openssl enc doesn't really support AEAD ciphers and XTS mode

Do not display such ciphers in the usage display and error out if they are given. As pointed out by Pauli Dale, the current situation is confusing. Fixes GH issues #786 and #819 ok jsing
author: tb <> 2023-03-04 21:58:54 +0000
committer: tb <> 2023-03-04 21:58:54 +0000
commit: ad2ac0541e01a33248c12fc85d8e27f5746f82df (patch)
tree: d9b96920dc0a56ea4d8a85dec650f3520dd2c62d /src/usr.bin/openssl/enc.c
parent: be594807b1f75a62f74edd26d7a68bbaf76e0eff (diff)
download: openbsd-ad2ac0541e01a33248c12fc85d8e27f5746f82df.tar.gz
openbsd-ad2ac0541e01a33248c12fc85d8e27f5746f82df.tar.bz2
openbsd-ad2ac0541e01a33248c12fc85d8e27f5746f82df.zip
1 files changed, 30 insertions, 2 deletions
diff --git a/src/usr.bin/openssl/enc.c b/src/usr.bin/openssl/enc.c
index 5a07113f7c..6be0a30dec 100644
--- a/src/usr.bin/openssl/enc.c
+++ b/src/usr.bin/openssl/enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: enc.c,v 1.25 2022/11/11 17:07:39 joshua Exp $ */
+/* $OpenBSD: enc.c,v 1.26 2023/03/04 21:58:54 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -304,6 +304,22 @@ static const struct option enc_options[] = {
 };
 static void
+skip_aead_and_xts(const OBJ_NAME *name, void *arg)
+{
+        const EVP_CIPHER *cipher;
+        if ((cipher = EVP_get_cipherbyname(name->name)) == NULL)
+                return;
+        if ((EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0)
+                return;
+        if (EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE)
+                return;
+        show_cipher(name, arg);
+}
+static void
 enc_usage(void)
 {
        int n = 0;
@@ -318,7 +334,7 @@ enc_usage(void)
        fprintf(stderr, "\n");
        fprintf(stderr, "Valid ciphername values:\n\n");
-        OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH, show_cipher, &n);
+        OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH, skip_aead_and_xts, &n);
        fprintf(stderr, "\n");
 }
@@ -412,6 +428,18 @@ enc_main(int argc, char **argv)
                enc_config.keystr = buf;
        }
+        if (enc_config.cipher != NULL &&
+            (EVP_CIPHER_flags(enc_config.cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) {
+                BIO_printf(bio_err, "enc does not support AEAD ciphers\n");
+                goto end;
+        }
+        if (enc_config.cipher != NULL &&
+            EVP_CIPHER_mode(enc_config.cipher) == EVP_CIPH_XTS_MODE) {
+                BIO_printf(bio_err, "enc does not support XTS mode\n");
+                goto end;
+        }
        if (enc_config.md != NULL &&
            (dgst = EVP_get_digestbyname(enc_config.md)) == NULL) {
                BIO_printf(bio_err,
author	tb <>	2023-03-04 21:58:54 +0000
committer	tb <>	2023-03-04 21:58:54 +0000
commit	ad2ac0541e01a33248c12fc85d8e27f5746f82df (patch)
tree	d9b96920dc0a56ea4d8a85dec650f3520dd2c62d /src/usr.bin/openssl/enc.c
parent	be594807b1f75a62f74edd26d7a68bbaf76e0eff (diff)
download	openbsd-ad2ac0541e01a33248c12fc85d8e27f5746f82df.tar.gz openbsd-ad2ac0541e01a33248c12fc85d8e27f5746f82df.tar.bz2 openbsd-ad2ac0541e01a33248c12fc85d8e27f5746f82df.zip

diff --git a/src/usr.bin/openssl/enc.c b/src/usr.bin/openssl/enc.c index 5a07113f7c..6be0a30dec 100644 --- a/src/usr.bin/openssl/enc.c +++ b/src/usr.bin/openssl/enc.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: enc.c,v 1.25 2022/11/11 17:07:39 joshua Exp $ */	1	/* $OpenBSD: enc.c,v 1.26 2023/03/04 21:58:54 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -304,6 +304,22 @@ static const struct option enc_options[] = {
304	};	304	};
305		305
306	static void	306	static void
		307	skip_aead_and_xts(const OBJ_NAME name, void arg)
		308	{
		309	const EVP_CIPHER *cipher;
		310
		311	if ((cipher = EVP_get_cipherbyname(name->name)) == NULL)
		312	return;
		313
		314	if ((EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0)
		315	return;
		316	if (EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE)
		317	return;
		318
		319	show_cipher(name, arg);
		320	}
		321
		322	static void
307	enc_usage(void)	323	enc_usage(void)
308	{	324	{
309	int n = 0;	325	int n = 0;
@@ -318,7 +334,7 @@ enc_usage(void)
318	fprintf(stderr, "\n");	334	fprintf(stderr, "\n");
319		335
320	fprintf(stderr, "Valid ciphername values:\n\n");	336	fprintf(stderr, "Valid ciphername values:\n\n");
321	OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH, show_cipher, &n);	337	OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH, skip_aead_and_xts, &n);
322	fprintf(stderr, "\n");	338	fprintf(stderr, "\n");
323	}	339	}
324		340
@@ -412,6 +428,18 @@ enc_main(int argc, char **argv)
412	enc_config.keystr = buf;	428	enc_config.keystr = buf;
413	}	429	}
414		430
		431	if (enc_config.cipher != NULL &&
		432	(EVP_CIPHER_flags(enc_config.cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) != 0) {
		433	BIO_printf(bio_err, "enc does not support AEAD ciphers\n");
		434	goto end;
		435	}
		436
		437	if (enc_config.cipher != NULL &&
		438	EVP_CIPHER_mode(enc_config.cipher) == EVP_CIPH_XTS_MODE) {
		439	BIO_printf(bio_err, "enc does not support XTS mode\n");
		440	goto end;
		441	}
		442
415	if (enc_config.md != NULL &&	443	if (enc_config.md != NULL &&
416	(dgst = EVP_get_digestbyname(enc_config.md)) == NULL) {	444	(dgst = EVP_get_digestbyname(enc_config.md)) == NULL) {
417	BIO_printf(bio_err,	445	BIO_printf(bio_err,