Message ID | 20210818213354.687736-1-arne@rfc2549.org |
---|---|
State | Accepted |
Delegated to: | David Sommerseth |
Series | [Openvpn-devel,1/2] Detect unusable ciphers on patched OpenSSL of RHEL/Centos |
On 18/08/2021 23:33, Arne Schwabe wrote:
> OpenSSL on RHEL 8 and CentOS 8 systems, when these systems are put into
> FIPS mode, needs extra code to figure out if a specific cipher algorithm
> is usable on these systems. This is a particular problem in data-ciphers,
> as the errors might occur much later when a client connects and as these
> ciphers are not caught during config initialisation.
>
> This also prepares for adding Chacha20-Poly1305 when available to
> data-ciphers by making the detection logic used to check if
> cipher_kt_get returns non-NULL work on these systems.
>
> Signed-off-by: Arne Schwabe <arne@rfc2549.org>
> ---
>  src/openvpn/crypto.c         |  6 ++++++
>  src/openvpn/crypto_openssl.c | 10 ++++++++++
>  2 files changed, 16 insertions(+)
>

I've looked at the code, built it on a RHEL-8.4 box with FIPS enabled and tested the binary with FIPS both enabled and disabled. It works smoothly there.

The OPENSSL_FIPS macro is defined in /usr/include/openssl/opensslconf-x86_64.h. So it is handled outside of OpenVPN, and without that macro we don't need to be concerned about the FIPS_mode() function.

As mentioned in the community developer meeting today, there are some concerns about the recently released OpenSSL 3.0 and FIPS - but let's tackle that further down the road once we have distributions with the latest OpenSSL library more easily available.

The bottom line is ...

Acked-By: David Sommerseth <davids@openvpn.net>
Thanks for the test on CentOS 8. I have skimmed the code, but since I have no FIPS enabled OpenSSL around, haven't tested anything.

Your patch has been applied to the master branch.

commit 8f25cefea15481cc0338bca40a89d96fbe745b9f
Author: Arne Schwabe
Date:   Wed Aug 18 23:33:53 2021 +0200

    Detect unusable ciphers on patched OpenSSL of RHEL/Centos

    Signed-off-by: Arne Schwabe <arne@rfc2549.org>
    Acked-by: David Sommerseth <davids@openvpn.net>
    Message-Id: <20210818213354.687736-1-arne@rfc2549.org>
    URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22746.html
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index b9c95225a..1dfc760f9 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -1806,6 +1806,12 @@ print_cipher(const cipher_kt_t *cipher) { printf(", TLS client/server mode only"); } +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) + { + printf(", disabled by FIPS mode"); + } +#endif printf(")\n"); } diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index b55d32b2c..419265a51 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -599,7 +599,17 @@ cipher_kt_get(const char *ciphername) return NULL; } +#ifdef OPENSSL_FIPS + /* Rhel 8/CentOS 8 have a patched OpenSSL version that return a cipher + * here that is actually not usable if in FIPS mode */ + if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) + { + msg(D_LOW, "Cipher algorithm '%s' is known by OpenSSL library but " + "currently disabled by running in FIPS mode.", ciphername); + return NULL; + } +#endif if (EVP_CIPHER_key_length(cipher) > MAX_CIPHER_KEY_LENGTH) { msg(D_LOW, "Cipher algorithm '%s' uses a default key size (%d bytes) "
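Review bot: in the crypto.c hunk, the `#ifdef OPENSSL_FIPS` block added to print_cipher() evaluates `FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)`, which is exactly the condition the second hunk adds to cipher_kt_get() in crypto_openssl.c, and it calls the OpenSSL-specific FIPS_mode()/EVP_CIPHER_flags() directly from crypto.c rather than from the OpenSSL backend file. Suggest a single helper in crypto_openssl.c (for example a `cipher_kt_fips_usable(cipher)` returning bool) that both print_cipher() and cipher_kt_get() call, so the two checks cannot drift apart and the `#ifdef OPENSSL_FIPS` guard is written once. Since FIPS_mode() is deprecated in OpenSSL 3.0, a single helper is also the one place that will need adjusting when the OpenSSL 3.0 concerns raised in the thread are tackled.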
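Review bot: in the crypto_openssl.c hunk, the new comment in cipher_kt_get() reads "Rhel 8/CentOS 8 have a patched OpenSSL version that return a cipher"; it should be "RHEL 8/CentOS 8 have a patched OpenSSL version that returns a cipher". Also, the early `return NULL` is logged only at D_LOW, matching the key-length check below it, but this is the one case where OpenSSL itself knows the cipher and only FIPS mode disables it; consider whether the "currently disabled by running in FIPS mode" explanation should be visible at the default verbosity so an operator can tell a FIPS rejection apart from an unknown cipher name without raising --verb.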
OpenSSL on RHEL 8 and CentOS 8 systems, when these systems are put into FIPS mode, needs extra code to figure out if a specific cipher algorithm is usable on these systems. This is a particular problem in data-ciphers, as the errors might occur much later when a client connects and as these ciphers are not caught during config initialisation.

This also prepares for adding Chacha20-Poly1305 when available to data-ciphers by making the detection logic used to check if cipher_kt_get returns non-NULL work on these systems.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/crypto.c         |  6 ++++++
 src/openvpn/crypto_openssl.c | 10 ++++++++++
 2 files changed, 16 insertions(+)