Skip to content

Commit

Permalink
Log OpenSSL errors on failure to set certificate
Browse files Browse the repository at this point in the history
Currently we log a bogus error message saying private key password
verification failed when SSL_CTX_use_cert_and_key() fails in
pkcs11_openssl.c. Instead print OpenSSL error queue and exit promptly.

Also log OpenSSL errors when SSL_CTX_use_certiifcate() fails in
cryptoapi.c and elsewhere. Such logging could be useful especially when
the ceritficate is rejected by OpenSSL due to stricter security
restrictions in recent versions of the library.

Change-Id: Ic7ec25ac0503a91d5869b8da966d0065f264af22
Signed-off-by: Selva Nair <[email protected]>
Acked-by: Arne Schwabe <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg27122.html
Signed-off-by: Gert Doering <[email protected]>
  • Loading branch information
selvanair authored and cron2 committed Oct 2, 2023
1 parent 607ae9b commit 2671dcb
Show file tree
Hide file tree
Showing 5 changed files with 30 additions and 2 deletions.
2 changes: 2 additions & 0 deletions src/openvpn/cryptoapi.c
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,7 @@
#include "openssl_compat.h"
#include "win32.h"
#include "xkey_common.h"
#include "crypto_openssl.h"

#ifndef HAVE_XKEY_PROVIDER

Expand Down Expand Up @@ -505,6 +506,7 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop)
if (SSL_CTX_use_certificate(ssl_ctx, cert)
&& SSL_CTX_use_PrivateKey(ssl_ctx, privkey))
{
crypto_print_openssl_errors(M_WARN);
ret = 1;
}

Expand Down
6 changes: 4 additions & 2 deletions src/openvpn/pkcs11_openssl.c
Original file line number Diff line number Diff line change
Expand Up @@ -302,7 +302,8 @@ xkey_load_from_pkcs11h(pkcs11h_certificate_t certificate,

if (!SSL_CTX_use_cert_and_key(ctx->ctx, x509, pkey, NULL, 0))
{
msg(M_WARN, "PKCS#11: Failed to set cert and private key for OpenSSL");
crypto_print_openssl_errors(M_WARN);
msg(M_FATAL, "PKCS#11: Failed to set cert and private key for OpenSSL");
goto cleanup;
}
ret = 1;
Expand Down Expand Up @@ -369,7 +370,8 @@ pkcs11_init_tls_session(pkcs11h_certificate_t certificate,

if (!SSL_CTX_use_certificate(ssl_ctx->ctx, x509))
{
msg(M_WARN, "PKCS#11: Cannot set certificate for openssl");
crypto_print_openssl_errors(M_WARN);
msg(M_FATAL, "PKCS#11: Cannot set certificate for openssl");
goto cleanup;
}
ret = 0;
Expand Down
2 changes: 2 additions & 0 deletions src/openvpn/ssl_openssl.c
Original file line number Diff line number Diff line change
Expand Up @@ -857,6 +857,7 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
/* Load Certificate */
if (!SSL_CTX_use_certificate(ctx->ctx, cert))
{
crypto_print_openssl_errors(M_WARN);
crypto_msg(M_FATAL, "Cannot use certificate");
}

Expand Down Expand Up @@ -1007,6 +1008,7 @@ tls_ctx_load_cert_file(struct tls_root_ctx *ctx, const char *cert_file,
end:
if (!ret)
{
crypto_print_openssl_errors(M_WARN);
if (cert_file_inline)
{
crypto_msg(M_FATAL, "Cannot load inline certificate file");
Expand Down
11 changes: 11 additions & 0 deletions tests/unit_tests/openvpn/test_cryptoapi.c
Original file line number Diff line number Diff line change
Expand Up @@ -58,6 +58,17 @@ management_query_pk_sig(struct management *man, const char *b64_data,
return NULL;
}

/* replacement for crypto_print_openssl_errors() */
void
crypto_print_openssl_errors(const unsigned int flags)
{
unsigned long e;
while ((e = ERR_get_error()))
{
msg(flags, "OpenSSL error %lu: %s\n", e, ERR_error_string(e, NULL));
}
}

/* tls_libctx is defined in ssl_openssl.c which we do not want to compile in */
OSSL_LIB_CTX *tls_libctx;

Expand Down
11 changes: 11 additions & 0 deletions tests/unit_tests/openvpn/test_pkcs11.c
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,17 @@

struct management *management; /* global */

/* replacement for crypto_print_openssl_errors() */
void
crypto_print_openssl_errors(const unsigned int flags)
{
unsigned long e;
while ((e = ERR_get_error()))
{
msg(flags, "OpenSSL error %lu: %s\n", e, ERR_error_string(e, NULL));
}
}

/* stubs for some unused functions instead of pulling in too many dependencies */
int
parse_line(const char *line, char **p, const int n, const char *file,
Expand Down

0 comments on commit 2671dcb

Please sign in to comment.