Arne Schwabe wrote:
On 16.08.12 10:38, Heiko Hund wrote:
cipher_ctx_final() only returns an outlen in CBC mode. If CFB or OFB
are used the assertion outlen == iv_len is always false.

There's no CBC mode defined for the GOST 28147-89 block cipher. Hence
this patch is needed for it to work. It's needed for other ciphers like
BF-CFB as well, though.

Signed-off-by: Heiko Hund <heiko.h...@sophos.com>
---
 src/openvpn/crypto.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index ac2eecd..2f67e5e 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -153,7 +153,7 @@ openvpn_encrypt (struct buffer *buf, struct buffer work,
          /* Flush the encryption buffer */
          ASSERT(cipher_ctx_final(ctx->cipher, BPTR (&work) + outlen, &outlen));
          work.len += outlen;
-         ASSERT (outlen == iv_size);
+         ASSERT (mode != OPENVPN_MODE_CBC || outlen == iv_size);
/* prepend the IV to the ciphertext */
          if (opt->flags & CO_USE_IV)
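
Review bot: in the changed ASSERT, the non-CBC branch no longer checks outlen at all, so whatever cipher_ctx_final() writes there has already been added to work.len on the line above without validation. The commit message says cipher_ctx_final() only returns an outlen in CBC mode, so the assertion can state that expectation for both cases, for example `ASSERT (mode == OPENVPN_MODE_CBC ? outlen == iv_size : outlen == 0);`, with a short comment explaining why only CBC yields a final block. The definition of `mode` lies outside the visible context, so confirm it is in scope here, and run `openvpn --test-crypto` with a CFB or OFB cipher to show the encrypt/decrypt round trip still passes.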

I have a user of my app that also tripped over this assert line:

eeeehhh - removing the assert is nice, but do the other ciphers actually *WORK* after that? does the test
 openvpn --test-crypto
pass after that? I remember commenting out the assert for a few elliptic curve ciphers, but openvpn was still not able to encrypt/decrypt traffic successfully.


JJK

