upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-06-08 16:22:46 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

libfetch: allow use of SSL_CRL_VERIFY

Browse source 
Since the default store already points to /etc/ssl/certs and the
CRLs are hashed there too it is trivial to bring libfetch applications
to verifying the CRLs contained when doing a SSL connection.

libfetch: ignore the error of an absence of a CRL

... when passing SSL_CRL_FILE / SSL_CRL_VERIFY.

The situation isn't ideal, but since we don't know what we are going to deal
with the situation is tricky.  It's especially pointless in scenarios of
pkg multi-repo cases where we need to deal wit a mixed bag of URLs during
the same context.  For the benefit of the doubt print the appropriate message
for the user to see.

In general it would be a bit safer if we could enforce the existence of a
CRL distribution point as a mandatory CRL check and the others as an optional
one with the warning as printed for the user to see.  It would also need a
strict mode if someone needed the other behaviour but since we did not have
any consumers of SSL_CRL_FILE and --crl was broken for a long time it's safe
to assume nobody uses this for these specific reasons.

libfetch: add the error number to verify callback failure case
This commit is contained in:
Franco Fichtner 2024-10-02 12:14:40 +02:00
parent 4409636fc6
commit e9a7c3772a
1 changed files with 33 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
lib/libfetch/common.c
View file

@ -1060,7 +1060,7 @@ fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
{
X509_LOOKUP *crl_lookup;
X509_STORE *crl_store;
const char *ca_cert_file, *ca_cert_path, *crl_file;
const char *ca_cert_file, *ca_cert_path, *crl_file, *crl_verify;
if (getenv("SSL_NO_VERIFY_PEER") == NULL) {
ca_cert_file = getenv("SSL_CA_CERT_FILE");
@ -1084,6 +1084,13 @@ fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose)
ca_cert_path);
else
SSL_CTX_set_default_verify_paths(ctx);
if ((crl_verify = getenv("SSL_CRL_VERIFY")) != NULL) {
if (verbose)
fetch_info("Using CRL verify: yes");
X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(ctx),
X509_V_FLAG_CRL_CHECK |
X509_V_FLAG_CRL_CHECK_ALL);
}
if ((crl_file = getenv("SSL_CRL_FILE")) != NULL) {
if (verbose)
fetch_info("Using CRL file: %s", crl_file);
@ -1154,14 +1161,37 @@ fetch_ssl_cb_verify_crt(int verified, X509_STORE_CTX *ctx)
char *str;
str = NULL;
/*
* CLRs may be defined explictly but not always. The absence of a
* CRL distribution point is no indication that a CRL does not exist
* which also means the CRL check being enforced will require to have
* proper CRLs in place for the certificates to be checked which can
* not be guaranteed for a random hostname on the Internet. Disable
* the specific OpenSSL error that deals with this case given that
* we do make the utmost effort to supply a proper list of CRLs that
* are required to verify the certificate(s) in question.
*/
if (!verified && X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL) {
if ((crt = X509_STORE_CTX_get_current_cert(ctx)) != NULL &&
(name = X509_get_subject_name(crt)) != NULL)
str = X509_NAME_oneline(name, 0, 0);
fetch_info("No CRL was provided for %s", str);
OPENSSL_free(str);
verified = 1;
}
if (!verified) {
if ((crt = X509_STORE_CTX_get_current_cert(ctx)) != NULL &&
(name = X509_get_subject_name(crt)) != NULL)
str = X509_NAME_oneline(name, 0, 0);
fprintf(stderr, "Certificate verification failed for %s\n",
str != NULL ? str : "no relevant certificate");
fprintf(stderr, "Certificate verification failed for %s (%d)\n",
str != NULL ? str : "no relevant certificate",
X509_STORE_CTX_get_error(ctx));
OPENSSL_free(str);
}
return (verified);
}