Hi,
On 05-06-2020 13:25, Arne Schwabe wrote:
> Basically calls to cipher_kt_get were calling
> translate_cipher_name_from_openvpn. The only two exception were the
> (broken) unit test and tls-crypt that uses cipher_kt_get("AES-256-CTR")
>
> Signed-off-by: Arne Schwabe <a...@rfc2549.org>
> ---
> src/openvpn/crypto.c | 2 +-
> src/openvpn/crypto_backend.h | 3 ++-
> src/openvpn/crypto_mbedtls.c | 1 +
> src/openvpn/crypto_openssl.c | 1 +
> src/openvpn/ssl_ncp.c | 8 ++++----
> 5 files changed, 9 insertions(+), 6 deletions(-)
>
> diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
> index ba1fc095..1ce98184 100644
> --- a/src/openvpn/crypto.c
> +++ b/src/openvpn/crypto.c
> @@ -763,7 +763,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
> CLEAR(*kt);
> if (strcmp(ciphername, "none") != 0)
> {
> - kt->cipher =
> cipher_kt_get(translate_cipher_name_from_openvpn(ciphername));
> + kt->cipher = cipher_kt_get(ciphername);
> if (!kt->cipher)
> {
> msg(M_FATAL, "Cipher %s not supported", ciphername);
> diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
> index d46cb63f..85cb084a 100644
> --- a/src/openvpn/crypto_backend.h
> +++ b/src/openvpn/crypto_backend.h
> @@ -227,7 +227,8 @@ void cipher_des_encrypt_ecb(const unsigned char
> key[DES_KEY_LENGTH],
> * initialise encryption/decryption.
> *
> * @param ciphername Name of the cipher to retrieve parameters for (e.g.
> - * \c AES-128-CBC).
> + * \c AES-128-CBC). Will be translated to the library
> name
> + * from the openvpn config name if needed.
> *
> * @return A statically allocated structure containing
> parameters
> * for the given cipher, or NULL if no matching
> parameters
> diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
> index c8dcddc8..bb752557 100644
> --- a/src/openvpn/crypto_mbedtls.c
> +++ b/src/openvpn/crypto_mbedtls.c
> @@ -465,6 +465,7 @@ cipher_kt_get(const char *ciphername)
>
> ASSERT(ciphername);
>
> + ciphername = translate_cipher_name_from_openvpn(ciphername);
> cipher = mbedtls_cipher_info_from_string(ciphername);
>
> if (NULL == cipher)
> diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
> index 13ab4859..bbaa5742 100644
> --- a/src/openvpn/crypto_openssl.c
> +++ b/src/openvpn/crypto_openssl.c
> @@ -580,6 +580,7 @@ cipher_kt_get(const char *ciphername)
>
> ASSERT(ciphername);
>
> + ciphername = translate_cipher_name_from_openvpn(ciphername);
> cipher = EVP_get_cipherbyname(ciphername);
>
> if (NULL == cipher)
> diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
> index 042b0ce0..ea1dc960 100644
> --- a/src/openvpn/ssl_ncp.c
> +++ b/src/openvpn/ssl_ncp.c
> @@ -103,12 +103,12 @@ mutate_ncp_cipher_list(const char *list, struct
> gc_arena *gc)
> while (token)
> {
> /*
> - * Going through a roundtrip by using
> translate_cipher_name_from_openvpn
> - * and translate_cipher_name_to_openvpn also normalises the cipher
> name,
> + * Going through a roundtrip by using cipher_kt_get/cipher_kt_name
> + * (and translate_cipher_name_from_openvpn/
> + * translate_cipher_name_to_openvpn) also normalises the cipher name,
> * e.g. replacing AeS-128-gCm with AES-128-GCM
> */
> - const char *cipher_name = translate_cipher_name_from_openvpn(token);
> - const cipher_kt_t *ktc = cipher_kt_get(cipher_name);
> + const cipher_kt_t *ktc = cipher_kt_get(token);
> if (!ktc)
> {
> msg(M_WARN, "Unsupported cipher in --ncp-ciphers: %s", token);
>
This makes the cipher_kt_name and cipher_kt_get abstractions nicely
consistent. Code looks good, and passes my tests.
Acked-by: Steffan Karger <stef...@karger.me>
-Steffan
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
