| Message ID | 20220215102609.14671-1-a@unstable.cc |
|---|---|
| State | Superseded |
| Headers | show |
| Series | [Openvpn-devel] auth_token/tls_crypt: fix usage of md_valid() | expand |
Am 15.02.22 um 11:26 schrieb Antonio Quartulli: > With b39725cf ("Remove md_kt_t and change crypto API to use const char*") > the logic for validating ciphers and md algorithms has been changed. > > We should now *always* use md_valid() when validating a digest alg. > > At the same time, add '!' (negation) when validating the digest algorithm > in the tls-crypt code, in order to restore the proper logic. > > Cc: Arne Schwabe <arne@rfc2549.org> > Fixes: b39725cf ("Remove md_kt_t and change crypto API to use const char*") > Reported-by: Richard T Bonhomme <tincantech@protonmail.com> > Signed-off-by: Antonio Quartulli <a@unstable.cc> Acked-By: Arne Schwabe <arne@rfc2549.org>
diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index ceae68f6..10c9dde6 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c @@ -38,7 +38,7 @@ auth_token_kt(void) kt.cipher = "none"; kt.digest = "SHA256"; - if (!kt.digest) + if (!md_valid(kt.digest)) { msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); return (struct key_type) { 0 }; diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 610168b0..aae2a917 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -59,7 +59,7 @@ tls_crypt_kt(void) msg(M_WARN, "ERROR: --tls-crypt requires AES-256-CTR support."); return (struct key_type) { 0 }; } - if (cipher_valid(kt.digest)) + if (!md_valid(kt.digest)) { msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); return (struct key_type) { 0 };
With b39725cf ("Remove md_kt_t and change crypto API to use const char*") the logic for validating ciphers and md algorithms has been changed. We should now *always* use md_valid() when validating a digest alg. At the same time, add '!' (negation) when validating the digest algorithm in the tls-crypt code, in order to restore the proper logic. Cc: Arne Schwabe <arne@rfc2549.org> Fixes: b39725cf ("Remove md_kt_t and change crypto API to use const char*") Reported-by: Richard T Bonhomme <tincantech@protonmail.com> Signed-off-by: Antonio Quartulli <a@unstable.cc> --- src/openvpn/auth_token.c | 2 +- src/openvpn/tls_crypt.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)