From patchwork Mon Feb 14 23:26:09 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Antonio Quartulli <a@unstable.cc>
X-Patchwork-Id: 2288
Return-Path: <openvpn-devel-bounces@lists.sourceforge.net>
Delivered-To: patchwork@openvpn.net
Delivered-To: patchwork@openvpn.net
Received: from director10.mail.ord1d.rsapps.net ([172.30.191.6])
	by backend41.mail.ord1d.rsapps.net with LMTP
	id +C/LIPV/C2KlSAAAqwncew
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	for <patchwork@openvpn.net>; Tue, 15 Feb 2022 05:27:01 -0500
Received: from proxy16.mail.ord1d.rsapps.net ([172.30.191.6])
	by director10.mail.ord1d.rsapps.net with LMTP
	id KDswIfV/C2LCZwAApN4f7A
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	for <patchwork@openvpn.net>; Tue, 15 Feb 2022 05:27:01 -0500
Received: from smtp18.gate.ord1d ([172.30.191.6])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	by proxy16.mail.ord1d.rsapps.net with LMTPS
	id mAJtIPV/C2I2FAAAetu3IA
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	for <patchwork@openvpn.net>; Tue, 15 Feb 2022 05:27:01 -0500
X-Spam-Threshold: 95
X-Spam-Score: 0
X-Spam-Flag: NO
X-Virus-Scanned: OK
X-Orig-To: openvpnslackdevel@openvpn.net
X-Originating-Ip: [216.105.38.7]
Authentication-Results: smtp18.gate.ord1d.rsapps.net;
 iprev=pass policy.iprev="216.105.38.7";
 spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net"
 smtp.helo="lists.sourceforge.net";
 dkim=fail (signature verification failed) header.d=sourceforge.net;
 dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil;
 dis=none) header.from=unstable.cc
X-Suspicious-Flag: YES
X-Classification-ID: cf7b450e-8e49-11ec-9405-5254005167a7-1-1
Received: from [216.105.38.7] ([216.105.38.7:44374]
 helo=lists.sourceforge.net)
	by smtp18.gate.ord1d.rsapps.net (envelope-from
 <openvpn-devel-bounces@lists.sourceforge.net>)
	(ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384)
	id FF/25-32138-5FF7B026; Tue, 15 Feb 2022 05:27:01 -0500
Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com)
	by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.94.2)
	(envelope-from <openvpn-devel-bounces@lists.sourceforge.net>)
	id 1nJv2A-00037D-3S; Tue, 15 Feb 2022 10:26:08 +0000
Received: from [172.30.20.202] (helo=mx.sourceforge.net)
 by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2)
 (envelope-from <a@unstable.cc>) id 1nJv28-000372-Rb
 for openvpn-devel@lists.sourceforge.net; Tue, 15 Feb 2022 10:26:07 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id:
 Date:Subject:Cc:To:From:Sender:Reply-To:Content-Type:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe:
 List-Subscribe:List-Post:List-Owner:List-Archive;
 bh=Yt7WSZAF7s9gvlSVNeP1vDmRkVhNe+1M8FsDFGMeRi4=; b=WXLyUV8AOTH+WfslJcTyf9OSy0
 VNNDOQJjlDVNMskBq7bao0UYurgqY3zMRtGCdRF1XTnixp21huMfRXb5wxVz1OTMTvB/LeR+QmylW
 egljq9FUFr03cLgkN3twseTpLYdEtZnOT8NtWXX8JwHnFQ0jFYvP1wWARia+Q29mxc2E=;
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x
 ;
 h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:Cc:To:From
 :Sender:Reply-To:Content-Type:Content-ID:Content-Description:Resent-Date:
 Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:
 References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post:
 List-Owner:List-Archive; bh=Yt7WSZAF7s9gvlSVNeP1vDmRkVhNe+1M8FsDFGMeRi4=; b=n
 LlflkXwDqN6oYbev85BOvDHUZggEGgyrK1dtiH0B1BycSYJYWADz0NRjXiVCcNHWAnWGYntymP+Wv
 1ZtSargVOAKeyoncwRHHUGD10IafWmNU9gptZwtOIL3p1xB5mOdmJ8VK/Q+eCD+uK28pAH3ZFP7vD
 ro7ycZV6gtkvcaW0=;
Received: from [5.148.176.60] (helo=s2.neomailbox.net)
 by sfi-mx-2.v28.lw.sourceforge.com with esmtps
 (TLS1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.94.2)
 id 1nJv22-0003q3-Al
 for openvpn-devel@lists.sourceforge.net; Tue, 15 Feb 2022 10:26:07 +0000
From: Antonio Quartulli <a@unstable.cc>
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 15 Feb 2022 11:26:09 +0100
Message-Id: <20220215102609.14671-1-a@unstable.cc>
MIME-Version: 1.0
X-Spam-Report: Spam detection software,
 running on the system "util-spamd-2.v13.lw.sourceforge.com",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 the administrator of that system for details.
 Content preview: With b39725cf ("Remove md_kt_t and change crypto API to use
 const char*") the logic for validating ciphers and md algorithms has been
 changed. We should now *always* use md_valid() when validating a digest alg.
 Content analysis details:   (1.3 points, 6.0 required)
 pts rule name              description
 ---- ----------------------
 --------------------------------------------------
 -0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 -0.0 SPF_PASS               SPF: sender matches SPF record
 -0.0 T_SCC_BODY_TEXT_LINE   No description available.
 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS
X-Headers-End: 1nJv22-0003q3-Al
Subject: [Openvpn-devel] [PATCH] auth_token/tls_crypt: fix usage of
 md_valid()
X-BeenThere: openvpn-devel@lists.sourceforge.net
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: <openvpn-devel.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/options/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: 
 <http://sourceforge.net/mailarchive/forum.php?forum_name=openvpn-devel>
List-Post: <mailto:openvpn-devel@lists.sourceforge.net>
List-Help: <mailto:openvpn-devel-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/openvpn-devel>,
 <mailto:openvpn-devel-request@lists.sourceforge.net?subject=subscribe>
Cc: Antonio Quartulli <a@unstable.cc>
Errors-To: openvpn-devel-bounces@lists.sourceforge.net
X-getmail-retrieved-from-mailbox: Inbox

With b39725cf ("Remove md_kt_t and change crypto API to use const char*")
the logic for validating ciphers and md algorithms has been changed.

We should now *always* use md_valid() when validating a digest alg.

At the same time, add '!' (negation) when validating the digest algorithm
in the tls-crypt code, in order to restore the proper logic.

Cc: Arne Schwabe <arne@rfc2549.org>
Fixes: b39725cf ("Remove md_kt_t and change crypto API to use const char*")
Reported-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-By: Arne Schwabe <arne@rfc2549.org>
---
 src/openvpn/auth_token.c | 2 +-
 src/openvpn/tls_crypt.c  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/auth_token.c b/src/openvpn/auth_token.c
index ceae68f6..10c9dde6 100644
--- a/src/openvpn/auth_token.c
+++ b/src/openvpn/auth_token.c
@@ -38,7 +38,7 @@ auth_token_kt(void)
     kt.cipher = "none";
     kt.digest = "SHA256";
 
-    if (!kt.digest)
+    if (!md_valid(kt.digest))
     {
         msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support.");
         return (struct key_type) { 0 };
diff --git a/src/openvpn/tls_crypt.c b/src/openvpn/tls_crypt.c
index 610168b0..aae2a917 100644
--- a/src/openvpn/tls_crypt.c
+++ b/src/openvpn/tls_crypt.c
@@ -59,7 +59,7 @@ tls_crypt_kt(void)
         msg(M_WARN, "ERROR: --tls-crypt requires AES-256-CTR support.");
         return (struct key_type) { 0 };
     }
-    if (cipher_valid(kt.digest))
+    if (!md_valid(kt.digest))
     {
         msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support.");
         return (struct key_type) { 0 };