Message ID | 20220215105407.3936338-1-arne@rfc2549.org |
---|---|
State | Not Applicable |
Headers | show |
Series | [Openvpn-devel] Fix checks of SHA256 in tls-crypt and auth-token | expand |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 May as well attribute this correctly. * tincantech@protonmail.com Protonmail, now so badly mangles mail on reply that I may have to go back to gmail. -----BEGIN PGP SIGNATURE----- Version: ProtonMail wsBzBAEBCAAGBQJiC7VvACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec 9muQuJ2jFAgAjHPRhyMsY1JJuJjt7ePXPcve39xSF46BDUZyMQYXoEVC/pMC Zrlg5SUtASqxBTis3qI8A8t1aCi+8PdYgM+e2GdSuFLwYYGHDsBMBxlohr0V tHEVz4eaLtA5h/vQ5a5aki5g/rkPFP7Zedx1jgO7VNxF1EAmfbGK3ch1F/67 o23TePBzlNOPJLrGNPouU58msG8lv5+kB0PRSOUlNGLIN4TA86ynr9ThqvNY NLP+IXFkmFasizioI5sFZ8wqaLyMFfiSQbUiTXu5yD2DQjuarxwqUsLP2lZv in8LULOk9Vx+L2RWrmv/LOdCgmRNWppAOs+VN4K1P9EcU+y0P4mRjA== =d1PC -----END PGP SIGNATURE-----
Hi, On Tue, Feb 15, 2022 at 11:54:07AM +0100, Arne Schwabe wrote: > These checks were not correctly updated. The check in auth-token > did nothing at all and the check in tls-crypt was the wrong check > but that was hidden by the condition being inverted as well. For the sake of the archives: Antonio's patch v2 fixes the same thing, including the honorable mentioning of Richard's find. So, setting this one to "Not Applicable" in patchwork. (And both patches ignore the "--tls-crypt" warning in auth_token_kt() :-) ) gert
diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index ceae68f6..10c9dde6 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c @@ -38,7 +38,7 @@ auth_token_kt(void) kt.cipher = "none"; kt.digest = "SHA256"; - if (!kt.digest) + if (!md_valid(kt.digest)) { msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); return (struct key_type) { 0 }; diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index abf1b876..78260057 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -520,8 +520,7 @@ static inline bool md_defined(const char* mdname) * * @param digest Name of the digest to verify, e.g. \c MD5). * - * @return A statically allocated structure containing parameters - * for the given message digest. + * @return the availability of the digest of the given name. */ bool md_valid(const char *digest); diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 610168b0..aae2a917 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -59,7 +59,7 @@ tls_crypt_kt(void) msg(M_WARN, "ERROR: --tls-crypt requires AES-256-CTR support."); return (struct key_type) { 0 }; } - if (cipher_valid(kt.digest)) + if (!md_valid(kt.digest)) { msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); return (struct key_type) { 0 };