Hi, On 26/03/2021 12:05, Arne Schwabe wrote: > Am 26.03.21 um 07:58 schrieb Gert Doering: >> Hi, >> >> On Fri, Mar 26, 2021 at 12:12:40AM +0100, Antonio Quartulli wrote: >>>> -#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH >>>> + /* This serves as a check that the keylen is the correct as this fails >>>> + * when key_len and the fixed size of cipher disagree */ >>>> if (!EVP_CIPHER_CTX_set_key_length(ctx, key_len)) >>> >>> Are you sure we need to keep this check? >> >> Indeed, that also got me wondering (and is the reason why I didn't >> just ack-and-merge it right away :-) - but I was waiting for someone >> else to understand and ACK this) >> > > The reason I kept it that it doesn't hurt but fails if something fishy > happend in cipher handling. For mbed TLS the check is more useful as it > doesn't set the keylen before doing this check. >
I'd dare to say that if we don't trust OpenSSL in returning a meaningful key length, I am not sure why we should trust it when calling EVP_CIPHER_CTX_set_key_length. If OpenSSL went cocoon, more calls will fail for sure. This said, if you really wanna stick with EVP_CIPHER_CTX_set_key_length, I presume you should add it back to the configure.ac and you should also add again the ifdef around the invocation? Or that's not needed in this case? Regarding mbedtls I am not sure how it is related to calling EVP_CIPHER_CTX_set_key_length. Cheers! -- Antonio Quartulli _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
