From e9a7c3772a433d1ae1fdb3acb063948d1ab8570b Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Wed, 2 Oct 2024 12:14:40 +0200 Subject: [PATCH] libfetch: allow use of SSL_CRL_VERIFY Since the default store already points to /etc/ssl/certs and the CRLs are hashed there too it is trivial to bring libfetch applications to verifying the CRLs contained when doing a SSL connection. libfetch: ignore the error of an absence of a CRL ... when passing SSL_CRL_FILE / SSL_CRL_VERIFY. The situation isn't ideal, but since we don't know what we are going to deal with the situation is tricky. It's especially pointless in scenarios of pkg multi-repo cases where we need to deal wit a mixed bag of URLs during the same context. For the benefit of the doubt print the appropriate message for the user to see. In general it would be a bit safer if we could enforce the existence of a CRL distribution point as a mandatory CRL check and the others as an optional one with the warning as printed for the user to see. It would also need a strict mode if someone needed the other behaviour but since we did not have any consumers of SSL_CRL_FILE and --crl was broken for a long time it's safe to assume nobody uses this for these specific reasons. libfetch: add the error number to verify callback failure case --- lib/libfetch/common.c | 36 +++++++++++++++++++++++++++++++++--- 1 file changed, 33 insertions(+), 3 deletions(-) diff --git a/lib/libfetch/common.c b/lib/libfetch/common.c index dfa74257758..7c10a8f57ce 100644 --- a/lib/libfetch/common.c +++ b/lib/libfetch/common.c @@ -1060,7 +1060,7 @@ fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) { X509_LOOKUP *crl_lookup; X509_STORE *crl_store; - const char *ca_cert_file, *ca_cert_path, *crl_file; + const char *ca_cert_file, *ca_cert_path, *crl_file, *crl_verify; if (getenv("SSL_NO_VERIFY_PEER") == NULL) { ca_cert_file = getenv("SSL_CA_CERT_FILE"); @@ -1084,6 +1084,13 @@ fetch_ssl_setup_peer_verification(SSL_CTX *ctx, int verbose) ca_cert_path); else SSL_CTX_set_default_verify_paths(ctx); + if ((crl_verify = getenv("SSL_CRL_VERIFY")) != NULL) { + if (verbose) + fetch_info("Using CRL verify: yes"); + X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(ctx), + X509_V_FLAG_CRL_CHECK | + X509_V_FLAG_CRL_CHECK_ALL); + } if ((crl_file = getenv("SSL_CRL_FILE")) != NULL) { if (verbose) fetch_info("Using CRL file: %s", crl_file); @@ -1154,14 +1161,37 @@ fetch_ssl_cb_verify_crt(int verified, X509_STORE_CTX *ctx) char *str; str = NULL; + + /* + * CLRs may be defined explictly but not always. The absence of a + * CRL distribution point is no indication that a CRL does not exist + * which also means the CRL check being enforced will require to have + * proper CRLs in place for the certificates to be checked which can + * not be guaranteed for a random hostname on the Internet. Disable + * the specific OpenSSL error that deals with this case given that + * we do make the utmost effort to supply a proper list of CRLs that + * are required to verify the certificate(s) in question. + */ + if (!verified && X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL) { + if ((crt = X509_STORE_CTX_get_current_cert(ctx)) != NULL && + (name = X509_get_subject_name(crt)) != NULL) + str = X509_NAME_oneline(name, 0, 0); + fetch_info("No CRL was provided for %s", str); + OPENSSL_free(str); + + verified = 1; + } + if (!verified) { if ((crt = X509_STORE_CTX_get_current_cert(ctx)) != NULL && (name = X509_get_subject_name(crt)) != NULL) str = X509_NAME_oneline(name, 0, 0); - fprintf(stderr, "Certificate verification failed for %s\n", - str != NULL ? str : "no relevant certificate"); + fprintf(stderr, "Certificate verification failed for %s (%d)\n", + str != NULL ? str : "no relevant certificate", + X509_STORE_CTX_get_error(ctx)); OPENSSL_free(str); } + return (verified); }