From patchwork Thu Mar 24 02:40:03 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Michael Baentsch X-Patchwork-Id: 2351 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director7.mail.ord1d.rsapps.net ([172.27.255.1]) by backend41.mail.ord1d.rsapps.net with LMTP id gNT3JqN5PGLTHAAAqwncew (envelope-from ) for ; Thu, 24 Mar 2022 10:01:07 -0400 Received: from proxy3.mail.iad3a.rsapps.net ([172.27.255.1]) by director7.mail.ord1d.rsapps.net with LMTP id aN45B6R5PGJkfQAAovjBpQ (envelope-from ) for ; Thu, 24 Mar 2022 10:01:08 -0400 Received: from smtp12.gate.iad3a ([172.27.255.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy3.mail.iad3a.rsapps.net with LMTPS id UMn5AKR5PGLWYwAAYaqY3Q (envelope-from ) for ; Thu, 24 Mar 2022 10:01:08 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp12.gate.iad3a.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=fail (p=none; dis=none) header.from=baentsch.ch X-Suspicious-Flag: YES X-Classification-ID: d8e02eae-ab7a-11ec-9f0d-525400068c1c-1-1 Received: from [216.105.38.7] ([216.105.38.7:50478] helo=lists.sourceforge.net) by smtp12.gate.iad3a.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 81/C4-13361-2A97C326; Thu, 24 Mar 2022 10:01:06 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1nXO00-0002YM-IC; Thu, 24 Mar 2022 13:59:35 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1nXNzz-0002YG-B1 for openvpn-devel@lists.sourceforge.net; Thu, 24 Mar 2022 13:59:34 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Subject:From:To:MIME-Version:Date:Message-ID: Content-Type:Sender:Reply-To:Cc:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=og14E6J1cDJoAysvBE768JWai+nK8ntL36pG4VZeWyo=; b=PrSUeDluV8oI2LwCGI7dx9dSHz hj5ly/SV4/N8yO+EaR/rrdX1Ws+DCjk5FW/IgWDVELt9oqrgZECBvdON/rrIQbxaR5JVbKsJW+5Zj myuipfZDcAK0OhdHG3A8vj7XecRUA9x73gxN6VuJwp9V9ybgwQSsUUQKnP8+7P4BUNTI=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Subject:From:To:MIME-Version:Date:Message-ID:Content-Type:Sender:Reply-To :Cc:Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=og14E6J1cDJoAysvBE768JWai+nK8ntL36pG4VZeWyo=; b=h a90DI7MIRWNzyGOfAcOgdxdU3avfs0yc2tE1D9qoxJ11hcr/rgFGlI1HHzBfHlsUV+3skBRVZrm3M rD67l3PSEF4O9VKMgFnGGaHTNcNYwXjBVdYYiphRbUj7NkFdZdHEo97yfJJxUkJM08M4m1Lc5NOp0 OxVRTMeApQZJtSX8=; Received: from www14.servertown.ch ([94.231.94.132]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.94.2) id 1nXNzw-0001DL-7j for openvpn-devel@lists.sourceforge.net; Thu, 24 Mar 2022 13:59:33 +0000 Received: from [IPV6:2a01:2ac:51dd:d483:346f:6513:950f:7b44] (unknown [IPv6:2a01:2ac:51dd:d483:346f:6513:950f:7b44]) by www14.servertown.ch (Postfix) with ESMTPSA id 41492162907C for ; Thu, 24 Mar 2022 14:40:04 +0100 (CET) Received-SPF: pass (www14.servertown.ch: connection is authenticated) Message-ID: <400a4652-39d6-ec8d-6f58-824f552e0440@baentsch.ch> Date: Thu, 24 Mar 2022 14:40:03 +0100 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.5.0 To: openvpn-devel@lists.sourceforge.net Content-Language: en-US From: Michael Baentsch X-PPP-Message-ID: <164812920470.34407.11673310458654188010@www14.servertown.ch> X-PPP-Vhost: baentsch.ch X-Spam-Report: =?unknown-8bit?q?Spam_detection_software=2C_running_on_the_sy?= =?unknown-8bit?q?stem_=22util-spamd-2=2Ev13=2Elw=2Esourceforge=2Ecom=22=2C?= =?unknown-8bit?q?_has_NOT_identified_this_incoming_email_as_spam=2E__The_ori?= =?unknown-8bit?q?ginal?= =?unknown-8bit?q?_message_has_been_attached_to_this_so_you_can_view_it_or_la?= =?unknown-8bit?q?bel?= =?unknown-8bit?q?_similar_future_email=2E__If_you_have_any_questions=2C_see?= =?unknown-8bit?q?_the_administrator_of_that_system_for_details=2E?= =?unknown-8bit?q?_?= =?unknown-8bit?q?_Content_preview=3A__Hello=2C_=C2=A0=C2=A0_as_per_https=3A/?= =?unknown-8bit?q?/community=2Eopenvpn=2Enet/openvpn/ticket/1460?= =?unknown-8bit?q?_the_current_openvpn_master_fails_when_activating_a_TLS1=2E?= =?unknown-8bit?q?3_group_implemented?= =?unknown-8bit?q?_in_an_external_provider=2E_The_patch_attached_fixes_this_a?= =?unknown-8bit?q?nd_enables_successful?= =?unknown-8bit?q?_OpenSSL_key_establishment_using_any_of_the_quantum-safe_an?= =?unknown-8bit?q?d_hybrid_=28classic/QSC=29?= =?unknown-8bit?q?_algorithms_supported_by_https=3A//github=2Ecom/open-quantu?= =?unknown-8bit?q?m-safe/oqs-p_=5B=2E=2E=2E=5D_?= =?unknown-8bit?q?_?= =?unknown-8bit?q?_Content_analysis_details=3A___=28-0=2E0_points=2C_6=2E0_re?= =?unknown-8bit?q?quired=29?= =?unknown-8bit?q?_?= =?unknown-8bit?q?_pts_rule_name______________description?= =?unknown-8bit?q?_----_----------------------_------------------------------?= =?unknown-8bit?q?--------------------?= =?unknown-8bit?q?_0=2E0_SPF=5FHELO=5FNONE__________SPF=3A_HELO_does_not_publ?= =?unknown-8bit?q?ish_an_SPF_Record?= =?unknown-8bit?q?_0=2E0_SPF=5FNONE_______________SPF=3A_sender_does_not_publ?= =?unknown-8bit?q?ish_an_SPF_Record?= =?unknown-8bit?q?_-0=2E0_T=5FSCC=5FBODY=5FTEXT=5FLINE___No_description_avail?= =?unknown-8bit?q?able=2E?= X-Headers-End: 1nXNzw-0001DL-7j Subject: [Openvpn-devel] [PATCH] Enablement of quantum-safe key establishment X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Hello,    as per https://community.openvpn.net/openvpn/ticket/1460 the current openvpn master fails when activating a TLS1.3 group implemented in an external provider. The patch attached fixes this and enables successful OpenSSL key establishment using any of the quantum-safe and hybrid (classic/QSC) algorithms supported by https://github.com/open-quantum-safe/oqs-provider Regards, --Michael index b8595174..73ab4b6a 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -572,7 +572,9 @@ void tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups) { ASSERT(ctx); - struct gc_arena gc = gc_new(); + char *f = strstr(groups, "secp256r1"); + int rc; + /* This method could be as easy as * SSL_CTX_set1_groups_list(ctx->ctx, groups) * but OpenSSL does not like the name secp256r1 for prime256v1 @@ -580,43 +582,26 @@ tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups) * To support the same name for OpenSSL and mbedTLS, we do * this dance. */ - - int groups_count = get_num_elements(groups, ':'); - - int *glist; - /* Allocate an array for them */ - ALLOC_ARRAY_CLEAR_GC(glist, int, groups_count, &gc); - - /* Parse allowed ciphers, getting IDs */ - int glistlen = 0; - char *tmp_groups = string_alloc(groups, &gc); - - const char *token; - while ((token = strsep(&tmp_groups, ":"))) - { - if (streq(token, "secp256r1")) - { - token = "prime256v1"; - } - int nid = OBJ_sn2nid(token); - - if (nid == 0) - { - msg(M_WARN, "Warning unknown curve/group specified: %s", token); - } - else - { - glist[glistlen] = nid; - glistlen++; - } + if (f) { + char *new_groups_list = malloc(strlen(groups)+2); + char * idx = new_groups_list; + memcpy(idx, groups, (f-groups)); + idx += (f-groups); + memcpy(idx, "prime256v1", strlen("prime256v1")); + idx += strlen("prime256v1"); + memcpy(idx, f+strlen("secp256r1"), strlen(groups)-(f-groups)-strlen("secp256r1")); + new_groups_list[strlen(groups)+1] = '\0'; + + rc = SSL_CTX_set1_groups_list(ctx->ctx, new_groups_list); + free(new_groups_list); } + else + rc = SSL_CTX_set1_groups_list(ctx->ctx, groups); - if (!SSL_CTX_set1_groups(ctx->ctx, glist, glistlen)) - { + if (!rc) { crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s", groups); } - gc_free(&gc); } void