From patchwork Tue Nov 21 19:36:00 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "its_Giaan (Code Review)" X-Patchwork-Id: 3474 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7300:53c1:b0:f2:62eb:61c1 with SMTP id u1csp621085dye; Tue, 21 Nov 2023 11:36:38 -0800 (PST) X-Google-Smtp-Source: AGHT+IEXyPFJX/WkURqCeXl1/72yWAcj6Z6zw/p8vD9oe3/kMpc6ftHr92skHiUDr1KrqR9Sv1gy X-Received: by 2002:a05:6a00:1c9b:b0:68a:6cbe:35a7 with SMTP id y27-20020a056a001c9b00b0068a6cbe35a7mr123901pfw.2.1700595397743; Tue, 21 Nov 2023 11:36:37 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1700595397; cv=none; d=google.com; s=arc-20160816; b=yAII6QNa79jRdKcMdpCimjsLvtNQI6CKg8lW/ccF2fSOX/Qx8aGpT3Ap3YQQpAb/ub HBT/2eWI1a0QSDFSAH85+sZlmKl+S7xUa9pR0dW3vksu1vD4GyOXwEqWnvh1LSsEojev tB8TIlrssbnt5u+G6DhSJL0PfGH1G4OTpxJ9SarBAICgDYqMy5h1x7eT9CYlSOYHKaFu k/pcwO9X7Iqrs3WoZ3ehv6V0XuDIb9eDlMcLy8vLxZQtv8/m0XPXhAupE2/ZbsBbkcEF iQmx0qRcATsCewKSAil2mXgLtEdN/ujtx1CITGafN9JphH34p+1CO/FExIDgNwVzKdaV lxxg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:cc:reply-to:list-subscribe:list-help:list-post :list-archive:list-unsubscribe:list-id:precedence:subject:user-agent :mime-version:message-id:references:auto-submitted:to:date:from :dkim-signature:dkim-signature:dkim-signature; bh=74utTY2RQQafR3t0Cv9l3PdtgIZOaPGnR4qGOYX3nQI=; fh=lm0MLPW7DntlrDqRECIiC9JlE1uPxhepE0URYHIf+eE=; b=yn3aa/OkzqZU4X3c5F1/lqdD2fM2bp4LKPetZ8ctztjkKdxeYXIBt/qg6cq2/o4Zx5 qfINKRtIWqzesAQLU7iVtfDzxixwnlc0vAi/zldZWumukdCt20VJFDVK2eHXkgOYrEj7 4aAjBsAxRqgJDmRUvs3h1Eya6SC/BQrqsI2CFaFmqOpBMPsPyXanL2FxFczPoB27D+tE AO0GxcEqZcIGxyO53+Esf6wrl151hC5VyPVRfciinAPgwe+w5drS8FR4ucnt2gEbnnC1 T1z+MqFOHeu2RCrkinJsPqGU8x2pldI6nwJTRNdH33vv6eW4n+mg5PQfCPLlzc+pt3Kz qA6g== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=TvwRh7zL; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=GjQ8EhZG; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=gxlY1TyM; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id b1-20020a6567c1000000b005bd42f6085fsi10973505pgs.344.2023.11.21.11.36.37 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 21 Nov 2023 11:36:37 -0800 (PST) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=TvwRh7zL; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=GjQ8EhZG; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=gxlY1TyM; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1r5WXi-0001c1-MP; Tue, 21 Nov 2023 19:36:18 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1r5WXh-0001bv-Ml for openvpn-devel@lists.sourceforge.net; Tue, 21 Nov 2023 19:36:17 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Type:Content-Transfer-Encoding:MIME-Version :Message-ID:Reply-To:References:Subject:List-Unsubscribe:List-Id:Cc:To:Date: From:Sender:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help: List-Subscribe:List-Post:List-Owner:List-Archive; bh=e+RQb2YIwk1tvxhHIKgYBOGB6khokJqhX8RlDOY2Az8=; b=TvwRh7zL17QQftUw6bBMl4xwJ8 ZZoUNInNqiv1cpneAyRhWxDyKzAhsoqvVjJUu9FIDbly8KC7Nwc8lkpu60lQgeYj6RRrOqgHqdAVi kCBoYMAbmAkcg7AbvNN4iKOVoQo37hXDaypHFgF5cCI04e1gOFmd6wtluJK3mEdl6R2o=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:Reply-To: References:Subject:List-Unsubscribe:List-Id:Cc:To:Date:From:Sender:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help:List-Subscribe:List-Post: List-Owner:List-Archive; bh=e+RQb2YIwk1tvxhHIKgYBOGB6khokJqhX8RlDOY2Az8=; b=G jQ8EhZGSlU0GI6JhapyXPwaFaGyvINs2G1TsthAquMnBjKemkm9RGsJHfOC5hq3a/RK4M0ucTlypb UQGE53IiONUvk3W4IfrL7F3GplkXJFJHI8soQQza/OYSnY2ipO1RBKKzLM2jpSNoqGxH2OOxN7/L/ oklAc26hPmTR63kg=; Received: from mail-lj1-f181.google.com ([209.85.208.181]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.95) id 1r5WXY-0001d5-Tn for openvpn-devel@lists.sourceforge.net; Tue, 21 Nov 2023 19:36:17 +0000 Received: by mail-lj1-f181.google.com with SMTP id 38308e7fff4ca-2c6b30acacdso75098561fa.2 for ; Tue, 21 Nov 2023 11:36:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openvpn.net; s=google; t=1700595362; x=1701200162; darn=lists.sourceforge.net; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from:from:to:cc :subject:date:message-id:reply-to; bh=e+RQb2YIwk1tvxhHIKgYBOGB6khokJqhX8RlDOY2Az8=; b=gxlY1TyMY3PwF+KBmSgQcBN1k9Oh3rAJHa9MxZ/ha71Nlvx3OeE8rkpRPbcJ+b2/r+ +Iv32Jt4XML5yyZFvM5ebUwSXjrn+FG6XkkBaAIMZvmiOJfJkQw2IpjOnYb2ib2IoVTu 080huis2hE0NA0+tk8Xq2v1ca9zyks2YPMw3OmyWEL0aBVaNBlv6pNsnQqyO5M2Iaao1 xwzj234OUo44UJPXkWQ6/4/Fr9CXI99hK1N6rmtjgrvqLiXYW3pfxOzbT2j/T2PkHQSs vSTGWW0R11rawESt6J92hI03kEkLLWbrRD1AuXI9XWUD4p37KZPiBmrxvtoqjcUfADuN 9hLQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700595362; x=1701200162; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=e+RQb2YIwk1tvxhHIKgYBOGB6khokJqhX8RlDOY2Az8=; b=vkebZrKNwqqtwVorx85C/TPXYJhxQiKylSGtz+BuysVV1+3yk0MV2btyujVKm+KyBp MGN4GOji111ZYOusMNleTIzixQZdYm+mvplrLSP3L1DRQkl43AZDaw6YQUoZYVoga3wW qiiFzy3eAXyKKzHbHyHrN1cT8bONKawbGsMLRzoxghqzZuxY5noFDN/pW84E2N5v9JPg tlb1i1pveaEbAbqATk8QDjWRJ6QISEo+lCg8Xh03rmgh8zeq8a6Ci7vG0c+L0F1Furfv BxX7tOvjLrtijIwM0pxFfi4c4qLiIMWwlcEZjb/sfhjmYVokBgyW7pC6Lr377O5ZQnas jYEg== X-Gm-Message-State: AOJu0Yz9KDzyliJ3mo8oCGVkLfKCDw4BIgb0kNvjEPoK3yGno6+qSRzB 6Iy5Vyx89+yTZUtJvXfYQ4I77D1HojDnpbKHG9Y= X-Received: by 2002:a2e:9d88:0:b0:2c4:ff4c:64b0 with SMTP id c8-20020a2e9d88000000b002c4ff4c64b0mr64072ljj.50.1700595361762; Tue, 21 Nov 2023 11:36:01 -0800 (PST) Received: from gerrit.openvpn.in (ec2-18-159-0-78.eu-central-1.compute.amazonaws.com. [18.159.0.78]) by smtp.gmail.com with ESMTPSA id p4-20020a05600c468400b00405959bbf4fsm18234423wmo.19.2023.11.21.11.36.01 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 21 Nov 2023 11:36:01 -0800 (PST) From: "plaisthos (Code Review)" X-Google-Original-From: "plaisthos (Code Review)" X-Gerrit-PatchSet: 1 Date: Tue, 21 Nov 2023 19:36:00 +0000 To: flichtenheld Auto-Submitted: auto-generated X-Gerrit-MessageType: newchange X-Gerrit-Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 X-Gerrit-Change-Number: 457 X-Gerrit-Project: openvpn X-Gerrit-ChangeURL: X-Gerrit-Commit: b2a4216f206dd97e87fbb72e57e9ca49b7100cf5 References: Message-ID: <61eeb6676f4c720e1ae1b76b62e2089ce9d691c6-HTML@gerrit.openvpn.net> MIME-Version: 1.0 User-Agent: Gerrit/3.8.2 X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit Content analysis details: (-0.2 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.208.181 listed in wl.mailspike.net] -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.208.181 listed in list.dnswl.org] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 WEIRD_PORT URI: Uses non-standard port number for HTTP 0.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Headers-End: 1r5WXY-0001d5-Tn Subject: [Openvpn-devel] [M] Change in openvpn[master]: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com Cc: openvpn-devel Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1783203520059169594?= X-GMAIL-MSGID: =?utf-8?q?1783203520059169594?= X-getmail-filter-classifier: gerrit message type newchange Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email to review the following change. Change subject: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs ...................................................................... Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs OpenSSL 3.0 introduced a new API for doing key derivation. So this leaves use now with three different implementation for 1.0.2, 1.1.x and 3.x. This was initially done to maybe still have a working TLS 1.0 PRF when using OpenSSL 3.0, it gives the same error as with the older API but since moving to a new API is always good, we use the new API when using OpenSSL 3.0. We also print the internal OpenSSL error message when the KDF fails. Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Signed-off-by: Arne Schwabe --- M src/openvpn/crypto_openssl.c 1 file changed, 50 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/57/457/1 diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index fe1254f..7351a5f 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -54,6 +54,7 @@ #endif #if OPENSSL_VERSION_NUMBER >= 0x30000000L #include +#include #endif #if defined(_WIN32) && defined(OPENSSL_NO_EC) @@ -1373,8 +1374,56 @@ { return CRYPTO_memcmp(a, b, size); } +#if (OPENSSL_VERSION_NUMBER >= 0x3000000L) && !defined(LIBRESSL_VERSION_NUMBER) +bool +ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, + int secret_len, uint8_t *output, int output_len) +{ + bool ret = true; + EVP_KDF_CTX *kctx = NULL; -#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) + + EVP_KDF *kdf = EVP_KDF_fetch(NULL, "TLS1-PRF", NULL); + if (!kdf) + { + goto err; + } + + kctx = EVP_KDF_CTX_new(kdf); + + if (!kctx) + { + goto err; + } + + OSSL_PARAM params[4]; + + params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, + SN_md5_sha1, strlen(SN_md5_sha1)); + params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, + secret, (size_t) secret_len); + params[2] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, + seed, (size_t) seed_len); + params[3] = OSSL_PARAM_construct_end(); + + if (EVP_KDF_derive(kctx, output, output_len, params) <= 0) + { + crypto_msg(D_TLS_DEBUG_LOW, "Generating TLS 1.0 PRF using " + "EVP_KDF_derive failed"); + goto err; + } + + goto out; + +err: + ret = false; +out: + EVP_KDF_free(kdf); + EVP_KDF_free(kdf); + + return ret; +} +#elif (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len)