[Openvpn-devel,v3,18/21] Fix error when BF-CBC is not available

Message ID 20211019183127.614175-19-arne@rfc2549.org
State Accepted
Series
  • OpenSSL 3.0 improvements for OpenVPN

Commit Message

Arne Schwabe Oct. 19, 2021, 6:31 p.m.
Through the multiple iterations of allowing OpenVPN to run without
BF-CBC we accidentally made a regression and still required BF-CBC.

This patch fixes the code path and restores its intended function.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/options.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

Maximilian Fillinger Oct. 26, 2021, 5:48 p.m. | #1
On 19/10/2021 20:31, Arne Schwabe wrote:
> Through the multiple iterations of allowing OpenVPN to run without
> BF-CBC we accidentally made a regression and still required BF-CBC.
> 
> This patch fixes the code path and restores its intended function.
> 
> Signed-off-by: Arne Schwabe <arne@rfc2549.org>

Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>

This fixes running with --mode server when BF-CBC is unavailable.

Gert Doering Nov. 5, 2021, 3:05 p.m. | #2
As discussed online, this is really just about OCC initialization,
and that really shouldn't pull in BF-CBC if not requested :-)

I have rewrapped the comment - one overlong line + one short line looked
avoidably silly :-)

Your patch has been applied to the master branch.

commit 056991925633ea27a1536bb610e0055072631ce7
Author: Arne Schwabe
Date:   Tue Oct 19 20:31:24 2021 +0200

     Fix error when BF-CBC is not available

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
     Message-Id: <20211019183127.614175-19-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23010.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/options.c b/src/openvpn/options.c
index ab7b00783..fe873944b 100644
--- a/src/openvpn/options.c
+++ b/src/openvpn/options.c
@@ -3797,6 +3797,9 @@  calc_options_string_link_mtu(const struct options *o, const struct frame *frame)
 
             /* overhead of BF-CBC: 64 bit block size, 64 bit IV size */
             frame_add_to_extra_frame(&fake_frame, 64/8 + 64/8);
+            /* set ciphername to none, so its size does get added in the fake_kt and
+             * the cipher is not tried to be resolved */
+            ciphername = "none";
         }
 
         init_key_type(&fake_kt, ciphername, o->authname, true, false);
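
Review bot: The new comment above `ciphername = "none";` says the cipher's size "does get added in the fake_kt", which reads as the opposite of what the assignment appears to do. The BF-CBC overhead is already added by hand on the preceding line (`frame_add_to_extra_frame(&fake_frame, 64/8 + 64/8);`), and overriding the name before `init_key_type(&fake_kt, ciphername, o->authname, true, false);` looks intended to keep the cipher from being counted again and from being looked up at all. Suggest rewording along the lines of "set ciphername to none, so its size is not added again via fake_kt and the cipher is never resolved", and rewrapping the comment, since its first line is overlong next to the short second one.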