Re: [Openvpn-devel] [PATCH v3 04/21] [OSSL 3.0] Remove DES check with OpenSSL 3.0

2021-10-21 Thread Max Fillinger
On 19/10/2021 20:31, Arne Schwabe wrote: DES is very deprecated and accidentally getting one of the 16 insecure keys that OpenSSL checks is extremely unlikely so we no longer use the deprecated functions without replacement in OpenSSL 3.0. Signed-off-by: Arne Schwabe --- src/openvpn/crypto_o

Re: [Openvpn-devel] [PATCH v3 03/21] [OSSL 3.0] Implement DES ECB encrypt via EVP_CIPHER api

2021-10-21 Thread Arne Schwabe
Am 20.10.21 um 19:36 schrieb Max Fillinger: > On 19/10/2021 20:31, Arne Schwabe wrote: >> +    if (!EVP_EncryptInit_ex(ctx, EVP_bf_ecb(), NULL, key, 0)) > > EVP_bf_ecb() is the Blowfish cipher, not DES. > Oops. I probably need to write a unit test for this one too. Because that sounds like I bro

Re: [Openvpn-devel] [PATCH v3 03/21] [OSSL 3.0] Implement DES ECB encrypt via EVP_CIPHER api

2021-10-21 Thread Arne Schwabe
> > > Apart from the wrong cipher type that Max pointed out, this call will > fail in OpenSSL 3.0 unless legacy is loaded, right? Causing a run-time > error in that case sounds good to me but a helpful error message like > legacy provider may be required or even a check whether legacy is loaded

Re: [Openvpn-devel] [PATCH v3 05/21] [OSSL 3.0] Use EVP_PKEY based API for loading DH keys

2021-10-21 Thread Max Fillinger
On 19/10/2021 20:31, Arne Schwabe wrote: OpenSSL 3.0 replaces the DH API with a generic EVP_KEY based API to load DH parameters. Signed-off-by: Arne Schwabe Acked-by: Max Fillinger Looked at the patch, compiled with OpenSSL 3.1.0, tested that I can get a server and client to talk to each o

[Openvpn-devel] [PATCH] Fix build with compression disabled

2021-10-21 Thread maximilian.fillinger
From: Max Fillinger When building with both --disable-lz4 and --disable-lzo, the function comp_non_stub_enabled and various flags are not defined. One of the places where it is used in options.c was not put behind an #ifdef, which caused compilation to fail. Signed-off-by: Max Fillinger --- sr

Re: [Openvpn-devel] [PATCH v3 06/21] [OSSL 3.0] Deprecate --ecdh-curve with OpenSSL 3.0 and adjust mbed TLS message

2021-10-21 Thread Max Fillinger
On 19/10/2021 20:31, Arne Schwabe wrote: OpenSSL 3.0 deprecates SSL_CTX_set_tmp_ecdh() in favour of SSL_CTX_set1_groups(3). We already support the SSL_CTX_set1_groups using the --tls-groups. Adjust both mbed TLS and OpenSSL 3.0 to say that --ecdh-curve is ignored and --tls-groups should be used.

Re: [Openvpn-devel] [PATCH v3 12/21] [OSSL 3.0] Allow loading of non default providers

2021-10-21 Thread Arne Schwabe
Am 20.10.21 um 20:19 schrieb Selva Nair: > Hi, > > Not a code review but a general comment as this is a new option that > warrants some discussion. > > On Tue, Oct 19, 2021 at 2:32 PM Arne Schwabe > wrote: > > This allows OpenVPN to load non-default providers. This

[Openvpn-devel] [PATCH applied] Re: Deprecate --ecdh-curve with OpenSSL 3.0 and adjust mbed TLS message

2021-10-21 Thread Gert Doering
I have not tested this further, just done a cursory stare-at-code. Your patch has been applied to the master branch. commit 39eb3125e4f433fc61c92321175f663f13f163e7 Author: Arne Schwabe Date: Tue Oct 19 20:31:12 2021 +0200 Deprecate --ecdh-curve with OpenSSL 3.0 and adjust mbed TLS messag

[Openvpn-devel] [PATCH applied] Re: Use EVP_PKEY based API for loading DH keys

2021-10-21 Thread Gert Doering
Have no OpenSSL 3.0 based test environment yet - so, trusting MaxF's tests here. Just did compile + client test on 1.1.1 Your patch has been applied to the master branch. commit 658c72e6e651437943f46a975751109759abd858 Author: Arne Schwabe Date: Tue Oct 19 20:31:11 2021 +0200 Use EVP_PKE

[Openvpn-devel] [PATCH applied] Re: Remove DES check with OpenSSL 3.0

2021-10-21 Thread Gert Doering
Acked-by: Gert Doering Taking MaxF review into account, moving the comment as suggested, and changing "risk ... is ... weak" to "low". Your patch has been applied to the master branch. commit d67658feeab4742b9b6f57806ba8e93c8eec75b8 Author: Arne Schwabe Date: Tue Oct 19 20:31:10 2021 +0200

[Openvpn-devel] [PATCH applied] Re: Fix build with compression disabled

2021-10-21 Thread Gert Doering
Acked-by: Gert Doering "Because it makes sense" :-) - thanks. Added "Trac: #1435" to the commit message since we do have a ticket for that problem. Your patch has been applied to the master branch. commit 0bc3375f1fff09d21f224eb9f8f9c3943ed4f404 Author: Max Fillinger Date: Thu Oct 21 13:50:3

Re: [Openvpn-devel] [PATCH v3 12/21] [OSSL 3.0] Allow loading of non default providers

2021-10-21 Thread Selva Nair
On Thu, Oct 21, 2021 at 8:52 AM Arne Schwabe wrote: > Am 20.10.21 um 20:19 schrieb Selva Nair: > > Hi, > > > > Not a code review but a general comment as this is a new option that > > warrants some discussion. > > > > On Tue, Oct 19, 2021 at 2:32 PM Arne Schwabe > > wrot

Re: [Openvpn-devel] [PATCH v3 08/21] [OSSL 3.0] Use EVP_PKEY_get_group_name to query group name

2021-10-21 Thread Selva Nair
Hi, I had looked at v1 of this so easy: On Tue, Oct 19, 2021 at 2:31 PM Arne Schwabe wrote: > EC_Key methods are deprecated in OpenSSL 3.0. Use > EVP_PKEY_get_group_name instead to query the EC group name from an > EVP_PKEY and add a compatibility function for older OpenSSL versions. > > Signed

Re: [Openvpn-devel] [PATCH v3 03/21] [OSSL 3.0] Implement DES ECB encrypt via EVP_CIPHER api

2021-10-21 Thread Selva Nair
On Thu, Oct 21, 2021 at 5:42 AM Arne Schwabe wrote: > > > > > > > Apart from the wrong cipher type that Max pointed out, this call will > > fail in OpenSSL 3.0 unless legacy is loaded, right? Causing a run-time > > error in that case sounds good to me but a helpful error message like > > legacy p

Re: [Openvpn-devel] [PATCH v3 05/21] [OSSL 3.0] Use EVP_PKEY based API for loading DH keys

2021-10-21 Thread Steffan Karger
Hi, Just a nit: On 19-10-2021 20:31, Arne Schwabe wrote: > +if (!SSL_CTX_set0_tmp_dh_pkey(ctx->ctx, dh)) > +{ > +crypto_msg(M_FATAL, "SSL_CTX_set_tmp_dh"); > +} This error message looks incorrect and incomplete. -Steffan