[Openvpn-devel] crypto.c: remove (dead) OpenSSL specific code

Message ID 20220126151128.5078-1-a@unstable.cc
State Changes Requested

Commit Message

Antonio Quartulli Jan. 26, 2022, 3:11 p.m.
Originally we wanted to move this OpenSSL specific code to its own
backend and use a proper abstraction in the crypto.c code.

However, tests have revealed that OpenVPN will never try to print a
cipher that is not supported by FIPS (assuming FIPS is enabled), because
along the chain of calls we already call cipher_get() which returns NULL
for FIPS-disabled ciphers.

For this reason, we can just remove any FIPS specific code from
print_cipher() and be done with it.

This patch fixes compilations with mbedTLS when some OpenSSL is also
installed. The issue was introduced with:
544330fe ("crypto: Fix OPENSSL_FIPS enabled builds")

Cc: David Sommerseth <davids@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
---
 src/openvpn/crypto.c | 11 -----------
 1 file changed, 11 deletions(-)

Comments

Arne Schwabe Jan. 26, 2022, 4:29 p.m. | #1
On 26.01.22 at 16:11, Antonio Quartulli wrote:
> Originally we wanted to move this OpenSSL specific code to its own
> backend and use a proper abstraction in the crypto.c code.
> 
> However, tests have revealed that OpenVPN will never try to print a
> cipher that is not supported by FIPS (assuming FIPS is enabled), because
> along the chain of calls we already call cipher_get() which returns NULL
> for FIPS-disabled ciphers.
> 
> For this reason, we can just remove any FIPS specific code from
> print_cipher() and be done with it.
> 

Acked-By: Arne Schwabe <arne@rfc2549.org>

Patch

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 0aa76e05..b0a3cf81 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -34,7 +34,6 @@ 
 #include "error.h"
 #include "integer.h"
 #include "platform.h"
-#include "openssl_compat.h"
 
 #include "memdbg.h"
 
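Review bot: The commit message does not say that dropping `#include "openssl_compat.h"` here is safe, and that only holds if the `#ifdef OPENSSL_FIPS` block removed from print_cipher() was the last user of that header in crypto.c. Please confirm this in the message, and state there whether it is this include or the FIPS block that broke the mbedTLS build, so the fix can be matched to the failure it addresses.
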
@@ -1704,16 +1703,6 @@  print_cipher(const char *ciphername)
     {
         printf(", TLS client/server mode only");
     }
-#ifdef OPENSSL_FIPS
-    evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);
-
-    if (FIPS_mode() && cipher
-        && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
-    {
-        printf(", disabled by FIPS mode");
-    }
-    EVP_CIPHER_free(cipher);
-#endif
 
     printf(")\n");
 }
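
Review bot: Nothing in print_cipher() records the invariant this removal depends on: per the commit message, cipher_get() has already returned NULL for FIPS-disabled ciphers earlier in the call chain, so the ", disabled by FIPS mode" marker can never be reached. Suggest a one-line comment above `printf(")\n");` naming that dependency, so that a later caller which reaches print_cipher() without going through cipher_get() does not silently list a FIPS-disabled cipher as usable.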