From patchwork Wed May 8 22:05:40 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gert Doering X-Patchwork-Id: 3708 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7001:a40b:b0:577:9287:30c5 with SMTP id vo11csp744860mab; Wed, 8 May 2024 15:06:14 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCUFh3FD1XINsjcWuNJGawv8+PQUEromKGZTsaeKQ5wRCuQG3GF/UMZ8jg+Hzoj/UT25zUYhYCxuA5BhfSz7LanNwCBU/Co= X-Google-Smtp-Source: AGHT+IFu8r1s7mp0r8df8qcuDmgsQpx2QAyY3ov6rx71JUweBqAIy0OzLQzIFbv167JkrC6ok3Zm X-Received: by 2002:a17:902:d504:b0:1e8:4063:6ded with SMTP id d9443c01a7336-1eeaff8c106mr43976915ad.1.1715205974495; Wed, 08 May 2024 15:06:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1715205974; cv=none; d=google.com; s=arc-20160816; b=veyCryiWu/A6Oq4Jkosdw/dw8uawrqDYShyL05AfMhNisvtebQFdUmJuehedSwps/Z B0ylVGuWsU7iuR3CGYMYyB9fntwJVZvPsKYdsnWjMCZYu9LwMFMgTr1nfNlFIv+Tmmwf Qyg4NTIyhtbtiNqT/I7k+Qj7Kc2bRjQ3a7JIfI1D4HBuJeZTGt0Y5nBiN63yYvBQN1PB XcOmgPpIdgAbWjUxfc90KGaRsunIPdr5zWhgyGPju06HNsxBkGl6S23XqvX8lf6eBvxs +RGIP01P1RD+O90s+Pj4363I+sVyOiFn4Tys8LaIfEhqvg7I1S623mYFIo+nAwzL8Q6N fOGQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature; bh=gUZXD3xJqA6cnP56lzJAZiEuPLGxWJgUGHRaqn6cVNA=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=koZ3pCkWPFOgM7DNHM5L7f3psBzXQlcTa7uSWKc4FX0f/JwDrDSA/jkUEUBTwioVpJ oBMN2MVmnTk8I5x1/4cAmTjdS78M1HsD5hWyC0IN8iTas5edQO87MM50TOXQ4mXMiJsd kMb3arJaE2FzbHiDAk1m9yaawlCc2TZMYEZvcvKrmY/XnCwRwwhlgH8B6AgGeUTHNpi7 b+w9XuV0/a4OeNPEsL1bLU3C0Zds/tRRnskjTH0kSY7v2cw5eS24QGOlyceqJ+e98zQR H02BdRRzOQP1cI2BIYFMGvGkirTW2YBTAy6IU4V5KplEC+p6dD1iBHZTfu3xYrMfi0jM XnEg==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=H83KppNH; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=ePVvuSC9; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id d9443c01a7336-1ef0bf329b3si715905ad.251.2024.05.08.15.06.14 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 May 2024 15:06:14 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=H83KppNH; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=ePVvuSC9; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from [127.0.0.1] (helo=sfs-ml-2.v29.lw.sourceforge.com) by sfs-ml-2.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1s4pQB-0003r3-E1; Wed, 08 May 2024 22:05:55 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-2.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1s4pQA-0003qm-G9 for openvpn-devel@lists.sourceforge.net; Wed, 08 May 2024 22:05:54 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=uEUJqjiEGadjdfayVcuRJp3AwhdfgID88CCA+Mgr/DQ=; b=H83KppNHkaTd0GfQtlMLG+WxoN OeiKqqWlO0F+HDysSb3S8/fkgnoW/Wq1BgsUuweOQNtNx0hWpm9iaztmYkQUOujw4otp5TXfqBivR 1Pb5Q4nTuswFaTnko7PFNJtW8zJnTB5BpwThmtDe4xKSCuZLAgS7WMOqqAuZ99j/XzNo=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=uEUJqjiEGadjdfayVcuRJp3AwhdfgID88CCA+Mgr/DQ=; b=ePVvuSC9GbzA4y6RizbZDcttm/ CefUcZrrvjbefS6NcB9tEgPm2Pd91gyfiHOikri6FltnVNpcEqRz9Jisy+9BIUSjFYKvP0QvRs4fj Q4wskHYKNskK8AS9qKsAm+pmSw6uzQo0FwQRKanZjRK4LewXVrXULZ23PdOTBVDR9pPQ=; Received: from dhcp-174.greenie.muc.de ([193.149.48.174] helo=blue.greenie.muc.de) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1s4pQA-0008MN-2D for openvpn-devel@lists.sourceforge.net; Wed, 08 May 2024 22:05:54 +0000 Received: from blue.greenie.muc.de (localhost [127.0.0.1]) by blue.greenie.muc.de (8.17.1.9/8.17.1.9) with ESMTP id 448M5fgu012564 for ; Thu, 9 May 2024 00:05:41 +0200 Received: (from gert@localhost) by blue.greenie.muc.de (8.17.1.9/8.17.1.9/Submit) id 448M5fla012563 for openvpn-devel@lists.sourceforge.net; Thu, 9 May 2024 00:05:41 +0200 From: Gert Doering To: openvpn-devel@lists.sourceforge.net Date: Thu, 9 May 2024 00:05:40 +0200 Message-ID: <20240508220540.12554-1-gert@greenie.muc.de> X-Mailer: git-send-email 2.43.2 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: -5.0 (-----) X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Arne Schwabe OpenBSD/LibreSSL reimplemented EVP_get_cipherbyname/EVP_get_digestbyname and broke calling EVP_get_cipherbynid/EVP_get_digestbyname with an invalid nid in the process so that it would segfault. Content analysis details: (-5.0 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: openvpn.net] -5.0 RCVD_IN_DNSWL_HI RBL: Sender listed at https://www.dnswl.org/, high trust [193.149.48.174 listed in list.dnswl.org] -0.0 SPF_HELO_PASS SPF: HELO matches SPF record -0.0 SPF_PASS SPF: sender matches SPF record X-Headers-End: 1s4pQA-0008MN-2D Subject: [Openvpn-devel] [PATCH v1] Workaround issue in LibreSSL crashing when enumerating digests/ciphers X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1798523819476023670?= X-GMAIL-MSGID: =?utf-8?q?1798523819476023670?= From: Arne Schwabe OpenBSD/LibreSSL reimplemented EVP_get_cipherbyname/EVP_get_digestbyname and broke calling EVP_get_cipherbynid/EVP_get_digestbyname with an invalid nid in the process so that it would segfault. Workaround but doing that NULL check in OpenVPN instead of leaving it to the library. Change-Id: Ia08a9697d0ff41721fb0acf17ccb4cfa23cb3934 Signed-off-by: Arne Schwabe Acked-by: Gert Doering --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/586 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 61c6518..1649ab7 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -387,7 +387,19 @@ #else for (int nid = 0; nid < 10000; ++nid) { +#if defined(LIBRESSL_VERSION_NUMBER) + /* OpenBSD/LibreSSL reimplemented EVP_get_cipherbyname and broke + * calling EVP_get_cipherbynid with an invalid nid in the process + * so that it would segfault. */ + const EVP_CIPHER *cipher = NULL; + const char *name = OBJ_nid2sn(nid); + if (name) + { + cipher = EVP_get_cipherbyname(name); + } +#else /* if defined(LIBRESSL_VERSION_NUMBER) */ const EVP_CIPHER *cipher = EVP_get_cipherbynid(nid); +#endif /* We cast the const away so we can keep the function prototype * compatible with EVP_CIPHER_do_all_provided */ collect_ciphers((EVP_CIPHER *) cipher, &cipher_list); @@ -441,7 +453,19 @@ #else for (int nid = 0; nid < 10000; ++nid) { + /* OpenBSD/LibreSSL reimplemented EVP_get_digestbyname and broke + * calling EVP_get_digestbynid with an invalid nid in the process + * so that it would segfault. */ +#ifdef LIBRESSL_VERSION_NUMBER + const EVP_MD *digest = NULL; + const char *name = OBJ_nid2sn(nid); + if (name) + { + digest = EVP_get_digestbyname(name); + } +#else /* ifdef LIBRESSL_VERSION_NUMBER */ const EVP_MD *digest = EVP_get_digestbynid(nid); +#endif if (digest) { /* We cast the const away so we can keep the function prototype @@ -449,7 +473,7 @@ print_digest((EVP_MD *)digest, NULL); } } -#endif +#endif /* if OPENSSL_VERSION_NUMBER >= 0x30000000L */ printf("\n"); }