From: Arne Schwabe Date: Wed, 18 Aug 2021 21:33:53 +0000 (+0200) Subject: Detect unusable ciphers on patched OpenSSL of RHEL/Centos X-Git-Tag: v2.6_beta1~440 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8f25cefea15481cc0338bca40a89d96fbe745b9f;p=thirdparty%2Fopenvpn.git Detect unusable ciphers on patched OpenSSL of RHEL/Centos OpenSSL on RHEL 8 and CentOS 8 system when these system are put into FIPS mode need extra code to figure out if a specific cipher algorithm is usable on these system. This is particularly problem in data-ciphers as the errors might occur much later when a client connects and as these cipher are not caught during config initialisation. This also prepares for adding Chacha20-Poly1305 when available to data-ciphers by making the detection logic used to check if cipher_kt_get returns non-NULL work on these systems. Signed-off-by: Arne Schwabe Acked-by: David Sommerseth Message-Id: <20210818213354.687736-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22746.html Signed-off-by: Gert Doering --- diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index b9c95225a..1dfc760f9 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -1806,6 +1806,12 @@ print_cipher(const cipher_kt_t *cipher) { printf(", TLS client/server mode only"); } +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) + { + printf(", disabled by FIPS mode"); + } +#endif printf(")\n"); } diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index b55d32b2c..419265a51 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -599,7 +599,17 @@ cipher_kt_get(const char *ciphername) return NULL; } +#ifdef OPENSSL_FIPS + /* Rhel 8/CentOS 8 have a patched OpenSSL version that return a cipher + * here that is actually not usable if in FIPS mode */ + if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) + { + msg(D_LOW, "Cipher algorithm '%s' is known by OpenSSL library but " + "currently disabled by running in FIPS mode.", ciphername); + return NULL; + } +#endif if (EVP_CIPHER_key_length(cipher) > MAX_CIPHER_KEY_LENGTH) { msg(D_LOW, "Cipher algorithm '%s' uses a default key size (%d bytes) "