-
Notifications
You must be signed in to change notification settings - Fork 114
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
OpenVPN error codes, SSL_get_peer_signature_* funcs, and first patch …
…file (#1584) ### Issues CryptoAlg-2477 CryptoAlg-2478 ### Description of changes: 1. Added three new aliases for AES-128-GCM, AES-192-GCM, and AES-256-GCM as required by OpenVPN 2. Added an error and function code. Error code points to our equivalent of the OpenSSL PKCS12_R_MAC_VERIFY_FAILURE error 3. Added SSL_get_peer_signature_nid and SSL_get_peer_signature_type_nid. No new state is stored for these in the SSL connection. 4. Generated a patch file to use OpenVPNs internal ASSERT function instead of OpenSSL_assert, SSL_get_ciphers instead of SSL_get1_supported_ciphers, and point SSL_get_peer_tmp_key to SSL_get_server_tmp_key (which we define as a no-op) 5. Added pkcs8.h to doc.config ### Call-outs: The patch file is temporary and will likely change with future PRs ### Testing: 1. SSL_get_peer_signature_nid and SSL_get_peer_signature_type_nid are tested in a TLS 1.2 connection (with renegotiation) and in a TLS 1.3 connection (with mTLS configured to test both the client and server side). By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
- Loading branch information
Showing
8 changed files
with
167 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c | ||
index 50683b67..eef80d54 100644 | ||
--- a/src/openvpn/crypto_openssl.c | ||
+++ b/src/openvpn/crypto_openssl.c | ||
@@ -1460,7 +1460,12 @@ tls1_P_hash(const EVP_MD *md, const unsigned char *sec, | ||
int ret = false; | ||
|
||
chunk = EVP_MD_size(md); | ||
+ | ||
+#if !defined(OPENSSL_IS_AWSLC) | ||
OPENSSL_assert(chunk >= 0); | ||
+#else | ||
+ ASSERT(chunk >= 0); | ||
+#endif | ||
|
||
ctx = md_ctx_new(); | ||
ctx_tmp = md_ctx_new(); | ||
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h | ||
index c9fa7196..a48ef391 100644 | ||
--- a/src/openvpn/openssl_compat.h | ||
+++ b/src/openvpn/openssl_compat.h | ||
@@ -75,7 +75,7 @@ X509_OBJECT_free(X509_OBJECT *obj) | ||
#define RSA_F_RSA_OSSL_PRIVATE_ENCRYPT RSA_F_RSA_EAY_PRIVATE_ENCRYPT | ||
#endif | ||
|
||
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(ENABLE_CRYPTO_WOLFSSL)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL) | ||
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(ENABLE_CRYPTO_WOLFSSL)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050400fL) || defined(OPENSSL_IS_AWSLC) | ||
#define SSL_get_peer_tmp_key SSL_get_server_tmp_key | ||
#endif | ||
|
||
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c | ||
index 4383e981..bd2039d3 100644 | ||
--- a/src/openvpn/ssl_openssl.c | ||
+++ b/src/openvpn/ssl_openssl.c | ||
@@ -2314,7 +2314,7 @@ show_available_tls_ciphers_list(const char *cipher_list, | ||
crypto_msg(M_FATAL, "Cannot create SSL object"); | ||
} | ||
|
||
-#if OPENSSL_VERSION_NUMBER < 0x1010000fL | ||
+#if OPENSSL_VERSION_NUMBER < 0x1010000fL || defined(OPENSSL_IS_AWSLC) | ||
STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl); | ||
#else | ||
STACK_OF(SSL_CIPHER) *sk = SSL_get1_supported_ciphers(ssl); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters