
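diff -up stunnel-5.56/src/ssl.c.verify-chain stunnel-5.56/src/ssl.c
--- stunnel-5.56/src/ssl.c.verify-chain	2021-02-17 00:37:28.950981672 +0100
+++ stunnel-5.56/src/ssl.c	2021-02-17 00:37:36.047053139 +0100
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2020 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
@@ -39,7 +39,12 @@
 #include "prototypes.h"
 
     /* global OpenSSL initialization: compression, engine, entropy */
-#if OPENSSL_VERSION_NUMBER>=0x10100000L
+NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+        int idx, long argl, void *argp);
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
+NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+    void **from_d, int idx, long argl, void *argp);
+#elif OPENSSL_VERSION_NUMBER>=0x10100000L
 NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
     void *from_d, int idx, long argl, void *argp);
 #else
@@ -72,7 +77,7 @@ int ssl_init(void) { /* init TLS before
     index_ssl_ctx_opt=SSL_CTX_get_ex_new_index(0,
         "SERVICE_OPTIONS pointer", NULL, NULL, NULL);
     index_session_authenticated=SSL_SESSION_get_ex_new_index(0,
-        "session authenticated", NULL, NULL, NULL);
+        "session authenticated", cb_new_auth, NULL, NULL);
     index_session_connect_address=SSL_SESSION_get_ex_new_index(0,
         "session connect address", NULL, cb_dup_addr, cb_free_addr);
     if(index_ssl_cli<0 || index_ssl_ctx_opt<0 ||
@@ -104,17 +109,31 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNU
     BN_free(dh->p);
     BN_free(dh->q);
     BN_free(dh->g);
-    dh->p = p;
-    dh->q = q;
-    dh->g = g;
+    dh->p=p;
+    dh->q=q;
+    dh->g=g;
     if(q)
-        dh->length = BN_num_bits(q);
+        dh->length=BN_num_bits(q);
     return 1;
 }
 #endif
 #endif
 
-#if OPENSSL_VERSION_NUMBER>=0x10100000L
+NOEXPORT void cb_new_auth(void *parent, void *ptr, CRYPTO_EX_DATA *ad,
+        int idx, long argl, void *argp) {
+    (void)parent; /* squash the unused parameter warning */
+    (void)ptr; /* squash the unused parameter warning */
+    (void)argl; /* squash the unused parameter warning */
+    s_log(LOG_DEBUG, "Initializing application specific data for %s",
+        (char *)argp);
+    if(!CRYPTO_set_ex_data(ad, idx, (void *)(-1)))
+        sslerror("CRYPTO_set_ex_data");
+}
+
+#if OPENSSL_VERSION_NUMBER>=0x30000000L
+NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
+        void **from_d, int idx, long argl, void *argp) {
+#elif OPENSSL_VERSION_NUMBER>=0x10100000L
 NOEXPORT int cb_dup_addr(CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from,
         void *from_d, int idx, long argl, void *argp) {
 #else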
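diff -up stunnel-5.56/src/verify.c.verify-chain stunnel-5.56/src/verify.c
--- stunnel-5.56/src/verify.c.verify-chain	2021-02-17 00:37:11.577806692 +0100
+++ stunnel-5.56/src/verify.c	2021-02-17 00:37:42.542118546 +0100
@@ -1,6 +1,6 @@
 /*
  *   stunnel       TLS offloading and load-balancing proxy
- *   Copyright (C) 1998-2019 Michal Trojnara <Michal.Trojnara@stunnel.org>
+ *   Copyright (C) 1998-2020 Michal Trojnara <Michal.Trojnara@stunnel.org>
  *
  *   This program is free software; you can redistribute it and/or modify it
  *   under the terms of the GNU General Public License as published by the
@@ -214,11 +214,15 @@ NOEXPORT int verify_callback(int preveri
         s_log(LOG_INFO, "Certificate verification disabled");
         return 1; /* accept */
     }
-    if(verify_checks(c, preverify_ok, callback_ctx)) {
+    if(verify_checks(c, preverify_ok, callback_ctx))
+        return 1; /* accept */
+    if(c->opt->option.client || c->opt->protocol)
+        return 0; /* reject */
+    if(c->opt->redirect_addr.names) {
         SSL_SESSION *sess=SSL_get1_session(c->ssl);
         if(sess) {
-            int ok=SSL_SESSION_set_ex_data(sess, index_session_authenticated,
-                (void *)(-1));
+            int ok=SSL_SESSION_set_ex_data(sess,
+                index_session_authenticated, NULL);
             SSL_SESSION_free(sess);
             if(!ok) {
                 sslerror("SSL_SESSION_set_ex_data");
@@ -227,10 +231,6 @@ NOEXPORT int verify_callback(int preveri
         }
         return 1; /* accept */
     }
-    if(c->opt->option.client || c->opt->protocol)
-        return 0; /* reject */
-    if(c->opt->redirect_addr.names)
-        return 1; /* accept */
     return 0; /* reject */
 }
 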
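Review bot: With the flag now pre-set to "authenticated" at session creation (the ssl.c hunk), the `if(sess)` guard after `SSL_get1_session` makes a NULL session fail open: the code falls through to `return 1; /* accept */` without clearing the flag, so a connection whose verification failed would be handed to the real backend instead of the redirect target. Before this change the same path left the flag unset, which meant "not authenticated", so the NULL case used to be the safe direction. Reject instead: `if(!sess) return 0; /* reject: cannot clear the authenticated flag */`. Whether SSL_get1_session can actually return NULL inside the verify callback I cannot tell from here, but the guard costs one line. verify_callback starts before the hunk, and the `if(!ok)` branch continues past it.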
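diff -up stunnel-5.56/tests/recipes/028_redirect_chain.verify-chain stunnel-5.56/tests/recipes/028_redirect_chain
--- stunnel-5.56/tests/recipes/028_redirect_chain.verify-chain	2021-02-17 00:38:44.823745781 +0100
+++ stunnel-5.56/tests/recipes/028_redirect_chain	2021-02-17 00:38:16.143456937 +0100
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# Redirect TLS client connections on certificate-based authentication failures.
+# [client_1] -> [server_1] -> [client_2] -> [server_2]
+# The success is expected because the client presents the *wrong* certificate
+# and the client connection is redirected.
+# Checking if the verifyChain option verifies the peer certificate starting from the root CA.
+
+. $(dirname $0)/../test_library
+
+start() {
+  ../../src/stunnel -fd 0 <
+  debug = debug
+  syslog = no
+  pid = ${result_path}/stunnel.pid
+  output = ${result_path}/stunnel.log
+
+  [client_1]
+  client = yes
+  accept = 127.0.0.1:${http1}
+  connect = 127.0.0.1:${https1}
+  ;cert = ${script_path}/certs/client_cert.pem
+;wrong self signed certificate
+  cert = ${script_path}/certs/stunnel.pem
+
+  [client_2]
+  client = yes
+  accept = 127.0.0.1:${http2}
+  connect = 127.0.0.1:${https2}
+
+  [server_1]
+  accept = 127.0.0.1:${https1}
+  exec = ${script_path}/execute
+  execArgs = execute 028_redirect_chain_error
+  redirect = ${http2}
+  cert = ${script_path}/certs/server_cert.pem
+  verifyChain = yes
+  CAfile = ${script_path}/certs/CACert.pem
+
+  [server_2]
+  accept = 127.0.0.1:${https2}
+  cert = ${script_path}/certs/server_cert.pem
+  exec = ${script_path}/execute
+  execArgs = execute 028_redirect_chain
+
+EOT
+}
+
+test_log_for "028_redirect_chain" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log"
+exit $?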
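Review bot: The expected log token `028_redirect_chain` is a prefix of the failure token `028_redirect_chain_error` that server_1 emits, so if test_log_for matches by substring (test_library is not part of this patch) the failure path would also satisfy the check and the test could pass without any redirect happening; 029_no_redirect_chain has the same relationship between its two tokens. Tokens that are not prefixes of each other, e.g. a constructed `execArgs = execute 028_redirect_chain_direct` for the server_1 branch, would make the assertion unambiguous. Also, the `../../src/stunnel -fd 0 <` line has no `<<EOT` operator to pair with the closing `EOT`; this looks like the page rendering dropping `<EOT`, but it is worth confirming the file on disk reads `<<EOT`.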
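diff -up stunnel-5.56/tests/recipes/029_no_redirect_chain.verify-chain stunnel-5.56/tests/recipes/029_no_redirect_chain
--- stunnel-5.56/tests/recipes/029_no_redirect_chain.verify-chain	2021-02-17 00:38:57.819876672 +0100
+++ stunnel-5.56/tests/recipes/029_no_redirect_chain	2021-02-17 00:38:24.895545080 +0100
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+# Do not redirect TLS client connections on certificate-based authentication success.
+# [client_1] -> [server_1]
+# The success is expected because the client presents the *correct* certificate
+# and the client connection isn't redirected.
+# Checking if the verifyChain option verifies the peer certificate starting from the root CA.
+
+. $(dirname $0)/../test_library
+
+start() {
+  ../../src/stunnel -fd 0 <
+  debug = debug
+  syslog = no
+  pid = ${result_path}/stunnel.pid
+  output = ${result_path}/stunnel.log
+
+  [client_1]
+  client = yes
+  accept = 127.0.0.1:${http1}
+  connect = 127.0.0.1:${https1}
+;correct certificate
+  cert = ${script_path}/certs/client_cert.pem
+
+  [client_2]
+  client = yes
+  accept = 127.0.0.1:${http2}
+  connect = 127.0.0.1:${https2}
+
+  [server_1]
+  accept = 127.0.0.1:${https1}
+  exec = ${script_path}/execute
+  execArgs = execute 029_no_redirect_chain
+  redirect = ${http2}
+  cert = ${script_path}/certs/server_cert.pem
+  verifyChain = yes
+  CAfile = ${script_path}/certs/CACert.pem
+
+  [server_2]
+  accept = 127.0.0.1:${https2}
+  cert = ${script_path}/certs/server_cert.pem
+  exec = ${script_path}/execute
+  execArgs = execute 029_no_redirect_chain_error
+
+EOT
+}
+
+test_log_for "029_no_redirect_chain" "execute" "0" "$1" "$2" "$3" 2>> "stderr.log"
+exit $?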