Re: [Openvpn-devel] [PATCH v3] crypto: Fix OPENSSL_FIPS enabled builds
Hi,

On Fri, Jan 21, 2022 at 12:10 PM Gert Doering wrote:
> Hi,
>
> On Wed, Jan 19, 2022 at 07:21:26PM +0100, David Sommerseth wrote:
> > index 5626e2b6..eb0b1254 100644
> > --- a/src/openvpn/crypto.c
> > +++ b/src/openvpn/crypto.c
> > @@ -34,6 +34,7 @@
> >  #include "error.h"
> >  #include "integer.h"
> >  #include "platform.h"
> > +#include "openssl_compat.h"
> >
> >  #include "memdbg.h"
>
> This breaks compilation for mbedtls builds, depending on which version
> of OpenSSL happens to be installed on the system (if any).
>
> In this particular case, mbedtls build with a system openssl of 0.9.8,
> it blows up with
>
> In file included from crypto.c:37:
> openssl_compat.h: In function 'SSL_CTX_get_min_proto_version':
> openssl_compat.h:635: error: 'SSL_OP_NO_TLSv1_1' undeclared
> (first use in this
>
> (and more of this)
>
> which is unsurprising - it's not supposed to pull in these headers
> in the first place.

Looking back at it, the patch and the problem it's trying to solve are both misplaced in crypto.c. That file should be ssl-lib agnostic, and openssl-related bits should go to crypto_openssl.c... I think we need to remove that OPENSSL_FIPS clause and think of providing that extra info somewhere else if possible.

Selva

___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
Re: [Openvpn-devel] [PATCH v3] crypto: Fix OPENSSL_FIPS enabled builds
Hi,

On Wed, Jan 19, 2022 at 07:21:26PM +0100, David Sommerseth wrote:
> index 5626e2b6..eb0b1254 100644
> --- a/src/openvpn/crypto.c
> +++ b/src/openvpn/crypto.c
> @@ -34,6 +34,7 @@
>  #include "error.h"
>  #include "integer.h"
>  #include "platform.h"
> +#include "openssl_compat.h"
>
>  #include "memdbg.h"

This breaks compilation for mbedtls builds, depending on which version
of OpenSSL happens to be installed on the system (if any).

In this particular case, mbedtls build with a system openssl of 0.9.8,
it blows up with

In file included from crypto.c:37:
openssl_compat.h: In function 'SSL_CTX_get_min_proto_version':
openssl_compat.h:635: error: 'SSL_OP_NO_TLSv1_1' undeclared (first use in this

(and more of this)

which is unsurprising - it's not supposed to pull in these headers
in the first place.

I wondered about this header, but did not wonder enough to verify that it indeed must not be included for non-openssl builds.

gert

--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
    Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
[Openvpn-devel] [PATCH v3] crypto: Fix OPENSSL_FIPS enabled builds
From: David Sommerseth

On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS
module enabled by default. On these platforms, the OPENSSL_FIPS macro
is always defined via /usr/include/openssl/opensslconf-*.h.

Without this fix, the following compilation error appears:

./src/openvpn/crypto.c: In function ‘print_cipher’:
./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first use in this function); did you mean ‘iphdr’?
     if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
                                           ^~

The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided
via the openssl_compat.h for older than OpenSSL 3.0.

Signed-off-by: David Sommerseth
---
 src/openvpn/crypto.c | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 5626e2b6..eb0b1254 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -34,6 +34,7 @@
 #include "error.h"
 #include "integer.h"
 #include "platform.h"
+#include "openssl_compat.h"
 
 #include "memdbg.h"
@@ -1704,10 +1705,15 @@ print_cipher(const char *ciphername)
         printf(", TLS client/server mode only");
     }
 #ifdef OPENSSL_FIPS
-    if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
+    evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);
+
+    if (FIPS_mode()
+        && (NULL != cipher)
+        && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
     {
         printf(", disabled by FIPS mode");
     }
+    EVP_CIPHER_free(cipher);
 #endif
     printf(")\n");
--
2.27.0
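Review bot: the unconditional `#include "openssl_compat.h"` added at line 37 of crypto.c pulls an OpenSSL-only header into a file that is compiled for every crypto backend, which is the mbedTLS breakage reported further up the thread (openssl_compat.h:635: 'SSL_OP_NO_TLSv1_1' undeclared when the system OpenSSL is 0.9.8). Either guard the include with the same condition that guards the OPENSSL_FIPS code it serves, or, as the thread suggests, move the FIPS check into crypto_openssl.c so that crypto.c stays SSL-library agnostic and needs no OpenSSL header at all.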
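Review bot: in the print_cipher() hunk, the new `(NULL != cipher)` guard means that a cipher EVP_CIPHER_fetch() cannot return while FIPS_mode() is true prints nothing, although that is exactly the case the ", disabled by FIPS mode" note exists for; consider reporting it when `FIPS_mode() && (cipher == NULL || !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))`. Two smaller points: the `evp_cipher_type *cipher` declaration sits after the preceding printf/if block instead of at the top of the scope, and EVP_CIPHER_free(cipher) runs with cipher possibly NULL, which OpenSSL's own EVP_CIPHER_free() tolerates but which should be confirmed for the pre-3.0 shim that the commit message says openssl_compat.h provides.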