From patchwork Mon Mar 28 18:37:09 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Baentsch X-Patchwork-Id: 2353 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director10.mail.ord1d.rsapps.net ([172.28.255.1]) by backend41.mail.ord1d.rsapps.net with LMTP id GP2uCWWbQmIhDAAAqwncew (envelope-from ) for ; Tue, 29 Mar 2022 01:38:45 -0400 Received: from proxy6.mail.ord1c.rsapps.net ([172.28.255.1]) by director10.mail.ord1d.rsapps.net with LMTP id GJr2H2WbQmLBNgAApN4f7A (envelope-from ) for ; Tue, 29 Mar 2022 01:38:45 -0400 Received: from smtp21.gate.ord1c ([172.28.255.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy6.mail.ord1c.rsapps.net with LMTPS id WJhAH2WbQmLEaQAA9sKXow (envelope-from ) for ; Tue, 29 Mar 2022 01:38:45 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp21.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=fail (p=none; dis=none) header.from=baentsch.ch X-Suspicious-Flag: YES X-Classification-ID: 7f7972c0-af22-11ec-ac8d-a0369f0d8808-1-1 Received: from [216.105.38.7] ([216.105.38.7:53316] helo=lists.sourceforge.net) by smtp21.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 24/D9-27606-46B92426; Tue, 29 Mar 2022 01:38:45 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1nZ4Xr-00020g-6Q; Tue, 29 Mar 2022 05:37:30 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1nZ4Xo-00020Z-Qt for openvpn-devel@lists.sourceforge.net; Tue, 29 Mar 2022 05:37:27 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To: MIME-Version:Content-Type:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=fn9n61FalNxXdyQcuFqwAiGyT1AxfeyYq5IENAuKRwI=; b=JW3avDv0zndoomcH9tJgpe68t9 J+UneWeWv0+coLf+DYK3spLsN8ar4jS+ToI7jiJChhV0W/eS78xHqWeKRSYWf0vfZX+3s7GjDcI5d /STrGTxC6g+xhJ029AYVnk6Zzc2CTwSO7LSOy2EN/u2LHyV9K9l68QNWEzDkU1R/uzAA=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:MIME-Version: Content-Type:Content-Transfer-Encoding:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=fn9n61FalNxXdyQcuFqwAiGyT1AxfeyYq5IENAuKRwI=; b=elcQlqQatcwLarV4aYLJpM0kti Fsa89XOIz5UW0zsE19buOyDD8I0PH/FX5AdoCHvJN1R1bMUhE/6I+4h2edMYtTtzlpslkIgbrFwUg oeLtOhpmOAeZ5VEjKHqBPVEH3+h+VEHhJO9hCPr6Y3SS1nKWF29t6Ltx0yowgukEQNZs=; Received: from www14.servertown.ch ([94.231.94.132]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.94.2) id 1nZ4Xj-0002Jm-1B for openvpn-devel@lists.sourceforge.net; Tue, 29 Mar 2022 05:37:27 +0000 Received: from T430s.fritz.box (unknown [IPv6:2a01:2ac:51dd:d483:346f:6513:950f:7b44]) by www14.servertown.ch (Postfix) with ESMTPSA id 1FA8E1624E11; Tue, 29 Mar 2022 07:37:13 +0200 (CEST) Received-SPF: pass (www14.servertown.ch: connection is authenticated) From: Michael Baentsch To: openvpn-devel@lists.sourceforge.net Date: Tue, 29 Mar 2022 07:37:09 +0200 Message-Id: <20220329053709.19462-1-info@baentsch.ch> X-Mailer: git-send-email 2.17.1 X-PPP-Message-ID: <164853223353.84416.16045044775432440539@www14.servertown.ch> X-PPP-Vhost: baentsch.ch X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Michael <57787676+baentsch@users.noreply.github.com> OpenSSL3 prefers to specify groups (including EC groups) with names instead of NID to allow also groups provided by providers. This commit also removes the mapping of secp256r1 to prime256v1 for the O [...] Content analysis details: (-0.0 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Headers-End: 1nZ4Xj-0002Jm-1B Subject: [Openvpn-devel] [PATCH] Enable usage of TLS groups not identified by a NID in OpenSSL 3 X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Michael <57787676+baentsch@users.noreply.github.com> MIME-Version: 1.0 Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox From: Michael <57787676+baentsch@users.noreply.github.com> OpenSSL3 prefers to specify groups (including EC groups) with names instead of NID to allow also groups provided by providers. This commit also removes the mapping of secp256r1 to prime256v1 for the OpenSSL3 code path as OpenSSL 3.0 recognises secp256r1.1 Acked-By: Arne Schwabe --- src/openvpn/ssl_openssl.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index b8595174..af97dabc 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -572,13 +572,15 @@ void tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups) { ASSERT(ctx); +#if OPENSSL_VERSION_NUMBER < 0x30000000L struct gc_arena gc = gc_new(); /* This method could be as easy as * SSL_CTX_set1_groups_list(ctx->ctx, groups) - * but OpenSSL does not like the name secp256r1 for prime256v1 + * but OpenSSL (< 3.0) does not like the name secp256r1 for prime256v1 * This is one of the important curves. * To support the same name for OpenSSL and mbedTLS, we do * this dance. + * Also note that the code is wrong in the presence of OpenSSL3 providers. */ int groups_count = get_num_elements(groups, ':'); @@ -617,6 +619,13 @@ tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups) groups); } gc_free(&gc); +#else + if (!SSL_CTX_set1_groups_list(ctx->ctx, groups)) + { + crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s", + groups); + } +#endif } void