From patchwork Tue Apr 29 15:49:18 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4230
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 29 Apr 2025 17:49:18 +0200
Message-ID: <20250429154923.20921-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.49.0
Subject: [Openvpn-devel] [PATCH v2] Fix MBEDTLS_DEPRECATED_REMOVED build errors

From: rein.vanbaaren

This commit allows compiling OpenVPN with recent versions of mbed TLS if
MBEDTLS_DEPRECATED_REMOVED is defined.

Cherry-pick note:
- Adapt to still support TLS 1.0 and 1.1 which were removed in master.

Change-Id: If96c2ebd2af16b18ed34820e8c0531547e2076d9
Signed-off-by: Max Fillinger Acked-by: Arne Schwabe Message-Id: <20240618120127.4564-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28771.html Signed-off-by: Gert Doering Acked-by: Gert Doering (cherry picked from commit 8eb397de3656402872f9c9584c6f703b87b50762) --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to release/2.6. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/946 This mail reflects revision 2 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/mbedtls_compat.h b/src/openvpn/mbedtls_compat.h index 610215b..5705706 100644 --- a/src/openvpn/mbedtls_compat.h +++ b/src/openvpn/mbedtls_compat.h @@ -40,6 +40,7 @@ #include #include #include +#include #include #include #include @@ -51,6 +52,12 @@ #include #endif +#if MBEDTLS_VERSION_NUMBER >= 0x03000000 +typedef uint16_t mbedtls_compat_group_id; +#else +typedef mbedtls_ecp_group_id mbedtls_compat_group_id; +#endif + static inline void mbedtls_compat_psa_crypto_init(void) { @@ -64,6 +71,16 @@ #endif /* HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) */ } +static inline mbedtls_compat_group_id +mbedtls_compat_get_group_id(const mbedtls_ecp_curve_info *curve_info) +{ +#if MBEDTLS_VERSION_NUMBER >= 0x03000000 + return curve_info->tls_id; +#else + return curve_info->grp_id; +#endif +} + /* * In older versions of mbedtls, mbedtls_ctr_drbg_update() did not return an * error code, and it was deprecated in favor of mbedtls_ctr_drbg_update_ret() 
@@ -124,6 +141,36 @@ } #if MBEDTLS_VERSION_NUMBER < 0x03020100 +typedef enum { + MBEDTLS_SSL_VERSION_UNKNOWN, /*!< Context not in use or version not yet negotiated. */ + MBEDTLS_SSL_VERSION_TLS1_0 = 0x0301, /*!< (D)TLS 1.0 */ + MBEDTLS_SSL_VERSION_TLS1_1 = 0x0302, /*!< (D)TLS 1.1 */ + MBEDTLS_SSL_VERSION_TLS1_2 = 0x0303, /*!< (D)TLS 1.2 */ + MBEDTLS_SSL_VERSION_TLS1_3 = 0x0304, /*!< (D)TLS 1.3 */ +} mbedtls_ssl_protocol_version; + +static inline void +mbedtls_ssl_conf_min_tls_version(mbedtls_ssl_config *conf, mbedtls_ssl_protocol_version tls_version) +{ + int major = (tls_version >> 8) & 0xff; + int minor = tls_version & 0xff; + mbedtls_ssl_conf_min_version(conf, major, minor); +} + +static inline void +mbedtls_ssl_conf_max_tls_version(mbedtls_ssl_config *conf, mbedtls_ssl_protocol_version tls_version) +{ + int major = (tls_version >> 8) & 0xff; + int minor = tls_version & 0xff; + mbedtls_ssl_conf_max_version(conf, major, minor); +} + +static inline void +mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf, mbedtls_compat_group_id *groups) +{ + mbedtls_ssl_conf_curves(conf, groups); +} + static inline size_t mbedtls_cipher_info_get_block_size(const mbedtls_cipher_info_t *cipher) { diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 7e29bd2..8fb69c3 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -401,7 +401,7 @@ /* Get number of groups and allocate an array in ctx */ int groups_count = get_num_elements(groups, ':'); - ALLOC_ARRAY_CLEAR(ctx->groups, mbedtls_ecp_group_id, groups_count + 1) + ALLOC_ARRAY_CLEAR(ctx->groups, mbedtls_compat_group_id, groups_count + 1) /* Parse allowed ciphers, getting IDs */ int i = 0; 
@@ -418,11 +418,15 @@ } else { - ctx->groups[i] = ci->grp_id; + ctx->groups[i] = mbedtls_compat_get_group_id(ci); i++; } } - ctx->groups[i] = MBEDTLS_ECP_DP_NONE; + + /* Recent mbedtls versions state that the list of groups must be terminated + * with 0. Older versions state that it must be terminated with MBEDTLS_ECP_DP_NONE + * which is also 0, so this works either way. */ + ctx->groups[i] = 0; gc_free(&gc); } @@ -1049,47 +1053,40 @@ } /** - * Convert an OpenVPN tls-version variable to mbed TLS format (i.e. a major and - * minor ssl version number). + * Convert an OpenVPN tls-version variable to mbed TLS format * * @param tls_ver The tls-version variable to convert. - * @param major Returns the TLS major version in mbed TLS format. - * Must be a valid pointer. - * @param minor Returns the TLS minor version in mbed TLS format. - * Must be a valid pointer. + * + * @return Translated mbedTLS SSL version from OpenVPN TLS version. */ -static void -tls_version_to_major_minor(int tls_ver, int *major, int *minor) +static mbedtls_ssl_protocol_version +tls_version_to_ssl_version(int tls_ver) { - ASSERT(major); - ASSERT(minor); - switch (tls_ver) { #if defined(MBEDTLS_SSL_PROTO_TLS1) case TLS_VER_1_0: - *major = MBEDTLS_SSL_MAJOR_VERSION_3; - *minor = MBEDTLS_SSL_MINOR_VERSION_1; - break; + return MBEDTLS_SSL_VERSION_TLS1_0; #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_1) case TLS_VER_1_1: - *major = MBEDTLS_SSL_MAJOR_VERSION_3; - *minor = MBEDTLS_SSL_MINOR_VERSION_2; - break; + return MBEDTLS_SSL_VERSION_TLS1_1; #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) case TLS_VER_1_2: - *major = MBEDTLS_SSL_MAJOR_VERSION_3; - *minor = MBEDTLS_SSL_MINOR_VERSION_3; - break; + return MBEDTLS_SSL_VERSION_TLS1_2; +#endif + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + case TLS_VER_1_3: + return MBEDTLS_SSL_VERSION_TLS1_3; #endif default: msg(M_FATAL, "%s: invalid or unsupported TLS version %d", __func__, tls_ver); - break; + return MBEDTLS_SSL_VERSION_UNKNOWN; } } 
@@ -1170,7 +1167,7 @@ if (ssl_ctx->groups) { - mbedtls_ssl_conf_curves(ks_ssl->ssl_config, ssl_ctx->groups); + mbedtls_ssl_conf_groups(ks_ssl->ssl_config, ssl_ctx->groups); } /* Disable TLS renegotiations if the mbedtls library supports that feature. @@ -1220,15 +1217,14 @@ &SSLF_TLS_VERSION_MIN_MASK; /* default to TLS 1.2 */ - int major = MBEDTLS_SSL_MAJOR_VERSION_3; - int minor = MBEDTLS_SSL_MINOR_VERSION_3; + mbedtls_ssl_protocol_version version = MBEDTLS_SSL_VERSION_TLS1_2; if (configured_tls_version_min > TLS_VER_UNSPEC) { - tls_version_to_major_minor(configured_tls_version_min, &major, &minor); + version = tls_version_to_ssl_version(configured_tls_version_min); } - mbedtls_ssl_conf_min_version(ks_ssl->ssl_config, major, minor); + mbedtls_ssl_conf_min_tls_version(ks_ssl->ssl_config, version); } /* Initialize maximum TLS version */ @@ -1237,20 +1233,19 @@ (session->opt->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) &SSLF_TLS_VERSION_MAX_MASK; - int major = 0; - int minor = 0; + mbedtls_ssl_protocol_version version = MBEDTLS_SSL_VERSION_UNKNOWN; if (configured_tls_version_max > TLS_VER_UNSPEC) { - tls_version_to_major_minor(configured_tls_version_max, &major, &minor); + version = tls_version_to_ssl_version(configured_tls_version_max); } else { /* Default to tls_version_max(). */ - tls_version_to_major_minor(tls_version_max(), &major, &minor); + version = tls_version_to_ssl_version(tls_version_max()); } - mbedtls_ssl_conf_max_version(ks_ssl->ssl_config, major, minor); + mbedtls_ssl_conf_max_tls_version(ks_ssl->ssl_config, version); } #if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB diff --git a/src/openvpn/ssl_mbedtls.h b/src/openvpn/ssl_mbedtls.h index 1fd0ce8..34b4f02 100644 --- a/src/openvpn/ssl_mbedtls.h +++ b/src/openvpn/ssl_mbedtls.h @@ -39,6 +39,8 @@ #include #endif +#include "mbedtls_compat.h" + typedef struct _buffer_entry buffer_entry; struct _buffer_entry { 
@@ -118,7 +120,7 @@ #endif struct external_context external_key; /**< External key context */ int *allowed_ciphers; /**< List of allowed ciphers for this connection */ - mbedtls_ecp_group_id *groups; /**< List of allowed groups for this connection */ + mbedtls_compat_group_id *groups; /**< List of allowed groups for this connection */ mbedtls_x509_crt_profile cert_profile; /**< Allowed certificate types */ };
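Review bot: the new `mbedtls_compat_group_id` typedef in mbedtls_compat.h (hunk `@@ -51,6 +52,12 @@`) uses `uint16_t`, which needs `<stdint.h>` or a header that pulls it in; the `#include` added in the first hunk has lost its name in this rendering, so please confirm it is the one that provides `uint16_t`, or include `<stdint.h>` explicitly so the compat header does not depend on include order.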
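Review bot: the version cut-offs in the shim hunk (`@@ -124,6 +141,36 @@`) do not line up with the typedef: `mbedtls_compat_group_id` becomes `uint16_t` from `MBEDTLS_VERSION_NUMBER >= 0x03000000`, but the `mbedtls_ssl_conf_groups()` shim is compiled for every version below `0x03020100` and forwards its `mbedtls_compat_group_id *` argument to `mbedtls_ssl_conf_curves()`, which the code being replaced called with a `mbedtls_ecp_group_id *` array. For an mbed TLS release between those two thresholds that is a pointer type mismatch; either give the `mbedtls_ssl_conf_groups()` shim its own `#if MBEDTLS_VERSION_NUMBER < 0x03000000` guard or add a comment explaining which library release introduced each API and why both cut-offs are right. As a style point, the shim's `groups` parameter could be `const mbedtls_compat_group_id *`, since the function only reads it.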
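Review bot: in `tls_version_to_ssl_version()` (hunk `@@ -1049,47 +1053,40 @@`) the new `case TLS_VER_1_3:` is compiled whenever the library defines `MBEDTLS_SSL_PROTO_TLS1_3`, but nothing else in this patch or in the commit message says whether TLS 1.3 is expected to work with the mbed TLS backend on release/2.6; please either state that in the commit message or drop the case from the backport if it is only there to keep the switch exhaustive. The `return MBEDTLS_SSL_VERSION_UNKNOWN;` after `msg(M_FATAL, ...)` is unreachable in practice, which is fine, but a one-line comment saying it only silences the compiler would spare the next reader from wondering whether callers must handle `MBEDTLS_SSL_VERSION_UNKNOWN`.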