Detect unusable ciphers on patched OpenSSL of RHEL/Centos
OpenSSL on RHEL 8 and CentOS 8 systems, when these systems are put into FIPS mode, needs extra code to figure out whether a specific cipher algorithm is usable on these systems. This is particularly a problem for data-ciphers, as the errors might occur much later, when a client connects, and these ciphers are not caught during config initialisation. This also prepares for adding Chacha20-Poly1305, when available, to data-ciphers by making the detection logic used to check whether cipher_kt_get returns non-NULL work on these systems. Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: David Sommerseth <davids@openvpn.net> Message-Id: <20210818213354.687736-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22746.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit is contained in:
parent
79367a3fde
commit
8f25cefea1
@ -1806,6 +1806,12 @@ print_cipher(const cipher_kt_t *cipher)
|
||||
{
|
||||
printf(", TLS client/server mode only");
|
||||
}
|
||||
#ifdef OPENSSL_FIPS
|
||||
if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
|
||||
{
|
||||
printf(", disabled by FIPS mode");
|
||||
}
|
||||
#endif
|
||||
|
||||
printf(")\n");
|
||||
}
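Review bot: The FIPS usability test `FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)` is now written out twice, here in print_cipher and again in the cipher_kt_get hunk below, each inside its own `#ifdef OPENSSL_FIPS`; the two copies will drift the next time the FIPS detection has to change (the commit message already anticipates Chacha20-Poly1305 needing it). I would factor it into one small predicate and call it from both places, so that the "why" comment about the RHEL 8/CentOS 8 patched OpenSSL lives in exactly one spot and the `#ifdef` disappears from the call sites. If the two functions are in different translation units, the helper belongs in the crypto backend header rather than as a file-local `static`. print_cipher starts before this hunk.
```c
/* RHEL 8/CentOS 8 ship a patched OpenSSL that still hands out ciphers which
 * are not usable once the system is in FIPS mode; check the FIPS flag
 * explicitly instead of trusting a non-NULL cipher. */
static bool
cipher_kt_fips_disabled(const cipher_kt_t *cipher)
{
#ifdef OPENSSL_FIPS
    return FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS);
#else
    return false;
#endif
}

/* … unchanged: start of print_cipher, TLS client/server mode check … */
    if (cipher_kt_fips_disabled(cipher))
    {
        printf(", disabled by FIPS mode");
    }
/* … unchanged: closing printf(")\n") … */
```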
|
||||
|
@ -599,7 +599,17 @@ cipher_kt_get(const char *ciphername)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
#ifdef OPENSSL_FIPS
|
||||
/* Rhel 8/CentOS 8 have a patched OpenSSL version that return a cipher
|
||||
* here that is actually not usable if in FIPS mode */
|
||||
|
||||
if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
|
||||
{
|
||||
msg(D_LOW, "Cipher algorithm '%s' is known by OpenSSL library but "
|
||||
"currently disabled by running in FIPS mode.", ciphername);
|
||||
return NULL;
|
||||
}
|
||||
#endif
|
||||
if (EVP_CIPHER_key_length(cipher) > MAX_CIPHER_KEY_LENGTH)
|
||||
{
|
||||
msg(D_LOW, "Cipher algorithm '%s' uses a default key size (%d bytes) "
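Review bot: The new `msg(D_LOW, "Cipher algorithm '%s' is known by OpenSSL library but currently disabled by running in FIPS mode.", ciphername);` reports the dropped cipher at a debug level that, as far as I recall, is only printed at `--verb 4` or higher, so an operator who lists a non-FIPS cipher in --data-ciphers at the default verbosity gets no indication that the set of negotiable ciphers was silently narrowed; since the stated goal of the commit is to surface this at config time, consider `M_WARN` (or at least `M_INFO`) for this message, which is the one place the condition is actually detected. This keeps the existing key-length message below at `D_LOW` if that is the intended convention, but a FIPS-disabled cipher is an operator-visible configuration error rather than a diagnostic detail. The rest of cipher_kt_get continues outside the hunk.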
|
||||
|