From patchwork Mon Oct 18 16:41:18 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 1988
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 18 Oct 2021 23:41:18 -0400
Message-Id: <20211019034118.28987-3-selva.nair@gmail.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20211019034118.28987-1-selva.nair@gmail.com>
References: <20211019034118.28987-1-selva.nair@gmail.com>
Subject: [Openvpn-devel] [PATCH 3/3] Require EC key support in Windows builds

From: Selva Nair

Do not support the use of OPENSSL_NO_EC on Windows. We build Windows
releases with EC key support enabled in OpenSSL and there is no reason
to disable it in OpenVPN.

TODO: If there are no platforms of interest where EC support cannot
be enabled in OpenSSL, we should make !defined(OPENSSL_NO_EC) a general
requirement.

Signed-off-by: Selva Nair
Acked-by: Gert Doering
---
 src/openvpn/crypto_openssl.c | 4 ++++
 src/openvpn/cryptoapi.c      | 6 ------
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 419265a5..60fbec12 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -55,6 +55,10 @@ #include #endif +#if defined(_WIN32) && defined(OPENSSL_NO_EC) +#error Windows build with OPENSSL_NO_EC: disabling EC key is not supported. +#endif + /* * Check for key size creepage. */ diff --git a/src/openvpn/cryptoapi.c b/src/openvpn/cryptoapi.c index c97dbfbf..7fe3c57c 100644 --- a/src/openvpn/cryptoapi.c +++ b/src/openvpn/cryptoapi.c @@ -236,8 +236,6 @@ rsa_finish(RSA *rsa) return 1; } -#if !defined(OPENSSL_NO_EC) - static EC_KEY_METHOD *ec_method = NULL; /** EC_KEY_METHOD callback: called when the key is freed */ @@ -423,8 +421,6 @@ err: return 0; } -#endif /* !defined(OPENSSL_NO_EC) */ - static const CERT_CONTEXT * find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store) { @@ -853,7 +849,6 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) goto err; } } -#if !defined(OPENSSL_NO_EC) else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) { if (!ssl_ctx_set_eckey(ssl_ctx, cd, pkey)) @@ -861,7 +856,6 @@ SSL_CTX_use_CryptoAPI_certificate(SSL_CTX *ssl_ctx, const char *cert_prop) goto err; } } -#endif /* !defined(OPENSSL_NO_EC) */ else { msg(M_WARN|M_INFO, "WARNING: cryptoapicert: key type <%d> not supported",
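
Review bot: In the crypto_openssl.c hunk (@@ -55,6 +55,10 @@), the new "#if defined(_WIN32) && defined(OPENSSL_NO_EC)" block carries no comment saying which code depends on it, so a later cleanup could drop it as an unrelated check. A one-line comment naming the unconditional EC code in cryptoapi.c as the reason would keep the two files tied together. The message text "disabling EC key is not supported" also reads more clearly as a requirement, for example "EC key support in OpenSSL is required on Windows". Since the commit message's TODO proposes making this a general requirement, noting that next to the "_WIN32" condition would show where to relax it later.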
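
Review bot: In the first cryptoapi.c hunk (@@ -236,8 +236,6 @@), removing "#if !defined(OPENSSL_NO_EC)" ahead of "static EC_KEY_METHOD *ec_method = NULL;" leaves this file relying on a compile-time check that lives only in crypto_openssl.c. A build with OPENSSL_NO_EC that reaches cryptoapi.c first can fail in the EC code here instead of on the new "#error" text, which defeats the purpose of the explicit message. Consider repeating the check at the top of cryptoapi.c, or moving it to a header that both files include, so the diagnostic does not depend on compile order. The same applies to the now unguarded "else if (EVP_PKEY_id(pkey) == EVP_PKEY_EC)" branch in SSL_CTX_use_CryptoAPI_certificate.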