openvpn: fix patch (#7019)
DavidKorczynski committed Dec 15, 2021
1 parent c2f70d8 commit 7dc31b0
Showing 1 changed file with 13 additions and 18 deletions.
31 changes: 13 additions & 18 deletions projects/openvpn/crypto_patch.txt
@@ -1,5 +1,5 @@
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index a63a2619..dac0ae49 100644
index dc7ba542..68e42fea 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -131,7 +131,10 @@ openvpn_encrypt_aead(struct buffer *buf, struct buffer work,
ASSERT(buf_inc_len(&work, outlen));

/* Write authentication tag */
@@ -723,6 +726,8 @@ warn_insecure_key_type(const char *ciphername, const cipher_kt_t *cipher)
@@ -726,6 +729,8 @@ warn_insecure_key_type(const char *ciphername)
}
}

/*
* Build a struct key_type.
*/
@@ -741,6 +746,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
kt->cipher = cipher_kt_get(ciphername);
if (!kt->cipher)
@@ -744,6 +749,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
{
if (!cipher_valid(ciphername))
{
+ fuzz_success = 0;
msg(M_FATAL, "Cipher %s not supported", ciphername);
}

@@ -753,15 +759,18 @@ init_key_type(struct key_type *kt, const char *ciphername,
@@ -756,11 +762,13 @@ init_key_type(struct key_type *kt, const char *ciphername,
#endif
))
{
msg(M_FATAL, "Cipher '%s' not allowed: block size too big.", ciphername);
}
if (warn)
{
+ fuzz_success = 0;
warn_insecure_key_type(ciphername, kt->cipher);
}
}
@@ -769,6 +778,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
@@ -772,6 +780,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
{
if (warn)
{
+ fuzz_success = 0;
msg(M_WARN, "******* WARNING *******: '--cipher none' was specified. "
"This means NO encryption will be performed and tunnelled "
"data WILL be transmitted in clear text over the network! "
@@ -784,6 +794,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
@@ -791,6 +800,7 @@ init_key_type(struct key_type *kt, const char *ciphername,

if (OPENVPN_MAX_HMAC_SIZE < hmac_length)
{
+ fuzz_success = 0;
msg(M_FATAL, "HMAC '%s' not allowed: digest size too big.", authname);
}
}
@@ -792,6 +803,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
@@ -799,6 +809,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
{
if (warn)
{
+ fuzz_success = 0;
msg(M_WARN, "******* WARNING *******: '--auth none' was specified. "
"This means no authentication will be performed on received "
"packets, meaning you CANNOT trust that the data received by "
@@ -799,6 +811,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
@@ -806,6 +817,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
"PLEASE DO RECONSIDER THIS SETTING!");
}
}
+ fuzz_success = 1;
}

/* given a key and key_type, build a key_ctx */
@@ -966,6 +979,7 @@ generate_key_random(struct key *key, const struct key_type *kt)
@@ -973,6 +985,7 @@ generate_key_random(struct key *key, const struct key_type *kt)
if (!rand_bytes(key->cipher, cipher_len)
|| !rand_bytes(key->hmac, hmac_len))
{
+ fuzz_success = 0;
msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation");
}

@@ -975,6 +989,7 @@ generate_key_random(struct key *key, const struct key_type *kt)
@@ -982,6 +995,7 @@ generate_key_random(struct key *key, const struct key_type *kt)
} while (kt && !check_key(key, kt));

gc_free(&gc);
+ fuzz_success = 1;
}

/*
@@ -1313,10 +1328,14 @@ read_key_file(struct key2 *key2, const char *file, const unsigned int flags)
@@ -1320,10 +1334,14 @@ read_key_file(struct key2 *key2, const char *file, const unsigned int flags)

if (state != PARSE_FINISHED)
{
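Review bot: The rebased patch now carries new blob ids (`index dc7ba542..68e42fea`) and shifted hunk offsets for every hunk, but nothing in crypto_patch.txt records which upstream openvpn revision it was regenerated against, so the next time `src/openvpn/crypto.c` moves the breakage will again surface only as a build failure. Both `git apply` and `patch` ignore free text ahead of the first `diff --git` line, so a single leading line such as `Regenerated against openvpn commit <UPSTREAM-COMMIT-ID>` would document the target without affecting application. It would also be worth stating there that the `fuzz_success` writes placed before `msg(M_FATAL, ...)` depend on the fuzz build overriding the normal fatal-exit path, since that is not visible from this patch; I am inferring that from the placement rather than from the hunk. The final `read_key_file` hunk continues past the end of what is shown here.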
