[Openvpn-devel] Fix checks of SHA256 in tls-crypt and auth-token

Message ID 20220215105407.3936338-1-arne@rfc2549.org
State Not Applicable
Headers show
Series
  • [Openvpn-devel] Fix checks of SHA256 in tls-crypt and auth-token
Related show

Commit Message

Arne Schwabe Feb. 15, 2022, 10:54 a.m.
These checks were not correctly updated. The check in auth-token
did nothing at all and the check in tls-crypt was the wrong check
but that was hidden by the condition being inverted as well.

Reported-By: tincntech@protonmail.com
---
 src/openvpn/auth_token.c     | 2 +-
 src/openvpn/crypto_backend.h | 3 +--
 src/openvpn/tls_crypt.c      | 2 +-
 3 files changed, 3 insertions(+), 4 deletions(-)

Comments

Kristof Provost via Openvpn-devel Feb. 15, 2022, 2:15 p.m. | #1
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

May as well attribute this correctly.

* tincantech@protonmail.com

Protonmail, now so badly mangles mail on reply that I may have to go back to gmail.
-----BEGIN PGP SIGNATURE-----
Version: ProtonMail

wsBzBAEBCAAGBQJiC7VvACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ2jFAgAjHPRhyMsY1JJuJjt7ePXPcve39xSF46BDUZyMQYXoEVC/pMC
Zrlg5SUtASqxBTis3qI8A8t1aCi+8PdYgM+e2GdSuFLwYYGHDsBMBxlohr0V
tHEVz4eaLtA5h/vQ5a5aki5g/rkPFP7Zedx1jgO7VNxF1EAmfbGK3ch1F/67
o23TePBzlNOPJLrGNPouU58msG8lv5+kB0PRSOUlNGLIN4TA86ynr9ThqvNY
NLP+IXFkmFasizioI5sFZ8wqaLyMFfiSQbUiTXu5yD2DQjuarxwqUsLP2lZv
in8LULOk9Vx+L2RWrmv/LOdCgmRNWppAOs+VN4K1P9EcU+y0P4mRjA==
=d1PC
-----END PGP SIGNATURE-----
Gert Doering Feb. 16, 2022, 8:15 a.m. | #2
Hi,

On Tue, Feb 15, 2022 at 11:54:07AM +0100, Arne Schwabe wrote:
> These checks were not correctly updated. The check in auth-token
> did nothing at all and the check in tls-crypt was the wrong check
> but that was hidden by the condition being inverted as well.

For the sake of the archives: Antonio's patch v2 fixes the same
thing, including the honorable mentioning of Richard's find.

So, setting this one to "Not Applicable" in patchwork.

(And both patches ignore the "--tls-crypt" warning in auth_token_kt() :-) )

gert

Patch

diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c
index ceae68f6..10c9dde6 100644
--- a/src/openvpn/auth_token.c
+++ b/src/openvpn/auth_token.c
@@ -38,7 +38,7 @@  auth_token_kt(void)
     kt.cipher = "none";
     kt.digest = "SHA256";
 
-    if (!kt.digest)
+    if (!md_valid(kt.digest))
     {
         msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support.");
         return (struct key_type) { 0 };
diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index abf1b876..78260057 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -520,8 +520,7 @@  static inline bool md_defined(const char* mdname)
  *
  * @param digest        Name of the digest to verify, e.g. \c MD5).
  *
- * @return              A statically allocated structure containing parameters
- *                      for the given message digest.
+ * @return              the availability of the digest of the given name.
  */
 bool md_valid(const char *digest);
 
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 610168b0..aae2a917 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -59,7 +59,7 @@  tls_crypt_kt(void)
         msg(M_WARN, "ERROR: --tls-crypt requires AES-256-CTR support.");
         return (struct key_type) { 0 };
     }
-    if (cipher_valid(kt.digest))
+    if (!md_valid(kt.digest))
     {
         msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support.");
         return (struct key_type) { 0 };