From: "plaisthos (Code Review)"
Date: Wed, 8 May 2024 18:09:45 +0000
To: flichtenheld
Cc: openvpn-devel
Reply-To: arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com
Subject: [Openvpn-devel] [S] Change in openvpn[master]: Workaround issue in LibreSSL crashing when enumerating digests/ciphers
X-Gerrit-PatchSet: 1
X-Gerrit-Change-Number: 586
X-Gerrit-Project: openvpn
X-Gerrit-Commit: 405a5d36f13d87666dd5f4fe9f4a4903c6a16538

Attention is currently required from: flichtenheld.

Hello flichtenheld,

I'd like you to do a code review.
Please visit

    http://gerrit.openvpn.net/c/openvpn/+/586?usp=email

to review the following change.

Change subject: Workaround issue in LibreSSL crashing when enumerating digests/ciphers
......................................................................

Workaround issue in LibreSSL crashing when enumerating digests/ciphers OpenBSD/LibreSSL reimplemented EVP_get_cipherbyname/EVP_get_digestbyname and broke calling EVP_get_cipherbynid/EVP_get_digestbyname with an invalid nid in the process so that it would segfault. Workaround but doing that NULL check in OpenVPN instead of leaving it to the library. Change-Id: Ia08a9697d0ff41721fb0acf17ccb4cfa23cb3934 Signed-off-by: Arne Schwabe --- M src/openvpn/crypto_openssl.c 1 file changed, 25 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/86/586/1 diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 61c6518..1649ab7 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -387,7 +387,19 @@ #else for (int nid = 0; nid < 10000; ++nid) { +#if defined(LIBRESSL_VERSION_NUMBER) + /* OpenBSD/LibreSSL reimplemented EVP_get_cipherbyname and broke + * calling EVP_get_cipherbynid with an invalid nid in the process + * so that it would segfault. */ + const EVP_CIPHER *cipher = NULL; + const char *name = OBJ_nid2sn(nid); + if (name) + { + cipher = EVP_get_cipherbyname(name); + } +#else /* if defined(LIBRESSL_VERSION_NUMBER) */ const EVP_CIPHER *cipher = EVP_get_cipherbynid(nid); +#endif /* We cast the const away so we can keep the function prototype * compatible with EVP_CIPHER_do_all_provided */ collect_ciphers((EVP_CIPHER *) cipher, &cipher_list); 
@@ -441,7 +453,19 @@ #else for (int nid = 0; nid < 10000; ++nid) { + /* OpenBSD/LibreSSL reimplemented EVP_get_digestbyname and broke + * calling EVP_get_digestbynid with an invalid nid in the process + * so that it would segfault. */ +#ifdef LIBRESSL_VERSION_NUMBER + const EVP_MD *digest = NULL; + const char *name = OBJ_nid2sn(nid); + if (name) + { + digest = EVP_get_digestbyname(name); + } +#else /* ifdef LIBRESSL_VERSION_NUMBER */ const EVP_MD *digest = EVP_get_digestbynid(nid); +#endif if (digest) { /* We cast the const away so we can keep the function prototype @@ -449,7 +473,7 @@ print_digest((EVP_MD *)digest, NULL); } } -#endif +#endif /* if OPENSSL_VERSION_NUMBER >= 0x30000000L */ printf("\n"); }
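
Review bot: In the cipher hunk (@@ -387,7 +387,19 @@) the workaround is guarded by a bare `#if defined(LIBRESSL_VERSION_NUMBER)`, so it applies to every LibreSSL release, and neither the comment nor the commit message says which release introduced the crash. Please name the affected version in the comment and, if a fixed release exists or appears later, bound the guard with a comparison on LIBRESSL_VERSION_NUMBER so the `OBJ_nid2sn()` plus `EVP_get_cipherbyname()` detour can be dropped again. Note also that `cipher` stays NULL whenever `OBJ_nid2sn(nid)` returns NULL and is then passed to `collect_ciphers()` unconditionally; the digest loop has a visible `if (digest)` check, the cipher loop has none in these lines, so it is worth confirming that `collect_ciphers()` tolerates NULL.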
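
Review bot: In the digest hunk (@@ -441,7 +453,19 @@) the explanatory comment sits above `#ifdef LIBRESSL_VERSION_NUMBER`, outside the conditional, whereas the cipher hunk puts the same comment inside `#if defined(LIBRESSL_VERSION_NUMBER)`. As written, the comment reads as if it described the `EVP_get_digestbynid(nid)` call in the `#else` branch as well. Move it inside the LibreSSL branch and use one guard spelling (`#if defined(...)` or `#ifdef`) in both places so the two loops stay visibly parallel.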
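
Review bot: The last hunk (@@ -449,7 +473,7 @@) annotates a pre-existing `#endif` with `/* if OPENSSL_VERSION_NUMBER >= 0x30000000L */`, while the two `#endif` lines this patch adds for the LibreSSL conditionals are left bare. The matching `#if` is not in the hunk context, so the annotation cannot be checked from the diff. Either annotate the new `#endif` lines the same way or leave this cosmetic change out of the fix so the patch touches only the workaround.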