From: David Sommerseth
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 19 Jan 2022 16:19:41 +0100
Message-Id: <20220119151941.37529-1-openvpn@sf.lists.topphemmelig.net>
X-Patchwork-Submitter: David Sommerseth
X-Patchwork-Id: 2233
Subject: [Openvpn-devel] [PATCH v2] crypto: Fix OPENSSL_FIPS enabled builds

From: David Sommerseth

On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS
module enabled by default. On these platforms, the OPENSSL_FIPS macro
is always defined via /usr/include/openssl/opensslconf-*.h.

Without this fix, the following compilation error appears:

  ./src/openvpn/crypto.c: In function ‘print_cipher’:
  ./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first use in this function); did you mean ‘iphdr’?
       if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
                                             ^~~~~~

The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided
via the openssl_compat.h for older than OpenSSL 3.0.

Signed-off-by: David Sommerseth
Signed-off-by: David Sommerseth <davids@openvpn.net>
Acked-By: Arne Schwabe --- src/openvpn/crypto.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 5626e2b6..e489d453 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -34,6 +34,7 @@ #include "error.h" #include "integer.h" #include "platform.h" +#include "openssl_compat.h" #include "memdbg.h" @@ -1704,10 +1705,13 @@ print_cipher(const char *ciphername) printf(", TLS client/server mode only"); } #ifdef OPENSSL_FIPS + evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL); + if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) { printf(", disabled by FIPS mode"); } + EVP_CIPHER_free(cipher); #endif printf(")\n");
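
Review bot: In the print_cipher() hunk, the pointer returned by EVP_CIPHER_fetch(NULL, ciphername, NULL) goes straight into EVP_CIPHER_flags(cipher) with no NULL check, and a fetch by name can fail and return NULL. When FIPS_mode() is true, the flag test then runs on whatever the fetch produced, so it would be safer to guard it, for example `if (FIPS_mode() && (!cipher || !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)))`, after deciding whether a cipher that cannot be fetched should be printed as "disabled by FIPS mode" or left unannotated. Two smaller points on the same hunk: the fetch and free are done on every call even when FIPS_mode() is false, so moving them inside a FIPS_mode() block would avoid the extra work, and the declaration of `cipher` follows statements inside the #ifdef, which is worth checking against the project's C style.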