From patchwork Wed Jun 19 15:06:54 2024
From: "MaxF (Code Review)"
X-Patchwork-Submitter: "plaisthos (Code Review)"
X-Patchwork-Id: 3740
Date: Wed, 19 Jun 2024 15:06:54 +0000
To: plaisthos, flichtenheld
Cc: openvpn-devel
Subject: [Openvpn-devel] [S] Change in openvpn[master]: Check that tls-version-min is supported on startup
X-Gerrit-PatchSet: 1
X-Gerrit-MessageType: newchange
X-Gerrit-Change-Id: Ifc589854816842e46969a76e2845084b3aaa962f
X-Gerrit-Change-Number: 683
X-Gerrit-Project: openvpn
X-Gerrit-Commit: 9bcbe7955ad3f6e0b5e738aac30d65e5431e3087
User-Agent: Gerrit/3.8.2

Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos, flichtenheld,

I'd like you to do a code review.
Please visit

    http://gerrit.openvpn.net/c/openvpn/+/683?usp=email

to review the following change.

Change subject: Check that tls-version-min is supported on startup
......................................................................
Check that tls-version-min is supported on startup After disabling TLS 1.0 and 1.1 in the mbedtls build, the client would error out during startup if tls-version-min was set to 1.0 or 1.1, but the server would start up and only error out when a client attempts to connect. This commit checks that tls-version-min is supported during startup so that both the client and server error out on startup. Change-Id: Ifc589854816842e46969a76e2845084b3aaa962f Signed-off-by: Max Fillinger --- M src/openvpn/options.c M src/openvpn/ssl.c M src/openvpn/ssl_backend.h M src/openvpn/ssl_mbedtls.c M src/openvpn/ssl_openssl.c 5 files changed, 31 insertions(+), 6 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/83/683/1 diff --git a/src/openvpn/options.c b/src/openvpn/options.c index f2c7536..f8287f2 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -8933,7 +8933,7 @@ ver = tls_version_parse(p[1], p[2]); if (ver == TLS_VER_BAD) { - msg(msglevel, "unknown tls-version-min parameter: %s", p[1]); + msg(msglevel, "unknown or unsupported tls-version-min parameter: %s", p[1]); goto err; } options->ssl_flags &= @@ -8947,7 +8947,7 @@ ver = tls_version_parse(p[1], NULL); if (ver == TLS_VER_BAD) { - msg(msglevel, "unknown tls-version-max parameter: %s", p[1]); + msg(msglevel, "unknown or unsupported tls-version-max parameter: %s", p[1]); goto err; } options->ssl_flags &= diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 2054eb4..1d3fdcd 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c 
@@ -405,20 +405,21 @@ int tls_version_parse(const char *vstr, const char *extra) { + const int min_version = tls_version_min(); const int max_version = tls_version_max(); - if (!strcmp(vstr, "1.0") && TLS_VER_1_0 <= max_version) + if (!strcmp(vstr, "1.0") && min_version <= TLS_VER_1_0 && TLS_VER_1_0 <= max_version) { return TLS_VER_1_0; } - else if (!strcmp(vstr, "1.1") && TLS_VER_1_1 <= max_version) + else if (!strcmp(vstr, "1.1") && min_version <= TLS_VER_1_1 && TLS_VER_1_1 <= max_version) { return TLS_VER_1_1; } - else if (!strcmp(vstr, "1.2") && TLS_VER_1_2 <= max_version) + else if (!strcmp(vstr, "1.2") && min_version <= TLS_VER_1_2 && TLS_VER_1_2 <= max_version) { return TLS_VER_1_2; } - else if (!strcmp(vstr, "1.3") && TLS_VER_1_3 <= max_version) + else if (!strcmp(vstr, "1.3") && min_version <= TLS_VER_1_3 && TLS_VER_1_3 <= max_version) { return TLS_VER_1_3; } diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h index 285705f..ef1347b 100644 --- a/src/openvpn/ssl_backend.h +++ b/src/openvpn/ssl_backend.h @@ -117,6 +117,14 @@ int tls_version_max(void); /** + * Return the minimum TLS version (as a TLS_VER_x constant) + * supported by current SSL implementation + * + * @return One of the TLS_VER_x constants (but not TLS_VER_BAD). + */ +int tls_version_min(void); + +/** * Initialise a library-specific TLS context for a server. * * @param ctx TLS context to initialise diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index bb88da9..de7efed 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -1049,6 +1049,16 @@ #endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */ } +int +tls_version_min(void) +{ +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + return TLS_VER_1_2; +#else + #error "mbedtls is compiled without support for TLS 1.2." +#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */ +} + /** * Convert an OpenVPN tls-version variable to mbed TLS format * 
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index e8a30a3..352f7fb 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -231,6 +231,12 @@ #endif } +int +tls_version_min(void) +{ + return TLS_VER_1_0; +} + /** Convert internal version number to openssl version number */ static int openssl_tls_version(int ver)
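Review bot: the reworded messages in the two options.c hunks ("unknown or unsupported tls-version-min parameter: %s" and the tls-version-max counterpart) no longer tell the operator which of the two cases applies, and after this change tls_version_parse() has both bounds at hand. Consider logging the backend's supported minimum and maximum next to the rejected value, so that an administrator who hits this on server startup can see at once that the build, not the option syntax, is the problem.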
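Review bot: the four new comparisons in the ssl.c hunk (`min_version <= TLS_VER_1_0 && TLS_VER_1_0 <= max_version` and the three like it) repeat the same bounds check with a different constant each time, which is easy to get subtly wrong on the next edit. A single range check after the string lookup would be shorter and would keep the policy in one place, e.g. `if (ver < min_version || ver > max_version) { return TLS_VER_BAD; }` once the string has been mapped to its TLS_VER_x constant. Note that the change also rejects a tls-version-max below the backend minimum, which is consistent with the new options.c wording but is worth a sentence in the commit message.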
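Review bot: the new doc comment in the ssl_backend.h hunk reads "supported by current SSL implementation"; make it "by the current SSL implementation" to match the neighbouring comments. It should also state the invariant the parser now depends on, namely that tls_version_min() <= tls_version_max() always holds: a backend returning the two in the wrong order would make every tls-version-min value fail both checks in tls_version_parse() and turn every configuration into a startup error.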
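Review bot: in the ssl_mbedtls.c hunk the `#error "mbedtls is compiled without support for TLS 1.2."` line inside the `#else` branch is indented with a leading space, unlike the `#if`/`#else`/`#endif` around it; put it in column 0 like the surrounding preprocessor lines. On substance, tls_version_min() returns TLS_VER_1_2 unconditionally rather than testing MBEDTLS_SSL_PROTO_TLS1 / MBEDTLS_SSL_PROTO_TLS1_1, which is correct only because the build disables TLS 1.0 and 1.1 as the commit message describes; a one-line comment saying so would stop a future reader from "fixing" it back to the older minimum.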
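Review bot: returning TLS_VER_1_0 unconditionally in the ssl_openssl.c hunk is not accurate for every OpenSSL build: a library configured with no-tls1 / no-tls1_1 defines OPENSSL_NO_TLS1 / OPENSSL_NO_TLS1_1 and will not negotiate those versions, yet this function would still report them as supported, so a server with tls-version-min 1.0 would start cleanly and fail only when a client connects, which is exactly the late failure the change sets out to remove. Consider guarding the return value on those macros the way the mbedtls variant guards on MBEDTLS_SSL_PROTO_TLS1_2, and add a doc comment matching the one introduced in ssl_backend.h.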