[Openvpn-devel,OpenVPN,2.5] Translate OpenSSL 3.0 digest names to OpenSSL 1.1 digest names

Message ID 20220523103546.3425388-1-arne@rfc2549.org
State Accepted
Series [Openvpn-devel,OpenVPN,2.5] Translate OpenSSL 3.0 digest names to OpenSSL 1.1 digest names

Commit Message

Arne Schwabe May 23, 2022, 12:35 a.m. UTC
Since we used the OpenSSL <=1.1 names as part of our OCC message, they
are now unfortunately part of our wire protocol.

OpenSSL 3.0 will still accept the "old" names so we do not need to use
this translation table for lookup, only for returning the name with
md_kt_name.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/crypto_openssl.c | 39 ++++++++++++++++++++++++++++++++++--
 1 file changed, 37 insertions(+), 2 deletions(-)
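Added example (written for this page, not OpenVPN's or OpenSSL's code): a stand-alone model of the two directions the commit message distinguishes. The table contents are the ones in the patch; the pair type, the function names, the case-insensitive lookup and the "auth <name>" token used to stand in for the OCC options string are assumptions made for the example. It shows why the translation is needed at all: a peer that writes the OpenSSL 3.0 spelling into its options string no longer matches a peer built against OpenSSL 1.1, and mapping the name back on output restores the match.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Hypothetical pair type with the same shape the patch relies on:
 * the spelling OpenVPN puts on the wire, and the spelling the library reports. */
typedef struct {
    const char *openvpn_name;   /* OpenSSL <=1.1 canonical name, used in OCC */
    const char *lib_name;       /* OpenSSL 3.0 canonical name */
} name_pair;

/* Entries copied from the patch. Digests whose spelling did not change
 * between the two OpenSSL versions (SHA1, MD5, ...) are deliberately absent
 * and pass through untouched. */
static const name_pair digest_names[] = {
    { "BLAKE2s256", "BLAKE2S-256" },
    { "BLAKE2b512", "BLAKE2B-512" },
    { "RIPEMD160",  "RIPEMD-160" },
    { "SHA224",     "SHA2-224" },
    { "SHA256",     "SHA2-256" },
    { "SHA384",     "SHA2-384" },
    { "SHA512",     "SHA2-512" },
    { "SHA512-224", "SHA2-512/224" },
    { "SHA512-256", "SHA2-512/256" },
    { "SHAKE128",   "SHAKE-128" },
    { "SHAKE256",   "SHAKE-256" },
};
#define N_DIGEST_NAMES (sizeof(digest_names) / sizeof(digest_names[0]))

/* Output direction, what md_kt_name() does after the patch: the library's
 * spelling goes in, the wire spelling comes out; unknown names pass through.
 * On an OpenSSL 1.1 build the library already reports the wire spelling, so
 * nothing matches and the table is a no-op. */
const char *wire_digest_name(const char *lib_name)
{
    for (size_t i = 0; i < N_DIGEST_NAMES; i++) {
        if (strcmp(lib_name, digest_names[i].lib_name) == 0) {
            return digest_names[i].openvpn_name;
        }
    }
    return lib_name;
}

/* Lookup direction: accept either spelling, case-insensitively, and return
 * the wire spelling; NULL for a name this toy table does not know. A real
 * build leaves this to OpenSSL, which (per the commit message) still accepts
 * the old names itself, so no table is needed there. */
const char *canonical_wire_name(const char *user_name)
{
    for (size_t i = 0; i < N_DIGEST_NAMES; i++) {
        if (strcasecmp(user_name, digest_names[i].openvpn_name) == 0
            || strcasecmp(user_name, digest_names[i].lib_name) == 0) {
            return digest_names[i].openvpn_name;
        }
    }
    return NULL;
}

/* Build the "auth <name>" token of an OCC-style options string from what the
 * peer's crypto library reports. The token format is a simplification assumed
 * for this example. Returns false if out is too small. */
bool occ_auth_token(char *out, size_t outlen, const char *lib_name, bool translate)
{
    const char *name = translate ? wire_digest_name(lib_name) : lib_name;
    int n = snprintf(out, outlen, "auth %s", name);
    return n >= 0 && (size_t)n < outlen;
}

/* Each peer compares the options string it receives with its own; a differing
 * "auth" token is exactly the mismatch the translation exists to prevent. */
bool occ_auth_matches(const char *local_lib_name, bool local_translate,
                      const char *remote_lib_name, bool remote_translate)
{
    char local[64], remote[64];
    if (!occ_auth_token(local, sizeof(local), local_lib_name, local_translate)
        || !occ_auth_token(remote, sizeof(remote), remote_lib_name, remote_translate)) {
        return false;
    }
    return strcmp(local, remote) == 0;
}

int main(void)
{
    printf("OpenSSL 3.0 reports %-13s -> wire name %s\n", "SHA2-256", wire_digest_name("SHA2-256"));
    printf("OpenSSL 1.1 reports %-13s -> wire name %s\n", "SHA256", wire_digest_name("SHA256"));
    printf("1.1 peer vs. untranslated 3.0 peer: %s\n",
           occ_auth_matches("SHA256", false, "SHA2-256", false) ? "match" : "MISMATCH");
    printf("1.1 peer vs. translated 3.0 peer:   %s\n",
           occ_auth_matches("SHA256", false, "SHA2-256", true) ? "match" : "MISMATCH");
    return 0;
}
```

The strcmp in wire_digest_name is deliberately exact, as in the patch: the library's canonical spelling is fixed, so only user input needs the case-insensitive treatment.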

Comments

Antonio Quartulli May 23, 2022, 1:35 a.m. UTC | #1
Hi,

On 23/05/2022 12:35, Arne Schwabe wrote:
> Since we used the OpenSSL <=1.1 names as part of our OCC message, they
> are now unfortunately part of our wire protocol.
> 
> OpenSSL 3.0 will still accept the "old" names so we do not need to use
> this translation table for lookup only for returning the name with

Same as for the patch for master:

something is missing here ^

...table for lookup, but only for returning...

Same change should be applied to the in-code comment.

> md_kt_name
> 
> Signed-off-by: Arne Schwabe <arne@rfc2549.org>

Acked-by: Antonio Quartulli <a@unstable.cc>

> ---
>   src/openvpn/crypto_openssl.c | 39 ++++++++++++++++++++++++++++++++++--
>   1 file changed, 37 insertions(+), 2 deletions(-)
> 
> diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
> index 74685b386..8c28d2b5e 100644
> --- a/src/openvpn/crypto_openssl.c
> +++ b/src/openvpn/crypto_openssl.c
> @@ -379,7 +379,7 @@ show_available_ciphers(void)
>   void
>   print_digest(EVP_MD *digest, void *unused)
>   {
> -    printf("%s %d bit digest size\n", EVP_MD_name(digest),
> +    printf("%s %d bit digest size\n", md_kt_name(digest),
>              EVP_MD_size(digest) * 8);
>   }
>   
> @@ -982,6 +982,28 @@ md_kt_get(const char *digest)
>       return md;
>   }
>   
> +/* Since we used the OpenSSL <=1.1 names as part of our OCC message, they
> + * are now unfortunately part of our wire protocol.
> + *
> + * OpenSSL 3.0 will still accept the "old" names so we do not need to use
> + * this translation table for lookup only for returning the name with
> + * md_kt_name */
> +const cipher_name_pair digest_name_translation_table[] = {
> +    { "BLAKE2s256", "BLAKE2S-256"},
> +    { "BLAKE2b512", "BLAKE2B-512"},
> +    { "RIPEMD160", "RIPEMD-160" },
> +    { "SHA224", "SHA2-224"},
> +    { "SHA256", "SHA2-256"},
> +    { "SHA384", "SHA2-384"},
> +    { "SHA512", "SHA2-512"},
> +    { "SHA512-224", "SHA2-512/224"},
> +    { "SHA512-256", "SHA2-512/256"},
> +    { "SHAKE128", "SHAKE-128"},
> +    { "SHAKE256", "SHAKE-256"},
> +};
> +const size_t digest_name_translation_table_count =
> +    sizeof(digest_name_translation_table) / sizeof(*digest_name_translation_table);
> +
>   const char *
>   md_kt_name(const EVP_MD *kt)
>   {
> @@ -989,7 +1011,20 @@ md_kt_name(const EVP_MD *kt)
>       {
>           return "[null-digest]";
>       }
> -    return EVP_MD_name(kt);
> +
> +    const char *name = EVP_MD_name(kt);
> +
> +    /* Search for a digest name translation */
> +    for (size_t i = 0; i < digest_name_translation_table_count; i++)
> +    {
> +        const cipher_name_pair *pair = &digest_name_translation_table[i];
> +        if (!strcmp(name, pair->lib_name))
> +        {
> +            name = pair->openvpn_name;
> +        }
> +    }
> +
> +    return name;
>   }
>   
>   unsigned char
Gert Doering May 23, 2022, 4:15 a.m. UTC | #2
This is basically the same change as commit 88342ed8277c5797 (master),
just without the Big MD Refactoring.

Tested, works :-) - --show-digests shows what to expect (without this
patch, ossl 3 builds show "SHA2-256", with this patch, "SHA256"), and
so does OCC.

Your patch has been applied to the release/2.5 branch.

commit b158125f67b49149ffd3e2617479fbd27860713c
Author: Arne Schwabe
Date:   Mon May 23 12:35:45 2022 +0200

     Translate OpenSSL 3.0 digest names to OpenSSL 1.1 digest names

     Signed-off-by: Arne Schwabe <arne@rfc2549.org>
     Acked-by: Antonio Quartulli <a@unstable.cc>
     Message-Id: <20220523103546.3425388-1-arne@rfc2549.org>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg24424.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 74685b386..8c28d2b5e 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -379,7 +379,7 @@  show_available_ciphers(void)
 void
 print_digest(EVP_MD *digest, void *unused)
 {
-    printf("%s %d bit digest size\n", EVP_MD_name(digest),
+    printf("%s %d bit digest size\n", md_kt_name(digest),
            EVP_MD_size(digest) * 8);
 }
 
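Review bot: this hunk also changes the user-visible --show-digests output on OpenSSL 3 builds (the library's "SHA2-256" is now printed as "SHA256", as the test reply above confirms), but the commit message only talks about the OCC message; a sentence there, or a short comment above print_digest saying the config/wire spelling is printed on purpose, would stop the next reader from "fixing" this back to EVP_MD_name().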
@@ -982,6 +982,28 @@  md_kt_get(const char *digest)
     return md;
 }
 
+/* Since we used the OpenSSL <=1.1 names as part of our OCC message, they
+ * are now unfortunately part of our wire protocol.
+ *
+ * OpenSSL 3.0 will still accept the "old" names so we do not need to use
+ * this translation table for lookup only for returning the name with
+ * md_kt_name */
+const cipher_name_pair digest_name_translation_table[] = {
+    { "BLAKE2s256", "BLAKE2S-256"},
+    { "BLAKE2b512", "BLAKE2B-512"},
+    { "RIPEMD160", "RIPEMD-160" },
+    { "SHA224", "SHA2-224"},
+    { "SHA256", "SHA2-256"},
+    { "SHA384", "SHA2-384"},
+    { "SHA512", "SHA2-512"},
+    { "SHA512-224", "SHA2-512/224"},
+    { "SHA512-256", "SHA2-512/256"},
+    { "SHAKE128", "SHAKE-128"},
+    { "SHAKE256", "SHAKE-256"},
+};
+const size_t digest_name_translation_table_count =
+    sizeof(digest_name_translation_table) / sizeof(*digest_name_translation_table);
+
 const char *
 md_kt_name(const EVP_MD *kt)
 {
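Review bot: the comment introducing the table has the same missing comma as the commit message, and the first reply asks for it to be fixed here as well; as written, "we do not need to use this translation table for lookup only for returning the name" reads as if the table were not needed at all, so make it "for lookup, only for returning the name with md_kt_name". Also, digest_name_translation_table and digest_name_translation_table_count are given external linkage, yet nothing in this file or in a header declares them; unless another translation unit needs them they should be static, which also lets the compiler fold the count. Finally, nothing says which column is which: a one-line comment that the first string is the OpenVPN/wire name and the second the OpenSSL 3.0 name, and that digests whose spelling did not change (SHA1, MD5) are intentionally absent and pass through, would make the table self-explanatory.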
@@ -989,7 +1011,20 @@  md_kt_name(const EVP_MD *kt)
     {
         return "[null-digest]";
     }
-    return EVP_MD_name(kt);
+
+    const char *name = EVP_MD_name(kt);
+
+    /* Search for a digest name translation */
+    for (size_t i = 0; i < digest_name_translation_table_count; i++)
+    {
+        const cipher_name_pair *pair = &digest_name_translation_table[i];
+        if (!strcmp(name, pair->lib_name))
+        {
+            name = pair->openvpn_name;
+        }
+    }
+
+    return name;
 }
 
 unsigned char
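Review bot: the loop in md_kt_name() keeps scanning after a match; add a break after "name = pair->openvpn_name;" so a later entry can never overwrite an earlier hit and the intent is obvious. Behaviour is otherwise right: the NULL check still returns "[null-digest]" before the lookup, on an OpenSSL 1.1 build EVP_MD_name() already returns the wire spelling so no lib_name matches and the name passes through, and on OpenSSL 3 the exact strcmp against the library's canonical spelling is the correct comparison, since the case-insensitive acceptance of old names is only needed in the lookup direction, which this patch leaves to OpenSSL.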