As also explained in OpenVPN 2.x commit bd9aa06feb4, Diffie-Hellman
key exchanges can optionally be disabled and OpenSSL will then use
only ECDH instead.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Digest API calculates MD4/MD5 digests etc., which
are deprecated. In order to use those one needs to
load the OpenSSL legacy provider and use EVP_MD_fetch() to
fetch the digest implementation from all loaded providers.
EVP_MD_fetch() takes a library context as an argument,
so we need to pass it there through the digest API stack.
Signed-off-by: Lev Stipakov <lev@openvpn.net>
This ensures that clients that want to set a minimum TLS
version do not accidentally lower the version when the profile already
requires a higher version.
Also make the tls version enum an enum class for better type safety.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Newer mbed TLS versions changed the API. This fixes our usage of the API and
also removes the micro optimisation of reusing the buffer for plain and cipher
text.
It also adds a unit test to ensure the data is correctly encrypted/decrypted.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This is the result after running 'clang-format -i' on all C++ files and
headers, with the defined formatting rules in .clang-format.
Only the openvpn/common/unicode-impl.hpp has been excluded, as that is
mostly a copy of an external project.
Signed-off-by: David Sommerseth <davids@openvpn.net>
throw() is the same as noexcept(true), which is the same as noexcept.
(https://en.cppreference.com/w/cpp/language/noexcept_spec)
noexcept is more standard nowadays and less likely to create confusion.
Single argument constructors should be marked explicit so they do not
end up being accidentally called.
Previously, we only supported int64 serial numbers.
This change renames get_sn() method to serial_number_as_int64()
for code that cares about 64-bit serial numbers.
Signed-off-by: James Yonan <james@openvpn.net>
The xkey provider was originally implemented by Selva Nair for
OpenVPN 2.x and he has agreed to allow me to reuse the provider for
OpenSSL 3.0.
This brings the xkey provider for OpenSSL to OpenVPN3. The xkey_provider.c
file is kept as close as possible to the original OpenVPN 2 source.
From xkey_helper only the parts that were needed were picked up and used
in xkey.hpp.
This also changes the requirements for clients wanting to implement the
API, generally making them more work (adding PSS/PKCS1 padding and hashing),
but this is a good thing since especially external keys/HSMs often do not
like doing raw signatures and often require doing padding/hashing themselves.
This commit also updates the test client's EPKI implementation to work
with the new requirements of the new API.
Since most of OpenVPN3's code base assumes having only one compilation unit
and the xkey_provider.c, this commit introduces the ENABLE_EXTERNAL_PKI
define. Only if this is set is external key support enabled (and the
xkey_provider.c compilation unit needed).
This commit furthermore removes the pragma statements from extpki.hpp that
suppressed warnings when being compiled with OpenSSL 3.0+, as this header file
is no longer compiled with OpenSSL 3.0+. (Technically xkey is >= 3.0.1 but we have
no target that is OpenSSL 3.0.0.)
Signed-off-by: Arne Schwabe <arne@openvpn.net>
With OpenSSL 3.0 the name with MD5 no longer makes sense as it affects
not only MD5 but also SHA1 and a number of other settings. So replace the
define with a more fitting name.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This allows us to load non-default providers while also not touching
the default library context. This is necessary to have profiles with and
without the legacy library, for example.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
We currently use a custom function to implement the TLS1 PRF function.
Deprecate the custom function and use the function of the OpenSSL
library instead where available.
This also allows us to work on systems that run in FIPS mode and no
longer allow using MD5/SHA1 without workarounds.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
In OpenSSL 3.0 algorithms are no longer guaranteed to be present if the
nid/method is present. Use the updated EVP_CIPHER_fetch API to fetch
the ciphers instead as these will return nullptr if the algorithm is
not available.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Various components like HTTP clients etc. already overwrite this
to TLS 1.2 anyway and this can still be lowered to 1.0 by explicitly
overriding it.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
Example with ovpncli:
EVENT: WARN Proto: Using a 64-bit block cipher that is vulnerable to the SWEET32 attack. Please inform your admin to upgrade to a stronger algorithm. Support for 64-bit block cipher will be dropped in the future.
EVENT: WARN TLS: received certificate signed with SHA1. Please inform your admin to upgrade to a stronger algorithm. Support for SHA1 signatures will be dropped in the future
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This code was originally used in the Connect clients to allow PKIs that
use the (not commonly used) Name constraints feature. This is a
potential security risk but was done to allow PKIs that used that
feature. OpenSSL natively supports Name constraints and will check these.
Remove this hacky feature as it also breaks compiling with
an unpatched mbed TLS and is not used by code anymore.
OpenSSL 1.1+ by default only allows signatures and key exchange from the
default list of X25519:secp256r1:X448:secp521r1:secp384r1. Since in
TLS1.3 key exchange is independent from the signature/key of the
certificates, allowing all groups per default is not a sensible choice
anymore and the shorter list is reasonable.
However, when using certificates with exotic curves the signatures of
these certificates will no longer be accepted. This option allows
modifying the list for these corner cases.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This option has very likely been added to fix some incompatibilities
between some TLS libraries. But nobody really remembers what it fixes
and its usage today is questionable. So remove the option instead
of supporting an option we cannot even test anymore.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This also changes the mbed TLS implementation from using the AES GCM
specific API to the generic AEAD API in mbed TLS. As a result we can
refactor the commonly used parts of AEAD and normal cipher into a
common class.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This is the mbed TLS counterpart to the OpenSSL change in
commit e0fd92f30756. These two methods are generic and not
tied to the MbedTLSContext in any particular way.
This is needed to be able to add a unit test for the x509_get_*()
functions.
Signed-off-by: David Sommerseth <davids@openvpn.net>
const modifiers on primitive return types (int, bool, etc.) do not
do anything and Clang complains about these.
Zero initialisation in C++ is done by = {} or class().
Signed-off-by: Arne Schwabe <arne@openvpn.net>
This information is only sent if push-peer-info is enabled. It is meant
to give central administrators an easy way to spot clients using
outdated SSL libraries.
For example, the following client directive will push the SNI name
"test@example.com" to the server:
sni "test@example.com"
Signed-off-by: James Yonan <james@openvpn.net>
auth_cert() can now be const because OpenSSL rebuild_authcert()
is never called unless authcert has already been allocated,
making
authcert.reset(new AuthCert());
redundant. Once the above statement is removed,
rebuild_authcert() becomes const.
Signed-off-by: James Yonan <james@openvpn.net>
Attempting to build a standalone program that includes
openvpn/openssl/pki/pkey.hpp will fail because it depends
on the PKType enum in openvpn/ssl/sslapi.hpp which
is not explicitly included by pkey.hpp.
Rather than having pkey.hpp include sslapi.hpp (which
seems like a dependency inversion), put PKType into
its own header file.
Signed-off-by: James Yonan <james@openvpn.net>
On the server side, we add the abstract base class
SNIHandlerBase to provide a hook (sni_hello) where
servers can inspect the SNI name given in the client
hello message and possibly return a different SSLFactoryAPI.
In other changes, we rename the ENABLE_SNI flag to
ENABLE_CLIENT_SNI to be clear that this flag only affects
the client-side SNI implementation.
We also add the NO_VERIFY_HOSTNAME flag on the client side
to allow the SNI name to be transmitted to the server
without requiring a match between the SNI name and the
common name or subject alternative name in the server
certificate.
Signed-off-by: James Yonan <james@openvpn.net>
The Clang++ compiler is not happy about this missing declaration on
virtual methods, which is a fair complaint.
Signed-off-by: David Sommerseth <davids@openvpn.net>
Returns true if we did a full SSL handshake/negotiation,
or false for cached, reused, or persisted sessions.
Signed-off-by: James Yonan <james@openvpn.net>
This is an initial client and server-side implementation
for OpenSSL 1.0.2.
Note that this functionality is intended for use with
HTTP sessions, and should not be used with the OpenVPN
protocol.
Signed-off-by: James Yonan <james@openvpn.net>
Removed set_enable_renegotiation from SSLConfigAPI and underlying
SSL implementations (OpenSSL, MbedTLS) since we are not currently
using it and TLS 1.3 standardizes on a session ticket model rather
than server-side session caching.
Signed-off-by: James Yonan <james@openvpn.net>
In TLS 1.3 the RSA-PSS padding is required in addition to the
traditional PKCS1 padding used in TLS 1.2 and below. Add an
argument to the external sign function to signal what padding
is required. As a quirk, OpenSSL calls out requesting a NONE
padding instead of RSA-PSS.
We might need to move from RSA_method to EVP_PKEY_method in the
future.
Signed-off-by: Arne Schwabe <arne@openvpn.net>
The commit 8b22a7b2 had two mistakes:
Accidentally moving the #endif to the wrong line during reformat.
Forgetting to include mbedtls/version.h so the version check was always
false.