Avoid generating unnecessary mbed debug messages
The main motivation to make this change is to avoid a crash in mbed TLS
2.25 with --verb < 8.
mbed TLS 2.25 has a nasty bug that the print function for Montgomery style
EC curves (Curve25519 and Curve448) does segfault. See also the issue
reported here: https://github.com/ARMmbed/mbedtls/issues/4208
We always request debug level 3 from mbed TLS but filter out any debug
output of level 3 unless verb 8 or higher is set. This commit sets
the debug level to 2 to avoid this problem by making mbed TLS not
generate the problematic debug output.
For the affected version, the way to still use --verb 8 with mbed TLS 2.25 is to
restrict the EC groups to ones that do not crash the print function,
like with '--tls-groups secp521r1:secp384r1:secp256r1'.
This patch has no impact on user-visible behaviour on unaffected mbed TLS
versions.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch V2: Replace magic constant with proper define. Highlight more this
avoiding generating unnecessary debug output than crash workaround.
Acked-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20210316124421.1635-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg21667.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>