Make cipher_kt_get also accept OpenVPN config cipher name

Basically calls to cipher_kt_get were calling
translate_cipher_name_from_openvpn. The only two exception were the
(broken) unit test and tls-crypt that uses cipher_kt_get("AES-256-CTR")

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Steffan Karger <steffan@karger.me>
Message-Id: <20200605112519.22714-2-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19969.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index ba1fc0959dc5a20b28c34ffd1249c7248a189ca5..1ce98184114821945ccc68ab86ed3f5424359bcd 100644 (file)
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -763,7 +763,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
     CLEAR(*kt);
     if (strcmp(ciphername, "none") != 0)
     {
-        kt->cipher = cipher_kt_get(translate_cipher_name_from_openvpn(ciphername));
+        kt->cipher = cipher_kt_get(ciphername);
         if (!kt->cipher)
         {
             msg(M_FATAL, "Cipher %s not supported", ciphername);

diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index d46cb63fd8a615cd40ec516488bda0eacd8c4077..85cb084a14ccf0df257274c52e58f186534fb0f0 100644 (file)
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -227,7 +227,8 @@ void cipher_des_encrypt_ecb(const unsigned char key[DES_KEY_LENGTH],
  * initialise encryption/decryption.
  *
  * @param ciphername    Name of the cipher to retrieve parameters for (e.g.
- *                      \c AES-128-CBC).
+ *                      \c AES-128-CBC). Will be translated to the library name
+ *                      from the openvpn config name if needed.
  *
  * @return              A statically allocated structure containing parameters
  *                      for the given cipher, or NULL if no matching parameters

diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
index c8dcddc88aca078d86799ebe2031dd70b163433c..bb752557d349a7f5f8b5ab5145c6a3e52b5c4fa3 100644 (file)
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
@@ -465,6 +465,7 @@ cipher_kt_get(const char *ciphername)
 
     ASSERT(ciphername);
 
+    ciphername = translate_cipher_name_from_openvpn(ciphername);
     cipher = mbedtls_cipher_info_from_string(ciphername);
 
     if (NULL == cipher)

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 6e9868b5a5d1f23d7ea592c092f201c60985dc3e..2027d8dc2c4e50291edeb3a26646c4975eeef8c9 100644 (file)
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -587,6 +587,7 @@ cipher_kt_get(const char *ciphername)
 
     ASSERT(ciphername);
 
+    ciphername = translate_cipher_name_from_openvpn(ciphername);
     cipher = EVP_get_cipherbyname(ciphername);
 
     if (NULL == cipher)

diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c
index 042b0ce053a0cffcb1dc1ff8f60c0db434673fb8..ea1dc960bc83aab4e3a80b3b0a52f0e7aae96369 100644 (file)
--- a/src/openvpn/ssl_ncp.c
+++ b/src/openvpn/ssl_ncp.c
@@ -103,12 +103,12 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc)
     while (token)
     {
         /*
-         * Going through a roundtrip by using translate_cipher_name_from_openvpn
-         * and translate_cipher_name_to_openvpn also normalises the cipher name,
+         * Going through a roundtrip by using cipher_kt_get/cipher_kt_name
+         * (and translate_cipher_name_from_openvpn/
+         * translate_cipher_name_to_openvpn) also normalises the cipher name,
          * e.g. replacing AeS-128-gCm with AES-128-GCM
          */
-        const char *cipher_name = translate_cipher_name_from_openvpn(token);
-        const cipher_kt_t *ktc = cipher_kt_get(cipher_name);
+        const cipher_kt_t *ktc = cipher_kt_get(token);
         if (!ktc)
         {
             msg(M_WARN, "Unsupported cipher in --ncp-ciphers: %s", token);