From patchwork Mon Oct 10 04:41:16 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Arne Schwabe X-Patchwork-Id: 2810 Return-Path: Delivered-To: patchwork@openvpn.net Delivered-To: patchwork@openvpn.net Received: from director7.mail.ord1d.rsapps.net ([172.30.191.6]) by backend30.mail.ord1d.rsapps.net with LMTP id aFyzGXY9RGPJaQAAIUCqbw (envelope-from ) for ; Mon, 10 Oct 2022 11:42:46 -0400 Received: from proxy8.mail.ord1d.rsapps.net ([172.30.191.6]) by director7.mail.ord1d.rsapps.net with LMTP id EJS6GXY9RGNtMAAAovjBpQ (envelope-from ) for ; Mon, 10 Oct 2022 11:42:46 -0400 Received: from smtp40.gate.ord1c ([172.30.191.6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) by proxy8.mail.ord1d.rsapps.net with LMTPS id AH1kGXY9RGNjPwAAGdz6CA (envelope-from ) for ; Mon, 10 Oct 2022 11:42:46 -0400 X-Spam-Threshold: 95 X-Spam-Score: 0 X-Spam-Flag: NO X-Virus-Scanned: OK X-Orig-To: openvpnslackdevel@openvpn.net X-Originating-Ip: [216.105.38.7] Authentication-Results: smtp40.gate.ord1c.rsapps.net; iprev=pass policy.iprev="216.105.38.7"; spf=pass smtp.mailfrom="openvpn-devel-bounces@lists.sourceforge.net" smtp.helo="lists.sourceforge.net"; dkim=fail (signature verification failed) header.d=sourceforge.net; dkim=fail (signature verification failed) header.d=sf.net; dmarc=none (p=nil; dis=none) header.from=rfc2549.org X-Suspicious-Flag: YES X-Classification-ID: 2f4ec7b2-48b2-11ed-87f7-525400b3abc9-1-1 Received: from [216.105.38.7] ([216.105.38.7:56640] helo=lists.sourceforge.net) by smtp40.gate.ord1c.rsapps.net (envelope-from ) (ecelerity 4.2.38.62370 r(:)) with ESMTPS (cipher=DHE-RSA-AES256-GCM-SHA384) id 5C/67-15118-57D34436; Mon, 10 Oct 2022 11:42:45 -0400 Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1ohuuL-0005Yx-Hn; Mon, 10 Oct 2022 15:41:33 +0000 Received: from [172.30.20.202] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1ohuuJ-0005Yh-PU for openvpn-devel@lists.sourceforge.net; Mon, 10 Oct 2022 15:41:31 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:Message-Id: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:In-Reply-To:References:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=T61ZjaROryRfwLlMTfWz4rP7sL8YNl6fnY2y1UhG+pI=; b=hDrAf1GM7io+YVTbGJNTbPhuXG 894XAW9cbe2Qrto3GEJnpJfYlSof4n6n/4XAfhtIFitB6lx+UrxW30VkP+eKWrv0uyaxJDaajfxw1 2mKZc2xITK9Dug3AmnRstbEsimZgPtIaMLqu1ZEHMFtrrjabzeBlA/dEoiza1CWqN9r0=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:Message-Id:Date:Subject:To:From: Sender:Reply-To:Cc:Content-Type:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To: References:List-Id:List-Help:List-Unsubscribe:List-Subscribe:List-Post: List-Owner:List-Archive; bh=T61ZjaROryRfwLlMTfWz4rP7sL8YNl6fnY2y1UhG+pI=; b=C LeMGkAiGIdKnPXRWi4PhxC9rlVi4uKB3wT7/AM5Y4BIPL0PLxp5g5mGVcNaSFRyDDxOeJ5/ZAqgQX 7cqKLjhicVZHbW4sYNJoe4n70KraITEOoAVAYnCyMFM6ciO+2E4jhL/XP9fvbeQqyxy4Qiu8aridf 0Ur6BPM+YgWEakRQ=; Received: from mail.blinkt.de ([192.26.174.232]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1ohuuD-0006R6-Ul for openvpn-devel@lists.sourceforge.net; Mon, 10 Oct 2022 15:41:31 +0000 Received: from kamera.blinkt.de ([2001:638:502:390:20c:29ff:fec8:535c]) by mail.blinkt.de with smtp (Exim 4.95 (FreeBSD)) (envelope-from ) id 1ohuu4-000FZ8-Bk for openvpn-devel@lists.sourceforge.net; Mon, 10 Oct 2022 17:41:16 +0200 Received: (nullmailer pid 1685923 invoked by uid 10006); Mon, 10 Oct 2022 15:41:16 -0000 From: Arne Schwabe To: openvpn-devel@lists.sourceforge.net Date: Mon, 10 Oct 2022 17:41:16 +0200 Message-Id: <20221010154116.1685877-1-arne@rfc2549.org> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Make sure cipher_valid only considered these four operations as valid. This fixes that somjething like --data-ciphers AES-256-GCM:AES-128-CCM will start but later fail when trying to use the CCM ciphe [...] Content analysis details: (0.3 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 SPF_NONE SPF: sender does not publish an SPF Record 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail domains are different X-Headers-End: 1ohuuD-0006R6-Ul Subject: [Openvpn-devel] [PATCH] Ensure only CBC, CFB, OFB and AEAD ciphers are considered valid data ciphers X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox Make sure cipher_valid only considered these four operations as valid. This fixes that somjething like --data-ciphers AES-256-GCM:AES-128-CCM will start but later fail when trying to use the CCM cipher. We say "a supported AEAD" mode in our error since CCM is also an AEAD mode but one we support like GCM. Signed-off-by: Arne Schwabe --- src/openvpn/ssl_ncp.c | 8 ++++++++ tests/unit_tests/openvpn/test_ncp.c | 6 ++++++ 2 files changed, 14 insertions(+) diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index 013021d6d..14a4e223d 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c @@ -136,6 +136,14 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc) msg(M_WARN, "Unsupported %scipher in --data-ciphers: %s", optstr, token); error_found = error_found || !optional; } + else if (!nonecipher && !cipher_kt_mode_aead(token) + && !cipher_kt_mode_cbc(token) + && !cipher_kt_mode_ofb_cfb(token)) + { + msg(M_WARN, "Cipher algorithm '%s' does use CFB, OFB, CBC, or " + "a supported AEAD mode", token); + error_found = error_found || !optional; + } else { const char *ovpn_cipher_name = cipher_kt_name(token); diff --git a/tests/unit_tests/openvpn/test_ncp.c b/tests/unit_tests/openvpn/test_ncp.c index 2595d8c4e..bb9a28244 100644 --- a/tests/unit_tests/openvpn/test_ncp.c +++ b/tests/unit_tests/openvpn/test_ncp.c @@ -98,6 +98,12 @@ test_check_ncp_ciphers_list(void **state) /* If the last is optional, previous invalid ciphers should be ignored */ assert_ptr_equal(mutate_ncp_cipher_list("Vollbit:Littlebit:AES-256-CBC:BF-CBC:?nixbit", &gc), NULL); + /* We do not support CCM ciphers */ + assert_ptr_equal(mutate_ncp_cipher_list("AES-256-GCM:AES-128-CCM", &gc), NULL); + + assert_string_equal(mutate_ncp_cipher_list("AES-256-GCM:?AES-128-CCM:AES-128-GCM", &gc), + aes_ciphers); + /* For testing that with OpenSSL 1.1.0+ that also accepts ciphers in * a different spelling the normalised cipher output is the same */ bool have_chacha_mixed_case = cipher_valid("ChaCha20-Poly1305");