[Openvpn-devel,v2] crypto: Fix OPENSSL_FIPS enabled builds

Message ID 20220119151941.37529-1-openvpn@sf.lists.topphemmelig.net
State Superseded
Headers show
Series [Openvpn-devel,v2] crypto: Fix OPENSSL_FIPS enabled builds | expand

Commit Message

David Sommerseth Jan. 19, 2022, 3:19 p.m. UTC
From: David Sommerseth <davids@openvpn.net>

On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS
module enabled by default.  On these platforms, the OPENSSL_FIPS macro
is always defined via /usr/include/openssl/opensslconf-*.h.

Without this fix, the following compilation error appears:

  ./src/openvpn/crypto.c: In function ‘print_cipher’:
  ./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first use in this function); did you mean ‘iphdr’?
       if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
                                           ^~~~~~

The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided
via the openssl_compat.h for older than OpenSSL 3.0.

Signed-off-by: David Sommerseth <davids@openvpn.net>
---
 src/openvpn/crypto.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Selva Nair Jan. 19, 2022, 4:34 p.m. UTC | #1
Hi,

Sorry for chiming in late:

On Wed, Jan 19, 2022 at 10:20 AM David Sommerseth <
openvpn@sf.lists.topphemmelig.net> wrote:

> From: David Sommerseth <davids@openvpn.net>
>
> On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS
> module enabled by default.  On these platforms, the OPENSSL_FIPS macro
> is always defined via /usr/include/openssl/opensslconf-*.h.
>
> Without this fix, the following compilation error appears:
>
>   ./src/openvpn/crypto.c: In function ‘print_cipher’:
>   ./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first use in
> this function); did you mean ‘iphdr’?
>        if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
>                                            ^~~~~~
>
> The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided
> via the openssl_compat.h for older than OpenSSL 3.0.
>
> Signed-off-by: David Sommerseth <davids@openvpn.net>
> ---
>  src/openvpn/crypto.c | 4 ++++
>  1 file changed, 4 insertions(+)
>
> diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
> index 5626e2b6..e489d453 100644
> --- a/src/openvpn/crypto.c
> +++ b/src/openvpn/crypto.c
> @@ -34,6 +34,7 @@
>  #include "error.h"
>  #include "integer.h"
>  #include "platform.h"
> +#include "openssl_compat.h"
>
>  #include "memdbg.h"
>
> @@ -1704,10 +1705,13 @@ print_cipher(const char *ciphername)
>          printf(", TLS client/server mode only");
>      }
>  #ifdef OPENSSL_FIPS
> +    evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);
> +
>      if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
>

We need to check that cipher is not NULL. Fetch can return NULL while
EVP_CIPHER_flags() requires a non-null argument. Something like: if (cipher
&& FIPS_mode && etc...) will do.

EVP_CIPHER_free() below can handle NULL, so no problem there.



   {
>          printf(", disabled by FIPS mode");
>      }
> +    EVP_CIPHER_free(cipher);

 #endif
>
>      printf(")\n");
>

Selva
<div dir="ltr"><div>Hi,</div><div><br></div>Sorry for chiming in late:<div><br><div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jan 19, 2022 at 10:20 AM David Sommerseth &lt;<a href="mailto:openvpn@sf.lists.topphemmelig.net">openvpn@sf.lists.topphemmelig.net</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">From: David Sommerseth &lt;<a href="mailto:davids@openvpn.net" target="_blank">davids@openvpn.net</a>&gt;<br>
<br>
On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS<br>
module enabled by default.  On these platforms, the OPENSSL_FIPS macro<br>
is always defined via /usr/include/openssl/opensslconf-*.h.<br>
<br>
Without this fix, the following compilation error appears:<br>
<br>
  ./src/openvpn/crypto.c: In function ‘print_cipher’:<br>
  ./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first use in this function); did you mean ‘iphdr’?<br>
       if (FIPS_mode() &amp;&amp; !(EVP_CIPHER_flags(cipher) &amp; EVP_CIPH_FLAG_FIPS))<br>
                                           ^~~~~~<br>
<br>
The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided<br>
via the openssl_compat.h for older than OpenSSL 3.0.<br>
<br>
Signed-off-by: David Sommerseth &lt;<a href="mailto:davids@openvpn.net" target="_blank">davids@openvpn.net</a>&gt;<br>
---<br>
 src/openvpn/crypto.c | 4 ++++<br>
 1 file changed, 4 insertions(+)<br>
<br>
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c<br>
index 5626e2b6..e489d453 100644<br>
--- a/src/openvpn/crypto.c<br>
+++ b/src/openvpn/crypto.c<br>
@@ -34,6 +34,7 @@<br>
 #include &quot;error.h&quot;<br>
 #include &quot;integer.h&quot;<br>
 #include &quot;platform.h&quot;<br>
+#include &quot;openssl_compat.h&quot;<br>
<br>
 #include &quot;memdbg.h&quot;<br>
<br>
@@ -1704,10 +1705,13 @@ print_cipher(const char *ciphername)<br>
         printf(&quot;, TLS client/server mode only&quot;);<br>
     }<br>
 #ifdef OPENSSL_FIPS<br>
+    evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);<br>
+<br>
     if (FIPS_mode() &amp;&amp; !(EVP_CIPHER_flags(cipher) &amp; EVP_CIPH_FLAG_FIPS))<br></blockquote><div><br></div><div>We need to check that cipher is not NULL. Fetch can return NULL while EVP_CIPHER_flags() requires a non-null argument. Something like: if (cipher &amp;&amp; FIPS_mode &amp;&amp; etc...) will do.</div><div><br></div><div>EVP_CIPHER_free() below can handle NULL, so no problem there.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> </blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">    {<br>
         printf(&quot;, disabled by FIPS mode&quot;);<br>
     }<br>
+    EVP_CIPHER_free(cipher); </blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
 #endif<br>
<br>
     printf(&quot;)\n&quot;);<br></blockquote><div><br></div><div>Selva</div></div></div></div></div>
Arne Schwabe Jan. 19, 2022, 4:35 p.m. UTC | #2
Am 19.01.22 um 16:19 schrieb David Sommerseth:
> From: David Sommerseth <davids@openvpn.net>
> 
> On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS
> module enabled by default.  On these platforms, the OPENSSL_FIPS macro
> is always defined via /usr/include/openssl/opensslconf-*.h.
> 
Acked-By: Arne Schwabe <arne@rfc2549.org>

Arne
David Sommerseth Jan. 19, 2022, 6:22 p.m. UTC | #3
On 19/01/2022 17:34, Selva Nair wrote:
> Hi,

> 

> Sorry for chiming in late:

> 

> On Wed, Jan 19, 2022 at 10:20 AM David Sommerseth 

> <openvpn@sf.lists.topphemmelig.net 

> <mailto:openvpn@sf.lists.topphemmelig.net>> wrote:

> 

>     From: David Sommerseth <davids@openvpn.net <mailto:davids@openvpn.net>>

> 

>     On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS

>     module enabled by default.  On these platforms, the OPENSSL_FIPS macro

>     is always defined via /usr/include/openssl/opensslconf-*.h.

> 

>     Without this fix, the following compilation error appears:

> 

>        ./src/openvpn/crypto.c: In function ‘print_cipher’:

>        ./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first

>     use in this function); did you mean ‘iphdr’?

>             if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) &

>     EVP_CIPH_FLAG_FIPS))

>                                                 ^~~~~~

> 

>     The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided

>     via the openssl_compat.h for older than OpenSSL 3.0.

> 

>     Signed-off-by: David Sommerseth <davids@openvpn.net

>     <mailto:davids@openvpn.net>>

>     ---

>       src/openvpn/crypto.c | 4 ++++

>       1 file changed, 4 insertions(+)

> 

>     diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c

>     index 5626e2b6..e489d453 100644

>     --- a/src/openvpn/crypto.c

>     +++ b/src/openvpn/crypto.c

>     @@ -34,6 +34,7 @@

>       #include "error.h"

>       #include "integer.h"

>       #include "platform.h"

>     +#include "openssl_compat.h"

> 

>       #include "memdbg.h"

> 

>     @@ -1704,10 +1705,13 @@ print_cipher(const char *ciphername)

>               printf(", TLS client/server mode only");

>           }

>       #ifdef OPENSSL_FIPS

>     +    evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);

>     +

>           if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) &

>     EVP_CIPH_FLAG_FIPS))

> 

> 

> We need to check that cipher is not NULL. Fetch can return NULL while 

> EVP_CIPHER_flags() requires a non-null argument. Something like: if 

> (cipher && FIPS_mode && etc...) will do.

> 

> EVP_CIPHER_free() below can handle NULL, so no problem there.



Thanks!  v3 is on its way.


-- 
kind regards,

David Sommerseth
OpenVPN Inc

Patch

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 5626e2b6..e489d453 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -34,6 +34,7 @@ 
 #include "error.h"
 #include "integer.h"
 #include "platform.h"
+#include "openssl_compat.h"
 
 #include "memdbg.h"
 
@@ -1704,10 +1705,13 @@  print_cipher(const char *ciphername)
         printf(", TLS client/server mode only");
     }
 #ifdef OPENSSL_FIPS
+    evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);
+
     if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
     {
         printf(", disabled by FIPS mode");
     }
+    EVP_CIPHER_free(cipher);
 #endif
 
     printf(")\n");