[Openvpn-devel,4/5] Use EVP_CTRL_AEAD_* instead EVP_CTRL_GCM_*

Message ID 20210406162518.4075-4-arne@rfc2549.org
State Accepted
Headers show
Series
  • [Openvpn-devel,1/5] Remove check for socket functions and Win XP compatbility code
Related show

Commit Message

Arne Schwabe April 6, 2021, 4:25 p.m.
Use the modern names instead of the old GCM specific ones. AEAD instead
GCM makes especially sense when using Chacha20-Poly1305.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/crypto_openssl.c | 4 ++--
 src/openvpn/openssl_compat.h | 5 +++++
 2 files changed, 7 insertions(+), 2 deletions(-)

Comments

Antonio Quartulli April 6, 2021, 9:10 p.m. | #1
Hi,

On 06/04/2021 18:25, Arne Schwabe wrote:
> Use the modern names instead of the old GCM specific ones. AEAD instead
> GCM makes especially sense when using Chacha20-Poly1305.
> 
> Signed-off-by: Arne Schwabe <arne@rfc2549.org>

This looks good and does not trigger issues on my build rig.
The manpage also suggests using *AEAD* constants.

Glad we can keep all the ugliness in openssl_compat.h....

Acked-by: Antonio Quartulli <antonio@openvpn.net>
Gert Doering April 7, 2021, 12:58 p.m. | #2
Lightly client-side tested with OpenSSL 1.0.2 and 1.1.1

Your patch has been applied to the master branch.

commit 3fbeeda5cd3cbd0cbb4c039b469685e2a6254daf
Author: Arne Schwabe
Date:   Tue Apr 6 18:25:17 2021 +0200

     Use EVP_CTRL_AEAD_* instead EVP_CTRL_GCM_*

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Antonio Quartulli <antonio@openvpn.net>
     Message-Id: <20210406162518.4075-4-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22050.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index dc6b0fa71..f8b36bf85 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -792,7 +792,7 @@  cipher_ctx_iv_length(const EVP_CIPHER_CTX *ctx)
 int
 cipher_ctx_get_tag(EVP_CIPHER_CTX *ctx, uint8_t *tag_buf, int tag_size)
 {
-    return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, tag_size, tag_buf);
+    return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, tag_size, tag_buf);
 }
 
 int
@@ -853,7 +853,7 @@  cipher_ctx_final_check_tag(EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len,
                            uint8_t *tag, size_t tag_len)
 {
     ASSERT(tag_len < SIZE_MAX);
-    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, tag_len, tag))
+    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, tag))
     {
         return 0;
     }
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index eb6c9c906..ff024feff 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -46,6 +46,11 @@ 
 #include <openssl/ssl.h>
 #include <openssl/x509.h>
 
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)) && !defined(ENABLE_CRYPTO_WOLFSSL)
+#define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG
+#define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG
+#endif
+
 #if !defined(HAVE_EVP_MD_CTX_RESET)
 /**
  * Reset a message digest context