Hi,
Sorry for chiming in late:
On Wed, Jan 19, 2022 at 10:20 AM David Sommerseth <
open...@sf.lists.topphemmelig.net> wrote:
> From: David Sommerseth <dav...@openvpn.net>
>
> On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS
> module enabled by default. On these platforms, the OPENSSL_FIPS macro
> is always defined via /usr/include/openssl/opensslconf-*.h.
>
> Without this fix, the following compilation error appears:
>
> ./src/openvpn/crypto.c: In function ‘print_cipher’:
> ./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first use in
> this function); did you mean ‘iphdr’?
> if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
> ^~~~~~
>
> The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided
> via the openssl_compat.h for older than OpenSSL 3.0.
>
> Signed-off-by: David Sommerseth <dav...@openvpn.net>
> ---
> src/openvpn/crypto.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
> index 5626e2b6..e489d453 100644
> --- a/src/openvpn/crypto.c
> +++ b/src/openvpn/crypto.c
> @@ -34,6 +34,7 @@
> #include "error.h"
> #include "integer.h"
> #include "platform.h"
> +#include "openssl_compat.h"
>
> #include "memdbg.h"
>
> @@ -1704,10 +1705,13 @@ print_cipher(const char *ciphername)
> printf(", TLS client/server mode only");
> }
> #ifdef OPENSSL_FIPS
> + evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);
> +
> if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
>
We need to check that cipher is not NULL. Fetch can return NULL while
EVP_CIPHER_flags() requires a non-null argument. Something like: if (cipher
&& FIPS_mode && etc...) will do.
EVP_CIPHER_free() below can handle NULL, so no problem there.
{
> printf(", disabled by FIPS mode");
> }
> + EVP_CIPHER_free(cipher);
#endif
>
> printf(")\n");
>
Selva
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
