Message ID | 20211019183127.614175-6-arne@rfc2549.org |
---|---|
State | Accepted |
Headers | show |
Series | OpenSSL 3.0 improvements for OpenVPN | expand |
On 19/10/2021 20:31, Arne Schwabe wrote: > OpenSSL 3.0 replaces the DH API with a generic EVP_KEY based API to > load DH parameters. > > Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com> Looked at the patch, compiled with OpenSSL 3.1.0, tested that I can get a server and client to talk to each other on localhost.
Have no OpenSSL 3.0 based test environment yet - so, trusting MaxF's tests here. Just did compile + client test on 1.1.1 Your patch has been applied to the master branch. commit 658c72e6e651437943f46a975751109759abd858 Author: Arne Schwabe Date: Tue Oct 19 20:31:11 2021 +0200 Use EVP_PKEY based API for loading DH keys Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com> Message-Id: <20211019183127.614175-6-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23015.html Signed-off-by: Gert Doering <gert@greenie.muc.de> -- kind regards, Gert Doering
Hi, Just a nit: On 19-10-2021 20:31, Arne Schwabe wrote: > + if (!SSL_CTX_set0_tmp_dh_pkey(ctx->ctx, dh)) > + { > + crypto_msg(M_FATAL, "SSL_CTX_set_tmp_dh"); > + } This error message looks incorrect and incomplete. -Steffan
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 9a7cb9c64..a44d4f85c 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -649,7 +649,6 @@ void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline) { - DH *dh; BIO *bio; ASSERT(NULL != ctx); @@ -670,7 +669,26 @@ tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, } } - dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_PKEY *dh = PEM_read_bio_Parameters(bio, NULL); + BIO_free(bio); + + if (!dh) + { + crypto_msg(M_FATAL, "Cannot load DH parameters from %s", + print_key_filename(dh_file, dh_file_inline)); + } + if (!SSL_CTX_set0_tmp_dh_pkey(ctx->ctx, dh)) + { + crypto_msg(M_FATAL, "SSL_CTX_set_tmp_dh"); + } + + msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key", + 8 * EVP_PKEY_get_size(dh)); + + EVP_PKEY_free(dh); +#else + DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); BIO_free(bio); if (!dh) @@ -687,6 +705,7 @@ tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, 8 * DH_size(dh)); DH_free(dh); +#endif } void
OpenSSL 3.0 replaces the DH API with a generic EVP_KEY based API to load DH parameters. Signed-off-by: Arne Schwabe <arne@rfc2549.org> --- src/openvpn/ssl_openssl.c | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-)