From patchwork Tue Jun 3 14:06:24 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gert Doering X-Patchwork-Id: 4275 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:9994:b0:667:60b:5921 with SMTP id d20csp3228607mav; Tue, 3 Jun 2025 07:07:00 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCWGprU2bsobHWCeVLwLcs6nF4z5sB5xr8RF2VRQtngk0GKcCIWdsPN+NxJP9fRwwO91X6RdIHkC4MM=@openvpn.net X-Google-Smtp-Source: AGHT+IGNIRcQrFapGVssrFh2g0i9sCB0RuJrB+wdHM3OQuK5V0EOt0d4vnLe8pZkdqWVRnil/E/l X-Received: by 2002:a05:6808:6c91:b0:404:e0b3:129 with SMTP id 5614622812f47-4067e550c44mr9408641b6e.12.1748959609388; Tue, 03 Jun 2025 07:06:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1748959609; cv=none; d=google.com; s=arc-20240605; b=Ub6WUlznkf9YrbDpmAlVCVVcsf0hqKVjv+kdIPr/Ny3af2+08TchkeN7kehTdY5DYt HaqgZGEMfYuE7PvCkEcqDiFrKWsPQ5m8WvsvJvGkSTLrZAAO0otr/Zke3tp7IiBVQY+V Mps5BlIECRpT7UsY/+0NxAecUU6u8a4pNF3yerkXJkZ1JGhB0RUfGX0u8Y/l3pOlCpDn ucLEDjjODCKIsgX2Nu/WfohZRdhP/brtPu2NrmKEvlprtZtAhJcGnbue7/8gL1ljZ94I 235z49VNETcbOO6TXdG6IUXfEw02FYwzJziT9YW5617WyvGSP93BEGB46LPcWkGqi2Pc 2yLA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature; bh=SzOLVkqAQcBUxJ63y9woLCaffXH/eKYvq0AJugx2r24=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=NDxRxT4tKacXQDeoUTyAHdlPzyxA1NSQRoey1DWwFNSPYZUnkODVdfDE6mfzznmqB+ ziQ1HzdI1qu38RScIOedFfDzkox6Tg3gLbim+/UR0BYQMqIMrgolYfuk3jbwuNWNVejE jkPJQTseqWntNAdOuOxVWEL/V4F0DQ7kDeizmLs+7Mu6wPp4F8u8SdpC8GXa69/V6Iij eo7Pjx6fQBcFeS/CyCyHw3mz7SDd4DIv6q7MDhENp1FkeLMxHIbGNcMJ6uWfvuu7vk95 VBLQ+yzKceOSqz1uPXjelOzX4bW7A3960exRifYBwvRLVkr/eEzCQ3uW7vCD8jiaAjBP SOug==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=FTv5oHvR; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=A9o4qmGt; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=ENm4Hhcp; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 5614622812f47-40678dbd433si5638169b6e.282.2025.06.03.07.06.49 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 03 Jun 2025 07:06:49 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=FTv5oHvR; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=A9o4qmGt; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=ENm4Hhcp; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=SzOLVkqAQcBUxJ63y9woLCaffXH/eKYvq0AJugx2r24=; b=FTv5oHvR8CZ33jmi2otDlmc/I5 ZG15fASsFBdW4nVH/VFQ+SP9EnXlc6KAiiype0Q6fXAnZ1vCg54DEUrJCESCMzP9cyaB36eLa2iEw MjvD2Ns+tuNg30mEsdr7vs27mYw+wPbIP0NPUE5Bsm7lwfMd1tR0b3qlGfNaSR8H4AQM=; Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1uMSHt-0005yG-0p; Tue, 03 Jun 2025 14:06:45 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1uMSHs-0005yA-Ea for openvpn-devel@lists.sourceforge.net; Tue, 03 Jun 2025 14:06:44 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=AasmMdYrsdw344pqLPAWkFdgt3qnuIWh+Rn6qgkCD0I=; b=A9o4qmGtZTpp0qgMOc52+G+XGy OF586eyMye8RbdDE/MbADOx5Pb9YwiS+T6hZaVmYb0qDALjwKnkjcgaBCM1I4er3sWgZsILGmEt+O T8+WMjExCOAbUb4ojyuPmQxsdw8/M+OA0/1kmjdvqCl5VCnN1tajT7HfuRD+7YsXr9sQ=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=AasmMdYrsdw344pqLPAWkFdgt3qnuIWh+Rn6qgkCD0I=; b=ENm4Hhcp8Z4FkgqBVZY28oF8uD mzhPwfnP9z8Sj92Xu3yyM2KbJ0vfrVnnBdAx/OUNyhpzwOtGTGzQO9kfjBh75ahFAo06NeNbftZxv 9+0lVAjtvnkRXSKEYspaUSRHji8AGPMQzpGuTpMabZCEMSS4j7a4GKc5fISd4JcPjDPA=; Received: from [193.149.48.143] (helo=blue.greenie.muc.de) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1uMSHr-0004SX-DX for openvpn-devel@lists.sourceforge.net; Tue, 03 Jun 2025 14:06:44 +0000 Received: from blue.greenie.muc.de (localhost [127.0.0.1]) by blue.greenie.muc.de (8.17.1.9/8.17.1.9) with ESMTP id 553E6V5K011725 for ; Tue, 3 Jun 2025 16:06:31 +0200 Received: (from gert@localhost) by blue.greenie.muc.de (8.17.1.9/8.17.1.9/Submit) id 553E6Voj011724 for openvpn-devel@lists.sourceforge.net; Tue, 3 Jun 2025 16:06:31 +0200 From: Gert Doering To: openvpn-devel@lists.sourceforge.net Date: Tue, 3 Jun 2025 16:06:24 +0200 Message-ID: <20250603140631.11696-1-gert@greenie.muc.de> X-Mailer: git-send-email 2.49.0 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: 1.7 (+) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Max Fillinger We need mbedtls_ssl_export_keying_material() to support TLS 1.3. The workaround we use for TLS 1.2 does not work for TLS 1.3. Change-Id: If5e832866b312a2f8a1ce6b4e00d40e3dcf63681 Signed-off-by: Max Fillinger Acked-by: Gert Doering Acked-by: Frank Lichtenheld List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1833917071606315481?= X-GMAIL-MSGID: =?utf-8?q?1833917071606315481?= From: Max Fillinger We need mbedtls_ssl_export_keying_material() to support TLS 1.3. The workaround we use for TLS 1.2 does not work for TLS 1.3. Change-Id: If5e832866b312a2f8a1ce6b4e00d40e3dcf63681 Signed-off-by: Max Fillinger Acked-by: Gert Doering Acked-by: Frank Lichtenheld --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1042 This mail reflects revision 3 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering Frank Lichtenheld diff --git a/README.mbedtls b/README.mbedtls index c4f3924..a1012e9 100644 --- a/README.mbedtls +++ b/README.mbedtls @@ -26,5 +26,9 @@ ************************************************************************* -Mbed TLS 3 has implemented (parts of) the TLS 1.3 protocol, but we have disabled -support in OpenVPN because the TLS-Exporter function is not yet implemented. +Mbed TLS 3 has implemented TLS 1.3, but support in OpenVPN requires the +function mbedtls_ssl_export_keying_material() which is currently not in +any released version. It is available when building mbed TLS from source +(mbedtls-3.6 or development branch). + +Without this function, only TLS 1.2 is available. diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 0159166..b78439c 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -1048,11 +1048,14 @@ int tls_version_max(void) { -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + /* We need mbedtls_ssl_export_keying_material() to support TLS 1.3. */ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) + return TLS_VER_1_3; +#elif defined(MBEDTLS_SSL_PROTO_TLS1_2) return TLS_VER_1_2; -#else /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */ - #error "mbedtls is compiled without support for TLS 1.2." -#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */ +#else + #error mbedtls is compiled without support for TLS 1.2 or 1.3 +#endif } /**