From patchwork Tue Jun 18 12:01:26 2024
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3734
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 18 Jun 2024 14:01:26 +0200
Message-ID: <20240618120127.4564-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.44.1
Subject: [Openvpn-devel] [PATCH v4] Fix MBEDTLS_DEPRECATED_REMOVED build errors

From: rein.vanbaaren

This commit allows compiling OpenVPN with recent versions of mbed TLS if MBEDTLS_DEPRECATED_REMOVED is defined.

Change-Id: If96c2ebd2af16b18ed34820e8c0531547e2076d9
Signed-off-by: Max Fillinger
Acked-by: Arne Schwabe
---
This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/681
This mail reflects revision 4 of this Change.

Acked-by according to Gerrit (reflected above):
Arne Schwabe
diff --git a/src/openvpn/mbedtls_compat.h b/src/openvpn/mbedtls_compat.h index d742b54..8559c2e 100644 --- a/src/openvpn/mbedtls_compat.h +++ b/src/openvpn/mbedtls_compat.h @@ -40,6 +40,7 @@ #include #include #include +#include #include #include #include @@ -51,6 +52,12 @@ #include #endif +#if MBEDTLS_VERSION_NUMBER >= 0x03000000 +typedef uint16_t mbedtls_compat_group_id; +#else +typedef mbedtls_ecp_group_id mbedtls_compat_group_id; +#endif + static inline void mbedtls_compat_psa_crypto_init(void) { @@ -64,6 +71,16 @@ #endif /* HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) */ } +static inline mbedtls_compat_group_id +mbedtls_compat_get_group_id(const mbedtls_ecp_curve_info *curve_info) +{ +#if MBEDTLS_VERSION_NUMBER >= 0x03000000 + return curve_info->tls_id; +#else + return curve_info->grp_id; +#endif +} + /* * In older versions of mbedtls, mbedtls_ctr_drbg_update() did not return an * error code, and it was deprecated in favor of mbedtls_ctr_drbg_update_ret() 
@@ -124,6 +141,34 @@ } #if MBEDTLS_VERSION_NUMBER < 0x03020100 +typedef enum { + MBEDTLS_SSL_VERSION_UNKNOWN, /*!< Context not in use or version not yet negotiated. */ + MBEDTLS_SSL_VERSION_TLS1_2 = 0x0303, /*!< (D)TLS 1.2 */ + MBEDTLS_SSL_VERSION_TLS1_3 = 0x0304, /*!< (D)TLS 1.3 */ +} mbedtls_ssl_protocol_version; + +static inline void +mbedtls_ssl_conf_min_tls_version(mbedtls_ssl_config *conf, mbedtls_ssl_protocol_version tls_version) +{ + int major = (tls_version >> 8) & 0xff; + int minor = tls_version & 0xff; + mbedtls_ssl_conf_min_version(conf, major, minor); +} + +static inline void +mbedtls_ssl_conf_max_tls_version(mbedtls_ssl_config *conf, mbedtls_ssl_protocol_version tls_version) +{ + int major = (tls_version >> 8) & 0xff; + int minor = tls_version & 0xff; + mbedtls_ssl_conf_max_version(conf, major, minor); +} + +static inline void +mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf, mbedtls_compat_group_id *groups) +{ + mbedtls_ssl_conf_curves(conf, groups); +} + static inline size_t mbedtls_cipher_info_get_block_size(const mbedtls_cipher_info_t *cipher) { diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index ec9ec13..bb88da9 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -402,7 +402,7 @@ /* Get number of groups and allocate an array in ctx */ int groups_count = get_num_elements(groups, ':'); - ALLOC_ARRAY_CLEAR(ctx->groups, mbedtls_ecp_group_id, groups_count + 1) + ALLOC_ARRAY_CLEAR(ctx->groups, mbedtls_compat_group_id, groups_count + 1) /* Parse allowed ciphers, getting IDs */ int i = 0; @@ -419,11 +419,15 @@ } else { - ctx->groups[i] = ci->grp_id; + ctx->groups[i] = mbedtls_compat_get_group_id(ci); i++; } } - ctx->groups[i] = MBEDTLS_ECP_DP_NONE; + + /* Recent mbedtls versions state that the list of groups must be terminated + * with 0. Older versions state that it must be terminated with MBEDTLS_ECP_DP_NONE + * which is also 0, so this works either way. */ + ctx->groups[i] = 0; gc_free(&gc); } 
@@ -1046,33 +1050,30 @@ } /** - * Convert an OpenVPN tls-version variable to mbed TLS format (i.e. a major and - * minor ssl version number). + * Convert an OpenVPN tls-version variable to mbed TLS format * * @param tls_ver The tls-version variable to convert. - * @param major Returns the TLS major version in mbed TLS format. - * Must be a valid pointer. - * @param minor Returns the TLS minor version in mbed TLS format. - * Must be a valid pointer. + * + * @return Translated mbedTLS SSL version from OpenVPN TLS version. */ -static void -tls_version_to_major_minor(int tls_ver, int *major, int *minor) +mbedtls_ssl_protocol_version +tls_version_to_ssl_version(int tls_ver) { - ASSERT(major); - ASSERT(minor); - switch (tls_ver) { #if defined(MBEDTLS_SSL_PROTO_TLS1_2) case TLS_VER_1_2: - *major = MBEDTLS_SSL_MAJOR_VERSION_3; - *minor = MBEDTLS_SSL_MINOR_VERSION_3; - break; + return MBEDTLS_SSL_VERSION_TLS1_2; +#endif + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + case TLS_VER_1_3: + return MBEDTLS_SSL_VERSION_TLS1_3; #endif default: msg(M_FATAL, "%s: invalid or unsupported TLS version %d", __func__, tls_ver); - break; + return MBEDTLS_SSL_VERSION_UNKNOWN; } } @@ -1153,7 +1154,7 @@ if (ssl_ctx->groups) { - mbedtls_ssl_conf_curves(ks_ssl->ssl_config, ssl_ctx->groups); + mbedtls_ssl_conf_groups(ks_ssl->ssl_config, ssl_ctx->groups); } /* Disable TLS renegotiations if the mbedtls library supports that feature. 
@@ -1203,15 +1204,14 @@ &SSLF_TLS_VERSION_MIN_MASK; /* default to TLS 1.2 */ - int major = MBEDTLS_SSL_MAJOR_VERSION_3; - int minor = MBEDTLS_SSL_MINOR_VERSION_3; + mbedtls_ssl_protocol_version version = MBEDTLS_SSL_VERSION_TLS1_2; if (configured_tls_version_min > TLS_VER_UNSPEC) { - tls_version_to_major_minor(configured_tls_version_min, &major, &minor); + version = tls_version_to_ssl_version(configured_tls_version_min); } - mbedtls_ssl_conf_min_version(ks_ssl->ssl_config, major, minor); + mbedtls_ssl_conf_min_tls_version(ks_ssl->ssl_config, version); } /* Initialize maximum TLS version */ @@ -1220,20 +1220,19 @@ (session->opt->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) &SSLF_TLS_VERSION_MAX_MASK; - int major = 0; - int minor = 0; + mbedtls_ssl_protocol_version version = MBEDTLS_SSL_VERSION_UNKNOWN; if (configured_tls_version_max > TLS_VER_UNSPEC) { - tls_version_to_major_minor(configured_tls_version_max, &major, &minor); + version = tls_version_to_ssl_version(configured_tls_version_max); } else { /* Default to tls_version_max(). */ - tls_version_to_major_minor(tls_version_max(), &major, &minor); + version = tls_version_to_ssl_version(tls_version_max()); } - mbedtls_ssl_conf_max_version(ks_ssl->ssl_config, major, minor); + mbedtls_ssl_conf_max_tls_version(ks_ssl->ssl_config, version); } #if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB diff --git a/src/openvpn/ssl_mbedtls.h b/src/openvpn/ssl_mbedtls.h index 1fd0ce8..34b4f02 100644 --- a/src/openvpn/ssl_mbedtls.h +++ b/src/openvpn/ssl_mbedtls.h @@ -39,6 +39,8 @@ #include #endif +#include "mbedtls_compat.h" + typedef struct _buffer_entry buffer_entry; struct _buffer_entry { 
@@ -118,7 +120,7 @@ #endif struct external_context external_key; /**< External key context */ int *allowed_ciphers; /**< List of allowed ciphers for this connection */ - mbedtls_ecp_group_id *groups; /**< List of allowed groups for this connection */ + mbedtls_compat_group_id *groups; /**< List of allowed groups for this connection */ mbedtls_x509_crt_profile cert_profile; /**< Allowed certificate types */ };
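Review bot: In the mbedtls_compat.h hunk @@ -64,6 +71,16 @@, mbedtls_compat_get_group_id() returns values from two different numeric spaces depending on the library version (curve_info->tls_id, the TLS NamedGroup identifier, on Mbed TLS 3.x; curve_info->grp_id, the mbedtls_ecp_group_id enum, before that) but carries no doc comment saying so. Please add one stating that the result is opaque to callers and must only be handed to mbedtls_ssl_conf_groups()/the compat wrapper, never compared against MBEDTLS_ECP_DP_* constants, so a future caller does not assume the 2.x meaning.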
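Review bot: In the mbedtls_compat.h hunk @@ -124,6 +141,34 @@, the mbedtls_ssl_conf_groups() wrapper is compiled for every MBEDTLS_VERSION_NUMBER < 0x03020100, while mbedtls_compat_group_id (hunk @@ -51,6 +52,12 @@) already switches to uint16_t at 0x03000000. For a 3.0.x or 3.1.x build the wrapper therefore passes a uint16_t array of tls_id values to mbedtls_ssl_conf_curves(), which, as the replaced struct field `mbedtls_ecp_group_id *groups` and the replaced call in ssl_mbedtls.c show, expects mbedtls_ecp_group_id values; that is a pointer-type mismatch and, even if it compiled, the curve list would be misread. Either align the two thresholds or state in the commit message which Mbed TLS versions the build is expected to support. Minor: the wrapper could take `const mbedtls_compat_group_id *groups` to match the const-correct library signature it replaces.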
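Review bot: In the ssl_mbedtls.c hunk @@ -419,11 +419,15 @@, the explicit `ctx->groups[i] = 0;` terminator is already guaranteed by ALLOC_ARRAY_CLEAR(ctx->groups, ..., groups_count + 1) in the hunk just above, so it is redundant though harmless; the accompanying comment is a useful record of why 0 is correct for both API generations and is worth keeping even if the assignment is dropped.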
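Review bot: In the ssl_mbedtls.c hunk @@ -1046,33 +1050,30 @@, tls_version_to_ssl_version() loses the `static` that tls_version_to_major_minor() had, yet this patch adds no prototype for it to ssl_mbedtls.h, so it becomes an exported symbol without a declaration (builds using -Wmissing-prototypes will flag it). Keep it `static` unless another translation unit needs it. Separately, the new `case TLS_VER_1_3:` under MBEDTLS_SSL_PROTO_TLS1_3 accepts a version the old function rejected as unsupported; that is a behaviour change beyond the build fix the commit message describes and deserves a sentence there.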