From patchwork Tue Oct 19 07:31:06 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2029
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:06 +0200
Message-Id: <20211019183127.614175-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 00/21] OpenSSL 3.0 improvements for OpenVPN

This patchset removes almost all deprecation warnings from OpenVPN that
relate to OpenSSL 3.0. The patchset has already been tested with users and
OpenSSL 3.0 as part of my OpenVPN for Android client.

Some patches also improve interaction with new features of OpenSSL 3.0,
mainly with providers. The patchset does not address using a provider to
replace the RSA_method/EC_method. This is a separate patchset currently
prepared by Selva.

Arne Schwabe (21):
  [OSSL 3.0] Use new EVP_MAC API for HMAC implementation
  [OSSL 3.0] Add --with-openssl-engine autoconf option (auto|yes|no)
  [OSSL 3.0] Implement DES ECB encrypt via EVP_CIPHER api
  [OSSL 3.0] Remove DES check with OpenSSL 3.0
  [OSSL 3.0] Use EVP_PKEY based API for loading DH keys
  [OSSL 3.0] Deprecate --ecdh-curve with OpenSSL 3.0 and adjust mbed TLS message
  [OSSL 3.0] Remove DES key fixup code
  [OSSL 3.0] Use EVP_PKEY_get_group_name to query group name
  Refactor early initialisation and uninitialisation into methods
  [OSSL 3.0] Replace EVP_get_cipherbyname with EVP_CIPHER_fetch
  [OSSL 3.0] Use EVP_MD_get0_name instead of EVP_MD_name
  [OSSL 3.0] Allow loading of non default providers
  [OSSL 3.0] Remove dependency on BF-CBC existence from test_ncp
  [OSSL 3.0] Use TYPE_do_all_provided function for listing cipher/digest
  [OSSL 3.0] Do not allow CTS ciphers
  Add message when decoding PKCS12 file fails.
  Add small unit test for testing HMAC
  Fix error when BF-CBC is not available
  Add insecure tls-cert-profile options
  Add macos OpenSSL 3.0 and ASAN builds
  Always use 8192 bytes for ERR_BUF_SIZE

 .github/workflows/build.yaml           |  28 ++-
 configure.ac                           |  68 ++++--
 doc/man-sections/generic-options.rst   |  10 +
 doc/man-sections/tls-options.rst       |   6 +
 src/openvpn/crypto.c                   |  46 ----
 src/openvpn/crypto.h                   |   2 -
 src/openvpn/crypto_backend.h           |  18 +-
 src/openvpn/crypto_mbedtls.c           |  34 +--
 src/openvpn/crypto_openssl.c           | 288 +++++++++++++++++++------
 src/openvpn/crypto_openssl.h           |   8 +
 src/openvpn/error.h                    |   6 +-
 src/openvpn/ntlm.c                     |   1 -
 src/openvpn/openssl_compat.h           |  61 ++++++
 src/openvpn/openvpn.c                  |  27 ++-
 src/openvpn/options.c                  |   7 +
 src/openvpn/options.h                  |   1 +
 src/openvpn/ssl.c                      |  18 --
 src/openvpn/ssl_mbedtls.c              |   8 +-
 src/openvpn/ssl_openssl.c              |  57 +++--
 tests/unit_tests/openvpn/test_crypto.c |  61 +++++-
 tests/unit_tests/openvpn/test_ncp.c    |  13 +-
 21 files changed, 541 insertions(+), 227 deletions(-)