From patchwork Wed May 15 10:01:15 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gert Doering X-Patchwork-Id: 3712 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:1443:b0:57d:b2cb:6cf with SMTP id q3csp1084089man; Wed, 15 May 2024 03:01:54 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCWJRPN/NFj2AmpBJK2ix2kKwJD9sNHl3pcVSI8fbooIn7sToO8jnvw2lpmXaHnPyy7j19Y5Qrk59bPuv6lGTYx47CR2pPQ= X-Google-Smtp-Source: AGHT+IHu8Amri+BUXmbin+qtFWZC4iBXXmFypzB0XU7N6Lvrw0KVZxFYg6MQwRs/vbsH7TZTTX5E X-Received: by 2002:a05:6871:e01e:b0:22e:161b:7682 with SMTP id 586e51a60fabf-24172fd264fmr18696355fac.4.1715767314595; Wed, 15 May 2024 03:01:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1715767314; cv=none; d=google.com; s=arc-20160816; b=hYD7eA2vXuY0vg5GFkBaH/lKsOllcLXeVlUhJc++D2zxNLodEnTIe1Mv8OLT8ekgB1 vxkpPqpppPizy0xZzfBLGeHv+GKVPAt387Xy8v1KSOJqzDY8N97Vj3U8BLylZusbLaDW y4DOyIWOV7McRrKanz9LmSw9GXsb8/53OPK2Wv6vjuZCE9I2awjFtcuZii28WBlUndEu bIN08KgP2pVWBHkuew0Ts6xTiJw2m+VYWO6zbFBaZYOGiuoa6Nuasl4h+kuS3SFAvl3v EDKeEehPvA4XCPiZriDSzZ3Ze+nqKYA1EAJmiuwmUv3XAs+9Vsyt3/b1fezpkiz9sU2R YAEQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature; bh=fe2HwnDznf7TxZcQMr4s1EObQl/eJaBXIVGgzZIrRrA=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=CCpOCXz0a3m+nVj133tCeBCv4h69fLjGyVpOOVCK8SgsKZVa/JVpn9NUGQxqhgvcnV 8ezsv0+wY2JH1xKLvzet/1hADa7sy/1k/4AXmZ3cpywmHrgYgbs96SfcX7WSR6vhbIUH s/7XydMw8j1ZAgRRSyuNZhSc/kodhEEptQ37srQxB/U07kGiUWqKcjmpXrKpKQZ91ZY/ UAu4ywEMP/drtqjFgajZuUFfljDYMm4rDMGybUDgYCOAe99UqWOUDoU++HrIlzgE/VoM 2d9x2yfGFlc89XpAG/UNH0/M9e7Kn5M+ehIwWCyQDFYT3cgtEjPX6p5QLJZjCzc3Lg4y 1y8g==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=LO20+uP8; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=ThbrGdyJ; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 586e51a60fabf-2412ac756efsi5447963fac.153.2024.05.15.03.01.53 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 15 May 2024 03:01:53 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=LO20+uP8; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=ThbrGdyJ; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1s7BS0-0000uw-5T; Wed, 15 May 2024 10:01:32 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1s7BRy-0000um-EY for openvpn-devel@lists.sourceforge.net; Wed, 15 May 2024 10:01:30 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=HrPQlsFk0MG1f4Mg+OMcrUqmWhoQowhGL3x4wmT5aiY=; b=LO20+uP8CR+UzfHjMhBRAF38Xa 5uJDbcgnTzxfZbmUOfj5ukvkaf75ldCf4zxam5pGA/UPeFr31cK183gXY385e606pUWgEf92Vdv0D 4aQKw0nfwojUiSQSoa3anqJj3fhyCfOog9zNGuYuVd0apquw/F7H132f5tBV/pvwI1l8=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=HrPQlsFk0MG1f4Mg+OMcrUqmWhoQowhGL3x4wmT5aiY=; b=ThbrGdyJh9dK2Es7p2BE4/qtPI Lx58jKfnvSC0cPSQr1HbS74fWJgwcAn+zcTYoEnMhClfZwZrw2Tf6Hl6nX2n4vky3ip6TpuarlP0B EhtCyuvT/3qwPUchjGOmEW+jT3DPEDzkWAw9JPQrKbuTQWGgXqmk+nVoe4EVi8j6NY3I=; Received: from dhcp-174.greenie.muc.de ([193.149.48.174] helo=blue.greenie.muc.de) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1s7BRx-0006UP-Dp for openvpn-devel@lists.sourceforge.net; Wed, 15 May 2024 10:01:30 +0000 Received: from blue.greenie.muc.de (localhost [127.0.0.1]) by blue.greenie.muc.de (8.17.1.9/8.17.1.9) with ESMTP id 44FA1HmW011066 for ; Wed, 15 May 2024 12:01:17 +0200 Received: (from gert@localhost) by blue.greenie.muc.de (8.17.1.9/8.17.1.9/Submit) id 44FA1HDq011065 for openvpn-devel@lists.sourceforge.net; Wed, 15 May 2024 12:01:17 +0200 From: Gert Doering To: openvpn-devel@lists.sourceforge.net Date: Wed, 15 May 2024 12:01:15 +0200 Message-ID: <20240515100115.11056-1-gert@greenie.muc.de> X-Mailer: git-send-email 2.43.2 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: -0.0 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Arne Schwabe After the removal of the OpenSSL 1.0.2 support, LibreSSL/wolfSSL are the only libraries that still needs the custom implementation. Since our LibreSSL/wolfSSL support is always best effort, we can afford to limit LibreSSL support in this way. If they want to support this, they should expose the functionality as well. Content analysis details: (-0.0 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: openvpn.net] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1s7BRx-0006UP-Dp Subject: [Openvpn-devel] [PATCH v5] Remove custom TLS 1.0 PRF implementation only used by LibreSSL/wolfSSL X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1799112426723022344?= X-GMAIL-MSGID: =?utf-8?q?1799112426723022344?= From: Arne Schwabe After the removal of the OpenSSL 1.0.2 support, LibreSSL/wolfSSL are the only libraries that still needs the custom implementation. Since our LibreSSL/wolfSSL support is always best effort, we can afford to limit LibreSSL support in this way. If they want to support this, they should expose the functionality as well. Change-Id: I5bfa3630ad4dff2807705658bc877c4a429a39ce Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/560 This mail reflects revision 5 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 0473fad..fbd38f3 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -1397,7 +1397,7 @@ return ret; } -#elif !defined(LIBRESSL_VERSION_NUMBER) +#elif !defined(LIBRESSL_VERSION_NUMBER) && !defined(ENABLE_CRYPTO_WOLFSSL) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len) @@ -1444,183 +1444,14 @@ return ret; } #else /* if defined(LIBRESSL_VERSION_NUMBER) */ -/* - * Generate the hash required by for the \c tls1_PRF function. - * - * We cannot use our normal hmac_* function as they do not work - * in a FIPS environment (no MD5 allowed, which we need). Instead - * we need to directly use the EVP_MD_* API with the special - * EVP_MD_CTX_FLAG_NON_FIPS_ALLOW flag. - * - * The function below is adapted from OpenSSL 1.0.2t - * - * @param md_kt Message digest to use - * @param sec Secret to base the hash on - * @param sec_len Length of the secret - * @param seed Seed to hash - * @param seed_len Length of the seed - * @param out Output buffer - * @param olen Length of the output buffer - */ -static -bool -tls1_P_hash(const EVP_MD *md, const unsigned char *sec, - int sec_len, const void *seed, int seed_len, - unsigned char *out, int olen) -{ - int chunk; - size_t j; - EVP_MD_CTX *ctx, *ctx_tmp, *ctx_init; - EVP_PKEY *mac_key; - unsigned char A1[EVP_MAX_MD_SIZE]; - size_t A1_len = EVP_MAX_MD_SIZE; - int ret = false; - - chunk = EVP_MD_size(md); - OPENSSL_assert(chunk >= 0); - - ctx = md_ctx_new(); - ctx_tmp = md_ctx_new(); - ctx_init = md_ctx_new(); - EVP_MD_CTX_set_flags(ctx_init, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len); - if (!mac_key) - { - goto err; - } - if (!EVP_DigestSignInit(ctx_init, NULL, md, NULL, mac_key)) - { - goto err; - } - if (!EVP_MD_CTX_copy_ex(ctx, ctx_init)) - { - goto err; - } - if (!EVP_DigestSignUpdate(ctx, seed, seed_len)) - { - goto err; - } - if (!EVP_DigestSignFinal(ctx, A1, &A1_len)) - { - goto err; - } - - for (;; ) - { - /* Reinit mac contexts */ - if (!EVP_MD_CTX_copy_ex(ctx, ctx_init)) - { - goto err; - } - if (!EVP_DigestSignUpdate(ctx, A1, A1_len)) - { - goto err; - } - if (olen > chunk && !EVP_MD_CTX_copy_ex(ctx_tmp, ctx)) - { - goto err; - } - if (!EVP_DigestSignUpdate(ctx, seed, seed_len)) - { - goto err; - } - - if (olen > chunk) - { - j = olen; - if (!EVP_DigestSignFinal(ctx, out, &j)) - { - goto err; - } - out += j; - olen -= j; - /* calc the next A1 value */ - if (!EVP_DigestSignFinal(ctx_tmp, A1, &A1_len)) - { - goto err; - } - } - else - { - A1_len = EVP_MAX_MD_SIZE; - /* last one */ - if (!EVP_DigestSignFinal(ctx, A1, &A1_len)) - { - goto err; - } - memcpy(out, A1, olen); - break; - } - } - ret = true; -err: - EVP_PKEY_free(mac_key); - EVP_MD_CTX_free(ctx); - EVP_MD_CTX_free(ctx_tmp); - EVP_MD_CTX_free(ctx_init); - OPENSSL_cleanse(A1, sizeof(A1)); - return ret; -} - -/* - * Use the TLS PRF function for generating data channel keys. - * This code is based on the OpenSSL library. - * - * TLS generates keys as such: - * - * master_secret[48] = PRF(pre_master_secret[48], "master secret", - * ClientHello.random[32] + ServerHello.random[32]) - * - * key_block[] = PRF(SecurityParameters.master_secret[48], - * "key expansion", - * SecurityParameters.server_random[32] + - * SecurityParameters.client_random[32]); - * - * Notes: - * - * (1) key_block contains a full set of 4 keys. - * (2) The pre-master secret is generated by the client. - */ +/* LibreSSL and wolfSSL do not expose a TLS 1.0/1.1 PRF via the same APIs as + * OpenSSL does. As result they will only be able to support + * peers that support TLS EKM like when running with OpenSSL 3.x FIPS */ bool ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, int slen, uint8_t *out1, int olen) { - bool ret = true; - struct gc_arena gc = gc_new(); - /* For some reason our md_get("MD5") fails otherwise in the unit test */ - const EVP_MD *md5 = EVP_md5(); - const EVP_MD *sha1 = EVP_sha1(); - - uint8_t *out2 = (uint8_t *)gc_malloc(olen, false, &gc); - - int len = slen/2; - const uint8_t *S1 = sec; - const uint8_t *S2 = &(sec[len]); - len += (slen&1); /* add for odd, make longer */ - - if (!tls1_P_hash(md5, S1, len, label, label_len, out1, olen)) - { - ret = false; - goto done; - } - - if (!tls1_P_hash(sha1, S2, len, label, label_len, out2, olen)) - { - ret = false; - goto done; - } - - for (int i = 0; i < olen; i++) - { - out1[i] ^= out2[i]; - } - - secure_memzero(out2, olen); - - dmsg(D_SHOW_KEY_SOURCE, "tls1_PRF out[%d]: %s", olen, format_hex(out1, olen, 0, &gc)); -done: - gc_free(&gc); - return ret; + return false; } #endif /* if LIBRESSL_VERSION_NUMBER */ #endif /* ENABLE_CRYPTO_OPENSSL */ diff --git a/tests/unit_tests/openvpn/test_crypto.c b/tests/unit_tests/openvpn/test_crypto.c index 01c16c9..9d3ea1a 100644 --- a/tests/unit_tests/openvpn/test_crypto.c +++ b/tests/unit_tests/openvpn/test_crypto.c @@ -137,11 +137,6 @@ } -static uint8_t good_prf[32] = {0xd9, 0x8c, 0x85, 0x18, 0xc8, 0x5e, 0x94, 0x69, - 0x27, 0x91, 0x6a, 0xcf, 0xc2, 0xd5, 0x92, 0xfb, - 0xb1, 0x56, 0x7e, 0x4b, 0x4b, 0x14, 0x59, 0xe6, - 0xa9, 0x04, 0xac, 0x2d, 0xda, 0xb7, 0x2d, 0x67}; - static const char *ipsumlorem = "Lorem ipsum dolor sit amet, consectetur " "adipisici elit, sed eiusmod tempor incidunt " "ut labore et dolore magna aliqua."; @@ -160,9 +155,19 @@ uint8_t out[32]; - ssl_tls1_PRF(seed, seed_len, secret, secret_len, out, sizeof(out)); + bool ret = ssl_tls1_PRF(seed, seed_len, secret, secret_len, out, sizeof(out)); +#if defined(LIBRESSL_VERSION_NUMBER) || defined(ENABLE_CRYPTO_WOLFSSL) + /* No TLS1 PRF support in these libraries */ + assert_false(ret); +#else + assert_true(ret); + uint8_t good_prf[32] = {0xd9, 0x8c, 0x85, 0x18, 0xc8, 0x5e, 0x94, 0x69, + 0x27, 0x91, 0x6a, 0xcf, 0xc2, 0xd5, 0x92, 0xfb, + 0xb1, 0x56, 0x7e, 0x4b, 0x4b, 0x14, 0x59, 0xe6, + 0xa9, 0x04, 0xac, 0x2d, 0xda, 0xb7, 0x2d, 0x67}; assert_memory_equal(good_prf, out, sizeof(out)); +#endif } static uint8_t testkey[20] = {0x0b, 0x00};