From patchwork Thu Oct 14 17:32:27 2021
X-Patchwork-Submitter: Selva Nair
X-Patchwork-Id: 1984
From: selva.nair@gmail.com
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 15 Oct 2021 00:32:27 -0400
Message-Id: <20211015043227.10679-1-selva.nair@gmail.com>
X-Mailer: git-send-email 2.20.1
Subject: [Openvpn-devel] [PATCH] Fix the "default" tls-version-min setting
From: Selva Nair

commit 968569f83b1561ea4dff5b8b1f0d7768e2a18e69 defined TLS 1.2 as the minimum version if not set by user. But the patch introduced two errors:

(i) ssl_flags is overwritten without regard to other options set in the flags
(ii) Any tls-version-max set by the user is not taken into account.

Makes it impossible to set tls-version-max without also setting tls-version-min along with loss of other bits set in ssl_flags.

Fix it. The fix retains the original intent when possible, and tries to use the maximum possible value when it cannot be set to TLS 1.2 without conflicting with user-specified tls-version-max, if any.

Signed-off-by: Selva Nair
Acked-By: Arne Schwabe
---
 src/openvpn/options.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 763dd330..7f14c1f3 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -3168,15 +3168,22 @@ options_set_backwards_compatible_options(struct options *o) /* TLS min version is not set */ if ((o->ssl_flags & SSLF_TLS_VERSION_MIN_MASK) == 0) { + int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) + & SSLF_TLS_VERSION_MAX_MASK; if (need_compatibility_before(o, 20307)) { /* 2.3.6 and earlier have TLS 1.0 only, set minimum to TLS 1.0 */ - o->ssl_flags = (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT); + o->ssl_flags |= (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT); } - else + else if (tls_ver_max == 0 || tls_ver_max >= TLS_VER_1_2) { /* Use TLS 1.2 as proper default */ - o->ssl_flags = (TLS_VER_1_2 << SSLF_TLS_VERSION_MIN_SHIFT); + o->ssl_flags |= (TLS_VER_1_2 << SSLF_TLS_VERSION_MIN_SHIFT); + } + else + { + /* Maximize the minimum version */ + o->ssl_flags |= (tls_ver_max << SSLF_TLS_VERSION_MIN_SHIFT); } }
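Review bot: the guard on the hunk's first context line, `if ((o->ssl_flags & SSLF_TLS_VERSION_MIN_MASK) == 0)`, masks ssl_flags without shifting by SSLF_TLS_VERSION_MIN_SHIFT, while the new `int tls_ver_max = (o->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;` shifts before masking. If SSLF_TLS_VERSION_MIN_MASK is an un-shifted field mask like the MAX one, the guard tests the low bits of ssl_flags rather than the tls-version-min field, so a user-set tls-version-min can be treated as unset and, now that the assignments are `|=`, the default is ORed into an already populated field instead of replacing it. Suggest extracting the minimum the same way the maximum is extracted (`int tls_ver_min = (o->ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK;`) and testing `tls_ver_min == 0`. Smaller point: each of the three branches repeats the shift-and-OR; assigning tls_ver_min in the branches and doing one `o->ssl_flags |= (tls_ver_min << SSLF_TLS_VERSION_MIN_SHIFT);` after them would keep the field write in a single place.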
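The two errors the message describes, the overwritten flag word and the ignored tls-version-max, are easier to see with the bit packing made explicit. The following C program is an added example, not OpenVPN's code: it models ssl_flags as a plain unsigned with assumed field positions (the SSLF_* shift and mask values, the SSLF_CLIENT_CERT_NOT_REQUIRED bit and the TLS_VER_* numbering are assumptions for illustration, not OpenVPN's definitions) and runs the pre-patch assignment logic beside the post-patch OR logic on a constructed configuration that sets tls-version-max 1.1 plus one unrelated flag and no tls-version-min.

```c
/*
 * Added example, not OpenVPN code.  Models the tls-version-min default
 * logic from the patch with ssl_flags as a plain unsigned.  Field
 * positions, flag bits and TLS_VER_* values are ASSUMED for illustration;
 * OpenVPN's real definitions live in its own headers.
 */
#include <stdbool.h>
#include <stdio.h>

#define TLS_VER_1_0 1u
#define TLS_VER_1_1 2u
#define TLS_VER_1_2 3u
#define TLS_VER_1_3 4u

#define SSLF_CLIENT_CERT_NOT_REQUIRED (1u << 0) /* assumed unrelated flag */
#define SSLF_TLS_VERSION_MIN_SHIFT 6
#define SSLF_TLS_VERSION_MIN_MASK  0xFu /* un-shifted 4-bit field mask */
#define SSLF_TLS_VERSION_MAX_SHIFT 10
#define SSLF_TLS_VERSION_MAX_MASK  0xFu

static unsigned get_min(unsigned flags)
{
    return (flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK;
}

static unsigned get_max(unsigned flags)
{
    return (flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK;
}

/* Pre-patch behaviour: plain assignment replaces the whole flag word. */
unsigned default_min_buggy(unsigned flags, bool compat_before_2307)
{
    if (get_min(flags) == 0)
    {
        if (compat_before_2307)
        {
            flags = (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT);
        }
        else
        {
            flags = (TLS_VER_1_2 << SSLF_TLS_VERSION_MIN_SHIFT);
        }
    }
    return flags;
}

/* Post-patch behaviour: OR into the min field, never above a user max. */
unsigned default_min_fixed(unsigned flags, bool compat_before_2307)
{
    if (get_min(flags) == 0)
    {
        unsigned tls_ver_max = get_max(flags);
        unsigned tls_ver_min;
        if (compat_before_2307)
        {
            tls_ver_min = TLS_VER_1_0; /* 2.3.6 and earlier speak TLS 1.0 only */
        }
        else if (tls_ver_max == 0 || tls_ver_max >= TLS_VER_1_2)
        {
            tls_ver_min = TLS_VER_1_2; /* proper default */
        }
        else
        {
            tls_ver_min = tls_ver_max; /* maximize the minimum version */
        }
        flags |= (tls_ver_min << SSLF_TLS_VERSION_MIN_SHIFT);
    }
    return flags;
}

/* Invariant worth asserting: a default must never put min above a set max. */
bool range_consistent(unsigned flags)
{
    unsigned mn = get_min(flags), mx = get_max(flags);
    return mx == 0 || mn <= mx;
}

/* Constructed input: tls-version-max 1.1 plus one unrelated flag, no min. */
unsigned sample_user_flags(void)
{
    return SSLF_CLIENT_CERT_NOT_REQUIRED
           | (TLS_VER_1_1 << SSLF_TLS_VERSION_MAX_SHIFT);
}

static void show(const char *label, unsigned flags)
{
    printf("%s: min=%u max=%u other_flag=%u consistent=%d\n", label,
           get_min(flags), get_max(flags),
           flags & SSLF_CLIENT_CERT_NOT_REQUIRED, range_consistent(flags));
}

int main(void)
{
    show("pre-patch ", default_min_buggy(sample_user_flags(), false));
    show("post-patch", default_min_fixed(sample_user_flags(), false));
    show("compat    ", default_min_fixed(sample_user_flags(), true));
    return 0;
}
```

Build with `cc example.c && ./a.out`. The pre-patch path ends with min 1.2 and both the max field and the unrelated flag zeroed, which is the "loss of other bits" and the ignored tls-version-max from the message; the post-patch path keeps both and clamps the default minimum down to 1.1. The range_consistent check is the invariant a regression test for this code path should assert.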