From patchwork Thu May 12 02:14:28 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2447 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director15.mail.ord1d.rsapps.net ([172.28.255.1]) by backend41.mail.ord1d.rsapps.net with LMTP id mH0DD4L6fGKwVwAAqwncew (envelope-from ) for ; Thu, 12 May 2022 08:16:02 -0400 Received: from proxy7.mail.ord1c.rsapps.net ([172.28.255.1]) by director15.mail.ord1d.rsapps.net with LMTP id gABiIoL6fGJffQAAIcMcQg (envelope-from ) for ; Thu, 12 May 2022 08:16:02 -0400 Received: from smtp18.gate.ord1c ([172.28.255.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy7.mail.ord1c.rsapps.net with LMTPS id iOz1IYL6fGJeKwAAknS3pQ (envelope-from ) for ; Thu, 12 May 2022 08:16:02 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp18.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 49b47b42-d1ed-11ec-aa5f-bc305bf00c68-1-1 Received: from [216.105.38.7] ([216.105.38.7:48788] helo=lists.sourceforge.net) by smtp18.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 39/3A-02782-18AFC726; Thu, 12 May 2022 08:16:02 -0400 Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1np7if-00088E-FG; Thu, 12 May 2022 12:15:00 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1np7iS-00087i-2t for openvpn-devel@lists.sourceforge.net; Thu, 12 May 2022 12:14:47 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=fo8BMYg3uP+CWzMffwjesgjSGym4ErxbxkM+BqFAIr0=; b=hTkptXFTx7g6Ky0HRelJ0wgB1b dbWVnOv6TSod0cg/6dLyv5EJu/mOwd9JMVaDfRAHB5w1pME0euTDydWiLWzfda6QT0zcWZQ2tIBJJ I0K6TRNYsP9sSgaEfPnFWaJm5+j3R34KrrIF3sAtTEzKgTFFKF4aG61fcqmyF7RgYtqw=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=fo8BMYg3uP+CWzMffwjesgjSGym4ErxbxkM+BqFAIr0=; b=hyrGQJc95KRW1gRyiwjt0M/7ZN qkfla3F+66QgxAPEiPO0A2T62Rq9dyg3lGhLg8LBsupoNkjIdBKx4EVCBQzoNnkrZXj3hWXl+0hag 0lKdQyBMYJILUKf1XpH0S86w2I6D9yKoEwd9DcE/xs1LBrJQk3oSavuVdUzXvJgXfWQk=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2) id 1np7iL-009ivn-KL for openvpn-devel@lists.sourceforge.net; Thu, 12 May 2022 12:14:42 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD)) (envelope-from ) id 1np7i9-0004tZ-Ql for openvpn-devel@lists.sourceforge.net; Thu, 12 May 2022 14:14:29 +0200 Received: (nullmailer pid 2096228 invoked by uid 10006); Thu, 12 May 2022 12:14:29 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Thu, 12 May 2022 14:14:28 +0200 Message-Id: <20220512121429.2096164-7-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20220512121429.2096164-1-arne@rfc2549.org> References: <20220512121429.2096164-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: This is a minimal version to hide the non-supported ciphers in these show-cipher/show-digests listings. It also adds code to the kt_md_get/ kt_cipher_get functions to error out early instead of gettin [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different 0.0 SPF_NONE SPF: sender does not publish an SPF Record X-Headers-End: 1np7iL-009ivn-KL Subject: [Openvpn-devel] [PATCH 6/7] Fix allowing/showing unsupported ciphers and digests X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox This is a minimal version to hide the non-supported ciphers in these show-cipher/show-digests listings. It also adds code to the kt_md_get/ kt_cipher_get functions to error out early instead of getting an ugly backtrace with OpenSSL errors later when actually trying to use the ciphers. This allows make check to work again on with OpenSSL 3.0. The changes are kept minimal to avoid pulling in all the other refactoring for OpenSSL 3.0. This commit is partly cherry-picked from ab3f32b9. Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/crypto_openssl.c | 50 +++++++++++++++++++++++++++++++++--- 1 file changed, 47 insertions(+), 3 deletions(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index beeaee4b7..ad6c9353a 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -339,7 +339,11 @@ show_available_ciphers(void) || cipher_kt_mode_aead(cipher) )) { - cipher_list[num_ciphers++] = cipher; + /* Check explicit availibility (for OpenSSL 3.0) */ + if (cipher_kt_get(cipher_kt_name(cipher))) + { + cipher_list[num_ciphers++] = cipher; + } } if (num_ciphers == (sizeof(cipher_list)/sizeof(*cipher_list))) { @@ -371,6 +375,13 @@ show_available_ciphers(void) printf("\n"); } +void +print_digest(EVP_MD *digest, void *unused) +{ + printf("%s %d bit digest size\n", EVP_MD_name(digest), + EVP_MD_size(digest) * 8); +} + void show_available_digests(void) { @@ -384,16 +395,22 @@ show_available_digests(void) "the --auth option.\n\n"); #endif +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MD_do_all_provided(NULL, print_digest, NULL); +#else for (nid = 0; nid < 10000; ++nid) { + const EVP_MD *digest = EVP_get_digestbynid(nid); if (digest) { - printf("%s %d bit digest size\n", - OBJ_nid2sn(nid), EVP_MD_size(digest) * 8); + /* We cast the const away so we can keep the function prototype + * compatible with EVP_MD_do_all_provided */ + print_digest((EVP_MD *)digest, NULL); } } printf("\n"); +#endif } void @@ -624,6 +641,19 @@ cipher_kt_get(const char *ciphername) ciphername = translate_cipher_name_from_openvpn(ciphername); cipher = EVP_get_cipherbyname(ciphername); + /* This is a workaround for OpenSSL 3.0 to infer if the cipher is valid + * without doing all the refactoring that OpenVPN 2.6 has. This will + * not support custom algorithm from providers but at least ignore + * algorithms that are not available without providers (legacy) */ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_CIPHER *tmpcipher = EVP_CIPHER_fetch(NULL, ciphername, NULL); + if (!tmpcipher) + { + cipher = NULL; + } + EVP_CIPHER_free(tmpcipher); +#endif + if (NULL == cipher) { crypto_msg(D_LOW, "Cipher algorithm '%s' not found", ciphername); @@ -924,6 +954,20 @@ md_kt_get(const char *digest) const EVP_MD *md = NULL; ASSERT(digest); md = EVP_get_digestbyname(digest); + + /* This is a workaround for OpenSSL 3.0 to infer if the digest is valid + * without doing all the refactoring that OpenVPN 2.6 has. This will + * not support custom algorithm from providers but at least ignore + * algorithms that are not available without providers (legacy) */ +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MD *tmpmd = EVP_MD_fetch(NULL, digest, NULL); + if (!tmpmd) + { + md = NULL; + } + EVP_MD_free(tmpmd); +#endif + if (!md) { crypto_msg(M_FATAL, "Message hash algorithm '%s' not found", digest);