From patchwork Sun Nov 26 03:15:54 2017
X-Patchwork-Submitter: Steffan Karger
X-Patchwork-Id: 97
From: Steffan Karger
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 26 Nov 2017 15:15:54 +0100
Message-Id: <20171126141555.25930-2-steffan@karger.me>
In-Reply-To: <20171126141555.25930-1-steffan@karger.me>
References: <20171126141555.25930-1-steffan@karger.me>
Subject: [Openvpn-devel] [PATCH 2/3] Add support for TLS 1.3 in --tls-version-{min, max}

Tested with the current openssl master branch for TLS 1.3 support. mbed TLS has no public builds with TLS 1.3 support yet, so nothing to do there right now.

Signed-off-by: Steffan Karger
Acked-by: Gert Doering
---
 src/openvpn/ssl.c | 4 ++++
 src/openvpn/ssl_backend.h | 1 +
 src/openvpn/ssl_openssl.c | 10 +++++++++-
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 843bc393..d61688c5 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -530,6 +530,10 @@ tls_version_parse(const char *vstr, const char *extra) { return TLS_VER_1_2; } + else if (!strcmp(vstr, "1.3") && TLS_VER_1_3 <= max_version) + { + return TLS_VER_1_3; + } else if (extra && !strcmp(extra, "or-highest")) { return max_version; diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h index f588110c..7f6057e6 100644
--- a/src/openvpn/ssl_backend.h +++ b/src/openvpn/ssl_backend.h @@ -114,6 +114,7 @@ void tls_clear_error(void); #define TLS_VER_1_0 1 #define TLS_VER_1_1 2 #define TLS_VER_1_2 3 +#define TLS_VER_1_3 4 int tls_version_parse(const char *vstr, const char *extra); /** diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index b645b469..18c0ba5f 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -206,7 +206,9 @@ info_callback(INFO_CALLBACK_SSL_CONST SSL *s, int where, int ret) int tls_version_max(void) { -#if defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2) +#if defined(TLS1_3_VERSION) + return TLS_VER_1_3; +#elif defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2) return TLS_VER_1_2; #elif defined(TLS1_1_VERSION) || defined(SSL_OP_NO_TLSv1_1) return TLS_VER_1_1; @@ -231,6 +233,12 @@ openssl_tls_version(int ver) { return TLS1_2_VERSION; } +#if defined(TLS1_3_VERSION) + else if (ver == TLS_VER_1_3) + { + return TLS1_3_VERSION; + } +#endif return 0; }
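Review bot: the option documentation is not updated by the ssl.c hunk or anywhere else in this patch: the diffstat lists only ssl.c, ssl_backend.h and ssl_openssl.c, so the help text and manpage for --tls-version-min and --tls-version-max will still not list "1.3" as an accepted value even though tls_version_parse() now accepts it. The new branch itself follows the existing pattern: `else if (!strcmp(vstr, "1.3") && TLS_VER_1_3 <= max_version)` is gated on the backend's reported maximum, so a "1.3" request against a backend whose tls_version_max() returns TLS_VER_1_2 falls through to the remaining branches rather than being accepted.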
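Review bot: `#define TLS_VER_1_3 4` in ssl_backend.h is fine as is, but tls_version_parse() relies on the TLS_VER_* values being in protocol order (`TLS_VER_1_3 <= max_version`), and nothing in this hunk says so; a one-line comment above the defines stating that they must stay monotonically ordered by protocol version would save the next person adding a value from breaking the comparison.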
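Review bot: in the tls_version_max() hunk, `#if defined(TLS1_3_VERSION)` is a headers-only check. In the OpenSSL 1.1.1 headers TLS1_3_VERSION is defined in tls1.h regardless of whether the library was configured with no-tls1_3; that configuration sets OPENSSL_NO_TLS1_3 instead. Against such a build tls_version_max() would report TLS_VER_1_3, "1.3" would pass tls_version_parse(), and a --tls-version-min 1.3 configuration could never be satisfied at handshake time. Suggest `#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)` here.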
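Review bot: the `#if defined(TLS1_3_VERSION)` guard in the openssl_tls_version() hunk must stay identical to the condition used in tls_version_max(); if the two ever differ, tls_version_max() can return TLS_VER_1_3 while openssl_tls_version(TLS_VER_1_3) falls through to `return 0;`. Any extra term added to one condition (for example an OPENSSL_NO_TLS1_3 check) has to be mirrored in the other, so a single "this OpenSSL has TLS 1.3" macro defined once near the top of ssl_openssl.c and used in both places would keep them from drifting.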