Replace EVP_get_cipherbyname with EVP_CIPHER_fetch
authorArne Schwabe <arne@rfc2549.org>
Tue, 19 Oct 2021 18:31:16 +0000 (20:31 +0200)
committerGert Doering <gert@greenie.muc.de>
Mon, 1 Nov 2021 19:44:28 +0000 (20:44 +0100)
In OpenSSL 3.0 EVP_get_cipherbyname returns a non-NULL algorithm
even if the algorithm is not available with the currently available
provider. Luckily EVP_get_cipherbyname can be used here as a drop-in
replacement and returns non-NULL only if the algorithm is actually
currently supported.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
Message-Id: <20211019183127.614175-11-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23005.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
src/openvpn/crypto_openssl.c
src/openvpn/openssl_compat.h

index 6b18551eade984ac79075b73f69376c1dab0d825..66cc38255a8a11f6ab890ac65e142cf3f4a76f08 100644 (file)
@@ -576,7 +576,7 @@ cipher_kt_get(const char *ciphername)
     ASSERT(ciphername);
 
     ciphername = translate_cipher_name_from_openvpn(ciphername);
-    cipher = EVP_get_cipherbyname(ciphername);
+    cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);
 
     if (NULL == cipher)
     {
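Review bot: The object returned by `EVP_CIPHER_fetch(NULL, ciphername, NULL)` in cipher_kt_get is reference-counted in OpenSSL 3.0 and is never released in the visible lines; the OpenSSL documentation pairs every fetch with `EVP_CIPHER_free()`. The same applies to `cbc_cipher` in cipher_kt_block_size and to `EVP_MD_fetch` in md_kt_get, which needs `EVP_MD_free()`. In cipher_kt_block_size the fetched object appears to be needed only for `EVP_CIPHER_block_size(cbc_cipher)`, so an `EVP_CIPHER_free()` on it right after that call would be enough there. The two getters presumably hand the pointer back to the caller, so their header comments should say who releases it. All three functions continue outside their hunks, so a release further down cannot be ruled out from here.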
@@ -662,7 +662,7 @@ cipher_kt_block_size(const EVP_CIPHER *cipher)
 
     strcpy(mode_str, "-CBC");
 
-    cbc_cipher = EVP_get_cipherbyname(translate_cipher_name_from_openvpn(name));
+    cbc_cipher = EVP_CIPHER_fetch(NULL,translate_cipher_name_from_openvpn(name), NULL);
     if (cbc_cipher)
     {
         block_size = EVP_CIPHER_block_size(cbc_cipher);
@@ -885,7 +885,7 @@ md_kt_get(const char *digest)
 {
     const EVP_MD *md = NULL;
     ASSERT(digest);
-    md = EVP_get_digestbyname(digest);
+    md = EVP_MD_fetch(NULL, digest, NULL);
     if (!md)
     {
         crypto_msg(M_FATAL, "Message hash algorithm '%s' not found", digest);
index 3951d9aca554bcc4e6720eb64b5804d19cbeb6ce..9049b09d6a7829839a8ea94e7d46254f99a62903 100644 (file)
@@ -754,4 +754,25 @@ int EVP_PKEY_get_group_name(EVP_PKEY *pkey, char *gname, size_t gname_sz,
     return 1;
 }
 #endif
+
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+/* Mimics the functions but only when the default context without
+ * options is chosen */
+static inline const EVP_CIPHER *
+EVP_CIPHER_fetch(void *ctx, const char *algorithm, const char *properties)
+{
+    ASSERT(!ctx);
+    ASSERT(!properties);
+    return EVP_get_cipherbyname(algorithm);
+}
+
+static inline const EVP_MD*
+EVP_MD_fetch(void *ctx, const char *algorithm, const char *properties)
+{
+    ASSERT(!ctx);
+    ASSERT(!properties);
+    return EVP_get_digestbyname(algorithm);
+}
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+
 #endif /* OPENSSL_COMPAT_H_ */
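Review bot: The pre-3.0 shims provide `EVP_CIPHER_fetch` and `EVP_MD_fetch` but no matching `EVP_CIPHER_free` / `EVP_MD_free`, so call sites have no version-independent way to release a fetched algorithm. No-op inline counterparts under the same `#if OPENSSL_VERSION_NUMBER < 0x30000000L` guard would let callers free unconditionally. The comment above the shims should also spell out the semantic gap, for example `/* Pre-3.0 fallback: returns a static, non-refcounted algorithm and cannot report whether it is actually usable; only ctx == NULL and properties == NULL are supported. */`. The two `ASSERT()` checks presumably abort the process, so that restriction matters to anyone adding a caller with a non-default library context or property query.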