OpenVPN/openvpn
1
0
Fork 0
mirror of https://github.com/OpenVPN/openvpn.git synced 2025-05-09 05:31:05 +08:00
Code Issues Packages Projects Releases Wiki Activity

Workaround issue in LibreSSL crashing when enumerating digests/ciphers

Browse Source 
OpenBSD/LibreSSL reimplemented EVP_get_cipherbyname/EVP_get_digestbyname
and broke calling EVP_get_cipherbynid/EVP_get_digestbyname with an
invalid nid in the process so that it would segfault.

Workaround but doing that NULL check in OpenVPN instead of leaving it
to the library.

Github: see also https://github.com/libressl/openbsd/issues/150

Change-Id: Ia08a9697d0ff41721fb0acf17ccb4cfa23cb3934
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20240508220540.12554-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28649.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
This commit is contained in:
Arne Schwabe 2024-05-09 00:05:40 +02:00 committed by Gert Doering
parent d5ba4acc29
commit b3a271b117
1 changed files with 25 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
src/openvpn/crypto_openssl.c
View File

@ -387,7 +387,19 @@ show_available_ciphers(void)
#else #else
for (int nid = 0; nid < 10000; ++nid) for (int nid = 0; nid < 10000; ++nid)
{ {
#if defined(LIBRESSL_VERSION_NUMBER)
/* OpenBSD/LibreSSL reimplemented EVP_get_cipherbyname and broke
* calling EVP_get_cipherbynid with an invalid nid in the process
* so that it would segfault. */
const EVP_CIPHER *cipher = NULL;
const char *name = OBJ_nid2sn(nid);
if (name)
{
cipher = EVP_get_cipherbyname(name);
}
#else /* if defined(LIBRESSL_VERSION_NUMBER) */
const EVP_CIPHER *cipher = EVP_get_cipherbynid(nid); const EVP_CIPHER *cipher = EVP_get_cipherbynid(nid);
#endif
/* We cast the const away so we can keep the function prototype /* We cast the const away so we can keep the function prototype
* compatible with EVP_CIPHER_do_all_provided */ * compatible with EVP_CIPHER_do_all_provided */
collect_ciphers((EVP_CIPHER *) cipher, &cipher_list); collect_ciphers((EVP_CIPHER *) cipher, &cipher_list);
@ -441,7 +453,19 @@ show_available_digests(void)
#else #else
for (int nid = 0; nid < 10000; ++nid) for (int nid = 0; nid < 10000; ++nid)
{ {
/* OpenBSD/LibreSSL reimplemented EVP_get_digestbyname and broke
* calling EVP_get_digestbynid with an invalid nid in the process
* so that it would segfault. */
#ifdef LIBRESSL_VERSION_NUMBER
const EVP_MD *digest = NULL;
const char *name = OBJ_nid2sn(nid);
if (name)
{
digest = EVP_get_digestbyname(name);
}
#else /* ifdef LIBRESSL_VERSION_NUMBER */
const EVP_MD *digest = EVP_get_digestbynid(nid); const EVP_MD *digest = EVP_get_digestbynid(nid);
#endif
if (digest) if (digest)
{ {
/* We cast the const away so we can keep the function prototype /* We cast the const away so we can keep the function prototype
@ -449,7 +473,7 @@ show_available_digests(void)
print_digest((EVP_MD *)digest, NULL); print_digest((EVP_MD *)digest, NULL);
} }
} }
#endif #endif /* if OPENSSL_VERSION_NUMBER >= 0x30000000L */
printf("\n"); printf("\n");
} }