From patchwork Wed Jan 19 07:21:26 2022
X-Patchwork-Submitter: David Sommerseth
X-Patchwork-Id: 2234
From: David Sommerseth
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 19 Jan 2022 19:21:26 +0100
Message-Id: <20220119182126.56880-1-openvpn@sf.lists.topphemmelig.net>
Subject: [Openvpn-devel] [PATCH v3] crypto: Fix OPENSSL_FIPS enabled builds

From: David Sommerseth

On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS
module enabled by default. On these platforms, the OPENSSL_FIPS macro is
always defined via /usr/include/openssl/opensslconf-*.h.

Without this fix, the following compilation error appears:

  ./src/openvpn/crypto.c: In function ‘print_cipher’:
  ./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first use in this function); did you mean ‘iphdr’?
      if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
                                            ^~~~~~

The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided
via the openssl_compat.h for older than OpenSSL 3.0.

Signed-off-by: David Sommerseth
Acked-by: Gert Doering
---
 src/openvpn/crypto.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 5626e2b6..eb0b1254 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -34,6 +34,7 @@ #include "error.h" #include "integer.h" #include "platform.h" +#include "openssl_compat.h" #include "memdbg.h" @@ -1704,10 +1705,15 @@ print_cipher(const char *ciphername) printf(", TLS client/server mode only"); } #ifdef OPENSSL_FIPS - if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) + evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL); + + if (FIPS_mode() + && (NULL != cipher) + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) { printf(", disabled by FIPS mode"); } + EVP_CIPHER_free(cipher); #endif printf(")\n");
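
Review bot: EVP_CIPHER_free(cipher) at the end of the #ifdef OPENSSL_FIPS block in print_cipher() runs unconditionally, so it is also reached when EVP_CIPHER_fetch() returned NULL; the (NULL != cipher) test only guards the EVP_CIPHER_flags() call. Please confirm that both the OpenSSL 3.0 function and the openssl_compat.h fallback accept a NULL argument, or move the free under the same NULL check. Two smaller points in the same block: the fetch is performed even when FIPS_mode() is false, so it could sit inside an outer if (FIPS_mode()) to skip the lookup on non-FIPS runs; and when the fetch fails the cipher line is printed with no FIPS annotation at all, which deserves a short comment stating whether that is the intended output.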