From patchwork Mon Oct 10 04:55:15 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2811 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director14.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id ICWeDY9ARGOeBgAAIUCqbw (envelope-from ) for ; Mon, 10 Oct 2022 11:55:59 -0400 Received: from proxy17.mail.ord1d.rsapps.net ([172.30.191.6]) by director14.mail.ord1d.rsapps.net with LMTP id IG2SDY9ARGNcIwAAeJ7fFg (envelope-from ) for ; Mon, 10 Oct 2022 11:55:59 -0400 Received: from smtp19.gate.ord1d ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy17.mail.ord1d.rsapps.net with LMTPS id CCZgDY9ARGPxPgAAWC7mWg (envelope-from ) for ; Mon, 10 Oct 2022 11:55:59 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp19.gate.ord1d.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 07b7e6dc-48b4-11ed-84b2-525400d67fa8-1-1 Received: from [216.105.38.7] ([216.105.38.7:34770] helo=lists.sourceforge.net) by smtp19.gate.ord1d.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 86/F3-18942-E8044436; Mon, 10 Oct 2022 11:55:58 -0400 Received: from [127.0.0.1] (helo=sfs-ml-4.v29.lw.sourceforge.com) by sfs-ml-4.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1ohv7w-0007tV-B3; Mon, 10 Oct 2022 15:55:36 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-4.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1ohv7t-0007tL-RI for openvpn-devel@lists.sourceforge.net; Mon, 10 Oct 2022 15:55:33 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-Id:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=KU4b9bH/NiROk/eHDLCfIsq0+kYF1Hxa7f79sbmMHSU=; b=SeO20DzexXQdVYixFfHjj5xAhF yIRTPnYtPNEA2UB8cXDathcLk96epc+RUZYpNLlVCo30Pw/B+KxUKl2vTWr9gd6KuXnewIHO0Nh7J duu9gx3cbAm/WbqFNiNSLW/SRMdi57/QlKkq50t86+eVyHYgJX83NRjSIevKHMf34mM4=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=KU4b9bH/NiROk/eHDLCfIsq0+kYF1Hxa7f79sbmMHSU=; b=ZL1XVdsuNtgsTqOHCxoDh1mx0w XdUbZBAVM67NfJhnxEJ4C55yRHX23updZIHKYjWE7QFThT4YaDBlYMs4jW1DErFvSfVLxYtz1aGR0 7AsVKnBo/0nFiYN+PxrpyHdS585PFNNpSLNHDUSZj6ck/6iU+T8wpecjHmsdZKcHl0aE=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-1.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1ohv7o-0018wc-Ln for openvpn-devel@lists.sourceforge.net; Mon, 10 Oct 2022 15:55:33 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD)) (envelope-from ) id 1ohv7b-000Fbz-SJ for openvpn-devel@lists.sourceforge.net; Mon, 10 Oct 2022 17:55:15 +0200 Received: (nullmailer pid 1687197 invoked by uid 10006); Mon, 10 Oct 2022 15:55:15 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Mon, 10 Oct 2022 17:55:15 +0200 Message-Id: <20221010155515.1687151-1-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20221010154116.1685877-1-arne@rfc2549.org> References: <20221010154116.1685877-1-arne@rfc2549.org> MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Make sure cipher_valid only considered these four operations as valid. This fixes that somjething like --data-ciphers AES-256-GCM:AES-128-CCM will start but later fail when trying to use the CCM ciphe [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different X-Headers-End: 1ohv7o-0018wc-Ln Subject: [Openvpn-devel] [PATCH v2] Ensure only CBC, CFB, OFB and AEAD ciphers are considered valid data ciphers X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Make sure cipher_valid only considered these four operations as valid. This fixes that somjething like --data-ciphers AES-256-GCM:AES-128-CCM will start but later fail when trying to use the CCM cipher. We say "a supported AEAD" mode in our error since CCM is also an AEAD mode but one we support like GCM. Patch v2: add the indication if the cipher was optional into the message Signed-off-by: Arne Schwabe Acked-by: Frank Lichtenheld --- src/openvpn/ssl_ncp.c | 10 +++++++++- tests/unit_tests/openvpn/test_ncp.c | 6 ++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index 013021d6d..16f5ad549 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c @@ -121,6 +121,7 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc) } const bool nonecipher = (strcmp(token, "none") == 0); + const char *optstr = optional ? "optional " : ""; if (nonecipher) { @@ -132,10 +133,17 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc) } if (!nonecipher && !cipher_valid(token)) { - const char *optstr = optional ? "optional " : ""; msg(M_WARN, "Unsupported %scipher in --data-ciphers: %s", optstr, token); error_found = error_found || !optional; } + else if (!nonecipher && !cipher_kt_mode_aead(token) + && !cipher_kt_mode_cbc(token) + && !cipher_kt_mode_ofb_cfb(token)) + { + msg(M_WARN, "Unsupported %scipher algorithm '%s'. It does not use " + "CFB, OFB, CBC, or a supported AEAD mode", optstr, token); + error_found = error_found || !optional; + } else { const char *ovpn_cipher_name = cipher_kt_name(token); diff --git a/tests/unit_tests/openvpn/test_ncp.c b/tests/unit_tests/openvpn/test_ncp.c index 2595d8c4e..bb9a28244 100644 --- a/tests/unit_tests/openvpn/test_ncp.c +++ b/tests/unit_tests/openvpn/test_ncp.c @@ -98,6 +98,12 @@ test_check_ncp_ciphers_list(void **state) /* If the last is optional, previous invalid ciphers should be ignored */ assert_ptr_equal(mutate_ncp_cipher_list("Vollbit:Littlebit:AES-256-CBC:BF-CBC:?nixbit", &gc), NULL); + /* We do not support CCM ciphers */ + assert_ptr_equal(mutate_ncp_cipher_list("AES-256-GCM:AES-128-CCM", &gc), NULL); + + assert_string_equal(mutate_ncp_cipher_list("AES-256-GCM:?AES-128-CCM:AES-128-GCM", &gc), + aes_ciphers); + /* For testing that with OpenSSL 1.1.0+ that also accepts ciphers in * a different spelling the normalised cipher output is the same */ bool have_chacha_mixed_case = cipher_valid("ChaCha20-Poly1305");