All supported crypto libraries have AEAD support and with our
ncp/de facto default cipher AES-256-GCM we do not want to support
the obscure corner case of a library with disabled AEAD.
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Patch V2: Remove three instances of (harmless) #ifdef Steffan spotted
that can be removed now too.
Acked-by: Steffan Karger <steffan.karger@foxcrypto.com>
Message-Id: <20200720121704.20333-1-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20506.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -907,11 +907,10 @@ if test "${with_crypto_library}" = "openssl"; then |
907 | 907 |
AC_DEFINE([HAVE_OPENSSL_ENGINE], [1], [OpenSSL engine support available]) |
908 | 908 |
fi |
909 | 909 |
|
910 |
- have_crypto_aead_modes="yes" |
|
911 | 910 |
AC_CHECK_FUNC( |
912 | 911 |
[EVP_aes_256_gcm], |
913 | 912 |
, |
914 |
- [have_crypto_aead_modes="no"] |
|
913 |
+ [AC_MSG_ERROR([OpenSSL check for AES-256-GCM support failed])] |
|
915 | 914 |
) |
916 | 915 |
|
917 | 916 |
# All supported OpenSSL version (>= 1.0.2) |
... | ... |
@@ -1005,14 +1004,13 @@ elif test "${with_crypto_library}" = "mbedtls"; then |
1005 | 1005 |
[AC_MSG_ERROR([mbed TLS 2.y.z required])] |
1006 | 1006 |
) |
1007 | 1007 |
|
1008 |
- have_crypto_aead_modes="yes" |
|
1009 | 1008 |
AC_CHECK_FUNCS( |
1010 | 1009 |
[ \ |
1011 | 1010 |
mbedtls_cipher_write_tag \ |
1012 | 1011 |
mbedtls_cipher_check_tag \ |
1013 | 1012 |
], |
1014 | 1013 |
, |
1015 |
- [have_crypto_aead_modes="no"; break] |
|
1014 |
+ [AC_MSG_ERROR([mbed TLS check for AEAD support failed])] |
|
1016 | 1015 |
) |
1017 | 1016 |
|
1018 | 1017 |
have_export_keying_material="yes" |
... | ... |
@@ -1227,7 +1225,6 @@ test "${enable_pf}" = "yes" && AC_DEFINE([ENABLE_PF], [1], [Enable internal pack |
1227 | 1227 |
test "${enable_strict_options}" = "yes" && AC_DEFINE([ENABLE_STRICT_OPTIONS_CHECK], [1], [Enable strict options check between peers]) |
1228 | 1228 |
|
1229 | 1229 |
test "${enable_crypto_ofb_cfb}" = "yes" && AC_DEFINE([ENABLE_OFB_CFB_MODE], [1], [Enable OFB and CFB cipher modes]) |
1230 |
-test "${have_crypto_aead_modes}" = "yes" && AC_DEFINE([HAVE_AEAD_CIPHER_MODES], [1], [Use crypto library]) |
|
1231 | 1230 |
if test "${have_export_keying_material}" = "yes"; then |
1232 | 1231 |
AC_DEFINE( |
1233 | 1232 |
[HAVE_EXPORT_KEYING_MATERIAL], [1], |
... | ... |
@@ -64,7 +64,6 @@ static void |
64 | 64 |
openvpn_encrypt_aead(struct buffer *buf, struct buffer work, |
65 | 65 |
struct crypto_options *opt) |
66 | 66 |
{ |
67 |
-#ifdef HAVE_AEAD_CIPHER_MODES |
|
68 | 67 |
struct gc_arena gc; |
69 | 68 |
int outlen = 0; |
70 | 69 |
const struct key_ctx *ctx = &opt->key_ctx_bi.encrypt; |
... | ... |
@@ -152,9 +151,6 @@ err: |
152 | 152 |
buf->len = 0; |
153 | 153 |
gc_free(&gc); |
154 | 154 |
return; |
155 |
-#else /* HAVE_AEAD_CIPHER_MODES */ |
|
156 |
- ASSERT(0); |
|
157 |
-#endif /* ifdef HAVE_AEAD_CIPHER_MODES */ |
|
158 | 155 |
} |
159 | 156 |
|
160 | 157 |
static void |
... | ... |
@@ -361,7 +357,6 @@ openvpn_decrypt_aead(struct buffer *buf, struct buffer work, |
361 | 361 |
struct crypto_options *opt, const struct frame *frame, |
362 | 362 |
const uint8_t *ad_start) |
363 | 363 |
{ |
364 |
-#ifdef HAVE_AEAD_CIPHER_MODES |
|
365 | 364 |
static const char error_prefix[] = "AEAD Decrypt error"; |
366 | 365 |
struct packet_id_net pin = { 0 }; |
367 | 366 |
const struct key_ctx *ctx = &opt->key_ctx_bi.decrypt; |
... | ... |
@@ -482,10 +477,6 @@ error_exit: |
482 | 482 |
buf->len = 0; |
483 | 483 |
gc_free(&gc); |
484 | 484 |
return false; |
485 |
-#else /* HAVE_AEAD_CIPHER_MODES */ |
|
486 |
- ASSERT(0); |
|
487 |
- return false; |
|
488 |
-#endif /* ifdef HAVE_AEAD_CIPHER_MODES */ |
|
489 | 485 |
} |
490 | 486 |
|
491 | 487 |
/* |
... | ... |
@@ -1104,7 +1095,6 @@ test_crypto(struct crypto_options *co, struct frame *frame) |
1104 | 1104 |
/* init work */ |
1105 | 1105 |
ASSERT(buf_init(&work, FRAME_HEADROOM(frame))); |
1106 | 1106 |
|
1107 |
-#ifdef HAVE_AEAD_CIPHER_MODES |
|
1108 | 1107 |
/* init implicit IV */ |
1109 | 1108 |
{ |
1110 | 1109 |
const cipher_kt_t *cipher = |
... | ... |
@@ -1126,7 +1116,6 @@ test_crypto(struct crypto_options *co, struct frame *frame) |
1126 | 1126 |
co->key_ctx_bi.decrypt.implicit_iv_len = impl_iv_len; |
1127 | 1127 |
} |
1128 | 1128 |
} |
1129 |
-#endif /* ifdef HAVE_AEAD_CIPHER_MODES */ |
|
1130 | 1129 |
|
1131 | 1130 |
msg(M_INFO, "Entering " PACKAGE_NAME " crypto self-test mode."); |
1132 | 1131 |
for (i = 1; i <= TUN_MTU_SIZE(frame); ++i) |
... | ... |
@@ -530,12 +530,10 @@ cipher_kt_block_size(const mbedtls_cipher_info_t *cipher_kt) |
530 | 530 |
int |
531 | 531 |
cipher_kt_tag_size(const mbedtls_cipher_info_t *cipher_kt) |
532 | 532 |
{ |
533 |
-#ifdef HAVE_AEAD_CIPHER_MODES |
|
534 | 533 |
if (cipher_kt && cipher_kt_mode_aead(cipher_kt)) |
535 | 534 |
{ |
536 | 535 |
return OPENVPN_AEAD_TAG_LENGTH; |
537 | 536 |
} |
538 |
-#endif |
|
539 | 537 |
return 0; |
540 | 538 |
} |
541 | 539 |
|
... | ... |
@@ -632,7 +630,6 @@ cipher_ctx_iv_length(const mbedtls_cipher_context_t *ctx) |
632 | 632 |
int |
633 | 633 |
cipher_ctx_get_tag(cipher_ctx_t *ctx, uint8_t *tag, int tag_len) |
634 | 634 |
{ |
635 |
-#ifdef HAVE_AEAD_CIPHER_MODES |
|
636 | 635 |
if (tag_len > SIZE_MAX) |
637 | 636 |
{ |
638 | 637 |
return 0; |
... | ... |
@@ -644,9 +641,6 @@ cipher_ctx_get_tag(cipher_ctx_t *ctx, uint8_t *tag, int tag_len) |
644 | 644 |
} |
645 | 645 |
|
646 | 646 |
return 1; |
647 |
-#else /* ifdef HAVE_AEAD_CIPHER_MODES */ |
|
648 |
- ASSERT(0); |
|
649 |
-#endif /* HAVE_AEAD_CIPHER_MODES */ |
|
650 | 647 |
} |
651 | 648 |
|
652 | 649 |
int |
... | ... |
@@ -688,7 +682,6 @@ cipher_ctx_reset(mbedtls_cipher_context_t *ctx, const uint8_t *iv_buf) |
688 | 688 |
int |
689 | 689 |
cipher_ctx_update_ad(cipher_ctx_t *ctx, const uint8_t *src, int src_len) |
690 | 690 |
{ |
691 |
-#ifdef HAVE_AEAD_CIPHER_MODES |
|
692 | 691 |
if (src_len > SIZE_MAX) |
693 | 692 |
{ |
694 | 693 |
return 0; |
... | ... |
@@ -700,9 +693,6 @@ cipher_ctx_update_ad(cipher_ctx_t *ctx, const uint8_t *src, int src_len) |
700 | 700 |
} |
701 | 701 |
|
702 | 702 |
return 1; |
703 |
-#else /* ifdef HAVE_AEAD_CIPHER_MODES */ |
|
704 |
- ASSERT(0); |
|
705 |
-#endif /* HAVE_AEAD_CIPHER_MODES */ |
|
706 | 703 |
} |
707 | 704 |
|
708 | 705 |
int |
... | ... |
@@ -741,7 +731,6 @@ int |
741 | 741 |
cipher_ctx_final_check_tag(mbedtls_cipher_context_t *ctx, uint8_t *dst, |
742 | 742 |
int *dst_len, uint8_t *tag, size_t tag_len) |
743 | 743 |
{ |
744 |
-#ifdef HAVE_AEAD_CIPHER_MODES |
|
745 | 744 |
size_t olen = 0; |
746 | 745 |
|
747 | 746 |
if (MBEDTLS_DECRYPT != ctx->operation) |
... | ... |
@@ -773,9 +762,6 @@ cipher_ctx_final_check_tag(mbedtls_cipher_context_t *ctx, uint8_t *dst, |
773 | 773 |
} |
774 | 774 |
|
775 | 775 |
return 1; |
776 |
-#else /* ifdef HAVE_AEAD_CIPHER_MODES */ |
|
777 |
- ASSERT(0); |
|
778 |
-#endif /* HAVE_AEAD_CIPHER_MODES */ |
|
779 | 776 |
} |
780 | 777 |
|
781 | 778 |
void |
... | ... |
@@ -301,9 +301,7 @@ show_available_ciphers(void) |
301 | 301 |
#ifdef ENABLE_OFB_CFB_MODE |
302 | 302 |
|| cipher_kt_mode_ofb_cfb(cipher) |
303 | 303 |
#endif |
304 |
-#ifdef HAVE_AEAD_CIPHER_MODES |
|
305 | 304 |
|| cipher_kt_mode_aead(cipher) |
306 |
-#endif |
|
307 | 305 |
)) |
308 | 306 |
{ |
309 | 307 |
cipher_list[num_ciphers++] = cipher; |
... | ... |
@@ -710,11 +708,8 @@ bool |
710 | 710 |
cipher_kt_mode_cbc(const cipher_kt_t *cipher) |
711 | 711 |
{ |
712 | 712 |
return cipher && cipher_kt_mode(cipher) == OPENVPN_MODE_CBC |
713 |
-#ifdef EVP_CIPH_FLAG_AEAD_CIPHER |
|
714 | 713 |
/* Exclude AEAD cipher modes, they require a different API */ |
715 |
- && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) |
|
716 |
-#endif |
|
717 |
- ; |
|
714 |
+ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER); |
|
718 | 715 |
} |
719 | 716 |
|
720 | 717 |
bool |
... | ... |
@@ -722,17 +717,13 @@ cipher_kt_mode_ofb_cfb(const cipher_kt_t *cipher) |
722 | 722 |
{ |
723 | 723 |
return cipher && (cipher_kt_mode(cipher) == OPENVPN_MODE_OFB |
724 | 724 |
|| cipher_kt_mode(cipher) == OPENVPN_MODE_CFB) |
725 |
-#ifdef EVP_CIPH_FLAG_AEAD_CIPHER |
|
726 | 725 |
/* Exclude AEAD cipher modes, they require a different API */ |
727 |
- && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) |
|
728 |
-#endif |
|
729 |
- ; |
|
726 |
+ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER); |
|
730 | 727 |
} |
731 | 728 |
|
732 | 729 |
bool |
733 | 730 |
cipher_kt_mode_aead(const cipher_kt_t *cipher) |
734 | 731 |
{ |
735 |
-#ifdef HAVE_AEAD_CIPHER_MODES |
|
736 | 732 |
if (cipher) |
737 | 733 |
{ |
738 | 734 |
switch (EVP_CIPHER_nid(cipher)) |
... | ... |
@@ -746,7 +737,6 @@ cipher_kt_mode_aead(const cipher_kt_t *cipher) |
746 | 746 |
return true; |
747 | 747 |
} |
748 | 748 |
} |
749 |
-#endif |
|
750 | 749 |
|
751 | 750 |
return false; |
752 | 751 |
} |
... | ... |
@@ -806,11 +796,7 @@ cipher_ctx_iv_length(const EVP_CIPHER_CTX *ctx) |
806 | 806 |
int |
807 | 807 |
cipher_ctx_get_tag(EVP_CIPHER_CTX *ctx, uint8_t *tag_buf, int tag_size) |
808 | 808 |
{ |
809 |
-#ifdef HAVE_AEAD_CIPHER_MODES |
|
810 | 809 |
return EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, tag_size, tag_buf); |
811 |
-#else |
|
812 |
- ASSERT(0); |
|
813 |
-#endif |
|
814 | 810 |
} |
815 | 811 |
|
816 | 812 |
int |
... | ... |
@@ -841,16 +827,12 @@ cipher_ctx_reset(EVP_CIPHER_CTX *ctx, const uint8_t *iv_buf) |
841 | 841 |
int |
842 | 842 |
cipher_ctx_update_ad(EVP_CIPHER_CTX *ctx, const uint8_t *src, int src_len) |
843 | 843 |
{ |
844 |
-#ifdef HAVE_AEAD_CIPHER_MODES |
|
845 | 844 |
int len; |
846 | 845 |
if (!EVP_CipherUpdate(ctx, NULL, &len, src, src_len)) |
847 | 846 |
{ |
848 | 847 |
crypto_msg(M_FATAL, "%s: EVP_CipherUpdate() failed", __func__); |
849 | 848 |
} |
850 | 849 |
return 1; |
851 |
-#else /* ifdef HAVE_AEAD_CIPHER_MODES */ |
|
852 |
- ASSERT(0); |
|
853 |
-#endif |
|
854 | 850 |
} |
855 | 851 |
|
856 | 852 |
int |
... | ... |
@@ -874,7 +856,6 @@ int |
874 | 874 |
cipher_ctx_final_check_tag(EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len, |
875 | 875 |
uint8_t *tag, size_t tag_len) |
876 | 876 |
{ |
877 |
-#ifdef HAVE_AEAD_CIPHER_MODES |
|
878 | 877 |
ASSERT(tag_len < SIZE_MAX); |
879 | 878 |
if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, tag_len, tag)) |
880 | 879 |
{ |
... | ... |
@@ -882,9 +863,6 @@ cipher_ctx_final_check_tag(EVP_CIPHER_CTX *ctx, uint8_t *dst, int *dst_len, |
882 | 882 |
} |
883 | 883 |
|
884 | 884 |
return cipher_ctx_final(ctx, dst, dst_len); |
885 |
-#else /* ifdef HAVE_AEAD_CIPHER_MODES */ |
|
886 |
- ASSERT(0); |
|
887 |
-#endif |
|
888 | 885 |
} |
889 | 886 |
|
890 | 887 |
void |
... | ... |
@@ -61,13 +61,9 @@ typedef HMAC_CTX hmac_ctx_t; |
61 | 61 |
/** Cipher is in CFB mode */ |
62 | 62 |
#define OPENVPN_MODE_CFB EVP_CIPH_CFB_MODE |
63 | 63 |
|
64 |
-#ifdef HAVE_AEAD_CIPHER_MODES |
|
65 |
- |
|
66 | 64 |
/** Cipher is in GCM mode */ |
67 | 65 |
#define OPENVPN_MODE_GCM EVP_CIPH_GCM_MODE |
68 | 66 |
|
69 |
-#endif /* HAVE_AEAD_CIPHER_MODES */ |
|
70 |
- |
|
71 | 67 |
/** Cipher should encrypt */ |
72 | 68 |
#define OPENVPN_OP_ENCRYPT 1 |
73 | 69 |
|
... | ... |
@@ -104,9 +104,7 @@ const char title_string[] = |
104 | 104 |
" [MH/RECVDA]" |
105 | 105 |
#endif |
106 | 106 |
#endif |
107 |
-#ifdef HAVE_AEAD_CIPHER_MODES |
|
108 | 107 |
" [AEAD]" |
109 |
-#endif |
|
110 | 108 |
" built on " __DATE__ |
111 | 109 |
; |
112 | 110 |
|
... | ... |
@@ -871,11 +869,7 @@ init_options(struct options *o, const bool init_gc) |
871 | 871 |
o->scheduled_exit_interval = 5; |
872 | 872 |
#endif |
873 | 873 |
o->ciphername = "BF-CBC"; |
874 |
-#ifdef HAVE_AEAD_CIPHER_MODES /* IV_NCP=2 requires GCM support */ |
|
875 | 874 |
o->ncp_enabled = true; |
876 |
-#else |
|
877 |
- o->ncp_enabled = false; |
|
878 |
-#endif |
|
879 | 875 |
o->ncp_ciphers = "AES-256-GCM:AES-128-GCM"; |
880 | 876 |
o->authname = "SHA1"; |
881 | 877 |
o->prng_hash = "SHA1"; |