From: Arne Schwabe Date: Fri, 5 Jun 2020 11:25:17 +0000 (+0200) Subject: Make cipher_kt_name always return normalised cipher name X-Git-Tag: v2.5_beta1~119 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ff531767eafed263d7bd8243138fbb276215000d;p=thirdparty%2Fopenvpn.git Make cipher_kt_name always return normalised cipher name The mbed TLS variant of the call already returned the normalised name while the OpenSSL variant did not. On top of that, all calls but one to cipher_kt_name were translate_cipher_name_to_openvpn. This commit moves the call of translate_cipher_name_to_openvpn into cipher_kt_name or avoids calling it twice in the case of mbed TLS. The one case that did not translate_cipher_name_to_openvpn is an internal ssl_openssl.c method that should call EVP_CIPHER_name anyway. Also simplify cipher_name_cmp function that is only used by openvpn --show-ciphers with the modified cipher_kt_name function. Signed-off-by: Arne Schwabe Acked-by: Steffan Karger Message-Id: <20200605112519.22714-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19970.html Signed-off-by: Gert Doering --- diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 2388027c5..ba1fc0959 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -847,7 +847,7 @@ init_key_ctx(struct key_ctx *ctx, const struct key *key, cipher_ctx_init(ctx->cipher, key->cipher, kt->cipher_length, kt->cipher, enc); - const char *ciphername = translate_cipher_name_to_openvpn(cipher_kt_name(kt->cipher)); + const char *ciphername = cipher_kt_name(kt->cipher); msg(D_HANDSHAKE, "%s: Cipher '%s' initialized with %d bit key", prefix, ciphername, @@ -1810,7 +1810,7 @@ print_cipher(const cipher_kt_t *cipher) " by default" : ""; printf("%s (%d bit key%s, ", - translate_cipher_name_to_openvpn(cipher_kt_name(cipher)), + cipher_kt_name(cipher), cipher_kt_key_size(cipher) * 8, var_key_size); if (cipher_kt_block_size(cipher) == 1) 
diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index 1d206a8ce..d46cb63fd 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -237,6 +237,8 @@ const cipher_kt_t *cipher_kt_get(const char *ciphername); /** * Retrieve a string describing the cipher (e.g. \c AES-128-CBC). + * The returned name is normalised to the OpenVPN config name in case the + * name differs from the name used by the crypto library. * * @param cipher_kt Static cipher parameters * diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 94b6d85b1..6e9868b5a 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -273,12 +273,7 @@ cipher_name_cmp(const void *a, const void *b) const EVP_CIPHER *const *cipher_a = a; const EVP_CIPHER *const *cipher_b = b; - const char *cipher_name_a = - translate_cipher_name_to_openvpn(EVP_CIPHER_name(*cipher_a)); - const char *cipher_name_b = - translate_cipher_name_to_openvpn(EVP_CIPHER_name(*cipher_b)); - - return strcmp(cipher_name_a, cipher_name_b); + return strcmp(cipher_kt_name(*cipher_a), cipher_kt_name(*cipher_b)); } void @@ -620,7 +615,9 @@ cipher_kt_name(const EVP_CIPHER *cipher_kt) { return "[null-cipher]"; } - return EVP_CIPHER_name(cipher_kt); + + const char *name = EVP_CIPHER_name(cipher_kt); + return translate_cipher_name_to_openvpn(name); } int @@ -651,7 +648,7 @@ cipher_kt_block_size(const EVP_CIPHER *cipher) int block_size = EVP_CIPHER_block_size(cipher); - orig_name = cipher_kt_name(cipher); + orig_name = EVP_CIPHER_name(cipher); if (!orig_name) { goto cleanup; diff --git a/src/openvpn/options.c b/src/openvpn/options.c index 9d3a8dfed..16f9da6a9 100644 --- a/src/openvpn/options.c +++ b/src/openvpn/options.c 
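Review bot: In cipher_kt_name() (crypto_openssl.c, hunk at -620) the result of `EVP_CIPHER_name(cipher_kt)` is passed to `translate_cipher_name_to_openvpn()` with no NULL check, while cipher_kt_block_size() in the following hunk still tests `if (!orig_name)` after the same call. This is not new with this commit, since callers previously wrapped the result themselves. But every consumer now goes through this one function, including the `strcmp(cipher_kt_name(*cipher_a), cipher_kt_name(*cipher_b))` added in cipher_name_cmp() and the `%s` uses in crypto.c and options.c, so this is the place to settle it once. Whether the translation helper tolerates NULL is not visible in the diff; if it does not, a guard such as `if (!name) { return "[unknown-cipher]"; }` before the translate call (the placeholder string is only a suggestion, mirroring the existing `"[null-cipher]"` branch) would keep the return value safe for strcmp and printf-style callers. The bodies of both functions start outside their hunks.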
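Review bot: The switch to `orig_name = EVP_CIPHER_name(cipher);` in cipher_kt_block_size() (hunk at -651) has no comment saying why this one call site must bypass cipher_kt_name(). A later cleanup could swap it back and hand the normalised OpenVPN name to code that, judging by the variable name `orig_name`, expects the library's own name. I would add above the assignment: `/* Deliberately the raw OpenSSL name; cipher_kt_name() returns the normalised OpenVPN name */`. The rest of the function lies outside the hunk, so how orig_name is used afterwards cannot be confirmed from here.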
@@ -3782,8 +3782,7 @@ options_string(const struct options *o, init_key_type(&kt, o->ciphername, o->authname, o->keysize, true, false); - buf_printf(&out, ",cipher %s", - translate_cipher_name_to_openvpn(cipher_kt_name(kt.cipher))); + buf_printf(&out, ",cipher %s", cipher_kt_name(kt.cipher)); buf_printf(&out, ",auth %s", md_kt_name(kt.digest)); buf_printf(&out, ",keysize %d", kt.cipher_length * 8); if (o->shared_secret_file) diff --git a/src/openvpn/ssl_ncp.c b/src/openvpn/ssl_ncp.c index 9ed6ff5fa..042b0ce05 100644 --- a/src/openvpn/ssl_ncp.c +++ b/src/openvpn/ssl_ncp.c @@ -116,8 +116,7 @@ mutate_ncp_cipher_list(const char *list, struct gc_arena *gc) } else { - const char *ovpn_cipher_name = - translate_cipher_name_to_openvpn(cipher_kt_name(ktc)); + const char *ovpn_cipher_name = cipher_kt_name(ktc); if (buf_len(&new_list)> 0) {