From patchwork Wed Jan 26 04:11:28 2022
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 2256
From: Antonio Quartulli
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 26 Jan 2022 16:11:28 +0100
Message-Id: <20220126151128.5078-1-a@unstable.cc>
Subject: [Openvpn-devel] [PATCH] crypto.c: remove (dead) OpenSSL specific code
Cc: David Sommerseth, Antonio Quartulli

Originally we wanted to move this OpenSSL specific code to its own backend and use a proper abstraction in the crypto.c code. However, tests have revealed that OpenVPN will never try to print a cipher that is not supported by FIPS (assuming FIPS is enabled), because along the chain of calls we already call cipher_get() which returns NULL for FIPS-disabled ciphers.

For this reason, we can just remove any FIPS specific code from print_cipher() and be done with it.

This patch fixes compilations with mbedTLS when some OpenSSL is also installed. The issue was introduced with: 544330fe ("crypto: Fix OPENSSL_FIPS enabled builds") Cc: David Sommerseth Signed-off-by: Antonio Quartulli Acked-By: Arne Schwabe --- src/openvpn/crypto.c | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 0aa76e05..b0a3cf81 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -34,7 +34,6 @@ #include "error.h" #include "integer.h" #include "platform.h" -#include "openssl_compat.h" #include "memdbg.h" @@ -1704,16 +1703,6 @@ print_cipher(const char *ciphername) { printf(", TLS client/server mode only"); } -#ifdef OPENSSL_FIPS - evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL); - - if (FIPS_mode() && cipher - && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) - { - printf(", disabled by FIPS mode"); - } - EVP_CIPHER_free(cipher); -#endif printf(")\n"); }
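Review bot: on the include hunk (@@ -34,7 +34,6 @@), dropping `#include "openssl_compat.h"` is only safe if the `#ifdef OPENSSL_FIPS` block in print_cipher() was the last code in crypto.c that needed it; the patch shows no other user, but the diff context cannot confirm that for the rest of the file. The commit message covers the mbedTLS build; please also confirm that an OpenSSL build with OPENSSL_FIPS defined still compiles after this change, and say so in the message.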
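Review bot: in the print_cipher() hunk (@@ -1704,16 +1703,6 @@), the ", disabled by FIPS mode" annotation is removed on the strength of an invariant that lives outside this function: per the commit message, cipher_get() returns NULL for FIPS-disabled ciphers earlier in the call chain, so print_cipher() is never reached for them. Nothing in the visible lines documents or enforces that, so a later change to the callers would print such ciphers without any annotation. Suggest a short comment above print_cipher() stating that the name must already have passed cipher_get(), and naming in the commit message the test that showed this branch to be dead.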