From patchwork Wed May  8 18:09:45 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "ralf_lici (Code Review)" <gerrit@openvpn.net>
X-Patchwork-Id: 3706
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Received: by 2002:a05:7001:a40b:b0:577:9287:30c5 with SMTP id
 vo11csp646429mab;
        Wed, 8 May 2024 11:10:24 -0700 (PDT)
X-Forwarded-Encrypted: i=2;
 AJvYcCX95zmZKC08+tFWTfKDcIawP2C6qpFla95VnZYAIxHsl7LzDopMcW3+LWIvgOxakQ1UayBoPD90UON0hWbaHSJjZYASzww=
X-Google-Smtp-Source: 
 AGHT+IGh84dKwFCZl3ptv87ejpfHiKluWtq0XzhX0FmEjNmzTxH3C5/o/gx+lktqTETP/Q6s8rQi
X-Received: by 2002:a05:6e02:1cac:b0:36c:3856:4386 with SMTP id
 e9e14a558f8ab-36caed73f1emr38264135ab.3.1715191824074;
        Wed, 08 May 2024 11:10:24 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1715191824; cv=none;
        d=google.com; s=arc-20160816;
        b=wMiiHURvxxJTNdNIxwQzQcfMii92K/guShm2NDHJcKg0FkJcRmTAOqBQiuGV40H3Ty
         YWoqSejjD3zlEU8jc9wTxUAlqWShYf0BzT7gXhmE21P12MxSwj7jLFPGS8wMG+zyig+Y
         VEwsVsALDdaoZUq8o3UOc06hN2NCqqT8Y7YQVvgMfTut2q3+sw5r2AtFpCNiy0JZice4
         M1kLE23M3ylLL8uKoXjP4rV+EI6BabGIyMqT56RxoqGvgAWvSM9SqK2ouQCeSig0huwW
         v0XkFzSfl+ZfCKsQw3yNs8/ktBJnaB/wsjHVnWWOAx0efisZ7yTnM9OF4IU0G5j+wiRr
         Ms4A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=errors-to:cc:reply-to:list-subscribe:list-help:list-post
         :list-archive:list-unsubscribe:list-id:precedence:subject:user-agent
         :mime-version:message-id:references:auto-submitted:to:date:from
         :dkim-signature:dkim-signature:dkim-signature;
        bh=XXvuCYojGLWGmzcSt80U/ct6uQnuXuMMCgi9KytjLkI=;
        fh=lm0MLPW7DntlrDqRECIiC9JlE1uPxhepE0URYHIf+eE=;
        b=GzOjcfAYsKdst4feLnCvixlhW9wvJwoocis07d7Y/RCuA8W1toQ9w/P5HQEG6F16Bz
         j60is+r8kJMbYUrJ8h9IBINbfVXdFKDLzDp+MW5r8JZYcOKCBuZHz9KGmN11VS7eEn5v
         ndL/Jlv++ZSTIZ5R/wWBO5B1BM0Bxnlo5q1TsE2X0YJo4fAn1yqPUVNNspi3vTwQ2sf4
         /pwtiZAUoLZt9PMzWEUbDZ31i3PR7Eg/z5/SYjPL9JAgAWZvNLVgmiSYCg474PM8Wxmp
         s8r7c4TyDKJ788M9EfDfeTKrGugvXZyG3rNmjL+kA1395DbqRpVUEmvZCZMhbCxHC9Iz
         cmHQ==;
        dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=lOnC9yyw;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=EDL6Dv2i;
       dkim=neutral (body hash did not verify) header.i=@openvpn.net
 header.s=google header.b=FhOe39iy;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net
Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7])
        by mx.google.com with ESMTPS id
 q11-20020a656a8b000000b005dccf9b1656si13448667pgu.414.2024.05.08.11.10.23
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 08 May 2024 11:10:24 -0700 (PDT)
Received-SPF: pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) client-ip=216.105.38.7;
Authentication-Results: mx.google.com;
       dkim=neutral (body hash did not verify) header.i=@sourceforge.net
 header.s=x header.b=lOnC9yyw;
       dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x
 header.b=EDL6Dv2i;
       dkim=neutral (body hash did not verify) header.i=@openvpn.net
 header.s=google header.b=FhOe39iy;
       spf=pass (google.com: domain of
 openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as
 permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net
Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com)
	by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.95)
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	id 1s4lju-0007mS-HR;
	Wed, 08 May 2024 18:10:03 +0000
Received: from [172.30.20.202] (helo=mx.sourceforge.net)
 by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95)
 (envelope-from <gerrit@openvpn.net>) id 1s4ljs-0007ln-Ee
 for openvpn-devel@lists.sourceforge.net;
 Wed, 08 May 2024 18:10:01 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=sourceforge.net; s=x; h=Content-Type:Content-Transfer-Encoding:MIME-Version
 :Message-ID:Reply-To:References:Subject:List-Unsubscribe:List-Id:Cc:To:Date:
 From:Sender:Content-ID:Content-Description:Resent-Date:Resent-From:
 Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=tinT3z/C6HzT/orFJHgl3G44e9dAI9EdEiyU0ieqsTo=; b=lOnC9yywgOVp6w/qyK1u1l5mnS
 D3fY7mPXJBTqfOJ9lyrS2eVSBgbN2m0mOUwK/7oziyf/Xlgs8LFiePkBmnoKIy4xUdzcBwnMhNeXT
 qp8krxPg/RCe6AJM/y1XI3+3B0FrOKD4ZmGSzXqvMa08wbdYvJQVCP7xJgdlAuObt5UU=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
 ;
 h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:Reply-To:
 References:Subject:List-Unsubscribe:List-Id:Cc:To:Date:From:Sender:Content-ID
 :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:
 Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help:List-Subscribe:List-Post:
 List-Owner:List-Archive; bh=tinT3z/C6HzT/orFJHgl3G44e9dAI9EdEiyU0ieqsTo=; b=E
 DL6Dv2iYIdxeKBm5NKooGx4QfbwKO0WHUTl7tlHGZDwriqNGXn+cb76egnzs5DD11C9JJKnHgYybN
 CLNSd6CrLjF2JTGgieCi7iQ+uE4CzKkB7uq83lVKQ1M0LVp7DQhL9i7HiIo9St4V1XztTfWIADGdz
 pL/pKaRJAZWMIOIM=;
Received: from mail-lj1-f170.google.com ([209.85.208.170])
 by sfi-mx-2.v28.lw.sourceforge.com with esmtps
 (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.95)
 id 1s4ljt-00036P-95 for openvpn-devel@lists.sourceforge.net;
 Wed, 08 May 2024 18:10:01 +0000
Received: by mail-lj1-f170.google.com with SMTP id
 38308e7fff4ca-2e34e85ebf4so478841fa.2
 for <openvpn-devel@lists.sourceforge.net>;
 Wed, 08 May 2024 11:10:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=openvpn.net; s=google; t=1715191788; x=1715796588;
 darn=lists.sourceforge.net;
 h=user-agent:content-disposition:content-transfer-encoding
 :mime-version:message-id:reply-to:references:subject
 :list-unsubscribe:list-id:auto-submitted:cc:to:date:from:from:to:cc
 :subject:date:message-id:reply-to;
 bh=tinT3z/C6HzT/orFJHgl3G44e9dAI9EdEiyU0ieqsTo=;
 b=FhOe39iy130VGx+Y59i06lo8RQrUJw8GV/ayGZIs8jjRJjxk+vATmc6DstdBEelBPz
 Hb3LZEjhydihlamPOvXBTIVk6Og2yy8mF6+gOZrKY9HlZPRiMQHaPRT0xtmlhAsrxlVH
 4vuOjiqGwLzU785L1H/UwR59vcmjv4Uljg9JFThLZkCJc9II+so4uZFkqA0KUxnf6qPK
 mr7OOu53qV0AcfgkTRCjSBZbLCYDAMAqzr2BtYZFdGHB0rKIGqTCgVDNL7jqePE6N0/Y
 Qs2ofMRM7ulpDQBA3POVXLZiy5ktzsVaLNKnXUUrU4Blrbl2+EHKxVd4/vljV59vUwZM
 j/mA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1715191788; x=1715796588;
 h=user-agent:content-disposition:content-transfer-encoding
 :mime-version:message-id:reply-to:references:subject
 :list-unsubscribe:list-id:auto-submitted:cc:to:date:from
 :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
 bh=tinT3z/C6HzT/orFJHgl3G44e9dAI9EdEiyU0ieqsTo=;
 b=ax+XHFIgvv43PjwLrNpZu3mp4ThK3ejOtBPkpZv6nq28uDZPze/5r5jhwLA7/OWvWv
 oildcs8F8HMlqTMLun/m+1VHyhj4hZWORgjeazhLIoEx43h3YNBN5RvvTf+MUOKXdPLq
 Fvj6/7gQLAB7leX18A/iItthgEp22vuojHm+SKH67qSLrEUOsRBX+N70Fy5823bWHJb4
 NO+0LDssTTfgR+wyTo1SHxF+OjmBThaiycXFjWLt8ZsdB0qK2ID4+KCzgJhx+HP1mzk2
 xA3ymxGjXK3I1ka5W/KIjm4Zc1VX47BIK9mwCRdfam4MnFCUV2f1mM8Msdw2a6yigwFf
 ldMQ==
X-Gm-Message-State: AOJu0Yx9JOq9a77OJQu9bB1pRhkNhzo30I1gmaTURw4phG4IhkHwZ+Zr
 Ox61My5oKULNkYqTTfOIfHowiUsI/jqHv7X42Yi3LM9OcfnRqmHNYdTLQQoqaGzLckbiq4l7WrI
 I
X-Received: by 2002:a2e:9e8f:0:b0:2de:a65:979c with SMTP id
 38308e7fff4ca-2e446d83cfamr22072201fa.8.1715191786142;
 Wed, 08 May 2024 11:09:46 -0700 (PDT)
Received: from gerrit.openvpn.in
 (ec2-18-159-0-78.eu-central-1.compute.amazonaws.com. [18.159.0.78])
 by smtp.gmail.com with ESMTPSA id
 e14-20020adfe38e000000b0034eba48cd17sm11128900wrm.117.2024.05.08.11.09.45
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Wed, 08 May 2024 11:09:45 -0700 (PDT)
From: "plaisthos (Code Review)" <gerrit@openvpn.net>
X-Google-Original-From: "plaisthos (Code Review)" <gerrit@gerrit.openvpn.in>
X-Gerrit-PatchSet: 1
Date: Wed, 8 May 2024 18:09:45 +0000
To: flichtenheld <frank@lichtenheld.com>
Auto-Submitted: auto-generated
X-Gerrit-MessageType: newchange
X-Gerrit-Change-Id: Ia08a9697d0ff41721fb0acf17ccb4cfa23cb3934
X-Gerrit-Change-Number: 586
X-Gerrit-Project: openvpn
X-Gerrit-ChangeURL: <http://gerrit.openvpn.net/c/openvpn/+/586?usp=email>
X-Gerrit-Commit: 405a5d36f13d87666dd5f4fe9f4a4903c6a16538
References: 
 <gerrit.1715191782000.Ia08a9697d0ff41721fb0acf17ccb4cfa23cb3934@gerrit.openvpn.net>
Message-ID: <8d0a0a251e08739204f66849157127fec88eb0cc-HTML@gerrit.openvpn.net>
MIME-Version: 1.0
User-Agent: Gerrit/3.8.2
X-Spam-Score: -0.2 (/)
X-Spam-Report: Spam detection software,
 running on the system "util-spamd-1.v13.lw.sourceforge.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview:  Attention is currently required from: flichtenheld. Hello
 flichtenheld, I'd like you to do a code review. Please visit
 Content analysis details:   (-0.2 points, 6.0 required)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
 blocked.  See
 http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
 for more information. [URIs: openvpn.net]
 -0.0 RCVD_IN_DNSWL_NONE     RBL: Sender listed at https://www.dnswl.org/,
 no trust [209.85.208.170 listed in list.dnswl.org]
 -0.0 RCVD_IN_MSPIKE_H2      RBL: Average reputation (+2)
 [209.85.208.170 listed in wl.mailspike.net]
 -0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
 0.0 WEIRD_PORT             URI: Uses non-standard port number for HTTP
 0.0 HTML_MESSAGE           BODY: HTML included in message
 -0.1 DKIM_VALID_EF          Message has a valid DKIM or DK signature from
 envelope-from domain
 -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
 0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
 not necessarily
 valid
 -0.1 DKIM_VALID_AU          Message has a valid DKIM or DK signature from
 author's domain
 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted
 Colors in HTML
X-Headers-End: 1s4ljt-00036P-95
Subject: [Openvpn-devel] [S] Change in openvpn[master]: Workaround issue in
 LibreSSL crashing when enumerating digests/ciphers
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Reply-To: arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net,
 frank@lichtenheld.com
Cc: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox
X-GMAIL-THRID: =?utf-8?q?1798508981993440414?=
X-GMAIL-MSGID: =?utf-8?q?1798508981993440414?=
X-getmail-filter-classifier: gerrit message type newchange

Attention is currently required from: flichtenheld.

Hello flichtenheld,

I'd like you to do a code review.
Please visit

    http://gerrit.openvpn.net/c/openvpn/+/586?usp=email

to review the following change.


Change subject: Workaround issue in LibreSSL crashing when enumerating digests/ciphers
......................................................................

Workaround issue in LibreSSL crashing when enumerating digests/ciphers

OpenBSD/LibreSSL reimplemented EVP_get_cipherbyname/EVP_get_digestbyname
and broke calling EVP_get_cipherbynid/EVP_get_digestbyname with an
invalid nid in the process so that it would segfault.

Workaround but doing that NULL check in OpenVPN instead of leaving it
to the library.

Change-Id: Ia08a9697d0ff41721fb0acf17ccb4cfa23cb3934
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
---
M src/openvpn/crypto_openssl.c
1 file changed, 25 insertions(+), 1 deletion(-)



  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/86/586/1

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 61c6518..1649ab7 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -387,7 +387,19 @@
 #else
     for (int nid = 0; nid < 10000; ++nid)
     {
+#if defined(LIBRESSL_VERSION_NUMBER)
+        /* OpenBSD/LibreSSL reimplemented EVP_get_cipherbyname and broke
+         * calling EVP_get_cipherbynid with an invalid nid in the process
+         * so that it would segfault. */
+        const EVP_CIPHER *cipher = NULL;
+        const char *name = OBJ_nid2sn(nid);
+        if (name)
+        {
+            cipher = EVP_get_cipherbyname(name);
+        }
+#else  /* if defined(LIBRESSL_VERSION_NUMBER) */
         const EVP_CIPHER *cipher = EVP_get_cipherbynid(nid);
+#endif
         /* We cast the const away so we can keep the function prototype
          * compatible with EVP_CIPHER_do_all_provided */
         collect_ciphers((EVP_CIPHER *) cipher, &cipher_list);
@@ -441,7 +453,19 @@
 #else
     for (int nid = 0; nid < 10000; ++nid)
     {
+        /* OpenBSD/LibreSSL reimplemented EVP_get_digestbyname and broke
+         * calling EVP_get_digestbynid with an invalid nid in the process
+         * so that it would segfault. */
+#ifdef LIBRESSL_VERSION_NUMBER
+        const EVP_MD *digest = NULL;
+        const char *name = OBJ_nid2sn(nid);
+        if (name)
+        {
+            digest = EVP_get_digestbyname(name);
+        }
+#else  /* ifdef LIBRESSL_VERSION_NUMBER */
         const EVP_MD *digest = EVP_get_digestbynid(nid);
+#endif
         if (digest)
         {
             /* We cast the const away so we can keep the function prototype
@@ -449,7 +473,7 @@
             print_digest((EVP_MD *)digest, NULL);
         }
     }
-#endif
+#endif /* if OPENSSL_VERSION_NUMBER >= 0x30000000L */
     printf("\n");
 }