From patchwork Thu May 12 02:14:22 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2448
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 12 May 2022 14:14:22 +0200
Message-Id: <20220512121429.2096164-1-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
Subject: [Openvpn-devel] [PATCH 0/7] Improve OpenSSL 3.0 support in OpenVPN 2.5

We already see distros shipping 2.5 with OpenSSL 3.0 and while it builds and works, there are a number of problems. This patch addresses most of them while not backporting the full refactoring that also allows using ciphers and digests from providers that were not present in OpenSSL itself. Also the patches that allow a build and make check to succeed with OpenSSL 3.0 have been backported.
Most of the commits are cherry-picked from master with small changes where needed. The exception is the

From Changes.rst:

Limited OpenSSL 3.0 support
    OpenSSL 3.0 support has been added. OpenSSL 3.0 support in 2.5 relies on the compatibility layer and full OpenSSL 3.0 support is coming with OpenVPN 2.6. Only features that impact usage directly have been backported:

    ``--tls-cert-profile insecure`` has been added to allow selecting the lowest OpenSSL security level (not recommended, use only if you must).

    OpenSSL 3.0 no longer supports the Blowfish (and other deprecated) algorithm by default and the new option ``--providers`` allows loading the legacy provider to re-enable these algorithms.

    The OpenSSL engine feature ``--engine`` is not enabled by default anymore if OpenSSL 3.0 is detected.

Arne Schwabe (7):
  Refactor early initialisation and uninitialisation into methods
  Allow loading of non default providers
  Add ubuntu 22.04 to Github Actions
  Add macos OpenSSL 3.0 and ASAN builds
  Add --with-openssl-engine autoconf option (auto|yes|no)
  Fix allowing/showing unsupported ciphers and digests
  Remove dependency on BF-CBC existance from test_ncp

 .github/workflows/build.yaml         | 34 ++++++++++--
 Changes.rst                          | 17 ++++++
 configure.ac                         | 60 ++++++++++++++++-----
 doc/man-sections/generic-options.rst | 12 +++++
 src/openvpn/crypto_backend.h         | 15 ++++++
 src/openvpn/crypto_mbedtls.c         | 13 +++++
 src/openvpn/crypto_mbedtls.h         |  3 ++
 src/openvpn/crypto_openssl.c         | 81 ++++++++++++++++++++++++++--
 src/openvpn/crypto_openssl.h         | 11 ++++
 src/openvpn/openvpn.c                | 36 +++++++++++--
 src/openvpn/options.c                |  8 +++
 src/openvpn/options.h                |  9 ++++
 tests/unit_tests/openvpn/test_ncp.c  | 10 +++-
 13 files changed, 282 insertions(+), 27 deletions(-)
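As an added illustration (not part of this patch series or of OpenVPN itself), a POSIX shell script that audits an OpenVPN 2.5 configuration for the three behaviours the cover letter says change under OpenSSL 3.0: ciphers that only load via ``providers legacy default``, the ``engine`` option, and ``tls-cert-profile insecure``. The option names are the real OpenVPN ones; the list of cipher names in LEGACY_CIPHERS is an assumption made for illustration (BF-CBC is the one the cover letter names).

```shell
# Added example, not part of the OpenVPN 2.5 patch series: audit an OpenVPN
# config for the settings the cover letter says behave differently under
# OpenSSL 3.0. The cipher names in LEGACY_CIPHERS are an assumption made for
# illustration (BF-CBC is the one the cover letter names explicitly).
LEGACY_CIPHERS='BF-CBC DES-CBC DES-EDE3-CBC CAST5-CBC RC2-CBC'

# Return 0 when $1 (any case) is one of the ciphers that need the legacy provider.
is_legacy_cipher() {
    c=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    for l in $LEGACY_CIPHERS; do
        [ "$c" = "$l" ] && return 0
    done
    return 1
}

# Print one line per finding for the config file $1.
# Return 0 when nothing blocks a move to OpenSSL 3.0, 1 otherwise.
audit_ovpn_config() {
    file=$1
    rc=0
    has_legacy=0
    if grep -Eq '^[[:space:]]*providers[[:space:]]+([^#]*[[:space:]])?legacy([[:space:]]|$)' "$file"; then
        has_legacy=1
    fi
    # Every cipher named by --cipher, --data-ciphers(-fallback) or --ncp-ciphers,
    # with inline comments stripped and colon-separated lists split up.
    ciphers=$(sed -E 's/[#;].*//' "$file" \
        | sed -nE 's/^[[:space:]]*(cipher|data-ciphers|data-ciphers-fallback|ncp-ciphers)[[:space:]]+//p' \
        | tr ':' '\n')
    for c in $ciphers; do
        if is_legacy_cipher "$c"; then
            if [ "$has_legacy" -eq 1 ]; then
                echo "WARN: $c only works because 'providers legacy default' loads the legacy provider; prefer AES-GCM"
            else
                echo "FAIL: $c is unavailable with OpenSSL 3.0 unless 'providers legacy default' is set"
                rc=1
            fi
        fi
    done
    if grep -Eq '^[[:space:]]*engine([[:space:]]|$)' "$file"; then
        echo "WARN: 'engine' is no longer enabled by default in builds against OpenSSL 3.0 (see --with-openssl-engine)"
    fi
    if grep -Eq '^[[:space:]]*tls-cert-profile[[:space:]]+insecure' "$file"; then
        echo "WARN: 'tls-cert-profile insecure' selects the lowest OpenSSL security level"
    fi
    return "$rc"
}

# Usage: sh audit.sh client.ovpn
if [ "$#" -eq 1 ]; then
    audit_ovpn_config "$1"
fi
```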