From patchwork Mon Aug 12 11:51:29 2019
X-Patchwork-Submitter: Matthias Andree
X-Patchwork-Id: 804
From: Matthias Andree
To: openvpn-devel@lists.sourceforge.net
Date: Mon, 12 Aug 2019 23:51:29 +0200
Message-Id: <20190812215128.10993-1-matthias.andree@gmx.de>
X-Mailer: git-send-email 2.21.0
Subject: [Openvpn-devel] [PATCH] Fix regression, reinstate LibreSSL support.

OpenVPN 2.4.6 could be compiled with LibreSSL, 2.4.7 cannot. This was broken since 9de7fe0a "Add support for tls-ciphersuites for TLS 1.3".

This patch avoids using TLS 1.3 directly, be it that OpenSSL was compiled without TLS 1.3 support, or LibreSSL was used.

This patch was based on an OpenBSD patch by Jeremie Courreges-Anglas, see https://cvsweb.openbsd.org/cgi-bin/cvsweb/ports/net/openvpn/patches/patch-src_openvpn_ssl_openssl_c but was revised to be more obvious and check actual feature macros, and does not rely on current LibreSSL implementation details alone.

Franco Fichtner reports that OPNsense has been a long-time user of LibreSSL without reported breakage, see also: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238382#c10

Signed-off-by: Matthias Andree
---
 src/openvpn/ssl_openssl.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

-- 
2.21.0

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index a78dae99..293bb192 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -206,7 +206,7 @@ info_callback(INFO_CALLBACK_SSL_CONST SSL *s, int where, int ret) int tls_version_max(void) { -#if defined(TLS1_3_VERSION) +#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3) return TLS_VER_1_3; #elif defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2) return TLS_VER_1_2; @@ -233,7 +233,7 @@ openssl_tls_version(int ver) { return TLS1_2_VERSION; } -#if defined(TLS1_3_VERSION) +#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3) else if (ver == TLS_VER_1_3) { return TLS1_3_VERSION; @@ -459,8 +459,8 @@ tls_ctx_restrict_ciphers_tls13(struct tls_root_ctx *ctx, const char *ciphers) return; } -#if (OPENSSL_VERSION_NUMBER < 0x1010100fL) - crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher. " +#if (OPENSSL_VERSION_NUMBER < 0x1010100fL) || !defined(TLS1_3_VERSION) || defined(OPENSSL_NO_TLS1_3) + crypto_msg(M_WARN, "Not compiled with OpenSSL 1.1.1 or higher, or without TLS 1.3 support. " "Ignoring TLS 1.3 only tls-ciphersuites '%s' setting.", ciphers); #else @@ -1846,7 +1846,7 @@ show_available_tls_ciphers_list(const char *cipher_list, crypto_msg(M_FATAL, "Cannot create SSL_CTX object"); } -#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL) +#if (OPENSSL_VERSION_NUMBER >= 0x1010100fL) && defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3) if (tls13) { SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION);
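Review bot: the `defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)` test introduced in tls_version_max() is repeated verbatim in openssl_tls_version() and, in two further variants, in the two later hunks, so four hand-written copies of the same feature check can drift apart on the next change; consider defining it once near the top of ssl_openssl.c (a hypothetical `HAVE_TLS1_3`-style macro, name to be chosen) and using that at all four sites. The behaviour of this hunk itself is sound: with TLS 1.3 unavailable the unchanged `#elif defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2)` branch makes tls_version_max() return TLS_VER_1_2, which is the cap the commit message describes.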
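Review bot: the new `#if` line in tls_ctx_restrict_ciphers_tls13() is roughly 100 columns wide, far past the width of every other line in this patch; break it after each `||` or fold it into a single feature macro. The warning text "Not compiled with OpenSSL 1.1.1 or higher, or without TLS 1.3 support." also reads ambiguously ("not compiled ... or without"); wording such as "Not compiled with OpenSSL 1.1.1 or higher, or the SSL library lacks TLS 1.3 support." tells the operator what to check. Note that this path only emits M_WARN and then ignores the configured tls-ciphersuites; that is pre-existing behaviour, but after this change it also covers LibreSSL builds, so that log line becomes the only indication that the TLS 1.3 ciphersuite restriction from the config is not in effect.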
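Review bot: the widened condition guarding `SSL_CTX_set_min_proto_version(tls_ctx.ctx, TLS1_3_VERSION)` in show_available_tls_ciphers_list() means a build without TLS 1.3 now takes the `#else` branch even when `tls13` is true; that `#else` branch lies outside the hunk, so please confirm it reports that TLS 1.3 ciphersuites are unavailable (as tls_ctx_restrict_ciphers_tls13() does with its M_WARN) rather than silently printing the TLS 1.2 list under a TLS 1.3 heading. As written, the `>= 0x1010100fL && defined(...) && !defined(...)` form here is the exact negation of the `< 0x1010100fL || !defined(...) || defined(...)` form in the previous hunk, which is correct, but a shared macro would make that equivalence obvious to the next reader.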