Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld,
I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/683?usp=email to review the following change. Change subject: Check that tls-version-min is supported on startup ...................................................................... Check that tls-version-min is supported on startup After disabling TLS 1.0 and 1.1 in the mbedtls build, the client would error out during startup if tls-version-min was set to 1.0 or 1.1, but the server would start up and only error out when a client attempts to connect. This commit checks that tls-version-min is supported during startup so that both the client and server error out on startup. Change-Id: Ifc589854816842e46969a76e2845084b3aaa962f Signed-off-by: Max Fillinger <maximilian.fillin...@foxcrypto.com> --- M src/openvpn/options.c M src/openvpn/ssl.c M src/openvpn/ssl_backend.h M src/openvpn/ssl_mbedtls.c M src/openvpn/ssl_openssl.c 5 files changed, 31 insertions(+), 6 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/83/683/1 diff --git a/src/openvpn/options.c b/src/openvpn/options.c index f2c7536..f8287f2 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c @@ -8933,7 +8933,7 @@ ver = tls_version_parse(p[1], p[2]); if (ver == TLS_VER_BAD) { - msg(msglevel, "unknown tls-version-min parameter: %s", p[1]); + msg(msglevel, "unknown or unsupported tls-version-min parameter: %s", p[1]); goto err; } options->ssl_flags &= @@ -8947,7 +8947,7 @@ ver = tls_version_parse(p[1], NULL); if (ver == TLS_VER_BAD) { - msg(msglevel, "unknown tls-version-max parameter: %s", p[1]); + msg(msglevel, "unknown or unsupported tls-version-max parameter: %s", p[1]); goto err; } options->ssl_flags &= diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c index 2054eb4..1d3fdcd 100644 --- a/src/openvpn/ssl.c +++ b/src/openvpn/ssl.c @@ -405,20 +405,21 @@ int tls_version_parse(const char *vstr, const char *extra) { + const int min_version = tls_version_min(); const int max_version = tls_version_max(); - if (!strcmp(vstr, "1.0") && TLS_VER_1_0 <= max_version) + if (!strcmp(vstr, "1.0") && min_version <= TLS_VER_1_0 && TLS_VER_1_0 <= max_version) { return TLS_VER_1_0; } - else if (!strcmp(vstr, "1.1") && TLS_VER_1_1 <= max_version) + else if (!strcmp(vstr, "1.1") && min_version <= TLS_VER_1_1 && TLS_VER_1_1 <= max_version) { return TLS_VER_1_1; } - else if (!strcmp(vstr, "1.2") && TLS_VER_1_2 <= max_version) + else if (!strcmp(vstr, "1.2") && min_version <= TLS_VER_1_2 && TLS_VER_1_2 <= max_version) { return TLS_VER_1_2; } - else if (!strcmp(vstr, "1.3") && TLS_VER_1_3 <= max_version) + else if (!strcmp(vstr, "1.3") && min_version <= TLS_VER_1_3 && TLS_VER_1_3 <= max_version) { return TLS_VER_1_3; } diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h index 285705f..ef1347b 100644 --- a/src/openvpn/ssl_backend.h +++ b/src/openvpn/ssl_backend.h @@ -117,6 +117,14 @@ int tls_version_max(void); /** + * Return the minimum TLS version (as a TLS_VER_x constant) + * supported by current SSL implementation + * + * @return One of the TLS_VER_x constants (but not TLS_VER_BAD). + */ +int tls_version_min(void); + +/** * Initialise a library-specific TLS context for a server. * * @param ctx TLS context to initialise diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c index bb88da9..de7efed 100644 --- a/src/openvpn/ssl_mbedtls.c +++ b/src/openvpn/ssl_mbedtls.c @@ -1049,6 +1049,16 @@ #endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */ } +int +tls_version_min(void) +{ +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + return TLS_VER_1_2; +#else + #error "mbedtls is compiled without support for TLS 1.2." +#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */ +} + /** * Convert an OpenVPN tls-version variable to mbed TLS format * diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index e8a30a3..352f7fb 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -231,6 +231,12 @@ #endif } +int +tls_version_min(void) +{ + return TLS_VER_1_0; +} + /** Convert internal version number to openssl version number */ static int openssl_tls_version(int ver) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/683?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ifc589854816842e46969a76e2845084b3aaa962f Gerrit-Change-Number: 683 Gerrit-PatchSet: 1 Gerrit-Owner: MaxF <m...@max-fillinger.net> Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com> Gerrit-Reviewer: plaisthos <arne-open...@rfc2549.org> Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net> Gerrit-Attention: plaisthos <arne-open...@rfc2549.org> Gerrit-Attention: flichtenheld <fr...@lichtenheld.com> Gerrit-MessageType: newchange
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel