[Openvpn-devel,S] Change in openvpn[master]: Check that tls-version-min is supported on startup

Message ID cf94dffabc7185383871976251fb7021aadfa84d-HTML@gerrit.openvpn.net
State Changes Requested
Headers show
Series [Openvpn-devel,S] Change in openvpn[master]: Check that tls-version-min is supported on startup | expand

Commit Message

ordex (Code Review) June 19, 2024, 3:06 p.m. UTC
Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos, flichtenheld,

I'd like you to do a code review.
Please visit

    http://gerrit.openvpn.net/c/openvpn/+/683?usp=email

to review the following change.


Change subject: Check that tls-version-min is supported on startup
......................................................................

Check that tls-version-min is supported on startup

After disabling TLS 1.0 and 1.1 in the mbedtls build, the client would
error out during startup if tls-version-min was set to 1.0 or 1.1, but
the server would start up and only error out when a client attempts to
connect.

This commit checks that tls-version-min is supported during startup so
that both the client and server error out on startup.

Change-Id: Ifc589854816842e46969a76e2845084b3aaa962f
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
---
M src/openvpn/options.c
M src/openvpn/ssl.c
M src/openvpn/ssl_backend.h
M src/openvpn/ssl_mbedtls.c
M src/openvpn/ssl_openssl.c
5 files changed, 31 insertions(+), 6 deletions(-)



  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/83/683/1

Patch

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index f2c7536..f8287f2 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -8933,7 +8933,7 @@ 
         ver = tls_version_parse(p[1], p[2]);
         if (ver == TLS_VER_BAD)
         {
-            msg(msglevel, "unknown tls-version-min parameter: %s", p[1]);
+            msg(msglevel, "unknown or unsupported tls-version-min parameter: %s", p[1]);
             goto err;
         }
         options->ssl_flags &=
@@ -8947,7 +8947,7 @@ 
         ver = tls_version_parse(p[1], NULL);
         if (ver == TLS_VER_BAD)
         {
-            msg(msglevel, "unknown tls-version-max parameter: %s", p[1]);
+            msg(msglevel, "unknown or unsupported tls-version-max parameter: %s", p[1]);
             goto err;
         }
         options->ssl_flags &=
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 2054eb4..1d3fdcd 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -405,20 +405,21 @@ 
 int
 tls_version_parse(const char *vstr, const char *extra)
 {
+    const int min_version = tls_version_min();
     const int max_version = tls_version_max();
-    if (!strcmp(vstr, "1.0") && TLS_VER_1_0 <= max_version)
+    if (!strcmp(vstr, "1.0") && min_version <= TLS_VER_1_0 && TLS_VER_1_0 <= max_version)
     {
         return TLS_VER_1_0;
     }
-    else if (!strcmp(vstr, "1.1") && TLS_VER_1_1 <= max_version)
+    else if (!strcmp(vstr, "1.1") && min_version <= TLS_VER_1_1 && TLS_VER_1_1 <= max_version)
     {
         return TLS_VER_1_1;
     }
-    else if (!strcmp(vstr, "1.2") && TLS_VER_1_2 <= max_version)
+    else if (!strcmp(vstr, "1.2") && min_version <= TLS_VER_1_2 && TLS_VER_1_2 <= max_version)
     {
         return TLS_VER_1_2;
     }
-    else if (!strcmp(vstr, "1.3") && TLS_VER_1_3 <= max_version)
+    else if (!strcmp(vstr, "1.3") && min_version <= TLS_VER_1_3 && TLS_VER_1_3 <= max_version)
     {
         return TLS_VER_1_3;
     }
diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h
index 285705f..ef1347b 100644
--- a/src/openvpn/ssl_backend.h
+++ b/src/openvpn/ssl_backend.h
@@ -117,6 +117,14 @@ 
 int tls_version_max(void);
 
 /**
+ * Return the minimum TLS version (as a TLS_VER_x constant)
+ * supported by current SSL implementation
+ *
+ * @return              One of the TLS_VER_x constants (but not TLS_VER_BAD).
+ */
+int tls_version_min(void);
+
+/**
  * Initialise a library-specific TLS context for a server.
  *
  * @param ctx           TLS context to initialise
diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
index bb88da9..de7efed 100644
--- a/src/openvpn/ssl_mbedtls.c
+++ b/src/openvpn/ssl_mbedtls.c
@@ -1049,6 +1049,16 @@ 
 #endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */
 }
 
+int
+tls_version_min(void)
+{
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+    return TLS_VER_1_2;
+#else
+    #error "mbedtls is compiled without support for TLS 1.2."
+#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */
+}
+
 /**
  * Convert an OpenVPN tls-version variable to mbed TLS format
  *
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index e8a30a3..352f7fb 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -231,6 +231,12 @@ 
 #endif
 }
 
+int
+tls_version_min(void)
+{
+    return TLS_VER_1_0;
+}
+
 /** Convert internal version number to openssl version number */
 static int
 openssl_tls_version(int ver)