From: Michael Baentsch Date: Tue, 29 Mar 2022 05:37:09 +0000 (+0200) Subject: Enable usage of TLS groups not identified by a NID in OpenSSL 3 X-Git-Tag: v2.6_beta1~248 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=711a4044a095e83bb70f4620310d385d6f5c7282;p=thirdparty%2Fopenvpn.git Enable usage of TLS groups not identified by a NID in OpenSSL 3 OpenSSL3 prefers to specify groups (including EC groups) with names instead of NID to allow also groups provided by providers. This commit also removes the mapping of secp256r1 to prime256v1 for the OpenSSL3 code path as OpenSSL 3.0 recognises secp256r1.1 Signed-off-by: Michael Baentsch Acked-by: Arne Schwabe Message-Id: <20220329053709.19462-1-info@baentsch.ch> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24012.html Signed-off-by: Gert Doering --- diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index b85951748..af97dabc1 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -572,13 +572,15 @@ void tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups) { ASSERT(ctx); +#if OPENSSL_VERSION_NUMBER < 0x30000000L struct gc_arena gc = gc_new(); /* This method could be as easy as * SSL_CTX_set1_groups_list(ctx->ctx, groups) - * but OpenSSL does not like the name secp256r1 for prime256v1 + * but OpenSSL (< 3.0) does not like the name secp256r1 for prime256v1 * This is one of the important curves. * To support the same name for OpenSSL and mbedTLS, we do * this dance. + * Also note that the code is wrong in the presence of OpenSSL3 providers. */ int groups_count = get_num_elements(groups, ':'); @@ -617,6 +619,13 @@ tls_ctx_set_tls_groups(struct tls_root_ctx *ctx, const char *groups) groups); } gc_free(&gc); +#else + if (!SSL_CTX_set1_groups_list(ctx->ctx, groups)) + { + crypto_msg(M_FATAL, "Failed to set allowed TLS group list: %s", + groups); + } +#endif } void