From patchwork Tue Nov 21 18:18:36 2023
X-Patchwork-Submitter: "plaisthos (Code Review)"
X-Patchwork-Id: 3473
From: "plaisthos (Code Review)"
Date: Tue, 21 Nov 2023 18:18:36 +0000
To: flichtenheld
X-Gerrit-PatchSet: 1
X-Gerrit-MessageType: newchange
X-Gerrit-Change-Id: Ib3b64b52beed69dc7740f191b0e9a9dc9af5b7f3
X-Gerrit-Change-Number: 456
X-Gerrit-Project: openvpn
X-Gerrit-Commit: 49075848c908990ac946f990ff65c3406878de05
Message-ID: <7a28bedac4ce2e50fb3c3504c97b7fd91f6cddd3-HTML@gerrit.openvpn.net>
User-Agent: Gerrit/3.8.2
Subject: [Openvpn-devel] [XS] Change in openvpn[master]: Extend the error message when TLS 1.0 PRF fails
Reply-To: arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com
Cc: openvpn-devel

Attention is currently required from: flichtenheld.

Hello flichtenheld,

I'd like you to do a code review. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/456?usp=email

to review the following change.
Change subject: Extend the error message when TLS 1.0 PRF fails
......................................................................

Extend the error message when TLS 1.0 PRF fails

This error will probably become more and more common in the future
when more and more systems will drop TLS 1.0 PRF support. We are
already seeing people stumbling upon this (see GitHub issue #460).

The current error messages

    TLS Error: PRF calcuation failed
    TLS Error: generate_key_expansion failed

are not very helpful for people that do not have a deep understanding
of TLS or the OpenVPN protocol. Improve on this message to give a
normal user a chance to understand that the peer needs to be
OpenVPN 2.6.x or newer.

Change-Id: Ib3b64b52beed69dc7740f191b0e9a9dc9af5b7f3
---
M src/openvpn/ssl.c
1 file changed, 6 insertions(+), 1 deletion(-)

  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/56/456/1

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 400230c..9817b2e 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -1641,7 +1641,12 @@ { if (!generate_key_expansion_openvpn_prf(session, &key2)) { - msg(D_TLS_ERRORS, "TLS Error: PRF calcuation failed"); + msg(D_TLS_ERRORS, "TLS Error: PRF calculation failed. Your system " + "might not support the old TLS 1.0 PRF calculation anymore or " + "the policy does not allow TLS1 PRF calculation anymore " + "(e.g. running in FIPS mode). The peer did not announce support " + "for the modern TLS Export feature that replaces the TLS 1.0" + "RPF (requires OpenVPN 2.6.x or higher)"); goto exit; } }
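Review bot: the last two string fragments of the new msg() call are concatenated without a separating space, and "RPF" is a typo, so the logged text reads "...replaces the TLS 1.0RPF (requires OpenVPN 2.6.x or higher)"; end the fifth fragment with `"... replaces the TLS 1.0 "` and start the last one with `"PRF (requires OpenVPN 2.6.x or higher)."` (the earlier sentences in the message end with a period, the final one does not). Separately, the commit message names `TLS Error: generate_key_expansion failed` as the second unhelpful message, but this single hunk leaves that one untouched, so users will still see it unchanged; either reword it as well or state in the commit message that only the PRF message is being extended.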