From patchwork Tue Nov 9 03:48:11 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2066 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director13.mail.ord1d.rsapps.net ([172.27.255.58]) by backend30.mail.ord1d.rsapps.net with LMTP id MDHJEXWKimHnGwAAIUCqbw (envelope-from ) for ; Tue, 09 Nov 2021 09:49:25 -0500 Received: from proxy12.mail.iad3a.rsapps.net ([172.27.255.58]) by director13.mail.ord1d.rsapps.net with LMTP id gJ2ZEXWKimFANAAA91zNiA (envelope-from ) for ; Tue, 09 Nov 2021 09:49:25 -0500 Received: from smtp9.gate.iad3a ([172.27.255.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy12.mail.iad3a.rsapps.net with LMTPS id gOj1CnWKimEvWAAAh9K5Vw (envelope-from ) for ; Tue, 09 Nov 2021 09:49:25 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp9.gate.iad3a.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 3a7c405e-416c-11ec-a99b-52540097fc8c-1-1 Received: from [216.105.38.7] ([216.105.38.7:46174] helo=lists.sourceforge.net) by smtp9.gate.iad3a.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 61/FD-00864-47A8A816; Tue, 09 Nov 2021 09:49:24 -0500 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1mkSQN-000768-5C; Tue, 09 Nov 2021 14:48:35 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1mkSQG-00075f-2h for openvpn-devel@lists.sourceforge.net; Tue, 09 Nov 2021 14:48:28 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=1/WkBBbf65MHiNapyu5KktrG1HYz92YIr6CEwpqRhBw=; b=LyjqhKZPAUo5z4CDo21nnVTMc7 YDYdpTUl6Zf64MBxNG69oAI4yCgrviv6HY5ePJwskVIWK14psz04Fk9soH0DNwuwqmL88d4dxfik3 yZTI6G1Tk1RdH3686fYcm4hhyQ+lOpSMTyEa0mgJAqLqqT4fmGcWTEfzYpmPBiC18FMk=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=1/WkBBbf65MHiNapyu5KktrG1HYz92YIr6CEwpqRhBw=; b=DYkuPDhrSGb56mmbw+TAYOJ15+ gQWycMKyc4VmJY+034m2fTkxTiwDlvX6+aV5cWakaZ/zgsxocs8Lg4LwvgRE4jUT5Sk9BHX2Vo/ae Sq5qcELZui3JTCpjmQS+P0gxAKMCEn5aGixPkJVCy3H0xl3WYmnfQ+zzHLYqwOPBMeHY=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92.3) id 1mkSQF-0005Qf-4m for openvpn-devel@lists.sourceforge.net; Tue, 09 Nov 2021 14:48:28 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.94.2 (FreeBSD)) (envelope-from ) id 1mkSPz-000K95-AA for openvpn-devel@lists.sourceforge.net; Tue, 09 Nov 2021 15:48:11 +0100 Received: (nullmailer pid 3426976 invoked by uid 10006); Tue, 09 Nov 2021 14:48:11 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Tue, 9 Nov 2021 15:48:11 +0100 Message-Id: <20211109144811.3426928-1-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20210520151148.2565578-7-arne@rfc2549.org> References: <20210520151148.2565578-7-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: With OpenSSL 3.0 the use of nid values is deprecated and new algorithms do not even have NID values anymore. This also works nicely with providers now: openvpn --provider legacy:default --show-ciphers Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different X-Headers-End: 1mkSQF-0005Qf-4m Subject: [Openvpn-devel] [PATCH v4] [OSSL 3.0] Use TYPE_do_all_provided function for listing cipher/digest X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox With OpenSSL 3.0 the use of nid values is deprecated and new algorithms do not even have NID values anymore. This also works nicely with providers now: openvpn --provider legacy:default --show-ciphers shows more ciphers (e.g. BF-CBC) than just openvpn --show-ciphers when compiled with OpenSSL 3.0 Patch v4: Use SIZE instead size(x)/sizeof(*x) Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- src/openvpn/crypto_openssl.c | 95 +++++++++++++++++++++++------------- 1 file changed, 61 insertions(+), 34 deletions(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 24ef9e90d..ab38d6e5c 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -316,86 +316,113 @@ cipher_name_cmp(const void *a, const void *b) return strcmp(cipher_kt_name(*cipher_a), cipher_kt_name(*cipher_b)); } +struct collect_ciphers { + /* If we ever exceed this, we must be more selective */ + const EVP_CIPHER *list[1000]; + size_t num; +}; + +static void collect_ciphers(EVP_CIPHER *cipher, void *list) +{ + struct collect_ciphers* cipher_list = list; + if (cipher_list->num == SIZE(cipher_list->list)) + { + msg(M_WARN, "WARNING: Too many ciphers, not showing all"); + return; + } + + if (cipher && (cipher_kt_mode_cbc(cipher) +#ifdef ENABLE_OFB_CFB_MODE + || cipher_kt_mode_ofb_cfb(cipher) +#endif + || cipher_kt_mode_aead(cipher) + )) + { + cipher_list->list[cipher_list->num++] = cipher; + } +} + void show_available_ciphers(void) { - int nid; - size_t i; + struct collect_ciphers cipher_list = { 0 }; - /* If we ever exceed this, we must be more selective */ - const EVP_CIPHER *cipher_list[1000]; - size_t num_ciphers = 0; #ifndef ENABLE_SMALL printf("The following ciphers and cipher modes are available for use\n" "with " PACKAGE_NAME ". Each cipher shown below may be used as a\n" "parameter to the --data-ciphers (or --cipher) option. In static \n" - "key mode only CBC mode is allowed.\n\n"); + "key mode only CBC mode is allowed.\n"); + printf("See also openssl list -cipher-algorithms\n\n"); #endif - for (nid = 0; nid < 10000; ++nid) +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_CIPHER_do_all_provided(NULL, collect_ciphers, &cipher_list); +#else + for (int nid = 0; nid < 10000; ++nid) { const EVP_CIPHER *cipher = EVP_get_cipherbynid(nid); - if (cipher && (cipher_kt_mode_cbc(cipher) -#ifdef ENABLE_OFB_CFB_MODE - || cipher_kt_mode_ofb_cfb(cipher) -#endif - || cipher_kt_mode_aead(cipher) - )) - { - cipher_list[num_ciphers++] = cipher; - } - if (num_ciphers == (sizeof(cipher_list)/sizeof(*cipher_list))) - { - msg(M_WARN, "WARNING: Too many ciphers, not showing all"); - break; - } + /* We cast the const away so we can keep the function prototype + * compatible with EVP_CIPHER_do_all_provided */ + collect_ciphers((EVP_CIPHER *)cipher, &cipher_list); } +#endif /* cast to non-const to prevent warning */ - qsort((EVP_CIPHER *)cipher_list, num_ciphers, sizeof(*cipher_list), cipher_name_cmp); + qsort((EVP_CIPHER *)cipher_list.list, cipher_list.num, sizeof(*cipher_list.list), cipher_name_cmp); - for (i = 0; i < num_ciphers; i++) + for (size_t i = 0; i < cipher_list.num; i++) { - if (!cipher_kt_insecure(cipher_list[i])) + if (!cipher_kt_insecure(cipher_list.list[i])) { - print_cipher(cipher_list[i]); + print_cipher(cipher_list.list[i]); } } printf("\nThe following ciphers have a block size of less than 128 bits, \n" "and are therefore deprecated. Do not use unless you have to.\n\n"); - for (i = 0; i < num_ciphers; i++) + for (int i = 0; i < cipher_list.num; i++) { - if (cipher_kt_insecure(cipher_list[i])) + if (cipher_kt_insecure(cipher_list.list[i])) { - print_cipher(cipher_list[i]); + print_cipher(cipher_list.list[i]); } } printf("\n"); } void -show_available_digests(void) +print_digest(EVP_MD* digest, void* unused) { - int nid; + printf("%s %d bit digest size\n", EVP_MD_get0_name(digest), + EVP_MD_size(digest) * 8); +} +void +show_available_digests(void) +{ #ifndef ENABLE_SMALL printf("The following message digests are available for use with\n" PACKAGE_NAME ". A message digest is used in conjunction with\n" "the HMAC function, to authenticate received packets.\n" "You can specify a message digest as parameter to\n" - "the --auth option.\n\n"); + "the --auth option.\n"); + printf("See also openssl list -digest-algorithms\n\n"); #endif - for (nid = 0; nid < 10000; ++nid) +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_MD_do_all_provided(NULL, print_digest, NULL); +#else + for (int nid = 0; nid < 10000; ++nid) { const EVP_MD *digest = EVP_get_digestbynid(nid); if (digest) { - printf("%s %d bit digest size\n", - OBJ_nid2sn(nid), EVP_MD_size(digest) * 8); + /* We cast the const away so we can keep the function prototype + * compatible with EVP_MD_do_all_provided */ + print_digest((EVP_MD *)digest, NULL); } } +#endif printf("\n"); }