From patchwork Tue Oct 19 07:31:07 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2039
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:07 +0200
Message-Id: <20211019183127.614175-2-arne@rfc2549.org>
In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org>
References: <20211019183127.614175-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 01/21] [OSSL 3.0] Use new EVP_MAC API for HMAC implementation

The old API is deprecated in OpenSSL 3.0 and the new API does not yet exist in OpenSSL 1.1. Emulating the new API would be more complex than just having two implementations. So this switches to a new hmac implementation for OpenSSL 3.0. Unfortunately the new API does not have an easy way to reset an HMAC, so we need to keep the key around to emulate a reset functionality.
Signed-off-by: Arne Schwabe Acked-by: Max Fillinger --- src/openvpn/crypto_backend.h | 2 +- src/openvpn/crypto_mbedtls.c | 2 +- src/openvpn/crypto_openssl.c | 96 +++++++++++++++++++++++++++++++++++- src/openvpn/crypto_openssl.h | 8 +++ 4 files changed, 104 insertions(+), 4 deletions(-) diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index e9447f82f..e0bfdf585 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -643,7 +643,7 @@ void hmac_ctx_cleanup(hmac_ctx_t *ctx); * * @return Size of the HMAC, or \0 if ctx is NULL. */ -int hmac_ctx_size(const hmac_ctx_t *ctx); +int hmac_ctx_size(hmac_ctx_t *ctx); /* * Resets the given HMAC context, preserving the associated key information diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index c632849db..e2f5f4012 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -939,7 +939,7 @@ hmac_ctx_cleanup(mbedtls_md_context_t *ctx) } int -hmac_ctx_size(const mbedtls_md_context_t *ctx) +hmac_ctx_size(mbedtls_md_context_t *ctx) { if (NULL == ctx) { diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 419265a51..1c800df7f 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -1001,7 +1001,7 @@ md_ctx_final(EVP_MD_CTX *ctx, uint8_t *dst) * Generic HMAC functions * */ - +#if OPENSSL_VERSION_NUMBER < 0x30000000L HMAC_CTX * hmac_ctx_new(void) { @@ -1039,7 +1039,7 @@ hmac_ctx_cleanup(HMAC_CTX *ctx) } int -hmac_ctx_size(const HMAC_CTX *ctx) +hmac_ctx_size(HMAC_CTX *ctx) { return HMAC_size(ctx); } 
@@ -1066,6 +1066,98 @@ hmac_ctx_final(HMAC_CTX *ctx, uint8_t *dst) HMAC_Final(ctx, dst, &in_hmac_len); } +#else +hmac_ctx_t * +hmac_ctx_new(void) +{ + hmac_ctx_t *ctx; + ALLOC_OBJ_CLEAR(ctx, hmac_ctx_t); + EVP_MAC *hmac = EVP_MAC_fetch(NULL, "HMAC", NULL); + ctx->ctx = EVP_MAC_CTX_new(hmac); + check_malloc_return(ctx->ctx); + return ctx; +} + +void +hmac_ctx_free(hmac_ctx_t *ctx) +{ + EVP_MAC_CTX_free(ctx->ctx); + secure_memzero(ctx, sizeof(hmac_ctx_t)); + free(ctx); +} + +void +hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_len, + const EVP_MD *kt) +{ + ASSERT(NULL != kt && NULL != ctx && ctx->ctx != NULL); + ASSERT(key_len <= EVP_MAX_KEY_LENGTH); + + /* We need to make a copy of the key since the OSSL parameters + * only reference it */ + memcpy(ctx->key, key, key_len); + + /* Lookup/setting of parameters in OpenSSL 3.0 are string based + * + * The OSSL_PARAM_construct_utf8_string needs a non const str but this + * only used for lookup so we cast (as OpenSSL also does internally) + * the constness away here. 
+ */ + ctx->params[0] = OSSL_PARAM_construct_utf8_string("digest", + (char *) EVP_MD_get0_name(kt), 0); + ctx->params[1] = OSSL_PARAM_construct_octet_string("key", + ctx->key, key_len); + ctx->params[2] = OSSL_PARAM_construct_end(); + + if (!EVP_MAC_init(ctx->ctx, NULL, 0, ctx->params)) + { + crypto_msg(M_FATAL, "EVP_MAC_init failed"); + } + + /* make sure we used a big enough key */ + ASSERT(EVP_MAC_CTX_get_mac_size(ctx->ctx) <= key_len); +} + +void +hmac_ctx_cleanup(hmac_ctx_t *ctx) +{ + EVP_MAC_init(ctx->ctx, NULL, 0, NULL); +} + +int +hmac_ctx_size(hmac_ctx_t *ctx) +{ + return (int)EVP_MAC_CTX_get_mac_size(ctx->ctx); +} + +void +hmac_ctx_reset(hmac_ctx_t *ctx) +{ + /* The OpenSSL MAC API lacks a reset method and passing NULL as params + * does not reset it either, so use the params array to reinitialise it the + * same way as before */ + if (!EVP_MAC_init(ctx->ctx, NULL, 0, ctx->params)) + { + crypto_msg(M_FATAL, "EVP_MAC_init failed"); + } +} + +void +hmac_ctx_update(hmac_ctx_t *ctx, const uint8_t *src, int src_len) +{ + EVP_MAC_update(ctx->ctx, src, src_len); +} + +void +hmac_ctx_final(hmac_ctx_t *ctx, uint8_t *dst) +{ + /* The calling code always gives us a buffer that has the size of our + * algorithm */ + size_t in_hmac_len = EVP_MAC_CTX_get_mac_size(ctx->ctx); + + EVP_MAC_final(ctx->ctx, dst, &in_hmac_len, in_hmac_len); +} +#endif int memcmp_constant_time(const void *a, const void *b, size_t size) diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h index 59a31aacf..e540a76b9 100644 --- a/src/openvpn/crypto_openssl.h +++ b/src/openvpn/crypto_openssl.h 
@@ -47,7 +47,15 @@ typedef EVP_CIPHER_CTX cipher_ctx_t; typedef EVP_MD_CTX md_ctx_t; /** Generic HMAC %context. */ +#if OPENSSL_VERSION_NUMBER < 0x30000000L typedef HMAC_CTX hmac_ctx_t; +#else +typedef struct { + OSSL_PARAM params[3]; + uint8_t key[EVP_MAX_KEY_LENGTH]; + EVP_MAC_CTX *ctx; +} hmac_ctx_t; +#endif /** Maximum length of an IV */ #define OPENVPN_MAX_IV_LENGTH EVP_MAX_IV_LENGTH

From patchwork Tue Oct 19 07:31:08 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2027
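Review bot: in the crypto_openssl.c hunk at @@ -1066, hmac_ctx_new() leaks the EVP_MAC returned by EVP_MAC_fetch(): EVP_MAC_CTX_new() takes its own reference to the fetched MAC, so add EVP_MAC_free(hmac) after the check_malloc_return(ctx->ctx) line, and check hmac for NULL first so a failed fetch is not reported as an allocation failure. Two smaller points in the same hunk: hmac_ctx_cleanup() only re-runs EVP_MAC_init() and leaves the key copy in ctx->key and the pointer to it in ctx->params, so key material outlives the cleanup until hmac_ctx_free() zeroes the struct; a secure_memzero(ctx->key, sizeof(ctx->key)) there would close that window. And because params[1] is built with OSSL_PARAM_construct_octet_string("key", ctx->key, key_len) it points into the struct itself, so an hmac_ctx_t must never be copied by value; that deserves a comment on the struct in crypto_openssl.h.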
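The reset behaviour this commit message describes, as an added example that is not OpenVPN or OpenSSL code: a hand-written RFC 2104 HMAC whose reset() restarts from the stored keyed hash states (what HMAC_Init_ex() with a NULL key does in OpenSSL 1.1), while init() re-derives everything from the key (what EVP_MAC_init() with the key parameter does, which is why hmac_ctx_t keeps a key copy). The class and function names (HmacCtx, init, reset, mac_many) and the RFC 4231 test inputs are this example's own choices.

```python
import hashlib
import hmac

# Constructed inputs: RFC 4231 test case 1 (HMAC-SHA-256), used for a self-check.
RFC4231_KEY = b"\x0b" * 20
RFC4231_MSG = b"Hi There"


class HmacCtx:
    """HMAC as defined in RFC 2104, with both ways of starting a new message
    that the patch description contrasts."""

    def __init__(self, digest: str = "sha256") -> None:
        self._digest = digest
        self._i_ctx = None   # keyed inner state: H(K ^ ipad)
        self._o_ctx = None   # keyed outer state: H(K ^ opad)
        self._md = None      # running inner hash of the current message

    def init(self, key: bytes) -> None:
        """The EVP_MAC_init(ctx, NULL, 0, params) path: (re)key from scratch.
        This is all hmac_ctx_reset() in the patch can call, so the raw key
        has to be retained by the caller."""
        bs = hashlib.new(self._digest).block_size
        if len(key) > bs:                      # long keys are hashed first
            key = hashlib.new(self._digest, key).digest()
        key = key.ljust(bs, b"\x00")           # short keys are zero-padded
        self._i_ctx = hashlib.new(self._digest, bytes(b ^ 0x36 for b in key))
        self._o_ctx = hashlib.new(self._digest, bytes(b ^ 0x5C for b in key))
        self.reset()

    def reset(self) -> None:
        """The HMAC_Init_ex(ctx, NULL, 0, NULL, NULL) path of OpenSSL 1.1:
        restart from the stored keyed states; the key itself is not needed."""
        if self._i_ctx is None:
            raise ValueError("context has not been keyed")
        self._md = self._i_ctx.copy()

    def update(self, data: bytes) -> None:
        self._md.update(data)

    def final(self) -> bytes:
        # HMAC = H((K ^ opad) || H((K ^ ipad) || message))
        outer = self._o_ctx.copy()
        outer.update(self._md.digest())
        return outer.digest()

    def size(self) -> int:
        return hashlib.new(self._digest).digest_size


def mac_many(key: bytes, msgs: list, digest: str = "sha256") -> list:
    """MAC several messages on one context, resetting between them (the
    pattern OpenVPN's hmac_ctx_reset() serves), and return the tags.
    Every tag is cross-checked against the standard library's hmac."""
    ctx = HmacCtx(digest)
    ctx.init(key)                              # keyed once, reset per message
    tags = []
    for m in msgs:
        ctx.reset()
        ctx.update(m)
        tag = ctx.final()
        if tag != hmac.new(key, m, digest).digest():
            raise AssertionError("hand-written HMAC disagrees with hmac module")
        tags.append(tag)
    return tags
```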
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:08 +0200
Message-Id: <20211019183127.614175-3-arne@rfc2549.org>
In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org>
References: <20211019183127.614175-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 02/21] [OSSL 3.0] Add --with-openssl-engine autoconf option (auto|yes|no)

This allows selecting engine support at configure time. For OpenSSL 1.1 the default is not changed and we detect if engine support is available.
Engine support is deprecated in OpenSSL 3.0 and for OpenSSL 3.0 the default is to disable engine support as engine support is deprecated and generates compiler warnings which in turn also break -Werror. By using --with-openssl-engine=no or --with-openssl-engine=yes engine support can be forced on or off. If it is enabled but not detected an error will be thrown. This commit cleans up the configure logic a bit and removes the ENGINE_cleanup checks as we can just assume that it will also be available as macro or function if the other engine functions are available. Before the cleanup we would only check for the existence of engine.h if ENGINE_cleanup was not found.

Signed-off-by: Arne Schwabe --- configure.ac | 68 +++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 51 insertions(+), 17 deletions(-) diff --git a/configure.ac b/configure.ac index a37dc762f..31adb875b 100644 --- a/configure.ac +++ b/configure.ac @@ -267,6 +267,18 @@ AC_ARG_ENABLE( [enable_wolfssl_options_h="yes"] ) +AC_ARG_WITH( + [openssl-engine], + [AS_HELP_STRING([--with-openssl-engine], [enable engine support with OpenSSL. Default enabled for OpenSSL < 3.0, auto,yes,no @<:@default=auto@:>@])], + [ + case "${withval}" in + auto|yes|no) ;; + *) AC_MSG_ERROR([bad value ${withval} for --with-engine]) ;; + esac + ], + [with_openssl_engine="auto"] +) + AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@]) if test -n "${PLUGINDIR}"; then plugindir="${PLUGINDIR}"
@@ -800,23 +812,45 @@ if test "${with_crypto_library}" = "openssl"; then [AC_MSG_ERROR([openssl check failed])] ) - have_openssl_engine="yes" - AC_CHECK_FUNCS( - [ \ - ENGINE_load_builtin_engines \ - ENGINE_register_all_complete \ - ENGINE_cleanup \ - ], - , - [have_openssl_engine="no"; break] - ) - if test "${have_openssl_engine}" = "no"; then - AC_CHECK_DECL( [ENGINE_cleanup], [have_openssl_engine="yes"],, - [[ - #include - ]] - ) - fi + if test "${with_openssl_engine}" = "auto"; then + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[ + #include + ]], + [[ + /* Version encoding: MNNFFPPS - see opensslv.h for details */ + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + #error Engine supported disabled by default in OpenSSL 3.0+ + #endif + ]] + )], + [have_openssl_engine="yes"], + [have_openssl_engine="no"] + ) + if test "${have_openssl_engine}" = "yes"; then + AC_CHECK_FUNCS( + [ \ + ENGINE_load_builtin_engines \ + ENGINE_register_all_complete \ + ], + , + [have_openssl_engine="no"; break] + ) + fi + else + have_openssl_engine="${with_openssl_engine}" + if test "${have_openssl_engine}" = "yes"; then + AC_CHECK_FUNCS( + [ \ + ENGINE_load_builtin_engines \ + ENGINE_register_all_complete \ + ], + , + [AC_MSG_ERROR([OpenSSL engine support not found])] + ) + fi + fi if test "${have_openssl_engine}" = "yes"; then AC_DEFINE([HAVE_OPENSSL_ENGINE], [1], [OpenSSL engine support available]) fi

From patchwork Tue Oct 19 07:31:09 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2033
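Review bot: in the configure.ac hunk at @@ -267, the error for an unknown value names the wrong option: AC_MSG_ERROR([bad value ${withval} for --with-engine]) should say --with-openssl-engine, which is the option the AC_ARG_WITH defines; a user who typed the real option name would otherwise be told about one that does not exist.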
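Review bot: in the configure.ac hunk at @@ -800, the probe's diagnostic reads "#error Engine supported disabled by default in OpenSSL 3.0+" and should be "Engine support disabled ..."; it is the only text a user sees in config.log when engine support silently drops out on a 3.0 build. Since the auto path sets have_openssl_engine="no" without any message, an AC_MSG_NOTICE in that branch saying that engines were disabled and that --with-openssl-engine=yes forces them on would make the new default visible at configure time rather than only when an --engine option fails at run time.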
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:09 +0200
Message-Id: <20211019183127.614175-4-arne@rfc2549.org>
In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org>
References: <20211019183127.614175-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 03/21] [OSSL 3.0] Implement DES ECB encrypt via EVP_CIPHER api

Even though DES is super outdated and also NTLM is super outdated, eliminating the warnings for OpenSSL 3.0 is still a step in the right direction and using the correct APIs.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
--- src/openvpn/crypto_openssl.c | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 1c800df7f..021698f12 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c 
@@ -879,10 +879,26 @@ cipher_des_encrypt_ecb(const unsigned char key[DES_KEY_LENGTH], unsigned char src[DES_KEY_LENGTH], unsigned char dst[DES_KEY_LENGTH]) { - DES_key_schedule sched; + EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); + if (!ctx) + { + crypto_msg(M_FATAL, "%s: EVP_CIPHER_CTX_new() failed", __func__); + } + if (!EVP_EncryptInit_ex(ctx, EVP_bf_ecb(), NULL, key, 0)) + { + crypto_msg(M_FATAL, "%s: EVP_EncryptInit_ex() failed", __func__); + } - DES_set_key_unchecked((DES_cblock *)key, &sched); - DES_ecb_encrypt((DES_cblock *)src, (DES_cblock *)dst, &sched, DES_ENCRYPT); + int len; + if(!EVP_EncryptUpdate(ctx, dst, &len, src, DES_KEY_LENGTH)) + { + crypto_msg(M_FATAL, "%s: EVP_EncryptUpdate() failed", __func__); + } + + if (!EVP_EncryptFinal(ctx, dst + len, &len)) + { + crypto_msg(M_FATAL, "%s: EVP_EncryptFinal() failed", __func__); + } } /*

From patchwork Tue Oct 19 07:31:10 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2030
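Review bot: the hunk at @@ -879 initialises the context with EVP_bf_ecb(), which is Blowfish, although the function is cipher_des_encrypt_ecb() and the code it replaces called DES_ecb_encrypt(); this must be EVP_des_ecb() or NTLM authentication will produce wrong responses. Two further problems in the same hunk: an EVP_CIPHER_CTX has padding enabled by default, so after EVP_EncryptUpdate() has consumed the 8-byte input, EVP_EncryptFinal() writes a full padding block at dst + len, past the end of the DES_KEY_LENGTH-sized dst buffer; call EVP_CIPHER_CTX_set_padding(ctx, 0) right after EVP_EncryptInit_ex() (and note the missing space in "if(!EVP_EncryptUpdate"). And ctx is never released, so add EVP_CIPHER_CTX_free(ctx) before the function returns.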
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:10 +0200
Message-Id: <20211019183127.614175-5-arne@rfc2549.org>
In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org>
References: <20211019183127.614175-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 04/21] [OSSL 3.0] Remove DES check with OpenSSL 3.0

DES is very deprecated and accidentally getting one of the 16 insecure keys that OpenSSL checks is extremely unlikely, so we no longer use the deprecated functions without replacement in OpenSSL 3.0.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/crypto_openssl.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 021698f12..8db2ddd09 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -521,6 +521,11 @@ key_des_num_cblocks(const EVP_CIPHER *kt) bool key_des_check(uint8_t *key, int key_len, int ndc) { +#if OPENSSL_VERSION_NUMBER < 0x30000000L + /* DES is deprecated and the method to even check the keys is deprecated + * in OpenSSL 3.0. Instead of checking for the 16 weak/semi-weak keys + * we just accept them in OpenSSL 3.0 since the risk of randomly getting + * these is pretty weak */ int i; struct buffer b; 
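Review bot: the new comment above `int i;` states that the 16 weak/semi-weak keys are simply accepted on OpenSSL 3.0 builds, but nothing outside this function says so; the doc comment on the `key_des_check()` declaration in crypto_backend.h (touched again in patch 07) should state that the function is a no-op on OpenSSL 3.0, since callers such as `check_key()` still treat a `true` return as "key verified". A wording nit in the same comment: "the risk of randomly getting these is pretty weak" reads better as "pretty low", because "weak" collides with the "weak key" term one line above.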
@@ -553,6 +558,9 @@ key_des_check(uint8_t *key, int key_len, int ndc) err: ERR_clear_error(); return false; +#else + return true; +#endif } void From patchwork Tue Oct 19 07:31:11 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2032 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director12.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id QPfyJTYPb2GNQgAAIUCqbw (envelope-from ) for ; Tue, 19 Oct 2021 14:32:22 -0400 Received: from proxy19.mail.ord1d.rsapps.net ([172.30.191.6]) by director12.mail.ord1d.rsapps.net with LMTP id qJCmJTYPb2FieQAAIasKDg (envelope-from ) for ; Tue, 19 Oct 2021 14:32:22 -0400 Received: from smtp22.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy19.mail.ord1d.rsapps.net with LMTPS id QLWAJTYPb2GAUwAAyH2SIw (envelope-from ) for ; Tue, 19 Oct 2021 14:32:22 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp22.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: e515066c-310a-11ec-bb7d-5254001a15c2-1-1 Received: from [216.105.38.7] ([216.105.38.7:43846] helo=lists.sourceforge.net) by smtp22.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 9E/3F-02340-43F0F616; Tue, 19 Oct 2021 14:32:21 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by 
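Review bot: in the new `#else` branch that just does `return true;` (patch 04/21, `key_des_check()`), the parameters `key`, `key_len` and `ndc` are no longer referenced on OpenSSL 3.0 builds, so `-Wunused-parameter` will warn on every such build; add `(void)key; (void)key_len; (void)ndc;` before the `return true;` so the no-op branch compiles cleanly with the project's warning flags.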
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:11 +0200
Message-Id: <20211019183127.614175-6-arne@rfc2549.org>
In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 05/21] [OSSL 3.0] Use EVP_PKEY based API for loading DH keys

OpenSSL 3.0 replaces the DH API with a generic EVP_PKEY based API to load DH parameters.
Signed-off-by: Arne Schwabe Acked-by: Max Fillinger --- src/openvpn/ssl_openssl.c | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 9a7cb9c64..a44d4f85c 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -649,7 +649,6 @@ void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline) { - DH *dh; BIO *bio; ASSERT(NULL != ctx); @@ -670,7 +669,26 @@ tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, } } - dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_PKEY *dh = PEM_read_bio_Parameters(bio, NULL); + BIO_free(bio); + + if (!dh) + { + crypto_msg(M_FATAL, "Cannot load DH parameters from %s", + print_key_filename(dh_file, dh_file_inline)); + } + if (!SSL_CTX_set0_tmp_dh_pkey(ctx->ctx, dh)) + { + crypto_msg(M_FATAL, "SSL_CTX_set_tmp_dh"); + } + + msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key", + 8 * EVP_PKEY_get_size(dh)); + + EVP_PKEY_free(dh); +#else + DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); BIO_free(bio); if (!dh) 
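Review bot: `EVP_PKEY_free(dh);` after a successful `SSL_CTX_set0_tmp_dh_pkey(ctx->ctx, dh)` is a double free: the `set0` naming convention means the context takes ownership of `dh` when the call succeeds, so the caller must not free it (the failure path is `M_FATAL` here, so no free is needed there either). Drop the `EVP_PKEY_free(dh)` line. Two smaller points in the same hunk: the error string still names `SSL_CTX_set_tmp_dh` rather than the function actually called, and `8 * EVP_PKEY_get_size(dh)` can be `EVP_PKEY_get_bits(dh)`, which reports the parameter size in bits directly.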
@@ -687,6 +705,7 @@ tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, 8 * DH_size(dh)); DH_free(dh); +#endif } void From patchwork Tue Oct 19 07:31:12 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2024 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director14.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id OCN+NTEPb2GwQgAAIUCqbw (envelope-from ) for ; Tue, 19 Oct 2021 14:32:17 -0400 Received: from proxy19.mail.ord1d.rsapps.net ([172.30.191.6]) by director14.mail.ord1d.rsapps.net with LMTP id UApDNTEPb2FQAQAAeJ7fFg (envelope-from ) for ; Tue, 19 Oct 2021 14:32:17 -0400 Received: from smtp30.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy19.mail.ord1d.rsapps.net with LMTPS id yC4QNTEPb2HLUwAAyH2SIw (envelope-from ) for ; Tue, 19 Oct 2021 14:32:17 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp30.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: e30cd2e6-310a-11ec-9dbf-5254001e8e38-1-1 Received: from [216.105.38.7] ([216.105.38.7:43748] helo=lists.sourceforge.net) by smtp30.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id C6/8D-02332-13F0F616; Tue, 19 Oct 2021 14:32:17 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by 
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:12 +0200
Message-Id: <20211019183127.614175-7-arne@rfc2549.org>
In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 06/21] [OSSL 3.0] Deprecate --ecdh-curve with OpenSSL 3.0 and adjust mbed TLS message

OpenSSL 3.0 deprecates SSL_CTX_set_tmp_ecdh() in favour of SSL_CTX_set1_groups(3). We already support SSL_CTX_set1_groups via --tls-groups. Adjust both mbed TLS and OpenSSL 3.0 to say that --ecdh-curve is ignored and --tls-groups should be used.
Signed-off-by: Arne Schwabe Acked-by: Max Fillinger --- src/openvpn/ssl_mbedtls.c | 5 +++-- src/openvpn/ssl_openssl.c | 12 +++++++++--- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index cea88f41e..e7c45c099 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -440,8 +440,9 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name { if (NULL != curve_name) { - msg(M_WARN, "WARNING: mbed TLS builds do not support specifying an ECDH " - "curve, using default curves."); + msg(M_WARN, "WARNING: mbed TLS builds do not support specifying an " + "ECDH curve with --ecdh-curve, using default curves. Use " + "--tls-groups to specify curves."); } } diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index a44d4f85c..92d8d0eeb 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c 
@@ -709,10 +709,16 @@ tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, } void -tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name - ) +tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name) { -#ifndef OPENSSL_NO_EC +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + if (curve_name != NULL) + { + msg(M_WARN, "WARNING: OpenSSL 3.0+ builds do not support specifying an " + "ECDH curve with --ecdh-curve, using default curves. Use " + "--tls-groups to specify groups."); + } +#elif !defined(OPENSSL_NO_EC) int nid = NID_undef; EC_KEY *ecdh = NULL; const char *sname = NULL; From patchwork Tue Oct 19 07:31:13 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2035 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director11.mail.ord1d.rsapps.net ([172.28.255.1]) by backend30.mail.ord1d.rsapps.net with LMTP id QO/JMzcPb2H5QgAAIUCqbw (envelope-from ) for ; Tue, 19 Oct 2021 14:32:23 -0400 Received: from proxy3.mail.ord1c.rsapps.net ([172.28.255.1]) by director11.mail.ord1d.rsapps.net with LMTP id EGO4MzcPb2HlIgAAvGGmqA (envelope-from ) for ; Tue, 19 Oct 2021 14:32:23 -0400 Received: from smtp11.gate.ord1c ([172.28.255.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy3.mail.ord1c.rsapps.net with LMTPS id oNJjMzcPb2FkZQAANIxBXg (envelope-from ) for ; Tue, 19 Oct 2021 14:32:23 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp11.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; 
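Review bot: the OpenSSL 3.0 branch of `tls_ctx_load_ecdh_params()` now only logs a warning and keeps accepting `--ecdh-curve`, so a user reading the man page still sees the option as honoured; the `--ecdh-curve` documentation should carry the same statement as the two new `msg(M_WARN, ...)` strings (ignored on OpenSSL 3.0+ and mbed TLS builds, use `--tls-groups`), and the commit message's "Deprecate" should match what the code does, which is warn-and-ignore rather than reject. Minor: the OpenSSL warning says "to specify groups" and the mbed TLS one "to specify curves"; pick one term for both.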
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:13 +0200
Message-Id: <20211019183127.614175-8-arne@rfc2549.org>
In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 07/21] [OSSL 3.0] Remove DES key fixup code

This code mainly sets the parity bits in the DES keys. As mbed TLS and OpenSSL already ignore these bits in the DES key and since DES is deprecated, remove this special DES code that is not even needed by the libraries.
Signed-off-by: Arne Schwabe Acked-by: Max Fillinger --- src/openvpn/crypto.c | 46 ------------------------------------ src/openvpn/crypto.h | 2 -- src/openvpn/crypto_backend.h | 9 ------- src/openvpn/crypto_mbedtls.c | 24 ------------------- src/openvpn/crypto_openssl.c | 27 --------------------- src/openvpn/ntlm.c | 1 - src/openvpn/ssl.c | 18 -------------- 7 files changed, 127 deletions(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 1dfc760f9..ce041153f 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -956,45 +956,6 @@ check_key(struct key *key, const struct key_type *kt) return true; } -/* - * Make safe mutations to key to ensure it is valid, - * such as ensuring correct parity on DES keys. - * - * This routine cannot guarantee it will generate a good - * key. You must always call check_key after this routine - * to make sure. - */ -void -fixup_key(struct key *key, const struct key_type *kt) -{ - struct gc_arena gc = gc_new(); - if (kt->cipher) - { -#ifdef ENABLE_DEBUG - const struct key orig = *key; -#endif - const int ndc = key_des_num_cblocks(kt->cipher); - - if (ndc) - { - key_des_fixup(key->cipher, kt->cipher_length, ndc); - } - -#ifdef ENABLE_DEBUG - if (check_debug_level(D_CRYPTO_DEBUG)) - { - if (memcmp(orig.cipher, key->cipher, kt->cipher_length)) - { - dmsg(D_CRYPTO_DEBUG, "CRYPTO INFO: fixup_key: before=%s after=%s", - format_hex(orig.cipher, kt->cipher_length, 0, &gc), - format_hex(key->cipher, kt->cipher_length, 0, &gc)); - } - } -#endif - } - gc_free(&gc); -} - void check_replay_consistency(const struct key_type *kt, bool packet_id) { @@ -1043,10 +1004,6 @@ generate_key_random(struct key *key, const struct key_type *kt) dmsg(D_SHOW_KEY_SOURCE, "Cipher source entropy: %s", format_hex(key->cipher, cipher_len, 0, &gc)); dmsg(D_SHOW_KEY_SOURCE, "HMAC source entropy: %s", format_hex(key->hmac, hmac_len, 0, &gc)); - if (kt) - { - fixup_key(key, kt); - } } while (kt && !check_key(key, kt)); gc_free(&gc); 
@@ -1589,9 +1546,6 @@ verify_fix_key2(struct key2 *key2, const struct key_type *kt, const char *shared for (i = 0; i < key2->n; ++i) { - /* Fix parity for DES keys and make sure not a weak key */ - fixup_key(&key2->keys[i], kt); - /* This should be a very improbable failure */ if (!check_key(&key2->keys[i], kt)) { diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h index 759da4bfb..e9ba21ab2 100644 --- a/src/openvpn/crypto.h +++ b/src/openvpn/crypto.h @@ -288,8 +288,6 @@ void check_replay_consistency(const struct key_type *kt, bool packet_id); bool check_key(struct key *key, const struct key_type *kt); -void fixup_key(struct key *key, const struct key_type *kt); - bool write_key(const struct key *key, const struct key_type *kt, struct buffer *buf); diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index e0bfdf585..cc897acf4 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -170,15 +170,6 @@ int key_des_num_cblocks(const cipher_kt_t *kt); */ bool key_des_check(uint8_t *key, int key_len, int ndc); -/* - * Fix the given DES key, setting its parity to odd. - * - * @param key Key to check - * @param key_len Length of the key, in bytes - * @param ndc Number of DES cblocks that the key is made up of. - */ -void key_des_fixup(uint8_t *key, int key_len, int ndc); - /** * Encrypt the given block, using DES ECB mode * diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index e2f5f4012..2f7f00d19 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -422,11 +422,6 @@ key_des_check(uint8_t *key, int key_len, int ndc) msg(D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: weak key detected"); goto err; } - if (0 != mbedtls_des_key_check_key_parity(key)) - { - msg(D_CRYPT_ERRORS, "CRYPTO INFO: check_key_DES: bad parity detected"); - goto err; - } } return true; 
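Review bot: the crypto_backend.h hunk removes the `key_des_fixup()` declaration and its doc block, but the doc comment that ends with `*/` right before `bool key_des_check(uint8_t *key, int key_len, int ndc);` is left untouched even though this same patch drops the parity test from both backend implementations of `key_des_check()` (the `mbedtls_des_key_check_key_parity` and `DES_check_key_parity` removals below); check that comment no longer mentions parity and that it says only the weak/semi-weak key test remains.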
@@ -434,25 +429,6 @@ err: return false; } -void -key_des_fixup(uint8_t *key, int key_len, int ndc) -{ - int i; - struct buffer b; - - buf_set_read(&b, key, key_len); - for (i = 0; i < ndc; ++i) - { - unsigned char *key = buf_read_alloc(&b, MBEDTLS_DES_KEY_SIZE); - if (!key) - { - msg(D_CRYPT_ERRORS, "CRYPTO INFO: fixup_key_DES: insufficient key material"); - return; - } - mbedtls_des_key_set_parity(key); - } -} - /* * * Generic cipher key type functions diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 8db2ddd09..93c85a836 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -546,12 +546,6 @@ key_des_check(uint8_t *key, int key_len, int ndc) "CRYPTO INFO: check_key_DES: weak key detected"); goto err; } - if (!DES_check_key_parity(dc)) - { - crypto_msg(D_CRYPT_ERRORS, - "CRYPTO INFO: check_key_DES: bad parity detected"); - goto err; - } } return true; @@ -563,27 +557,6 @@ err: #endif } -void -key_des_fixup(uint8_t *key, int key_len, int ndc) -{ - int i; - struct buffer b; - - buf_set_read(&b, key, key_len); - for (i = 0; i < ndc; ++i) - { - DES_cblock *dc = (DES_cblock *) buf_read_alloc(&b, sizeof(DES_cblock)); - if (!dc) - { - msg(D_CRYPT_ERRORS, "CRYPTO INFO: fixup_key_DES: insufficient key material"); - ERR_clear_error(); - return; - } - DES_set_odd_parity(dc); - } -} - - /* * * Generic cipher key type functions diff --git a/src/openvpn/ntlm.c b/src/openvpn/ntlm.c index 3abe3b7e3..28e68ded5 100644 --- a/src/openvpn/ntlm.c +++ b/src/openvpn/ntlm.c @@ -67,7 +67,6 @@ create_des_keys(const unsigned char *hash, unsigned char *key) key[5] = ((hash[4] & 31) << 3) | (hash[5] >> 5); key[6] = ((hash[5] & 63) << 2) | (hash[6] >> 6); key[7] = ((hash[6] & 127) << 1); - key_des_fixup(key, 8, 1); } static void diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index b2dc48be2..ee416a64c 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c 
@@ -1739,24 +1739,6 @@ generate_key_expansion_openvpn_prf(const struct tls_session *session, struct key } secure_memzero(&master, sizeof(master)); - - - /* - * fixup_key only correctly sets DES parity bits if the cipher is a - * DES variant. - * - * The newer OpenSSL and mbed TLS libraries (those that support EKM) - * ignore these bits. - * - * We keep the DES fixup here as compatibility. - * OpenVPN3 never did this fixup anyway. So this code is *probably* not - * required but we keep it for compatibility until we remove DES support - * since it does not hurt either. - */ - for (int i = 0; i < 2; ++i) - { - fixup_key(&key2->keys[i], &session->opt->key_type); - } key2->n = 2; return true; From patchwork Tue Oct 19 07:31:14 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2025 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director15.mail.ord1d.rsapps.net ([172.28.255.1]) by backend30.mail.ord1d.rsapps.net with LMTP id +M5rNjEPb2GNQgAAIUCqbw (envelope-from ) for ; Tue, 19 Oct 2021 14:32:17 -0400 Received: from proxy4.mail.ord1c.rsapps.net ([172.28.255.1]) by director15.mail.ord1d.rsapps.net with LMTP id QOQnNjEPb2GeCQAAIcMcQg (envelope-from ) for ; Tue, 19 Oct 2021 14:32:17 -0400 Received: from smtp38.gate.ord1c ([172.28.255.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy4.mail.ord1c.rsapps.net with LMTPS id 2L3dCTEPb2FScQAAjcXvpA (envelope-from ) for ; Tue, 19 Oct 2021 14:32:17 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp38.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) 
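Review bot: removing `key_des_fixup(key, 8, 1);` from `create_des_keys()` in ntlm.c leaves bit 0 of each key byte (the parity bit) as the hash-derived value rather than odd parity; that is only harmless if the DES-ECB routine declared in crypto_backend.h ("Encrypt the given block, using DES ECB mode") sets its key schedule with an unchecked variant (for OpenSSL, `DES_set_key_unchecked()` rather than `DES_set_key_checked()`, which rejects bad parity), so please confirm that for both backends and add a one-line comment at the ntlm.c call site saying why no parity fixup is needed. The ssl.c hunk is consistent with the commit message; the deleted comment there already stated the fixup was kept only for compatibility.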
bh=C91FIl/LLaKtMjMU4nxipqP9Dskf5NcqBqlPJIaAAnA=; b=eAZGLezfHWczPpdcBGtunU5A37 /qetEdlNSkiPzHV+cFi//FvPkoqA5fpQw33Ifk4acktCJ6haQnynKUTGvtd8V0/HlDkIh6z/K/DmE Mqx/7sswCno96KDE7ja1v3omuSWbmjamBR7GVmXaSWDOiEtHK491N12AjSbfxmFbDEuI=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1mctte-006U09-J3 for openvpn-devel@lists.sourceforge.net; Tue, 19 Oct 2021 18:31:35 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from ) id 1mcttX-0008i0-Jt for openvpn-devel@lists.sourceforge.net; Tue, 19 Oct 2021 20:31:27 +0200 Received: (nullmailer pid 614247 invoked by uid 10006); Tue, 19 Oct 2021 18:31:28 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Tue, 19 Oct 2021 20:31:14 +0200 Message-Id: <20211019183127.614175-9-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org> References: <20211019183127.614175-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: EC_Key methods are deprecated in OpenSSL 3.0. Use EVP_PKEY_get_group_name instead to query the EC group name from an EVP_PKEY and add a compatibility function for older OpenSSL versions. 
Subject: [Openvpn-devel] [PATCH v3 08/21] [OSSL 3.0] Use EVP_PKEY_get_group_name to query group name

EC_Key methods are deprecated in OpenSSL 3.0. Use EVP_PKEY_get_group_name instead to query the EC group name from an EVP_PKEY and add a compatibility function for older OpenSSL versions.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
--- src/openvpn/openssl_compat.h | 42 ++++++++++++++++++++++++++++++++++++ src/openvpn/ssl_openssl.c | 14 ++++++------ 2 files changed, 50 insertions(+), 6 deletions(-) diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index ce8e2b360..dda47d76c 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -718,4 +718,46 @@ SSL_CTX_set_max_proto_version(SSL_CTX *ctx, long tls_ver_max) return 1; } #endif /* if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(ENABLE_CRYPTO_WOLFSSL) */ + +/* Functionality missing in 1.1.1 */ +#if OPENSSL_VERSION_NUMBER < 0x30000000L && !defined(OPENSSL_NO_EC) + +/* Note that this is not a perfect emulation of the new function but + * is good enough for our case of printing certificate details during + * handshake */ +static inline +int EVP_PKEY_get_group_name(EVP_PKEY *pkey, char *gname, size_t gname_sz, + size_t *gname_len) +{ + const EC_KEY* ec = EVP_PKEY_get0_EC_KEY(pkey); + if (ec == NULL) + { + return 0; + } + const EC_GROUP* group = EC_KEY_get0_group(ec); + int nid = EC_GROUP_get_curve_name(group); + + if (nid == 0) + { + return 0; + } + const char *curve = OBJ_nid2sn(nid); + + strncpynt(gname, curve, gname_sz); + *gname_len = min_int(strlen(curve), gname_sz); + return 1; +} +#endif + +/** Mimics SSL_CTX_new_ex for OpenSSL < 3 */ +#if OPENSSL_VERSION_NUMBER < 0x30000000L +static inline SSL_CTX * +SSL_CTX_new_ex(void *libctx, const char *propq, const SSL_METHOD *method) +{ + (void) libctx; + (void) propq; + return SSL_CTX_new(method); +} +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ + #endif /* OPENSSL_COMPAT_H_ */ diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 92d8d0eeb..8ec96e66c 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c 
@@ -2053,13 +2053,15 @@ print_cert_details(X509 *cert, char *buf, size_t buflen) int typeid = EVP_PKEY_id(pkey); #ifndef OPENSSL_NO_EC - if (typeid == EVP_PKEY_EC && EVP_PKEY_get0_EC_KEY(pkey) != NULL) + char groupname[256]; + if (typeid == EVP_PKEY_EC) { - const EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); - const EC_GROUP *group = EC_KEY_get0_group(ec); - - int nid = EC_GROUP_get_curve_name(group); - if (nid == 0 || (curve = OBJ_nid2sn(nid)) == NULL) + size_t len; + if(EVP_PKEY_get_group_name(pkey, groupname, sizeof(groupname), &len)) + { + curve = groupname; + } + else { curve = "(error getting curve name)"; }
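Review bot: in the openssl_compat.h hunk, the EVP_PKEY_get_group_name emulation never checks the result of `OBJ_nid2sn(nid)` for NULL, although the print_cert_details code it replaces did (`if (nid == 0 || (curve = OBJ_nid2sn(nid)) == NULL)`); a NID without a short name would make `strncpynt(gname, curve, gname_sz)` and `strlen(curve)` dereference NULL, so add `if (!curve) { return 0; }` before the copy. `*gname_len = min_int(strlen(curve), gname_sz)` also passes two size_t values to an int helper and reports gname_sz on truncation although strncpynt stores only gname_sz - 1 characters plus the terminator; since the comment already limits the emulation to printing certificate details, a sentence saying that gname_len is not meaningful after truncation would be enough. Style: `const EC_KEY* ec` and `const EC_GROUP* group` put the star on the type, unlike the rest of the file, and the SSL_CTX_new_ex shim added at the end of the same hunk is not mentioned in the commit message.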
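Review bot: in the ssl_openssl.c hunk, `if(EVP_PKEY_get_group_name(pkey, groupname, sizeof(groupname), &len))` is missing the space after `if` that the neighbouring `if (typeid == EVP_PKEY_EC)` uses. `len` is written by the call but never read afterwards; a one-line comment saying it only exists to satisfy the signature would stop the next reader from looking for its use. Note also that OpenSSL 3.0 declares the first parameter of EVP_PKEY_get_group_name as `const EVP_PKEY *`, while the compat version takes `EVP_PKEY *`; matching the real prototype keeps the two builds interchangeable if pkey ever becomes const here.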
From patchwork Tue Oct 19 07:31:15 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2028
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:15 +0200
Message-Id: <20211019183127.614175-10-arne@rfc2549.org>
In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 09/21] Refactor early initialisation and uninitialisation into methods

This puts the early initialisation and uninitialisation that needs to happen between option parsing and post processing into small methods.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger --- src/openvpn/openvpn.c | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c index 0ac961429..f8e94509f 100644 --- a/src/openvpn/openvpn.c +++ b/src/openvpn/openvpn.c @@ -105,6 +105,20 @@ tunnel_point_to_point(struct context *c) #undef PROCESS_SIGNAL_P2P +void init_early(struct context *c) +{ + net_ctx_init(c, &(*c).net_ctx); + + /* init verbosity and mute levels */ + init_verb_mute(c, IVM_LEVEL_1); + +} + +static void uninit_early(struct context *c) +{ + net_ctx_free(&(*c).net_ctx); +} + /**************************************************************************/ /** @@ -193,10 +207,9 @@ openvpn_main(int argc, char *argv[]) open_plugins(&c, true, OPENVPN_PLUGIN_INIT_PRE_CONFIG_PARSE); #endif - net_ctx_init(&c, &c.net_ctx); - - /* init verbosity and mute levels */ - init_verb_mute(&c, IVM_LEVEL_1); + /* Early initialisation that need to happen before option + * post processing and other early startup but after parsing */ + init_early(&c); /* set dev options */ init_options_dev(&c.options); 
@@ -308,7 +321,7 @@ openvpn_main(int argc, char *argv[]) env_set_destroy(c.es); uninit_options(&c.options); gc_reset(&c.gc); - net_ctx_free(&c.net_ctx); + uninit_early(&c); } while (c.sig->signal_received == SIGHUP); }
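Review bot: in the first openvpn.c hunk, `init_early` is defined without `static` while `uninit_early` is `static`; nothing in this patch calls init_early from another file, so it should be static as well, or get a prototype in a header if a later patch needs it. `&(*c).net_ctx` is the same as `&c->net_ctx`, which is the form the rest of openvpn.c uses, and there is a stray blank line before the closing brace of init_early.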
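Review bot: in the second openvpn.c hunk, the new comment "Early initialisation that need to happen before option post processing" should read "needs to happen". The replacement of the net_ctx_init and init_verb_mute calls with `init_early(&c)` keeps the two calls in the same order, so the hunk is behaviour-preserving.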
From patchwork Tue Oct 19 07:31:16 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2034
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:16 +0200
Message-Id: <20211019183127.614175-11-arne@rfc2549.org>
In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 10/21] [OSSL 3.0] Replace EVP_get_cipherbyname with EVP_CIPHER_fetch

In OpenSSL 3.0 EVP_get_cipherbyname returns a non NULL algorithm even if the algorithm is not available with the currently available provider. Luckily EVP_get_cipherbyname can be used here as drop in replacement and returns only non NULL if the algorithm is actually currently supported.

Acked-by: Max Fillinger
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
--- src/openvpn/crypto_openssl.c | 6 +++--- src/openvpn/openssl_compat.h | 17 +++++++++++++++++ 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 93c85a836..b10bd7cd5 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -572,7 +572,7 @@ cipher_kt_get(const char *ciphername) ASSERT(ciphername); ciphername = translate_cipher_name_from_openvpn(ciphername); - cipher = EVP_get_cipherbyname(ciphername); + cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL); if (NULL == cipher) { @@ -658,7 +658,7 @@ cipher_kt_block_size(const EVP_CIPHER *cipher) strcpy(mode_str, "-CBC"); - cbc_cipher = EVP_get_cipherbyname(translate_cipher_name_from_openvpn(name)); + cbc_cipher = EVP_CIPHER_fetch(NULL,translate_cipher_name_from_openvpn(name), NULL); if (cbc_cipher) { block_size = EVP_CIPHER_block_size(cbc_cipher); @@ -894,7 +894,7 @@ md_kt_get(const char *digest) { const EVP_MD *md = NULL; ASSERT(digest); - md = EVP_get_digestbyname(digest); + md = EVP_MD_fetch(NULL, digest, NULL); if (!md) { crypto_msg(M_FATAL, "Message hash algorithm '%s' not found", digest); diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index dda47d76c..0893bfbb2 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h 
@@ -758,6 +758,23 @@ SSL_CTX_new_ex(void *libctx, const char *propq, const SSL_METHOD *method) (void) propq; return SSL_CTX_new(method); } +/* Mimics the functions but only when the default context without + * options is chosen */ +static inline const EVP_CIPHER * +EVP_CIPHER_fetch(void *ctx, const char *algorithm, const char *properties) +{ + ASSERT(!ctx); + ASSERT(!properties); + return EVP_get_cipherbyname(algorithm); +} + +static inline const EVP_MD* +EVP_MD_fetch(void *ctx, const char *algorithm, const char *properties) +{ + ASSERT(!ctx); + ASSERT(!properties); + return EVP_get_digestbyname(algorithm); +} #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ #endif /* OPENSSL_COMPAT_H_ */
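Review bot: in the cipher_kt_get hunk, `cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL)` changes ownership: on OpenSSL 3.0 EVP_CIPHER_fetch returns a new reference that the caller has to release with EVP_CIPHER_free, whereas EVP_get_cipherbyname returned a borrowed pointer. Nothing in the hunk releases the fetched cipher, so every call leaks one reference on 3.0 (the compat wrapper still returns a borrowed pointer, so the pre-3.0 path is unaffected); either fetch once and cache the result or give callers an explicit release routine. The commit message also says "EVP_get_cipherbyname can be used here as drop in replacement" where EVP_CIPHER_fetch is meant.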
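Review bot: in the cipher_kt_block_size hunk, `EVP_CIPHER_fetch(NULL,translate_cipher_name_from_openvpn(name), NULL)` is missing the space after the first comma. The fetched cbc_cipher is only needed for the EVP_CIPHER_block_size call that follows, so on OpenSSL 3.0 it should be released with EVP_CIPHER_free right after block_size has been read; as written the reference is leaked on every call.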
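Review bot: in the md_kt_get hunk, `md = EVP_MD_fetch(NULL, digest, NULL)` returns an owned reference on OpenSSL 3.0 that must eventually go to EVP_MD_free, unlike the borrowed pointer from EVP_get_digestbyname; md_kt_get hands the pointer out as before with no matching release, so it leaks per call on 3.0. If the borrowed-pointer API is to be kept, fetch once into a cache whose lifetime OpenVPN controls.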
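Review bot: in the openssl_compat.h hunk, the wrappers return `const EVP_CIPHER *` and `const EVP_MD *` while the OpenSSL 3.0 EVP_CIPHER_fetch and EVP_MD_fetch return non-const pointers the caller owns; the comment "Mimics the functions but only when the default context without options is chosen" should also say that ownership differs, so nobody adds an EVP_CIPHER_free on the pre-3.0 path, where that function does not exist. `ASSERT(!ctx)` and `ASSERT(!properties)` abort on any caller that passes a library context or property query; that is acceptable here because all three call sites in the patch pass NULL. Style: `const EVP_MD*` puts the star on the type, unlike the `const EVP_CIPHER *` a few lines above.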
From patchwork Tue Oct 19 07:31:17 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2038
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:17 +0200
Message-Id: <20211019183127.614175-12-arne@rfc2549.org>
In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 11/21] [OSSL 3.0] Use EVP_MD_get0_name instead of EVP_MD_name

Use the new name for the function as it indicates with get0 the ownership of the returned value.

Signed-off-by: Arne Schwabe
Acked-by: Max Fillinger
--- src/openvpn/crypto_openssl.c | 2 +- src/openvpn/openssl_compat.h | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index b10bd7cd5..407ea4a7c 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -916,7 +916,7 @@ md_kt_name(const EVP_MD *kt) { return "[null-digest]"; } - return EVP_MD_name(kt); + return EVP_MD_get0_name(kt); } unsigned char diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index 0893bfbb2..2aa718a33 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h
@@ -751,6 +751,8 @@ int EVP_PKEY_get_group_name(EVP_PKEY *pkey, char *gname, size_t gname_sz, /** Mimics SSL_CTX_new_ex for OpenSSL < 3 */ #if OPENSSL_VERSION_NUMBER < 0x30000000L +#define EVP_MD_get0_name EVP_MD_name + static inline SSL_CTX * SSL_CTX_new_ex(void *libctx, const char *propq, const SSL_METHOD *method) {
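Review bot: in the openssl_compat.h hunk, `#define EVP_MD_get0_name EVP_MD_name` is inserted between the `/** Mimics SSL_CTX_new_ex for OpenSSL < 3 */` comment and the function that comment documents, so the doc comment now sits on the wrong declaration; move the define above the comment (or below the function) and give it its own one-line comment. The Subject line also has "USe" and "EV_MD_name" for "Use" and "EVP_MD_name".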
From patchwork Tue Oct 19 07:31:18 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2043
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:18 +0200
Message-Id: <20211019183127.614175-13-arne@rfc2549.org>
In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 12/21] [OSSL 3.0] Allow loading of non default providers

This allows OpenVPN to load non-default providers. This is mainly useful for loading the legacy provider with --provider legacy:default

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
--- doc/man-sections/generic-options.rst | 10 ++++++++++ src/openvpn/crypto_backend.h | 7 +++++++ src/openvpn/crypto_mbedtls.c | 8 ++++++++ src/openvpn/crypto_openssl.c | 29 ++++++++++++++++++++++++++++ src/openvpn/openvpn.c | 4 ++++ src/openvpn/options.c | 4 ++++ src/openvpn/options.h | 1 + 7 files changed, 63 insertions(+) diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index e6c1fe455..f5b8a9135 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst @@ -280,6 +280,16 @@ which mode OpenVPN is configured as. This option solves the problem by persisting keys across :code:`SIGUSR1` resets, so they don't need to be re-read. +--provider providers + Load the : separated list of (OpenSSL) providers. This is mainly useful for + using an external provider for key management like tpm2-openssl or to load + the legacy provider with + + :: + + --provider "legacy:default" + + --remap-usr1 signal Control whether internally or externally generated :code:`SIGUSR1` signals are remapped to :code:`SIGHUP` (restart without persisting state) or diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index cc897acf4..fa265e6c2 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -78,6 +78,13 @@ void crypto_clear_error(void); */ void crypto_init_lib_engine(const char *engine_name); + +/** + * Load the given (OpenSSL) providers + * @param providers list of providers to load, seperated by : + */ +void crypto_init_lib_provider(const char *providers); + #ifdef DMALLOC /* * OpenSSL memory debugging. If dmalloc debugging is enabled, tell diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index 2f7f00d19..e6ed1ae99 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c 
@@ -70,6 +70,14 @@ crypto_init_lib_engine(const char *engine_name) "available"); } +void crypto_init_lib_provider(const char *providers) +{ + if (providers) + { + msg(M_WARN, "Note: mbed TLS provider functionality is not available"); + } +} + /* * * Functions related to the core crypto library diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 407ea4a7c..1900ccc1b 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -54,6 +54,9 @@ #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) #include #endif +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include +#endif /* * Check for key size creepage. @@ -145,6 +148,32 @@ crypto_init_lib_engine(const char *engine_name) #endif } +void +crypto_init_lib_provider(const char *providers) +{ + if (!providers) + { + return; + } +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + struct gc_arena gc = gc_new(); + char *tmp_providers = string_alloc(providers, &gc); + + const char *provname; + while ((provname = strsep(&tmp_providers, ":"))) + { + /* Load providers into the default (NULL) library context */ + OSSL_PROVIDER* provider = OSSL_PROVIDER_load(NULL, provname); + if (!provider) + { + crypto_msg(M_FATAL, "failed to load provider '%s'", provname); + } + } +#else /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ + msg(M_WARN, "Note: OpenSSL hardware crypto engine functionality is not available"); +#endif +} + /* * * Functions related to the core crypto library diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c index f8e94509f..3c9bcf885 100644 --- a/src/openvpn/openvpn.c +++ b/src/openvpn/openvpn.c 
@@ -112,6 +112,10 @@ void init_early(struct context *c) /* init verbosity and mute levels */ init_verb_mute(c, IVM_LEVEL_1); + /* Initialise OpenVPN provider, this needs to be intialised this + * early since option post processing and also openssl info + * printing depends on it */ + crypto_init_lib_provider((*c).options.providers); } static void uninit_early(struct context *c) diff --git a/src/openvpn/options.c b/src/openvpn/options.c index ed2dcd53d..ab7b00783 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -8178,6 +8178,10 @@ add_option(struct options *options, options->engine = "auto"; } } + else if (streq(p[0], "provider") && p[1] && !p[2]) + { + options->providers = p[1]; + } #endif /* ENABLE_CRYPTO_MBEDTLS */ #ifdef ENABLE_PREDICTION_RESISTANCE else if (streq(p[0], "use-prediction-resistance") && !p[1]) diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 98c21a2a8..6759f1950 100644 --- a/src/openvpn/options.h +++ b/src/openvpn/options.h 
@@ -521,6 +521,7 @@ struct options const char *prng_hash; int prng_nonce_secret_len; const char *engine; + const char *providers; bool replay; bool mute_replay_warnings; int replay_window;
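Review bot: the new --provider entry in the generic-options.rst hunk should explain why the example lists "default" as well as "legacy": once any provider is loaded explicitly, OpenSSL no longer auto-loads the default provider, so a bare `--provider legacy` would leave the process without the standard algorithms. It should also spell out the trade-off that loading the legacy provider re-enables weak algorithms such as BF-CBC process-wide, since that is the security decision an operator makes with this option. Suggested addition after the example: "Note that loading any provider disables automatic loading of the default provider, so it has to be listed explicitly."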
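Review bot: typo in the new doxygen comment in the crypto_backend.h hunk, "seperated by :" should read "separated by :". While touching it, document the failure behaviour, because it differs per backend in this series: the OpenSSL implementation is fatal when a provider cannot be loaded, the mbed TLS one only logs a warning.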
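Review bot: the gc arena in crypto_init_lib_provider() (crypto_openssl.c hunk) is never released: `struct gc_arena gc = gc_new();` backs the `string_alloc(providers, &gc)` copy that strsep() walks, but there is no `gc_free(&gc);` before the function returns, so the copy leaks on every successful call. Two smaller points in the same hunk: the `#else` branch prints "OpenSSL hardware crypto engine functionality is not available", which is the --engine message copied verbatim and should talk about providers instead; and `OSSL_PROVIDER* provider` should be written `OSSL_PROVIDER *provider` to match the surrounding code.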
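Review bot: in the openvpn.c hunk, `crypto_init_lib_provider((*c).options.providers);` should use the arrow form `c->options.providers` like the rest of init_early(), and the comment above it has "intialised" for "initialised".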
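Review bot: the new `provider` branch in the options.c hunk sits inside the same conditional block as `--engine`, the one closed by `#endif /* ENABLE_CRYPTO_MBEDTLS */`. If that block is compiled out for mbed TLS builds, `--provider` is rejected there as an unknown option at parse time and the "mbed TLS provider functionality is not available" warning added in the crypto_mbedtls.c hunk can never be reached; either drop that stub's message or parse the option for all backends so the friendlier warning is what the user sees.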
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:19 +0200
Message-Id: <20211019183127.614175-14-arne@rfc2549.org>
In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 13/21] [OSSL 3.0] Remove dependency on BF-CBC existence from test_ncp

The test_check_ncp_ciphers_list test assumed that BF-CBC is always available, which is no longer the case with OpenSSL 3.0. Rewrite the test to not rely on BF-CBC to be available.

Signed-off-by: Arne Schwabe
Acked-by: Max Fillinger
---
 tests/unit_tests/openvpn/test_ncp.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/tests/unit_tests/openvpn/test_ncp.c b/tests/unit_tests/openvpn/test_ncp.c index 613b5f1ba..a77afde17 100644 --- a/tests/unit_tests/openvpn/test_ncp.c +++ b/tests/unit_tests/openvpn/test_ncp.c @@ -41,6 +41,7 @@ /* Defines for use in the tests and the mock parse_line() */ const char *bf_chacha = "BF-CBC:CHACHA20-POLY1305"; +const char *aes_chacha = "AES-128-CBC:CHACHA20-POLY1305"; const char *aes_ciphers = "AES-256-GCM:AES-128-GCM";
@@ -59,6 +60,7 @@ test_check_ncp_ciphers_list(void **state) { struct gc_arena gc = gc_new(); bool have_chacha = cipher_kt_get("CHACHA20-POLY1305"); + bool have_blowfish= cipher_kt_get("BF-CBC"); assert_string_equal(mutate_ncp_cipher_list("none", &gc), "none"); assert_string_equal(mutate_ncp_cipher_list("AES-256-GCM:none", &gc), @@ -66,7 +68,12 @@ test_check_ncp_ciphers_list(void **state) assert_string_equal(mutate_ncp_cipher_list(aes_ciphers, &gc), aes_ciphers); - if (have_chacha) + if(have_chacha) + { + assert_string_equal(mutate_ncp_cipher_list(aes_chacha, &gc), aes_chacha); + } + + if (have_chacha && have_blowfish) { assert_string_equal(mutate_ncp_cipher_list(bf_chacha, &gc), bf_chacha); assert_string_equal(mutate_ncp_cipher_list("BF-CBC:CHACHA20-POLY1305", &gc), 
@@ -82,8 +89,8 @@ test_check_ncp_ciphers_list(void **state) bool have_chacha_mixed_case = cipher_kt_get("ChaCha20-Poly1305"); if (have_chacha_mixed_case) { - assert_string_equal(mutate_ncp_cipher_list("BF-CBC:ChaCha20-Poly1305", &gc), - bf_chacha); + assert_string_equal(mutate_ncp_cipher_list("AES-128-CBC:ChaCha20-Poly1305", &gc), + aes_chacha); } assert_ptr_equal(mutate_ncp_cipher_list("vollbit", &gc), NULL);
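Review bot: two style regressions in the second test_ncp.c hunk (@@ -59,6 +60,7 @@): `bool have_blowfish= cipher_kt_get("BF-CBC");` is missing the space before `=`, and the replacement line `+ if(have_chacha)` drops the space after `if` that the removed `- if (have_chacha)` had; both should follow the project style (`have_blowfish = ...`, `if (have_chacha)`). The logic is fine: the BF-CBC assertions now run only under `have_chacha && have_blowfish`, and the new `aes_chacha` list keeps the non-AEAD plus AEAD mix covered on builds where Blowfish is gone.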
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:20 +0200
Message-Id: <20211019183127.614175-15-arne@rfc2549.org>
In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 14/21] [OSSL 3.0] Use TYPE_do_all_provided function for listing cipher/digest

With OpenSSL 3.0 the use of nid values is deprecated and new algorithms do not even have NID values anymore. This also works nicely with providers now:

    openvpn --provider legacy:default --show-ciphers

shows more ciphers (e.g. BF-CBC) than just

    openvpn --show-ciphers

when compiled with OpenSSL 3.0
Signed-off-by: Arne Schwabe --- src/openvpn/crypto_openssl.c | 95 +++++++++++++++++++++++------------- 1 file changed, 61 insertions(+), 34 deletions(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 1900ccc1b..ab552efab 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c 
@@ -311,86 +311,113 @@ cipher_name_cmp(const void *a, const void *b) return strcmp(cipher_kt_name(*cipher_a), cipher_kt_name(*cipher_b)); } +struct collect_ciphers { + /* If we ever exceed this, we must be more selective */ + const EVP_CIPHER *list[1000]; + size_t num; +}; + +static void collect_ciphers(EVP_CIPHER *cipher, void *list) +{ + struct collect_ciphers* cipher_list = list; + if (cipher_list->num == (sizeof(cipher_list->list)/sizeof(*cipher_list->list))) + { + msg(M_WARN, "WARNING: Too many ciphers, not showing all"); + return; + } + + if (cipher && (cipher_kt_mode_cbc(cipher) +#ifdef ENABLE_OFB_CFB_MODE + || cipher_kt_mode_ofb_cfb(cipher) +#endif + || cipher_kt_mode_aead(cipher) + )) + { + cipher_list->list[cipher_list->num++] = cipher; + } +} + void show_available_ciphers(void) { - int nid; - size_t i; + struct collect_ciphers cipher_list = { 0 }; - /* If we ever exceed this, we must be more selective */ - const EVP_CIPHER *cipher_list[1000]; - size_t num_ciphers = 0; #ifndef ENABLE_SMALL printf("The following ciphers and cipher modes are available for use\n" "with " PACKAGE_NAME ". Each cipher shown below may be used as a\n" "parameter to the --data-ciphers (or --cipher) option. 
In static \n" - "key mode only CBC mode is allowed.\n\n"); + "key mode only CBC mode is allowed.\n"); + printf("See also openssl list -cipher-algorithms\n\n"); #endif - for (nid = 0; nid < 10000; ++nid) +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_CIPHER_do_all_provided(NULL, collect_ciphers, &cipher_list); +#else + for (int nid = 0; nid < 10000; ++nid) { const EVP_CIPHER *cipher = EVP_get_cipherbynid(nid); - if (cipher && (cipher_kt_mode_cbc(cipher) -#ifdef ENABLE_OFB_CFB_MODE - || cipher_kt_mode_ofb_cfb(cipher) -#endif - || cipher_kt_mode_aead(cipher) - )) - { - cipher_list[num_ciphers++] = cipher; - } - if (num_ciphers == (sizeof(cipher_list)/sizeof(*cipher_list))) - { - msg(M_WARN, "WARNING: Too many ciphers, not showing all"); - break; - } + /* We cast the const away so we can keep the function prototype + * compatible with EVP_CIPHER_do_all_provided */ + collect_ciphers((EVP_CIPHER *)cipher, &cipher_list); } +#endif /* cast to non-const to prevent warning */ - qsort((EVP_CIPHER *)cipher_list, num_ciphers, sizeof(*cipher_list), cipher_name_cmp); + qsort((EVP_CIPHER *)cipher_list.list, cipher_list.num, sizeof(*cipher_list.list), cipher_name_cmp); - for (i = 0; i < num_ciphers; i++) + for (size_t i = 0; i < cipher_list.num; i++) { - if (!cipher_kt_insecure(cipher_list[i])) + if (!cipher_kt_insecure(cipher_list.list[i])) { - print_cipher(cipher_list[i]); + print_cipher(cipher_list.list[i]); } } printf("\nThe following ciphers have a block size of less than 128 bits, \n" "and are therefore deprecated. 
Do not use unless you have to.\n\n"); - for (i = 0; i < num_ciphers; i++) + for (int i = 0; i < cipher_list.num; i++) { - if (cipher_kt_insecure(cipher_list[i])) + if (cipher_kt_insecure(cipher_list.list[i])) { - print_cipher(cipher_list[i]); + print_cipher(cipher_list.list[i]); } } printf("\n"); } void -show_available_digests(void) +print_digest(EVP_MD* digest, void* unused) { - int nid; + printf("%s %d bit digest size\n", EVP_MD_get0_name(digest), + EVP_MD_size(digest) * 8); +} +void +show_available_digests(void) +{ #ifndef ENABLE_SMALL printf("The following message digests are available for use with\n" PACKAGE_NAME ". A message digest is used in conjunction with\n" "the HMAC function, to authenticate received packets.\n" "You can specify a message digest as parameter to\n" - "the --auth option.\n\n"); + "the --auth option.\n"); + printf("See also openssl list -digest-algorithms\n\n"); #endif - for (nid = 0; nid < 10000; ++nid) +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MD_do_all_provided(NULL, print_digest, NULL); +#else + for (int nid = 0; nid < 10000; ++nid) { const EVP_MD *digest = EVP_get_digestbynid(nid); if (digest) { - printf("%s %d bit digest size\n", - OBJ_nid2sn(nid), EVP_MD_size(digest) * 8); + /* We cast the const away so we can keep the function prototype + * compatible with EVP_MD_do_all_provided */ + print_digest((EVP_MD *)digest, NULL); } } +#endif printf("\n"); }
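Review bot: `print_digest()` calls `EVP_MD_get0_name()`, which is an OpenSSL 3.0 API, yet the `#else` branch of show_available_digests() also routes the pre-3.0 path through `print_digest((EVP_MD *)digest, NULL)`; unless openssl_compat.h maps EVP_MD_get0_name onto the older EVP_MD_name (nothing in this hunk shows that), OpenSSL 1.1.x builds will fail to compile. Smaller points in the same hunk: `print_digest` is introduced as a new non-static function and should be `static` like `collect_ciphers`; the deprecated-cipher loop `for (int i = 0; i < cipher_list.num; i++)` compares `int` against the `size_t` member while the loop just above it correctly uses `size_t i`, which will draw a signed/unsigned warning; and because `collect_ciphers()` is now a callback that cannot stop `EVP_CIPHER_do_all_provided()`, the "WARNING: Too many ciphers, not showing all" message is emitted once per extra cipher instead of once as the old `break` did, so consider a flag to warn only the first time.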
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:21 +0200
Message-Id: <20211019183127.614175-16-arne@rfc2549.org>
In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 15/21] [OSSL 3.0] Do not allow CTS ciphers

We do not support CTS (cipher text stealing) algorithms.

Signed-off-by: Arne Schwabe
Acked-by: Max Fillinger
---
 src/openvpn/crypto_openssl.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index ab552efab..ac8287440 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c 
@@ -760,6 +760,9 @@ cipher_kt_mode_cbc(const cipher_kt_t *cipher) { return cipher && cipher_kt_mode(cipher) == OPENVPN_MODE_CBC /* Exclude AEAD cipher modes, they require a different API */ +#ifdef EVP_CIPH_FLAG_CTS + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS) +#endif && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER); }
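Review bot: the comment directly above the inserted lines, `/* Exclude AEAD cipher modes, they require a different API */`, now also heads the CTS exclusion; extend it (for example "Exclude AEAD and CTS cipher modes, they require a different API / are not supported") so the next reader knows why CTS variants are filtered. The `#ifdef EVP_CIPH_FLAG_CTS` guard is the right way to keep pre-3.0 builds compiling, and since show_available_ciphers() filters through cipher_kt_mode_cbc(), CTS variants also drop out of --show-ciphers, which matches the commit message.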
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:22 +0200
Message-Id: <20211019183127.614175-17-arne@rfc2549.org>
In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 16/21] Add message when decoding PKCS12 file fails.

Currently we never display the OpenSSL error stack when decoding a PKCS12 file fails.
With LibreSSL defaulting to RC2-40-CBC, the failure might not be a wrong password but can actually be an unsupported encoding; seeing the error stack is really helpful (example from OpenSSL 3.0):

error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:346:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

to pinpoint the issue

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 src/openvpn/ssl_openssl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 8ec96e66c..d93292700 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -831,6 +831,8 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file, ca = NULL; if (!PKCS12_parse(p12, password, &pkey, &cert, &ca)) { + crypto_msg(M_WARN, "Decoding PKCS12 failed. Probably wrong password " + "or unsupported/legacy encryption"); #ifdef ENABLE_MANAGEMENT if (management && (ERR_GET_REASON(ERR_peek_error()) == PKCS12_R_MAC_VERIFY_FAILURE)) {

From patchwork Tue Oct 19 07:31:23 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2037
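Review bot: in the PKCS12_parse failure hunk of 16/21, the new crypto_msg(M_WARN, ...) call is placed before the ENABLE_MANAGEMENT branch that still inspects ERR_peek_error() for PKCS12_R_MAC_VERIFY_FAILURE; confirm that printing the OpenSSL error stack there does not drain the error queue, because if it does, the peek below sees an empty queue and the management password-retry path can never match after this change. If that is the case, capture the reason first (`int reason = ERR_GET_REASON(ERR_peek_error());`) and emit the warning afterwards, or move the crypto_msg() below the management check. The warning text also lumps "wrong password" and "unsupported/legacy encryption" together although the commit message's whole point is to tell them apart; where the reason code distinguishes them, say which one applies.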
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:23 +0200
Message-Id: <20211019183127.614175-18-arne@rfc2549.org>
In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org>
References: <20211019183127.614175-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 17/21] Add small unit test for testing HMAC

This just adds a very simple unit test to check that the HMAC implementation produces a well known hash.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 tests/unit_tests/openvpn/test_crypto.c | 61 +++++++++++++++++++++++---
 1 file changed, 54 insertions(+), 7 deletions(-)

diff --git a/tests/unit_tests/openvpn/test_crypto.c b/tests/unit_tests/openvpn/test_crypto.c
index 32063fc46..66f53a020 100644
--- a/tests/unit_tests/openvpn/test_crypto.c
+++ b/tests/unit_tests/openvpn/test_crypto.c
@@ -141,6 +141,11 @@ static uint8_t good_prf[32] = {0xd9, 0x8c, 0x85, 0x18, 0xc8, 0x5e, 0x94, 0x69, 0x27, 0x91, 0x6a, 0xcf, 0xc2, 0xd5, 0x92, 0xfb, 0xb1, 0x56, 0x7e, 0x4b, 0x4b, 0x14, 0x59, 0xe6, 0xa9, 0x04, 0xac, 0x2d, 0xda, 0xb7, 0x2d, 0x67}; + +static const char* ipsumlorem = "Lorem ipsum dolor sit amet, consectetur " + "adipisici elit, sed eiusmod tempor incidunt " + "ut labore et dolore magna aliqua."; + static void crypto_test_tls_prf(void **state) {
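Review bot: style point on the relocated definition in the @@ -141 hunk of 17/21: `static const char* ipsumlorem` attaches the asterisk to the type, while the rest of the file (for example `const unsigned char *secret` in the following hunk) attaches it to the identifier; write `static const char *ipsumlorem`. The line wrapping of the literal also changed ("incidunt " / "ut labore" instead of "incidunt ut " / "labore"); that is harmless because the concatenated string is byte-identical, and the unchanged `good_prf` assertion confirms it, but it is worth a glance when comparing against the removed lines.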
@@ -150,12 +155,6 @@ crypto_test_tls_prf(void **state) const size_t seed_len = strlen(seedstr); - - - const char* ipsumlorem = "Lorem ipsum dolor sit amet, consectetur " - "adipisici elit, sed eiusmod tempor incidunt ut " - "labore et dolore magna aliqua."; - const unsigned char *secret = (const unsigned char *) ipsumlorem; size_t secret_len = strlen((const char *)secret); 
@@ -166,13 +165,61 @@ crypto_test_tls_prf(void **state) assert_memory_equal(good_prf, out, sizeof(out)); } +static uint8_t testkey[20] = {0x0b, 0x00}; +static uint8_t goodhash[20] = {0x58, 0xea, 0x5a, 0xf0, 0x42, 0x94, 0xe9, 0x17, + 0xed, 0x84, 0xb9, 0xf0, 0x83, 0x30, 0x23, 0xae, + 0x8b, 0xa7, 0x7e, 0xb8}; + +static void +crypto_test_hmac(void **state) +{ + hmac_ctx_t *hmac = hmac_ctx_new(); + const md_kt_t *sha1 = md_kt_get("SHA1"); + + assert_int_equal(md_kt_size(sha1), 20); + + uint8_t key[20]; + memcpy(key, testkey, sizeof(key)); + + hmac_ctx_init(hmac, key, 20, sha1); + hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem)); + hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem)); + + uint8_t hash[20]; + hmac_ctx_final(hmac, hash); + + assert_memory_equal(hash, goodhash, sizeof(hash)); + memset(hash, 0x00, sizeof(hash)); + + /* try again */ + hmac_ctx_reset(hmac); + hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem)); + hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem)); + hmac_ctx_final(hmac, hash); + + assert_memory_equal(hash, goodhash, sizeof(hash)); + + /* Fill our key with random data to ensure it is not used by hmac anymore */ + memset(key, 0x55, sizeof(key)); + + hmac_ctx_reset(hmac); + hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem)); + hmac_ctx_update(hmac, (const uint8_t *)ipsumlorem, (int) strlen(ipsumlorem)); + hmac_ctx_final(hmac, hash); + + assert_memory_equal(hash, goodhash, sizeof(hash)); + hmac_ctx_cleanup(hmac); + hmac_ctx_free(hmac); +} + int main(void) { const struct CMUnitTest tests[] = { cmocka_unit_test(crypto_pem_encode_decode_loopback), cmocka_unit_test(crypto_translate_cipher_names), - cmocka_unit_test(crypto_test_tls_prf) + cmocka_unit_test(crypto_test_tls_prf), + cmocka_unit_test(crypto_test_hmac) }; #if defined(ENABLE_CRYPTO_OPENSSL) From patchwork Tue Oct 19 07:31:24 2021 Content-Type: text/plain; 
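Review bot: in the crypto_test_hmac hunk of 17/21, `static uint8_t testkey[20] = {0x0b, 0x00};` zero-fills the remaining elements, so the key under test is one 0x0b byte followed by nineteen zero bytes, and the message is ipsumlorem fed twice; that pairing is not a published HMAC-SHA1 vector, so `goodhash` is a locally generated value rather than the "well known hash" the commit message promises. Either use a published key/message/digest triple so the expected bytes can be checked independently, or add a comment stating how goodhash was produced (tool and input) so a reader can regenerate it. Minor: the comment `/* Fill our key with random data ... */` precedes `memset(key, 0x55, sizeof(key))`, which writes a fixed pattern, not random data; "overwrite the key buffer so a later HMAC cannot still be reading it" describes what the check actually proves.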
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:24 +0200
Message-Id: <20211019183127.614175-19-arne@rfc2549.org>
In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org>
References: <20211019183127.614175-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 18/21] Fix error when BF-CBC is not available

Through the multiple iterations of allowing OpenVPN to run without BF-CBC we accidentally made a regression and still required BF-CBC. This patch fixes the code path and restores its intended function.

Signed-off-by: Arne Schwabe
Acked-by: Max Fillinger
---
 src/openvpn/options.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index ab7b00783..fe873944b 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -3797,6 +3797,9 @@ calc_options_string_link_mtu(const struct options *o, const struct frame *frame) /* overhead of BF-CBC: 64 bit block size, 64 bit IV size */ frame_add_to_extra_frame(&fake_frame, 64/8 + 64/8); + /* set ciphername to none, so its size does get added in the fake_kt and + * the cipher is not tried to be resolved */ + ciphername = "none"; } init_key_type(&fake_kt, ciphername, o->authname, true, false);

From patchwork Tue Oct 19 07:31:25 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2023
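Review bot: the comment added in the calc_options_string_link_mtu hunk of 18/21 says "so its size does get added in the fake_kt", which contradicts the two context lines above it: the BF-CBC block and IV overhead has just been added by hand through frame_add_to_extra_frame(&fake_frame, 64/8 + 64/8), and the point of `ciphername = "none"` is that the following init_key_type() adds nothing further and does not try to resolve BF-CBC. Presumably "does not get added" was meant; "the cipher is not tried to be resolved" would also read better as "the cipher is not resolved". Since the hunk shows only the closing brace of the enclosing block, the commit message should name the condition that guards it (the fallback taken when BF-CBC is unavailable) so the reviewer can see that this assignment cannot leak into the normal code path.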
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:25 +0200
Message-Id: <20211019183127.614175-20-arne@rfc2549.org>
In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org>
References: <20211019183127.614175-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 19/21] Add insecure tls-cert-profile options

The recent deprecation of SHA1 certificates in OpenSSL 3.0 makes it necessary to re-allow them in certain deployments. Currently this works by using the hack of using tls-cipher "DEFAULT:@SECLEVEL=0". Add insecure as an option to tls-cert-profile to allow setting a seclevel of 0.
Signed-off-by: Arne Schwabe --- doc/man-sections/tls-options.rst | 6 ++++++ src/openvpn/ssl_mbedtls.c | 3 ++- src/openvpn/ssl_openssl.c | 6 +++++- 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/doc/man-sections/tls-options.rst b/doc/man-sections/tls-options.rst index eaf38395d..ac5756034 100644 --- a/doc/man-sections/tls-options.rst +++ b/doc/man-sections/tls-options.rst @@ -373,6 +373,9 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa The following profiles are supported: + :code:`insecure` + Identical for mbed TLS to `legacy` + :code:`legacy` (default) SHA1 and newer, RSA 2048-bit+, any elliptic curve. @@ -385,6 +388,9 @@ certificates and keys: https://github.com/OpenVPN/easy-rsa This option is only fully supported for mbed TLS builds. OpenSSL builds use the following approximation: + :code:`insecure` + sets "security level 0" + :code:`legacy` (default) sets "security level 1" diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index e7c45c099..acf4993fd 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -336,7 +336,8 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) void tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) { - if (!profile || 0 == strcmp(profile, "legacy")) + if (!profile || 0 == strcmp(profile, "legacy") + || 0 == strcmp(profile, "insecure")) { ctx->cert_profile = openvpn_x509_crt_profile_legacy; } diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index d93292700..b29765daf 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c 
@@ -532,7 +532,11 @@ tls_ctx_set_cert_profile(struct tls_root_ctx *ctx, const char *profile) * callbacks that we could try to implement to achieve something similar. * For now, use OpenSSL's security levels to achieve similar (but not equal) * behaviour. */ - if (!profile || 0 == strcmp(profile, "legacy")) + if (!profile || 0 == strcmp(profile, "insecure")) + { + SSL_CTX_set_security_level(ctx->ctx, 0); + } + else if (!profile || 0 == strcmp(profile, "legacy")) { SSL_CTX_set_security_level(ctx->ctx, 1); }

From patchwork Tue Oct 19 07:31:26 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2044
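Review bot: in the tls-options.rst hunks of 19/21, the new entry's description uses a bare single-backtick `legacy` ("Identical for mbed TLS to `legacy`") while every neighbouring entry marks option values with :code:`...`; use :code:`legacy` and reorder to "Identical to :code:`legacy` for mbed TLS". In the OpenSSL approximation block, the :code:`insecure` entry says only that it "sets security level 0"; add one clause saying that this re-admits SHA1 signatures and other parameters that level 1 rejects, which is the stated reason for the profile, so the manual spells out what the operator is giving up.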
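Review bot: in the ssl_mbedtls.c hunk of 19/21, "insecure" is folded into the same branch as "legacy" and silently mapped onto openvpn_x509_crt_profile_legacy, so on mbed TLS builds the value is accepted but changes nothing; consider logging that the profile falls back to legacy here, so the effective certificate policy is visible in the log of a build that does not honour the distinction.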
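Review bot: logic problem in the ssl_openssl.c hunk of 19/21: the new first branch `if (!profile || 0 == strcmp(profile, "insecure"))` catches the no-profile case, so a configuration without --tls-cert-profile now gets SSL_CTX_set_security_level(ctx->ctx, 0) instead of level 1, and the `!profile` in the following `else if (!profile || 0 == strcmp(profile, "legacy"))` is unreachable. That silently lowers the default OpenSSL security level to 0 and contradicts the documentation hunk, which keeps :code:`legacy` (level 1) as the default. Keep the default with legacy and test "insecure" on its own: `if (!profile || 0 == strcmp(profile, "legacy")) { SSL_CTX_set_security_level(ctx->ctx, 1); } else if (0 == strcmp(profile, "insecure")) { SSL_CTX_set_security_level(ctx->ctx, 0); }`.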
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:26 +0200
Message-Id: <20211019183127.614175-21-arne@rfc2549.org>
In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org>
References: <20211019183127.614175-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 20/21] Add macos OpenSSL 3.0 and ASAN builds

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 .github/workflows/build.yaml | 28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 514ae66b2..d39ea8bfa 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -168,15 +168,37 @@ jobs: macos: runs-on: macos-latest + strategy: + fail-fast: false + matrix: + ossl: [ 1.1, 3 ] + build: [ normal, asan ] + include: + - build: asan + cflags: "-fsanitize=address -fno-optimize-sibling-calls -fsanitize-address-use-after-scope -fno-omit-frame-pointer -g -O1" + ldflags: -fsanitize=address + # Our build system ignores LDFLAGS for plugins + configureflags: --disable-plugin-auth-pam --disable-plugin-down-root + - build: normal + cflags: "-O2 -g" + ldflags: "" + configureflags: "" + + name: "macOS - OpenSSL ${{matrix.ossl}} - ${{matrix.build}}" + env: + CFLAGS: ${{ matrix.cflags }} + LDFLAGS: ${{ matrix.ldflags }} + OPENSSL_CFLAGS: -I/usr/local/opt/openssl@${{matrix.ossl}}/include + OPENSSL_LIBS: "-L/usr/local/opt/openssl@${{matrix.ossl}}/lib -lcrypto -lssl" steps: + - name: Install dependencies + run: brew install openssl@1.1 openssl@3 lzo lz4 man2html cmocka libtool automake autoconf - name: Checkout OpenVPN uses: actions/checkout@v2 - - name: Install dependencies - run: brew install openssl lzo lz4 man2html cmocka libtool automake autoconf - name: autoconf run: autoreconf -fvi - name: configure - run: OPENSSL_CFLAGS=-I/usr/local/opt/openssl@1.1/include OPENSSL_LIBS="-L/usr/local/opt/openssl@1.1/lib -lcrypto -lssl" ./configure + run: ./configure ${{matrix.configureflags}} - name: make all run: make -j4 - name: make check From patchwork Tue Oct 19 07:31:27 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2041 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director10.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id kI/gGDwPb2EaQwAAIUCqbw (envelope-from ) for ; Tue, 19 Oct 2021 14:32:28 -0400 Received: from proxy15.mail.ord1d.rsapps.net ([172.30.191.6]) by director10.mail.ord1d.rsapps.net with LMTP id GOXVGDwPb2FMGAAApN4f7A (envelope-from ) for ; 
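Review bot: in the build.yaml hunk of 20/21, `ossl: [ 1.1, 3 ]` leaves the matrix values unquoted, so YAML parses them as a float and an integer; the interpolation into openssl@${{matrix.ossl}} happens to render "1.1" and "3", which match the Homebrew keg names, but that depends on number formatting rather than on the strings you mean. Quote them as "1.1" and "3" so the include entries, the job name and the OPENSSL_CFLAGS/OPENSSL_LIBS paths all key on literal strings. The comment "Our build system ignores LDFLAGS for plugins" is good: it is the only place that explains why the asan variant passes --disable-plugin-auth-pam --disable-plugin-down-root, so keep it next to those flags if the block is reshuffled.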
From patchwork Tue Oct 19 07:31:27 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2041
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:27 +0200
Message-Id: <20211019183127.614175-22-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org>
References: <20211019183127.614175-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 21/21] Always use 8192 bytes for ERR_BUF_SIZE

The signature messages required by external key management also break the 1280 limit. To also avoid this surprise of different behaviour with PKCS11 enabled/disabled, always use the larger size.
Signed-off-by: Arne Schwabe
---
 src/openvpn/error.h | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/src/openvpn/error.h b/src/openvpn/error.h
index 533354b3c..c36a82659 100644
--- a/src/openvpn/error.h
+++ b/src/openvpn/error.h
@@ -36,12 +36,8 @@ #endif /* #define ABORT_ON_ERROR */ - -#ifdef ENABLE_PKCS11 #define ERR_BUF_SIZE 8192 -#else -#define ERR_BUF_SIZE 1280 -#endif + struct gc_arena;
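Review bot: the single `+` line in this hunk adds an empty line right before the context blank that already precedes `struct gc_arena;`, so the result has two consecutive blank lines after `#define ERR_BUF_SIZE 8192`; dropping the added line keeps the file's spacing as it was. On the substance, the commit message explains why 1280 is too small for the external key management signature messages but not what the larger size costs: the old `#ifdef ENABLE_PKCS11` also documented that the two sizes existed for a reason, and the new unconditional define does not. If buffers of ERR_BUF_SIZE are placed on the stack in the message path, every build, not only PKCS11-enabled ones, now reserves 8 KiB per such call; a sentence in the message (or a short comment above the define) saying where these buffers are allocated and why 8192 is the right number for all builds would make the trade-off reviewable.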