssl_verify_openssl.c
9 files changed, 145 insertions(+), 5 deletions(-)

diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index 6f90e14..e05100a 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst
@@ -423,6 +423,14 @@ See the `Environmental Variables`_ section below for additional parameters passed as environmental variables. +--tls-export-cert dir + Adds an environment variable ``peer_cert`` when calling the + ``--tls-verify`` script or executing the OPENVPN_PLUGIN_TLS_VERIFY plugin + hook to verify the certificate. + + The environment variable contains the path to a PEM encoded certificate + of the current peer certificate in the directory ``dir``. + --up cmd Run command ``cmd`` after successful TUN/TAP device open (pre ``--user`` UID change). @@ -633,6 +641,7 @@ Name of first ``--config`` file. Set on program initiation and reset on SIGHUP. + :code:`daemon` Set to "1" if the ``--daemon`` directive is specified, or "0" otherwise. Set on program initiation and reset on SIGHUP. @@ -763,6 +772,11 @@ modifier is specified, and deleted from the environment after the script returns. +:code:`peer_cert` +If the option ``--tls-export-cert`` is enabled, this option contains +the path to the current peer certificate to be verified in PEM format. +See also the argument certificate_depth to the ``--tls-verify`` command. + :code:`proto` The ``--proto`` parameter. Set on program initiation and reset on SIGHUP. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 9e2b3845..c5cc154 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3336,6 +3336,7 @@ to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file; to.client_crresponse_script = options->client_crresponse_script; to.tmp_dir = options->tmp_dir; +to.export_peer_cert_dir = options->tls_export_peer_cert_dir; if (options->ccd_exclusive) { to.client_config_dir_exclusive = options->client_config_dir; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index f54f276..6975cbe 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -1995,6 +1995,7 @@ SHOW_STR(cipher_list_tls13); SHOW_STR(tls_cert_profile); SHOW_STR(tls_verify); +SHOW_STR(tls_export_peer_cert_dir); SHOW_INT(verify_x509_type); SHOW_STR(verify_x509_name); SHOW_STR_INLINE(crl_file); @@ -3062,6 +3063,7 @@ MUST_BE_UNDEF(cipher_list_tls13); MUST_BE_UNDEF(tls_cert_profile); MUST_BE_UNDEF(tls_verify); +MUST_BE_UNDEF(tls_export_peer_cert_dir); MUST_BE_UNDEF(verify_x509_name); MUST_BE_UNDEF(tls_timeout); MUST_BE_UNDEF(renegotiate_bytes); @@ -4092,6 +4094,13 @@ R_OK, "--crl-verify"); } +if (options->tls_export_peer_cert_dir) +{ +errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, + options->tls_export_peer_cert_dir, + W_OK, "--tls-export-cert"); +} + ASSERT(options->connection_list); for (int i = 0; i < options->connection_list->len; ++i) { @@ -9041,6 +9050,11 @@ string_substitute(p[1], ',', ' ', >gc), "tls-verify", true); } +else if (streq(p[0], "tls-export-cert") && p[1] && !p[2]) +{ +
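Review bot: the option text in the script-options.rst hunk at @@ -423 leaves out two properties that the commit message promises and that a script author has to know: the file name is randomised per call, and OpenVPN unlinks the file as soon as the --tls-verify script or plugin hook returns, so anything that wants the certificate afterwards must copy it inside the hook. Suggest adding a sentence along the lines of "The file has a randomised name and is removed after the script or plugin hook has returned." and tightening "a PEM encoded certificate of the current peer certificate" to "the certificate currently being verified, PEM encoded".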
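Review bot: the startup check in the options.c hunk at @@ -4092 calls check_file_access_chroot with CHKACC_FILE and W_OK, which only confirms that the path exists and is writable, not that it is a directory; a writable regular file passed as `dir` passes this check and the misconfiguration only surfaces when the first certificate is written during a handshake. A stat()-based S_ISDIR check next to the W_OK test would reject it at config-parse time, and since the argument is stored as given (see the parser hunk at @@ -9041), the man page text should state that a relative `dir` is resolved after --cd and --chroot take effect.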
[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
cron2 has uploaded a new patch set (#13) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/466?usp=email )

The following approvals got outdated and were removed: Code-Review+2 by cron2

Change subject: Implement the --tls-export-cert feature
..

Implement the --tls-export-cert feature

This is a re-implementation of the --tls-export-cert feature. This was
necessary due to missing approval to re-license the old (now removed)
code.

The re-implementation is based on the following description of the
feature provided by David:

Add an option to export certificate in PEM format of the remote peer to
a given directory. For example: --tls-export-cert /var/tmp

This option should use a randomised filename, which is provided via a
"peer_cert" environment variable for the --tls-verify script or the
OPENVPN_PLUGIN_TLS_VERIFY plug-in hook. Once the script or plugin call
has completed, OpenVPN should delete this file.

Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
Message-Id: <20240116101556.2257-1-g...@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28014.html
Signed-off-by: Gert Doering
---
M doc/man-sections/script-options.rst
M src/openvpn/init.c
M src/openvpn/options.c
M src/openvpn/options.h
M src/openvpn/ssl_common.h
M src/openvpn/ssl_verify.c
M src/openvpn/ssl_verify_backend.h
M src/openvpn/ssl_verify_mbedtls.c
M src/openvpn/ssl_verify_openssl.c
9 files changed, 145 insertions(+), 5 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/66/466/13

diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index 6f90e14..e05100a 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst
@@ -423,6 +423,14 @@ See the `Environmental Variables`_ section below for additional parameters passed as environmental variables. +--tls-export-cert dir + Adds an environment variable ``peer_cert`` when calling the + ``--tls-verify`` script or executing the OPENVPN_PLUGIN_TLS_VERIFY plugin + hook to verify the certificate. + + The environment variable contains the path to a PEM encoded certificate + of the current peer certificate in the directory ``dir``. + --up cmd Run command ``cmd`` after successful TUN/TAP device open (pre ``--user`` UID change). @@ -633,6 +641,7 @@ Name of first ``--config`` file. Set on program initiation and reset on SIGHUP. + :code:`daemon` Set to "1" if the ``--daemon`` directive is specified, or "0" otherwise. Set on program initiation and reset on SIGHUP. @@ -763,6 +772,11 @@ modifier is specified, and deleted from the environment after the script returns. +:code:`peer_cert` +If the option ``--tls-export-cert`` is enabled, this option contains +the path to the current peer certificate to be verified in PEM format. +See also the argument certificate_depth to the ``--tls-verify`` command. + :code:`proto` The ``--proto`` parameter. Set on program initiation and reset on SIGHUP. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 9e2b3845..c5cc154 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3336,6 +3336,7 @@ to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file; to.client_crresponse_script = options->client_crresponse_script; to.tmp_dir = options->tmp_dir; +to.export_peer_cert_dir = options->tls_export_peer_cert_dir; if (options->ccd_exclusive) { to.client_config_dir_exclusive = options->client_config_dir; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index f54f276..6975cbe 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -1995,6 +1995,7 @@ SHOW_STR(cipher_list_tls13); SHOW_STR(tls_cert_profile); SHOW_STR(tls_verify); +SHOW_STR(tls_export_peer_cert_dir); SHOW_INT(verify_x509_type); SHOW_STR(verify_x509_name); SHOW_STR_INLINE(crl_file); @@ -3062,6 +3063,7 @@ MUST_BE_UNDEF(cipher_list_tls13); MUST_BE_UNDEF(tls_cert_profile); MUST_BE_UNDEF(tls_verify); +MUST_BE_UNDEF(tls_export_peer_cert_dir); MUST_BE_UNDEF(verify_x509_name); MUST_BE_UNDEF(tls_timeout); MUST_BE_UNDEF(renegotiate_bytes); @@ -4092,6 +4094,13 @@ R_OK, "--crl-verify"); } +if (options->tls_export_peer_cert_dir) +{ +errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, + options->tls_export_peer_cert_dir, + W_OK, "--tls-export-cert"); +} + ASSERT(options->connection_list); for (int i = 0; i < options->connection_list->len; ++i) { @@ -9041,6 +9050,11 @@
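Review bot: in the environment-variable entry of the script-options.rst hunk at @@ -763, "this option contains the path to the current peer certificate" should read "this variable contains the path ...", since :code:`peer_cert` is an environment variable and the option is ``--tls-export-cert``. The cross-reference to certificate_depth is worth keeping because the same variable is exported once per chain level, but mark it up as ``certificate_depth`` like the other literals in the file.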
[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/466?usp=email )

Change subject: Implement the --tls-export-cert feature
..

Patch Set 12: Code-Review+2

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/466?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Gerrit-Change-Number: 466
Gerrit-PatchSet: 12
Gerrit-Owner: plaisthos
Gerrit-Reviewer: cron2
Gerrit-Reviewer: flichtenheld
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Attention: flichtenheld
Gerrit-Comment-Date: Tue, 16 Jan 2024 10:15:28 +
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
Attention is currently required from: cron2, flichtenheld, plaisthos.

Hello cron2, flichtenheld,

I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/466?usp=email to look at the new patch set (#12).

The following approvals got outdated and were removed: Code-Review-1 by cron2

Change subject: Implement the --tls-export-cert feature
..

Implement the --tls-export-cert feature

This is a re-implementation of the --tls-export-cert feature. This was
necessary due to missing approval to re-license the old (now removed)
code.

The re-implementation is based on the following description of the
feature provided by David:

Add an option to export certificate in PEM format of the remote peer to
a given directory. For example: --tls-export-cert /var/tmp

This option should use a randomised filename, which is provided via a
"peer_cert" environment variable for the --tls-verify script or the
OPENVPN_PLUGIN_TLS_VERIFY plug-in hook. Once the script or plugin call
has completed, OpenVPN should delete this file.

Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Signed-off-by: Arne Schwabe
---
M doc/man-sections/script-options.rst
M src/openvpn/init.c
M src/openvpn/options.c
M src/openvpn/options.h
M src/openvpn/ssl_common.h
M src/openvpn/ssl_verify.c
M src/openvpn/ssl_verify_backend.h
M src/openvpn/ssl_verify_mbedtls.c
M src/openvpn/ssl_verify_openssl.c
9 files changed, 145 insertions(+), 5 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/66/466/12

diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index 6f90e14..e05100a 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst
@@ -423,6 +423,14 @@ See the `Environmental Variables`_ section below for additional parameters passed as environmental variables. +--tls-export-cert dir + Adds an environment variable ``peer_cert`` when calling the + ``--tls-verify`` script or executing the OPENVPN_PLUGIN_TLS_VERIFY plugin + hook to verify the certificate. + + The environment variable contains the path to a PEM encoded certificate + of the current peer certificate in the directory ``dir``. + --up cmd Run command ``cmd`` after successful TUN/TAP device open (pre ``--user`` UID change). @@ -633,6 +641,7 @@ Name of first ``--config`` file. Set on program initiation and reset on SIGHUP. + :code:`daemon` Set to "1" if the ``--daemon`` directive is specified, or "0" otherwise. Set on program initiation and reset on SIGHUP. @@ -763,6 +772,11 @@ modifier is specified, and deleted from the environment after the script returns. +:code:`peer_cert` +If the option ``--tls-export-cert`` is enabled, this option contains +the path to the current peer certificate to be verified in PEM format. +See also the argument certificate_depth to the ``--tls-verify`` command. + :code:`proto` The ``--proto`` parameter. Set on program initiation and reset on SIGHUP. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 9e2b3845..c5cc154 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3336,6 +3336,7 @@ to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file; to.client_crresponse_script = options->client_crresponse_script; to.tmp_dir = options->tmp_dir; +to.export_peer_cert_dir = options->tls_export_peer_cert_dir; if (options->ccd_exclusive) { to.client_config_dir_exclusive = options->client_config_dir; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index f54f276..6975cbe 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -1995,6 +1995,7 @@ SHOW_STR(cipher_list_tls13); SHOW_STR(tls_cert_profile); SHOW_STR(tls_verify); +SHOW_STR(tls_export_peer_cert_dir); SHOW_INT(verify_x509_type); SHOW_STR(verify_x509_name); SHOW_STR_INLINE(crl_file); @@ -3062,6 +3063,7 @@ MUST_BE_UNDEF(cipher_list_tls13); MUST_BE_UNDEF(tls_cert_profile); MUST_BE_UNDEF(tls_verify); +MUST_BE_UNDEF(tls_export_peer_cert_dir); MUST_BE_UNDEF(verify_x509_name); MUST_BE_UNDEF(tls_timeout); MUST_BE_UNDEF(renegotiate_bytes); @@ -4092,6 +4094,13 @@ R_OK, "--crl-verify"); } +if (options->tls_export_peer_cert_dir) +{ +errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, + options->tls_export_peer_cert_dir, + W_OK, "--tls-export-cert"); +} + ASSERT(options->connection_list); for (int i = 0; i < options->connection_list->len; ++i) { @@ -9041,6 +9050,11 @@ string_substitute(p[1], ',', ' ', >gc), "tls-verify", true);
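Review bot: the script-options.rst hunk at @@ -633 only inserts a blank line in front of :code:`daemon`, which is unrelated to --tls-export-cert; drop it from this change or move it to a separate whitespace cleanup so the diff of the feature stays reviewable.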
[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/466?usp=email )

The change is no longer submittable: Code-Review is unsatisfied now.

Change subject: Implement the --tls-export-cert feature
..

Patch Set 11: Code-Review-1

(1 comment)

Patchset:

PS11:
As much as it pains me, this needs to do another round - it now calls "unlink(NULL)" if the feature is not active. GHA/ASAN on ubuntu 20 found this.

--
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Gerrit-Change-Number: 466
Gerrit-PatchSet: 11
Gerrit-Owner: plaisthos
Gerrit-Reviewer: cron2
Gerrit-Reviewer: flichtenheld
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Attention: flichtenheld
Gerrit-Comment-Date: Sat, 13 Jan 2024 12:11:20 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/466?usp=email )

Change subject: Implement the --tls-export-cert feature
..

Patch Set 11: Code-Review+2

(1 comment)

Patchset:

PS11:
as simple as it gets now :-) - I like that.

--
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Gerrit-Change-Number: 466
Gerrit-PatchSet: 11
Gerrit-Owner: plaisthos
Gerrit-Reviewer: cron2
Gerrit-Reviewer: flichtenheld
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Attention: flichtenheld
Gerrit-Comment-Date: Fri, 12 Jan 2024 18:19:01 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
Attention is currently required from: cron2, flichtenheld, plaisthos.

Hello cron2, flichtenheld,

I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/466?usp=email to look at the new patch set (#11).

The following approvals got outdated and were removed: Code-Review+2 by cron2

The change is no longer submittable: Code-Review and checks~ChecksSubmitRule are unsatisfied now.

Change subject: Implement the --tls-export-cert feature
..

Implement the --tls-export-cert feature

This is a re-implementation of the --tls-export-cert feature. This was
necessary due to missing approval to re-license the old (now removed)
code.

The re-implementation is based on the following description of the
feature provided by David:

Add an option to export certificate in PEM format of the remote peer to
a given directory. For example: --tls-export-cert /var/tmp

This option should use a randomised filename, which is provided via a
"peer_cert" environment variable for the --tls-verify script or the
OPENVPN_PLUGIN_TLS_VERIFY plug-in hook. Once the script or plugin call
has completed, OpenVPN should delete this file.

Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Signed-off-by: Arne Schwabe
---
M doc/man-sections/script-options.rst
M src/openvpn/init.c
M src/openvpn/options.c
M src/openvpn/options.h
M src/openvpn/ssl_common.h
M src/openvpn/ssl_verify.c
M src/openvpn/ssl_verify_backend.h
M src/openvpn/ssl_verify_mbedtls.c
M src/openvpn/ssl_verify_openssl.c
9 files changed, 142 insertions(+), 5 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/66/466/11

diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index 6f90e14..e05100a 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst
@@ -423,6 +423,14 @@ See the `Environmental Variables`_ section below for additional parameters passed as environmental variables. +--tls-export-cert dir + Adds an environment variable ``peer_cert`` when calling the + ``--tls-verify`` script or executing the OPENVPN_PLUGIN_TLS_VERIFY plugin + hook to verify the certificate. + + The environment variable contains the path to a PEM encoded certificate + of the current peer certificate in the directory ``dir``. + --up cmd Run command ``cmd`` after successful TUN/TAP device open (pre ``--user`` UID change). @@ -633,6 +641,7 @@ Name of first ``--config`` file. Set on program initiation and reset on SIGHUP. + :code:`daemon` Set to "1" if the ``--daemon`` directive is specified, or "0" otherwise. Set on program initiation and reset on SIGHUP. @@ -763,6 +772,11 @@ modifier is specified, and deleted from the environment after the script returns. +:code:`peer_cert` +If the option ``--tls-export-cert`` is enabled, this option contains +the path to the current peer certificate to be verified in PEM format. +See also the argument certificate_depth to the ``--tls-verify`` command. + :code:`proto` The ``--proto`` parameter. Set on program initiation and reset on SIGHUP. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 9e2b3845..c5cc154 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3336,6 +3336,7 @@ to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file; to.client_crresponse_script = options->client_crresponse_script; to.tmp_dir = options->tmp_dir; +to.export_peer_cert_dir = options->tls_export_peer_cert_dir; if (options->ccd_exclusive) { to.client_config_dir_exclusive = options->client_config_dir; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index f54f276..6975cbe 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -1995,6 +1995,7 @@ SHOW_STR(cipher_list_tls13); SHOW_STR(tls_cert_profile); SHOW_STR(tls_verify); +SHOW_STR(tls_export_peer_cert_dir); SHOW_INT(verify_x509_type); SHOW_STR(verify_x509_name); SHOW_STR_INLINE(crl_file); @@ -3062,6 +3063,7 @@ MUST_BE_UNDEF(cipher_list_tls13); MUST_BE_UNDEF(tls_cert_profile); MUST_BE_UNDEF(tls_verify); +MUST_BE_UNDEF(tls_export_peer_cert_dir); MUST_BE_UNDEF(verify_x509_name); MUST_BE_UNDEF(tls_timeout); MUST_BE_UNDEF(renegotiate_bytes); @@ -4092,6 +4094,13 @@ R_OK, "--crl-verify"); } +if (options->tls_export_peer_cert_dir) +{ +errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, + options->tls_export_peer_cert_dir, + W_OK, "--tls-export-cert"); +} + ASSERT(options->connection_list); for (int i = 0; i < options->connection_list->len; ++i) { @@ -9041,6 +9050,11 @@
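Review bot: the init.c hunk at @@ -3336 copies options->tls_export_peer_cert_dir into to.export_peer_cert_dir unconditionally, and the parser only assigns that field when --tls-export-cert is present, so it is NULL in every configuration without the option. Each consumer in the (not shown here) ssl_verify.c code therefore has to test export_peer_cert_dir before building a file name or unlinking it; an unconditional unlink on the derived path is exactly the unlink(NULL) that the reviewer reports ASAN catching on this patch set.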
[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/466?usp=email )

Change subject: Implement the --tls-export-cert feature
..

Patch Set 10: Code-Review+2

(1 comment)

Patchset:

PS10:
OK, this seems to be doing what the (old) manpage leads me to expect

- for each level of certificates, --tls-verify is called once (so "1x for level 0, 1x for level 1" if no intermediate CAs are used) - this was not clear to me initially, that it's indeed called multiple times.
- depending on the level of call, exactly one `$peer_cert_` env variable is set, and that certificate file exists
- on level 0, `$peer_cert` is set as well
- indeed, different certs show up in these files

The old code only ever sets `peer_cert`, though, independent of the level, so I'm not sure having a (single) `$peer_cert_` variable is that useful - if it's only one, `peer_cert` is maybe good enough?

So we could move onward, or move to "always `$peer_cert`, no `_`...

--
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Gerrit-Change-Number: 466
Gerrit-PatchSet: 10
Gerrit-Owner: plaisthos
Gerrit-Reviewer: cron2
Gerrit-Reviewer: flichtenheld
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Attention: flichtenheld
Gerrit-Comment-Date: Sat, 06 Jan 2024 15:31:06 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
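The commit message (a randomly named PEM file handed over in `$peer_cert` and removed once the hook returns) and cron2's observation above that `--tls-verify` runs once per chain level together define the contract a verification script has to honour. The following POSIX sh script is an added example, not code from this change or from the OpenVPN project: it pins the peer's own certificate (depth 0) by the SHA-256 fingerprint of its DER encoding, accepts the CA certificates at higher depths (chain validation against `--ca` stays OpenVPN's job), and fails closed when `$peer_cert` is unset, missing, or not a complete PEM block. `PINNED_LEAF_FPS`, the function names and the `sha256_hex` helper are assumptions of this example, and the test input is a constructed PEM block whose body is a label rather than a real certificate.

```shell
#!/bin/sh
# Added example (not part of the OpenVPN change): a --tls-verify script that
# consumes the file exported by --tls-export-cert.  OpenVPN invokes it as
#     script <certificate_depth> <x509_subject>
# with the PEM path in $peer_cert; exit 0 accepts the certificate at that
# depth, any other status rejects it.  PINNED_LEAF_FPS (hypothetical, set by
# the operator) holds space-separated SHA-256 fingerprints of accepted leaves.

# hex SHA-256 of a file, using whichever tool the host provides
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# SHA-256 (lower-case hex) of the DER bytes of the first certificate block in
# a PEM file.  Returns 1 if the file is not a complete PEM certificate.
peer_cert_fingerprint() {
    pem="$1"
    grep -q '^-----BEGIN CERTIFICATE-----$' "$pem" || return 1
    grep -q '^-----END CERTIFICATE-----$' "$pem" || return 1
    der=$(mktemp) || return 1
    # keep only the base64 body between the markers and decode it
    if sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$pem" \
        | sed '1d;$d' | base64 -d > "$der" 2>/dev/null && [ -s "$der" ]; then
        sha256_hex "$der"
        rm -f "$der"
        return 0
    fi
    rm -f "$der"
    return 1
}

# Decision for one --tls-verify invocation.  Arguments mirror OpenVPN's:
#   $1 = certificate_depth (0 = the peer's own certificate, >0 = issuing CAs)
#   $2 = X.509 subject, used here only for log messages
#   $3 = path of the exported PEM (OpenVPN passes it in $peer_cert)
#   $4 = space-separated allowlist of pinned leaf fingerprints
tls_verify_check() {
    depth="$1"; subject="$2"; cert="$3"; pins="$4"
    # Feature disabled or file already gone: nothing to inspect, fail closed.
    if [ -z "$cert" ] || [ ! -f "$cert" ]; then
        echo "tls-verify: no exported peer certificate for '$subject'" >&2
        return 1
    fi
    case "$depth" in
        0) ;;                                 # the leaf: pinned below
        [1-9]|[1-9][0-9]) return 0 ;;         # CA level: chain check is OpenVPN's
        *) echo "tls-verify: unexpected depth '$depth'" >&2; return 1 ;;
    esac
    fp=$(peer_cert_fingerprint "$cert") || {
        echo "tls-verify: '$cert' is not a usable PEM certificate" >&2
        return 1
    }
    for pin in $pins; do
        [ "$fp" = "$pin" ] && return 0
    done
    echo "tls-verify: leaf fingerprint $fp of '$subject' is not pinned" >&2
    return 1
}

# When OpenVPN executes this file, apply the check to the real invocation;
# when only the functions are wanted (tests), no arguments are given.
if [ "$#" -ge 2 ]; then
    tls_verify_check "$1" "$2" "${peer_cert:-}" "${PINNED_LEAF_FPS:-}"
    exit "$?"
fi
```

Deploy it with `--script-security 2`, `--tls-verify /path/to/script` and `--tls-export-cert <dir>` in the same configuration. Because OpenVPN unlinks the exported file as soon as the hook returns, anything that needs the certificate later (an audit log entry, a copy kept for incident review) has to be done inside the hook; the script must not stash the path and expect it to resolve afterwards.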
[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
Attention is currently required from: cron2, flichtenheld.

Hello cron2, flichtenheld,

I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/466?usp=email to look at the new patch set (#10).

Change subject: Implement the --tls-export-cert feature
..

Implement the --tls-export-cert feature

This is a re-implementation of the --tls-export-cert feature. This was
necessary due to missing approval to re-license the old (now removed)
code.

The re-implementation is based on the following description of the
feature provided by David:

Add an option to export certificate in PEM format of the remote peer to
a given directory. For example: --tls-export-cert /var/tmp

This option should use a randomised filename, which is provided via a
"peer_cert" environment variable for the --tls-verify script or the
OPENVPN_PLUGIN_TLS_VERIFY plug-in hook. Once the script or plugin call
has completed, OpenVPN should delete this file.

Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Signed-off-by: Arne Schwabe
---
M doc/man-sections/script-options.rst
M src/openvpn/init.c
M src/openvpn/options.c
M src/openvpn/options.h
M src/openvpn/ssl_common.h
M src/openvpn/ssl_verify.c
M src/openvpn/ssl_verify_backend.h
M src/openvpn/ssl_verify_mbedtls.c
M src/openvpn/ssl_verify_openssl.c
9 files changed, 174 insertions(+), 5 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/66/466/10

diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index 6f90e14..53c9f97 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst
@@ -423,6 +423,15 @@ See the `Environmental Variables`_ section below for additional parameters passed as environmental variables. +--tls-export-cert dir + Adds an environment variable ``peer_cert_{x}`` (and an alias + ``peer_cert`` for ``peer_cert_0`` for compatibility) when calling the + ``--tls-verify`` script or executing the OPENVPN_PLUGIN_TLS_VERIFY plugin + hook to verify the certificate. + + The environment variable contains the path to a PEM encoded certificate + of the current peer certificate in the directory ``dir``. + --up cmd Run command ``cmd`` after successful TUN/TAP device open (pre ``--user`` UID change). @@ -763,6 +772,15 @@ modifier is specified, and deleted from the environment after the script returns. +:code:`peer_cert_{n}` +If the option ``--tls-export-cert`` is enabled, this option contains +the path to the current peer certificate to be verified in PEM format +where ``n`` is the verification level. + +:code:`peer_cert` +Identical to `peer_cert_0` for compatibility with older +versions. + :code:`proto` The ``--proto`` parameter. Set on program initiation and reset on SIGHUP. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 9e2b3845..c5cc154 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3336,6 +3336,7 @@ to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file; to.client_crresponse_script = options->client_crresponse_script; to.tmp_dir = options->tmp_dir; +to.export_peer_cert_dir = options->tls_export_peer_cert_dir; if (options->ccd_exclusive) { to.client_config_dir_exclusive = options->client_config_dir; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index e498114..b3b0a5f 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1986,6 +1986,7 @@ SHOW_STR(cipher_list_tls13); SHOW_STR(tls_cert_profile); SHOW_STR(tls_verify); +SHOW_STR(tls_export_peer_cert_dir); SHOW_INT(verify_x509_type); SHOW_STR(verify_x509_name); SHOW_STR_INLINE(crl_file); 
@@ -3048,6 +3049,7 @@ MUST_BE_UNDEF(cipher_list_tls13); MUST_BE_UNDEF(tls_cert_profile); MUST_BE_UNDEF(tls_verify); +MUST_BE_UNDEF(tls_export_peer_cert_dir); MUST_BE_UNDEF(verify_x509_name); MUST_BE_UNDEF(tls_timeout); MUST_BE_UNDEF(renegotiate_bytes); @@ -4053,6 +4055,13 @@ R_OK, "--crl-verify"); } +if (options->tls_export_peer_cert_dir) +{ +errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, + options->tls_export_peer_cert_dir, + W_OK, "--tls-export-cert"); +} + ASSERT(options->connection_list); for (int i = 0; i < options->connection_list->len; ++i) { @@ -8997,6 +9006,11 @@ string_substitute(p[1], ',', ' ', >gc), "tls-verify", true); } +else if (streq(p[0], "tls-export-cert") && p[1] && !p[2]) +{ +VERIFY_PERMISSION(OPT_P_SCRIPT); +options->tls_export_peer_cert_dir = p[1]; +} else if (streq(p[0],
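Review bot: the script-options.rst hunk at @@ -423 names the variable ``peer_cert_{x}`` while the environment-variable entry at @@ -763 names it :code:`peer_cert_{n}`; pick one placeholder, and use double backticks for `peer_cert_0` in the compatibility sentence like the other literals. The text should also say plainly that at depth n only peer_cert_{n} is set (plus the ``peer_cert`` alias at depth 0), because a script that reads ``peer_cert`` unconditionally sees it unset on every CA-level call, which is the behaviour the reviewer had to discover by testing.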
[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
Attention is currently required from: cron2, flichtenheld.

Hello cron2, flichtenheld,

I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/466?usp=email to look at the new patch set (#9).

Change subject: Implement the --tls-export-cert feature
..

Implement the --tls-export-cert feature

This is a re-implementation of the --tls-export-cert feature. This was
necessary due to missing approval to re-license the old (now removed)
code.

The re-implementation is based on the following description of the
feature provided by David:

Add an option to export certificate in PEM format of the remote peer to
a given directory. For example: --tls-export-cert /var/tmp

This option should use a randomised filename, which is provided via a
"peer_cert" environment variable for the --tls-verify script or the
OPENVPN_PLUGIN_TLS_VERIFY plug-in hook. Once the script or plugin call
has completed, OpenVPN should delete this file.

Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Signed-off-by: Arne Schwabe
---
M doc/man-sections/script-options.rst
M src/openvpn/init.c
M src/openvpn/options.c
M src/openvpn/options.h
M src/openvpn/ssl_common.h
M src/openvpn/ssl_verify.c
M src/openvpn/ssl_verify_backend.h
M src/openvpn/ssl_verify_mbedtls.c
M src/openvpn/ssl_verify_openssl.c
9 files changed, 174 insertions(+), 5 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/66/466/9

diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index 6f90e14..53c9f97 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst
@@ -423,6 +423,15 @@ See the `Environmental Variables`_ section below for additional parameters passed as environmental variables. +--tls-export-cert dir + Adds an environment variable ``peer_cert_{x}`` (and an alias + ``peer_cert`` for ``peer_cert_0`` for compatibility) when calling the + ``--tls-verify`` script or executing the OPENVPN_PLUGIN_TLS_VERIFY plugin + hook to verify the certificate. + + The environment variable contains the path to a PEM encoded certificate + of the current peer certificate in the directory ``dir``. + --up cmd Run command ``cmd`` after successful TUN/TAP device open (pre ``--user`` UID change). @@ -763,6 +772,15 @@ modifier is specified, and deleted from the environment after the script returns. +:code:`peer_cert_{n}` +If the option ``--tls-export-cert`` is enabled, this option contains +the path to the current peer certificate to be verified in PEM format +where ``n`` is the verification level. + +:code:`peer_cert` +Identical to `peer_cert_0` for compatibility with older +versions. + :code:`proto` The ``--proto`` parameter. Set on program initiation and reset on SIGHUP. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 9e2b3845..c5cc154 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3336,6 +3336,7 @@ to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file; to.client_crresponse_script = options->client_crresponse_script; to.tmp_dir = options->tmp_dir; +to.export_peer_cert_dir = options->tls_export_peer_cert_dir; if (options->ccd_exclusive) { to.client_config_dir_exclusive = options->client_config_dir; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index e498114..1c0a6bd 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1986,6 +1986,7 @@ SHOW_STR(cipher_list_tls13); SHOW_STR(tls_cert_profile); SHOW_STR(tls_verify); +SHOW_STR(tls_export_peer_cert_dir); SHOW_INT(verify_x509_type); SHOW_STR(verify_x509_name); SHOW_STR_INLINE(crl_file); 
@@ -3048,6 +3049,7 @@ MUST_BE_UNDEF(cipher_list_tls13); MUST_BE_UNDEF(tls_cert_profile); MUST_BE_UNDEF(tls_verify); +MUST_BE_UNDEF(tls_export_peer_cert_path); MUST_BE_UNDEF(verify_x509_name); MUST_BE_UNDEF(tls_timeout); MUST_BE_UNDEF(renegotiate_bytes); @@ -4053,6 +4055,13 @@ R_OK, "--crl-verify"); } +if (options->tls_export_peer_cert_dir) +{ +errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, + options->tls_export_peer_cert_dir, + W_OK, "--tls-export-cert"); +} + ASSERT(options->connection_list); for (int i = 0; i < options->connection_list->len; ++i) { @@ -8997,6 +9006,11 @@ string_substitute(p[1], ',', ' ', >gc), "tls-verify", true); } +else if (streq(p[0], "tls-export-cert") && p[1] && !p[2]) +{ +VERIFY_PERMISSION(OPT_P_SCRIPT); +options->tls_export_peer_cert_dir = p[1]; +} else if (streq(p[0],
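Review bot: the options.c hunk at @@ -3048 adds MUST_BE_UNDEF(tls_export_peer_cert_path), but every other hunk in this patch set (SHOW_STR at @@ -1986, the access check at @@ -4053, the parser at @@ -8997 and the init.c assignment) uses the field tls_export_peer_cert_dir; unless options.h declares both, this does not compile, and if it does declare both, the --config-check refusal at @@ -3048 is guarding the wrong field. Rename it to tls_export_peer_cert_dir.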
[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
Attention is currently required from: cron2, plaisthos. Hello cron2, flichtenheld, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/466?usp=email to look at the new patch set (#8). Change subject: Implement the --tls-export-cert feature .. Implement the --tls-export-cert feature This is a re-implementation of the --tls-export-cert feature. This was necessary to due to missing approval to re-license the old (now removed) code. The re-implementation is based on the following description of the feature provided by David: Add an option to export certificate in PEM format of the remote peer to a given directory. For example: --tls-export-cert /var/tmp This option should use a randomised filename, which is provided via a "peer_cert" environment variable for the --tls-verify script or the OPENVPN_PLUGIN_TLS_VERIFY plug-in hook. Once the script or plugin call has completed, OpenVPN should delete this file. Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2 Signed-off-by: Arne Schwabe --- M doc/man-sections/script-options.rst M src/openvpn/init.c M src/openvpn/options.c M src/openvpn/options.h M src/openvpn/ssl_common.h M src/openvpn/ssl_verify.c M src/openvpn/ssl_verify_backend.h M src/openvpn/ssl_verify_mbedtls.c M src/openvpn/ssl_verify_openssl.c 9 files changed, 174 insertions(+), 5 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/66/466/8 diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index 6f90e14..53c9f97 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst 
@@ -423,6 +423,15 @@ See the `Environmental Variables`_ section below for additional parameters passed as environmental variables. +--tls-export-cert dir + Adds an environment variable ``peer_cert_{x}`` (and an alias + ``peer_cert`` for ``peer_cert_0`` for compatibility) when calling the + ``--tls-verify`` script or executing the OPENVPN_PLUGIN_TLS_VERIFY plugin + hook to verify the certificate. + + The environment variable contains the path to a PEM encoded certificate + of the current peer certificate in the directory ``dir``. + --up cmd Run command ``cmd`` after successful TUN/TAP device open (pre ``--user`` UID change). @@ -763,6 +772,15 @@ modifier is specified, and deleted from the environment after the script returns. +:code:`peer_cert_{n}` +If the option ``--tls-export-cert`` is enabled, this option contains +the path to the current peer certificate to be verified in PEM format +where ``n`` is the verification level. + +:code:`peer_cert` +Identical to `peer_cert_0` for compatibility with older +versions. + :code:`proto` The ``--proto`` parameter. Set on program initiation and reset on SIGHUP. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 9e2b3845..c5cc154 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3336,6 +3336,7 @@ to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file; to.client_crresponse_script = options->client_crresponse_script; to.tmp_dir = options->tmp_dir; +to.export_peer_cert_dir = options->tls_export_peer_cert_dir; if (options->ccd_exclusive) { to.client_config_dir_exclusive = options->client_config_dir; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index e498114..ecbc63e 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1986,6 +1986,7 @@ SHOW_STR(cipher_list_tls13); SHOW_STR(tls_cert_profile); SHOW_STR(tls_verify); +SHOW_STR(tls_export_peer_cert_path); SHOW_INT(verify_x509_type); SHOW_STR(verify_x509_name); SHOW_STR_INLINE(crl_file); 
@@ -3048,6 +3049,7 @@ MUST_BE_UNDEF(cipher_list_tls13); MUST_BE_UNDEF(tls_cert_profile); MUST_BE_UNDEF(tls_verify); +MUST_BE_UNDEF(tls_export_peer_cert_path); MUST_BE_UNDEF(verify_x509_name); MUST_BE_UNDEF(tls_timeout); MUST_BE_UNDEF(renegotiate_bytes); @@ -4053,6 +4055,13 @@ R_OK, "--crl-verify"); } +if (options->tls_export_peer_cert_dir) +{ +errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, + options->tls_export_peer_cert_dir, + W_OK, "--tls-export-cert"); +} + ASSERT(options->connection_list); for (int i = 0; i < options->connection_list->len; ++i) { @@ -8997,6 +9006,11 @@ string_substitute(p[1], ',', ' ', >gc), "tls-verify", true); } +else if (streq(p[0], "tls-export-cert") && p[1] && !p[2]) +{ +VERIFY_PERMISSION(OPT_P_SCRIPT); +options->tls_export_peer_cert_dir = p[1]; +} else if (streq(p[0],
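Review bot: the options.c hunks in this patch set still reference `tls_export_peer_cert_path` in both `SHOW_STR(tls_export_peer_cert_path);` and `MUST_BE_UNDEF(tls_export_peer_cert_path);`, while the parser hunk writes `options->tls_export_peer_cert_dir = p[1];`, the access check reads `options->tls_export_peer_cert_dir` and init.c copies `options->tls_export_peer_cert_dir`. The `_dir` rename that answers cron2's PS6 comment was not carried through to these two macros; with a single options.h member this will not build, so rename both arguments. On the new access check, `check_file_access_chroot(options->chroot_dir, CHKACC_FILE, ..., W_OK, "--tls-export-cert")` probes the directory at option-parse time with the starting credentials, whereas the PEM file is written later during TLS verification; when `--user`/`--group` drop privileges in between (the hunk's own `--up` text refers to that UID change), the probe can pass as root while the write at verify time runs as the unprivileged user. Worth a sentence in the man page about who must be able to write `dir`.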
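A `--tls-verify` hook that consumes the exported file, as an added example for the feature described in the commit message and man page above; it is not OpenVPN's code and not part of this patch. It relies only on the documented behaviour: OpenVPN runs the hook as `<cmd> <depth> <x509-subject>` with depth 0 being the peer certificate, sets `peer_cert_<depth>` (and `peer_cert` as an alias of `peer_cert_0`) to a PEM file below the `--tls-export-cert` directory, and removes the file once the hook returns. The export directory `/var/tmp` (taken from the commit message's example), the `PINNED_LEAF_SHA256` environment variable carrying the allowlist, and the file names and payload used by `demo()` are assumptions; the payload is arbitrary bytes in PEM armour, not a real certificate, because the hook only hashes the DER it finds between the markers.

```python
#!/usr/bin/env python3
"""Example OpenVPN --tls-verify hook built on --tls-export-cert.

OpenVPN runs the hook as:  <cmd> <depth> <x509-subject>   (depth 0 = peer cert)
and, with --tls-export-cert DIR, sets peer_cert_<depth> (plus the alias peer_cert
for depth 0) to a PEM file below DIR that is deleted once the hook returns.
Added example, not OpenVPN project code. EXPORT_DIR and PINNED_LEAF_SHA256 are
assumptions for illustration.
"""
import base64
import hashlib
import os
import sys

EXPORT_DIR = "/var/tmp"  # assumption: the directory passed to --tls-export-cert
PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_to_der(pem_text):
    """Return the DER bytes of exactly one CERTIFICATE block; ValueError otherwise."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    if lines.count(PEM_BEGIN) != 1 or lines.count(PEM_END) != 1:
        raise ValueError("expected exactly one CERTIFICATE block")
    start, end = lines.index(PEM_BEGIN) + 1, lines.index(PEM_END)
    if end <= start:
        raise ValueError("empty or malformed PEM body")
    return base64.b64decode("".join(lines[start:end]), validate=True)


def fingerprint_sha256(der):
    """Upper-case, colon-separated SHA-256 of the DER, as 'openssl x509 -fingerprint' prints it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def exported_cert_path(depth, env):
    """peer_cert_<depth>, falling back to the peer_cert alias only for depth 0."""
    path = env.get("peer_cert_%d" % depth)
    if path is None and depth == 0:
        path = env.get("peer_cert")
    return path


def safe_export_path(path, export_dir):
    """Accept only a regular, non-symlink file located directly inside export_dir."""
    if os.path.islink(path) or not os.path.isfile(path):
        return False
    return os.path.dirname(os.path.realpath(path)) == os.path.realpath(export_dir)


def verify(depth, subject, env, pinned_leaf_fps, export_dir=EXPORT_DIR):
    """Return (ok, reason). The leaf (depth 0) must match a pinned fingerprint;
    higher depths only need a well-formed exported file, since chain validity
    against --ca is OpenVPN's job."""
    path = exported_cert_path(depth, env)
    if path is None:
        return False, "no exported certificate for depth %d (%s)" % (depth, subject)
    if not safe_export_path(path, export_dir):
        return False, "refusing %s: not a regular file directly under %s" % (path, export_dir)
    try:
        with open(path, "r", encoding="ascii") as fh:
            der = pem_to_der(fh.read())
    except (OSError, ValueError, UnicodeDecodeError) as exc:
        return False, "cannot read PEM at %s: %s" % (path, exc)
    fp = fingerprint_sha256(der)
    if depth == 0 and fp not in pinned_leaf_fps:
        return False, "leaf %s has unpinned fingerprint %s" % (subject, fp)
    return True, "depth %d %s fingerprint %s" % (depth, subject, fp)


def main(argv=None, env=None):
    argv = sys.argv if argv is None else argv
    env = os.environ if env is None else env
    if len(argv) != 3:
        print("usage: tls-verify-hook.py <depth> <x509-subject>", file=sys.stderr)
        return 1
    # Assumption: pinned leaf fingerprints arrive comma-separated in the service environment.
    pinned = {fp.strip().upper() for fp in env.get("PINNED_LEAF_SHA256", "").split(",") if fp.strip()}
    ok, reason = verify(int(argv[1]), argv[2], env, pinned)
    print(reason, file=sys.stderr)  # OpenVPN does not read this; the exit status decides
    return 0 if ok else 1


def demo():
    """Exercise the hook on constructed input in temporary directories. The PEM
    payload is arbitrary bytes in PEM armour, NOT a real X.509 certificate."""
    import tempfile
    fake_der = b"constructed payload, not a real certificate"
    pem = "%s\n%s\n%s\n" % (PEM_BEGIN, base64.b64encode(fake_der).decode(), PEM_END)
    pinned = {fingerprint_sha256(fake_der)}
    out = {}
    with tempfile.TemporaryDirectory() as export_dir, tempfile.TemporaryDirectory() as elsewhere:
        leaf = os.path.join(export_dir, "openvpn_pef_0.tmp")       # constructed name, export dir
        stray = os.path.join(elsewhere, "openvpn_pef_0.tmp")       # same content, wrong directory
        broken = os.path.join(export_dir, "openvpn_pef_broken.tmp")
        for p in (leaf, stray):
            with open(p, "w") as fh:
                fh.write(pem)
        with open(broken, "w") as fh:
            fh.write(pem + pem)  # two CERTIFICATE blocks must be rejected
        env = {"peer_cert_0": leaf, "peer_cert": leaf}  # what a depth-0 invocation sees
        out["pinned_leaf"] = verify(0, "CN=client1", env, pinned, export_dir)[0]
        out["unpinned_leaf"] = verify(0, "CN=client1", env, set(), export_dir)[0]
        out["alias_only"] = verify(0, "CN=client1", {"peer_cert": leaf}, pinned, export_dir)[0]
        out["missing_depth1"] = verify(1, "CN=ca", env, pinned, export_dir)[0]
        out["outside_dir"] = verify(0, "CN=client1", {"peer_cert_0": stray}, pinned, export_dir)[0]
        out["two_blocks"] = verify(0, "CN=client1", {"peer_cert_0": broken}, pinned, export_dir)[0]
    return out


if __name__ == "__main__":
    sys.exit(main())
```

Configure it as `tls-verify /usr/local/sbin/tls-verify-hook.py` next to `tls-export-cert /var/tmp` (both paths illustrative). The hook deliberately does not fall back to the `peer_cert` alias for depths other than 0, since that alias names the leaf and, as the PS6 discussion below shows, a file for another depth may already have been removed; it also treats a missing variable or a malformed file as a failure rather than a pass.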
[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
Attention is currently required from: cron2, flichtenheld.

plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/466?usp=email )

Change subject: Implement the --tls-export-cert feature
..

Patch Set 7:

(4 comments)

Patchset:

PS6:
So we have to decide how to go about this. The current patch only So just exporting and providing

File doc/man-sections/script-options.rst:

http://gerrit.openvpn.net/c/openvpn/+/466/comment/f8e03d25_01b36152 :
PS6, Line 426: --tls-export-cert-path dir
> the manpage calls the option "tls-export-cert-path", while options. […]
Ooops, missed that one.

File src/openvpn/init.c:

http://gerrit.openvpn.net/c/openvpn/+/466/comment/e88dae53_952dc331 :
PS6, Line 3339: to.export_peer_cert_dir = options->tls_export_peer_cert_path;
> why call this "_dir" in the to, and "_path" in options-> ?
Fixed and now always using _dir

File src/openvpn/ssl_verify.c:

http://gerrit.openvpn.net/c/openvpn/+/466/comment/6cb0e20f_1acc6fec :
PS6, Line 734: if (opt->export_peer_cert_dir)
> So I tried to understand why it seemed to work in my testing. […]
This version of the patch now removes the environment variable together with the file. That is not as intrusive and should give at least backwards compatibility for now. The better solution is more complicated and requires modification to env handling (or even a lot bigger refactoring) and is moved to follow-up patches.

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/466?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Gerrit-Change-Number: 466
Gerrit-PatchSet: 7
Gerrit-Owner: plaisthos
Gerrit-Reviewer: cron2
Gerrit-Reviewer: flichtenheld
Gerrit-CC: openvpn-devel
Gerrit-Attention: cron2
Gerrit-Attention: flichtenheld
Gerrit-Comment-Date: Tue, 02 Jan 2024 16:45:08 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: cron2
Comment-In-Reply-To: flichtenheld
Gerrit-MessageType: comment
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
Attention is currently required from: cron2, plaisthos. Hello cron2, flichtenheld, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/466?usp=email to look at the new patch set (#7). Change subject: Implement the --tls-export-cert feature .. Implement the --tls-export-cert feature This is a re-implementation of the --tls-export-cert feature. This was necessary to due to missing approval to re-license the old (now removed) code. The re-implementation is based on the following description of the feature provided by David: Add an option to export certificate in PEM format of the remote peer to a given directory. For example: --tls-export-cert /var/tmp This option should use a randomised filename, which is provided via a "peer_cert" environment variable for the --tls-verify script or the OPENVPN_PLUGIN_TLS_VERIFY plug-in hook. Once the script or plugin call has completed, OpenVPN should delete this file. Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2 Signed-off-by: Arne Schwabe --- M doc/man-sections/script-options.rst M src/openvpn/init.c M src/openvpn/options.c M src/openvpn/options.h M src/openvpn/ssl_common.h M src/openvpn/ssl_verify.c M src/openvpn/ssl_verify_backend.h M src/openvpn/ssl_verify_mbedtls.c M src/openvpn/ssl_verify_openssl.c 9 files changed, 174 insertions(+), 5 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/66/466/7 diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index 6f90e14..0e60ab5 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst 
@@ -423,6 +423,15 @@ See the `Environmental Variables`_ section below for additional parameters passed as environmental variables. +--tls-export-cert-path dir + Adds an environment variable ``peer_cert_{x}`` (and an alias + ``peer_cert`` for ``peer_cert_0`` for compatibility) when calling the + ``--tls-verify`` script or executing the OPENVPN_PLUGIN_TLS_VERIFY plugin + hook to verify the certificate. + + The environment variable contains the path to a PEM encoded certificate + of the current peer certificate in the directory ``dir``. + --up cmd Run command ``cmd`` after successful TUN/TAP device open (pre ``--user`` UID change). @@ -763,6 +772,15 @@ modifier is specified, and deleted from the environment after the script returns. +:code:`peer_cert_{n}` +If the option ``--tls-export-cert`` is enabled, this option contains +the path to the current peer certificate to be verified in PEM format +where ``n`` is the verification level. + +:code:`peer_cert` +Identical to `peer_cert_0` for compatibility with older +versions. + :code:`proto` The ``--proto`` parameter. Set on program initiation and reset on SIGHUP. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 9e2b3845..917ae33 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3336,6 +3336,7 @@ to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file; to.client_crresponse_script = options->client_crresponse_script; to.tmp_dir = options->tmp_dir; +to.export_peer_cert_dir = options->tls_export_peer_cert_path; if (options->ccd_exclusive) { to.client_config_dir_exclusive = options->client_config_dir; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index e498114..714a578 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1986,6 +1986,7 @@ SHOW_STR(cipher_list_tls13); SHOW_STR(tls_cert_profile); SHOW_STR(tls_verify); +SHOW_STR(tls_export_peer_cert_path); SHOW_INT(verify_x509_type); SHOW_STR(verify_x509_name); SHOW_STR_INLINE(crl_file); 
@@ -3048,6 +3049,7 @@ MUST_BE_UNDEF(cipher_list_tls13); MUST_BE_UNDEF(tls_cert_profile); MUST_BE_UNDEF(tls_verify); +MUST_BE_UNDEF(tls_export_peer_cert_path); MUST_BE_UNDEF(verify_x509_name); MUST_BE_UNDEF(tls_timeout); MUST_BE_UNDEF(renegotiate_bytes); @@ -4053,6 +4055,13 @@ R_OK, "--crl-verify"); } +if (options->tls_export_peer_cert_path) +{ +errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, + options->tls_export_peer_cert_path, + W_OK, "--tls-export-cert"); +} + ASSERT(options->connection_list); for (int i = 0; i < options->connection_list->len; ++i) { @@ -8997,6 +9006,11 @@ string_substitute(p[1], ',', ' ', >gc), "tls-verify", true); } +else if (streq(p[0], "tls-export-cert") && p[1] && !p[2]) +{ +VERIFY_PERMISSION(OPT_P_SCRIPT); +options->tls_export_peer_cert_path = p[1]; +} else if (streq(p[0],
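Review bot: the man page hunk still documents the option as `--tls-export-cert-path dir`, while the parser hunk matches `streq(p[0], "tls-export-cert")`, the access check reports errors under `"--tls-export-cert"`, and the `peer_cert_{n}` entry itself says "If the option ``--tls-export-cert`` is enabled". A user copying the heading into a config gets an unrecognised-option error; change the heading to `--tls-export-cert dir`, keeping the historical name as cron2 asked on PS6. The init.c hunk also still reads `to.export_peer_cert_dir = options->tls_export_peer_cert_path;`, so the `_dir`/`_path` split is present in this patch set too; pick one name for the options.h member and use it in init.c, `SHOW_STR`, `MUST_BE_UNDEF`, the access check and the parser.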
[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
Attention is currently required from: cron2, plaisthos.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/466?usp=email )

Change subject: Implement the --tls-export-cert feature
..

Patch Set 6: -Code-Review

(1 comment)

File src/openvpn/ssl_verify.c:

http://gerrit.openvpn.net/c/openvpn/+/466/comment/2e6bc2d2_f0a6cbd6 :
PS6, Line 734: if (opt->export_peer_cert_dir)
> Something is not right here. […]
So I tried to understand why it seemed to work in my testing. It turns out that I only ever looked at the cert indicated by the $depth argument to the hook. So indeed all the certs are exported correctly, but the problem is that after the depth 1 hook is run the file indicated by peer_cert_1 is already deleted. So the behavior is not very useful.

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/466?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Gerrit-Change-Number: 466
Gerrit-PatchSet: 6
Gerrit-Owner: plaisthos
Gerrit-Reviewer: cron2
Gerrit-Reviewer: flichtenheld
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Attention: cron2
Gerrit-Comment-Date: Wed, 20 Dec 2023 11:57:07 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Comment-In-Reply-To: cron2
Gerrit-MessageType: comment
[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
Attention is currently required from: plaisthos.

cron2 has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/466?usp=email )

The change is no longer submittable: Code-Review is unsatisfied now.

Change subject: Implement the --tls-export-cert feature
..

Patch Set 6: Code-Review-2

(4 comments)

Patchset:

PS6:
Tested, does not crash, but only exports the level 0 cert (the level 1 variable is set, but no such file exists).

File doc/man-sections/script-options.rst:

http://gerrit.openvpn.net/c/openvpn/+/466/comment/bff18d9b_f279e622 :
PS6, Line 426: --tls-export-cert-path dir
the manpage calls the option "tls-export-cert-path", while options.c checks for "tls-export-cert" (only, no "new option and also old option for compat reasons") - this needs to be resolved (and keeping the old option name everywhere is better for not breaking people's configs - so the documentation needs to be fixed)

File src/openvpn/init.c:

http://gerrit.openvpn.net/c/openvpn/+/466/comment/189e173c_161fa78f :
PS6, Line 3339: to.export_peer_cert_dir = options->tls_export_peer_cert_path;
why call this "_dir" in the to, and "_path" in options-> ?

File src/openvpn/ssl_verify.c:

http://gerrit.openvpn.net/c/openvpn/+/466/comment/97340248_881cd351 :
PS6, Line 734: if (opt->export_peer_cert_dir)
Something is not right here. So the function does set up multiple environment variables, but only one file is ever created... I do a "ls -l $peer_cert_2 $peer_cert_1 $peer_cert0" in my tls-verify-script, and this is what I see

peer_cert_1=/var/tmp/openvpn_pef_6a5f2055b342424a15139e5787303c57.tmp
peer_cert_0=/var/tmp/openvpn_pef_18e5d27eafdb9fb54c12a8c446b56c76.tmp
peer_cert=/var/tmp/openvpn_pef_18e5d27eafdb9fb54c12a8c446b56c76.tmp
-rw------- 1 root root 1830 Dec 18 18:39 /var/tmp/openvpn_pef_18e5d27eafdb9fb54c12a8c446b56c76.tmp

... only one file.

For "multiple files", I would have expected to find the filenames in an array so they can all be deleted at the end (and no dangling files), but if only one file is ever created, no array is needed...

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/466?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Gerrit-Change-Number: 466
Gerrit-PatchSet: 6
Gerrit-Owner: plaisthos
Gerrit-Reviewer: cron2
Gerrit-Reviewer: flichtenheld
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Comment-Date: Mon, 18 Dec 2023 17:42:02 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
Attention is currently required from: cron2, plaisthos.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/466?usp=email )

Change subject: Implement the --tls-export-cert feature
..

Patch Set 6: Code-Review+2

(1 comment)

Patchset:

PS5:
Did some basic testing with both OpenSSL and mbedTLS. Looks good to me.

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/466?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Gerrit-Change-Number: 466
Gerrit-PatchSet: 6
Gerrit-Owner: plaisthos
Gerrit-Reviewer: flichtenheld
Gerrit-CC: cron2
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Attention: cron2
Gerrit-Comment-Date: Wed, 13 Dec 2023 14:29:01 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
Attention is currently required from: cron2, flichtenheld.

plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/466?usp=email )

Change subject: Implement the --tls-export-cert feature
..

Patch Set 4:

(2 comments)

File doc/man-sections/script-options.rst:

http://gerrit.openvpn.net/c/openvpn/+/466/comment/f51f4a78_549de142 :
PS4, Line 427: Adds an environment variables ``peer_cert_{x}`` (and an alias
> "variable" or remove "an"
Done

http://gerrit.openvpn.net/c/openvpn/+/466/comment/eed49c31_f5661e3b :
PS4, Line 780: :code:`peer_cert` identical to `peer_cert_0` for compatibility with older
> Missing line break before "identical". […]
Done

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/466?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Gerrit-Change-Number: 466
Gerrit-PatchSet: 4
Gerrit-Owner: plaisthos
Gerrit-Reviewer: flichtenheld
Gerrit-CC: cron2
Gerrit-CC: openvpn-devel
Gerrit-Attention: cron2
Gerrit-Attention: flichtenheld
Gerrit-Comment-Date: Tue, 12 Dec 2023 18:24:05 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: flichtenheld
Gerrit-MessageType: comment
[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
Attention is currently required from: cron2, flichtenheld, plaisthos. Hello flichtenheld, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/466?usp=email to look at the new patch set (#5). The following approvals got outdated and were removed: Code-Review-1 by flichtenheld Change subject: Implement the --tls-export-cert feature .. Implement the --tls-export-cert feature This is a re-implementation of the --tls-export-cert feature. This was necessary to due to missing approval to re-license the old (now removed) code. The re-implementation is based on the following description of the feature provided by David: Add an option to export certificate in PEM format of the remote peer to a given directory. For example: --tls-export-cert /var/tmp This option should use a randomised filename, which is provided via a "peer_cert" environment variable for the --tls-verify script or the OPENVPN_PLUGIN_TLS_VERIFY plug-in hook. Once the script or plugin call has completed, OpenVPN should delete this file. Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2 Signed-off-by: Arne Schwabe --- M doc/man-sections/script-options.rst M src/openvpn/init.c M src/openvpn/options.c M src/openvpn/options.h M src/openvpn/ssl_common.h M src/openvpn/ssl_verify.c M src/openvpn/ssl_verify_backend.h M src/openvpn/ssl_verify_mbedtls.c M src/openvpn/ssl_verify_openssl.c 9 files changed, 151 insertions(+), 4 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/66/466/5 diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index 38dcfa2..ba700a0 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst 
@@ -423,6 +423,15 @@ See the `Environmental Variables`_ section below for additional parameters passed as environmental variables. +--tls-export-cert-path dir + Adds an environment variable ``peer_cert_{x}`` (and an alias + ``peer_cert`` for ``peer_cert_0`` for compatibility) when calling the + ``--tls-verify`` script or executing the OPENVPN_PLUGIN_TLS_VERIFY plugin + hook to verify the certificate. + + The environment variable contains the path to a PEM encoded certificate + of the current peer certificate in the directory ``dir``. + --up cmd Run command ``cmd`` after successful TUN/TAP device open (pre ``--user`` UID change). @@ -763,6 +772,15 @@ modifier is specified, and deleted from the environment after the script returns. +:code:`peer_cert_{n}` +If the option ``--tls-export-cert`` is enabled, this option contains +the path to the current peer certificate to be verified in PEM format +where ``n`` is the verification level. + +:code:`peer_cert` +Identical to `peer_cert_0` for compatibility with older +versions. + :code:`proto` The ``--proto`` parameter. Set on program initiation and reset on SIGHUP. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 9e2b3845..917ae33 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3336,6 +3336,7 @@ to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file; to.client_crresponse_script = options->client_crresponse_script; to.tmp_dir = options->tmp_dir; +to.export_peer_cert_dir = options->tls_export_peer_cert_path; if (options->ccd_exclusive) { to.client_config_dir_exclusive = options->client_config_dir; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 1521872..503e832 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1986,6 +1986,7 @@ SHOW_STR(cipher_list_tls13); SHOW_STR(tls_cert_profile); SHOW_STR(tls_verify); +SHOW_STR(tls_export_peer_cert_path); SHOW_INT(verify_x509_type); SHOW_STR(verify_x509_name); SHOW_STR_INLINE(crl_file); 
@@ -3048,6 +3049,7 @@ MUST_BE_UNDEF(cipher_list_tls13); MUST_BE_UNDEF(tls_cert_profile); MUST_BE_UNDEF(tls_verify); +MUST_BE_UNDEF(tls_export_peer_cert_path); MUST_BE_UNDEF(verify_x509_name); MUST_BE_UNDEF(tls_timeout); MUST_BE_UNDEF(renegotiate_bytes); @@ -4053,6 +4055,13 @@ R_OK, "--crl-verify"); } +if (options->tls_export_peer_cert_path) +{ +errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, + options->tls_export_peer_cert_path, + W_OK, "--tls-export-cert"); +} + ASSERT(options->connection_list); for (int i = 0; i < options->connection_list->len; ++i) { @@ -8998,6 +9007,11 @@ string_substitute(p[1], ',', ' ', >gc), "tls-verify", true); } +else if (streq(p[0], "tls-export-cert") && p[1] && !p[2]) +{ +
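Review bot: the man page heading `--tls-export-cert-path dir` in the first hunk does not match the option the parser accepts in the last hunk, `streq(p[0], "tls-export-cert")`, nor the `"--tls-export-cert"` label passed to `check_file_access_chroot`; the documented spelling will be rejected at startup, so align the heading with the code. Separately, as far as the new check shows, `check_file_access_chroot(options->chroot_dir, CHKACC_FILE, options->tls_export_peer_cert_path, W_OK, ...)` only asks whether the path exists and is writable: a regular file handed in as `dir` passes it, and the misconfiguration only surfaces when the first client connects and the export is attempted. Checking that the argument is a directory here would turn that into a clear startup error.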
[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
Attention is currently required from: cron2, plaisthos.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/466?usp=email )

Change subject: Implement the --tls-export-cert feature
..

Patch Set 4: Code-Review-1

(2 comments)

File doc/man-sections/script-options.rst:

http://gerrit.openvpn.net/c/openvpn/+/466/comment/36b80616_1a510d1a :
PS4, Line 427: Adds an environment variables ``peer_cert_{x}`` (and an alias
"variable" or remove "an"

http://gerrit.openvpn.net/c/openvpn/+/466/comment/42a94055_6568f3e0 :
PS4, Line 780: :code:`peer_cert` identical to `peer_cert_0` for compatibility with older
Missing line break before "identical". Breaks formatting

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/466?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Gerrit-Change-Number: 466
Gerrit-PatchSet: 4
Gerrit-Owner: plaisthos
Gerrit-Reviewer: flichtenheld
Gerrit-CC: cron2
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Attention: cron2
Gerrit-Comment-Date: Tue, 12 Dec 2023 14:39:26 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
Attention is currently required from: cron2, flichtenheld. Hello flichtenheld, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/466?usp=email to look at the new patch set (#3). The following approvals got outdated and were removed: Code-Review-1 by flichtenheld Change subject: Implement the --tls-export-cert feature .. Implement the --tls-export-cert feature This is a re-implementation of the --tls-export-cert feature. This was necessary to due to missing approval to re-license the old (now removed) code. The re-implementation is based on the following description of the feature provided by David: Add an option to export certificate in PEM format of the remote peer to a given directory. For example: --tls-export-cert /var/tmp This option should use a randomised filename, which is provided via a "peer_cert" environment variable for the --tls-verify script or the OPENVPN_PLUGIN_TLS_VERIFY plug-in hook. Once the script or plugin call has completed, OpenVPN should delete this file. Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2 Signed-off-by: Arne Schwabe --- M doc/man-sections/script-options.rst M src/openvpn/init.c M src/openvpn/options.c M src/openvpn/options.h M src/openvpn/ssl_common.h M src/openvpn/ssl_verify.c M src/openvpn/ssl_verify_backend.h M src/openvpn/ssl_verify_mbedtls.c M src/openvpn/ssl_verify_openssl.c 9 files changed, 150 insertions(+), 4 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/66/466/3 diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index 38dcfa2..cde0034 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst 
@@ -423,6 +423,15 @@ See the `Environmental Variables`_ section below for additional parameters passed as environmental variables. +--tls-export-cert-path dir + Adds an environment variables ``peer_cert_{x}`` (and an alias + ``peer_cert`` for ``peer_cert_0`` for compatibility) when calling the + ``--tls-verify`` script or executing the OPENVPN_PLUGIN_TLS_VERIFY plugin + hook to verify the certificate. + + The environment variable contains the path to a PEM encoded certificate + of the current peer certificate in the directory ``dir``. + --up cmd Run command ``cmd`` after successful TUN/TAP device open (pre ``--user`` UID change). @@ -763,6 +772,14 @@ modifier is specified, and deleted from the environment after the script returns. +:code:`peer_cert_{n}` +If the option ``--tls-export-cert`` is enabled, this option contains +the path to the current peer certificate to be verified in PEM format +where ``n`` is the verification level. + +:code:`peer_cert` identical to `peer_cert_0` for compatibility with older +versions. + :code:`proto` The ``--proto`` parameter. Set on program initiation and reset on SIGHUP. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 9e2b3845..917ae33 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3336,6 +3336,7 @@ to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file; to.client_crresponse_script = options->client_crresponse_script; to.tmp_dir = options->tmp_dir; +to.export_peer_cert_dir = options->tls_export_peer_cert_path; if (options->ccd_exclusive) { to.client_config_dir_exclusive = options->client_config_dir; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 1521872..503e832 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1986,6 +1986,7 @@ SHOW_STR(cipher_list_tls13); SHOW_STR(tls_cert_profile); SHOW_STR(tls_verify); +SHOW_STR(tls_export_peer_cert_path); SHOW_INT(verify_x509_type); SHOW_STR(verify_x509_name); SHOW_STR_INLINE(crl_file); 
@@ -3048,6 +3049,7 @@ MUST_BE_UNDEF(cipher_list_tls13); MUST_BE_UNDEF(tls_cert_profile); MUST_BE_UNDEF(tls_verify); +MUST_BE_UNDEF(tls_export_peer_cert_path); MUST_BE_UNDEF(verify_x509_name); MUST_BE_UNDEF(tls_timeout); MUST_BE_UNDEF(renegotiate_bytes); @@ -4053,6 +4055,13 @@ R_OK, "--crl-verify"); } +if (options->tls_export_peer_cert_path) +{ +errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, + options->tls_export_peer_cert_path, + W_OK, "--tls-export-cert"); +} + ASSERT(options->connection_list); for (int i = 0; i < options->connection_list->len; ++i) { @@ -8998,6 +9007,11 @@ string_substitute(p[1], ',', ' ', >gc), "tls-verify", true); } +else if (streq(p[0], "tls-export-cert") && p[1] && !p[2]) +{ +VERIFY_PERMISSION(OPT_P_SCRIPT); +
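Review bot: the script-options.rst hunk has three documentation defects. "Adds an environment variables ``peer_cert_{x}``" mixes singular article and plural noun; the `:code:`peer_cert`` entry runs its description onto the same line as the term ("+:code:`peer_cert` identical to `peer_cert_0` ...") whereas every neighbouring entry, including the new `peer_cert_{n}` one, puts the description on the following line, so this will render as a malformed definition; and "the path to a PEM encoded certificate of the current peer certificate" says "certificate" twice. The heading `--tls-export-cert-path dir` also differs from the `"tls-export-cert"` the parser hunk matches and from the `--tls-export-cert` the `peer_cert_{n}` entry refers to.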
[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
Attention is currently required from: cron2, flichtenheld.

plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/466?usp=email )

Change subject: Implement the --tls-export-cert feature
..

Patch Set 2:

(6 comments)

File doc/man-sections/script-options.rst:

http://gerrit.openvpn.net/c/openvpn/+/466/comment/dccfc964_cfd463f3 :
PS2, Line 427: Adds a an environment variables ``peer_cert_{x}`` (and an alias
> Remove "a"
Done

File src/openvpn/ssl_verify.c:

http://gerrit.openvpn.net/c/openvpn/+/466/comment/2e49f9a9_cc253bc2 :
PS2, Line 466: /* export the certificate itself as pem when the enabled */
> missing words?
Done

http://gerrit.openvpn.net/c/openvpn/+/466/comment/99393580_9e01f59d :
PS2, Line 477: bool ret = true;
> Can combine with the next line.
Done

http://gerrit.openvpn.net/c/openvpn/+/466/comment/9626e926_96849b76 :
PS2, Line 602: * these variables defined */
> can replace repetition of "these variables" with "them"
Done

File src/openvpn/ssl_verify_mbedtls.c:

http://gerrit.openvpn.net/c/openvpn/+/466/comment/32a92534_6ee0a5db :
PS2, Line 225: * The only way to is directly access the DER encoded raw certificate
> "to is" -> "is to"
Done

http://gerrit.openvpn.net/c/openvpn/+/466/comment/85213291_05de576e :
PS2, Line 230: * using needing 3 times the space for the base64 and 100 bytes for the
> drop one of "using needing"
Done

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/466?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Gerrit-Change-Number: 466
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos
Gerrit-Reviewer: flichtenheld
Gerrit-CC: cron2
Gerrit-CC: openvpn-devel
Gerrit-Attention: cron2
Gerrit-Attention: flichtenheld
Gerrit-Comment-Date: Thu, 07 Dec 2023 11:27:23 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: flichtenheld
Gerrit-MessageType: comment
[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
Attention is currently required from: cron2, plaisthos.

flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/466?usp=email )

Change subject: Implement the --tls-export-cert feature
..

Patch Set 2: Code-Review-1

(6 comments)

File doc/man-sections/script-options.rst:

http://gerrit.openvpn.net/c/openvpn/+/466/comment/738f9728_f9eb156f :
PS2, Line 427: Adds a an environment variables ``peer_cert_{x}`` (and an alias
Remove "a"

File src/openvpn/ssl_verify.c:

http://gerrit.openvpn.net/c/openvpn/+/466/comment/dd7a5b9a_bf660274 :
PS2, Line 466: /* export the certificate itself as pem when the enabled */
missing words?

http://gerrit.openvpn.net/c/openvpn/+/466/comment/f487e7c8_793bcb7e :
PS2, Line 477: bool ret = true;
Can combine with the next line.

http://gerrit.openvpn.net/c/openvpn/+/466/comment/2e703085_bdc2ffba :
PS2, Line 602: * these variables defined */
can replace repetition of "these variables" with "them"

File src/openvpn/ssl_verify_mbedtls.c:

http://gerrit.openvpn.net/c/openvpn/+/466/comment/74783133_a96d6da5 :
PS2, Line 225: * The only way to is directly access the DER encoded raw certificate
"to is" -> "is to"

http://gerrit.openvpn.net/c/openvpn/+/466/comment/b48e3170_e0e585b4 :
PS2, Line 230: * using needing 3 times the space for the base64 and 100 bytes for the
drop one of "using needing"

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/466?usp=email

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Gerrit-Change-Number: 466
Gerrit-PatchSet: 2
Gerrit-Owner: plaisthos
Gerrit-Reviewer: flichtenheld
Gerrit-CC: cron2
Gerrit-CC: openvpn-devel
Gerrit-Attention: plaisthos
Gerrit-Attention: cron2
Gerrit-Comment-Date: Wed, 06 Dec 2023 17:30:24 +0000
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment
[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
Attention is currently required from: flichtenheld, plaisthos.

Hello flichtenheld,

I'd like you to reexamine a change. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/466?usp=email

to look at the new patch set (#2).

Change subject: Implement the --tls-export-cert feature

Implement the --tls-export-cert feature

This is a re-implementation of the --tls-export-cert feature. This was
necessary due to missing approval to re-license the old (now removed)
code. The re-implementation is based on the following description of the
feature provided by David:

Add an option to export certificate in PEM format of the remote peer to a
given directory. For example:

    --tls-export-cert /var/tmp

This option should use a randomised filename, which is provided via a
"peer_cert" environment variable for the --tls-verify script or the
OPENVPN_PLUGIN_TLS_VERIFY plug-in hook. Once the script or plugin call has
completed, OpenVPN should delete this file.

Change-Id: Ia9b3f1813d2d0d492d17c87348b4cebd0bf19ce2
Signed-off-by: Arne Schwabe
---
M doc/man-sections/script-options.rst
M src/openvpn/init.c
M src/openvpn/options.c
M src/openvpn/options.h
M src/openvpn/ssl_common.h
M src/openvpn/ssl_verify.c
M src/openvpn/ssl_verify_backend.h
M src/openvpn/ssl_verify_mbedtls.c
M src/openvpn/ssl_verify_openssl.c
9 files changed, 152 insertions(+), 4 deletions(-)

git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/66/466/2

diff --git a/doc/man-sections/script-options.rst b/doc/man-sections/script-options.rst index 38dcfa2..26b5434 100644 --- a/doc/man-sections/script-options.rst +++ b/doc/man-sections/script-options.rst
@@ -423,6 +423,15 @@ See the `Environmental Variables`_ section below for additional parameters passed as environmental variables. +--tls-export-cert-path dir + Adds a an environment variables ``peer_cert_{x}`` (and an alias + ``peer_cert`` for ``peer_cert_0`` for compatibility) when calling the + ``--tls-verify`` script or executing the OPENVPN_PLUGIN_TLS_VERIFY plugin + hook to verify the certificate. + + The environment variable contains the path to a PEM encoded certificate + of the current peer certificate in the directory ``dir``. + --up cmd Run command ``cmd`` after successful TUN/TAP device open (pre ``--user`` UID change). @@ -763,6 +772,14 @@ modifier is specified, and deleted from the environment after the script returns. +:code:`peer_cert_{n}` +If the option ``--tls-export-cert`` is enabled, this option contains +the path to the current peer certificate to be verified in PEM format +where ``n`` is the verification level. + +:code:`peer_cert` identical to `peer_cert_0` for compatibility with older +versions. + :code:`proto` The ``--proto`` parameter. Set on program initiation and reset on SIGHUP. diff --git a/src/openvpn/init.c b/src/openvpn/init.c index 9e2b3845..917ae33 100644 --- a/src/openvpn/init.c +++ b/src/openvpn/init.c @@ -3336,6 +3336,7 @@ to.auth_user_pass_verify_script_via_file = options->auth_user_pass_verify_script_via_file; to.client_crresponse_script = options->client_crresponse_script; to.tmp_dir = options->tmp_dir; +to.export_peer_cert_dir = options->tls_export_peer_cert_path; if (options->ccd_exclusive) { to.client_config_dir_exclusive = options->client_config_dir; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 1521872..503e832 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -1986,6 +1986,7 @@ SHOW_STR(cipher_list_tls13); SHOW_STR(tls_cert_profile); SHOW_STR(tls_verify); +SHOW_STR(tls_export_peer_cert_path); SHOW_INT(verify_x509_type); SHOW_STR(verify_x509_name); SHOW_STR_INLINE(crl_file); 
@@ -3048,6 +3049,7 @@ MUST_BE_UNDEF(cipher_list_tls13); MUST_BE_UNDEF(tls_cert_profile); MUST_BE_UNDEF(tls_verify); +MUST_BE_UNDEF(tls_export_peer_cert_path); MUST_BE_UNDEF(verify_x509_name); MUST_BE_UNDEF(tls_timeout); MUST_BE_UNDEF(renegotiate_bytes); @@ -4053,6 +4055,13 @@ R_OK, "--crl-verify"); } +if (options->tls_export_peer_cert_path) +{ +errs |= check_file_access_chroot(options->chroot_dir, CHKACC_FILE, + options->tls_export_peer_cert_path, + W_OK, "--tls-export-cert"); +} + ASSERT(options->connection_list); for (int i = 0; i < options->connection_list->len; ++i) { @@ -8998,6 +9007,11 @@ string_substitute(p[1], ',', ' ', >gc), "tls-verify", true); } +else if (streq(p[0], "tls-export-cert") && p[1] && !p[2]) +{ +VERIFY_PERMISSION(OPT_P_SCRIPT); +options->tls_export_peer_cert_path = p[1]; +} else if (streq(p[0],
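Review bot: the option name in the script-options.rst hunk (`@@ -423,6 +423,15 @@`) does not match what the parser accepts: the man page heading reads `--tls-export-cert-path dir`, the `peer_cert_{n}` entry in the second doc hunk says "If the option ``--tls-export-cert`` is enabled", and the options.c hunk matches `streq(p[0], "tls-export-cert")`, so a user who follows the man page heading gets an unrecognized-option error. Settle on one spelling (the parser and the commit message both use `--tls-export-cert`) and use it in both doc hunks. In the same hunk "Adds a an environment variables ``peer_cert_{x}``" should read "Adds an environment variable", the placeholder should be `{n}` to match the `peer_cert_{n}` entry below, and "this option contains the path" in that entry should say "this variable". The man page also leaves out two properties the commit message promises and that administrators need in order to use the hook safely: the file name is randomised, and OpenVPN deletes the file once the script or plugin hook returns. Since OpenVPN creates files in `dir` and the commit message's example is the shared `/var/tmp`, it is worth stating that `dir` should be a directory private to the user OpenVPN runs as.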
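Review bot: in the `@@ -4053,6 +4055,13 @@` hunk the startup check passes `CHKACC_FILE` with `W_OK` for a path that the feature treats as a directory; a writable regular file at that path also passes a `W_OK` access test, and the misconfiguration would then only surface during TLS verification when the certificate file cannot be created in it. Consider verifying at option-parsing time that `tls_export_peer_cert_path` names a directory, so the error is reported at startup alongside the other `--tls-export-cert` checks. Naming across the patch is also inconsistent: options.c introduces `tls_export_peer_cert_path` while the init.c hunk copies it into `to.export_peer_cert_dir`; using either `path` or `dir` in both places makes the option easier to trace to its consumer.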
[Openvpn-devel] [M] Change in openvpn[master]: Implement the --tls-export-cert feature
Attention is currently required from: cron2, flichtenheld.

plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/466?usp=email )

Change subject: Implement the --tls-export-cert feature

Patch Set 2:

(1 comment)

File doc/man-sections/script-options.rst:

http://gerrit.openvpn.net/c/openvpn/+/466/comment/337ef9e3_0f8bbba4 :
PS1, Line 426: --export-peer-cert-path dir
> so this is a new option, which is incompatible and will break people's config
> (if they use the old o […]
Done

Gerrit-PatchSet: 2
Gerrit-Attention: cron2
Gerrit-Attention: flichtenheld
Gerrit-Comment-Date: Wed, 06 Dec 2023 14:04:25 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: cron2
Gerrit-MessageType: comment