mirror of
https://github.com/OpenVPN/openvpn3.git
synced 2024-09-19 19:52:15 +02:00
Trigger events on common TLS alerts
OpenVPN 2.7/master will no longer suppress TLS Alerts but send them out to the client. Create event for the common events that occur and notify them to the UI process. Jira: OVPN-1215 Signed-off-by: Arne Schwabe <arne@openvpn.net>
This commit is contained in:
parent
ae3f94a1f5
commit
fe91436cc4
@ -584,7 +584,27 @@ class ClientConnect : ClientProto::NotifyCallback,
|
||||
case Error::NTLM_MISSING_CRYPTO:
|
||||
add_error_and_stop<ClientEvent::NtlmMissingCryptoError>(client.get());
|
||||
break;
|
||||
|
||||
case Error::TLS_ALERT_PROTOCOL_VERSION:
|
||||
add_error_and_stop<ClientEvent::TLSAlertProtocolVersion>(fatal_code);
|
||||
break;
|
||||
case Error::TLS_SIGALG_DISALLOWED_OR_UNSUPPORTED:
|
||||
add_error_and_stop<ClientEvent::TLSSigAlgDisallowedOrUnsupported>(fatal_code);
|
||||
break;
|
||||
case Error::TLS_ALERT_UNKNOWN_CA:
|
||||
add_error_and_stop<ClientEvent::TLSAlertProtocolUnknownCA>(fatal_code);
|
||||
break;
|
||||
case Error::TLS_ALERT_MISC:
|
||||
add_error_and_stop<ClientEvent::TLSAlertMisc>(fatal_code, fatal_reason);
|
||||
break;
|
||||
case Error::TLS_ALERT_HANDSHAKE_FAILURE:
|
||||
add_error_and_stop<ClientEvent::TLSAlertHandshakeFailure>(fatal_code);
|
||||
break;
|
||||
case Error::TLS_ALERT_CERTIFICATE_EXPIRED:
|
||||
add_error_and_stop<ClientEvent::TLSAlertCertificateExpire>(fatal_code);
|
||||
break;
|
||||
case Error::TLS_ALERT_CERTIFICATE_REVOKED:
|
||||
add_error_and_stop<ClientEvent::TLSAlertCertificateRevoked>(fatal_code);
|
||||
break;
|
||||
default:
|
||||
throw client_connect_unhandled_exception();
|
||||
}
|
||||
|
@ -75,6 +75,13 @@ enum Type
|
||||
AUTH_FAILED,
|
||||
CERT_VERIFY_FAIL,
|
||||
TLS_VERSION_MIN,
|
||||
TLS_ALERT_PROTOCOL_VERSION,
|
||||
TLS_ALERT_UNKNOWN_CA,
|
||||
TLS_ALERT_MISC,
|
||||
TLS_ALERT_HANDSHAKE_FAILURE,
|
||||
TLS_ALERT_CERTIFICATE_EXPIRED,
|
||||
TLS_ALERT_CERTIFICATE_REVOKED,
|
||||
TLS_SIGALG_DISALLOWED_OR_UNSUPPORTED,
|
||||
CLIENT_HALT,
|
||||
CLIENT_SETUP,
|
||||
TUN_HALT,
|
||||
@ -138,6 +145,13 @@ inline const char *event_name(const Type type)
|
||||
"AUTH_FAILED",
|
||||
"CERT_VERIFY_FAIL",
|
||||
"TLS_VERSION_MIN",
|
||||
"TLS_ALERT_PROTOCOL_VERSION",
|
||||
"TLS_ALERT_UNKNOWN_CA",
|
||||
"TLS_ALERT_MISC",
|
||||
"TLS_ALERT_HANDSHAKE_FAILURE",
|
||||
"TLS_ALERT_CERTIFICATE_EXPIRED",
|
||||
"TLS_ALERT_CERTIFICATE_REVOKED",
|
||||
"TLS_SIGALG_DISALLOWED_OR_UNSUPPORTED",
|
||||
"CLIENT_HALT",
|
||||
"CLIENT_SETUP",
|
||||
"TUN_HALT",
|
||||
@ -320,6 +334,14 @@ struct InactiveTimeout : public Base
|
||||
}
|
||||
};
|
||||
|
||||
struct TLSMinVersion : public Base
|
||||
{
|
||||
TLSMinVersion()
|
||||
: Base(TLS_VERSION_MIN)
|
||||
{
|
||||
}
|
||||
};
|
||||
|
||||
struct TLSVersionMinFail : public Base
|
||||
{
|
||||
TLSVersionMinFail()
|
||||
@ -328,6 +350,56 @@ struct TLSVersionMinFail : public Base
|
||||
}
|
||||
};
|
||||
|
||||
struct TLSAlertProtocolVersion : public Base
|
||||
{
|
||||
TLSAlertProtocolVersion()
|
||||
: Base(TLS_ALERT_PROTOCOL_VERSION)
|
||||
{
|
||||
}
|
||||
};
|
||||
|
||||
struct TLSAlertHandshakeFailure : public Base
|
||||
{
|
||||
TLSAlertHandshakeFailure()
|
||||
: Base(TLS_ALERT_HANDSHAKE_FAILURE)
|
||||
{
|
||||
}
|
||||
};
|
||||
|
||||
struct TLSAlertCertificateExpire : public Base
|
||||
{
|
||||
TLSAlertCertificateExpire()
|
||||
: Base(TLS_ALERT_CERTIFICATE_EXPIRED)
|
||||
{
|
||||
}
|
||||
};
|
||||
|
||||
struct TLSAlertCertificateRevoked : public Base
|
||||
{
|
||||
TLSAlertCertificateRevoked()
|
||||
: Base(TLS_ALERT_CERTIFICATE_REVOKED)
|
||||
{
|
||||
}
|
||||
};
|
||||
|
||||
struct TLSSigAlgDisallowedOrUnsupported : public Base
|
||||
{
|
||||
TLSSigAlgDisallowedOrUnsupported()
|
||||
: Base(TLS_SIGALG_DISALLOWED_OR_UNSUPPORTED)
|
||||
{
|
||||
}
|
||||
};
|
||||
|
||||
struct TLSAlertProtocolUnknownCA : public Base
|
||||
{
|
||||
TLSAlertProtocolUnknownCA()
|
||||
: Base(TLS_ALERT_UNKNOWN_CA)
|
||||
{
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
|
||||
#ifdef HAVE_JSON
|
||||
|
||||
struct InfoJSON : public Base
|
||||
@ -444,6 +516,15 @@ struct ReasonBase : public Base
|
||||
std::string reason;
|
||||
};
|
||||
|
||||
/* thrown if no other of the TLSAlert* events are matching */
|
||||
struct TLSAlertMisc : public ReasonBase
|
||||
{
|
||||
TLSAlertMisc(std::string reason)
|
||||
: ReasonBase(TLS_ALERT_MISC, std::move(reason))
|
||||
{
|
||||
}
|
||||
};
|
||||
|
||||
struct AuthFailed : public ReasonBase
|
||||
{
|
||||
AuthFailed(std::string reason)
|
||||
@ -540,6 +621,7 @@ struct NtlmMissingCryptoError : public ReasonBase
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
struct ProxyNeedCreds : public ReasonBase
|
||||
{
|
||||
ProxyNeedCreds(std::string reason)
|
||||
|
@ -74,6 +74,13 @@ enum Type
|
||||
PRIMARY_EXPIRE, // primary key context expired
|
||||
TLS_VERSION_MIN, // peer cannot handshake at our minimum required TLS version
|
||||
TLS_SIGALG_DISALLOWED_OR_UNSUPPORTED, // signature algorithm required by TLS peer is not supported
|
||||
TLS_ALERT_PROTOCOL_VERSION, // TLS Alert: No common TLS version between server and client
|
||||
TLS_ALERT_UNKNOWN_CA, // TLS Alert: Unknown CA (client certificate verify failed or peer-fingerprint failed)
|
||||
TLS_ALERT_HANDSHAKE_FAILURE, // TLS Alert: Generic handshake failure from the other side
|
||||
TLS_ALERT_CERTIFICATE_REQUIRED, // TLS Alert: certificate is required
|
||||
TLS_ALERT_CERTIFICATE_EXPIRED, // TLS Alert: certificate has expired
|
||||
TLS_ALERT_CERTIFICATE_REVOKED, // TLS Alert: certificate is revoked
|
||||
TLS_ALERT_MISC, // Any TLS Alert that is in any of the previous TLS alerts
|
||||
TLS_AUTH_FAIL, // tls-auth HMAC verification failed
|
||||
TLS_CRYPT_META_FAIL, // tls-crypt-v2 metadata verification failed
|
||||
CERT_VERIFY_FAIL, // peer certificate verification failure
|
||||
@ -161,6 +168,13 @@ inline const char *name(const size_t type)
|
||||
"PRIMARY_EXPIRE",
|
||||
"TLS_VERSION_MIN",
|
||||
"TLS_SIGALG_DISALLOWED_OR_UNSUPPORTED",
|
||||
"TLS_ALERT_PROTOCOL_VERSION",
|
||||
"TLS_ALERT_UNKNOWN_CA",
|
||||
"TLS_ALERT_HANDSHAKE_FAILURE",
|
||||
"TLS_ALERT_CERTIFICATE_REQUIRED",
|
||||
"TLS_ALERT_CERTIFICATE_EXPIRED",
|
||||
"TLS_ALERT_CERTIFICATE_REVOKED",
|
||||
"TLS_ALERT_MISC",
|
||||
"TLS_AUTH_FAIL",
|
||||
"TLS_CRYPT_META_FAIL",
|
||||
"CERT_VERIFY_FAIL",
|
||||
|
@ -140,12 +140,19 @@ class OpenSSLException : public ExceptionCode
|
||||
if (n_err < MAX_ERRORS)
|
||||
errstack[n_err++] = err;
|
||||
ERR_error_string_n(err, buf, sizeof(buf));
|
||||
auto reason = ERR_GET_REASON(err);
|
||||
tmp << prefix << buf;
|
||||
if (reason >= SSL_AD_REASON_OFFSET)
|
||||
{
|
||||
tmp << "[" << SSL_alert_desc_string_long(reason - SSL_AD_REASON_OFFSET) << "]";
|
||||
}
|
||||
|
||||
prefix = " / ";
|
||||
|
||||
// for certain OpenSSL errors, translate them to an OpenVPN error code,
|
||||
// so they can be propagated up to the higher levels (such as UI level)
|
||||
switch (ERR_GET_REASON(err))
|
||||
|
||||
switch (reason)
|
||||
{
|
||||
case SSL_R_CERTIFICATE_VERIFY_FAILED:
|
||||
set_code(Error::CERT_VERIFY_FAIL, true);
|
||||
@ -172,6 +179,30 @@ class OpenSSLException : public ExceptionCode
|
||||
case SSL_R_DH_KEY_TOO_SMALL:
|
||||
set_code(Error::SSL_DH_KEY_TOO_SMALL, true);
|
||||
break;
|
||||
case SSL_R_TLSV1_ALERT_PROTOCOL_VERSION:
|
||||
set_code(Error::TLS_ALERT_PROTOCOL_VERSION, true);
|
||||
break;
|
||||
case SSL_R_TLSV1_ALERT_UNKNOWN_CA:
|
||||
set_code(Error::TLS_ALERT_UNKNOWN_CA, true);
|
||||
break;
|
||||
case SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE:
|
||||
set_code(Error::TLS_ALERT_HANDSHAKE_FAILURE, true);
|
||||
break;
|
||||
case SSL_R_TLSV13_ALERT_CERTIFICATE_REQUIRED:
|
||||
set_code(Error::TLS_ALERT_CERTIFICATE_REQUIRED, true);
|
||||
break;
|
||||
case SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED:
|
||||
set_code(Error::TLS_ALERT_CERTIFICATE_EXPIRED, true);
|
||||
break;
|
||||
case SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED:
|
||||
set_code(Error::TLS_ALERT_CERTIFICATE_REVOKED, true);
|
||||
break;
|
||||
default:
|
||||
if (reason > SSL_AD_REASON_OFFSET)
|
||||
{
|
||||
/* all TLS alerts use TLS alert code + SSL_AD_REASON_OFFSET in OpenSSL */
|
||||
set_code(Error::TLS_ALERT_MISC, true);
|
||||
}
|
||||
}
|
||||
}
|
||||
errtxt = tmp.str();
|
||||
|
@ -341,6 +341,10 @@ class Client : public ClientBase
|
||||
std::cout << "Unrecognized INFO/INFO_PRE message: " << ev.info << std::endl;
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
std::cout << "Received event " << ev.name << " " << ev.info << std::endl;
|
||||
}
|
||||
}
|
||||
|
||||
void handle_dpc1_protocol(const ClientAPI::AppCustomControlMessageEvent &acev)
|
||||
|
Loading…
Reference in New Issue
Block a user