Hi, Sorry for chiming in late:
On Wed, Jan 19, 2022 at 10:20 AM David Sommerseth < open...@sf.lists.topphemmelig.net> wrote: > From: David Sommerseth <dav...@openvpn.net> > > On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS > module enabled by default. On these platforms, the OPENSSL_FIPS macro > is always defined via /usr/include/openssl/opensslconf-*.h. > > Without this fix, the following compilation error appears: > > ./src/openvpn/crypto.c: In function ‘print_cipher’: > ./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first use in > this function); did you mean ‘iphdr’? > if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) > ^~~~~~ > > The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided > via the openssl_compat.h for older than OpenSSL 3.0. > > Signed-off-by: David Sommerseth <dav...@openvpn.net> > --- > src/openvpn/crypto.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c > index 5626e2b6..e489d453 100644 > --- a/src/openvpn/crypto.c > +++ b/src/openvpn/crypto.c > @@ -34,6 +34,7 @@ > #include "error.h" > #include "integer.h" > #include "platform.h" > +#include "openssl_compat.h" > > #include "memdbg.h" > > @@ -1704,10 +1705,13 @@ print_cipher(const char *ciphername) > printf(", TLS client/server mode only"); > } > #ifdef OPENSSL_FIPS > + evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL); > + > if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) > We need to check that cipher is not NULL. Fetch can return NULL while EVP_CIPHER_flags() requires a non-null argument. Something like: if (cipher && FIPS_mode && etc...) will do. EVP_CIPHER_free() below can handle NULL, so no problem there. { > printf(", disabled by FIPS mode"); > } > + EVP_CIPHER_free(cipher); #endif > > printf(")\n"); > Selva
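Review bot: In the include hunk (@@ -34,6 +34,7 @@), "openssl_compat.h" is added unconditionally, while the only new users of it, EVP_CIPHER_fetch() and EVP_CIPHER_free(), sit inside #ifdef OPENSSL_FIPS in print_cipher(). If crypto.c is also compiled in configurations without OpenSSL, guard the include with the same condition, or state in the commit message that the header is safe to include in every build configuration.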
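Review bot: In the print_cipher() hunk (@@ -1704,10 +1705,13 @@), the pointer returned by EVP_CIPHER_fetch(NULL, ciphername, NULL) goes straight into EVP_CIPHER_flags(cipher) with no NULL check, and the fetch can fail for a name the library cannot provide. Test the pointer first, for example `if (cipher && FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))`. The fetch also runs whether or not FIPS_mode() is true; moving the fetch and the matching EVP_CIPHER_free(cipher) inside a FIPS_mode() check would limit the lookup to the case that needs the result. A one-line comment saying why the cipher is fetched again at this point would help the next reader.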