Re: [Openvpn-devel] [PATCH v3] crypto: Fix OPENSSL_FIPS enabled builds

2022-01-21 Thread Selva Nair
Hi

On Fri, Jan 21, 2022 at 12:10 PM Gert Doering  wrote:

> Hi,
>
> On Wed, Jan 19, 2022 at 07:21:26PM +0100, David Sommerseth wrote:
> > index 5626e2b6..eb0b1254 100644
> > --- a/src/openvpn/crypto.c
> > +++ b/src/openvpn/crypto.c
> > @@ -34,6 +34,7 @@
> >  #include "error.h"
> >  #include "integer.h"
> >  #include "platform.h"
> > +#include "openssl_compat.h"
> >
> >  #include "memdbg.h"
>
> This breaks compilation for mbedtls builds, depending on which version
> of OpenSSL happens to be installed on the system (if any).
>
> In this particular case, mbedtls build with a system openssl of 0.9.8,
> it blows up with
>
> In file included from crypto.c:37:
> openssl_compat.h: In function 'SSL_CTX_get_min_proto_version':
> openssl_compat.h:635: error: 'SSL_OP_NO_TLSv1_1' undeclared
> (first use in this
>
> (and more of this)
>
> which is unsurprising - it's not supposed to pull in these headers
> in the first place.
>

Looking back at it, the patch and the problem it's trying to solve are both
misplaced in crypto.c. That file should be ssl-lib agnostic and openssl
related bits should go to crypto_openssl.c...

I think we need to remove that OPENSSL_FIPS clause and think of providing
that extra info somewhere else if possible.

Selva
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel


Re: [Openvpn-devel] [PATCH v3] crypto: Fix OPENSSL_FIPS enabled builds

2022-01-21 Thread Gert Doering
Hi,

On Wed, Jan 19, 2022 at 07:21:26PM +0100, David Sommerseth wrote:
> index 5626e2b6..eb0b1254 100644
> --- a/src/openvpn/crypto.c
> +++ b/src/openvpn/crypto.c
> @@ -34,6 +34,7 @@
>  #include "error.h"
>  #include "integer.h"
>  #include "platform.h"
> +#include "openssl_compat.h"
>  
>  #include "memdbg.h"

This breaks compilation for mbedtls builds, depending on which version
of OpenSSL happens to be installed on the system (if any).

In this particular case, mbedtls build with a system openssl of 0.9.8,
it blows up with

In file included from crypto.c:37:
openssl_compat.h: In function 'SSL_CTX_get_min_proto_version':
openssl_compat.h:635: error: 'SSL_OP_NO_TLSv1_1' undeclared 
(first use in this

(and more of this)

which is unsurprising - it's not supposed to pull in these headers
in the first place.


I wondered about this header, but did not wonder enough to verify
that it indeed must not be included for non-openssl-builds.

gert

-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
 Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany g...@greenie.muc.de




[Openvpn-devel] [PATCH v3] crypto: Fix OPENSSL_FIPS enabled builds

2022-01-19 Thread David Sommerseth
From: David Sommerseth 

On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS
module enabled by default.  On these platforms, the OPENSSL_FIPS macro
is always defined via /usr/include/openssl/opensslconf-*.h.

Without this fix, the following compilation error appears:

  ./src/openvpn/crypto.c: In function ‘print_cipher’:
  ./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first use in this 
function); did you mean ‘iphdr’?
   if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
   ^~

The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided
via openssl_compat.h for OpenSSL versions older than 3.0.

Signed-off-by: David Sommerseth 
---
 src/openvpn/crypto.c | 8 +++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 5626e2b6..eb0b1254 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -34,6 +34,7 @@
 #include "error.h"
 #include "integer.h"
 #include "platform.h"
+#include "openssl_compat.h"
 
 #include "memdbg.h"
 
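Review bot: the new `#include "openssl_compat.h"` at the top of crypto.c is unconditional, but crypto.c is the backend-agnostic file and is also compiled for mbedTLS builds, where this header drags in OpenSSL declarations from whatever system OpenSSL happens to be installed (or none). Either guard the include with `#ifdef ENABLE_CRYPTO_OPENSSL`, or better, keep the FIPS-specific cipher lookup in crypto_openssl.c behind the existing backend abstraction so that crypto.c never sees OpenSSL headers at all.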
@@ -1704,10 +1705,15 @@ print_cipher(const char *ciphername)
 printf(", TLS client/server mode only");
 }
 #ifdef OPENSSL_FIPS
-if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
+evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);
+
+if (FIPS_mode()
+&& (NULL != cipher)
+&& !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
 {
 printf(", disabled by FIPS mode");
 }
+EVP_CIPHER_free(cipher);
 #endif
 
 printf(")\n");
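Review bot: `EVP_CIPHER_free(cipher)` runs unconditionally, including when `EVP_CIPHER_fetch(NULL, ciphername, NULL)` returned NULL for an unknown cipher name; the native OpenSSL 3.0 `EVP_CIPHER_free()` accepts NULL, but the commit message says both calls come from openssl_compat.h on older OpenSSL, so either confirm the compat wrapper tolerates NULL or move the free under an `if (cipher)` check. It would also be cleaner to test `FIPS_mode()` before doing the fetch, so that the lookup and free are skipped entirely when FIPS mode is off, and to keep the `NULL != cipher` test adjacent to the fetch that produced it.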
-- 
2.27.0


