OpenSSL on RHEL 8 and CentOS 8 system when these system are put into
FIPS mode need extra code to figure out if a specific cipher algorithm
is usable on these system. This is particularly problem in data-ciphers
as the errors might occur much later when a client connects and as these
cipher are not caught during config initialisation.
This also prepares for adding Chacha20-Poly1305 when available to
data-ciphers by making the detection logic used to check if
cipher_kt_get returns non-NULL work on these systems.
Signed-off-by: Arne Schwabe <a...@rfc2549.org>
---
src/openvpn/crypto.c | 6 ++++++
src/openvpn/crypto_openssl.c | 10 ++++++++++
2 files changed, 16 insertions(+)
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index b9c95225a..1dfc760f9 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -1806,6 +1806,12 @@ print_cipher(const cipher_kt_t *cipher)
{
printf(", TLS client/server mode only");
}
+#ifdef OPENSSL_FIPS
+ if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
+ {
+ printf(", disabled by FIPS mode");
+ }
+#endif
printf(")\n");
}
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index b55d32b2c..419265a51 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -599,7 +599,17 @@ cipher_kt_get(const char *ciphername)
return NULL;
}
+#ifdef OPENSSL_FIPS
+ /* Rhel 8/CentOS 8 have a patched OpenSSL version that return a cipher
+ * here that is actually not usable if in FIPS mode */
+ if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
+ {
+ msg(D_LOW, "Cipher algorithm '%s' is known by OpenSSL library but "
+ "currently disabled by running in FIPS mode.", ciphername);
+ return NULL;
+ }
+#endif
if (EVP_CIPHER_key_length(cipher) > MAX_CIPHER_KEY_LENGTH)
{
msg(D_LOW, "Cipher algorithm '%s' uses a default key size (%d bytes) "
--
2.32.0
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
