From patchwork Sun Aug 18 01:18:11 2019
X-Patchwork-Submitter: Matthias Andree
X-Patchwork-Id: 816
From: Matthias Andree
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 18 Aug 2019 13:18:11 +0200
Message-Id: <20190818111811.8853-2-matthias.andree@gmx.de>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190818111811.8853-1-matthias.andree@gmx.de>
References: <20190818111811.8853-1-matthias.andree@gmx.de>
MIME-Version: 1.0
Subject: [Openvpn-devel] [PATCH] Fix regression, reinstate LibreSSL support.
Cc: pizzamig@freebsd.org

OpenVPN 2.4.6 could be compiled with LibreSSL, 2.4.7 cannot. This was broken since 9de7fe0a "Add support for tls-ciphersuites for TLS 1.3". This patch avoids using TLS 1.3 directly, be it that OpenSSL was compiled without TLS 1.3 support, or LibreSSL was used.

This patch was based on an OpenBSD patch by Jeremie Courreges-Anglas, see https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/net/openvpn/patches/patch-src_openvpn_ssl_openssl_c but was revised to be more obvious and check actual feature macros, and not rely on current LibreSSL implementation details alone.

Franco Fichtner reports that OPNsense has been a long-time user of LibreSSL without reported breakage, see also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238382#c10

Signed-off-by: Matthias Andree
Acked-By: Arne Schwabe
---
 src/openvpn/ssl_openssl.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

-- 
2.21.0
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index a78dae99..293bb192 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -206,7 +206,7 @@ info_callback(INFO_CALLBACK_SSL_CONST SSL *s, int where, int ret) int tls_version_max(void) { -#if defined(TLS1_3_VERSION) +#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3) return TLS_VER_1_3; #elif defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2) return TLS_VER_1_2; @@ -233,7 +233,7 @@ openssl_tls_version(int ver) { return TLS1_2_VERSION; } -#if defined(TLS1_3_VERSION) +#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3) else if (ver == TLS_VER_1_3) { return TLS1_3_VERSION; @@ -459,8 +459,8 @@ tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers) return; } -#if (OPENSSL_VERSION_NUMBER < 0x1010100fL) - crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. " +#if (OPENSSL_VERSION_NUMBER < 0x1010100fL) || !defined(TLS1_3_VERSION) || defined(OPENSSL_NO_TLS1_3) + crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher, or without TLS 1.3 support. " "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.", ciphers); #else @@ -1846,7 +1846,7 @@ show_available_tls_ciphers_list(const char *cipher_list, crypto_msg(M_FATAL, "Cannot create SSL_CTX object"); } -#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL) +#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL) && defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3) if (tls13) { SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION);
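Review bot: In the tls_version_max() hunk (@@ -206,7), the feature test `defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)` is the right thing to key on, but the same condition is now spelled out by hand in all four hunks of this file, so a later fix to one of them can easily miss the others. Suggest defining it once near the top of ssl_openssl.c, for example a hypothetical `HAVE_TLS1_3` style macro whose name is not in this patch, and using that in every `#if`, so that the ordering "TLS 1.3 > TLS 1.2" in tls_version_max() and the branches in openssl_tls_version() cannot drift apart.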
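Review bot: In the openssl_tls_version() hunk (@@ -233,7), the `else if (ver == TLS_VER_1_3)` branch is now compiled out whenever TLS1_3_VERSION is missing or OPENSSL_NO_TLS1_3 is set, and the visible context does not show what the function returns in that case for a caller that still passes TLS_VER_1_3. Please confirm that the trailing fallback of this function returns a value the callers treat as "unsupported" rather than a stale TLS 1.2 constant, since tls_version_max() in the first hunk is guarded by the same condition and should keep such a request from being generated in the first place; a short comment on the `#endif` side saying so would make the pairing explicit.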
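Review bot: In the tls_ctx_restrict_ciphers_tls13() hunk (@@ -459,8), the new warning text "Not compiled with OpenSSL 1.1.1 or higher, or without TLS 1.3 support." reads as a double negative; suggest "Not compiled with OpenSSL 1.1.1 or higher, or compiled without TLS 1.3 support." The `#if` condition itself is the exact negation of the one used in the show_available_tls_ciphers_list() hunk, which is good; keeping the two in step (or deriving both from one macro) matters here because this branch is where a configured `tls-ciphersuites` value is dropped with only M_WARN, so a mismatch would make the option silently inert on one build and active on another.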
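Review bot: In the show_available_tls_ciphers_list() hunk (@@ -1846,7), the `if (tls13)` block that pins the context to TLS1_3_VERSION is now compiled out on builds without TLS 1.3, but the `#else` side is outside the visible context, so it is not clear what the function does when `tls13` is true on such a build. Suggest that the `#else` path emit the same M_WARN wording as tls_ctx_restrict_ciphers_tls13() (or an M_FATAL, if listing TLS 1.3 suites is meaningless there) rather than falling through and printing a cipher list that does not correspond to the requested protocol version.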