Hi Gert,

   thanks very much!

> Have not investigated how to actually trigger these code lines.

If you're curious (TL;DR), below's a test FWIW:

The fix can be seen "in action" when using OpenVPN with a quantum-safe signature algorithm via oqs-provider:

Everything built into docker images:

1) New code in openquantumsafe/openvpn:23903fd579353c98:

# openvpn --version
OpenVPN 2.7_git [git:master/23903fd579353c98] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] [DCO] built on Mar 21 2023
library versions: OpenSSL 3.2.0-dev , LZO 2.10

2023-03-21 09:08:43 us=455158 10.0.5.3:37633 TLS: tls_multi_process: initial untrusted session promoted to trusted
WWRR2023-03-21 09:08:43 us=455383 10.0.5.3:37633 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 192 bit dilithium3, signature: dilithium3
2023-03-21 09:08:43 us=455406 10.0.5.3:37633 [oqsopenvpnclient] Peer Connection Initiated with [AF_INET]10.0.5.3:37633

--> Connection establishment OK


2) Old code in openquantumsafe/openvpn:838474145933199a

# openvpn --version
OpenVPN 2.7_git [git:master/838474145933199a] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] [DCO] built on Mar 14 2023
library versions: OpenSSL 3.2.0-dev , LZO 2.10

2023-03-21 09:10:59 us=432368 10.0.5.3:40978 TLS: tls_multi_process: initial untrusted session promoted to trusted
WWRR2023-03-21 09:10:59 us=432601 10.0.5.3:40978 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 192 bit unknown type, signature: dilithium3
2023-03-21 09:10:59 us=432619 10.0.5.3:40978 [oqsopenvpnclient] Peer Connection Initiated with [AF_INET]10.0.5.3:40978
2023-03-21 09:10:59 us=432634 10.0.5.3:40978 OpenSSL: error:04000065:object identifier routines::unknown nid
2023-03-21 09:10:59 us=432640 10.0.5.3:40978 TLS_ERROR: BIO read tls_read_plaintext error
2023-03-21 09:10:59 us=432648 10.0.5.3:40978 TLS Error: TLS object -> incoming plaintext read error
2023-03-21 09:10:59 us=432653 10.0.5.3:40978 TLS Error: TLS handshake failed

--> Connection setup failure

Regards,

--Michael

On 20.03.23 at 14:01, Gert Doering wrote:
I have not tested this extensively, just subjected to GH to compile and
run basic checks with OpenSSL 1.1.x and 3.0.x, and ran a few local tests
(Linux + OpenSSL 1.1.1).  This all passed.  Have not investigated how
to actually trigger these code lines.

Your patch has been applied to the master and release/2.6 branch.

commit 6c111be9b109a6dbcd39cac7821ea3dd78ff6adf (master)
commit a05ec70edd5178aac7b7432c57878c32aa838013 (release/2.6)
Author: Michael Baentsch
Date:   Sun Mar 19 08:54:41 2023 +0100

      using OpenSSL3 API for EVP PKEY type name reporting

      Signed-off-by: Michael Baentsch <i...@baentsch.ch>
      Acked-by: Arne Schwabe <a...@rfc2549.org>
      Message-Id: <20230319075441.13021-1-i...@baentsch.ch>
      URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26439.html
      Signed-off-by: Gert Doering <g...@greenie.muc.de>


--
kind regards,

Gert Doering
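
An added example, not part of the original mail or of the OpenVPN code base: a Python script that scans OpenVPN server log text for the pattern shown in the old-code run above, where the peer certificate is reported as "unknown type" and an OpenSSL "unknown nid" error follows for the same peer. The sample log is constructed from the lines quoted in the mail; the function names `triage` and `affected` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the two runs quoted in the mail above.
SAMPLE_LOG = """\
2023-03-21 09:08:43 us=455158 10.0.5.3:37633 TLS: tls_multi_process: initial untrusted session promoted to trusted
WWRR2023-03-21 09:08:43 us=455383 10.0.5.3:37633 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 192 bit dilithium3, signature: dilithium3
2023-03-21 09:10:59 us=432601 10.0.5.3:40978 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, peer certificate: 192 bit unknown type, signature: dilithium3
2023-03-21 09:10:59 us=432634 10.0.5.3:40978 OpenSSL: error:04000065:object identifier routines::unknown nid
2023-03-21 09:10:59 us=432653 10.0.5.3:40978 TLS Error: TLS handshake failed
"""

# The timestamp may be preceded by packet-trace characters such as "WWRR".
LINE = re.compile(r"^[A-Za-z]*(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) us=\d+ (\S+:\d+) (.*)$")
CHANNEL = re.compile(r"Control Channel: (\S+), cipher (.+?), "
                     r"peer certificate: (\d+) bit (.+?), signature: (\S+)")

def triage(log_text):
    """Return {peer: summary} with the reported key type and failure flags."""
    peers = defaultdict(lambda: {"key_type": None, "signature": None,
                                 "unknown_nid": False, "handshake_failed": False})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a per-peer log line
        _, peer, msg = m.groups()
        entry = peers[peer]
        ch = CHANNEL.search(msg)
        if ch:
            entry["key_type"], entry["signature"] = ch.group(4), ch.group(5)
        elif "unknown nid" in msg:
            entry["unknown_nid"] = True
        elif "TLS handshake failed" in msg:
            entry["handshake_failed"] = True
    return dict(peers)

def affected(summary):
    """Peers showing the pre-fix pattern: unnamed key type plus a NID error."""
    return sorted(p for p, e in summary.items()
                  if e["key_type"] == "unknown type" and e["unknown_nid"])

if __name__ == "__main__":
    for peer, entry in triage(SAMPLE_LOG).items():
        print(peer, entry)
    print("affected:", affected(triage(SAMPLE_LOG)))
```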
