Re: [Openvpn-devel] [PATCH] Avoid a crash in mbed TLS 2.25 with --verb < 8

Tue, 09 Mar 2021 01:10:24 -0800 

Hi,

On 08/03/2021 15:21, Arne Schwabe wrote:
[cut]

> diff --git a/src/openvpn/options.c b/src/openvpn/options.c
> index 0eb049d8..6d908e15 100644
> --- a/src/openvpn/options.c
> +++ b/src/openvpn/options.c
> @@ -5883,6 +5883,12 @@ add_option(struct options *options,
>      {
>          VERIFY_PERMISSION(OPT_P_MESSAGES);
>          options->verbosity = positive_atoi(p[1]);
> +        if (options->verbosity > 7)
> +        {
> +            /* We pass this flag to the SSL library to avoid a bug
> +             * in mbed TLS 2.5.0 with high log level */
> +            options->ssl_flags |= SSLF_TLS_DEBUG_ENABLED;
> +        }

(2.5.0 is probably a typ0?)

If we know that a certain combination of options + the right mbedTLS
version will lead to a crash, shouldn't we catch it here (or somewhere
else) and error out right away?

>  #if !defined(ENABLE_DEBUG) && !defined(ENABLE_SMALL)
>          /* Warn when a debug verbosity is supplied when built without debug 
> support */
>          if (options->verbosity >= 7)
> diff --git a/src/openvpn/ssl_common.h b/src/openvpn/ssl_common.h
> index bbb8135d..f821c654 100644
> --- a/src/openvpn/ssl_common.h
> +++ b/src/openvpn/ssl_common.h
> @@ -350,6 +350,7 @@ struct tls_options
>  #define SSLF_TLS_VERSION_MIN_MASK     0xF  /* (uses bit positions 6 to 9) */
>  #define SSLF_TLS_VERSION_MAX_SHIFT    10
>  #define SSLF_TLS_VERSION_MAX_MASK     0xF  /* (uses bit positions 10 to 13) 
> */
> +#define SSLF_TLS_DEBUG_ENABLED        (1<<14)
>      unsigned int ssl_flags;
>  
>  #ifdef ENABLE_MANAGEMENT
> diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
> index b30b6b9d..a7b6c2c6 100644
> --- a/src/openvpn/ssl_mbedtls.c
> +++ b/src/openvpn/ssl_mbedtls.c
> @@ -1058,7 +1058,16 @@ key_state_ssl_init(struct key_state_ssl *ks_ssl,
>      mbedtls_ssl_config_defaults(ks_ssl->ssl_config, ssl_ctx->endpoint,
>                                  MBEDTLS_SSL_TRANSPORT_STREAM, 
> MBEDTLS_SSL_PRESET_DEFAULT);
>  #ifdef MBEDTLS_DEBUG_C
> -    mbedtls_debug_set_threshold(3);
> +    /* This works around a crash in mbed TLS 2.25 if Curve25591 is selected
> +     * for DH (https://github.com/ARMmbed/mbedtls/issues/4208)*/
> +    if (session->opt->ssl_flags & SSLF_TLS_DEBUG_ENABLED)
> +    {
> +        mbedtls_debug_set_threshold(3);

If a user is on mbedTLS 2.25 and specifies verb = 8 we will then crash
(assuming the right combination of options was chosen).

Isn't it better to just always use 2 as threshold when the mbedTLS
version is known to be buggy (regardless of verb)?
An ifdef around this invocation would do it, without the need of
introducing another SSL flag.

> +    }
> +    else
> +    {
> +        mbedtls_debug_set_threshold(2);
> +    }>  #endif
>      mbedtls_ssl_conf_dbg(ks_ssl->ssl_config, my_debug, NULL);
>      mbedtls_ssl_conf_rng(ks_ssl->ssl_config, mbedtls_ctr_drbg_random,
> 


my 2 cents

Cheers,

-- 
Antonio Quartulli


_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

Reply via email to