[Openvpn-devel] [PATCH 1/1] Let mbedtls_ssl_configs find reloaded CRLs

Fri, 02 Apr 2021 04:39:58 -0700 

From: Maximilian Fillinger <maximilian.fillin...@fox-it.com>

If the CRL file cannot be read during initialization, a NULL pointer is
passed to the mbedtls_ssl_config in key_state_ssl_init(). Then, if the
CRL file is successfully read later, the config won't have a pointer to
it. Therefore, the CRL won't actually take effect.

This commit fixes the bug by creating an empty CRL if crl-verify is in
the config, but the file cannot be read during initialization. That way,
we can always give the mbedtls_ssl_config struct a pointer to the
location where the CRL will be if it is successfully read later.

This commit also fixes an additional issue:

When a CRL file is present but cannot be parsed, OpenVPN rejects all
incoming connections. When the CRL file cannot be stat'ed, OpenVPN keeps
using the previous CRL. This commit makes it so that OpenVPN rejects
connections in both situations.
---
 src/openvpn/ssl.c         | 11 +++++++++++
 src/openvpn/ssl_mbedtls.c | 13 +++++++++++++
 src/openvpn/ssl_mbedtls.h |  3 +++
 3 files changed, 27 insertions(+)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 08222b5e..f20771d7 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -559,6 +559,17 @@ tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const 
char *crl_file,
     else if (platform_stat(crl_file, &crl_stat) < 0)
     {
         msg(M_WARN, "WARNING: Failed to stat CRL file, not (re)loading CRL.");
+
+#ifdef ENABLE_CRYPTO_MBEDTLS
+        /* Store an empty CRL in ssl_ctx. This is so that we can give the
+         * mbedtls_ssl_configs in the key_states a pointer to the location 
where
+         * the CRL will be if we successfully reload the file later.
+         *
+         * Storing an empty CRL also causes all connection attempts to be 
rejected
+         * until an actual CRL is loaded. */
+        make_empty_crl(ssl_ctx);
+#endif
+
         return;
     }
 
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index 4626e983..5d7af351 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -1044,6 +1044,19 @@ err:
 }
 
 void
+make_empty_crl(struct tls_root_ctx *ctx)
+{
+    if (ctx->crl == NULL)
+    {
+        ALLOC_OBJ_CLEAR(ctx->crl, mbedtls_x509_crl);
+    }
+    else
+    {
+        mbedtls_x509_crl_free(ctx->crl);
+    }
+}
+
+void
 key_state_ssl_init(struct key_state_ssl *ks_ssl,
                    const struct tls_root_ctx *ssl_ctx, bool is_server,
                    struct tls_session *session)
diff --git a/src/openvpn/ssl_mbedtls.h b/src/openvpn/ssl_mbedtls.h
index ff64e17c..579e3c8e 100644
--- a/src/openvpn/ssl_mbedtls.h
+++ b/src/openvpn/ssl_mbedtls.h
@@ -144,4 +144,7 @@ int tls_ctx_use_external_signing_func(struct tls_root_ctx 
*ctx,
                                       external_sign_func sign_func,
                                       void *sign_ctx);
 
+void make_empty_crl(struct tls_root_ctx *);
+
+
 #endif /* SSL_MBEDTLS_H_ */
-- 
2.11.0



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to