Arne Schwabe wrote:
Am 16.08.12 10:38, schrieb Heiko Hund:
cipher_ctx_final() only returns an outlen in CBC mode. If CFB or OFB
are used the assertion outlen == iv_len is always false.
There's no CBC mode defined for the GOST 28147-89 block cipher. Hence
this patch is needed for it to work. It's needed for other ciphers like
BF-CFB as well, though.
Signed-off-by: Heiko Hund <heiko.h...@sophos.com>
---
src/openvpn/crypto.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index ac2eecd..2f67e5e 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -153,7 +153,7 @@ openvpn_encrypt (struct buffer *buf, struct buffer work,
/* Flush the encryption buffer */
ASSERT(cipher_ctx_final(ctx->cipher, BPTR (&work) + outlen, &outlen));
work.len += outlen;
- ASSERT (outlen == iv_size);
+ ASSERT (mode != OPENVPN_MODE_CBC || outlen == iv_size);
/* prepend the IV to the ciphertext */
if (opt->flags & CO_USE_IV)
I have a user of my app that also tripped over this asssert line:
eeeehhh - removing the assert is nice, but do the other ciphers actually
*WORK* after that? does the test
openvpn --test-crypto
pass after that? I remember commenting out the assert for a few elliptic
curve ciphers, but openvpn was still not able to encrypt/decrypt
traffic successfully.
JJK
