From patchwork Thu Jun 13 09:35:22 2024
From: "MaxF (Code Review)"
Date: Thu, 13 Jun 2024 09:35:22 +0000
To: plaisthos, flichtenheld
Cc: comododragon, openvpn-devel
Subject: [Openvpn-devel] [M] Change in openvpn[master]: Fix MBEDTLS_DEPRECATED_REMOVED build errors

Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos, flichtenheld,

I'd like you to do a code review. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/681?usp=email

to review the following change.

Change subject: Fix MBEDTLS_DEPRECATED_REMOVED build errors
......................................................................
Fix MBEDTLS_DEPRECATED_REMOVED build errors This commit allows compiling OpenVPN with recent versions of mbed TLS if MBEDTLS_DEPRECATED_REMOVED is defined. Also disables TLS 1.0 and 1.1 because these are dropped in recent versions of mbed TLS. Change-Id: If96c2ebd2af16b18ed34820e8c0531547e2076d9 Signed-off-by: Max Fillinger --- M src/openvpn/mbedtls_compat.h M src/openvpn/ssl_mbedtls.c M src/openvpn/ssl_mbedtls.h 3 files changed, 72 insertions(+), 42 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/81/681/1 diff --git a/src/openvpn/mbedtls_compat.h b/src/openvpn/mbedtls_compat.h index d742b54..74dca22 100644 --- a/src/openvpn/mbedtls_compat.h +++ b/src/openvpn/mbedtls_compat.h @@ -40,6 +40,7 @@ #include #include #include +#include #include #include #include @@ -51,6 +52,13 @@ #include #endif +#if MBEDTLS_VERSION_NUMBER >= 0x03000000 +typedef uint16_t mbedtls_compat_group_id; +#else +#define MBEDTLS_SSL_IANA_TLS_GROUP_NONE MBEDTLS_ECP_DP_NONE +typedef mbedtls_ecp_group_id mbedtls_compat_group_id; +#endif + static inline void mbedtls_compat_psa_crypto_init(void) { @@ -64,6 +72,16 @@ #endif /* HAVE_MBEDTLS_PSA_CRYPTO_H && defined(MBEDTLS_PSA_CRYPTO_C) */ } +static inline mbedtls_compat_group_id +mbedtls_compat_get_group_id(const mbedtls_ecp_curve_info *curve_info) +{ +#if MBEDTLS_VERSION_NUMBER >= 0x03000000 + return curve_info->tls_id; +#else + return curve_info->grp_id; +#endif +} + /* * In older versions of mbedtls, mbedtls_ctr_drbg_update() did not return an * error code, and it was deprecated in favor of mbedtls_ctr_drbg_update_ret() 
@@ -124,6 +142,34 @@ } #if MBEDTLS_VERSION_NUMBER < 0x03020100 +typedef enum { + MBEDTLS_SSL_VERSION_UNKNOWN, /*!< Context not in use or version not yet negotiated. */ + MBEDTLS_SSL_VERSION_TLS1_2 = 0x0303, /*!< (D)TLS 1.2 */ + MBEDTLS_SSL_VERSION_TLS1_3 = 0x0304, /*!< (D)TLS 1.3 */ +} mbedtls_ssl_protocol_version; + +static inline void +mbedtls_ssl_conf_min_tls_version(mbedtls_ssl_config *conf, mbedtls_ssl_protocol_version tls_version) +{ + int major = (tls_version >> 8) & 0xff; + int minor = tls_version & 0xff; + mbedtls_ssl_conf_min_version(conf, major, minor); +} + +static inline void +mbedtls_ssl_conf_max_tls_version(mbedtls_ssl_config *conf, mbedtls_ssl_protocol_version tls_version) +{ + int major = (tls_version >> 8) & 0xff; + int minor = tls_version & 0xff; + mbedtls_ssl_conf_max_version(conf, major, minor); +} + +static inline void +mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf, mbedtls_compat_group_id *groups) +{ + mbedtls_ssl_conf_curves(conf, groups); +} + static inline size_t mbedtls_cipher_info_get_block_size(const mbedtls_cipher_info_t *cipher) { diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index a68588e..545db0f 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -402,7 +402,7 @@ /* Get number of groups and allocate an array in ctx */ int groups_count = get_num_elements(groups, ':'); - ALLOC_ARRAY_CLEAR(ctx->groups, mbedtls_ecp_group_id, groups_count + 1) + ALLOC_ARRAY_CLEAR(ctx->groups, mbedtls_compat_group_id, groups_count + 1) /* Parse allowed ciphers, getting IDs */ int i = 0; @@ -419,11 +419,11 @@ } else { - ctx->groups[i] = ci->grp_id; + ctx->groups[i] = mbedtls_compat_get_group_id(ci); i++; } } - ctx->groups[i] = MBEDTLS_ECP_DP_NONE; + ctx->groups[i] = MBEDTLS_SSL_IANA_TLS_GROUP_NONE; gc_free(&gc); } 
@@ -1050,47 +1050,31 @@ } /** - * Convert an OpenVPN tls-version variable to mbed TLS format (i.e. a major and - * minor ssl version number). + * Convert an OpenVPN tls-version variable to mbed TLS format * * @param tls_ver The tls-version variable to convert. - * @param major Returns the TLS major version in mbed TLS format. - * Must be a valid pointer. - * @param minor Returns the TLS minor version in mbed TLS format. - * Must be a valid pointer. + * + * @return Translated mbedTLS SSL version from OpenVPN TLS version. */ -static void -tls_version_to_major_minor(int tls_ver, int *major, int *minor) +mbedtls_ssl_protocol_version +tls_version_to_ssl_version(int tls_ver) { - ASSERT(major); - ASSERT(minor); switch (tls_ver) { -#if defined(MBEDTLS_SSL_PROTO_TLS1) - case TLS_VER_1_0: - *major = MBEDTLS_SSL_MAJOR_VERSION_3; - *minor = MBEDTLS_SSL_MINOR_VERSION_1; - break; -#endif - -#if defined(MBEDTLS_SSL_PROTO_TLS1_1) - case TLS_VER_1_1: - *major = MBEDTLS_SSL_MAJOR_VERSION_3; - *minor = MBEDTLS_SSL_MINOR_VERSION_2; - break; -#endif - #if defined(MBEDTLS_SSL_PROTO_TLS1_2) case TLS_VER_1_2: - *major = MBEDTLS_SSL_MAJOR_VERSION_3; - *minor = MBEDTLS_SSL_MINOR_VERSION_3; - break; + return MBEDTLS_SSL_VERSION_TLS1_2; +#endif + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + case TLS_VER_1_3: + return MBEDTLS_SSL_VERSION_TLS1_3; #endif default: msg(M_FATAL, "%s: invalid or unsupported TLS version %d", __func__, tls_ver); - break; + return MBEDTLS_SSL_VERSION_UNKNOWN; } } @@ -1171,7 +1155,7 @@ if (ssl_ctx->groups) { - mbedtls_ssl_conf_curves(ks_ssl->ssl_config, ssl_ctx->groups); + mbedtls_ssl_conf_groups(ks_ssl->ssl_config, ssl_ctx->groups); } /* Disable TLS renegotiations if the mbedtls library supports that feature. 
@@ -1221,15 +1205,14 @@ &SSLF_TLS_VERSION_MIN_MASK; /* default to TLS 1.2 */ - int major = MBEDTLS_SSL_MAJOR_VERSION_3; - int minor = MBEDTLS_SSL_MINOR_VERSION_3; + mbedtls_ssl_protocol_version version = MBEDTLS_SSL_VERSION_TLS1_2; if (configured_tls_version_min > TLS_VER_UNSPEC) { - tls_version_to_major_minor(configured_tls_version_min, &major, &minor); + version = tls_version_to_ssl_version(configured_tls_version_min); } - mbedtls_ssl_conf_min_version(ks_ssl->ssl_config, major, minor); + mbedtls_ssl_conf_min_tls_version(ks_ssl->ssl_config, version); } /* Initialize maximum TLS version */ @@ -1238,20 +1221,19 @@ (session->opt->ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) &SSLF_TLS_VERSION_MAX_MASK; - int major = 0; - int minor = 0; + mbedtls_ssl_protocol_version version = MBEDTLS_SSL_VERSION_UNKNOWN; if (configured_tls_version_max > TLS_VER_UNSPEC) { - tls_version_to_major_minor(configured_tls_version_max, &major, &minor); + version = tls_version_to_ssl_version(configured_tls_version_max); } else { /* Default to tls_version_max(). */ - tls_version_to_major_minor(tls_version_max(), &major, &minor); + version = tls_version_to_ssl_version(tls_version_max()); } - mbedtls_ssl_conf_max_version(ks_ssl->ssl_config, major, minor); + mbedtls_ssl_conf_max_tls_version(ks_ssl->ssl_config, version); } #if HAVE_MBEDTLS_SSL_CONF_EXPORT_KEYS_EXT_CB diff --git a/src/openvpn/ssl_mbedtls.h b/src/openvpn/ssl_mbedtls.h index 1fd0ce8..34b4f02 100644 --- a/src/openvpn/ssl_mbedtls.h +++ b/src/openvpn/ssl_mbedtls.h @@ -39,6 +39,8 @@ #include #endif +#include "mbedtls_compat.h" + typedef struct _buffer_entry buffer_entry; struct _buffer_entry { 
@@ -118,7 +120,7 @@ #endif struct external_context external_key; /**< External key context */ int *allowed_ciphers; /**< List of allowed ciphers for this connection */ - mbedtls_ecp_group_id *groups; /**< List of allowed groups for this connection */ + mbedtls_compat_group_id *groups; /**< List of allowed groups for this connection */ mbedtls_x509_crt_profile cert_profile; /**< Allowed certificate types */ };
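Review bot: the two version gates in mbedtls_compat.h (hunk `@@ -51,6 +52,13 @@` and hunk `@@ -124,6 +142,34 @@`) do not agree for mbed TLS versions from 0x03000000 up to but excluding 0x03020100. In that window `mbedtls_compat_group_id` is already `uint16_t` and `mbedtls_compat_get_group_id()` returns `curve_info->tls_id`, yet the fallback `mbedtls_ssl_conf_groups()` is still compiled and forwards that array to `mbedtls_ssl_conf_curves()`, which this same patch shows taking a `mbedtls_ecp_group_id *` list (the replaced `ctx->groups` declaration and call in ssl_mbedtls.c). The result is a pointer-type mismatch and, semantically, IANA TLS group ids being read as `mbedtls_ecp_group_id` values. Either gate the `mbedtls_ssl_conf_groups()` fallback on `MBEDTLS_VERSION_NUMBER < 0x03000000`, where the type is still `mbedtls_ecp_group_id`, or move the group-id typedef to the same 0x03020100 boundary so both shims change together.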
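Review bot: the `mbedtls_ssl_conf_min_tls_version()` and `mbedtls_ssl_conf_max_tls_version()` shims in hunk `@@ -124,6 +142,34 @@` of mbedtls_compat.h pass `MBEDTLS_SSL_VERSION_UNKNOWN` straight through as major 0 / minor 0. That value is reachable: it is what `tls_version_to_ssl_version()` returns after its `M_FATAL` path and it is the initial value of `version` in the max-version hunk of ssl_mbedtls.c. Adding an `ASSERT(tls_version != MBEDTLS_SSL_VERSION_UNKNOWN)` at the top of both shims (or an early return) makes a silent 0/0 configuration impossible if a future caller forgets to assign the variable. The `groups` parameter of the `mbedtls_ssl_conf_groups()` fallback could also be `const`, since the shim never writes through it.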
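Review bot: in hunk `@@ -1050,47 +1050,31 @@` of ssl_mbedtls.c, `tls_version_to_ssl_version()` loses its `static` qualifier but the ssl_mbedtls.h hunks add no prototype for it (they only add the compat include and change the `groups` type), so the function becomes an exported symbol with no declaration, which trips `-Wmissing-prototypes` builds. Keep it `static` unless another translation unit is meant to call it, in which case declare it in ssl_mbedtls.h. Separately, this hunk adds a `TLS_VER_1_3` case under `MBEDTLS_SSL_PROTO_TLS1_3`, which is a behaviour change the commit message does not mention alongside the dropped TLS 1.0/1.1 cases; please add a line about it.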
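Review bot: in hunk `@@ -1238,20 +1221,19 @@` of ssl_mbedtls.c, `version` is initialised to `MBEDTLS_SSL_VERSION_UNKNOWN` and then assigned in both the `if` and the `else` branch, so the sentinel is never observed. Initialising it directly to the default, `mbedtls_ssl_protocol_version version = tls_version_to_ssl_version(tls_version_max());`, and keeping only the `if (configured_tls_version_max > TLS_VER_UNSPEC)` override removes the `else` branch and the unused UNKNOWN state, and mirrors the min-version hunk just above, which already initialises to its default (`MBEDTLS_SSL_VERSION_TLS1_2`).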