[packages/openvpn] - upstream fixes for OpenSSL 3.0.0
baggins
baggins at pld-linux.org
Fri Oct 29 13:59:38 CEST 2021
commit 4d7e3f6835b14b4c3fc814827640e6e6a478184f
Author: Jan Rękorajski <baggins at pld-linux.org>
Date: Fri Oct 29 13:59:23 2021 +0200
- upstream fixes for OpenSSL 3.0.0
...cdh-curve-with-OpenSSL-3.0-and-adjust-mbe.patch | 64 +++++++
...se-EVP_PKEY-based-API-for-loading-DH-keys.patch | 68 +++++++
0040-Remove-DES-check-with-OpenSSL-3.0.patch | 47 +++++
...current-common_name-is-in-the-environment.patch | 48 +++++
...on-t-manually-free-DH-params-in-OpenSSL-3.patch | 34 ++++
0045-Do-not-allow-CTS-ciphers.patch | 33 ++++
...e-new-EVP_MAC-API-for-HMAC-implementation.patch | 195 +++++++++++++++++++++
...penssl-engine-autoconf-option-auto-yes-no.patch | 111 ++++++++++++
openvpn.spec | 16 ++
9 files changed, 616 insertions(+)
---
diff --git a/openvpn.spec b/openvpn.spec
index d0ffcaa..9e39fca 100644
--- a/openvpn.spec
+++ b/openvpn.spec
@@ -21,6 +21,14 @@ Source5: %{name}.target
Source6: %{name}@.service
Source7: %{name}-update-resolv-conf
Patch0: %{name}-pam.patch
+Patch100: 0038-Deprecate-ecdh-curve-with-OpenSSL-3.0-and-adjust-mbe.patch
+Patch101: 0039-Use-EVP_PKEY-based-API-for-loading-DH-keys.patch
+Patch102: 0040-Remove-DES-check-with-OpenSSL-3.0.patch
+Patch103: 0043-Ensure-the-current-common_name-is-in-the-environment.patch
+Patch104: 0044-Don-t-manually-free-DH-params-in-OpenSSL-3.patch
+Patch105: 0045-Do-not-allow-CTS-ciphers.patch
+Patch106: 0046-Use-new-EVP_MAC-API-for-HMAC-implementation.patch
+Patch107: 0047-Add-with-openssl-engine-autoconf-option-auto-yes-no.patch
URL: https://www.openvpn.net/
BuildRequires: autoconf >= 2.59
BuildRequires: automake >= 1:1.9
@@ -139,6 +147,14 @@ Ten pakiet zawiera pliki nagłówkowe do tworzenia wtyczek OpenVPN.
%prep
%setup -q
+%patch100 -p1
+%patch101 -p1
+%patch102 -p1
+%patch103 -p1
+%patch104 -p1
+%patch105 -p1
+%patch106 -p1
+%patch107 -p1
%patch0 -p1
sed -e 's,/''usr/lib/openvpn,%{_libdir}/%{name},' %{SOURCE7} > contrib/update-resolv-conf
diff --git a/0038-Deprecate-ecdh-curve-with-OpenSSL-3.0-and-adjust-mbe.patch b/0038-Deprecate-ecdh-curve-with-OpenSSL-3.0-and-adjust-mbe.patch
new file mode 100644
index 0000000..b44e25e
--- /dev/null
+++ b/0038-Deprecate-ecdh-curve-with-OpenSSL-3.0-and-adjust-mbe.patch
@@ -0,0 +1,64 @@
+From 39eb3125e4f433fc61c92321175f663f13f163e7 Mon Sep 17 00:00:00 2001
+From: Arne Schwabe <arne at rfc2549.org>
+Date: Tue, 19 Oct 2021 20:31:12 +0200
+Subject: [PATCH 38/47] Deprecate --ecdh-curve with OpenSSL 3.0 and adjust mbed
+ TLS message
+
+OpenSSL 3.0 deprecates SSL_CTX_set_tmp_ecdh() in favour of
+SSL_CTX_set1_groups(3). We already support the SSL_CTX_set1_groups
+using the --tls-groups. Adjust both mbed TLS and OpenSSL 3.0 to
+say that --ecdh-curve is ingored and --tls-groups should be used.
+
+Signed-off-by: Arne Schwabe <arne at rfc2549.org>
+Acked-by: Max Fillinger <maximilian.fillinger at foxcrypto.com>
+Message-Id: <20211019183127.614175-7-arne at rfc2549.org>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22999.html
+Signed-off-by: Gert Doering <gert at greenie.muc.de>
+---
+ src/openvpn/ssl_mbedtls.c | 5 +++--
+ src/openvpn/ssl_openssl.c | 12 +++++++++---
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/src/openvpn/ssl_mbedtls.c b/src/openvpn/ssl_mbedtls.c
+index cea88f41..e7c45c09 100644
+--- a/src/openvpn/ssl_mbedtls.c
++++ b/src/openvpn/ssl_mbedtls.c
+@@ -440,8 +440,9 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
+ {
+ if (NULL != curve_name)
+ {
+- msg(M_WARN, "WARNING: mbed TLS builds do not support specifying an ECDH "
+- "curve, using default curves.");
++ msg(M_WARN, "WARNING: mbed TLS builds do not support specifying an "
++ "ECDH curve with --ecdh-curve, using default curves. Use "
++ "--tls-groups to specify curves.");
+ }
+ }
+
+diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
+index 30fc7aef..f2f29607 100644
+--- a/src/openvpn/ssl_openssl.c
++++ b/src/openvpn/ssl_openssl.c
+@@ -690,10 +690,16 @@ tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
+ }
+
+ void
+-tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
+- )
++tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name)
+ {
+-#ifndef OPENSSL_NO_EC
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ if (curve_name != NULL)
++ {
++ msg(M_WARN, "WARNING: OpenSSL 3.0+ builds do not support specifying an "
++ "ECDH curve with --ecdh-curve, using default curves. Use "
++ "--tls-groups to specify groups.");
++ }
++#elif !defined(OPENSSL_NO_EC)
+ int nid = NID_undef;
+ EC_KEY *ecdh = NULL;
+ const char *sname = NULL;
+--
+2.33.1
+
diff --git a/0039-Use-EVP_PKEY-based-API-for-loading-DH-keys.patch b/0039-Use-EVP_PKEY-based-API-for-loading-DH-keys.patch
new file mode 100644
index 0000000..3d2602e
--- /dev/null
+++ b/0039-Use-EVP_PKEY-based-API-for-loading-DH-keys.patch
@@ -0,0 +1,68 @@
+From 658c72e6e651437943f46a975751109759abd858 Mon Sep 17 00:00:00 2001
+From: Arne Schwabe <arne at rfc2549.org>
+Date: Tue, 19 Oct 2021 20:31:11 +0200
+Subject: [PATCH 39/47] Use EVP_PKEY based API for loading DH keys
+
+OpenSSL 3.0 replaces the DH API with a generic EVP_KEY based API to
+load DH parameters.
+
+Signed-off-by: Arne Schwabe <arne at rfc2549.org>
+Acked-by: Max Fillinger <maximilian.fillinger at foxcrypto.com>
+Message-Id: <20211019183127.614175-6-arne at rfc2549.org>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23015.html
+Signed-off-by: Gert Doering <gert at greenie.muc.de>
+---
+ src/openvpn/ssl_openssl.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
+index f2f29607..2414fc5e 100644
+--- a/src/openvpn/ssl_openssl.c
++++ b/src/openvpn/ssl_openssl.c
+@@ -649,7 +649,6 @@ void
+ tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
+ bool dh_file_inline)
+ {
+- DH *dh;
+ BIO *bio;
+
+ ASSERT(NULL != ctx);
+@@ -670,7 +669,26 @@ tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
+ }
+ }
+
+- dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ EVP_PKEY *dh = PEM_read_bio_Parameters(bio, NULL);
++ BIO_free(bio);
++
++ if (!dh)
++ {
++ crypto_msg(M_FATAL, "Cannot load DH parameters from %s",
++ print_key_filename(dh_file, dh_file_inline));
++ }
++ if (!SSL_CTX_set0_tmp_dh_pkey(ctx->ctx, dh))
++ {
++ crypto_msg(M_FATAL, "SSL_CTX_set_tmp_dh");
++ }
++
++ msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key",
++ 8 * EVP_PKEY_get_size(dh));
++
++ EVP_PKEY_free(dh);
++#else
++ DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+ BIO_free(bio);
+
+ if (!dh)
+@@ -687,6 +705,7 @@ tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file,
+ 8 * DH_size(dh));
+
+ DH_free(dh);
++#endif
+ }
+
+ void
+--
+2.33.1
+
diff --git a/0040-Remove-DES-check-with-OpenSSL-3.0.patch b/0040-Remove-DES-check-with-OpenSSL-3.0.patch
new file mode 100644
index 0000000..7232bd1
--- /dev/null
+++ b/0040-Remove-DES-check-with-OpenSSL-3.0.patch
@@ -0,0 +1,47 @@
+From d67658feeab4742b9b6f57806ba8e93c8eec75b8 Mon Sep 17 00:00:00 2001
+From: Arne Schwabe <arne at rfc2549.org>
+Date: Tue, 19 Oct 2021 20:31:10 +0200
+Subject: [PATCH 40/47] Remove DES check with OpenSSL 3.0
+
+DES is very deprecated and accidently getting on the of the 16 insecure
+keys that OpenSSL checks is extremely unlikely so we no longer use the
+deprecated functions without replacement in OpenSSL 3.0.
+
+Signed-off-by: Arne Schwabe <arne at rfc2549.org>
+Acked-by: Gert Doering <gert at greenie.muc.de>
+Message-Id: <20211019183127.614175-5-arne at rfc2549.org>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23004.html
+Signed-off-by: Gert Doering <gert at greenie.muc.de>
+---
+ src/openvpn/crypto_openssl.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
+index 60fbec12..dda46c2f 100644
+--- a/src/openvpn/crypto_openssl.c
++++ b/src/openvpn/crypto_openssl.c
+@@ -525,6 +525,7 @@ key_des_num_cblocks(const EVP_CIPHER *kt)
+ bool
+ key_des_check(uint8_t *key, int key_len, int ndc)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ int i;
+ struct buffer b;
+
+@@ -557,6 +558,13 @@ key_des_check(uint8_t *key, int key_len, int ndc)
+ err:
+ ERR_clear_error();
+ return false;
++#else
++ /* DES is deprecated and the method to even check the keys is deprecated
++ * in OpenSSL 3.0. Instead of checking for the 16 weak/semi-weak keys
++ * we just accept them in OpenSSL 3.0 since the risk of randomly getting
++ * these is pretty low (and "all DES keys are weak" anyway) */
++ return true;
++#endif
+ }
+
+ void
+--
+2.33.1
+
diff --git a/0043-Ensure-the-current-common_name-is-in-the-environment.patch b/0043-Ensure-the-current-common_name-is-in-the-environment.patch
new file mode 100644
index 0000000..2f7f1dd
--- /dev/null
+++ b/0043-Ensure-the-current-common_name-is-in-the-environment.patch
@@ -0,0 +1,48 @@
+From fa5ab2438ad2d8a12eaf43e2cdd8b4294299c175 Mon Sep 17 00:00:00 2001
+From: Selva Nair <selva.nair at gmail.com>
+Date: Fri, 22 Oct 2021 20:07:05 -0400
+Subject: [PATCH 43/47] Ensure the current common_name is in the environment
+ for scripts
+
+When username-as-common-name is in effect, the common_name
+is "CN" from the certificate for auth-user-pass-verify. It gets
+changed to "username" after successful authentication. This
+changed value gets into the env when client-connect script is
+called.
+
+However, "common_name" goes through the cycle of being
+"CN", then "username" during every reauth (renegotiation).
+As the client-connect script is not called during reneg, the changed
+value never gets back into the env. The end result is that the
+disconnect script gets "common_name=<CN>" instead of the username.
+Unless no reneg steps have happened before disconnect.
+(For a more detailed analysis see
+https://community.openvpn.net/openvpn/ticket/1434#comment:12)
+
+Fix by adding common_name to env whenever it changes.
+
+Trac: #1434
+Very likely applies to #160 as well, but that's too old and
+some of the relevant code path has evolved since then.
+
+Signed-off-by: Selva Nair <selva.nair at gmail.com>
+Acked-by: Gert Doering <gert at greenie.muc.de>
+Message-Id: <20211023000706.25016-1-selva.nair at gmail.com>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23051.html
+Signed-off-by: Gert Doering <gert at greenie.muc.de>
+---
+ src/openvpn/ssl_verify.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff -urNp -x '*.orig' openvpn-2.5.4.org/src/openvpn/ssl_verify.c openvpn-2.5.4/src/openvpn/ssl_verify.c
+--- openvpn-2.5.4.org/src/openvpn/ssl_verify.c 2021-10-05 07:56:34.000000000 +0200
++++ openvpn-2.5.4/src/openvpn/ssl_verify.c 2021-10-29 13:57:59.008621745 +0200
+@@ -116,6 +116,8 @@ set_common_name(struct tls_session *sess
+ }
+ #endif
+ }
++ /* update common name in env */
++ setenv_str(session->opt->es, "common_name", common_name);
+ }
+
+ /*
diff --git a/0044-Don-t-manually-free-DH-params-in-OpenSSL-3.patch b/0044-Don-t-manually-free-DH-params-in-OpenSSL-3.patch
new file mode 100644
index 0000000..c904806
--- /dev/null
+++ b/0044-Don-t-manually-free-DH-params-in-OpenSSL-3.patch
@@ -0,0 +1,34 @@
+From 4daed27f28f6bb3033e659328fe80322a8f4b5e1 Mon Sep 17 00:00:00 2001
+From: Max Fillinger <maximilian.fillinger at foxcrypto.com>
+Date: Mon, 25 Oct 2021 16:53:14 +0200
+Subject: [PATCH 44/47] Don't manually free DH params in OpenSSL 3
+
+When the EVP_PKEY object with the Diffie-Hellman parameters is passed
+to SSL_CTX_set0_tmp_dh_pkey, it does not create a copy but stores the
+pointer in the SSL_CTX. Therefore, we should not free it.
+
+The EVP_PKEY will be freed automatically when we free the SSL_CTX.
+
+Trac: #1436
+
+Signed-off-by: Max Fillinger <maximilian.fillinger at foxcrypto.com>
+Acked-by:
+Message-Id: <20211025145314.23009-1-maximilian.fillinger at foxcrypto.com>
+URL: https://www.mail-archive.com/search?l=mid&q=20211025145314.23009-1-maximilian.fillinger@foxcrypto.com
+Signed-off-by: Gert Doering <gert at greenie.muc.de>
+---
+ src/openvpn/ssl_openssl.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff -urNp -x '*.orig' openvpn-2.5.4.org/src/openvpn/ssl_openssl.c openvpn-2.5.4/src/openvpn/ssl_openssl.c
+--- openvpn-2.5.4.org/src/openvpn/ssl_openssl.c 2021-10-29 13:56:56.453449295 +0200
++++ openvpn-2.5.4/src/openvpn/ssl_openssl.c 2021-10-29 13:56:56.593453411 +0200
+@@ -696,8 +696,6 @@ tls_ctx_load_dh_params(struct tls_root_c
+
+ msg(D_TLS_DEBUG_LOW, "Diffie-Hellman initialized with %d bit key",
+ 8 * EVP_PKEY_get_size(dh));
+-
+- EVP_PKEY_free(dh);
+ #else
+ DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
+ BIO_free(bio);
diff --git a/0045-Do-not-allow-CTS-ciphers.patch b/0045-Do-not-allow-CTS-ciphers.patch
new file mode 100644
index 0000000..599657b
--- /dev/null
+++ b/0045-Do-not-allow-CTS-ciphers.patch
@@ -0,0 +1,33 @@
+From 14e4f3b1583749adf104be362a3e2422e0c9e524 Mon Sep 17 00:00:00 2001
+From: Arne Schwabe <arne at rfc2549.org>
+Date: Tue, 19 Oct 2021 20:31:21 +0200
+Subject: [PATCH 45/47] Do not allow CTS ciphers
+
+We do not support CTS algorithms (cipher text stealing) algorithms.
+
+Signed-off-by: Arne Schwabe <arne at rfc2549.org>
+Acked-by: Max Fillinger <maximilian.fillinger at foxcrypto.com>
+Message-Id: <20211019183127.614175-16-arne at rfc2549.org>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23002.html
+Signed-off-by: Gert Doering <gert at greenie.muc.de>
+---
+ src/openvpn/crypto_openssl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
+index c8fe0d0f..d4792f46 100644
+--- a/src/openvpn/crypto_openssl.c
++++ b/src/openvpn/crypto_openssl.c
+@@ -708,6 +708,9 @@ cipher_kt_mode_cbc(const cipher_kt_t *cipher)
+ {
+ return cipher && cipher_kt_mode(cipher) == OPENVPN_MODE_CBC
+ /* Exclude AEAD cipher modes, they require a different API */
++#ifdef EVP_CIPH_FLAG_CTS
++ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS)
++#endif
+ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER);
+ }
+
+--
+2.33.1
+
diff --git a/0046-Use-new-EVP_MAC-API-for-HMAC-implementation.patch b/0046-Use-new-EVP_MAC-API-for-HMAC-implementation.patch
new file mode 100644
index 0000000..cfc9342
--- /dev/null
+++ b/0046-Use-new-EVP_MAC-API-for-HMAC-implementation.patch
@@ -0,0 +1,195 @@
+From 7865ffdcbc603894f268d892d638b111e8b61c36 Mon Sep 17 00:00:00 2001
+From: Arne Schwabe <arne at rfc2549.org>
+Date: Tue, 19 Oct 2021 20:31:07 +0200
+Subject: [PATCH 46/47] Use new EVP_MAC API for HMAC implementation
+
+The old API is deprecated in OpenSSL 3.0 and the new API does not yet
+exist in OpenSSL 1.1. Emulating the new API would be more complex than
+just having two implementations. So this switches to a new hmac
+implementation for OpenSSL 3.0.
+
+Unfortunately the new API does not have an easy to reset an HMAC,
+so we need to keep the key around to emulate a reset functionality.
+
+Signed-off-by: Arne Schwabe <arne at rfc2549.org>
+Acked-by: Max Fillinger <maximilian.fillinger at foxcrypto.com>
+Message-Id: <20211019183127.614175-2-arne at rfc2549.org>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23013.html
+Signed-off-by: Gert Doering <gert at greenie.muc.de>
+---
+ src/openvpn/crypto_backend.h | 2 +-
+ src/openvpn/crypto_mbedtls.c | 2 +-
+ src/openvpn/crypto_openssl.c | 96 +++++++++++++++++++++++++++++++++++-
+ src/openvpn/crypto_openssl.h | 8 +++
+ 4 files changed, 104 insertions(+), 4 deletions(-)
+
+diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
+index c201735d..cc897acf 100644
+--- a/src/openvpn/crypto_backend.h
++++ b/src/openvpn/crypto_backend.h
+@@ -634,7 +634,7 @@ void hmac_ctx_cleanup(hmac_ctx_t *ctx);
+ *
+ * @return Size of the HMAC, or \0 if ctx is NULL.
+ */
+-int hmac_ctx_size(const hmac_ctx_t *ctx);
++int hmac_ctx_size(hmac_ctx_t *ctx);
+
+ /*
+ * Resets the given HMAC context, preserving the associated key information
+diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
+index ef629136..2f7f00d1 100644
+--- a/src/openvpn/crypto_mbedtls.c
++++ b/src/openvpn/crypto_mbedtls.c
+@@ -915,7 +915,7 @@ hmac_ctx_cleanup(mbedtls_md_context_t *ctx)
+ }
+
+ int
+-hmac_ctx_size(const mbedtls_md_context_t *ctx)
++hmac_ctx_size(mbedtls_md_context_t *ctx)
+ {
+ if (NULL == ctx)
+ {
+diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
+index d4792f46..6b18551e 100644
+--- a/src/openvpn/crypto_openssl.c
++++ b/src/openvpn/crypto_openssl.c
+@@ -989,7 +989,7 @@ md_ctx_final(EVP_MD_CTX *ctx, uint8_t *dst)
+ * Generic HMAC functions
+ *
+ */
+-
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ HMAC_CTX *
+ hmac_ctx_new(void)
+ {
+@@ -1027,7 +1027,7 @@ hmac_ctx_cleanup(HMAC_CTX *ctx)
+ }
+
+ int
+-hmac_ctx_size(const HMAC_CTX *ctx)
++hmac_ctx_size(HMAC_CTX *ctx)
+ {
+ return HMAC_size(ctx);
+ }
+@@ -1054,6 +1054,98 @@ hmac_ctx_final(HMAC_CTX *ctx, uint8_t *dst)
+
+ HMAC_Final(ctx, dst, &in_hmac_len);
+ }
++#else
++hmac_ctx_t *
++hmac_ctx_new(void)
++{
++ hmac_ctx_t *ctx;
++ ALLOC_OBJ_CLEAR(ctx, hmac_ctx_t);
++ EVP_MAC *hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
++ ctx->ctx = EVP_MAC_CTX_new(hmac);
++ check_malloc_return(ctx->ctx);
++ return ctx;
++}
++
++void
++hmac_ctx_free(hmac_ctx_t *ctx)
++{
++ EVP_MAC_CTX_free(ctx->ctx);
++ secure_memzero(ctx, sizeof(hmac_ctx_t));
++ free(ctx);
++}
++
++void
++hmac_ctx_init(hmac_ctx_t *ctx, const uint8_t *key, int key_len,
++ const EVP_MD *kt)
++{
++ ASSERT(NULL != kt && NULL != ctx && ctx->ctx != NULL);
++ ASSERT(key_len <= EVP_MAX_KEY_LENGTH);
++
++ /* We need to make a copy of the key since the OSSL parameters
++ * only reference it */
++ memcpy(ctx->key, key, key_len);
++
++ /* Lookup/setting of parameters in OpenSSL 3.0 are string based
++ *
++ * The OSSL_PARAM_construct_utf8_string needs a non const str but this
++ * only used for lookup so we cast (as OpenSSL also does internally)
++ * the constness away here.
++ */
++ ctx->params[0] = OSSL_PARAM_construct_utf8_string("digest",
++ (char *) EVP_MD_get0_name(kt), 0);
++ ctx->params[1] = OSSL_PARAM_construct_octet_string("key",
++ ctx->key, key_len);
++ ctx->params[2] = OSSL_PARAM_construct_end();
++
++ if (!EVP_MAC_init(ctx->ctx, NULL, 0, ctx->params))
++ {
++ crypto_msg(M_FATAL, "EVP_MAC_init failed");
++ }
++
++ /* make sure we used a big enough key */
++ ASSERT(EVP_MAC_CTX_get_mac_size(ctx->ctx) <= key_len);
++}
++
++void
++hmac_ctx_cleanup(hmac_ctx_t *ctx)
++{
++ EVP_MAC_init(ctx->ctx, NULL, 0, NULL);
++}
++
++int
++hmac_ctx_size(hmac_ctx_t *ctx)
++{
++ return (int)EVP_MAC_CTX_get_mac_size(ctx->ctx);
++}
++
++void
++hmac_ctx_reset(hmac_ctx_t *ctx)
++{
++ /* The OpenSSL MAC API lacks a reset method and passing NULL as params
++ * does not reset it either, so use the params array to reinitialise it the
++ * same way as before */
++ if (!EVP_MAC_init(ctx->ctx, NULL, 0, ctx->params))
++ {
++ crypto_msg(M_FATAL, "EVP_MAC_init failed");
++ }
++}
++
++void
++hmac_ctx_update(hmac_ctx_t *ctx, const uint8_t *src, int src_len)
++{
++ EVP_MAC_update(ctx->ctx, src, src_len);
++}
++
++void
++hmac_ctx_final(hmac_ctx_t *ctx, uint8_t *dst)
++{
++ /* The calling code always gives us a buffer that has the size of our
++ * algorithm */
++ size_t in_hmac_len = EVP_MAC_CTX_get_mac_size(ctx->ctx);
++
++ EVP_MAC_final(ctx->ctx, dst, &in_hmac_len, in_hmac_len);
++}
++#endif
+
+ int
+ memcmp_constant_time(const void *a, const void *b, size_t size)
+diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h
+index 59a31aac..e540a76b 100644
+--- a/src/openvpn/crypto_openssl.h
++++ b/src/openvpn/crypto_openssl.h
+@@ -47,7 +47,15 @@ typedef EVP_CIPHER_CTX cipher_ctx_t;
+ typedef EVP_MD_CTX md_ctx_t;
+
+ /** Generic HMAC %context. */
++#if OPENSSL_VERSION_NUMBER < 0x30000000L
+ typedef HMAC_CTX hmac_ctx_t;
++#else
++typedef struct {
++ OSSL_PARAM params[3];
++ uint8_t key[EVP_MAX_KEY_LENGTH];
++ EVP_MAC_CTX *ctx;
++} hmac_ctx_t;
++#endif
+
+ /** Maximum length of an IV */
+ #define OPENVPN_MAX_IV_LENGTH EVP_MAX_IV_LENGTH
+--
+2.33.1
+
diff --git a/0047-Add-with-openssl-engine-autoconf-option-auto-yes-no.patch b/0047-Add-with-openssl-engine-autoconf-option-auto-yes-no.patch
new file mode 100644
index 0000000..64838cb
--- /dev/null
+++ b/0047-Add-with-openssl-engine-autoconf-option-auto-yes-no.patch
@@ -0,0 +1,111 @@
+From 0df2261da192eac74d1c53e99db0ed3f49278986 Mon Sep 17 00:00:00 2001
+From: Arne Schwabe <arne at rfc2549.org>
+Date: Tue, 19 Oct 2021 20:31:08 +0200
+Subject: [PATCH 47/47] Add --with-openssl-engine autoconf option (auto|yes|no)
+
+This allows to select engine support at configure time. For OpenSSL 1.1 the
+default is not changed and we detect if engine support is available.
+
+Engine support is deprecated in OpenSSL 3.0 and for OpenSSL 3.0 the default
+is to disable engine support as engine support is deprecated and generates
+compiler warnings which in turn also break -Werror.
+
+By using --with-openssl-engine=no or --with-openssl-engine=yes engine
+support can be forced on or off. If it is enabled but not detected an
+error will be thown.
+
+This commit cleans up the configure logic a bit and removes the
+ENGINE_cleanup checks as we can just assume that it will be also
+available as macro or function if the other engine functions are
+available. Before the cleanup we would only check for the existance
+of engine.h if ENGINE_cleanup was not found.
+
+Signed-off-by: Arne Schwabe <arne at rfc2549.org>
+Acked-by: Max Fillinger <maximilian.fillinger at foxcrypto.com>
+Message-Id: <20211019183127.614175-3-arne at rfc2549.org>
+URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23000.html
+Signed-off-by: Gert Doering <gert at greenie.muc.de>
+---
+ configure.ac | 60 ++++++++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 47 insertions(+), 13 deletions(-)
+
+diff -urNp -x '*.orig' openvpn-2.5.4.org/configure.ac openvpn-2.5.4/configure.ac
+--- openvpn-2.5.4.org/configure.ac 2021-10-05 07:56:34.000000000 +0200
++++ openvpn-2.5.4/configure.ac 2021-10-29 13:58:00.368661733 +0200
+@@ -281,6 +281,18 @@ AC_ARG_WITH(
+ [with_crypto_library="openssl"]
+ )
+
++AC_ARG_WITH(
++ [openssl-engine],
++ [AS_HELP_STRING([--with-openssl-engine], [enable engine support with OpenSSL. Default enabled for OpenSSL < 3.0, auto,yes,no @<:@default=auto@:>@])],
++ [
++ case "${withval}" in
++ auto|yes|no) ;;
++ *) AC_MSG_ERROR([bad value ${withval} for --with-engine]) ;;
++ esac
++ ],
++ [with_openssl_engine="auto"]
++)
++
+ AC_ARG_VAR([PLUGINDIR], [Path of plug-in directory @<:@default=LIBDIR/openvpn/plugins@:>@])
+ if test -n "${PLUGINDIR}"; then
+ plugindir="${PLUGINDIR}"
+@@ -886,22 +898,44 @@ if test "${with_crypto_library}" = "open
+ [AC_MSG_ERROR([openssl check failed])]
+ )
+
+- have_openssl_engine="yes"
+- AC_CHECK_FUNCS(
+- [ \
++ if test "${with_openssl_engine}" = "auto"; then
++ AC_COMPILE_IFELSE(
++ [AC_LANG_PROGRAM(
++ [[
++ #include <openssl/opensslv.h>
++ ]],
++ [[
++ /* Version encoding: MNNFFPPS - see opensslv.h for details */
++ #if OPENSSL_VERSION_NUMBER >= 0x30000000L
++ #error Engine supported disabled by default in OpenSSL 3.0+
++ #endif
++ ]]
++ )],
++ [have_openssl_engine="yes"],
++ [have_openssl_engine="no"]
++ )
++ if test "${have_openssl_engine}" = "yes"; then
++ AC_CHECK_FUNCS(
++ [ \
+ ENGINE_load_builtin_engines \
+ ENGINE_register_all_complete \
+- ENGINE_cleanup \
+- ],
+- ,
+- [have_openssl_engine="no"; break]
+- )
+- if test "${have_openssl_engine}" = "no"; then
+- AC_CHECK_DECL( [ENGINE_cleanup], [have_openssl_engine="yes"],,
+- [[
+- #include <openssl/engine.h>
+- ]]
++ ],
++ ,
++ [have_openssl_engine="no"; break]
++ )
++ fi
++ else
++ have_openssl_engine="${with_openssl_engine}"
++ if test "${have_openssl_engine}" = "yes"; then
++ AC_CHECK_FUNCS(
++ [ \
++ ENGINE_load_builtin_engines \
++ ENGINE_register_all_complete \
++ ],
++ ,
++ [AC_MSG_ERROR([OpenSSL engine support not found])]
+ )
++ fi
+ fi
+ if test "${have_openssl_engine}" = "yes"; then
+ AC_DEFINE([HAVE_OPENSSL_ENGINE], [1], [OpenSSL engine support available])
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/openvpn.git/commitdiff/4d7e3f6835b14b4c3fc814827640e6e6a478184f
More information about the pld-cvs-commit
mailing list