From patchwork Sun Nov 26 03:15:53 2017
X-Patchwork-Submitter: Steffan Karger
X-Patchwork-Id: 95
From: Steffan Karger
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 26 Nov 2017 15:15:53 +0100
Message-Id: <20171126141555.25930-1-steffan@karger.me>
Subject: [Openvpn-devel] [PATCH 1/3] Fix --tls-version-min and --tls-version-max for OpenSSL 1.1+

As described in <80e6b449-c536-dc87-7215-3693872bce5a@birkenwald.de> on the openvpn-devel mailing list, --tls-version-min no longer works with OpenSSL 1.1. Kurt Roeckx posted in a debian bug report:

"This is marked as important because if you switch to openssl 1.1.0 the defaults minimum version in Debian is currently TLS 1.2 and you can't override it with the options that you're currently using (and are deprecated)."

This patch is loosely based on the original patch by Kurt, but solves the issue by adding functions to openssl-compat.h, like we also did for all other openssl 1.1 breakage. This results in not having to add more ifdefs in ssl_openssl.c and thus cleaner code.

Signed-off-by: Steffan Karger
---
 src/openvpn/openssl_compat.h | 65 ++++++++++++++++++++++++++++++++++++
 src/openvpn/options.c        |  1 +
 src/openvpn/ssl_openssl.c    | 79 ++++++++++++++++++++++++--------------------
 3 files changed, 109 insertions(+), 36 deletions(-)
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index 70b19aea..c9b6a179 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -647,4 +647,69 @@ EC_GROUP_order_bits(const EC_GROUP *group) #define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT #endif +/* TLS Version defines are new in OpenSSL 1.1 */ +#ifndef TLS1_0_VERSION +#define TLS1_0_VERSION 0x0301 +#endif +#ifndef TLS1_1_VERSION +#define TLS1_1_VERSION 0x0302 +#endif +#ifndef TLS1_2_VERSION +#define TLS1_2_VERSION 0x0303 +#endif + +#ifndef SSL_CTX_set_min_proto_version +/** Mimics SSL_CTX_set_min_proto_version for OpenSSL < 1.1 */ +static inline void +SSL_CTX_set_min_proto_version(SSL_CTX *ctx, long tls_ver_min) +{ + long sslopt = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; /* Never do < TLS 1.0 */ + + if (tls_ver_min > TLS1_0_VERSION) + { + sslopt |= SSL_OP_NO_TLSv1; + } +#ifdef SSL_OP_NO_TLSv1_1 + if (tls_ver_min > TLS1_1_VERSION) + { + sslopt |= SSL_OP_NO_TLSv1_1; + } +#endif +#ifdef SSL_OP_NO_TLSv1_2 + if (tls_ver_min > TLS1_2_VERSION) + { + sslopt |= SSL_OP_NO_TLSv1_2; + } +#endif + SSL_CTX_set_options(ctx, sslopt); +} +#endif /* SSL_CTX_set_min_proto_version */ + +#ifndef SSL_CTX_set_max_proto_version +/** Mimics SSL_CTX_set_max_proto_version for OpenSSL < 1.1 */ +static inline void +SSL_CTX_set_max_proto_version(SSL_CTX *ctx, long tls_ver_max) +{ + long sslopt = 0; + + if (tls_ver_max < TLS1_0_VERSION) + { + sslopt |= SSL_OP_NO_TLSv1; + } +#ifdef SSL_OP_NO_TLSv1_1 + if (tls_ver_max < TLS1_1_VERSION) + { + sslopt |= SSL_OP_NO_TLSv1_1; + } +#endif +#ifdef SSL_OP_NO_TLSv1_2 + if (tls_ver_max < TLS1_2_VERSION) + { + sslopt |= SSL_OP_NO_TLSv1_2; + } +#endif + SSL_CTX_set_options(ctx, sslopt); +} +#endif /* SSL_CTX_set_max_proto_version */ + #endif /* OPENSSL_COMPAT_H_ */ diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 8e5cdf7f..81646336 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
@@ -870,6 +870,7 @@ init_options(struct options *o, const bool init_gc) #ifdef ENABLE_PREDICTION_RESISTANCE o->use_prediction_resistance = false; #endif + o->ssl_flags = (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT); o->key_method = 2; o->tls_timeout = 2; o->renegotiate_bytes = -1; diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index b782946e..b645b469 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -206,15 +206,49 @@ info_callback(INFO_CALLBACK_SSL_CONST SSL *s, int where, int ret) int tls_version_max(void) { -#if defined(SSL_OP_NO_TLSv1_2) +#if defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2) return TLS_VER_1_2; -#elif defined(SSL_OP_NO_TLSv1_1) +#elif defined(TLS1_1_VERSION) || defined(SSL_OP_NO_TLSv1_1) return TLS_VER_1_1; #else return TLS_VER_1_0; #endif } +/** Convert internal version number to openssl version number */ +static int +openssl_tls_version(int ver) +{ + if (ver == TLS_VER_1_0) + { + return TLS1_VERSION; + } + else if (ver == TLS_VER_1_1) + { + return TLS1_1_VERSION; + } + else if (ver == TLS_VER_1_2) + { + return TLS1_2_VERSION; + } + return 0; +} + +static void +tls_ctx_set_tls_versions(struct tls_root_ctx *ctx, unsigned int ssl_flags) +{ + const int tls_ver_min = + (ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK; + const int tls_ver_max = + (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK; + + SSL_CTX_set_min_proto_version(ctx->ctx, openssl_tls_version(tls_ver_min)); + if (tls_ver_max != TLS_VER_UNSPEC) + { + SSL_CTX_set_max_proto_version(ctx->ctx, openssl_tls_version(tls_ver_max)); + } +} + void tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags) { 
@@ -223,42 +257,15 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags) /* default certificate verification flags */ int flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT; - /* process SSL options including minimum TLS version we will accept from peer */ - { - long sslopt = SSL_OP_SINGLE_DH_USE | SSL_OP_NO_TICKET | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3; - int tls_ver_max = TLS_VER_UNSPEC; - const int tls_ver_min = - (ssl_flags >> SSLF_TLS_VERSION_MIN_SHIFT) & SSLF_TLS_VERSION_MIN_MASK; - - tls_ver_max = - (ssl_flags >> SSLF_TLS_VERSION_MAX_SHIFT) & SSLF_TLS_VERSION_MAX_MASK; - if (tls_ver_max <= TLS_VER_UNSPEC) - { - tls_ver_max = tls_version_max(); - } - - if (tls_ver_min > TLS_VER_1_0 || tls_ver_max < TLS_VER_1_0) - { - sslopt |= SSL_OP_NO_TLSv1; - } -#ifdef SSL_OP_NO_TLSv1_1 - if (tls_ver_min > TLS_VER_1_1 || tls_ver_max < TLS_VER_1_1) - { - sslopt |= SSL_OP_NO_TLSv1_1; - } -#endif -#ifdef SSL_OP_NO_TLSv1_2 - if (tls_ver_min > TLS_VER_1_2 || tls_ver_max < TLS_VER_1_2) - { - sslopt |= SSL_OP_NO_TLSv1_2; - } -#endif + /* process SSL options */ + long sslopt = SSL_OP_SINGLE_DH_USE | SSL_OP_NO_TICKET; #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE - sslopt |= SSL_OP_CIPHER_SERVER_PREFERENCE; + sslopt |= SSL_OP_CIPHER_SERVER_PREFERENCE; #endif - sslopt |= SSL_OP_NO_COMPRESSION; - SSL_CTX_set_options(ctx->ctx, sslopt); - } + sslopt |= SSL_OP_NO_COMPRESSION; + SSL_CTX_set_options(ctx->ctx, sslopt); + + tls_ctx_set_tls_versions(ctx, ssl_flags); #ifdef SSL_MODE_RELEASE_BUFFERS SSL_CTX_set_mode(ctx->ctx, SSL_MODE_RELEASE_BUFFERS);
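Review bot: in the openssl_compat.h hunk, both shims compare against TLS1_0_VERSION, a name this header defines itself, while the caller added in ssl_openssl.c (openssl_tls_version()) hands them TLS1_VERSION; both are 0x0301 so the comparisons work, but the `#ifndef TLS1_0_VERSION` guard can never match a library-provided definition, so the comment "TLS Version defines are new in OpenSSL 1.1" is misleading for that name. Use TLS1_VERSION in the shims and drop the TLS1_0_VERSION define. Also consider making the shims `static inline int` returning 1, matching the OpenSSL 1.1 functions they mimic, so a caller can check the result the same way on either library version.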
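Review bot: in the options.c hunk, `o->ssl_flags = (TLS_VER_1_0 << SSLF_TLS_VERSION_MIN_SHIFT);` makes TLS 1.0 the default floor on every build, including the OpenSSL 1.1 builds where, per the quoted Debian report, the library default had become TLS 1.2. That restores OpenVPN's previous behaviour, but it is a security-relevant default relative to what those users currently get and deserves a sentence in the --tls-version-min documentation and Changes.rst telling operators to set --tls-version-min explicitly if they want a higher floor. The plain assignment is only safe if nothing earlier in init_options() has set bits in ssl_flags; `|=` would be the defensive choice.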
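Review bot: in the first ssl_openssl.c hunk, openssl_tls_version() returns 0 for a value it does not recognise, and 0 means different things to the two implementations it feeds: to the real OpenSSL 1.1 SSL_CTX_set_min_proto_version()/SSL_CTX_set_max_proto_version() it means "no limit", whereas the compat SSL_CTX_set_max_proto_version() in openssl_compat.h sees `tls_ver_max < TLS1_0_VERSION` as true and clears TLS 1.0, 1.1 and 1.2, leaving no protocol enabled. tls_version_parse() keeps that from happening today, but a silent 0 is a fragile contract; ASSERT() or msg(M_FATAL) on an unmapped version in openssl_tls_version() rather than returning 0.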
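Review bot: in the tls_ctx_set_options() hunk, dropping SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 from sslopt makes the SSLv3 exclusion depend entirely on tls_ctx_set_tls_versions(): on OpenSSL < 1.1 the compat shim re-adds the flags, but on OpenSSL 1.1 it holds only if the value handed to SSL_CTX_set_min_proto_version() is at least TLS1_VERSION, and openssl_tls_version(TLS_VER_UNSPEC) returns 0, which that API reads as "lowest version the library supports". The options.c default covers normal startup, but the floor is now one unset bitfield away from the library default. Keep SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 in sslopt here as a belt-and-braces measure (they are harmless on 1.1), or map TLS_VER_UNSPEC to TLS1_VERSION for the minimum inside tls_ctx_set_tls_versions().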
From patchwork Sun Nov 26 03:15:54 2017
X-Patchwork-Submitter: Steffan Karger
X-Patchwork-Id: 97
From: Steffan Karger
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 26 Nov 2017 15:15:54 +0100
Message-Id: <20171126141555.25930-2-steffan@karger.me>
In-Reply-To: <20171126141555.25930-1-steffan@karger.me>
References: <20171126141555.25930-1-steffan@karger.me>
Subject: [Openvpn-devel] [PATCH 2/3] Add support for TLS 1.3 in --tls-version-{min, max}

Tested with the current openssl master branch for TLS 1.3 support. mbed TLS has no public builds with TLS 1.3 support yet, so nothing to do there right now.

Signed-off-by: Steffan Karger
Acked-by: Gert Doering
---
 src/openvpn/ssl.c         |  4 ++++
 src/openvpn/ssl_backend.h |  1 +
 src/openvpn/ssl_openssl.c | 10 +++++++++-
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 843bc393..d61688c5 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -530,6 +530,10 @@ tls_version_parse(const char *vstr, const char *extra) { return TLS_VER_1_2; } + else if (!strcmp(vstr, "1.3") && TLS_VER_1_3 <= max_version) + { + return TLS_VER_1_3; + } else if (extra && !strcmp(extra, "or-highest")) { return max_version; diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h index f588110c..7f6057e6 100644
--- a/src/openvpn/ssl_backend.h +++ b/src/openvpn/ssl_backend.h @@ -114,6 +114,7 @@ void tls_clear_error(void); #define TLS_VER_1_0 1 #define TLS_VER_1_1 2 #define TLS_VER_1_2 3 +#define TLS_VER_1_3 4 int tls_version_parse(const char *vstr, const char *extra); /** diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index b645b469..18c0ba5f 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -206,7 +206,9 @@ info_callback(INFO_CALLBACK_SSL_CONST SSL *s, int where, int ret) int tls_version_max(void) { -#if defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2) +#if defined(TLS1_3_VERSION) + return TLS_VER_1_3; +#elif defined(TLS1_2_VERSION) || defined(SSL_OP_NO_TLSv1_2) return TLS_VER_1_2; #elif defined(TLS1_1_VERSION) || defined(SSL_OP_NO_TLSv1_1) return TLS_VER_1_1; 
@@ -231,6 +233,12 @@ openssl_tls_version(int ver) { return TLS1_2_VERSION; } +#if defined(TLS1_3_VERSION) + else if (ver == TLS_VER_1_3) + { + return TLS1_3_VERSION; + } +#endif return 0; }
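Review bot: in the ssl.c hunk, accepting "1.3" for --tls-version-min and --tls-version-max is a user-visible change, yet the diffstat touches no documentation; add the new value to the option descriptions in the man page and to Changes.rst. Since the branch is gated on `TLS_VER_1_3 <= max_version`, also document what a build whose tls_version_max() stops at TLS_VER_1_2 (mbed TLS today) does with the string: it falls through to the or-highest check and then to whatever follows that branch outside this hunk, and a user asking for a 1.3 floor on such a build should get a clear error rather than a silently lower floor.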
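Review bot: in the ssl_backend.h hunk, TLS_VER_1_3 is 4 and so needs three bits; confirm that SSLF_TLS_VERSION_MIN_MASK and SSLF_TLS_VERSION_MAX_MASK (not shown in this series, but applied with `&` in tls_ctx_set_tls_versions()) are wide enough, because a two-bit mask would truncate it to 0 == TLS_VER_UNSPEC and silently drop the requested floor or ceiling. A comment next to the define, or a static assertion that the highest TLS_VER_* value fits the mask, would stop the next version from regressing this.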
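Review bot: in the two ssl_openssl.c hunks, `#if defined(TLS1_3_VERSION)` tests whether the headers know the constant, not whether the library was built with TLS 1.3; an OpenSSL configured with no-tls1_3 still defines TLS1_3_VERSION but also sets OPENSSL_NO_TLS1_3. Gate both tls_version_max() and the new branch in openssl_tls_version() on `defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)`, otherwise tls_version_max() advertises a ceiling the library cannot actually negotiate and `--tls-version-min 1.3` is accepted on a build that will never offer it.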
From patchwork Sun Nov 26 03:15:55 2017
X-Patchwork-Submitter: Steffan Karger
X-Patchwork-Id: 96
From: Steffan Karger
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 26 Nov 2017 15:15:55 +0100
Message-Id: <20171126141555.25930-3-steffan@karger.me>
In-Reply-To: <20171126141555.25930-1-steffan@karger.me>
References: <20171126141555.25930-1-steffan@karger.me>
Subject: [Openvpn-devel] [PATCH 3/3] tls_ctx_set_tls_versions: move verify_flags to where it is used

Minor cleanup of this function now that we are allowed to write C99: move (and rename) flags to the code where it's actually used to improve readability.

(I originally did this as part of the tls-version-{min,max} patch for openssl 1.1, but that made the diff hard to read.)

Signed-off-by: Steffan Karger
Acked-by: Gert Doering
---
 src/openvpn/ssl_openssl.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 18c0ba5f..10d161ef 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c
@@ -262,9 +262,6 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags) { ASSERT(NULL != ctx); - /* default certificate verification flags */ - int flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT; - /* process SSL options */ long sslopt = SSL_OP_SINGLE_DH_USE | SSL_OP_NO_TICKET; #ifdef SSL_OP_CIPHER_SERVER_PREFERENCE @@ -282,17 +279,18 @@ tls_ctx_set_options(struct tls_root_ctx *ctx, unsigned int ssl_flags) SSL_CTX_set_default_passwd_cb(ctx->ctx, pem_password_callback); /* Require peer certificate verification */ + int verify_flags = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT; #if P2MP_SERVER if (ssl_flags & SSLF_CLIENT_CERT_NOT_REQUIRED) { - flags = 0; + verify_flags = 0; } else if (ssl_flags & SSLF_CLIENT_CERT_OPTIONAL) { - flags = SSL_VERIFY_PEER; + verify_flags = SSL_VERIFY_PEER; } #endif - SSL_CTX_set_verify(ctx->ctx, flags, verify_callback); + SSL_CTX_set_verify(ctx->ctx, verify_flags, verify_callback); SSL_CTX_set_info_callback(ctx->ctx, info_callback); }
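Review bot: in the second hunk, the comment `/* Require peer certificate verification */` now sits directly above a block whose P2MP_SERVER branches may lower verify_flags to SSL_VERIFY_PEER alone or to 0, so a reader skimming the default line can take the requirement as unconditional; reword it along the lines of "Peer certificate verification policy; relaxed below for SSLF_CLIENT_CERT_NOT_REQUIRED / SSLF_CLIENT_CERT_OPTIONAL". Style only, the move itself is behaviour-preserving. The subject line says tls_ctx_set_tls_versions, but both hunks are in tls_ctx_set_options(); fix before merging so git log matches the code.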