From patchwork Fri Jun 14 11:34:38 2024
X-Patchwork-Submitter: "plaisthos (Code Review)"
X-Patchwork-Id: 3729
From: "MaxF (Code Review)"
Date: Fri, 14 Jun 2024 11:34:38 +0000
To: plaisthos, flichtenheld
X-Gerrit-PatchSet: 1
X-Gerrit-MessageType: newchange
X-Gerrit-Change-Id: Ia3883a26ac26df6bbb5353fb074a2e0f814737be
X-Gerrit-Change-Number: 682
X-Gerrit-Project: openvpn
X-Gerrit-Commit: 94dd46ed3ea775db3b95317c46377aaf98122b18
Message-ID: <4ba969b0779fc939adaa9c78f50a41b7b4bb4483-HTML@gerrit.openvpn.net>
Subject: [Openvpn-devel] [S] Change in openvpn[master]: mbedtls: Remove support for old TLS versions
Reply-To: max@max-fillinger.net, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com
Cc: openvpn-devel

Attention is currently required from: flichtenheld, plaisthos.

Hello plaisthos, flichtenheld,

I'd like you to do a code review.
Please visit

    http://gerrit.openvpn.net/c/openvpn/+/682?usp=email

to review the following change.

Change subject: mbedtls: Remove support for old TLS versions
......................................................................

mbedtls: Remove support for old TLS versions

Recent versions of mbedtls have dropped support for TLS 1.0 and 1.1.
Rather than checking which versions are supported, drop support for everything before 1.2. Change-Id: Ia3883a26ac26df6bbb5353fb074a2e0f814737be Signed-off-by: Max Fillinger --- M src/openvpn/ssl_mbedtls.c 1 file changed, 1 insertion(+), 20 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/82/682/1 diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index a68588e..e25fb84 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -1040,12 +1040,8 @@ { #if defined(MBEDTLS_SSL_PROTO_TLS1_2) return TLS_VER_1_2; -#elif defined(MBEDTLS_SSL_PROTO_TLS1_1) - return TLS_VER_1_1; -#elif defined(MBEDTLS_SSL_PROTO_TLS1) - return TLS_VER_1_0; #else /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */ - #error "mbedtls is compiled without support for TLS 1.0, 1.1 and 1.2." + #error "mbedtls is compiled without support for TLS 1.2." #endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */ } @@ -1067,27 +1063,12 @@ switch (tls_ver) { -#if defined(MBEDTLS_SSL_PROTO_TLS1) - case TLS_VER_1_0: - *major = MBEDTLS_SSL_MAJOR_VERSION_3; - *minor = MBEDTLS_SSL_MINOR_VERSION_1; - break; -#endif - -#if defined(MBEDTLS_SSL_PROTO_TLS1_1) - case TLS_VER_1_1: - *major = MBEDTLS_SSL_MAJOR_VERSION_3; - *minor = MBEDTLS_SSL_MINOR_VERSION_2; - break; -#endif - #if defined(MBEDTLS_SSL_PROTO_TLS1_2) case TLS_VER_1_2: *major = MBEDTLS_SSL_MAJOR_VERSION_3; *minor = MBEDTLS_SSL_MINOR_VERSION_3; break; #endif - default: msg(M_FATAL, "%s: invalid or unsupported TLS version %d", __func__, tls_ver); break;
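Review bot: In the first hunk (@@ -1040,12 +1040,8 @@), the function body is now a single `return TLS_VER_1_2;` wrapped in an `#if`/`#else`/`#error` that no longer selects between alternatives. Consider moving the `#error` to a file-level check next to the mbedtls includes so the requirement is enforced once for the whole file and the function becomes unconditional. The new message "mbedtls is compiled without support for TLS 1.2." would also be more useful to someone hitting it at build time if it stated the requirement, for example that OpenVPN needs mbedtls built with MBEDTLS_SSL_PROTO_TLS1_2.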
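Review bot: In the second hunk (@@ -1067,27 +1063,12 @@), with the `case TLS_VER_1_0:` and `case TLS_VER_1_1:` branches removed, both values now fall into `default:` and end in `msg(M_FATAL, "%s: invalid or unsupported TLS version %d", ...)`. If any caller can still pass those values, for instance from a configured minimum TLS version of 1.0 or 1.1, an existing configuration that used to start will now abort with a generic message; please confirm the callers clamp to 1.2 or reject the value earlier with a clearer diagnostic, and mention the behaviour change in the commit message. Two smaller points: the remaining `#if defined(MBEDTLS_SSL_PROTO_TLS1_2)` guard around `case TLS_VER_1_2:` is redundant now that the first hunk makes the file fail to compile without that macro, and the hunk also deletes the blank line before `default:`, which looks like an unrelated whitespace change.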