From patchwork Sun Sep 19 06:29:52 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Arne Schwabe <arne@rfc2549.org>
X-Patchwork-Id: 1955
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Delivered-To: patchwork@openvpn.net
Received: from director7.mail.ord1d.rsapps.net ([172.30.191.6])
	by backend30.mail.ord1d.rsapps.net with LMTP
	id aJTTINhlR2FzHgAAIUCqbw
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	for <patchwork@openvpn.net>; Sun, 19 Sep 2021 12:31:20 -0400
Received: from proxy11.mail.ord1d.rsapps.net ([172.30.191.6])
	by director7.mail.ord1d.rsapps.net with LMTP
	id cAu5INhlR2E0ZQAAovjBpQ
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	for <patchwork@openvpn.net>; Sun, 19 Sep 2021 12:31:20 -0400
Received: from smtp29.gate.ord1d ([172.30.191.6])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	by proxy11.mail.ord1d.rsapps.net with LMTPS
	id kCbpD8hlR2F4NgAAgKDEHA
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	for <patchwork@openvpn.net>; Sun, 19 Sep 2021 12:31:04 -0400
X-Spam-Threshold: 95
X-Spam-Score: 0
X-Spam-Flag: NO
X-Virus-Scanned: OK
X-Orig-To: openvpnslackdevel@openvpn.net
X-Originating-Ip: [216.105.38.7]
Authentication-Results: smtp29.gate.ord1d.rsapps.net;
 iprev=pass policy.iprev="216.105.38.7";
 spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net"
 smtp.helo="lists.sourceforge.net";
 dkim=fail (signature verification failed) header.d=sourceforge.net;
 dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil;
 dis=none) header.from=rfc2549.org
X-Suspicious-Flag: YES
X-Classification-ID: 0506db3c-1967-11ec-ad97-525400f257a9-1-1
Received: from [216.105.38.7] ([216.105.38.7:50826]
 helo=lists.sourceforge.net)
	by smtp29.gate.ord1d.rsapps.net (envelope-from
 <openvpn-devel-bounces@lists.sourceforge.net>)
	(ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384)
	id FA/20-02359-8D567416; Sun, 19 Sep 2021 12:31:20 -0400
Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com)
	by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.90_1)
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	id 1mRzi0-0002rJ-Hx; Sun, 19 Sep 2021 16:30:28 +0000
Received: from [172.30.20.202] (helo=mx.sourceforge.net)
 by sfs-ml-1.v29.lw.sourceforge.com with esmtps
 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.90_1)
 (envelope-from <arne@kamera.blinkt.de>) id 1mRzht-0002pD-6A
 for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 16:30:21 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References:
 In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:
 Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender:
 Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=aAZGYDP/4Q7A2Hdh1yiyLAN2ZqEw+EEJpuBmJZEq4JM=; b=GbLjNJc8lJqtoggGtrEEliiA7G
 l5qgR9J+21ux28J/Ax1QJ6Y8OzOLqZsMSoY2TQ3nVz4qZCw2rJR9bhdnNMoCaXfmupyvrlTTDoBZ1
 yTtXxVS2azyEH48QdpqdIz/06jVzmqJowz4Rz2tKfZPQo4el7o95j/N2tEx1t7+U8tS4=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
 ;
 h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id:
 Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=aAZGYDP/4Q7A2Hdh1yiyLAN2ZqEw+EEJpuBmJZEq4JM=; b=XWXUpaJ01MC1xqghL32GGZp5jt
 dIAZoWp19B6GMwoEesxPo2+Ya6qVOBiHuownUgYswixAgf70PTtHBk3lmjMM+3vvzLOw0Kpi9B8dP
 7AK6YJt0SiB/MNeozJUthj21sAqegzSbUbjak8rVQDrWOI6UXfjtRc+9vWJhYKpf7sbg=;
Received: from mail.blinkt.de ([192.26.174.232])
 by sfi-mx-1.v28.lw.sourceforge.com with esmtps
 (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3)
 id 1mRzhi-00Fy7S-EM
 for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 16:30:13 +0000
Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c])
 by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD))
 (envelope-from <arne@kamera.blinkt.de>) id 1mRzhU-0002Yd-HK
 for openvpn-devel@lists.sourceforge.net; Sun, 19 Sep 2021 18:29:56 +0200
Received: (nullmailer pid 695558 invoked by uid 10006);
 Sun, 19 Sep 2021 16:29:56 -0000
From: Arne Schwabe <arne@rfc2549.org>
To: openvpn-devel@lists.sourceforge.net
Date: Sun, 19 Sep 2021 18:29:52 +0200
Message-Id: <20210919162956.695496-4-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20210919162956.695496-1-arne@rfc2549.org>
References: <20210919162956.695496-1-arne@rfc2549.org>
MIME-Version: 1.0
X-Spam-Report: Spam detection software,
 running on the system "util-spamd-2.v13.lw.sourceforge.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: DES is very deprecated and accidently getting on the of the
 16 insecure keys that OpenSSL checks is extremely unlikely so we no longer
 use the deprecated functions without replacement in OpenSSL 3.0. [...]
 Content analysis details:   (0.3 points, 6.0 required)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 0.0 SPF_NONE               SPF: sender does not publish an SPF Record
 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level
 mail domains are different
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
X-Headers-End: 1mRzhi-00Fy7S-EM
Subject: [Openvpn-devel] [PATCH 4/8] [OSSL 3.0] Remove DES check with
 OpenSSL 3.0
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox

DES is very deprecated and accidently getting on the of the 16 insecure
keys that OpenSSL checks is extremely unlikely so we no longer use the
deprecated functions without replacement in OpenSSL 3.0.
---
 src/openvpn/crypto_openssl.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index b4c59557b..9df6da02c 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -522,6 +522,11 @@ key_des_num_cblocks(const EVP_CIPHER *kt)
 bool
 key_des_check(uint8_t *key, int key_len, int ndc)
 {
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+    /* DES is deprecated and the method to even check the keys is deprecated
+     * in OpenSSL 3.0. Instead of checking for the 16 weak/semi-weak keys
+     * we just accept them in OpenSSL 3.0 since the risk of randomly getting
+     * these is pretty weak */
     int i;
     struct buffer b;
 
@@ -554,6 +559,9 @@ key_des_check(uint8_t *key, int key_len, int ndc)
 err:
     ERR_clear_error();
     return false;
+#else
+    return true;
+#endif
 }
 
 void