From patchwork Tue Oct 19 07:23:10 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Arne Schwabe <arne@rfc2549.org>
X-Patchwork-Id: 2012
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Delivered-To: patchwork@openvpn.net
Received: from director7.mail.ord1d.rsapps.net ([172.30.191.6])
	by backend30.mail.ord1d.rsapps.net with LMTP
	id AN9xImoNb2GJLwAAIUCqbw
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	for <patchwork@openvpn.net>; Tue, 19 Oct 2021 14:24:42 -0400
Received: from proxy1.mail.ord1d.rsapps.net ([172.30.191.6])
	by director7.mail.ord1d.rsapps.net with LMTP
	id 6N5IImoNb2FaawAAovjBpQ
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	for <patchwork@openvpn.net>; Tue, 19 Oct 2021 14:24:42 -0400
Received: from smtp11.gate.ord1c ([172.30.191.6])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	by proxy1.mail.ord1d.rsapps.net with LMTPS
	id wHAWImoNb2FdLQAAasrz9Q
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	for <patchwork@openvpn.net>; Tue, 19 Oct 2021 14:24:42 -0400
X-Spam-Threshold: 95
X-Spam-Score: 0
X-Spam-Flag: NO
X-Virus-Scanned: OK
X-Orig-To: openvpnslackdevel@openvpn.net
X-Originating-Ip: [216.105.38.7]
Authentication-Results: smtp11.gate.ord1c.rsapps.net;
 iprev=pass policy.iprev="216.105.38.7";
 spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net"
 smtp.helo="lists.sourceforge.net";
 dkim=fail (signature verification failed) header.d=sourceforge.net;
 dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil;
 dis=none) header.from=rfc2549.org
X-Suspicious-Flag: YES
X-Classification-ID: d38d4f4a-3109-11ec-9eb5-bc305beffa54-1-1
Received: from [216.105.38.7] ([216.105.38.7:33644]
 helo=lists.sourceforge.net)
	by smtp11.gate.ord1c.rsapps.net (envelope-from
 <openvpn-devel-bounces@lists.sourceforge.net>)
	(ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384)
	id C8/2C-03661-96D0F616; Tue, 19 Oct 2021 14:24:42 -0400
Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com)
	by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.92.3)
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	id 1mctmI-0000sS-Bh; Tue, 19 Oct 2021 18:23:58 +0000
Received: from [172.30.20.202] (helo=mx.sourceforge.net)
 by sfs-ml-2.v29.lw.sourceforge.com with esmtps
 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3)
 (envelope-from <arne@kamera.blinkt.de>) id 1mctmD-0000qJ-GI
 for openvpn-devel@lists.sourceforge.net; Tue, 19 Oct 2021 18:23:53 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References:
 In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:
 Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
 Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=UmIINGCVkJLZ3UZIqw002o08rzWb1I8BQgOiP8ggOus=; b=kNHtsjbBXqzjFIr3+RSr+IXs9t
 A0xEjxJ/Tm5FhoHqEhD4TLC3KAwGCyxEZEXc0l5NZFbfxpI4bBaYjx1DIPT2QpH8xL7adtsCiB1hd
 mcR2gNYZSDhltHzW39t90ePB2ihBjFk2+BPL9UkDKh3ok5S0IYYdbujC6c5o1l7hhH9E=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
 ;
 h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id:
 Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=UmIINGCVkJLZ3UZIqw002o08rzWb1I8BQgOiP8ggOus=; b=l0ms3E1W6h6Cj0wRHG63sluX2k
 QCF8UxwO7d+msath6TfbeNNH1wLPOp2Hed4CUiLUd1cT3N1QXd3bF7X+lAdtgUgDi+34V24NicEDS
 yKu06136lT8Az91yeVQQGf9t0A1+DePgMIsG43oYdlbLRbXhIhQ0G5M4dKNG3JBt9cgA=;
Received: from mail.blinkt.de ([192.26.174.232])
 by sfi-mx-1.v28.lw.sourceforge.com with esmtps
 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3)
 id 1mctm4-006Tek-6O
 for openvpn-devel@lists.sourceforge.net; Tue, 19 Oct 2021 18:23:53 +0000
Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c])
 by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD))
 (envelope-from <arne@kamera.blinkt.de>) id 1mctls-0008ac-Ro
 for openvpn-devel@lists.sourceforge.net; Tue, 19 Oct 2021 20:23:32 +0200
Received: (nullmailer pid 613220 invoked by uid 10006);
 Tue, 19 Oct 2021 18:23:33 -0000
From: Arne Schwabe <arne@rfc2549.org>
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:23:10 +0200
Message-Id: <20211019182332.613155-6-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20211019182332.613155-1-arne@rfc2549.org>
References: <20211019182332.613155-1-arne@rfc2549.org>
MIME-Version: 1.0
X-Spam-Report: Spam detection software,
 running on the system "util-spamd-1.v13.lw.sourceforge.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: DES is very deprecated and accidently getting on the of the
 16 insecure keys that OpenSSL checks is extremely unlikely so we no longer
 use the deprecated functions without replacement in OpenSSL 3.0.
 Content analysis details:   (0.3 points, 6.0 required)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
 mail domains are different
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 SPF_NONE               SPF: sender does not publish an SPF Record
X-Headers-End: 1mctm4-006Tek-6O
Subject: [Openvpn-devel] [PATCH v2 04/20] [OSSL 3.0] Remove DES check with
 OpenSSL 3.0
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox

DES is very deprecated and accidently getting on the of the 16 insecure
keys that OpenSSL checks is extremely unlikely so we no longer use the
deprecated functions without replacement in OpenSSL 3.0.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/crypto_openssl.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 021698f12..8db2ddd09 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -521,6 +521,11 @@ key_des_num_cblocks(const EVP_CIPHER *kt)
 bool
 key_des_check(uint8_t *key, int key_len, int ndc)
 {
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+    /* DES is deprecated and the method to even check the keys is deprecated
+     * in OpenSSL 3.0. Instead of checking for the 16 weak/semi-weak keys
+     * we just accept them in OpenSSL 3.0 since the risk of randomly getting
+     * these is pretty weak */
     int i;
     struct buffer b;
 
@@ -553,6 +558,9 @@ key_des_check(uint8_t *key, int key_len, int ndc)
 err:
     ERR_clear_error();
     return false;
+#else
+    return true;
+#endif
 }
 
 void