Hello,

   As per https://community.openvpn.net/openvpn/ticket/1460, the current OpenVPN master fails when activating a TLS 1.3 group implemented in an external provider.

The patch attached fixes this and enables successful OpenSSL key establishment using any of the quantum-safe and hybrid (classic/QSC) algorithms supported by https://github.com/open-quantum-safe/oqs-provider

Regards,

--Michael
index b8595174..73ab4b6a 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -572,7 +572,9 @@ void
 tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
 {
     ASSERT(ctx);
-    struct gc_arena gc = gc_new();
+    char *f = strstr(groups, "secp256r1");
+    int rc;
+    
     /* This method could be as easy as
      *  SSL_CTX_set1_groups_list(ctx->ctx, groups)
      * but OpenSSL does not like the name secp256r1 for prime256v1
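Review bot: `strstr(groups, "secp256r1")` on the first added line matches that text anywhere in the string rather than as a whole colon-separated entry, and it finds only the first occurrence. A list that names secp256r1 twice keeps the second copy unrenamed, and a provider group whose name merely contains that text would have its name altered before it reaches OpenSSL. Comparing entry by entry, as the removed loop did with `streq(token, "secp256r1")`, keeps the rename exact. The function body continues in the next hunk.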
@@ -580,43 +582,26 @@ tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups)
      * To support the same name for OpenSSL and mbedTLS, we do
      * this dance.
      */
-
-    int groups_count = get_num_elements(groups, ':');
-
-    int *glist;
-    /* Allocate an array for them */
-    ALLOC_ARRAY_CLEAR_GC(glist, int, groups_count, &gc);
-
-    /* Parse allowed ciphers, getting IDs */
-    int glistlen = 0;
-    char *tmp_groups = string_alloc(groups, &gc);
-
-    const char *token;
-    while ((token = strsep(&tmp_groups, ":")))
-    {
-        if (streq(token, "secp256r1"))
-        {
-            token = "prime256v1";
-        }
-        int nid = OBJ_sn2nid(token);
-
-        if (nid == 0)
-        {
-            msg(M_WARN, "Warning unknown curve/group specified: %s", token);
-        }
-        else
-        {
-            glist[glistlen] = nid;
-            glistlen++;
-        }
+    if (f) {
+         char *new_groups_list = malloc(strlen(groups)+2);
+	 char * idx = new_groups_list;
+	 memcpy(idx, groups, (f-groups));
+	 idx += (f-groups);
+	 memcpy(idx, "prime256v1", strlen("prime256v1"));
+	 idx += strlen("prime256v1");
+	 memcpy(idx, f+strlen("secp256r1"), strlen(groups)-(f-groups)-strlen("secp256r1"));
+	 new_groups_list[strlen(groups)+1] = '\0';
+
+	 rc = SSL_CTX_set1_groups_list(ctx->ctx, new_groups_list);
+	 free(new_groups_list);
     }
+    else
+	 rc = SSL_CTX_set1_groups_list(ctx->ctx, groups);
 
-    if (!SSL_CTX_set1_groups(ctx->ctx, glist, glistlen))
-    {
+    if (!rc) {
         crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s",
                    groups);
     }
-    gc_free(&gc);
 }
 
 void
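Review bot: The result of `malloc(strlen(groups)+2)` in the `if (f)` branch is passed to `memcpy` without a NULL check, so an allocation failure becomes a write through a NULL pointer instead of a clean exit. Add `check_malloc_return(new_groups_list);` right after the allocation, or keep the removed `gc_arena` and allocate from it so that the explicit `free` is not needed. Separately, the removed loop warned about an unknown name and skipped it, while the new code hands the whole list to `SSL_CTX_set1_groups_list` and reaches `M_FATAL` when that call returns 0. If OpenSSL rejects the list because of a single unknown name (worth confirming against the supported OpenSSL versions), configurations that previously only warned will now abort, which deserves a sentence in the comment above the code or in the commit message. The added lines also introduce tabs and same-line braces into a function that otherwise uses spaces and braces on their own line.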
