From patchwork Tue Jan 28 22:09:32 2025
X-Patchwork-Submitter: Shubham Mittal
X-Patchwork-Id: 4098
Date: Tue, 28 Jan 2025 14:09:32 -0800
Message-ID: <20250128220932.2113-1-smittals@amazon.com>
In-Reply-To: <20250127235014.355-1-smittals@amazon.com>
References: <20250127235014.355-1-smittals@amazon.com>
Subject: [Openvpn-devel] [PATCH] Add compatibility to build OpenVPN with AWS-LC.
From: Shubham Mittal
Reply-To: Shubham Mittal

Additional context from PR on Github about changes in ssl_openssl.c around
line 1900:

This change addresses a subtle behavioral difference between AWS-LC and
OpenSSL regarding object ownership semantics in
SSL_CTX_set_client_CA_list(ctx->ctx, cert_names).

OpenSSL Behavior:
- Stores a reference to the provided cert_names stack
- cert_names remains valid after SSL_CTX_set_client_CA_list

AWS-LC Behavior:
- Creates a copy of the parameter cert_names (which is a stack of type
  X509_NAME) and converts it to a stack of CRYPTO_BUFFER (how we internally
  represent X509_NAME, it's an opaque byte string). Then frees the original
  passed in cert_names
- After SSL_CTX_set_client_CA_list, cert_names no longer points to valid
  memory

The proposed changes reorder operations to getting the size of the stack
before the set operation as opposed to after the set operation. No
operations between the setter and stack size check modify cert_names.
Therefore, the logical outcome should remain the same - and this would also
handle the subtle behavioral difference in AWS-LC.

URL: https://github.com/OpenVPN/openvpn/pull/672
Acked-by: Arne Schwabe
Signed-off-by: Shubham Mittal
Acked-By: Arne Schwabe
--- README.awslc | 18 ++++++++++++++++++ src/openvpn/crypto_openssl.c | 7 +++++++ src/openvpn/openssl_compat.h | 2 +- src/openvpn/ssl_openssl.c | 10 +++++++--- 4 files changed, 33 insertions(+), 4 deletions(-) create mode 100644 README.awslc diff --git a/README.awslc b/README.awslc new file mode 100644 index 00000000..ae90a832 --- /dev/null
+++ b/README.awslc @@ -0,0 +1,18 @@ +This version of OpenVPN supports AWS-LC (AWS Libcrypto), AWS's open-source cryptographic library. + +If you encounter bugs in OpenVPN while using AWS-LC: +1. Try compiling OpenVPN with OpenSSL to determine if the issue is specific to AWS-LC +2. For AWS-LC-specific issues, please report them at: https://github.com/aws/aws-lc + +To build and install OpenVPN with AWS-LC: + + OPENSSL_CFLAGS="-I/${AWS_LC_INSTALL_FOLDER}/include" \ + OPENSSL_LIBS="-L/${AWS_LC_INSTALL_FOLDER}/lib -lssl -lcrypto" \ + LDFLAGS="-Wl,-rpath=${AWS_LC_INSTALL_FOLDER}/lib" \ + ./configure --with-crypto-library=openssl + make + make install + +************************************************************************* +Due to limitations in AWS-LC, the following features are missing +* Windows CryptoAPI support diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 914b1c4f..070225d3 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -1398,6 +1398,13 @@ out: return ret; } +#elif defined(OPENSSL_IS_AWSLC) +bool +ssl_tls1_PRF(const uint8_t *label, int label_len, const uint8_t *sec, + int slen, uint8_t *out1, int olen) +{ + CRYPTO_tls1_prf(EVP_md5_sha1(), out1, olen, sec, slen, label, label_len, NULL, 0, NULL, 0); +} #elif !defined(LIBRESSL_VERSION_NUMBER) && !defined(ENABLE_CRYPTO_WOLFSSL) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index 89f22d13..3e3b406a 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -76,7 +76,7 @@ X509_OBJECT_free(X509_OBJECT *obj) #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT #endif -#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL +#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL || defined(OPENSSL_IS_AWSLC) #define SSL_get_peer_tmp_key SSL_get_server_tmp_key #endif 
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 89d0328e..aad79a4b 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -1669,7 +1669,11 @@ tls_ctx_use_external_ec_key(struct tls_root_ctx *ctx, EVP_PKEY *pkey) /* Among init methods, we only need the finish method */ EC_KEY_METHOD_set_init(ec_method, NULL, openvpn_extkey_ec_finish, NULL, NULL, NULL, NULL); +#ifdef OPENSSL_IS_AWSLC + EC_KEY_METHOD_set_sign(ec_method, ecdsa_sign, NULL, ecdsa_sign_sig); +#else EC_KEY_METHOD_set_sign(ec_method, ecdsa_sign, ecdsa_sign_setup, ecdsa_sign_sig); +#endif ec = EC_KEY_dup(EVP_PKEY_get0_EC_KEY(pkey)); if (!ec) @@ -1895,9 +1899,10 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, } sk_X509_INFO_pop_free(info_stack, X509_INFO_free); } - + int cnum; if (tls_server) { + cnum = sk_X509_NAME_num(cert_names); SSL_CTX_set_client_CA_list(ctx->ctx, cert_names); } @@ -1910,7 +1915,6 @@ tls_ctx_load_ca(struct tls_root_ctx *ctx, const char *ca_file, if (tls_server) { - int cnum = sk_X509_NAME_num(cert_names); if (cnum != added) { crypto_msg(M_FATAL, "Cannot load CA certificate file %s (only %d " @@ -2558,7 +2562,7 @@ show_available_tls_ciphers_list(const char *cipher_list, crypto_msg(M_FATAL, "Cannot create SSL object"); } -#if OPENSSL_VERSION_NUMBER < 0x1010000fL +#if OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(OPENSSL_IS_AWSLC) STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl); #else STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl);
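Review bot: In the README.awslc hunk, the build example is inconsistent about the slash in front of the install variable: OPENSSL_CFLAGS uses "-I/${AWS_LC_INSTALL_FOLDER}/include" and OPENSSL_LIBS uses "-L/${AWS_LC_INSTALL_FOLDER}/lib", while LDFLAGS uses "-Wl,-rpath=${AWS_LC_INSTALL_FOLDER}/lib". With an absolute path the first two expand to a doubled slash, and with a relative path they resolve under the filesystem root while the rpath stays relative, so the binary would link against one location and search another at run time. Drop the leading slash from the -I and -L values and say in the text that AWS_LC_INSTALL_FOLDER must be an absolute path.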
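Review bot: In the crypto_openssl.c hunk at @@ -1398, the new OPENSSL_IS_AWSLC variant of ssl_tls1_PRF is declared bool but has no return statement, and the result of CRYPTO_tls1_prf(...) is discarded. Control falls off the end of a non-void function, so the caller reads an indeterminate value and a failed key derivation cannot be told apart from a successful one. Return the outcome of the call converted to bool, as the other variants of this function do through their ret variable. The parameter names here (label, sec, slen, out1, olen) also differ from the neighbouring variant's (seed, seed_len, secret, ...); using the same names would make it easier to check that the arguments are passed in the right positions.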
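Review bot: In the openssl_compat.h hunk at @@ -76, the extended condition "defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL || defined(OPENSSL_IS_AWSLC)" relies on && binding tighter than || to group correctly. It evaluates as intended, but mixed unparenthesized && and || in a preprocessor guard is easy to misread and triggers parentheses warnings on some compilers. Wrap the LibreSSL half in parentheses so the grouping is explicit.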
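Review bot: In the ssl_openssl.c hunk at @@ -1669, the AWS-LC branch passes NULL in place of ecdsa_sign_setup to EC_KEY_METHOD_set_sign with no comment saying why the setup callback is dropped for this library. A one-line comment above the #ifdef stating the reason would keep a later cleanup from "fixing" the asymmetry. It is also worth checking whether ecdsa_sign_setup is still referenced anywhere in an AWS-LC build; if not, it should sit under the same #ifndef to avoid an unused-function warning.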
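Review bot: In the ssl_openssl.c hunk at @@ -1895, "int cnum;" is declared without an initializer and assigned only inside the first "if (tls_server)" block, then read in the second one at @@ -1910. Both uses are guarded by the same flag, so the logic holds, but the compiler cannot always prove that and may report a maybe-uninitialized warning; initialize it to 0. The ordering of "cnum = sk_X509_NAME_num(cert_names);" before SSL_CTX_set_client_CA_list(ctx->ctx, cert_names) is now load-bearing, because per the commit message cert_names is no longer valid after the setter on AWS-LC, yet nothing in the code says so. Add a short comment at that line so the count is not moved back after the call, and consider whether any later use of cert_names in this function remains.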
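Review bot: In the ssl_openssl.c hunk at @@ -2558, AWS-LC builds are switched to "STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);" instead of SSL_get1_supported_ciphers(ssl), but no other hunk in this patch touches the rest of show_available_tls_ciphers_list. The two calls differ in who owns the returned stack, so whatever releases sk later in the function has to follow the same condition as this #if. If that release is guarded by the OpenSSL version number alone, an AWS-LC build would free a stack it does not own. Please confirm, and extend the guard on the cleanup with the same defined(OPENSSL_IS_AWSLC) test if needed.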