From patchwork Tue Feb 15 01:31:57 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonio Quartulli X-Patchwork-Id: 2290 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director15.mail.ord1d.rsapps.net ([172.31.255.6]) by backend41.mail.ord1d.rsapps.net with LMTP id UAJLJmGdC2JfXAAAqwncew (envelope-from ) for ; Tue, 15 Feb 2022 07:32:33 -0500 Received: from proxy15.mail.iad3b.rsapps.net ([172.31.255.6]) by director15.mail.ord1d.rsapps.net with LMTP id MACFNmGdC2J9PQAAIcMcQg (envelope-from ) for ; Tue, 15 Feb 2022 07:32:33 -0500 Received: from smtp25.gate.iad3b ([172.31.255.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy15.mail.iad3b.rsapps.net with LMTPS id sLabL2GdC2K/YwAAhyf7VQ (envelope-from ) for ; Tue, 15 Feb 2022 07:32:33 -0500 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp25.gate.iad3b.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=unstable.cc X-Suspicious-Flag: YES X-Classification-ID: 58f65772-8e5b-11ec-be4f-52540030a522-1-1 Received: from [216.105.38.7] ([216.105.38.7:34154] helo=lists.sourceforge.net) by smtp25.gate.iad3b.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 36/4B-17465-16D9B026; Tue, 15 Feb 2022 07:32:33 -0500 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.94.2) (envelope-from ) id 1nJwzm-00080D-8o; Tue, 15 Feb 2022 12:31:48 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1nJwzk-0007zn-58 for openvpn-devel@lists.sourceforge.net; Tue, 15 Feb 2022 12:31:46 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=GAVmiWjEon+QsBItrRw0njWNeCjpcotObBiqQV4oUq0=; b=P3M+7BJn075HTregr/Nt0tqpOq Mkj+7xt4euNsGzCXthLr3H8wOoXABOgaYJUMCxnLoi7gLadJ+7g0/kzXRE6olDdH4fBFT2ui1DKE9 8O3MlQ41q+aH4oe5rmmG/6afi8/A+i+x5/vMtD5CnoV8ikEvotivhv8y8KgBUTsCTwDI=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:Cc:To:From :Sender:Reply-To:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=GAVmiWjEon+QsBItrRw0njWNeCjpcotObBiqQV4oUq0=; b=c wP7ecz53TUsXCIP4ngKiV/cEhyfPc/u2jsXX2RZYJp/uT3x6GuRLS2FlyJRGQXxdLmwWQplF1jEXu oWlGpEOHatOhPgbn0A8knzqg0CA/oGqW9TXseKF42AVtTfUsHDEThQv8fiab+TKAF9N7srToP6Jd3 cMSomPzaMFAFCB2I=; Received: from s2.neomailbox.net ([5.148.176.60]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2) id 1nJwzh-00034v-FK for openvpn-devel@lists.sourceforge.net; Tue, 15 Feb 2022 12:31:46 +0000 From: Antonio Quartulli To: openvpn-devel@lists.sourceforge.net Date: Tue, 15 Feb 2022 13:31:57 +0100 Message-Id: <20220215123157.10615-1-a@unstable.cc> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: With b39725cf ("Remove md_kt_t and change crypto API to use const char*") the logic for validating ciphers and md algorithms has been changed. We should now *always* use md_valid() when validating a digest alg. Content analysis details: (-0.0 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record -0.0 SPF_PASS SPF: sender matches SPF record -0.0 T_SCC_BODY_TEXT_LINE No description available. X-Headers-End: 1nJwzh-00034v-FK Subject: [Openvpn-devel] [PATCH v2] auth_token/tls_crypt: fix usage of md_valid() X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Antonio Quartulli Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox With b39725cf ("Remove md_kt_t and change crypto API to use const char*") the logic for validating ciphers and md algorithms has been changed. We should now *always* use md_valid() when validating a digest alg. At the same time, add '!' (negation) when validating the digest algorithm in the tls-crypt code, in order to restore the proper logic. Cc: Arne Schwabe Fixes: b39725cf ("Remove md_kt_t and change crypto API to use const char*") Reported-by: Richard T Bonhomme Signed-off-by: Antonio Quartulli Acked-By: Arne Schwabe --- Changes from v1: * fixed doc for md_valid() src/openvpn/auth_token.c | 2 +- src/openvpn/crypto_backend.h | 3 +-- src/openvpn/tls_crypt.c | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c index ceae68f6..10c9dde6 100644 --- a/src/openvpn/auth_token.c +++ b/src/openvpn/auth_token.c @@ -38,7 +38,7 @@ auth_token_kt(void) kt.cipher = "none"; kt.digest = "SHA256"; - if (!kt.digest) + if (!md_valid(kt.digest)) { msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); return (struct key_type) { 0 }; diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index abf1b876..6d89b9e5 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -520,8 +520,7 @@ static inline bool md_defined(const char* mdname) * * @param digest Name of the digest to verify, e.g. \c MD5). * - * @return A statically allocated structure containing parameters - * for the given message digest. + * @return Whether a digest of the given name is available */ bool md_valid(const char *digest); diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c index 610168b0..aae2a917 100644 --- a/src/openvpn/tls_crypt.c +++ b/src/openvpn/tls_crypt.c @@ -59,7 +59,7 @@ tls_crypt_kt(void) msg(M_WARN, "ERROR: --tls-crypt requires AES-256-CTR support."); return (struct key_type) { 0 }; } - if (cipher_valid(kt.digest)) + if (!md_valid(kt.digest)) { msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); return (struct key_type) { 0 };