[Openvpn-devel] [S] Change in openvpn[master]: Make it more explicit and visible when pkg-config is not found

2024-01-04 Thread ordex (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

ordex has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/465?usp=email )

Change subject: Make it more explicit and visible when pkg-config is not found
..


Patch Set 3: Code-Review-1

(3 comments)

Patchset:

PS3:
Other than the two comments I added in the code, the patch does what it says, 
and it makes it very straightforward to understand that pkg-config is now not 
installed.
Tested a couple of cases on my lovely gentoo and it just worked.


File configure.ac:

http://gerrit.openvpn.net/c/openvpn/+/465/comment/a58bb3dc_c4b892a1 :
PS3, Line 385:  pkg_config_found="(not found)"
am I wrong, or is there some indentation havoc here? The line above uses an 8-blank 
tab, but the lines before use 4-space indentation?

I think we uses tabs everywhere else.


http://gerrit.openvpn.net/c/openvpn/+/465/comment/5512845f_c09de864 :
PS3, Line 387:  pkg_config_found="(using ${PKG_CONFIG})"
many error messages already contain 'using pkg-config', therefore the text 
above will lead to 'using using', which sounds weird.
How about replacing 'using' with 'path:'?




Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Iebaa35a23e217a4cd7739af229cbfc08a3d8854a
Gerrit-Change-Number: 465
Gerrit-PatchSet: 3
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-Reviewer: ordex 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Thu, 04 Jan 2024 23:17:56 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [PATCH v3] Make it more explicit and visible when pkg-config is not found

2024-01-04 Thread Gert Doering
From: Arne Schwabe 

Users seem to struggle to read the full error message. This adds an
indication of whether pkg-config was actually found to the warning/error messages
that use pkg-config.

On platforms that do not require pkg-config and for optional libraries,
the existence of pkg-config is mentioned as part of the error/warning message.

When found:

configure: error: libnl-genl-3.0 package not found or too old. Is the 
development package and pkg-config (using /usr/bin/pkg-config) installed? Must 
be version 3.4.0 or newer for DCO

not found:

configure: error: libnl-genl-3.0 package not found or too old. Is the 
development package and pkg-config (not found) installed? Must be version 3.4.0 
or newer for DCO

On platforms where pkg-config is required (only Linux at the moment),
configure will abort when not detecting pkg-config:

checking for pkg-config... no
configure: error: pkg-config is required

Change-Id: Iebaa35a23e217a4cd7739af229cbfc08a3d8854a
Signed-off-by: Arne Schwabe 
Acked-by: Gert Doering 
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/465
This mail reflects revision 3 of this Change.
Acked-by according to Gerrit (reflected above):
Gert Doering 


diff --git a/configure.ac b/configure.ac
index f420612..f009fe2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -323,6 +323,7 @@
AM_CONDITIONAL([TARGET_LINUX], [true])
AC_DEFINE_UNQUOTED([TARGET_PREFIX], ["L"], [Target prefix])
have_sitnl="yes"
+   pkg_config_required="yes"
;;
*-*-solaris*)
AC_DEFINE([TARGET_SOLARIS], [1], [Are we running on Solaris?])
@@ -376,6 +377,16 @@
 AM_CONDITIONAL([CROSS_COMPILING], test "${cross_compiling}" = "yes")
 
 PKG_PROG_PKG_CONFIG
+# Add variable to print if pkg-config is found or not. Users often miss that
+if test "${PKG_CONFIG}" = ""; then
+if test "${pkg_config_required}" = "yes"; then
+AC_MSG_ERROR([pkg-config is required])
+fi
+   pkg_config_found="(not found)"
+else
+   pkg_config_found="(using ${PKG_CONFIG})"
+fi
+
 AC_PROG_CPP
 AC_PROG_INSTALL
 AC_PROG_LN_S
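Review bot: The `pkg_config_required` variable tested on the `if test "${pkg_config_required}" = "yes"` line is only ever assigned in the `*-*-linux*` arm of the earlier `case "$host"` hunk and is never initialised, so on every other host the check depends on the variable being absent — and since configure inherits its environment, a stray exported `pkg_config_required=yes` would make a missing pkg-config fatal there as well. Initialising it once before the case statement, `pkg_config_required="no"`, makes the intent explicit and removes that dependency. The `case "$host"` statement itself begins outside both hunks.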
@@ -810,7 +821,7 @@
  [libnl-genl-3.0 >= 3.4.0],
  [have_libnl="yes"],
  [
-  AC_MSG_ERROR([libnl-genl-3.0 package 
not found or too old. Is the development package and pkg-config installed? Must 
be version 3.4.0 or newer for DCO])
+  AC_MSG_ERROR([libnl-genl-3.0 package 
not found or too old. Is the development package and pkg-config 
${pkg_config_found} installed? Must be version 3.4.0 or newer for DCO])
  ]
)
CFLAGS="${CFLAGS} ${LIBNL_GENL_CFLAGS}"
@@ -854,10 +865,11 @@
 dnl
 case "$host" in
*-*-linux*)
+   # We require pkg-config
PKG_CHECK_MODULES([LIBCAPNG],
  [libcap-ng],
  [],
- [AC_MSG_ERROR([libcap-ng package not found. 
Is the development package and pkg-config installed?])]
+ [AC_MSG_ERROR([libcap-ng package not found. 
Is the development package and pkg-config ${pkg_config_found} installed?])]
)
AC_CHECK_HEADER([sys/prctl.h],,[AC_MSG_ERROR([sys/prctl.h not 
found!])])
 
@@ -878,7 +890,7 @@
[OPENSSL],
[openssl >= 1.0.2],
[have_openssl="yes"],
-   [] # If this fails, we will do another test next
+   [AC_MSG_WARN([OpenSSL not found by pkg-config 
${pkg_config_found}])] # If this fails, we will do another test next
)
OPENSSL_LIBS=${OPENSSL_LIBS:--lssl -lcrypto}
fi
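Review bot: The new `AC_MSG_WARN` in the OpenSSL action-if-not-found branch fires on every system whose OpenSSL ships without an `openssl.pc`, even when the fallback test the trailing comment refers to then succeeds, so a working build would print a warning about a problem it does not have. If the fallback is what decides the outcome (it lies outside this hunk), the message is better emitted at notice level here, `[AC_MSG_NOTICE([OpenSSL not found by pkg-config ${pkg_config_found}, trying fallback test])]`, with the warning kept for the fallback's own failure path. The PKG_CHECK_MODULES call this branch belongs to starts before the hunk.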
@@ -1083,7 +1095,7 @@
[WOLFSSL],
[wolfssl],
[],
-   [AC_MSG_ERROR([Could not find wolfSSL.])]
+   [AC_MSG_ERROR([Could not find wolfSSL using pkg-config 
${pkg_config_found}])]
)
PKG_CHECK_VAR(
[WOLFSSL_INCLUDEDIR],
@@ -1508,7 +1520,7 @@
 PKG_CHECK_MODULES(
[CMOCKA], [cmocka],
[have_cmocka="yes"],
-   [AC_MSG_WARN([cmocka.pc not found on the system.  Unit tests disabled])]
+   [AC_MSG_WARN([cmocka.pc not found on the system using pkg-config 
${pkg_config_found}.  Unit tests disabled])]
 )
 AM_CONDITIONAL([ENABLE_UNITTESTS], [test "${enable_unit_tests}" = "yes" -a 
"${have_cmocka}" = "yes" ])
 AC_SUBST([ENABLE_UNITTESTS])



[Openvpn-devel] [S] Change in openvpn[master]: Make it more explicit and visible when pkg-config is not found

2024-01-04 Thread cron2 (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/465?usp=email )

Change subject: Make it more explicit and visible when pkg-config is not found
..


Patch Set 3: Code-Review+2

(1 comment)

Patchset:

PS3:
I do like the new approach.  Hope to see a test report from ordex (he does this 
"linux" stuff, I have been told).  But I can still +2 it in the meantime and 
send to the list.




Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Iebaa35a23e217a4cd7739af229cbfc08a3d8854a
Gerrit-Change-Number: 465
Gerrit-PatchSet: 3
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Thu, 04 Jan 2024 16:29:56 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: Check PRF availability on initialisation and add --force-tls-key-mate...

2024-01-04 Thread cron2 (Code Review)
cron2 has uploaded a new patch set (#10) to the change originally created by 
plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/460?usp=email )

The following approvals got outdated and were removed:
Code-Review+2 by cron2


Change subject: Check PRF availability on initialisation and add 
--force-tls-key-material-export
..

Check PRF availability on initialisation and add --force-tls-key-material-export

We now warn the user if the TLS 1.0 PRF is not supported by the cryptographic
library of the system. Also add the option --force-tls-key-material-export,
which automatically rejects clients that do not support TLS Keying Material
Export and is automatically enabled when TLS 1.0 PRF support is not available.

Change-Id: I04f8c7c413e7cb62c726262feee6ca89c7e86c70
Signed-off-by: Arne Schwabe 
Acked-by: Gert Doering 
Message-Id: <20240104140214.32196-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27924.html
Signed-off-by: Gert Doering 
---
M doc/man-sections/protocol-options.rst
M src/openvpn/crypto.c
M src/openvpn/crypto.h
M src/openvpn/multi.c
M src/openvpn/options.c
M src/openvpn/options.h
6 files changed, 84 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/60/460/10

diff --git a/doc/man-sections/protocol-options.rst 
b/doc/man-sections/protocol-options.rst
index 948c0c8..8b061d2 100644
--- a/doc/man-sections/protocol-options.rst
+++ b/doc/man-sections/protocol-options.rst
@@ -242,3 +242,11 @@
   a key renegotiation begins (default :code:`3600` seconds). This feature
   allows for a graceful transition from old to new key, and removes the key
   renegotiation sequence from the critical path of tunnel data forwarding.
+
+--force-tls-key-material-export
+  This option is only available in --mode server and forces to use
+  Keying Material Exporters (RFC 5705) for clients. This can be used to
+  simulate an environment where the cryptographic library does not support
+  the older method to generate data channel keys anymore. This option is
+  intended to be a test option and might be removed in a future OpenVPN
+  version without notice.
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index e4452d7..2fca131 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -27,6 +27,7 @@
 #endif

 #include "syshead.h"
+#include 

 #include "crypto.h"
 #include "error.h"
@@ -1789,3 +1790,22 @@
 gc_free(&gc);
 return ret;
 }
+
+bool
+check_tls_prf_working(void)
+{
+/* Modern TLS libraries might no longer support the TLS 1.0 PRF with
+ * MD5+SHA1. This allows us to establish connections only
+ * with other 2.6.0+ OpenVPN peers.
+ * Do a simple dummy test here to see if it works. */
+const char *seed = "tls1-prf-test";
+const char *secret = "tls1-prf-test-secret";
+uint8_t out[8];
+uint8_t expected_out[] = { 'q', 'D', '\xfe', '%', '@', 's', 'u', '\x95' };
+
+int ret = ssl_tls1_PRF((uint8_t *)seed, (int) strlen(seed),
+   (uint8_t *)secret, (int) strlen(secret),
+   out, sizeof(out));
+
+return (ret && memcmp(out, expected_out, sizeof(out)) == 0);
+}
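Review bot: The eight-byte `expected_out` vector in `check_tls_prf_working` has no provenance; a one-line comment such as `/* first 8 bytes of TLS1-PRF(secret, seed) from a known-good build; regenerate if the inputs change */` would let a maintainer re-derive it rather than trust it. The `(uint8_t *)seed` and `(uint8_t *)secret` casts discard `const`, which suggests the `ssl_tls1_PRF` prototype (outside this hunk) takes non-const input; if so, a const-correct prototype would remove the casts. The function also treats any non-zero `ret` as success, which is only right if `ssl_tls1_PRF` reports a boolean result rather than a length — worth confirming against its definition. Identical copies of this hunk appear in the later messages on this page (the submitted change, v9 and patch set 9), and this note applies to each of them.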
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 9255d38..4201524 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -593,4 +593,12 @@
 return kt;
 }

+/**
+ * Checks if the current TLS library supports the TLS 1.0 PRF with MD5+SHA1
+ * that OpenVPN uses when TLS Keying Material Export is not available.
+ *
+ * @return  true if supported, false otherwise.
+ */
+bool check_tls_prf_working(void);
+
 #endif /* CRYPTO_H */
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 8b490ed..f4f0b8a 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -1830,6 +1830,16 @@
 {
 o->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
 }
+else if (o->force_key_material_export)
+{
+msg(M_INFO, "PUSH: client does not support TLS Keying Material "
+"Exporters but --force-tls-key-material-export is enabled.");
+auth_set_client_reason(tls_multi, "Client incompatible with this "
+   "server. Keying Material Exporters (RFC 5705) "
+   "support missing. Upgrade to a client that "
+   "supports this feature (OpenVPN 2.6.0+).");
+return false;
+}
 if (proto & IV_PROTO_DYN_TLS_CRYPT)
 {
 o->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
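Review bot: The new `else if (o->force_key_material_export)` branch has no comment explaining why a client is refused at this point, and its `return false` also skips the remaining `IV_PROTO_*` imports below it, which is presumably intentional but not obvious to a reader. A short comment above the branch, `/* --force-tls-key-material-export: refuse clients that cannot use RFC 5705 exporters rather than falling back to the TLS 1.0 PRF key derivation. */`, would state both. The `if` this branch is chained to and the enclosing function both begin before the hunk; identical copies of this hunk appear in the later messages on this page.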
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index e498114..1b28a19 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -1561,6 +1561,7 @@
 SHOW_STR(auth_user_pass_verify_script);
 SHOW_BOOL(auth_user_pass_verify_script_via_file);
 SHOW_BOOL(auth_token_generate);
+SHOW_BOOL(force_key_material_export);
 SHOW_INT(auth_token_lifetime);
 S

[Openvpn-devel] [M] Change in openvpn[master]: Check PRF availability on initialisation and add --force-tls-key-mate...

2024-01-04 Thread cron2 (Code Review)
cron2 has submitted this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/460?usp=email )

Change subject: Check PRF availability on initialisation and add 
--force-tls-key-material-export
..

Check PRF availability on initialisation and add --force-tls-key-material-export

We now warn the user if the TLS 1.0 PRF is not supported by the cryptographic
library of the system. Also add the option --force-tls-key-material-export,
which automatically rejects clients that do not support TLS Keying Material
Export and is automatically enabled when TLS 1.0 PRF support is not available.

Change-Id: I04f8c7c413e7cb62c726262feee6ca89c7e86c70
Signed-off-by: Arne Schwabe 
Acked-by: Gert Doering 
Message-Id: <20240104140214.32196-1-g...@greenie.muc.de>
URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27924.html
Signed-off-by: Gert Doering 
---
M doc/man-sections/protocol-options.rst
M src/openvpn/crypto.c
M src/openvpn/crypto.h
M src/openvpn/multi.c
M src/openvpn/options.c
M src/openvpn/options.h
6 files changed, 84 insertions(+), 0 deletions(-)




diff --git a/doc/man-sections/protocol-options.rst 
b/doc/man-sections/protocol-options.rst
index 948c0c8..8b061d2 100644
--- a/doc/man-sections/protocol-options.rst
+++ b/doc/man-sections/protocol-options.rst
@@ -242,3 +242,11 @@
   a key renegotiation begins (default :code:`3600` seconds). This feature
   allows for a graceful transition from old to new key, and removes the key
   renegotiation sequence from the critical path of tunnel data forwarding.
+
+--force-tls-key-material-export
+  This option is only available in --mode server and forces to use
+  Keying Material Exporters (RFC 5705) for clients. This can be used to
+  simulate an environment where the cryptographic library does not support
+  the older method to generate data channel keys anymore. This option is
+  intended to be a test option and might be removed in a future OpenVPN
+  version without notice.
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index e4452d7..2fca131 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -27,6 +27,7 @@
 #endif

 #include "syshead.h"
+#include 

 #include "crypto.h"
 #include "error.h"
@@ -1789,3 +1790,22 @@
 gc_free(&gc);
 return ret;
 }
+
+bool
+check_tls_prf_working(void)
+{
+/* Modern TLS libraries might no longer support the TLS 1.0 PRF with
+ * MD5+SHA1. This allows us to establish connections only
+ * with other 2.6.0+ OpenVPN peers.
+ * Do a simple dummy test here to see if it works. */
+const char *seed = "tls1-prf-test";
+const char *secret = "tls1-prf-test-secret";
+uint8_t out[8];
+uint8_t expected_out[] = { 'q', 'D', '\xfe', '%', '@', 's', 'u', '\x95' };
+
+int ret = ssl_tls1_PRF((uint8_t *)seed, (int) strlen(seed),
+   (uint8_t *)secret, (int) strlen(secret),
+   out, sizeof(out));
+
+return (ret && memcmp(out, expected_out, sizeof(out)) == 0);
+}
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 9255d38..4201524 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -593,4 +593,12 @@
 return kt;
 }

+/**
+ * Checks if the current TLS library supports the TLS 1.0 PRF with MD5+SHA1
+ * that OpenVPN uses when TLS Keying Material Export is not available.
+ *
+ * @return  true if supported, false otherwise.
+ */
+bool check_tls_prf_working(void);
+
 #endif /* CRYPTO_H */
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 8b490ed..f4f0b8a 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -1830,6 +1830,16 @@
 {
 o->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
 }
+else if (o->force_key_material_export)
+{
+msg(M_INFO, "PUSH: client does not support TLS Keying Material "
+"Exporters but --force-tls-key-material-export is enabled.");
+auth_set_client_reason(tls_multi, "Client incompatible with this "
+   "server. Keying Material Exporters (RFC 5705) "
+   "support missing. Upgrade to a client that "
+   "supports this feature (OpenVPN 2.6.0+).");
+return false;
+}
 if (proto & IV_PROTO_DYN_TLS_CRYPT)
 {
 o->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index e498114..1b28a19 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -1561,6 +1561,7 @@
 SHOW_STR(auth_user_pass_verify_script);
 SHOW_BOOL(auth_user_pass_verify_script_via_file);
 SHOW_BOOL(auth_token_generate);
+SHOW_BOOL(force_key_material_export);
 SHOW_INT(auth_token_lifetime);
 SHOW_STR_INLINE(auth_token_secret_file);
 #if PORT_SHARE
@@ -2802,6 +2803,11 @@
 {
 msg(M_USAGE, "--vlan-tagging requires --mode server");
 }
+
+if (options->force_key_mate

[Openvpn-devel] [PATCH applied] Re: Check PRF availability on initialisation and add --force-tls-key-material-export

2024-01-04 Thread Gert Doering
Previous versions of the patch had issues with string concatenation
(missing whitespace) - all fixed.  Also, the manpage would claim
auto-activation of the feature, which it didn't -> fixed as well :-)

Testing with manual activation of --force-tls-key-material-export led
to the expected result - 2.6 clients could connect fine, 2.5 and earlier
were refused with a clear message:

  2024-01-03 18:35:45 AUTH: Received control message: AUTH_FAILED,Client 
incompatible with this server. Keying Material Exporters (RFC 5705) support 
missing. Upgrade to a client that supports this feature (OpenVPN 2.6.0+).

and on the server

  2024-01-03 18:37:52 us=455522 
cron2-freebsd-tc-amd64-25/2001:608:0:814::f000:21 peer-id=0 PUSH: client does 
not support TLS key material exportbut --force-tls-key-material-export is 
enabled.

so, this should help people hitting such a scenario to much better understand
what is happening, and what they can do about it.


For completeness I've tried to test this on a FreeBSD 14 system with
"--providers fips", but failed to set up OpenSSL/FIPS in a way that
actually did anything useful...  so I broke check_tls_prf_working()
manually, and the expected "auto-enable option" part works too (in v9).

Your patch has been applied to the master and release/2.6 branch (long-
term compat and better diagnostics).

commit fa7960961415fa4f368e9bbb39dc4047680ff30c (master)
commit b29ada314cc79497a1e50e29b4b72dede2955b3d (release/2.6)
Author: Arne Schwabe
Date:   Thu Jan 4 15:02:14 2024 +0100

 Check PRF availability on initialisation and add 
--force-tls-key-material-export

 Signed-off-by: Arne Schwabe 
 Acked-by: Gert Doering 
 Message-Id: <20240104140214.32196-1-g...@greenie.muc.de>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27924.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





[Openvpn-devel] [PATCH applied] Re: Check PRF availability on initialisation and add --force-tls-key-material-export

2024-01-04 Thread Gert Doering
Previous versions of the patch had issues with string concatenation
(missing whitespace) - all fixed.  Also, the manpage would claim
auto-activation of the feature, which it didn't -> fixed as well :-)

Testing with manual activation of --force-tls-key-material-export led
to the expected result - 2.6 clients could connect fine, 2.5 and earlier
were refused with a clear message:

  2024-01-03 18:35:45 AUTH: Received control message: AUTH_FAILED,Client 
incompatible with this server. Keying Material Exporters (RFC 5705) support 
missing. Upgrade to a client that supports this feature (OpenVPN 2.6.0+).

and on the server

  2024-01-03 18:37:52 us=455522 
cron2-freebsd-tc-amd64-25/2001:608:0:814::f000:21 peer-id=0 PUSH: client does 
not support TLS key material exportbut --force-tls-key-material-export is 
enabled.

so, this should help people hitting such a scenario to much better understand
what is happening, and what they can do about it.


For completeness I've tried to test this on a FreeBSD 14 system with
"--providers fips", but failed to set up OpenSSL/FIPS in a way that
actually did anything useful...  so I broke check_tls_prf_working()
manually, and the expected "auto-enable option" part works too.  <<< NAK!


Your patch has been applied to the master and release/2.6 branch (long-
term compat and better diagnostics).

commit 3278524247f07f6d541d29d8ca8d4fafcb623054 (master)
commit 425f7d644876755deff1946c0a3aa16f15af4adb (release/2.6)
Author: Arne Schwabe
Date:   Tue Jan 2 13:51:49 2024 +0100

 Check PRF availability on initialisation and add 
--force-tls-key-material-export

 Signed-off-by: Arne Schwabe 
 Acked-by: Gert Doering 
 Message-Id: <20240102125149.4595-1-g...@greenie.muc.de>
 URL: 
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg27903.html
 Signed-off-by: Gert Doering 


--
kind regards,

Gert Doering





[Openvpn-devel] [PATCH v9] Check PRF availability on initialisation and add --force-tls-key-material-export

2024-01-04 Thread Gert Doering
From: Arne Schwabe 

We now warn the user if the TLS 1.0 PRF is not supported by the cryptographic
library of the system. Also add the option --force-tls-key-material-export,
which automatically rejects clients that do not support TLS Keying Material
Export and is automatically enabled when TLS 1.0 PRF support is not available.

Change-Id: I04f8c7c413e7cb62c726262feee6ca89c7e86c70
Signed-off-by: Arne Schwabe 
Acked-by: Gert Doering 
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/460
This mail reflects revision 9 of this Change.
Acked-by according to Gerrit (reflected above):
Gert Doering 


diff --git a/doc/man-sections/protocol-options.rst 
b/doc/man-sections/protocol-options.rst
index 948c0c8..8b061d2 100644
--- a/doc/man-sections/protocol-options.rst
+++ b/doc/man-sections/protocol-options.rst
@@ -242,3 +242,11 @@
   a key renegotiation begins (default :code:`3600` seconds). This feature
   allows for a graceful transition from old to new key, and removes the key
   renegotiation sequence from the critical path of tunnel data forwarding.
+
+--force-tls-key-material-export
+  This option is only available in --mode server and forces to use
+  Keying Material Exporters (RFC 5705) for clients. This can be used to
+  simulate an environment where the cryptographic library does not support
+  the older method to generate data channel keys anymore. This option is
+  intended to be a test option and might be removed in a future OpenVPN
+  version without notice.
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index e4452d7..2fca131 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -27,6 +27,7 @@
 #endif
 
 #include "syshead.h"
+#include 
 
 #include "crypto.h"
 #include "error.h"
@@ -1789,3 +1790,22 @@
 gc_free(&gc);
 return ret;
 }
+
+bool
+check_tls_prf_working(void)
+{
+/* Modern TLS libraries might no longer support the TLS 1.0 PRF with
+ * MD5+SHA1. This allows us to establish connections only
+ * with other 2.6.0+ OpenVPN peers.
+ * Do a simple dummy test here to see if it works. */
+const char *seed = "tls1-prf-test";
+const char *secret = "tls1-prf-test-secret";
+uint8_t out[8];
+uint8_t expected_out[] = { 'q', 'D', '\xfe', '%', '@', 's', 'u', '\x95' };
+
+int ret = ssl_tls1_PRF((uint8_t *)seed, (int) strlen(seed),
+   (uint8_t *)secret, (int) strlen(secret),
+   out, sizeof(out));
+
+return (ret && memcmp(out, expected_out, sizeof(out)) == 0);
+}
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 9255d38..4201524 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -593,4 +593,12 @@
 return kt;
 }
 
+/**
+ * Checks if the current TLS library supports the TLS 1.0 PRF with MD5+SHA1
+ * that OpenVPN uses when TLS Keying Material Export is not available.
+ *
+ * @return  true if supported, false otherwise.
+ */
+bool check_tls_prf_working(void);
+
 #endif /* CRYPTO_H */
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 8b490ed..f4f0b8a 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -1830,6 +1830,16 @@
 {
 o->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
 }
+else if (o->force_key_material_export)
+{
+msg(M_INFO, "PUSH: client does not support TLS Keying Material "
+"Exporters but --force-tls-key-material-export is enabled.");
+auth_set_client_reason(tls_multi, "Client incompatible with this "
+   "server. Keying Material Exporters (RFC 5705) "
+   "support missing. Upgrade to a client that "
+   "supports this feature (OpenVPN 2.6.0+).");
+return false;
+}
 if (proto & IV_PROTO_DYN_TLS_CRYPT)
 {
 o->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index e498114..1b28a19 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -1561,6 +1561,7 @@
 SHOW_STR(auth_user_pass_verify_script);
 SHOW_BOOL(auth_user_pass_verify_script_via_file);
 SHOW_BOOL(auth_token_generate);
+SHOW_BOOL(force_key_material_export);
 SHOW_INT(auth_token_lifetime);
 SHOW_STR_INLINE(auth_token_secret_file);
 #if PORT_SHARE
@@ -2802,6 +2803,11 @@
 {
 msg(M_USAGE, "--vlan-tagging requires --mode server");
 }
+
+if (options->force_key_material_export)
+{
+msg(M_USAGE, "--force-tls-key-material-export requires --mode 
server");
+}
 }
 
 /*
@@ -3634,6 +3640,30 @@
 }
 
 static void
+options_process_mutate_prf(struct options *o)
+{
+if (!check_tls_prf_working())
+{
+msg(D_TLS_ERRORS, "Warning: TLS 1.0 PRF with MD5+SHA1 PRF is not "
+"supported by the TLS library. Your system does not suppo

[Openvpn-devel] [M] Change in openvpn[master]: Check PRF availability on initialisation and add --force-tls-key-mate...

2024-01-04 Thread cron2 (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

cron2 has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/460?usp=email )

Change subject: Check PRF availability on initialisation and add 
--force-tls-key-material-export
..


Patch Set 9: Code-Review+2

(1 comment)

Patchset:

PS9:
back to +2 - manipulating expected_out or setting ret=0 now leads to "it 
failed!" and the code as is pretends the PRF worked.  Didn't test FIPS mode, 
but "set ret=0" as a test case should be good enough.




Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I04f8c7c413e7cb62c726262feee6ca89c7e86c70
Gerrit-Change-Number: 460
Gerrit-PatchSet: 9
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: plaisthos 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Thu, 04 Jan 2024 14:01:55 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: Yes
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: Check PRF availability on initialisation and add --force-tls-key-mate...

2024-01-04 Thread plaisthos (Code Review)
Attention is currently required from: cron2, flichtenheld.

plaisthos has posted comments on this change. ( 
http://gerrit.openvpn.net/c/openvpn/+/460?usp=email )

Change subject: Check PRF availability on initialisation and add 
--force-tls-key-material-export
..


Patch Set 8:

(1 comment)

File src/openvpn/crypto.c:

http://gerrit.openvpn.net/c/openvpn/+/460/comment/46b9a5e4_f4d733cf :
PS8, Line 1809: return (ret && memcmp(out, expected_out, sizeof(out)) != 0);
> It pains me to return to "-2" again, but there is something really weird 
> going on here - to see what […]
Oh my god, I really butchered that one.




Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I04f8c7c413e7cb62c726262feee6ca89c7e86c70
Gerrit-Change-Number: 460
Gerrit-PatchSet: 8
Gerrit-Owner: plaisthos 
Gerrit-Reviewer: cron2 
Gerrit-Reviewer: flichtenheld 
Gerrit-CC: openvpn-devel 
Gerrit-Attention: cron2 
Gerrit-Attention: flichtenheld 
Gerrit-Comment-Date: Thu, 04 Jan 2024 12:45:54 +
Gerrit-HasComments: Yes
Gerrit-Has-Labels: No
Comment-In-Reply-To: cron2 
Gerrit-MessageType: comment


[Openvpn-devel] [M] Change in openvpn[master]: Check PRF availability on initialisation and add --force-tls-key-mate...

2024-01-04 Thread plaisthos (Code Review)
Attention is currently required from: flichtenheld, plaisthos.

Hello cron2, flichtenheld,

I'd like you to reexamine a change. Please visit

http://gerrit.openvpn.net/c/openvpn/+/460?usp=email

to look at the new patch set (#9).


Change subject: Check PRF availability on initialisation and add 
--force-tls-key-material-export
..

Check PRF availability on initialisation and add --force-tls-key-material-export

We now warn the user if the TLS 1.0 PRF is not supported by the cryptographic
library of the system. Also add the option --force-tls-key-material-export,
which automatically rejects clients that do not support TLS Keying Material
Export and is automatically enabled when TLS 1.0 PRF support is not available.

Change-Id: I04f8c7c413e7cb62c726262feee6ca89c7e86c70
Signed-off-by: Arne Schwabe 
---
M doc/man-sections/protocol-options.rst
M src/openvpn/crypto.c
M src/openvpn/crypto.h
M src/openvpn/multi.c
M src/openvpn/options.c
M src/openvpn/options.h
6 files changed, 84 insertions(+), 0 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/60/460/9

diff --git a/doc/man-sections/protocol-options.rst 
b/doc/man-sections/protocol-options.rst
index 948c0c8..8b061d2 100644
--- a/doc/man-sections/protocol-options.rst
+++ b/doc/man-sections/protocol-options.rst
@@ -242,3 +242,11 @@
   a key renegotiation begins (default :code:`3600` seconds). This feature
   allows for a graceful transition from old to new key, and removes the key
   renegotiation sequence from the critical path of tunnel data forwarding.
+
+--force-tls-key-material-export
+  This option is only available in --mode server and forces to use
+  Keying Material Exporters (RFC 5705) for clients. This can be used to
+  simulate an environment where the cryptographic library does not support
+  the older method to generate data channel keys anymore. This option is
+  intended to be a test option and might be removed in a future OpenVPN
+  version without notice.
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index e4452d7..2fca131 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -27,6 +27,7 @@
 #endif

 #include "syshead.h"
+#include 

 #include "crypto.h"
 #include "error.h"
@@ -1789,3 +1790,22 @@
 gc_free(&gc);
 return ret;
 }
+
+bool
+check_tls_prf_working(void)
+{
+/* Modern TLS libraries might no longer support the TLS 1.0 PRF with
+ * MD5+SHA1. This allows us to establish connections only
+ * with other 2.6.0+ OpenVPN peers.
+ * Do a simple dummy test here to see if it works. */
+const char *seed = "tls1-prf-test";
+const char *secret = "tls1-prf-test-secret";
+uint8_t out[8];
+uint8_t expected_out[] = { 'q', 'D', '\xfe', '%', '@', 's', 'u', '\x95' };
+
+int ret = ssl_tls1_PRF((uint8_t *)seed, (int) strlen(seed),
+   (uint8_t *)secret, (int) strlen(secret),
+   out, sizeof(out));
+
+return (ret && memcmp(out, expected_out, sizeof(out)) == 0);
+}
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 9255d38..4201524 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -593,4 +593,12 @@
 return kt;
 }

+/**
+ * Checks if the current TLS library supports the TLS 1.0 PRF with MD5+SHA1
+ * that OpenVPN uses when TLS Keying Material Export is not available.
+ *
+ * @return  true if supported, false otherwise.
+ */
+bool check_tls_prf_working(void);
+
 #endif /* CRYPTO_H */
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 8b490ed..f4f0b8a 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -1830,6 +1830,16 @@
 {
 o->imported_protocol_flags |= CO_USE_TLS_KEY_MATERIAL_EXPORT;
 }
+else if (o->force_key_material_export)
+{
+msg(M_INFO, "PUSH: client does not support TLS Keying Material "
+"Exporters but --force-tls-key-material-export is enabled.");
+auth_set_client_reason(tls_multi, "Client incompatible with this "
+   "server. Keying Material Exporters (RFC 5705) "
+   "support missing. Upgrade to a client that "
+   "supports this feature (OpenVPN 2.6.0+).");
+return false;
+}
 if (proto & IV_PROTO_DYN_TLS_CRYPT)
 {
 o->imported_protocol_flags |= CO_USE_DYNAMIC_TLS_CRYPT;
diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index e498114..1b28a19 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -1561,6 +1561,7 @@
 SHOW_STR(auth_user_pass_verify_script);
 SHOW_BOOL(auth_user_pass_verify_script_via_file);
 SHOW_BOOL(auth_token_generate);
+SHOW_BOOL(force_key_material_export);
 SHOW_INT(auth_token_lifetime);
 SHOW_STR_INLINE(auth_token_secret_file);
 #if PORT_SHARE
@@ -2802,6 +2803,11 @@
 {
 msg(M_USAGE, "--vlan-tagging requires --mode server");
 }
+
+if (op