Message ID | 20220119151941.37529-1-openvpn@sf.lists.topphemmelig.net |
---|---|
State | Superseded |
Headers | show |
Series | [Openvpn-devel,v2] crypto: Fix OPENSSL_FIPS enabled builds | expand |
Hi, Sorry for chiming in late: On Wed, Jan 19, 2022 at 10:20 AM David Sommerseth < openvpn@sf.lists.topphemmelig.net> wrote: > From: David Sommerseth <davids@openvpn.net> > > On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS > module enabled by default. On these platforms, the OPENSSL_FIPS macro > is always defined via /usr/include/openssl/opensslconf-*.h. > > Without this fix, the following compilation error appears: > > ./src/openvpn/crypto.c: In function ‘print_cipher’: > ./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first use in > this function); did you mean ‘iphdr’? > if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) > ^~~~~~ > > The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided > via the openssl_compat.h for older than OpenSSL 3.0. > > Signed-off-by: David Sommerseth <davids@openvpn.net> > --- > src/openvpn/crypto.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c > index 5626e2b6..e489d453 100644 > --- a/src/openvpn/crypto.c > +++ b/src/openvpn/crypto.c > @@ -34,6 +34,7 @@ > #include "error.h" > #include "integer.h" > #include "platform.h" > +#include "openssl_compat.h" > > #include "memdbg.h" > > @@ -1704,10 +1705,13 @@ print_cipher(const char *ciphername) > printf(", TLS client/server mode only"); > } > #ifdef OPENSSL_FIPS > + evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL); > + > if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) > We need to check that cipher is not NULL. Fetch can return NULL while EVP_CIPHER_flags() requires a non-null argument. Something like: if (cipher && FIPS_mode && etc...) will do. EVP_CIPHER_free() below can handle NULL, so no problem there. { > printf(", disabled by FIPS mode"); > } > + EVP_CIPHER_free(cipher); #endif > > printf(")\n"); > Selva <div dir="ltr"><div>Hi,</div><div><br></div>Sorry for chiming in late:<div><br><div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jan 19, 2022 at 10:20 AM David Sommerseth <<a href="mailto:openvpn@sf.lists.topphemmelig.net">openvpn@sf.lists.topphemmelig.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">From: David Sommerseth <<a href="mailto:davids@openvpn.net" target="_blank">davids@openvpn.net</a>><br> <br> On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS<br> module enabled by default. On these platforms, the OPENSSL_FIPS macro<br> is always defined via /usr/include/openssl/opensslconf-*.h.<br> <br> Without this fix, the following compilation error appears:<br> <br> ./src/openvpn/crypto.c: In function ‘print_cipher’:<br> ./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first use in this function); did you mean ‘iphdr’?<br> if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))<br> ^~~~~~<br> <br> The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided<br> via the openssl_compat.h for older than OpenSSL 3.0.<br> <br> Signed-off-by: David Sommerseth <<a href="mailto:davids@openvpn.net" target="_blank">davids@openvpn.net</a>><br> ---<br> src/openvpn/crypto.c | 4 ++++<br> 1 file changed, 4 insertions(+)<br> <br> diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c<br> index 5626e2b6..e489d453 100644<br> --- a/src/openvpn/crypto.c<br> +++ b/src/openvpn/crypto.c<br> @@ -34,6 +34,7 @@<br> #include "error.h"<br> #include "integer.h"<br> #include "platform.h"<br> +#include "openssl_compat.h"<br> <br> #include "memdbg.h"<br> <br> @@ -1704,10 +1705,13 @@ print_cipher(const char *ciphername)<br> printf(", TLS client/server mode only");<br> }<br> #ifdef OPENSSL_FIPS<br> + evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);<br> +<br> if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))<br></blockquote><div><br></div><div>We need to check that cipher is not NULL. Fetch can return NULL while EVP_CIPHER_flags() requires a non-null argument. Something like: if (cipher && FIPS_mode && etc...) will do.</div><div><br></div><div>EVP_CIPHER_free() below can handle NULL, so no problem there.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> </blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> {<br> printf(", disabled by FIPS mode");<br> }<br> + EVP_CIPHER_free(cipher); </blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> #endif<br> <br> printf(")\n");<br></blockquote><div><br></div><div>Selva</div></div></div></div></div>
Am 19.01.22 um 16:19 schrieb David Sommerseth: > From: David Sommerseth <davids@openvpn.net> > > On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS > module enabled by default. On these platforms, the OPENSSL_FIPS macro > is always defined via /usr/include/openssl/opensslconf-*.h. > Acked-By: Arne Schwabe <arne@rfc2549.org> Arne
On 19/01/2022 17:34, Selva Nair wrote: > Hi, > > Sorry for chiming in late: > > On Wed, Jan 19, 2022 at 10:20 AM David Sommerseth > <openvpn@sf.lists.topphemmelig.net > <mailto:openvpn@sf.lists.topphemmelig.net>> wrote: > > From: David Sommerseth <davids@openvpn.net <mailto:davids@openvpn.net>> > > On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS > module enabled by default. On these platforms, the OPENSSL_FIPS macro > is always defined via /usr/include/openssl/opensslconf-*.h. > > Without this fix, the following compilation error appears: > > ./src/openvpn/crypto.c: In function ‘print_cipher’: > ./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first > use in this function); did you mean ‘iphdr’? > if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & > EVP_CIPH_FLAG_FIPS)) > ^~~~~~ > > The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided > via the openssl_compat.h for older than OpenSSL 3.0. > > Signed-off-by: David Sommerseth <davids@openvpn.net > <mailto:davids@openvpn.net>> > --- > src/openvpn/crypto.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c > index 5626e2b6..e489d453 100644 > --- a/src/openvpn/crypto.c > +++ b/src/openvpn/crypto.c > @@ -34,6 +34,7 @@ > #include "error.h" > #include "integer.h" > #include "platform.h" > +#include "openssl_compat.h" > > #include "memdbg.h" > > @@ -1704,10 +1705,13 @@ print_cipher(const char *ciphername) > printf(", TLS client/server mode only"); > } > #ifdef OPENSSL_FIPS > + evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL); > + > if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & > EVP_CIPH_FLAG_FIPS)) > > > We need to check that cipher is not NULL. Fetch can return NULL while > EVP_CIPHER_flags() requires a non-null argument. Something like: if > (cipher && FIPS_mode && etc...) will do. > > EVP_CIPHER_free() below can handle NULL, so no problem there. Thanks! v3 is on its way. -- kind regards, David Sommerseth OpenVPN Inc
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 5626e2b6..e489d453 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -34,6 +34,7 @@ #include "error.h" #include "integer.h" #include "platform.h" +#include "openssl_compat.h" #include "memdbg.h" @@ -1704,10 +1705,13 @@ print_cipher(const char *ciphername) printf(", TLS client/server mode only"); } #ifdef OPENSSL_FIPS + evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL); + if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) { printf(", disabled by FIPS mode"); } + EVP_CIPHER_free(cipher); #endif printf(")\n");