On 19/01/2022 17:34, Selva Nair wrote:
Hi,

Sorry for chiming in late:

On Wed, Jan 19, 2022 at 10:20 AM David Sommerseth <open...@sf.lists.topphemmelig.net> wrote:

    From: David Sommerseth <dav...@openvpn.net>

    On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS
    module enabled by default.  On these platforms, the OPENSSL_FIPS macro
    is always defined via /usr/include/openssl/opensslconf-*.h.

    Without this fix, the following compilation error appears:

       ./src/openvpn/crypto.c: In function ‘print_cipher’:
       ./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first
    use in this function); did you mean ‘iphdr’?
            if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) &
    EVP_CIPH_FLAG_FIPS))
                                                ^~~~~~

    The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided
    via openssl_compat.h for versions older than OpenSSL 3.0.

    Signed-off-by: David Sommerseth <dav...@openvpn.net>
    ---
      src/openvpn/crypto.c | 4 ++++
      1 file changed, 4 insertions(+)

    diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
    index 5626e2b6..e489d453 100644
    --- a/src/openvpn/crypto.c
    +++ b/src/openvpn/crypto.c
    @@ -34,6 +34,7 @@
      #include "error.h"
      #include "integer.h"
      #include "platform.h"
    +#include "openssl_compat.h"

      #include "memdbg.h"
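
Review bot: The new #include "openssl_compat.h" at the top of crypto.c is unconditional, while the only use this patch shows for it sits inside the #ifdef OPENSSL_FIPS block in print_cipher(). If crypto.c is also compiled in configurations where the OpenSSL headers are not available, put the include under a matching guard so it cannot break those builds.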

    @@ -1704,10 +1705,13 @@ print_cipher(const char *ciphername)
              printf(", TLS client/server mode only");
          }
      #ifdef OPENSSL_FIPS
    +    evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);
    +
          if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) &
    EVP_CIPH_FLAG_FIPS))
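
Review bot: In print_cipher(), the pointer returned by EVP_CIPHER_fetch() goes straight into EVP_CIPHER_flags() with no NULL check. The ciphername argument comes from the caller and the fetch returns NULL when it cannot resolve the name, so test the pointer before using it, for example: if (cipher && FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)).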


We need to check that cipher is not NULL. Fetch can return NULL while EVP_CIPHER_flags() requires a non-null argument. Something like: if (cipher && FIPS_mode && etc...) will do.

EVP_CIPHER_free() below can handle NULL, so no problem there.


Thanks!  v3 is on its way.


--
kind regards,

David Sommerseth
OpenVPN Inc

_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel