Hi,
On 07/09/2020 18:22, Arne Schwabe wrote:
> Without this OpenVPN will later segfault on a FIPS enabled system due
> to the algorithm available but not allowed.
>
> Signed-off-by: Arne Schwabe <a...@rfc2549.org>
> ---
> src/openvpn/crypto_openssl.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
> index c60d4a54..75557cca 100644
> --- a/src/openvpn/crypto_openssl.c
> +++ b/src/openvpn/crypto_openssl.c
> @@ -954,7 +954,10 @@ md_ctx_init(EVP_MD_CTX *ctx, const EVP_MD *kt)
> ASSERT(NULL != ctx && NULL != kt);
>
> EVP_MD_CTX_init(ctx);
> - EVP_DigestInit(ctx, kt);
> + if (EVP_DigestInit(ctx, kt) != 1)
Based on the documentation, this function returns 0 on failure and 1 on
success (basically a bool).
How about turning this into:
if (!EVP_DigestInit(ctx, kt))
?
This way it is clear that we are not just looking for '1' as a special
return value, but simply for 'success'. (Same as we do for function
returning a real bool).
What do you think?
> + {
> + crypto_msg(M_FATAL, "EVP_DigestInit failed");
> + }
> }
>
> void
> @@ -1011,7 +1014,10 @@ hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int
> key_len,
> ASSERT(NULL != kt && NULL != ctx);
>
> HMAC_CTX_reset(ctx);
> - HMAC_Init_ex(ctx, key, key_len, kt, NULL);
> + if (HMAC_Init_ex(ctx, key, key_len, kt, NULL) != 1)
Same for this function.
Regards,
--
Antonio Quartulli
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
