[Openvpn-devel,v3,05/21,OSSL,3.0] Use EVP_PKEY based API for loading DH keys

Message ID 20211019183127.614175-6-arne@rfc2549.org
State Accepted
Headers show
Series
  • OpenSSL 3.0 improvements for OpenVPN
Related show

Commit Message

Arne Schwabe Oct. 19, 2021, 6:31 p.m.
OpenSSL 3.0 replaces the DH API with a generic EVP_KEY based API to
load DH parameters.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/ssl_openssl.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

Comments

Maximilian Fillinger Oct. 21, 2021, 9:45 a.m. | #1
On 19/10/2021 20:31, Arne Schwabe wrote:
> OpenSSL 3.0 replaces the DH API with a generic EVP_KEY based API to
> load DH parameters.
> 
> Signed-off-by: Arne Schwabe <arne@rfc2549.org>

Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>

Looked at the patch, compiled with OpenSSL 3.1.0, tested that I can get 
a server and client to talk to each other on localhost.
Gert Doering Oct. 21, 2021, 1:59 p.m. | #2
Have no OpenSSL 3.0 based test environment yet - so, trusting MaxF's
tests here.  Just did compile + client test on 1.1.1

Your patch has been applied to the master branch.

commit 658c72e6e651437943f46a975751109759abd858
Author: Arne Schwabe
Date:   Tue Oct 19 20:31:11 2021 +0200

     Use EVP_PKEY based API for loading DH keys

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
     Message-Id: <20211019183127.614175-6-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23015.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering
Steffan Karger Oct. 21, 2021, 7:26 p.m. | #3
Hi,

Just a nit:

On 19-10-2021 20:31, Arne Schwabe wrote:
> +    if (!SSL_CTX_set0_tmp_dh_pkey(ctx->ctx, dh))
> +    {
> +        crypto_msg(M_FATAL, "SSL_CTX_set_tmp_dh");
> +    }

This error message looks incorrect and incomplete.

-Steffan

Patch

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 9a7cb9c64..a44d4f85c 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -649,7 +649,6 @@  void
 tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
                        bool dh_file_inline)
 {
-    DH *dh;
     BIO *bio;
 
     ASSERT(NULL != ctx);
@@ -670,7 +669,26 @@  tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
         }
     }
 
-    dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+    EVP_PKEY *dh = PEM_read_bio_Parameters(bio, NULL);
+    BIO_free(bio);
+
+    if (!dh)
+    {
+        crypto_msg(M_FATAL, "Cannot load DH parameters from %s",
+                   print_key_filename(dh_file, dh_file_inline));
+    }
+    if (!SSL_CTX_set0_tmp_dh_pkey(ctx->ctx, dh))
+    {
+        crypto_msg(M_FATAL, "SSL_CTX_set_tmp_dh");
+    }
+
+    msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key",
+        8 * EVP_PKEY_get_size(dh));
+
+    EVP_PKEY_free(dh);
+#else
+    DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
     BIO_free(bio);
 
     if (!dh)
@@ -687,6 +705,7 @@  tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
         8 * DH_size(dh));
 
     DH_free(dh);
+#endif
 }
 
 void