openvpn

OpenVPN/openvpn

Fork 0

mirror of https://github.com/OpenVPN/openvpn.git synced 2025-06-25 05:17:36 +08:00

Commit Graph

Author	SHA1	Message	Date
Shubham Mittal	aab1f862f4	Add compatibility to build OpenVPN with AWS-LC. Additional context from PR on Github about changes in ssl_openssl.c around line 1900: This change addresses a subtle behavioral difference between AWS-LC and OpenSSL regarding object ownership semantics in SSL_CTX_set_client_CA_list(ctx->ctx, cert_names). OpenSSL Behavior: Stores a reference to the provided cert_names stack cert_names remains valid after SSL_CTX_set_client_CA_list AWS-LC Behavior: Creates a copy of the parameter cert_names (which is a stack of type X509_NAME) and converts it to a stack of CRYPTO_BUFFER (how we internally represent X509_NAME, it's an opaque byte string). Then frees the original passed in cert_names. After SSL_CTX_set_client_CA_list, cert_names no longer points to valid memory. The proposed changes reorder operations to getting the size of the stack before the set operation as opposed to after the set operation. No operations between the setter and stack size check modify cert_names. Therefore, the logical outcome should remain the same - and this would also handle the subtle behavioral difference in AWS-LC. Github: closes OpenVPN/openvpn#672 Signed-off-by: Shubham Mittal <smittals@amazon.com> Acked-by: Arne Schwabe <arne@rfc2549.org> Message-Id: <20250128220932.2113-1-smittals@amazon.com> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30682.html Signed-off-by: Gert Doering <gert@greenie.muc.de>	2025-01-29 17:11:19 +01:00

Author

SHA1

Message

Date

Shubham Mittal

aab1f862f4

Add compatibility to build OpenVPN with AWS-LC.

Additional context from PR on Github about changes in ssl_openssl.c
around line 1900:
This change addresses a subtle behavioral difference between AWS-LC
and OpenSSL regarding object ownership semantics in
SSL_CTX_set_client_CA_list(ctx->ctx, cert_names).

OpenSSL Behavior:
Stores a reference to the provided cert_names stack
cert_names remains valid after SSL_CTX_set_client_CA_list

AWS-LC Behavior:
Creates a copy of the parameter cert_names (which is a stack of type
X509_NAME) and converts it to a stack of CRYPTO_BUFFER (how we internally
represent X509_NAME, it's an opaque byte string).  Then frees the original
passed in cert_names.
After SSL_CTX_set_client_CA_list, cert_names no longer points to valid
memory.

The proposed changes reorder operations to getting the size of the
stack before the set operation as opposed to after the set operation.
No operations between the setter and stack size check modify
cert_names. Therefore, the logical outcome should remain the same
- and this would also handle the subtle behavioral difference in
AWS-LC.

Github: closes OpenVPN/openvpn#672
Signed-off-by: Shubham Mittal <smittals@amazon.com>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20250128220932.2113-1-smittals@amazon.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg30682.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

2025-01-29 17:11:19 +01:00

1 Commits