[Openvpn-devel] Enablement of quantum-safe key establishment

Hello,

    as per https://community.openvpn.net/openvpn/ticket/1460 the current 
openvpn master fails when activating a TLS1.3 group implemented in an 
external provider.

The patch attached fixes this and enables successful OpenSSL key 
establishment using any of the quantum-safe and hybrid (classic/QSC) 
algorithms supported by https://github.com/open-quantum-safe/oqs-provider

Regards,

--Michael

Am 24.03.22 um 14:40 schrieb Michael Baentsch:
> Hello,
> 
>     as per https://community.openvpn.net/openvpn/ticket/1460 the current 
> openvpn master fails when activating a TLS1.3 group implemented in an 
> external provider.
> 
> The patch attached fixes this and enables successful OpenSSL key 
> establishment using any of the quantum-safe and hybrid (classic/QSC) 
> algorithms supported by https://github.com/open-quantum-safe/oqs-provider

Thanks for the patch. Usually we would like to have patches in a git 
format that contains a commit message (see git format-patch) and 
https://github.com/OpenVPN/openvpn/blob/master/CONTRIBUTING.rst

The current patch has a few problems:

- Breaks OpenSSL 1.0.2 compatibity. Currently we still support RHEL7, 
which only has OpenSSL 1.0.2
- uses C90 variable declaration (int rc)
- indentation problems

We normally use our own gc_alloc etc usage for strings as the previous 
code did. That usage was replaced with malloc/free.

And the code does not have any comments but removes the existing ones 
and with a line like this:

memcpy(idx, f+strlen("secp256r1"), 
strlen(groups)-(f-groups)-strlen("secp256r1"));

some comments what the code is doing would improve readibility.

The fix itself is right of using the newer SSL_CTX_set1_groups_list 
function that uses strings instead of nids.

But if we use a function that only newer OpenSSL version, have you 
double checked that the prime256v1 vs secp256r1 is still necessary


Build failure with OpenSSL 1.0.2: 
https://github.com/schwabe/openvpn/runs/5680551849?check_suite_focus=true

Arne

Thanks very much for the quick and thorough feedback. Indeed your last 
question is pivotal making the patch _much_ simpler (attached): The 
problem manifests itself only in the presence of providers introduced in 
OpenSSL3.0. At the same time, the curve name causing the "dance code" is 
permitted as of OpenSSL3.0...

So all other observations below are moot/should be resolved with the 
much simpler new patch attached. Feel free to delete/amend the comment 
changes as you see fit.

--Michael

Am 24.03.22 um 18:48 schrieb Arne Schwabe:
> Am 24.03.22 um 14:40 schrieb Michael Baentsch:
>> Hello,
>>
>>     as per https://community.openvpn.net/openvpn/ticket/1460 the 
>> current openvpn master fails when activating a TLS1.3 group 
>> implemented in an external provider.
>>
>> The patch attached fixes this and enables successful OpenSSL key 
>> establishment using any of the quantum-safe and hybrid (classic/QSC) 
>> algorithms supported by 
>> https://github.com/open-quantum-safe/oqs-provider
>
> Thanks for the patch. Usually we would like to have patches in a git 
> format that contains a commit message (see git format-patch) and 
> https://github.com/OpenVPN/openvpn/blob/master/CONTRIBUTING.rst
>
> The current patch has a few problems:
>
> - Breaks OpenSSL 1.0.2 compatibity. Currently we still support RHEL7, 
> which only has OpenSSL 1.0.2
> - uses C90 variable declaration (int rc)
> - indentation problems
>
> We normally use our own gc_alloc etc usage for strings as the previous 
> code did. That usage was replaced with malloc/free.
>
> And the code does not have any comments but removes the existing ones 
> and with a line like this:
>
> memcpy(idx, f+strlen("secp256r1"), 
> strlen(groups)-(f-groups)-strlen("secp256r1"));
>
> some comments what the code is doing would improve readibility.
>
> The fix itself is right of using the newer SSL_CTX_set1_groups_list 
> function that uses strings instead of nids.
>
> But if we use a function that only newer OpenSSL version, have you 
> double checked that the prime256v1 vs secp256r1 is still necessary
>
>
> Build failure with OpenSSL 1.0.2: 
> https://github.com/schwabe/openvpn/runs/5680551849?check_suite_focus=true
>
> Arne
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index b8595174..af97dabc 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -572,13 +572,15 @@ void
 tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
 {
     ASSERT(ctx);
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
     struct gc_arena gc = gc_new();
     /* This method could be as easy as
      *  SSL_CTX_set1_groups_list(ctx->ctx, groups)
-     * but OpenSSL does not like the name secp256r1 for prime256v1
+     * but OpenSSL (< 3.0) does not like the name secp256r1 for prime256v1
      * This is one of the important curves.
      * To support the same name for OpenSSL and mbedTLS, we do
      * this dance.
+     * Also note that the code is wrong in the presence of OpenSSL3 providers.
      */
 
     int groups_count = get_num_elements(groups, ':');
@@ -617,6 +619,13 @@ tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
                    groups);
     }
     gc_free(&gc);
+#else
+    if (!SSL_CTX_set1_groups_list(ctx->ctx, groups))
+    {
+        crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s",
+                   groups);
+    }
+#endif
 }
 
 void

Am 25.03.22 um 08:21 schrieb Michael Baentsch:
> Thanks very much for the quick and thorough feedback. Indeed your last 
> question is pivotal making the patch _much_ simpler (attached): The 
> problem manifests itself only in the presence of providers introduced in 
> OpenSSL3.0. At the same time, the curve name causing the "dance code" is 
> permitted as of OpenSSL3.0...
> 
> So all other observations below are moot/should be resolved with the 
> much simpler new patch attached. Feel free to delete/amend the comment 
> changes as you see fit.

Thanks v2 looks much better code wise and gets ack from me. To commit 
the patch could you either send the patch in git format-message format 
or provide a commit subject and text so we can make full commit of your 
patch?

Arne

On 25/03/2022 16:04, Arne Schwabe wrote:
> Am 25.03.22 um 08:21 schrieb Michael Baentsch:
>> Thanks very much for the quick and thorough feedback. Indeed your last 
>> question is pivotal making the patch _much_ simpler (attached): The 
>> problem manifests itself only in the presence of providers introduced 
>> in OpenSSL3.0. At the same time, the curve name causing the "dance 
>> code" is permitted as of OpenSSL3.0...
>>
>> So all other observations below are moot/should be resolved with the 
>> much simpler new patch attached. Feel free to delete/amend the comment 
>> changes as you see fit.
> 
> Thanks v2 looks much better code wise and gets ack from me. To commit 
> the patch could you either send the patch in git format-message format 
> or provide a commit subject and text so we can make full commit of your 
> patch?

We also need the patch to bear the sign-off-by line, so better create an 
actual git commit and export it via git-format-patch.

Cheers,

I'm not quite sure I understand what you're asking me to do. Why not 
simply use standard github cooperation mechanisms?

Whatever, I put the stuff into 
https://github.com/OpenVPN/openvpn/pull/170 but couldn't run the command 
suggested there:

$ git send-email --to=openvpn-devel@lists.sourceforge.net HEAD~1
git: 'send-email' ist kein Git-Befehl. Siehe 'git --help'.

Pardon the German of my computer: It says "send-email" is no known git 
command.

Please let me know what to do now.

Regards,

--Michael


FWIW, I now have
Am 25.03.22 um 16:09 schrieb Antonio Quartulli:
> On 25/03/2022 16:04, Arne Schwabe wrote:
>> Am 25.03.22 um 08:21 schrieb Michael Baentsch:
>>> Thanks very much for the quick and thorough feedback. Indeed your 
>>> last question is pivotal making the patch _much_ simpler (attached): 
>>> The problem manifests itself only in the presence of providers 
>>> introduced in OpenSSL3.0. At the same time, the curve name causing 
>>> the "dance code" is permitted as of OpenSSL3.0...
>>>
>>> So all other observations below are moot/should be resolved with the 
>>> much simpler new patch attached. Feel free to delete/amend the 
>>> comment changes as you see fit.
>>
>> Thanks v2 looks much better code wise and gets ack from me. To commit 
>> the patch could you either send the patch in git format-message 
>> format or provide a commit subject and text so we can make full 
>> commit of your patch?
>
> We also need the patch to bear the sign-off-by line, so better create 
> an actual git commit and export it via git-format-patch.
>
> Cheers,
>
>

Hi,

On Fri, Mar 25, 2022 at 06:10:10PM +0100, Michael Baentsch wrote:
> I'm not quite sure I understand what you're asking me to do. Why not 
> simply use standard github cooperation mechanisms?

Because our master repo is not "on github", and we do patch review
via the mailing list, with archived public ACKs, and list archive
URLs included in the commit message.  So it is very clear how a 
certain code change came into our tree.

(Is this highly annoying and very much time consuming?  Yes... 
but also "is this appropriate for software handling people's most
sensitive data packets?" - and the answer for that is "yes!" as 
well... :-) )

> $ git send-email --to=openvpn-devel@lists.sourceforge.net HEAD~1
> git: 'send-email' ist kein Git-Befehl. Siehe 'git --help'.
>
> Pardon the German of my computer: It says "send-email" is no known git 
> command.

Seems your distribution split this part of git into a separate package
(propably to avoid the dependency on a mail transport agent).

Of course you can do "git format-patch" and then send the result with
a regular mail client - but we've found out (the hard way) that most
mail clients mistreat patches one way or the other - breaking long
lines, reformatting whitespace, ... - so the end result does not 
apply anymore. "git send-email" works around this.

If you do not succeed in this, one of us can take the patch from the
PR and send it to the list.

gert

Am 27.03.22 um 17:52 schrieb Michael Baentsch:
> Thanks again for your explanations: I finally figured out to correct my 
> git send-email configuration `smtpencryption` to be set to "ssl" 
> (instead of "tls": The latter caused a hang that I debugged for way too 
> long :-(. Maybe worth while adding to some FAQ for newbies? The guidance 
> at 
> https://github.com/git/git/blob/master/Documentation/git-send-email.txt 
> was clearly wrong.
> 
> Please let me know if that submission now arrived and meets your 
> requirements.

The commit message is still not great. Something I would have used instead:

Allow non-standard EC groups with OpenSSL3

OpenSSL3 no longer uses the NID to identify TLS groups, instead it uses
names. This allows also to use groups from external provider. It also 
recognises secp256r1 as the same group as prime256v1.



> 
> One further question: Is there interest on your side to add more/better 
> support for quantum-safe crypto to OpenVPN? 

Depends on what changes you are proposing. There is certainly some 
interest but depends on what exactly we are talking about.

> easyrsa isn't geared for 
> that right now (let alone suitably named :-), but openssl3 (with our 
> oqsprovider) can generate quantum-safe PKI (CA and client certs) without 
> problems.

Easyrsa has become also separate project. Development and maintainance 
of easyrsa have become quite slow in the last years.

> Quantum-safe key exchange works in OpenVPN just fine when the PR lands.
>

Am 28.03.22 um 13:52 schrieb Arne Schwabe:
> Am 27.03.22 um 17:52 schrieb Michael Baentsch:
>> Thanks again for your explanations: I finally figured out to correct 
>> my git send-email configuration `smtpencryption` to be set to "ssl" 
>> (instead of "tls": The latter caused a hang that I debugged for way 
>> too long :-(. Maybe worth while adding to some FAQ for newbies? The 
>> guidance at 
>> https://github.com/git/git/blob/master/Documentation/git-send-email.txt 
>> was clearly wrong.
>>
>> Please let me know if that submission now arrived and meets your 
>> requirements.
>
> The commit message is still not great. Something I would have used 
> instead:
Well....
>
> Allow non-standard EC groups with OpenSSL3
This statement just is not correct: This has not a lot to do with EC. 
What about "Enable setting any TLS1.3 group [provided by the underlying 
crypto libraries]. "?
>
> OpenSSL3 no longer uses the NID to identify TLS groups, instead it uses
> names. This allows also to use groups from external provider. It also 
> recognises secp256r1 as the same group as prime256v1.
This statement also is not quite right: OpenSSL3 still uses NIDs to 
identify some groups, notably those not implemented by a provider, i.e., 
legacy/"classic" crypto. I would agree with the statement that "OpenSSL3 
prefers the use of names over NIDs for the identification of TLS1.3 
groups, including EC groups." Lastly, the "it" in your statement above 
is unclear (at least to me as a non-native speaker): What about 
explicitly stating "OpenSSL3 also recognises secp256r1 as the same group 
as prime256v1"? This fact of course has nothing to do with this patch.
>
>
>
>>
>> One further question: Is there interest on your side to add 
>> more/better support for quantum-safe crypto to OpenVPN? 
>
> Depends on what changes you are proposing. There is certainly some 
> interest but depends on what exactly we are talking about.
I'll flesh that out. It mostly has to do with modifications to "easyrsa" 
- see below.
>
>> easyrsa isn't geared for that right now (let alone suitably named 
>> :-), but openssl3 (with our oqsprovider) can generate quantum-safe 
>> PKI (CA and client certs) without problems.
>
> Easyrsa has become also separate project. Development and maintainance 
> of easyrsa have become quite slow in the last years.
That statement is very helpful, thanks. It might then be sensible (for 
me) to start a script from scratch that does not have such strong 
dependency on legacy crypto. Will report back when I have something of 
interest.
>
>> Quantum-safe key exchange works in OpenVPN just fine when the PR lands.
>>
Thanks in advance for any guidance how to proceed with the PR now.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

EasyRSA development is back on-track.

Happy to help.

BR

------- Original Message -------

On Monday, March 28th, 2022 at 14:56, Michael Baentsch <info@baentsch.ch> wrote:

> Am 28.03.22 um 13:52 schrieb Arne Schwabe:

> >
> > Easyrsa has become also separate project. Development and maintainance
> >
> > of easyrsa have become quite slow in the last years.
>

-----BEGIN PGP SIGNATURE-----
Version: ProtonMail

wsBzBAEBCAAGBQJiQcETACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ2sGgf+ItPKF6rxjuLxtLJ8IeV8powsxVVmRCJ07c5OgyT98r8zDYsv
NzaQ//cQou736YsA5lPhSfAFvqxLcAAsjyUsqJ24uSOyR49IND7pOe1p06Ea
Jp31EQSCqZU0RkvGkgxGL//j+dg2dq7PLKYpy9axwPBeWb+GWjWZlso6QSrZ
Br73r6qz+nDdQ6JHdt1ZiAti2gewvxkamR+4H51dMjqzrJ81xUbZIjRi6ALX
niJ4hQf0yKtgeZBf3GCLRNtoNB56x5liJIBwrpUA4NTbFaEEiK+kDy/0Rgh2
omuOKZnBgtZR/K/jTh/VTCh8Rn1owKULTTMxnvGdB7oPCMmGN5QgdA==
=N9Ct
-----END PGP SIGNATURE-----

>> Allow non-standard EC groups with OpenSSL3
> This statement just is not correct: This has not a lot to do with EC. 
> What about "Enable setting any TLS1.3 group [provided by the underlying 
> crypto libraries]. "?

A bit long for a commit subject. Maybe just:

Enable usage of TLS groups not identified by a NID in OpenSSL 3


>> OpenSSL3 no longer uses the NID to identify TLS groups, instead it uses
>> names. This allows also to use groups from external provider. It also 
>> recognises secp256r1 as the same group as prime256v1.
> This statement also is not quite right: OpenSSL3 still uses NIDs to 
> identify some groups, notably those not implemented by a provider, i.e., 
> legacy/"classic" crypto. I would agree with the statement that "OpenSSL3 
> prefers the use of names over NIDs for the identification of TLS1.3 
> groups, including EC groups." Lastly, the "it" in your statement above 
> is unclear (at least to me as a non-native speaker): What about 
> explicitly stating "OpenSSL3 also recognises secp256r1 as the same group 
> as prime256v1"? This fact of course has nothing to do with this patch.

This fact has to do with the patch since you no longer doing that dance 
with that curve for the new code that affects OpenSSL 3, so pointing 
that out in the commit message helps to understand the code change.

Maybe like this:

OpenSSL3 prefers to specify groups (including EC groups) with names 
instead of NID to allow also groups provided by providers.
This commits also remove the mapping of secp256r1 to prime256v1 for the 
OpenSSL3 code path as OpenSSL 3.0 recognises secp256r1.

Arne