[Openvpn-devel] [M] Change in openvpn[master]: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/457?usp=email ) Change subject: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs .. Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs OpenSSL 3.0 introduced a new API for doing key derivation. So this leaves us now with three different implementation for 1.0.2, 1.1.x and 3.x. This was initially done to maybe still have a working TLS 1.0 PRF when using OpenSSL 3.0 in FIPS but it gives the same error as with the older API. But since moving to a new API is always good, we use the new API when using OpenSSL 3.0. We also print the internal OpenSSL error message when the KDF fails. This also allows us now to compile an OpenSSL build that has been built with OPENSSL_NO_MD5. Which is not yet common but might be in the future. Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240209110629.15364-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28203.html Signed-off-by: Gert Doering --- M src/openvpn/crypto_openssl.c 1 file changed, 51 insertions(+), 1 deletion(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index e8ddf14..4fd5e6b 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -54,6 +54,7 @@ #endif #if OPENSSL_VERSION_NUMBER >= 0x3000L #include +#include #endif #if defined(_WIN32) && defined(OPENSSL_NO_EC) @@ -1329,8 +1330,57 @@ { return CRYPTO_memcmp(a, b, size); } +#if (OPENSSL_VERSION_NUMBER >= 0x3000L) && !defined(LIBRESSL_VERSION_NUMBER) +bool +ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, + int secret_len, uint8_t *output, int output_len) +{ +bool ret = true; +EVP_KDF_CTX *kctx = NULL; -#if (OPENSSL_VERSION_NUMBER >= 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER) + +EVP_KDF *kdf = EVP_KDF_fetch(NULL, "TLS1-PRF", NULL); +if (!kdf) +{ +goto err; +} + +kctx = EVP_KDF_CTX_new(kdf); + +if (!kctx) +{ +goto err; +} + +OSSL_PARAM params[4]; + +/* The OpenSSL APIs require us to cast the const aways even though the + * strings are never changed and only read */ +params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, + SN_md5_sha1, strlen(SN_md5_sha1)); +params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, + (uint8_t *) secret, (size_t) secret_len); +params[2] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, + (uint8_t *) seed, (size_t) seed_len); +params[3] = OSSL_PARAM_construct_end(); + +if (EVP_KDF_derive(kctx, output, output_len, params) <= 0) +{ +crypto_msg(D_TLS_DEBUG_LOW, "Generating TLS 1.0 PRF using " + "EVP_KDF_derive failed"); +goto err; +} + +goto out; + +err: +ret = false; +out: +EVP_KDF_free(kdf); + +return ret; +} +#elif (OPENSSL_VERSION_NUMBER >= 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Gerrit-Change-Number: 457 Gerrit-PatchSet: 9 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-MessageType: merged ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs
cron2 has uploaded a new patch set (#9) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/457?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by flichtenheld Change subject: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs .. Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs OpenSSL 3.0 introduced a new API for doing key derivation. So this leaves us now with three different implementation for 1.0.2, 1.1.x and 3.x. This was initially done to maybe still have a working TLS 1.0 PRF when using OpenSSL 3.0 in FIPS but it gives the same error as with the older API. But since moving to a new API is always good, we use the new API when using OpenSSL 3.0. We also print the internal OpenSSL error message when the KDF fails. This also allows us now to compile an OpenSSL build that has been built with OPENSSL_NO_MD5. Which is not yet common but might be in the future. Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld Message-Id: <20240209110629.15364-1-fr...@lichtenheld.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28203.html Signed-off-by: Gert Doering --- M src/openvpn/crypto_openssl.c 1 file changed, 51 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/57/457/9 diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index e8ddf14..4fd5e6b 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -54,6 +54,7 @@ #endif #if OPENSSL_VERSION_NUMBER >= 0x3000L #include +#include #endif #if defined(_WIN32) && defined(OPENSSL_NO_EC) @@ -1329,8 +1330,57 @@ { return CRYPTO_memcmp(a, b, size); } +#if (OPENSSL_VERSION_NUMBER >= 0x3000L) && !defined(LIBRESSL_VERSION_NUMBER) +bool +ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, + int secret_len, uint8_t *output, int output_len) +{ +bool ret = true; +EVP_KDF_CTX *kctx = NULL; -#if (OPENSSL_VERSION_NUMBER >= 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER) + +EVP_KDF *kdf = EVP_KDF_fetch(NULL, "TLS1-PRF", NULL); +if (!kdf) +{ +goto err; +} + +kctx = EVP_KDF_CTX_new(kdf); + +if (!kctx) +{ +goto err; +} + +OSSL_PARAM params[4]; + +/* The OpenSSL APIs require us to cast the const aways even though the + * strings are never changed and only read */ +params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, + SN_md5_sha1, strlen(SN_md5_sha1)); +params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, + (uint8_t *) secret, (size_t) secret_len); +params[2] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, + (uint8_t *) seed, (size_t) seed_len); +params[3] = OSSL_PARAM_construct_end(); + +if (EVP_KDF_derive(kctx, output, output_len, params) <= 0) +{ +crypto_msg(D_TLS_DEBUG_LOW, "Generating TLS 1.0 PRF using " + "EVP_KDF_derive failed"); +goto err; +} + +goto out; + +err: +ret = false; +out: +EVP_KDF_free(kdf); + +return ret; +} +#elif (OPENSSL_VERSION_NUMBER >= 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Gerrit-Change-Number: 457 Gerrit-PatchSet: 9 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs
Attention is currently required from: plaisthos. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/457?usp=email ) Change subject: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs .. Patch Set 8: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Gerrit-Change-Number: 457 Gerrit-PatchSet: 8 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Comment-Date: Fri, 09 Feb 2024 11:04:41 + Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs
flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/457?usp=email ) Change subject: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs .. Patch Set 8: -Code-Review -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Gerrit-Change-Number: 457 Gerrit-PatchSet: 8 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Comment-Date: Wed, 10 Jan 2024 16:12:36 + Gerrit-HasComments: No Gerrit-Has-Labels: Yes Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs
Attention is currently required from: flichtenheld. plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/457?usp=email ) Change subject: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs .. Patch Set 8: (2 comments) File src/openvpn/crypto_openssl.c: http://gerrit.openvpn.net/c/openvpn/+/457/comment/c96ab8f9_d5967aa5 : PS7, Line 1406: (uint8_t *) secret, (size_t) secret_len); > Makes format-check unhappy Done http://gerrit.openvpn.net/c/openvpn/+/457/comment/648e41e0_161b8fa0 : PS7, Line 1424: EVP_KDF_free(kdf); > double free? Done -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Gerrit-Change-Number: 457 Gerrit-PatchSet: 8 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Fri, 05 Jan 2024 13:56:11 + Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: flichtenheld Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs
Attention is currently required from: plaisthos. Hello flichtenheld, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email to look at the new patch set (#8). Change subject: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs .. Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs OpenSSL 3.0 introduced a new API for doing key derivation. So this leaves us now with three different implementation for 1.0.2, 1.1.x and 3.x. This was initially done to maybe still have a working TLS 1.0 PRF when using OpenSSL 3.0 in FIPS butit gives the same error as with the older API but since moving to a new API is always good, we use the new API when using OpenSSL 3.0. We also print the internal OpenSSL error message when the KDF fails. This also allows us now to compile an OpenSSL build that has been built with OPENSSL_NO_MD5. Which is not yet common but might be in the future. Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Signed-off-by: Arne Schwabe --- M src/openvpn/crypto_openssl.c 1 file changed, 51 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/57/457/8 diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index e8ddf14..4fd5e6b 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -54,6 +54,7 @@ #endif #if OPENSSL_VERSION_NUMBER >= 0x3000L #include +#include #endif #if defined(_WIN32) && defined(OPENSSL_NO_EC) @@ -1329,8 +1330,57 @@ { return CRYPTO_memcmp(a, b, size); } +#if (OPENSSL_VERSION_NUMBER >= 0x3000L) && !defined(LIBRESSL_VERSION_NUMBER) +bool +ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, + int secret_len, uint8_t *output, int output_len) +{ +bool ret = true; +EVP_KDF_CTX *kctx = NULL; -#if (OPENSSL_VERSION_NUMBER >= 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER) + +EVP_KDF *kdf = EVP_KDF_fetch(NULL, "TLS1-PRF", NULL); +if (!kdf) +{ +goto err; +} + +kctx = EVP_KDF_CTX_new(kdf); + +if (!kctx) +{ +goto err; +} + +OSSL_PARAM params[4]; + +/* The OpenSSL APIs require us to cast the const aways even though the + * strings are never changed and only read */ +params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, + SN_md5_sha1, strlen(SN_md5_sha1)); +params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, + (uint8_t *) secret, (size_t) secret_len); +params[2] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, + (uint8_t *) seed, (size_t) seed_len); +params[3] = OSSL_PARAM_construct_end(); + +if (EVP_KDF_derive(kctx, output, output_len, params) <= 0) +{ +crypto_msg(D_TLS_DEBUG_LOW, "Generating TLS 1.0 PRF using " + "EVP_KDF_derive failed"); +goto err; +} + +goto out; + +err: +ret = false; +out: +EVP_KDF_free(kdf); + +return ret; +} +#elif (OPENSSL_VERSION_NUMBER >= 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Gerrit-Change-Number: 457 Gerrit-PatchSet: 8 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs
Attention is currently required from: plaisthos. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/457?usp=email ) Change subject: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs .. Patch Set 7: Code-Review-2 (1 comment) File src/openvpn/crypto_openssl.c: http://gerrit.openvpn.net/c/openvpn/+/457/comment/00addad7_5d09b653 : PS7, Line 1424: EVP_KDF_free(kdf); double free? -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Gerrit-Change-Number: 457 Gerrit-PatchSet: 7 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Comment-Date: Wed, 20 Dec 2023 16:59:16 + Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs
Attention is currently required from: plaisthos. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/457?usp=email ) Change subject: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs .. Patch Set 7: -Code-Review (2 comments) Patchset: PS7: Resetting my vote since my concern about general usefulness was addressed. Will need to do some actual testing before being able to ack. File src/openvpn/crypto_openssl.c: http://gerrit.openvpn.net/c/openvpn/+/457/comment/c42d2a0a_ac343d16 : PS7, Line 1406: (uint8_t *) secret, (size_t) secret_len); Makes format-check unhappy -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Gerrit-Change-Number: 457 Gerrit-PatchSet: 7 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Comment-Date: Fri, 01 Dec 2023 12:42:25 + Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs
Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email to look at the new patch set (#6). Change subject: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs .. Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs OpenSSL 3.0 introduced a new API for doing key derivation. So this leaves us now with three different implementation for 1.0.2, 1.1.x and 3.x. This was initially done to maybe still have a working TLS 1.0 PRF when using OpenSSL 3.0 in FIPS butit gives the same error as with the older API but since moving to a new API is always good, we use the new API when using OpenSSL 3.0. We also print the internal OpenSSL error message when the KDF fails. This also allows us now to compile an OpenSSL build that has been built with OPENSSL_NO_MD5. Which is not yet common but might be in the future. Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Signed-off-by: Arne Schwabe --- M src/openvpn/crypto_openssl.c 1 file changed, 52 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/57/457/6 diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index fe1254f..21b6a9c 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -54,6 +54,7 @@ #endif #if OPENSSL_VERSION_NUMBER >= 0x3000L #include +#include #endif #if defined(_WIN32) && defined(OPENSSL_NO_EC) @@ -1373,8 +1374,58 @@ { return CRYPTO_memcmp(a, b, size); } +#if (OPENSSL_VERSION_NUMBER >= 0x3000L) && !defined(LIBRESSL_VERSION_NUMBER) +bool +ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, + int secret_len, uint8_t *output, int output_len) +{ +bool ret = true; +EVP_KDF_CTX *kctx = NULL; -#if (OPENSSL_VERSION_NUMBER >= 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER) + +EVP_KDF *kdf = EVP_KDF_fetch(NULL, "TLS1-PRF", NULL); +if (!kdf) +{ +goto err; +} + +kctx = EVP_KDF_CTX_new(kdf); + +if (!kctx) +{ +goto err; +} + +OSSL_PARAM params[4]; + +/* The OpenSSL APIs require us to cast the const aways even though the + * strings are never changed and only read */ +params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, + SN_md5_sha1, strlen(SN_md5_sha1)); +params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, + (uint8_t *) secret, (size_t) secret_len); +params[2] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, + (uint8_t *) seed, (size_t) seed_len); +params[3] = OSSL_PARAM_construct_end(); + +if (EVP_KDF_derive(kctx, output, output_len, params) <= 0) +{ +crypto_msg(D_TLS_DEBUG_LOW, "Generating TLS 1.0 PRF using " + "EVP_KDF_derive failed"); +goto err; +} + +goto out; + +err: +ret = false; +out: +EVP_KDF_free(kdf); +EVP_KDF_free(kdf); + +return ret; +} +#elif (OPENSSL_VERSION_NUMBER >= 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Gerrit-Change-Number: 457 Gerrit-PatchSet: 6 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: flichtenheld Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs
Attention is currently required from: flichtenheld. plaisthos has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/457?usp=email ) Change subject: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs .. Patch Set 5: (3 comments) Commit Message: http://gerrit.openvpn.net/c/openvpn/+/457/comment/ae29b807_47365dcf : PS5, Line 13: using OpenSSL 3.0, it gives the same error as with the older API but > missing "in FIPS mode"? My understanding is that this still works with > "normal" OpenSSL 3? Done Patchset: PS5: > I have my doubts whether this change is worth it if it doesn't actually fixes > anything? […] One advantage is that we at least are now compatible with compiling against an OpenSSL that has been compiled with OPENSSL_NO_MD5. Otherwise we fail at the EVP_md5_sha1 function call. File src/openvpn/crypto_openssl.c: http://gerrit.openvpn.net/c/openvpn/+/457/comment/fd9542a8_f818ca77 : PS5, Line 1404: secret, (size_t) secret_len); > ../../../src/openvpn/crypto_openssl. […] Done -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Gerrit-Change-Number: 457 Gerrit-PatchSet: 5 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: flichtenheld Gerrit-Comment-Date: Wed, 29 Nov 2023 12:15:50 + Gerrit-HasComments: Yes Gerrit-Has-Labels: No Comment-In-Reply-To: flichtenheld Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs
Attention is currently required from: plaisthos. flichtenheld has posted comments on this change. ( http://gerrit.openvpn.net/c/openvpn/+/457?usp=email ) Change subject: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs .. Patch Set 5: Code-Review-2 (3 comments) Commit Message: http://gerrit.openvpn.net/c/openvpn/+/457/comment/13568f5e_b6cd455d : PS5, Line 13: using OpenSSL 3.0, it gives the same error as with the older API but missing "in FIPS mode"? My understanding is that this still works with "normal" OpenSSL 3? Patchset: PS5: I have my doubts whether this change is worth it if it doesn't actually fixes anything? Anyway, currently not -Werrror clean, so not mergeable right now. File src/openvpn/crypto_openssl.c: http://gerrit.openvpn.net/c/openvpn/+/457/comment/d48aa189_6936623c : PS5, Line 1404: secret, (size_t) secret_len); ../../../src/openvpn/crypto_openssl.c:1404:51: warning: passing argument 2 of ‘OSSL_PARAM_construct_octet_string’ discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers] 1404 | secret, (size_t) secret_len); -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Gerrit-Change-Number: 457 Gerrit-PatchSet: 5 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: plaisthos Gerrit-Comment-Date: Tue, 28 Nov 2023 14:00:19 + Gerrit-HasComments: Yes Gerrit-Has-Labels: Yes Gerrit-MessageType: comment ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs
Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email to look at the new patch set (#3). Change subject: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs .. Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs OpenSSL 3.0 introduced a new API for doing key derivation. So this leaves us now with three different implementation for 1.0.2, 1.1.x and 3.x. This was initially done to maybe still have a working TLS 1.0 PRF when using OpenSSL 3.0, it gives the same error as with the older API but since moving to a new API is always good, we use the new API when using OpenSSL 3.0. We also print the internal OpenSSL error message when the KDF fails. Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Signed-off-by: Arne Schwabe --- M src/openvpn/crypto_openssl.c 1 file changed, 50 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/57/457/3 diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index fe1254f..8b396f2 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -54,6 +54,7 @@ #endif #if OPENSSL_VERSION_NUMBER >= 0x3000L #include +#include #endif #if defined(_WIN32) && defined(OPENSSL_NO_EC) @@ -1373,8 +1374,56 @@ { return CRYPTO_memcmp(a, b, size); } +#if (OPENSSL_VERSION_NUMBER >= 0x3000L) && !defined(LIBRESSL_VERSION_NUMBER) +bool +ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, + int secret_len, uint8_t *output, int output_len) +{ +bool ret = true; +EVP_KDF_CTX *kctx = NULL; -#if (OPENSSL_VERSION_NUMBER >= 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER) + +EVP_KDF *kdf = EVP_KDF_fetch(NULL, "TLS1-PRF", NULL); +if (!kdf) +{ +goto err; +} + +kctx = EVP_KDF_CTX_new(kdf); + +if (!kctx) +{ +goto err; +} + +OSSL_PARAM params[4]; + +params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, + SN_md5_sha1, strlen(SN_md5_sha1)); +params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, + secret, (size_t) secret_len); +params[2] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, + seed, (size_t) seed_len); +params[3] = OSSL_PARAM_construct_end(); + +if (EVP_KDF_derive(kctx, output, output_len, params) <= 0) +{ +crypto_msg(D_TLS_DEBUG_LOW, "Generating TLS 1.0 PRF using " + "EVP_KDF_derive failed"); +goto err; +} + +goto out; + +err: +ret = false; +out: +EVP_KDF_free(kdf); +EVP_KDF_free(kdf); + +return ret; +} +#elif (OPENSSL_VERSION_NUMBER >= 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Gerrit-Change-Number: 457 Gerrit-PatchSet: 3 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: flichtenheld Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs
Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to reexamine a change. Please visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email to look at the new patch set (#2). Change subject: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs .. Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs OpenSSL 3.0 introduced a new API for doing key derivation. So this leaves us now with three different implementation for 1.0.2, 1.1.x and 3.x. This was initially done to maybe still have a working TLS 1.0 PRF when using OpenSSL 3.0, it gives the same error as with the older API but since moving to a new API is always good, we use the new API when using OpenSSL 3.0. We also print the internal OpenSSL error message when the KDF fails. Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Signed-off-by: Arne Schwabe --- M src/openvpn/crypto_openssl.c 1 file changed, 50 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/57/457/2 diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index fe1254f..7351a5f 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -54,6 +54,7 @@ #endif #if OPENSSL_VERSION_NUMBER >= 0x3000L #include +#include #endif #if defined(_WIN32) && defined(OPENSSL_NO_EC) @@ -1373,8 +1374,56 @@ { return CRYPTO_memcmp(a, b, size); } +#if (OPENSSL_VERSION_NUMBER >= 0x300L) && !defined(LIBRESSL_VERSION_NUMBER) +bool +ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, + int secret_len, uint8_t *output, int output_len) +{ +bool ret = true; +EVP_KDF_CTX *kctx = NULL; -#if (OPENSSL_VERSION_NUMBER >= 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER) + +EVP_KDF *kdf = EVP_KDF_fetch(NULL, "TLS1-PRF", NULL); +if (!kdf) +{ +goto err; +} + +kctx = EVP_KDF_CTX_new(kdf); + +if (!kctx) +{ +goto err; +} + +OSSL_PARAM params[4]; + +params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, + SN_md5_sha1, strlen(SN_md5_sha1)); +params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, + secret, (size_t) secret_len); +params[2] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, + seed, (size_t) seed_len); +params[3] = OSSL_PARAM_construct_end(); + +if (EVP_KDF_derive(kctx, output, output_len, params) <= 0) +{ +crypto_msg(D_TLS_DEBUG_LOW, "Generating TLS 1.0 PRF using " + "EVP_KDF_derive failed"); +goto err; +} + +goto out; + +err: +ret = false; +out: +EVP_KDF_free(kdf); +EVP_KDF_free(kdf); + +return ret; +} +#elif (OPENSSL_VERSION_NUMBER >= 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Gerrit-Change-Number: 457 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: flichtenheld Gerrit-MessageType: newpatchset ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
[Openvpn-devel] [M] Change in openvpn[master]: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs
Attention is currently required from: flichtenheld. Hello flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email to review the following change. Change subject: Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs .. Implement generating TLS 1.0 PRF using new OpenSSL 3.0 APIs OpenSSL 3.0 introduced a new API for doing key derivation. So this leaves use now with three different implementation for 1.0.2, 1.1.x and 3.x. This was initially done to maybe still have a working TLS 1.0 PRF when using OpenSSL 3.0, it gives the same error as with the older API but since moving to a new API is always good, we use the new API when using OpenSSL 3.0. We also print the internal OpenSSL error message when the KDF fails. Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Signed-off-by: Arne Schwabe --- M src/openvpn/crypto_openssl.c 1 file changed, 50 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/57/457/1 diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index fe1254f..7351a5f 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -54,6 +54,7 @@ #endif #if OPENSSL_VERSION_NUMBER >= 0x3000L #include +#include #endif #if defined(_WIN32) && defined(OPENSSL_NO_EC) @@ -1373,8 +1374,56 @@ { return CRYPTO_memcmp(a, b, size); } +#if (OPENSSL_VERSION_NUMBER >= 0x300L) && !defined(LIBRESSL_VERSION_NUMBER) +bool +ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, + int secret_len, uint8_t *output, int output_len) +{ +bool ret = true; +EVP_KDF_CTX *kctx = NULL; -#if (OPENSSL_VERSION_NUMBER >= 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER) + +EVP_KDF *kdf = EVP_KDF_fetch(NULL, "TLS1-PRF", NULL); +if (!kdf) +{ +goto err; +} + +kctx = EVP_KDF_CTX_new(kdf); + +if (!kctx) +{ +goto err; +} + +OSSL_PARAM params[4]; + +params[0] = OSSL_PARAM_construct_utf8_string(OSSL_KDF_PARAM_DIGEST, + SN_md5_sha1, strlen(SN_md5_sha1)); +params[1] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SECRET, + secret, (size_t) secret_len); +params[2] = OSSL_PARAM_construct_octet_string(OSSL_KDF_PARAM_SEED, + seed, (size_t) seed_len); +params[3] = OSSL_PARAM_construct_end(); + +if (EVP_KDF_derive(kctx, output, output_len, params) <= 0) +{ +crypto_msg(D_TLS_DEBUG_LOW, "Generating TLS 1.0 PRF using " + "EVP_KDF_derive failed"); +goto err; +} + +goto out; + +err: +ret = false; +out: +EVP_KDF_free(kdf); +EVP_KDF_free(kdf); + +return ret; +} +#elif (OPENSSL_VERSION_NUMBER >= 0x1010L) && !defined(LIBRESSL_VERSION_NUMBER) bool ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret, int secret_len, uint8_t *output, int output_len) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/457?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ic74195a4ed340547c5e862dc2438f95be318c286 Gerrit-Change-Number: 457 Gerrit-PatchSet: 1 Gerrit-Owner: plaisthos Gerrit-Reviewer: flichtenheld Gerrit-CC: openvpn-devel Gerrit-Attention: flichtenheld Gerrit-MessageType: newchange ___ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel