From patchwork Fri Nov 10 15:35:48 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "plaisthos (Code Review)" X-Patchwork-Id: 3424 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7300:50e4:b0:f2:62eb:61c1 with SMTP id r4csp1261775dyd; Fri, 10 Nov 2023 07:36:56 -0800 (PST) X-Google-Smtp-Source: AGHT+IGWUgoNKbBT39JycxMA1Sz3FI9wioYENVcvsDF4KOsQaF6/N5tCgF/bQYKuWrRHCqwFaWnO X-Received: by 2002:aa7:848c:0:b0:692:ad93:e852 with SMTP id u12-20020aa7848c000000b00692ad93e852mr8490648pfn.2.1699630615849; Fri, 10 Nov 2023 07:36:55 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1699630615; cv=none; d=google.com; s=arc-20160816; b=ur1vPAbsVVpxvjurAZlB8qxYnf2kU3fFm2C6xfL9JHd7oSIJwZfQQARPiBOTyCjubR OQyyrtxib2h1/DOlrAEMSX1Amry2fo/qqXAAYYG01yqhfGda9Vav8L8wUrpTVjQSvCTz YJYtN2J3YqNZoNH/0EJziwJI5+CZryaDDyEAHzEkMG96nIRZlyaS2AqllNJnJW6e8uYH kF1fosLxqMjSZQzC3ll9uRPmyFwzHCFpjEyKbn5d9ni1KjYv6VMhCMInlInBcRZoPElE f5hS+kfaArKOAP4hNbN1ta5n2Pp+MkXRIY5GznXCDJ9NY9kBh6hX/woNlRBqsSibArxQ 0nJw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:cc:reply-to:list-subscribe:list-help:list-post :list-archive:list-unsubscribe:list-id:precedence:subject:user-agent :mime-version:message-id:references:auto-submitted:to:date:from :dkim-signature:dkim-signature:dkim-signature; bh=FTxlV8y7KOBU0QPQv6WBclGeLLF2nN+xv4HuYezYnqc=; fh=U7wEyxtwz2o5+UdevFSA47vNeG9knhWH0KV//QhD5a0=; b=bigswMLqw7ZTr+fpItOUGp4AjFlqOCE1H8j++dveWn8HdfiiWU0ZqYNrHthZFG1EPN 9W22q9m3aoAmdBY7cAS3BuuxrcVSj/ZBs+vQlOMVmtLBHQJA4WCd1bcbeTi0t/qKmHYy mit6uIONDlYuFhg44WYZ/9vf75ayeJbnjH4047QsZl9vosteOfx5+PZaA1sHEctrI1sm 1brkkCLNFYscxD2ArzRoeRn9yaN/jrux2Kfu287UNZ1JJubGAp33oUttWQSoK8z8MGPi pJqn4qrf53E8d51V1vLqBuTUKbnRGF5K2S49L7Fx09XsMyRhT5uAgCpRD1d0t2fH1z95 HZZw== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=jYfq3nGY; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=Xsuaagrs; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=EcnDu5Ru; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id bg24-20020a056a02011800b005b96fdd43cdsi10952923pgb.759.2023.11.10.07.36.55 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 10 Nov 2023 07:36:55 -0800 (PST) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=jYfq3nGY; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=Xsuaagrs; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=EcnDu5Ru; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1r1TYE-0002ye-4Q; Fri, 10 Nov 2023 15:36:06 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1r1TYD-0002yX-D0 for openvpn-devel@lists.sourceforge.net; Fri, 10 Nov 2023 15:36:05 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Type:Content-Transfer-Encoding:MIME-Version :Message-ID:Reply-To:References:Subject:List-Unsubscribe:List-Id:Cc:To:Date: From:Sender:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help: List-Subscribe:List-Post:List-Owner:List-Archive; bh=Sa1S/DvcXHMK9aihcCaogtoEAe/y27yDLCllVBM1n7g=; b=jYfq3nGYbuJCL6fSi5+dE2Egwm 3LA9E5kRDg6b9XOtVZYHPzNFZmHXFMaL/r54xuloIRZJ4WMv5ppLLac0vbewg1krwO8C5kEp2suqk sEiHhF49x/ncnHLFjMJzmPF1zCDiFycokRTh3rj6Qg4/d+5htahQDYB2nR73qUA7i23w=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:Reply-To: References:Subject:List-Unsubscribe:List-Id:Cc:To:Date:From:Sender:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help:List-Subscribe:List-Post: List-Owner:List-Archive; bh=Sa1S/DvcXHMK9aihcCaogtoEAe/y27yDLCllVBM1n7g=; b=X suaagrsNQKv7As0uXGsnlo/CcXUn//T8/kasnUq1H0GdWh2GekUaKDD/v36jKvEjTd8i03HfWRHGv q+H3b2xYxqCYcFY39reSiF0VLj2/IpXH4HQ4mV+JQchtzj0Pj9lZeAYd25d/Viai3x6ZOIcInBhRP TC81V4IGJhYw42ZI=; Received: from mail-lf1-f49.google.com ([209.85.167.49]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.95) id 1r1TY4-0006EC-PW for openvpn-devel@lists.sourceforge.net; Fri, 10 Nov 2023 15:36:05 +0000 Received: by mail-lf1-f49.google.com with SMTP id 2adb3069b0e04-5099184f8a3so2057398e87.2 for ; Fri, 10 Nov 2023 07:35:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openvpn.net; s=google; t=1699630550; x=1700235350; darn=lists.sourceforge.net; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from:from:to:cc :subject:date:message-id:reply-to; bh=Sa1S/DvcXHMK9aihcCaogtoEAe/y27yDLCllVBM1n7g=; b=EcnDu5Ruf6FcVDJVnutcR0hQKEn7iCl6WnI5rqjN/g6kAHTXV2JGiyTrxtl7uop8hB 3wjpnV+GShLWqyRZ/WNLeL2IlCKDZrTbYcsotuTq36DwDxuxFns6pLZDzlfDTPAxzhNi ql4uPzNPXxYLUbObiF5ln9nUYtkW0OoUsp9j5r+8Kh59Ow6PdbfFEGjHdFTJ7Z8navGX 889hvtBVCJFQEW0NbWTYIAuj6u6NLlkTNgNuCuZaxTmDuUnM+33STey+l2yMIuLfcplQ ste1BGchmZA2vsbRg5/BJX9ecqy8s8EcMO6fCkg424sOOcA/mZ19JTfrXkYjLmAv8RWl j84g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699630550; x=1700235350; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Sa1S/DvcXHMK9aihcCaogtoEAe/y27yDLCllVBM1n7g=; b=Y6gxY4u0TgHMaoPYj1+VS7BbXgiqZ8+NZHV3T6PJQ5NSqiQVu9SbzU4FTpJxnrKnn3 vyIjcGxd9kBBtLLfKoed+LG/OOPmG4olfs8xOE81CRY2tcCpj4Sx+vNBBcSXLcifrnNg zZ0UEQ1DLo+5CYftv6toMszVOrYYTF4pKr0F4jHpEQPs4ByIAef0g2VbshAMQ8Hw4kbi WeU57MYFWcbJlFn27M7Rn+tnRHI2pAvqPkR/cLXZcMfuMZEaDZzxnS5huVybfO90a+Rk F8Ri4SAL0O2EuDLfeE5JxiSDzbpwAbXpOm72fkyiDyrA4h8s+ODX61Id292yBkizhxp6 yxcg== X-Gm-Message-State: AOJu0YzbKMeAjuFQJNypER5R5y4hJSRmgOe3O9bRdLRVzWY3IBo35G/s P+8ME2wl08KEvQugtcCK0O+byc+vbLZNtfuJxag= X-Received: by 2002:a19:8c41:0:b0:500:7a23:720b with SMTP id i1-20020a198c41000000b005007a23720bmr4387032lfj.55.1699630549896; Fri, 10 Nov 2023 07:35:49 -0800 (PST) Received: from gerrit.openvpn.in (ec2-18-159-0-78.eu-central-1.compute.amazonaws.com. [18.159.0.78]) by smtp.gmail.com with ESMTPSA id u12-20020a05600c210c00b004090798d29csm5384221wml.15.2023.11.10.07.35.49 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 10 Nov 2023 07:35:49 -0800 (PST) From: "MaxF (Code Review)" X-Google-Original-From: "MaxF (Code Review)" X-Gerrit-PatchSet: 1 Date: Fri, 10 Nov 2023 15:35:48 +0000 To: plaisthos , flichtenheld Auto-Submitted: auto-generated X-Gerrit-MessageType: newchange X-Gerrit-Change-Id: If4e1c4af9831eb1090ccb3a3c4d3e76b413f0708 X-Gerrit-Change-Number: 403 X-Gerrit-Project: openvpn X-Gerrit-ChangeURL: X-Gerrit-Commit: d408e22e88226ccd18fa9c163deda5ad164a55ea References: Message-ID: <388d6164aee3eb863e780b1cfe3d53c50de9f1a4-HTML@gerrit.openvpn.net> MIME-Version: 1.0 User-Agent: Gerrit/3.8.2 X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit Content analysis details: (-0.2 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.167.49 listed in list.dnswl.org] -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.167.49 listed in wl.mailspike.net] 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 WEIRD_PORT URI: Uses non-standard port number for HTTP 0.0 HTML_MESSAGE BODY: HTML included in message 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain -0.0 T_SCC_BODY_TEXT_LINE No description available. 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML X-Headers-End: 1r1TY4-0006EC-PW Subject: [Openvpn-devel] [S] Change in openvpn[master]: Disable TLS 1.3 support with mbed TLS X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: max@max-fillinger.net, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com Cc: openvpn-devel Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1782191872624963551?= X-GMAIL-MSGID: =?utf-8?q?1782191872624963551?= X-getmail-filter-classifier: gerrit message type newchange Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/403?usp=email to review the following change. Change subject: Disable TLS 1.3 support with mbed TLS ...................................................................... Disable TLS 1.3 support with mbed TLS As of version 3.5.0 the TLS-Exporter function is not yet implemented in mbed TLS, and the exporter_master_secret is not exposed to the application either. Falling back to an older PRF when claiming to use TLS1.3 seems like false advertising. Change-Id: If4e1c4af9831eb1090ccb3a3c4d3e76b413f0708 Signed-off-by: Max Fillinger --- M README.mbedtls M src/openvpn/ssl_mbedtls.c 2 files changed, 6 insertions(+), 29 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/03/403/1 diff --git a/README.mbedtls b/README.mbedtls index 9b75c2b..ed9d369 100644 --- a/README.mbedtls +++ b/README.mbedtls @@ -43,19 +43,5 @@ ************************************************************************* -Mbed TLS 3 supports the TLS 1.3 protocol, but the implementation is not yet -complete. Therefore, using TLS 1.3 in the mbed TLS build of OpenVPN is not yet -supported. - -Nevertheless, here are some pointers to make it work with mbed TLS 3.5.0: - - * The stock configuration of mbed TLS does not support TLS 1.3. To enable it, - uncomment `#define MBEDTLS_SSL_PROTO_TLS1_3` in your mbedtls_config.h before - compiling the library. - * An OpenVPN client with mbed TLS cannot connect to a server with OpenSSL - using TLS 1.3. - * An OpenVPN client with OpenSSL *can* connect to a server using mbed TLS with - TLS 1.3, but *only* if `#define MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE` has - been uncommented in mbedtls_config.h. - -Note that none of these limitations apply to TLS 1.2. +Mbed TLS 3 has implemented (parts of) the TLS 1.3 protocol, but we have disabled +support in OpenVPN because the TLS-Exporter function is not yet implemented. diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index 09559be..b940aa4 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -1013,17 +1013,15 @@ int tls_version_max(void) { -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) - return TLS_VER_1_3; -#elif defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) return TLS_VER_1_2; #elif defined(MBEDTLS_SSL_PROTO_TLS1_1) return TLS_VER_1_1; #elif defined(MBEDTLS_SSL_PROTO_TLS1) return TLS_VER_1_0; -#else /* if defined(MBEDTLS_SSL_PROTO_TLS1_3) */ - #error "mbedtls is compiled without support for any version of TLS." -#endif +#else /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */ + #error "mbedtls is compiled without support for TLS 1.0, 1.1 and 1.2." +#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */ } /** @@ -1065,13 +1063,6 @@ break; #endif -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) - case TLS_VER_1_3: - *major = MBEDTLS_SSL_MAJOR_VERSION_3; - *minor = MBEDTLS_SSL_MINOR_VERSION_4; - break; -#endif - default: msg(M_FATAL, "%s: invalid or unsupported TLS version %d", __func__, tls_ver); break;