Re: [Openvpn-devel] [PATCH v2] Remove deprecated option '--keysize'

2021-04-03 Thread Antonio Quartulli
On 03/04/2021 11:06, Antonio Quartulli wrote:
> Compile tested on Linux against:
> * OpenSSL 1.1.1
> * OpenSSL 1.0.1

This was meant to be 1.1.0.

> * OpenSSL 1.0.2
> * mbedTLS 2.26.0
> * mbedTLS 2.20.0
> * mbedTLS 2.10.0

Cheers,


-- 
Antonio Quartulli


___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH v2] Remove deprecated option '--keysize'

2021-04-03 Thread Antonio Quartulli
Hi,

On 01/04/2021 14:37, Arne Schwabe wrote:
> This option has been deprecated in OpenVPN 2.4 and the ciphers that allow
> using this option all fall into the SWEET32 category of ciphers with
> 64 bit block size.
> 
> Patch V2: Remove superfluous check in OpenSSL codepath to check keysize

Thanks for removing the extra check.

> 
> Signed-off-by: Arne Schwabe 

Compile tested on Linux against:
* OpenSSL 1.1.1
* OpenSSL 1.0.1
* OpenSSL 1.0.2
* mbedTLS 2.26.0
* mbedTLS 2.20.0
* mbedTLS 2.10.0

Windows+OpenSSL-1.1.1 compiled too (mingw).

Basic connection tests (master vs master and master vs 2.5) performed
with OpenSSL 1.1.1 and mbedTLS 2.26.0 on Linux.


Acked-by: Antonio Quartulli 


-- 
Antonio Quartulli




[Openvpn-devel] [PATCH v2] Remove deprecated option '--keysize'

2021-04-01 Thread Arne Schwabe
This option has been deprecated in OpenVPN 2.4 and the ciphers that allow
using this option all fall into the SWEET32 category of ciphers with
64 bit block size.

Patch V2: Remove superfluous check in OpenSSL codepath to check keysize

Signed-off-by: Arne Schwabe 
---
 config-msvc.h|  1 -
 configure.ac |  2 +-
 src/openvpn/crypto.c |  6 +-
 src/openvpn/crypto.h |  4 +---
 src/openvpn/crypto_openssl.c | 12 ++--
 src/openvpn/init.c   |  5 ++---
 src/openvpn/options.c| 33 ++---
 src/openvpn/options.h|  2 --
 src/openvpn/ssl.c|  7 +--
 9 files changed, 10 insertions(+), 62 deletions(-)

diff --git a/config-msvc.h b/config-msvc.h
index 4db9efae2..aea2628be 100644
--- a/config-msvc.h
+++ b/config-msvc.h
@@ -48,7 +48,6 @@
 #define HAVE_CHDIR 1
 #define HAVE_CHSIZE 1
 #define HAVE_CTIME 1
-#define HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH 1
 #define HAVE_IN_PKTINFO 1
 #define HAVE_MEMSET 1
 #define HAVE_PUTENV 1
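Review bot: dropping `HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH` from config-msvc.h is only safe if no `#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH` guard survives outside the OpenSSL backend; the diffstat lists no other file touching it, so a `git grep HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH` over the tree after applying the series would confirm the macro has no remaining users (including any other hand-maintained config headers).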
diff --git a/configure.ac b/configure.ac
index 3cb9fc2fc..7bc6c7b90 100644
--- a/configure.ac
+++ b/configure.ac
@@ -878,7 +878,7 @@ if test "${with_crypto_library}" = "openssl"; then
)
fi
 
-   AC_CHECK_FUNCS([SSL_CTX_new EVP_CIPHER_CTX_set_key_length],
+   AC_CHECK_FUNCS([SSL_CTX_new],
   ,
   [AC_MSG_ERROR([openssl check failed])]
)
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 3a0bfbec4..b042514bf 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -739,7 +739,7 @@ warn_insecure_key_type(const char *ciphername, const 
cipher_kt_t *cipher)
  */
 void
 init_key_type(struct key_type *kt, const char *ciphername,
-  const char *authname, int keysize, bool tls_mode, bool warn)
+  const char *authname, bool tls_mode, bool warn)
 {
 bool aead_cipher = false;
 
@@ -756,10 +756,6 @@ init_key_type(struct key_type *kt, const char *ciphername,
 }
 
 kt->cipher_length = cipher_kt_key_size(kt->cipher);
-if (keysize > 0 && keysize <= MAX_CIPHER_KEY_LENGTH)
-{
-kt->cipher_length = keysize;
-}
 
 /* check legal cipher mode */
 aead_cipher = cipher_kt_mode_aead(kt->cipher);
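Review bot: with the `keysize` override gone, `kt->cipher_length` is always `cipher_kt_key_size(kt->cipher)`, which is the point of the change (there is no longer any way to shrink a cipher's key below its native length); a one-line comment above that assignment saying the key length is now fixed by the cipher would help the next reader. This hunk also removes a reference to `MAX_CIPHER_KEY_LENGTH`, so check whether the constant still has other users before keeping its definition.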
diff --git a/src/openvpn/crypto.h b/src/openvpn/crypto.h
index 1ad669ce1..b8128c7f1 100644
--- a/src/openvpn/crypto.h
+++ b/src/openvpn/crypto.h
@@ -301,14 +301,12 @@ int read_key(struct key *key, const struct key_type *kt, 
struct buffer *buf);
  * @param kt  The struct key_type to initialize
  * @param ciphername  The name of the cipher to use
  * @param authnameThe name of the HMAC digest to use
- * @param keysize The length of the cipher key to use, in bytes.  Only 
valid
- *for ciphers that support variable length keys.
  * @param tls_modeSpecifies whether we are running in TLS mode, which 
allows
  *more ciphers than static key mode.
  * @param warnPrint warnings when null cipher / auth is used.
  */
 void init_key_type(struct key_type *kt, const char *ciphername,
-   const char *authname, int keysize, bool tls_mode, bool 
warn);
+   const char *authname, bool tls_mode, bool warn);
 
 /*
  * Key context functions
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 573beaed7..f3e86863e 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -292,10 +292,8 @@ show_available_ciphers(void)
 #ifndef ENABLE_SMALL
 printf("The following ciphers and cipher modes are available for use\n"
"with " PACKAGE_NAME ".  Each cipher shown below may be used as a\n"
-   "parameter to the --data-ciphers (or --cipher) option.  The\n"
-   "default key size is shown as well as whether or not it can be\n"
-   "changed with the --keysize directive.  Using a GCM or CBC mode\n"
-   "is recommended.  In static key mode only CBC mode is 
allowed.\n\n");
+   "parameter to the --data-ciphers (or --cipher) option. In static \n"
+   "key mode only CBC mode is allowed.\n\n");
 #endif
 
 for (nid = 0; nid < 1; ++nid)
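Review bot: the new string `"parameter to the --data-ciphers (or --cipher) option. In static \n"` has a trailing space before the `\n`, which prints as trailing whitespace in the help output; please drop it. The rewrite also removes the sentence "Using a GCM or CBC mode is recommended." together with the --keysize text, although that recommendation has nothing to do with key size; if dropping it is intentional, say so in the commit message, otherwise keep it, e.g. `"parameter to the --data-ciphers (or --cipher) option.  Using a GCM\n"` / `"or CBC mode is recommended.  In static key mode only CBC mode is allowed.\n\n"` (two spaces after a period, matching the surrounding text).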
@@ -776,12 +774,6 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, const uint8_t *key, 
int key_len,
 {
 crypto_msg(M_FATAL, "EVP cipher init #1");
 }
-#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH
-if (!EVP_CIPHER_CTX_set_key_length(ctx, key_len))
-{
-crypto_msg(M_FATAL, "EVP set key size");
-}
-#endif
 if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, enc))
 {
 crypto_msg(M_FATAL, "EVP cipher init #2");
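Review bot: after removing the `EVP_CIPHER_CTX_set_key_length()` call, `key_len` no longer appears in the visible body of `cipher_ctx_init()`, and the check that the supplied length matches the cipher goes with it; `EVP_CipherInit_ex()` will simply use the cipher's default key length. Either drop the now-unused parameter or keep a cheap guard in the same style as the surrounding code, e.g. `if (key_len != EVP_CIPHER_CTX_key_length(ctx)) { crypto_msg(M_FATAL, "EVP cipher key length mismatch"); }` after the first init, so a caller passing a key of the wrong length still fails loudly rather than silently.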
diff --git a/src/openvpn/init.c b/src/openvpn/init.c
index 132d47e4e..336da9414 100644
--- a/src/openvpn/init.c
+++ b/src/openvpn/init.c
@@ -2599,7 +2599,7 @@ do_init_crypto_static(struct context *c, const unsigned 
int flags)
 {
 /* Get cipher & hash