From patchwork Mon Jan 27 23:50:14 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Shubham Mittal X-Patchwork-Id: 4087 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:6a49:b0:5e7:b9eb:58e8 with SMTP id v9csp143039mat; Mon, 27 Jan 2025 16:07:23 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCVD1cF+YMr/4SZwuvD/W38RLI8Ujt9SSJeDR+qVNoZsfjyA1UeGcrGCfL7Kwr4zh9e9rPtD+Ya37RE=@openvpn.net X-Google-Smtp-Source: AGHT+IHVjp7l74pZrznb8k91ImACBYR2tiBZ1IH59q0LkzjagyyvXiGAECTdPVAcMAeSzhsCAjod X-Received: by 2002:a05:6870:af8d:b0:288:18a0:e169 with SMTP id 586e51a60fabf-2b1c093dc70mr22112701fac.19.1738022843301; Mon, 27 Jan 2025 16:07:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1738022843; cv=none; d=google.com; s=arc-20240605; b=DXEm1FoQh7BuqNDr1y2uB0yJUur1iVQVlit7xiTLabQ7xy+xWMG1gpDDIsPilRBtet pfijTcZ9c5+kNlK1spYWA9V2AE/vJ1JNRVKOkQgDghXCfMWcuKHtuWQHJvUU6G4x95xP +l/kYj/19ch/dgX6+AOt0SMbOYmrpJEiWCZBEgICzalnVC9YrsXxv8hGut/yz22W2KAx 7gRuQ4GwC94e86WDApS85RwO0m7gcHbaUrxyG6ic0gZWjpmd3ENS0X3TKqqx4AY8Z1fc KThC4/JNpcioBlvFAdLzM42/A4iW3HVh7A//qIVHj6jxoKsilKhkl2xSTIWP646ngkQ/ MvQg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:reply-to:from:list-subscribe :list-help:list-post:list-archive:list-unsubscribe:list-id :precedence:subject:mime-version:message-id:date:to:dkim-signature :dkim-signature:dkim-signature; bh=sCixvJKRWvxDt619a4v+skpubtPdA0bOL+tyLKJpWOA=; fh=M0IgS9BLcbDnxRvvrgNqqeQSdb7j85MQs+k/Km/mzfQ=; b=SBFa3/dP8QzaQm0Iq+I8W0cLmkpUT5yhhOFZk94vZzXxFVokGMC/Jdm/3kgKMsHoxT JNNkQgchwERK9b5cKrbTVaKfd6mlaVBygHr/NXTGPL2lrGZmTQ5A9xw5mrnt5J97q5wq 2ppYprqz6M9nnluE6pvJs+KYBSJ7nYN90QnMQ4wqR1qTkqzcEZ10Y9lpy8+85WlBavdn HaSIB0sLlvosIZBlKepJ5PrjzQmowtUxyCDI+LmMaV3LmdMvXX8mWcZDUvgABiMF3eyx gE2vPgaQSn8cBhcEfrREjKOII7M8cuBA4gmQF2rA8vuGXAhiKvnI/+G+BtPECN5Evh4d xoeA==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=PmVHvpS3; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=KWnt08vr; dkim=neutral (body hash did not verify) header.i=@amazon.com header.s=amazon201209 header.b=l9gReFle; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=sourceforge.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 586e51a60fabf-2b28f15011esi7446619fac.39.2025.01.27.16.07.23 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 27 Jan 2025 16:07:23 -0800 (PST) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=PmVHvpS3; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=KWnt08vr; dkim=neutral (body hash did not verify) header.i=@amazon.com header.s=amazon201209 header.b=l9gReFle; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=sourceforge.net Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1tcZ8N-000642-Hm; Tue, 28 Jan 2025 00:07:16 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1tcZ7K-00062p-4G for openvpn-devel@lists.sourceforge.net; Tue, 28 Jan 2025 00:06:10 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Type:Content-Transfer-Encoding:MIME-Version :Message-ID:Date:Subject:CC:To:From:Sender:Reply-To:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=rcjfXeQnt+go2+b0vqIsvsDKXde0JHgn6y/v1fveBio=; b=PmVHvpS3GinJyd00+lTNA3ICUs fu4XWKd6ZEM+OOp1kTF4id2SmuZru5TQV8AUN1C69DGGSSIn9QadR9bp6EG1jAAiG+bptDrLyRYE/ NMSS/6FDDG3kBkvcNMrq18lYxlA4aDhk69MAXBvA/f4zcqVswSIXIJJF2tHhnRpfjY1c=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:Date: Subject:CC:To:From:Sender:Reply-To:Content-ID:Content-Description:Resent-Date :Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=rcjfXeQnt+go2+b0vqIsvsDKXde0JHgn6y/v1fveBio=; b=K Wnt08vr3VxlBhEihLYEpK1HyY0QV05nzcqWwUhiWGfDp+GE8Xqb4R/iyvT9BFVDpHLn8H0b+CdpiD j0GPlc2NfUiwq/+QHGhBxteabLdRuhcVjcZzxxBlWdux4od2UEcmQQDDtQg5TpkoSjwNNPDjFC3fr cWYPCHjxyWIJeQZw=; Received: from smtp-fw-80008.amazon.com ([99.78.197.219]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1tcZ7G-0007n5-9G for openvpn-devel@lists.sourceforge.net; Tue, 28 Jan 2025 00:06:10 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1738022766; x=1769558766; h=from:to:cc:subject:date:message-id:mime-version: content-transfer-encoding; bh=rcjfXeQnt+go2+b0vqIsvsDKXde0JHgn6y/v1fveBio=; b=l9gReFleyln5cA2Vzlyb5S6n2NbsYyo2VlEr/VM+r+7P0ghiSMKgrPmt 7CQaI9IOR5BVqXzmbx20EaqInZ/Dr6XcgYfpV6cKGwaSAm509uTE7k5Fz 8yS1RvkchqH+2GXIsKXup1ZMY8TJkFkh17iUQFZAW/uXCBkicBU59XSH7 I=; X-IronPort-AV: E=Sophos;i="6.13,239,1732579200"; d="scan'208";a="164716073" Received: from pdx4-co-svc-p1-lb2-vlan3.amazon.com (HELO smtpout.prod.us-west-2.prod.farcaster.email.amazon.dev) ([10.25.36.214]) by smtp-border-fw-80008.pdx80.corp.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 27 Jan 2025 23:50:17 +0000 Received: from EX19MTAUWB002.ant.amazon.com [10.0.38.20:46469] by smtpin.naws.us-west-2.prod.farcaster.email.amazon.dev [10.0.39.194:2525] with esmtp (Farcaster) id ddbcadf0-7247-4031-a27a-18ba750a81ac; Mon, 27 Jan 2025 23:50:16 +0000 (UTC) X-Farcaster-Flow-ID: ddbcadf0-7247-4031-a27a-18ba750a81ac Received: from EX19D019UWB001.ant.amazon.com (10.13.139.189) by EX19MTAUWB002.ant.amazon.com (10.250.64.231) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1258.39; Mon, 27 Jan 2025 23:50:16 +0000 Received: from EX19MTAUWC002.ant.amazon.com (10.250.64.143) by EX19D019UWB001.ant.amazon.com (10.13.139.189) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1258.39; Mon, 27 Jan 2025 23:50:16 +0000 Received: from email-imr-corp-prod-iad-all-1b-1323ce6b.us-east-1.amazon.com (10.25.36.210) by mail-relay.amazon.com (10.250.64.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA) id 15.2.1258.39 via Frontend Transport; Mon, 27 Jan 2025 23:50:16 +0000 Received: from 7cf34dea8443.amazon.com (unknown [10.187.170.20]) by email-imr-corp-prod-iad-all-1b-1323ce6b.us-east-1.amazon.com (Postfix) with ESMTP id 8DCE34029D; Mon, 27 Jan 2025 23:50:15 +0000 (UTC) To: Date: Mon, 27 Jan 2025 15:50:14 -0800 Message-ID: <20250127235014.355-1-smittals@amazon.com> X-Mailer: git-send-email 2.39.5 (Apple Git-154) MIME-Version: 1.0 X-Spam-Score: -3.8 (---) X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Additional context from PR on Github about changes in ssl_openssl.c around line 1900: This change addresses a subtle behavioral difference between AWS-LC and OpenSSL regarding object ownership semanti [...] Content analysis details: (-3.8 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 RCVD_IN_VALIDITY_SAFE_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [99.78.197.219 listed in sa-accredit.habeas.com] 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [99.78.197.219 listed in bl.score.senderscore.com] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 RCVD_IN_MSPIKE_H3 RBL: Good reputation (+3) [99.78.197.219 listed in wl.mailspike.net] -2.3 RCVD_IN_DNSWL_MED RBL: Sender listed at https://www.dnswl.org/, medium trust [99.78.197.219 listed in list.dnswl.org] -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.0 T_SCC_BODY_TEXT_LINE No description available. 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines -1.3 DKIMWL_WL_HIGH DKIMwl.org - High trust sender X-Headers-End: 1tcZ7G-0007n5-9G Subject: [Openvpn-devel] [PATCH] Add compatibility to build OpenVPN with AWS-LC. X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: Shubham Mittal via Openvpn-devel From: Shubham Mittal Reply-To: Shubham Mittal Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1822449040727953226?= X-GMAIL-MSGID: =?utf-8?q?1822449040727953226?= Additional context from PR on Github about changes in ssl_openssl.c around line 1900: This change addresses a subtle behavioral difference between AWS-LC and OpenSSL regarding object ownership semantics in SSL_CTX_set_client_CA_list(ctx->ctx, cert_names). OpenSSL Behavior: Stores a reference to the provided cert_names stack cert_names remains valid after SSL_CTX_set_client_CA_list AWS-LC Behavior: Creates a copy of the parameter cert_names (which is a stack of type X509_NAME) and converts it to a stack of CRYPTO_BUFFER (how we internally represent X509_NAME, it's an opaque byte string). Then frees the original passed in cert_names After SSL_CTX_set_client_CA_list, cert_names no longer points to valid memory The proposed changes reorder operations to getting the size of the stack before the set operation as opposed to after the set operation. No operations between the setter and stack size check modify cert_names. Therefore, the logical outcome should remain the same - and this would also handle the subtle behavioral difference in AWS-LC. URL: https://github.com/OpenVPN/openvpn/pull/672 Acked-by: Arne Schwabe Signed-off-by: Shubham Mittal --- README.awslc | 23 +++++++++++++++++++++++ src/openvpn/crypto_openssl.c | 7 +++++++ src/openvpn/openssl_compat.h | 2 +- src/openvpn/ssl_openssl.c | 10 +++++++--- 4 files changed, 38 insertions(+), 4 deletions(-) create mode 100644 README.awslc diff --git a/README.awslc b/README.awslc new file mode 100644 index 00000000..c0ee7768 --- /dev/null +++ b/README.awslc @@ -0,0 +1,23 @@ +This version of OpenVPN supports AWS-LC (AWS Libcrypto), AWS's open-source cryptographic library. + +If you encounter bugs in OpenVPN while using AWS-LC: +1. Try compiling OpenVPN with OpenSSL to determine if the issue is specific to AWS-LC +2. For AWS-LC-specific issues, please report them at: https://github.com/aws/aws-lc + +To build and install OpenVPN with AWS-LC: + + OPENSSL_CFLAGS="-I/${AWS_LC_INSTALL_FOLDER}/include" \ + OPENSSL_LIBS="-L/${AWS_LC_INSTALL_FOLDER}/lib -lssl -lcrypto" \ + ./configure --with-crypto-library=openssl + make + make install + + export LD_LIBRARY_PATH="${AWS_LC_INSTALL_FOLDER}/lib" + +When running tests, LD_LIBRARY_PATH must be passed in again: + + LD_LIBRARY_PATH="${AWS_LC_INSTALL_FOLDER}/lib" make check + +************************************************************************* +Due to limitations in AWS-LC, the following features are missing +* Windows CryptoAPI support diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 914b1c4f..070225d3 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -1398,6 +1398,13 @@ out: return ret; } +#elif defined(OPENSSL_IS_AWSLC) +bool +ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, + int slen, uint8_t *out1, int olen) +{ + CRYPTO_tls1_prf(EVP_md5_sha1(), out1, olen, sec, slen, label, label_len, NULL, 0, NULL, 0); +} #elif !defined(LIBRESSL_VERSION_NUMBER) && !defined(ENABLE_CRYPTO_WOLFSSL) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index 89f22d13..3e3b406a 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -76,7 +76,7 @@ X509_OBJECT_free(X509_OBJECT *obj) #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT #endif -#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL +#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL || defined(OPENSSL_IS_AWSLC) #define SSL_get_peer_tmp_key SSL_get_server_tmp_key #endif diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 89d0328e..aad79a4b 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1669,7 +1669,11 @@ tls_ctx_use_external_ec_key(struct tls_root_ctx *ctx, EVP_PKEY *pkey) /* Among init methods, we only need the finish method */ EC_KEY_METHOD_set_init(ec_method, NULL, openvpn_extkey_ec_finish, NULL, NULL, NULL, NULL); +#ifdef OPENSSL_IS_AWSLC + EC_KEY_METHOD_set_sign(ec_method, ecdsa_sign, NULL, ecdsa_sign_sig); +#else EC_KEY_METHOD_set_sign(ec_method, ecdsa_sign, ecdsa_sign_setup, ecdsa_sign_sig); +#endif ec = EC_KEY_dup(EVP_PKEY_get0_EC_KEY(pkey)); if (!ec) @@ -1895,9 +1899,10 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, } sk_X509_INFO_pop_free(info_stack, X509_INFO_free); } - + int cnum; if (tls_server) { + cnum = sk_X509_NAME_num(cert_names); SSL_CTX_set_client_CA_list(ctx->ctx, cert_names); } @@ -1910,7 +1915,6 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, if (tls_server) { - int cnum = sk_X509_NAME_num(cert_names); if (cnum != added) { crypto_msg(M_FATAL, "Cannot load CA certificate file %s (only %d " @@ -2558,7 +2562,7 @@ show_available_tls_ciphers_list(const char *cipher_list, crypto_msg(M_FATAL, "Cannot create SSL object"); } -#if OPENSSL_VERSION_NUMBER < 0x1010000fL +#if OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(OPENSSL_IS_AWSLC) STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl); #else STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);