From patchwork Thu May 12 02:14:23 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2454
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 12 May 2022 14:14:23 +0200
Message-Id: <20220512121429.2096164-2-arne@rfc2549.org>
In-Reply-To: <20220512121429.2096164-1-arne@rfc2549.org>
References: <20220512121429.2096164-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 1/7] Refactor early initialisation and uninitialisation into methods

This puts the early initialisation and uninitialisation that needs to happen between option parsing and post processing into small methods.

Cherry-pick of 97056dbf9 as prerequisite for the provider patch
Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/openvpn.c | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c index a21b21e23..e03d25450 100644 --- a/src/openvpn/openvpn.c +++ b/src/openvpn/openvpn.c @@ -105,6 +105,20 @@ tunnel_point_to_point(struct context *c) #undef PROCESS_SIGNAL_P2P +void init_early(struct context *c) +{ + net_ctx_init(c, &c->net_ctx); + + /* init verbosity and mute levels */ + init_verb_mute(c, IVM_LEVEL_1); + +} + +static void uninit_early(struct context *c) +{ + net_ctx_free(&c->net_ctx); +} + /**************************************************************************/ /** @@ -193,10 +207,9 @@ openvpn_main(int argc, char *argv[]) open_plugins(&c, true, OPENVPN_PLUGIN_INIT_PRE_CONFIG_PARSE); #endif - net_ctx_init(&c, &c.net_ctx); - - /* init verbosity and mute levels */ - init_verb_mute(&c, IVM_LEVEL_1); + /* Early initialisation that need to happen before option + * post processing and other early startup but after parsing */ + init_early(&c); /* set dev options */ init_options_dev(&c.options); 
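Review bot: init_early() in the first hunk is added without static and without a prototype in any header, while uninit_early() directly below it is static; unless another translation unit is meant to call it, declare it as "static void init_early(struct context *c)" so the two helpers match and a missing-prototype warning cannot slip through. The same hunk leaves a stray blank line before the closing brace of init_early(), and the comment added in the second hunk should read "Early initialisation that needs to happen before option post processing ...".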
@@ -308,7 +321,7 @@ openvpn_main(int argc, char *argv[]) env_set_destroy(c.es); uninit_options(&c.options); gc_reset(&c.gc); - net_ctx_free(&c.net_ctx); + uninit_early(&c); } while (c.sig->signal_received == SIGHUP); }

From patchwork Thu May 12 02:14:24 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2449
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 12 May 2022 14:14:24 +0200
Message-Id: <20220512121429.2096164-3-arne@rfc2549.org>
In-Reply-To: <20220512121429.2096164-1-arne@rfc2549.org>
References: <20220512121429.2096164-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 2/7] Allow loading of non default providers

This allows OpenVPN to load non-default providers. This is mainly useful for loading the legacy provider with --providers legacy default

Cherry-pick of 08081aa0a153 to release/2.5. Changes.rst has been adjusted to better fit the changes in 2.5.
Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- Changes.rst | 14 +++++++++++++ doc/man-sections/generic-options.rst | 12 +++++++++++ src/openvpn/crypto_backend.h | 15 ++++++++++++++ src/openvpn/crypto_mbedtls.c | 13 ++++++++++++ src/openvpn/crypto_mbedtls.h | 3 +++ src/openvpn/crypto_openssl.c | 31 ++++++++++++++++++++++++++++ src/openvpn/crypto_openssl.h | 11 ++++++++++ src/openvpn/openvpn.c | 15 +++++++++++++- src/openvpn/options.c | 8 +++++++ src/openvpn/options.h | 9 ++++++++ 10 files changed, 130 insertions(+), 1 deletion(-) diff --git a/Changes.rst b/Changes.rst index 45d2c3f39..884c122a9 100644 --- a/Changes.rst +++ b/Changes.rst @@ -14,6 +14,20 @@ New features - upgrade pkcs11-helper to release 1.28.4 +- Limited OpenSSL 3.0 support + OpenSSL 3.0 support has been added. OpenSSL 3.0 support in 2.5 relies + on the compatiblity layer and full OpenSSL 3.0 support is coming with + OpenVPN 2.6. Only features that impact usage directly have been + backported: + + ``--tls-cert-profile insecure`` has been added to allow selecting the + lowest OpenSSL security level (not recommended, use only if you must). + + OpenSSL 3.0 no longer supports the Blowfish (and other deprecated) + algorithm by default and the new option ``--providers`` allows loading + the legacy provider to renable these algorithms. + + Bugfixes -------- - CVE-2022-0547 diff --git a/doc/man-sections/generic-options.rst b/doc/man-sections/generic-options.rst index d5f08839b..18085f9bd 100644 --- a/doc/man-sections/generic-options.rst +++ b/doc/man-sections/generic-options.rst 
@@ -252,6 +252,18 @@ which mode OpenVPN is configured as. This option solves the problem by persisting keys across :code:`SIGUSR1` resets, so they don't need to be re-read. +--providers providers + Load the list of (OpenSSL) providers. This is mainly useful for using an + external provider for key management like tpm2-openssl or to load the + legacy provider with + + :: + + --providers legacy default + + Behaviour of changing this option between SIGHUP might not be well behaving. + If you need to change/add/remove this option, fully restart OpenVPN. + --remap-usr1 signal Control whether internally or externally generated :code:`SIGUSR1` signals are remapped to :code:`SIGHUP` (restart without persisting state) or diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index b5a122eee..a9bb38ed2 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -78,6 +78,21 @@ void crypto_clear_error(void); */ void crypto_init_lib_engine(const char *engine_name); + +/** + * Load the given (OpenSSL) providers + * @param provider name of providers to load + * @return reference to the loaded provider + */ +provider_t *crypto_load_provider(const char *provider); + +/** + * Unloads the given (OpenSSL) provider + * @param provname name of the provider to unload + * @param provider pointer to the provider to unload + */ +void crypto_unload_provider(const char *provname, provider_t *provider); + #ifdef DMALLOC /* * OpenSSL memory debugging. If dmalloc debugging is enabled, tell diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index 1da99d147..000815209 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c 
@@ -69,6 +69,19 @@ crypto_init_lib_engine(const char *engine_name) "available"); } +provider_t *crypto_load_provider(const char *provider) +{ + if (provider) + { + msg(M_WARN, "Note: mbed TLS provider functionality is not available"); + } + return NULL; +} + +void crypto_unload_provider(const char *provname, provider_t *provider) +{ +} + /* * * Functions related to the core crypto library diff --git a/src/openvpn/crypto_mbedtls.h b/src/openvpn/crypto_mbedtls.h index 816e1397a..14614a12d 100644 --- a/src/openvpn/crypto_mbedtls.h +++ b/src/openvpn/crypto_mbedtls.h @@ -48,6 +48,9 @@ typedef mbedtls_md_context_t md_ctx_t; /** Generic HMAC %context. */ typedef mbedtls_md_context_t hmac_ctx_t; +/* Use a dummy type for the provider */ +typedef void provider_t; + /** Maximum length of an IV */ #define OPENVPN_MAX_IV_LENGTH MBEDTLS_MAX_IV_LENGTH diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 0908e9aa1..beeaee4b7 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -51,6 +51,10 @@ #include #include +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include +#endif + #if defined(_WIN32) && defined(OPENSSL_NO_EC) #error Windows build with OPENSSL_NO_EC: disabling EC key is not supported. #endif 
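Review bot: the Changes.rst hunk has two typos in the new "Limited OpenSSL 3.0 support" entry: "compatiblity" should be "compatibility" and "renable" should be "re-enable". The entry also says the option "allows loading the legacy provider" without saying that "default" has to be listed as well; the example in the man page hunk shows "--providers legacy default" but neither text explains it, and a reader who writes "--providers legacy" alone will lose the default algorithms (see the note on the generic-options.rst hunk).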
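Review bot: the generic-options.rst hunk should state why the example lists both providers: with OpenSSL 3.0, explicitly loading any provider into the default library context switches off the implicit loading of the default provider, so "default" must be given whenever "legacy" is, otherwise the normal ciphers and digests disappear. The sentence "Behaviour of changing this option between SIGHUP might not be well behaving." is also hard to parse; suggested wording: "Changing this option across a SIGHUP restart is not well supported. If you need to change, add or remove providers, fully restart OpenVPN."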
@@ -145,6 +149,33 @@ crypto_init_lib_engine(const char *engine_name) #endif } +provider_t * +crypto_load_provider(const char *provider) +{ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + /* Load providers into the default (NULL) library context */ + OSSL_PROVIDER *prov = OSSL_PROVIDER_load(NULL, provider); + if (!prov) + { + crypto_msg(M_FATAL, "failed to load provider '%s'", provider); + } + return prov; +#else /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ + msg(M_WARN, "Note: OpenSSL provider functionality is not available"); + return NULL; +#endif +} + +void crypto_unload_provider(const char *provname, provider_t *provider) +{ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + if (!OSSL_PROVIDER_unload(provider)) + { + crypto_msg(M_FATAL, "failed to unload provider '%s'", provname); + } +#endif +} + /* * * Functions related to the core crypto library diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h index ecc66fbfd..9bb58adae 100644 --- a/src/openvpn/crypto_openssl.h +++ b/src/openvpn/crypto_openssl.h @@ -33,6 +33,10 @@ #include #include #include +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include +#endif + /** Generic cipher key type %context. */ typedef EVP_CIPHER cipher_kt_t; @@ -49,6 +53,13 @@ typedef EVP_MD_CTX md_ctx_t; /** Generic HMAC %context. */ typedef HMAC_CTX hmac_ctx_t; +#if OPENSSL_VERSION_NUMBER < 0x30000000L +/* Use a dummy type for the provider */ +typedef void provider_t; +#else +typedef OSSL_PROVIDER provider_t; +#endif + /** Maximum length of an IV */ #define OPENVPN_MAX_IV_LENGTH EVP_MAX_IV_LENGTH diff --git a/src/openvpn/openvpn.c b/src/openvpn/openvpn.c index e03d25450..1cd8f1b30 100644 --- a/src/openvpn/openvpn.c +++ b/src/openvpn/openvpn.c 
@@ -112,14 +112,27 @@ void init_early(struct context *c) /* init verbosity and mute levels */ init_verb_mute(c, IVM_LEVEL_1); + /* Initialise OpenSSL provider, this needs to be initialised this + * early since option post-processing and also openssl info + * printing depends on it */ + for (int j=1; j < MAX_PARMS && c->options.providers.names[j]; j++) + { + c->options.providers.providers[j] = + crypto_load_provider(c->options.providers.names[j]); + } } static void uninit_early(struct context *c) { net_ctx_free(&c->net_ctx); + for (int j=1; j < MAX_PARMS && c->options.providers.providers[j]; j++) + { + crypto_unload_provider(c->options.providers.names[j], + c->options.providers.providers[j]); + } + net_ctx_free(&c->net_ctx); } - /**************************************************************************/ /** * OpenVPN's main init-run-cleanup loop. diff --git a/src/openvpn/options.c b/src/openvpn/options.c index e0b273bdd..f6ef02ae8 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -602,6 +602,7 @@ static const char usage_message[] = " : Use --show-tls to see a list of supported TLS ciphers (suites).\n" "--tls-cert-profile p : Set the allowed certificate crypto algorithm profile\n" " (default=legacy).\n" + "--providers l : A list l of OpenSSL providers to load.\n" "--tls-timeout n : Packet retransmit timeout on TLS control channel\n" " if no ACK from remote within n seconds (default=%d).\n" "--reneg-bytes n : Renegotiate data chan. key after n bytes sent and recvd.\n" @@ -8129,6 +8130,13 @@ add_option(struct options *options, options->keysize = keysize; } #endif + else if (streq(p[0], "providers") && p[1]) + { + for (size_t j = 1; j < MAX_PARMS && p[j] != NULL;j++) + { + options->providers.names[j] = p[j]; + } + } #ifdef ENABLE_PREDICTION_RESISTANCE else if (streq(p[0], "use-prediction-resistance") && !p[1]) { diff --git a/src/openvpn/options.h b/src/openvpn/options.h index 251660fdc..372209042 100644 --- a/src/openvpn/options.h 
+++ b/src/openvpn/options.h @@ -176,6 +176,14 @@ struct remote_list struct remote_entry *array[CONNECTION_LIST_SIZE]; }; +struct provider_list +{ + /* Names of the providers */ + const char *names[MAX_PARMS]; + /* Pointers to the loaded providers to unload them */ + provider_t *providers[MAX_PARMS]; +}; + enum vlan_acceptable_frames { VLAN_ONLY_TAGGED, 
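Review bot: uninit_early() in the openvpn.c hunk now calls net_ctx_free(&c->net_ctx) twice, once on the unchanged first line of the function and again on the added last line. One of them has to go; if the intent is to release the network context only after the providers have been unloaded, remove the first call rather than the added one. This runs on every SIGHUP iteration of the main loop, so the double call is hit on each restart, not just at exit.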
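Review bot: crypto_unload_provider() in the crypto_openssl.c hunk reports a failed OSSL_PROVIDER_unload() with M_FATAL, and the openvpn.c hunk in this patch calls it from uninit_early() on the SIGHUP restart path, so an unload failure during teardown terminates the daemon instead of letting the restart proceed. M_WARN with the provider name is the safer severity for a cleanup path; M_FATAL is appropriate in crypto_load_provider(), where continuing without the requested provider would silently change which algorithms are available.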
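Review bot: the new "providers" branch in the options.c hunk accepts the option with no permission check in front of the loop; consider guarding it with VERIFY_PERMISSION(OPT_P_GENERAL) so that --providers, which decides what crypto code gets loaded into the process, can only come from the local configuration and never from a pushed or otherwise less trusted option source. Separately, the loop stores p[j] from index 1 and leaves names[0] unused, and the two loops in the openvpn.c hunk depend on that by also starting at 1; either store from index 0 or say so in the comment on struct provider_list in the options.h hunk, so the next caller does not iterate from 0 and stop on the empty slot.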
@@ -519,6 +527,7 @@ struct options const char *prng_hash; int prng_nonce_secret_len; const char *engine; + struct provider_list providers; bool replay; bool mute_replay_warnings; int replay_window;

From patchwork Thu May 12 02:14:25 2022
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2451
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Cc: Gert Doering
Date: Thu, 12 May 2022 14:14:25 +0200
Message-Id: <20220512121429.2096164-4-arne@rfc2549.org>
In-Reply-To: <20220512121429.2096164-1-arne@rfc2549.org>
References: <20220512121429.2096164-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 3/7] Add ubuntu 22.04 to Github Actions

This adds Ubuntu 22.04 to the Github actions. mbed TLS in 22.04 is still old enough (2.28) to build with OpenVPN and GPL licensed.

Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20220506132836.1318985-2-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24299.html Signed-off-by: Gert Doering Acked-by: Gert Doering --- .github/workflows/build.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index fb53fb8bd..4926c1f95 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -130,7 +130,7 @@ jobs: strategy: fail-fast: false matrix: - os: [ubuntu-18.04, ubuntu-20.04] + os: [ubuntu-18.04, ubuntu-20.04, ubuntu-22.04] sslpkg: [libmbedtls-dev] ssllib: [mbedtls] libname: [mbed TLS]
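Review bot: the ubuntu-22.04 entry added to the mbed TLS matrix keeps libname as the versionless [mbed TLS], while the OpenSSL entries in the same workflow name the library version in libname (OpenSSL 1.1.1). Since the commit message relies on 22.04 shipping mbed TLS 2.28, it is worth recording that version in the job name the same way, so that a distro move to mbed TLS 3.x, which OpenVPN cannot build against, shows up as a visibly wrong label instead of an unexplained red job.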
@@ -148,6 +148,10 @@ jobs: sslpkg: "libssl-dev" libname: OpenSSL 1.1.1 ssllib: openssl + - os: ubuntu-22.04 + sslpkg: "libssl-dev" + libname: OpenSSL 3.0.2 + ssllib: openssl - os: ubuntu-20.04 sslpkg: "libssl-dev" libname: OpenSSL 1.1.1 From patchwork Thu May 12 02:14:26 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2453 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director12.mail.ord1d.rsapps.net ([172.30.191.6]) by backend41.mail.ord1d.rsapps.net with LMTP id 0JSQLYn6fGL0VwAAqwncew (envelope-from ) for ; Thu, 12 May 2022 08:16:09 -0400 Received: from proxy20.mail.ord1d.rsapps.net ([172.30.191.6]) by director12.mail.ord1d.rsapps.net with LMTP id oGo7BYr6fGLYXwAAIasKDg (envelope-from ) for ; Thu, 12 May 2022 08:16:10 -0400 Received: from smtp27.gate.ord1c ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy20.mail.ord1d.rsapps.net with LMTPS id QLnyBIr6fGL1cQAAsk8m8w (envelope-from ) for ; Thu, 12 May 2022 08:16:10 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp27.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 4e135956-d1ed-11ec-9e95-b8ca3a655ab8-1-1 Received: from [216.105.38.7] ([216.105.38.7:48822] helo=lists.sourceforge.net) by smtp27.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id D8/29-23229-98AFC726; Thu, 12 May 2022 
08:16:09 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1np7if-000889-8j; Thu, 12 May 2022 12:15:00 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1np7iS-00087h-2s for openvpn-devel@lists.sourceforge.net; Thu, 12 May 2022 12:14:47 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=a+OJw2pwI6kfPlIR5McidAJEgS2Lhxtj9YD+rW2Tj3U=; b=OQDrnbsajOwuP41mTzhyV2c9eb X2BegB+LSGwpBCBMpRYQJn2Dlg0tvQzNNGoLqJ9az+ImbqddInkuH6Upqbd1lt2KcIZpBq/oFW8+3 E9AV9fqqTEXNFMZtxvmGcwt9UCElith41CqJSeIrU65R5VP6QoeYR3GNTpaDmfixgcd8=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=a+OJw2pwI6kfPlIR5McidAJEgS2Lhxtj9YD+rW2Tj3U=; b=L6FJU838G0VZlnZI0Gbk013sSf UrYOIgioL2Mz+oGNbyjJeXicynu9mbH/7Bk8Wza8zYM2j7Nc+NO6mc3HgXyjuCPR+hmWAJfrT0EF7 7L2/KkQNI7DfDbLenZzjEArVnbpp2cxG+Kg2cH9a/GMqAmFOxp3S4exK1frxGj5bKT38=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2) id 1np7iL-0004K1-2G for openvpn-devel@lists.sourceforge.net; Thu, 12 May 2022 12:14:41 
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Cc: Gert Doering
Date: Thu, 12 May 2022 14:14:26 +0200
Message-Id: <20220512121429.2096164-5-arne@rfc2549.org>
In-Reply-To: <20220512121429.2096164-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 4/7] Add macos OpenSSL 3.0 and ASAN builds
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
Message-Id: <20211019183127.614175-21-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23018.html
Signed-off-by: Gert Doering
Acked-by: Gert Doering
---
 .github/workflows/build.yaml | 28 +++++++++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 4926c1f95..3bdf2aa9f 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -224,15 +224,37 @@ jobs: macos: runs-on: macos-latest + strategy: + fail-fast: false + matrix: + ossl: [ 1.1, 3 ] + build: [ normal, asan ] + include: + - build: asan + cflags: "-fsanitize=address -fno-optimize-sibling-calls -fsanitize-address-use-after-scope -fno-omit-frame-pointer -g -O1" + ldflags: -fsanitize=address + # Our build system ignores LDFLAGS for plugins + configureflags: --disable-plugin-auth-pam --disable-plugin-down-root + - build: normal + cflags: "-O2 -g" + ldflags: "" + configureflags: "" + + name: "macOS - OpenSSL ${{matrix.ossl}} - ${{matrix.build}}" + env: + CFLAGS: ${{ matrix.cflags }} + LDFLAGS: ${{ matrix.ldflags }} + OPENSSL_CFLAGS: -I/usr/local/opt/openssl@${{matrix.ossl}}/include + OPENSSL_LIBS: "-L/usr/local/opt/openssl@${{matrix.ossl}}/lib -lcrypto -lssl" steps: + - name: Install dependencies + run: brew install openssl@1.1 openssl@3 lzo lz4 man2html cmocka libtool automake autoconf - name: Checkout OpenVPN uses: actions/checkout@v2 - - name: Install dependencies - run: brew install openssl lzo lz4 man2html cmocka libtool automake autoconf - name: autoconf run: autoreconf -fvi - name: configure - run: OPENSSL_CFLAGS=-I/usr/local/opt/openssl@1.1/include OPENSSL_LIBS="-L/usr/local/opt/openssl@1.1/lib -lcrypto -lssl" ./configure + run: ./configure ${{matrix.configureflags}} - name: make all run: make -j4 - name: make check
From patchwork Thu May 12 02:14:27 2022 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2450
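Review bot: the OPENSSL_CFLAGS and OPENSSL_LIBS entries in the env block of the macos job hunk of .github/workflows/build.yaml hard-code the /usr/local Homebrew prefix (-I/usr/local/opt/openssl@${{matrix.ossl}}/include and -L/usr/local/opt/openssl@${{matrix.ossl}}/lib); Homebrew on Apple Silicon installs under /opt/homebrew, so as soon as macos-latest moves to arm64 runners both matrix entries would pick up whatever OpenSSL the compiler finds on its own instead of the requested version. Setting the prefix from `brew --prefix openssl@${{matrix.ossl}}` in a step keeps the matrix honest on either architecture. Two smaller points in the same hunk: actions/checkout@v2 is referenced by a mutable tag rather than a commit SHA, and the asan entry disables the auth-pam and down-root plugins (the comment explains why), so the plugins are only ever built in the normal entry and never run under the sanitizer.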
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 12 May 2022 14:14:27 +0200
Message-Id: <20220512121429.2096164-6-arne@rfc2549.org>
In-Reply-To: <20220512121429.2096164-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 5/7] Add --with-openssl-engine autoconf option (auto|yes|no)

This is a cherry-pick to release2.5 from 0df2261da. The OpenSSL engine
tests fail otherwise and it is good to have the same behaviour as in
master/2.6.

This allows selecting engine support at configure time.
For OpenSSL 1.1 the default is not changed and we detect if engine
support is available. Engine support is deprecated in OpenSSL 3.0 and
for OpenSSL 3.0 the default is to disable engine support as engine
support is deprecated and generates compiler warnings which in turn also
break -Werror.

By using --with-openssl-engine=no or --with-openssl-engine=yes engine
support can be forced on or off. If it is enabled but not detected an
error will be thrown.

This commit cleans up the configure logic a bit and removes the
ENGINE_cleanup checks as we can just assume that it will also be
available as macro or function if the other engine functions are
available. Before the cleanup we would only check for the existence of
engine.h if ENGINE_cleanup was not found.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
---
 Changes.rst  |  3 +++
 configure.ac | 60 ++++++++++++++++++++++++++++++++++++++++------------
 2 files changed, 50 insertions(+), 13 deletions(-)

diff --git a/Changes.rst b/Changes.rst index 884c122a9..d15ffbb87 100644 --- a/Changes.rst +++ b/Changes.rst @@ -27,6 +27,9 @@ New features algorithm by default and the new option ``--providers`` allows loading the legacy provider to renable these algorithms. + The OpenSSL engine feature ``--engine`` is not enabled by default + anymore if OpenSSL 3.0 is detected. + Bugfixes -------- diff --git a/configure.ac b/configure.ac index 6242cc22e..2f5f6bc7c 100644 --- a/configure.ac +++ b/configure.ac
@@ -281,6 +281,18 @@ AC_ARG_WITH( [with_crypto_library="openssl"] ) +AC_ARG_WITH( + [openssl-engine], + [AS_HELP_STRING([--with-openssl-engine], [enable engine support with OpenSSL. Default enabled for OpenSSL < 3.0, auto,yes,no @<:@default=auto@:>@])], + [ + case "${withval}" in + auto|yes|no) ;; + *) AC_MSG_ERROR([bad value ${withval} for --with-engine]) ;; + esac + ], + [with_openssl_engine="auto"] +) + AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@]) if test -n "${PLUGINDIR}"; then plugindir="${PLUGINDIR}" 
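Review bot: the AC_MSG_ERROR in the new AC_ARG_WITH block names the wrong option: it reports `bad value ${withval} for --with-engine`, but the option being added is --with-openssl-engine, so a user who mistypes the value is pointed at a flag that does not exist. Change it to `[bad value ${withval} for --with-openssl-engine]`. The help string reads awkwardly as well; something like `[enable engine support with OpenSSL (auto|yes|no); auto enables it for OpenSSL < 3.0 @<:@default=auto@:>@]` says the same thing in one pass. Since the option is user-visible, the Changes.rst entry in this patch should also mention --with-openssl-engine next to the changed default for --engine, otherwise a packager who loses engine support on OpenSSL 3.0 has no documented way to get it back.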
@@ -880,22 +892,44 @@ if test "${with_crypto_library}" = "openssl"; then [AC_MSG_ERROR([openssl check failed])] ) - have_openssl_engine="yes" - AC_CHECK_FUNCS( - [ \ + if test "${with_openssl_engine}" = "auto"; then + AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[ + #include + ]], + [[ + /* Version encoding: MNNFFPPS - see opensslv.h for details */ + #if OPENSSL_VERSION_NUMBER >= 0x30000000L + #error Engine supported disabled by default in OpenSSL 3.0+ + #endif + ]] + )], + [have_openssl_engine="yes"], + [have_openssl_engine="no"] + ) + if test "${have_openssl_engine}" = "yes"; then + AC_CHECK_FUNCS( + [ \ ENGINE_load_builtin_engines \ ENGINE_register_all_complete \ - ENGINE_cleanup \ - ], - , - [have_openssl_engine="no"; break] - ) - if test "${have_openssl_engine}" = "no"; then - AC_CHECK_DECL( [ENGINE_cleanup], [have_openssl_engine="yes"],, - [[ - #include - ]] + ], + , + [have_openssl_engine="no"; break] + ) + fi + else + have_openssl_engine="${with_openssl_engine}" + if test "${have_openssl_engine}" = "yes"; then + AC_CHECK_FUNCS( + [ \ + ENGINE_load_builtin_engines \ + ENGINE_register_all_complete \ + ], + , + [AC_MSG_ERROR([OpenSSL engine support not found])] ) + fi fi if test "${have_openssl_engine}" = "yes"; then AC_DEFINE([HAVE_OPENSSL_ENGINE], [1], [OpenSSL engine support available])
From patchwork Thu May 12 02:14:28 2022 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2447
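Review bot: the #error text in the AC_COMPILE_IFELSE probe of the configure.ac engine-detection hunk reads `Engine supported disabled by default in OpenSSL 3.0+`; it should be `Engine support disabled by default in OpenSSL 3.0+`. That string lands in config.log every time the probe fails, which is the normal path on OpenSSL 3.0, so it is worth getting right. Two more points in the same hunk: in the auto path on OpenSSL 3.0, have_openssl_engine is set to no without any output, so a user who expects --engine to keep working gets no hint from configure; an AC_MSG_NOTICE at that point would save a round of debugging. And the forced --with-openssl-engine=yes branch only runs AC_CHECK_FUNCS, which still succeeds on OpenSSL 3.0 because the ENGINE_* functions exist as deprecated API, so the build then fails later under -Werror exactly as the commit message describes; an AC_MSG_WARN when engine support is forced on and OPENSSL_VERSION_NUMBER >= 0x30000000L would make that failure expected rather than surprising.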
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 12 May 2022 14:14:28 +0200
Message-Id: <20220512121429.2096164-7-arne@rfc2549.org>
In-Reply-To: <20220512121429.2096164-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 6/7] Fix allowing/showing unsupported ciphers and digests

This is a minimal version to hide the non-supported ciphers in these
show-cipher/show-digests listings. It also adds code to the kt_md_get/
kt_cipher_get functions to error out early instead of getting an ugly
backtrace with OpenSSL errors later when actually trying to use the
ciphers. This allows make check to work again with OpenSSL 3.0.
The changes are kept minimal to avoid pulling in all the other refactoring for OpenSSL 3.0. This commit is partly cherry-picked from ab3f32b9. Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/crypto_openssl.c | 50 +++++++++++++++++++++++++++++++++--- 1 file changed, 47 insertions(+), 3 deletions(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index beeaee4b7..ad6c9353a 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -339,7 +339,11 @@ show_available_ciphers(void) || cipher_kt_mode_aead(cipher) )) { - cipher_list[num_ciphers++] = cipher; + /* Check explicit availibility (for OpenSSL 3.0) */ + if (cipher_kt_get(cipher_kt_name(cipher))) + { + cipher_list[num_ciphers++] = cipher; + } } if (num_ciphers == (sizeof(cipher_list)/sizeof(*cipher_list))) { @@ -371,6 +375,13 @@ show_available_ciphers(void) printf("\n"); } +void +print_digest(EVP_MD *digest, void *unused) +{ + printf("%s %d bit digest size\n", EVP_MD_name(digest), + EVP_MD_size(digest) * 8); +} + void show_available_digests(void) { @@ -384,16 +395,22 @@ show_available_digests(void) "the --auth option.\n\n"); #endif +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MD_do_all_provided(NULL, print_digest, NULL); +#else for (nid = 0; nid < 10000; ++nid) { + const EVP_MD *digest = EVP_get_digestbynid(nid); if (digest) { - printf("%s %d bit digest size\n", - OBJ_nid2sn(nid), EVP_MD_size(digest) * 8); + /* We cast the const away so we can keep the function prototype + * compatible with EVP_MD_do_all_provided */ + print_digest((EVP_MD *)digest, NULL); } } printf("\n"); +#endif } void 
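Review bot: in the show_available_ciphers hunk of src/openvpn/crypto_openssl.c, the new availability check goes through cipher_kt_get(cipher_kt_name(cipher)), and cipher_kt_get reports every miss with `crypto_msg(D_LOW, "Cipher algorithm '%s' not found", ciphername)` (visible as context in the cipher_kt_get hunk below), so --show-ciphers at verb 4 and above now interleaves one "not found" line per filtered cipher with the listing itself. A quiet predicate that only performs the EVP_CIPHER_fetch/EVP_CIPHER_free probe and returns a bool, shared with cipher_kt_get, would keep the listing clean and avoid the name translation round trip through cipher_kt_name and translate_cipher_name_from_openvpn for every candidate.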
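Review bot: print_digest in the show_available_digests hunk is defined with external linkage and no prototype in any header; it is only used as the EVP_MD_do_all_provided callback and from the OpenSSL 1.1 loop below it, so it should be `static void print_digest(EVP_MD *digest, void *unused)`, otherwise -Wmissing-prototypes warns and the very generic name is exported from the object. The cast in `print_digest((EVP_MD *)digest, NULL)` is explained in the comment and is fine as a stopgap, but note that on OpenSSL 3.0 the listing now shows everything the loaded providers offer, including digests that make no sense for --auth (for example XOFs), while the cipher listing in the hunk above is filtered; a one-line exclusion or a note in the listing header would keep the two consistent.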
@@ -624,6 +641,19 @@ cipher_kt_get(const char *ciphername) ciphername = translate_cipher_name_from_openvpn(ciphername); cipher = EVP_get_cipherbyname(ciphername); + /* This is a workaround for OpenSSL 3.0 to infer if the cipher is valid + * without doing all the refactoring that OpenVPN 2.6 has. This will + * not support custom algorithm from providers but at least ignore + * algorithms that are not available without providers (legacy) */ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_CIPHER *tmpcipher = EVP_CIPHER_fetch(NULL, ciphername, NULL); + if (!tmpcipher) + { + cipher = NULL; + } + EVP_CIPHER_free(tmpcipher); +#endif + if (NULL == cipher) { crypto_msg(D_LOW, "Cipher algorithm '%s' not found", ciphername); 
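Review bot: in the OPENSSL_VERSION_NUMBER >= 0x30000000L block of cipher_kt_get, a failed EVP_CIPHER_fetch(NULL, ciphername, NULL) leaves an entry on the OpenSSL error queue, and the only report of the miss is the D_LOW message below, which is not shown at the default verbosity and whose path through crypto_msg only drains the queue when the level is enabled. Because show_available_ciphers now calls cipher_kt_get for every candidate (previous hunk), and any caller that probes a cipher name such as the NCP list handling hits the same path, stale "unsupported" entries can sit on the queue until an unrelated crypto_msg prints them and confuses the diagnosis. Call ERR_clear_error() right after the failed fetch, or move the probe into a helper that clears it. Minor: the fetch is also attempted when EVP_get_cipherbyname already returned NULL; wrapping the block in `if (cipher)` avoids the redundant lookup.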
@@ -924,6 +954,20 @@ md_kt_get(const char *digest) const EVP_MD *md = NULL; ASSERT(digest); md = EVP_get_digestbyname(digest); + + /* This is a workaround for OpenSSL 3.0 to infer if the digest is valid + * without doing all the refactoring that OpenVPN 2.6 has. This will + * not support custom algorithm from providers but at least ignore + * algorithms that are not available without providers (legacy) */ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MD *tmpmd = EVP_MD_fetch(NULL, digest, NULL); + if (!tmpmd) + { + md = NULL; + } + EVP_MD_free(tmpmd); +#endif + if (!md) { crypto_msg(M_FATAL, "Message hash algorithm '%s' not found", digest);
From patchwork Thu May 12 02:14:29 2022 X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2452
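Review bot: the md_kt_get hunk of src/openvpn/crypto_openssl.c repeats the cipher_kt_get workaround almost line for line, including the four-line comment, with only the EVP_MD_fetch/EVP_MD_free pair swapped in. Two copies of "is this name fetchable in the default library context" will drift when the provider handling is reworked; a pair of small static helpers (one for EVP_MD, one for EVP_CIPHER) returning bool, each with the comment once, keeps the intent in one place. As in the cipher case, the fetch is attempted even when EVP_get_digestbyname already returned NULL, so an unknown --auth name does a pointless provider lookup before the M_FATAL fires; guard the block with `if (md)`. The M_FATAL path does print and drain the OpenSSL error queue, so the stale-queue concern raised for cipher_kt_get does not apply here.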
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 12 May 2022 14:14:29 +0200
Message-Id: <20220512121429.2096164-8-arne@rfc2549.org>
In-Reply-To: <20220512121429.2096164-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH 7/7] Remove dependency on BF-CBC existance from test_ncp
Cc: Gert Doering

The test_check_ncp_ciphers_list test assumed that BF-CBC is always
available, which is no longer the case with OpenSSL 3.0. Rewrite the
test to not rely on BF-CBC to be available.

Signed-off-by: Arne Schwabe
Acked-by: Max Fillinger
Message-Id: <20211019183127.614175-14-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23003.html
Signed-off-by: Gert Doering
---
 tests/unit_tests/openvpn/test_ncp.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/tests/unit_tests/openvpn/test_ncp.c b/tests/unit_tests/openvpn/test_ncp.c index e38a5738e..d4164ef7a 100644 --- a/tests/unit_tests/openvpn/test_ncp.c +++ b/tests/unit_tests/openvpn/test_ncp.c @@ -42,6 +42,7 @@ /* Defines for use in the tests and the mock parse_line() */ const char *bf_chacha = "BF-CBC:CHACHA20-POLY1305"; +const char *aes_chacha = "AES-128-CBC:CHACHA20-POLY1305"; const char *aes_ciphers = "AES-256-GCM:AES-128-GCM"; static void
@@ -57,6 +58,11 @@ test_check_ncp_ciphers_list(void **state) assert_string_equal(mutate_ncp_cipher_list(aes_ciphers, &gc), aes_ciphers); + if (have_chacha && have_blowfish) + { + assert_string_equal(mutate_ncp_cipher_list(aes_chacha, &gc), aes_chacha); + } + if (have_chacha && have_blowfish) { assert_string_equal(mutate_ncp_cipher_list(bf_chacha, &gc), bf_chacha); @@ -73,8 +79,8 @@ test_check_ncp_ciphers_list(void **state) bool have_chacha_mixed_case = cipher_kt_get("ChaCha20-Poly1305"); if (have_chacha_mixed_case) { - assert_string_equal(mutate_ncp_cipher_list("BF-CBC:ChaCha20-Poly1305", &gc), - bf_chacha); + assert_string_equal(mutate_ncp_cipher_list("AES-128-CBC:ChaCha20-Poly1305", &gc), + aes_chacha); } assert_ptr_equal(mutate_ncp_cipher_list("vollbit", &gc), NULL);
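Review bot: the new aes_chacha assertion in test_check_ncp_ciphers_list is guarded by `if (have_chacha && have_blowfish)`, the same condition as the bf_chacha block directly below it, but "AES-128-CBC:CHACHA20-POLY1305" does not involve BF-CBC at all. On OpenSSL 3.0 without the legacy provider have_blowfish is false, so the assertion this patch adds is skipped in precisely the configuration it was written for, and the test passes for the wrong reason. Guard it on have_chacha alone (AES-128-CBC is in the default provider, so no extra probe is needed), which also removes what otherwise reads as a copy-paste leftover. The mixed-case check in the following hunk, which now expects aes_chacha from "AES-128-CBC:ChaCha20-Poly1305", is consistent with that.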