On 07.11.21 at 13:13, Arne Schwabe wrote:
On 07.11.21 at 12:57, Matthias Andree wrote:
On 07.11.21 at 10:01, Arne Schwabe wrote:
We already removed the check in d67658fee for OpenSSL 3.0. This removes
the checks entirely for all crypto libraries.

Signed-off-by: Arne Schwabe <a...@rfc2549.org>
---
  src/openvpn/crypto.c         | 15 --------
  src/openvpn/crypto_backend.h | 28 ---------------
  src/openvpn/crypto_mbedtls.c | 56 ------------------------------
  src/openvpn/crypto_openssl.c | 66 ------------------------------------
  4 files changed, 165 deletions(-)
-    /* DES is deprecated and the method to even check the keys is
deprecated
-     * in OpenSSL 3.0. Instead of checking for the 16
weak/semi-weak keys
-     * we just accept them in OpenSSL 3.0 since the risk of
randomly getting
-     * these is pretty low (and "all DES keys are weak" anyway) */
-    return true;
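
Review bot: The rationale carried by the removed comment (the low chance of randomly drawing one of the 16 weak/semi-weak keys, and "all DES keys are weak" anyway) disappears with this hunk, while the commit message only says the checks are removed for all crypto libraries. Suggest moving that reasoning into the commit message so the justification also covers the crypto_mbedtls.c and remaining crypto_openssl.c removals listed in the diffstat, and stating there that DES itself stays available as a cipher, since the hunk alone does not make that clear.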

Should not we nuke DES altogether in that case? Or am I misunderstanding
the patch?


The patch removes checking for weak keys, making DES just like any
other CBC cipher and not doing extra checks for it. It basically
removes the special treatment of DES.


After this, do we have any DES functionality left in OpenVPN? If so, we
should remove it.



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
