From patchwork Sun Mar 27 02:16:39 2022
X-Patchwork-Submitter: Michael Baentsch
X-Patchwork-Id: 2352
From: Michael Baentsch
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 27 Mar 2022 15:16:39 +0200
Message-Id: <20220327131639.29686-1-info@baentsch.ch>
Subject: [Openvpn-devel] [PATCH] correct tls-groups for OpenSSL3
Cc: Michael <57787676+baentsch@users.noreply.github.com>

From: Michael <57787676+baentsch@users.noreply.github.com> --- src/openvpn/ssl_openssl.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index b8595174..af97dabc 100644
--- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -572,13 +572,15 @@ void tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups) { ASSERT(ctx); +#if OPENSSL_VERSION_NUMBER < 0x30000000L struct gc_arena gc = gc_new(); /* This method could be as easy as * SSL_CTX_set1_groups_list(ctx->ctx, groups) - * but OpenSSL does not like the name secp256r1 for prime256v1 + * but OpenSSL (< 3.0) does not like the name secp256r1 for prime256v1 * This is one of the important curves. * To support the same name for OpenSSL and mbedTLS, we do * this dance. + * Also note that the code is wrong in the presence of OpenSSL3 providers. */ int groups_count = get_num_elements(groups, ':'); @@ -617,6 +619,13 @@ tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups) groups); } gc_free(&gc); +#else + if (!SSL_CTX_set1_groups_list(ctx->ctx, groups)) + { + crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s", + groups); + } +#endif } void
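Review bot: the added comment line "Also note that the code is wrong in the presence of OpenSSL3 providers." in the first hunk (@@ -572,13 +572,15 @@) is placed inside the new `#if OPENSSL_VERSION_NUMBER < 0x30000000L` block, i.e. next to code that is never compiled against OpenSSL 3, so a reader of the pre-3.0 path cannot tell what "the code" refers to or why providers matter; move that explanation into the commit message, which is currently empty (the body goes straight from the From: line to the diffstat), or into a comment above the `#if`, and say which part of the secp256r1/prime256v1 name-translation dance fails once groups come from providers.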
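Review bot: the `#else` branch in the second hunk (@@ -617,6 +619,13 @@) passes `groups` straight to `SSL_CTX_set1_groups_list(ctx->ctx, groups)` and so drops the secp256r1 handling that the first hunk's comment says exists "to support the same name for OpenSSL and mbedTLS"; the patch therefore relies on OpenSSL >= 3.0 accepting "secp256r1" directly, which the reworded comment ("OpenSSL (< 3.0) does not like the name") only implies. State that explicitly in the commit message and note that behaviour for `--tls-groups secp256r1` is now meant to be identical on both OpenSSL major versions, so reviewers and testers know that is the property to check; the `crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s", groups);` on failure matches the existing error text in the context above, which is good.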