Re: [Openvpn-devel] [PATCH v2] crypto: Fix OPENSSL_FIPS enabled builds

2022-01-19 Thread David Sommerseth

On 19/01/2022 17:34, Selva Nair wrote:

Hi,

Sorry for chiming in late:

On Wed, Jan 19, 2022 at 10:20 AM David Sommerseth wrote:


From: David Sommerseth <dav...@openvpn.net>

On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS
module enabled by default.  On these platforms, the OPENSSL_FIPS macro
is always defined via /usr/include/openssl/opensslconf-*.h.

Without this fix, the following compilation error appears:

   ./src/openvpn/crypto.c: In function ‘print_cipher’:
   ./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first
use in this function); did you mean ‘iphdr’?
        if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) &
EVP_CIPH_FLAG_FIPS))
                                            ^~

The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided
via the openssl_compat.h for older than OpenSSL 3.0.

Signed-off-by: David Sommerseth <dav...@openvpn.net>
---
  src/openvpn/crypto.c | 4 
  1 file changed, 4 insertions(+)

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 5626e2b6..e489d453 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -34,6 +34,7 @@
  #include "error.h"
  #include "integer.h"
  #include "platform.h"
+#include "openssl_compat.h"

  #include "memdbg.h"

@@ -1704,10 +1705,13 @@ print_cipher(const char *ciphername)
          printf(", TLS client/server mode only");
      }
  #ifdef OPENSSL_FIPS
+    evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);
+
      if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) &
EVP_CIPH_FLAG_FIPS))


We need to check that cipher is not NULL. Fetch can return NULL while 
EVP_CIPHER_flags() requires a non-null argument. Something like: if 
(cipher && FIPS_mode && etc...) will do.


EVP_CIPHER_free() below can handle NULL, so no problem there.



Thanks!  v3 is on its way.


--
kind regards,

David Sommerseth
OpenVPN Inc



___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH v2] crypto: Fix OPENSSL_FIPS enabled builds

2022-01-19 Thread Arne Schwabe

On 19.01.22 at 16:19, David Sommerseth wrote:

From: David Sommerseth 

On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS
module enabled by default.  On these platforms, the OPENSSL_FIPS macro
is always defined via /usr/include/openssl/opensslconf-*.h.


Acked-By: Arne Schwabe 

Arne




Re: [Openvpn-devel] [PATCH v2] crypto: Fix OPENSSL_FIPS enabled builds

2022-01-19 Thread Selva Nair
Hi,

Sorry for chiming in late:

On Wed, Jan 19, 2022 at 10:20 AM David Sommerseth <
open...@sf.lists.topphemmelig.net> wrote:

> From: David Sommerseth 
>
> On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS
> module enabled by default.  On these platforms, the OPENSSL_FIPS macro
> is always defined via /usr/include/openssl/opensslconf-*.h.
>
> Without this fix, the following compilation error appears:
>
>   ./src/openvpn/crypto.c: In function ‘print_cipher’:
>   ./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first use in
> this function); did you mean ‘iphdr’?
>if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
>^~
>
> The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided
> via the openssl_compat.h for older than OpenSSL 3.0.
>
> Signed-off-by: David Sommerseth 
> ---
>  src/openvpn/crypto.c | 4 
>  1 file changed, 4 insertions(+)
>
> diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
> index 5626e2b6..e489d453 100644
> --- a/src/openvpn/crypto.c
> +++ b/src/openvpn/crypto.c
> @@ -34,6 +34,7 @@
>  #include "error.h"
>  #include "integer.h"
>  #include "platform.h"
> +#include "openssl_compat.h"
>
>  #include "memdbg.h"
>
> @@ -1704,10 +1705,13 @@ print_cipher(const char *ciphername)
>  printf(", TLS client/server mode only");
>  }
>  #ifdef OPENSSL_FIPS
> +evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);
> +
>  if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
>

We need to check that cipher is not NULL. Fetch can return NULL while
EVP_CIPHER_flags() requires a non-null argument. Something like: if (cipher
&& FIPS_mode && etc...) will do.

EVP_CIPHER_free() below can handle NULL, so no problem there.



   {
>  printf(", disabled by FIPS mode");
>  }
> +EVP_CIPHER_free(cipher);

 #endif
>
>  printf(")\n");
>

Selva


[Openvpn-devel] [PATCH v2] crypto: Fix OPENSSL_FIPS enabled builds

2022-01-19 Thread David Sommerseth
From: David Sommerseth 

On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS
module enabled by default.  On these platforms, the OPENSSL_FIPS macro
is always defined via /usr/include/openssl/opensslconf-*.h.

Without this fix, the following compilation error appears:

  ./src/openvpn/crypto.c: In function ‘print_cipher’:
  ./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first use in this 
function); did you mean ‘iphdr’?
   if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
   ^~

The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided
via the openssl_compat.h for older than OpenSSL 3.0.

Signed-off-by: David Sommerseth 
---
 src/openvpn/crypto.c | 4 
 1 file changed, 4 insertions(+)

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 5626e2b6..e489d453 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -34,6 +34,7 @@
 #include "error.h"
 #include "integer.h"
 #include "platform.h"
+#include "openssl_compat.h"
 
 #include "memdbg.h"
 
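Review bot: the added `#include "openssl_compat.h"` is unconditional, while its only consumers in this patch (EVP_CIPHER_fetch()/EVP_CIPHER_free() in the print_cipher hunk) sit under `#ifdef OPENSSL_FIPS`; if crypto.c is also compiled against a non-OpenSSL crypto backend, either confirm that openssl_compat.h guards itself against that configuration or place the include under the same backend condition as the code that uses it.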
@@ -1704,10 +1705,13 @@ print_cipher(const char *ciphername)
 printf(", TLS client/server mode only");
 }
 #ifdef OPENSSL_FIPS
+evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);
+
 if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
 {
 printf(", disabled by FIPS mode");
 }
+EVP_CIPHER_free(cipher);
 #endif
 
 printf(")\n");
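Review bot: the `cipher` obtained at `+evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);` is passed to EVP_CIPHER_flags(cipher) without a NULL check; the fetch returns NULL for a cipher name that is unknown or unavailable, and EVP_CIPHER_flags() requires a non-NULL argument, so the condition should read `if (cipher && FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))`. The trailing `+EVP_CIPHER_free(cipher);` needs no guard, since EVP_CIPHER_free() accepts NULL.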
-- 
2.27.0


