From cdd7852b32704c0516a8849bb62d525c2bae9b5d Mon Sep 17 00:00:00 2001
From: James Yonan
Date: Thu, 9 Jan 2025 20:16:55 -0700
Subject: [PATCH] TLS: in OpenSSL verify_callback_server(), set fine-grained alert error codes

For example, early rejection of common name will call X509_STORE_CTX_set_error with X509_V_ERR_CERT_REJECTED. This, in turn, will alert the client: EVENT: TLS_ALERT_MISC OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2640 status=0: error:14094412: SSL routines:ssl3_read_bytes:sslv3 alert bad certificate[bad certificate] [FATAL-ERR]
Signed-off-by: James Yonan
---
 openvpn/openssl/ssl/sslctx.hpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/openvpn/openssl/ssl/sslctx.hpp b/openvpn/openssl/ssl/sslctx.hpp
index 01227a35..098f2840 100644
--- a/openvpn/openssl/ssl/sslctx.hpp
+++ b/openvpn/openssl/ssl/sslctx.hpp
@@ -1976,6 +1976,7 @@ class OpenSSLContext : public SSLFactoryAPI
 self_ssl->authcert->add_fail(depth, AuthCert::Fail::BAD_CERT_TYPE, "bad peer-fingerprint in leaf certificate");
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_SIGNATURE_FAILURE);
 preverify_ok = false;
 }
@@ -1987,6 +1988,7 @@ class OpenSSLContext : public SSLFactoryAPI
 self_ssl->authcert->add_fail(depth, AuthCert::Fail::BAD_CERT_TYPE, "bad ns-cert-type in leaf certificate");
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_INVALID_PURPOSE);
 preverify_ok = false;
 }
@@ -1998,6 +2000,7 @@ class OpenSSLContext : public SSLFactoryAPI
 self_ssl->authcert->add_fail(depth, AuthCert::Fail::BAD_CERT_TYPE, "bad X509 key usage in leaf certificate");
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_INVALID_PURPOSE);
 preverify_ok = false;
 }
@@ -2009,6 +2012,7 @@ class OpenSSLContext : public SSLFactoryAPI
 self_ssl->authcert->add_fail(depth, AuthCert::Fail::BAD_CERT_TYPE, "bad X509 extended key usage in leaf certificate");
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_INVALID_PURPOSE);
 preverify_ok = false;
 }
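Review bot: In the first hunk, X509_V_ERR_CERT_SIGNATURE_FAILURE is set for a peer-fingerprint mismatch, which is a pinning failure rather than a cryptographic signature failure, so a client reading the resulting alert will be pointed at a key/signature problem instead of a pin mismatch; if I read OpenSSL's verify-error-to-alert mapping correctly, that code also yields a decrypt_error alert rather than the bad_certificate alert shown in the commit message's example. X509_V_ERR_CERT_REJECTED, as the last hunk already uses for the Common Name rejection, or X509_V_ERR_APPLICATION_VERIFICATION describes this case accurately: `X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED);`. The three X509_V_ERR_INVALID_PURPOSE hunks that follow match what those checks test and need no change. A one-line comment above each set_error call, such as `// only selects the TLS alert sent to the peer; the verify outcome is decided by preverify_ok`, would stop the next reader from assuming the call itself fails verification. verify_callback_server begins and ends outside these hunks.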
@@ -2023,12 +2027,14 @@ class OpenSSLContext : public SSLFactoryAPI
 if (self->config->cn_reject_handler->reject(cn)) {
 OVPN_LOG_INFO("VERIFY FAIL -- early rejection of leaf cert Common Name");
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED);
 preverify_ok = false;
 }
 }
 catch (const std::exception &e) {
 OVPN_LOG_INFO("VERIFY FAIL -- early rejection of leaf cert Common Name due to handler exception: " << e.what());
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REJECTED);
 preverify_ok = false;
 }
 }