Hi, On Tue, Oct 19, 2021 at 2:32 PM Arne Schwabe <a...@rfc2549.org> wrote:
> Even though DES is super outdated and also NTLM is super outdated, > eliminating the warnings for OpenSSL 3.0 is still a step in the right > direction and using the correct APIs. > > Signed-off-by: Arne Schwabe <a...@rfc2549.org> > --- > src/openvpn/crypto_openssl.c | 22 +++++++++++++++++++--- > 1 file changed, 19 insertions(+), 3 deletions(-) > > diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c > index 1c800df7f..021698f12 100644 > --- a/src/openvpn/crypto_openssl.c > +++ b/src/openvpn/crypto_openssl.c > @@ -879,10 +879,26 @@ cipher_des_encrypt_ecb(const unsigned char > key[DES_KEY_LENGTH], > unsigned char src[DES_KEY_LENGTH], > unsigned char dst[DES_KEY_LENGTH]) > { > - DES_key_schedule sched; > + EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); > + if (!ctx) > + { > + crypto_msg(M_FATAL, "%s: EVP_CIPHER_CTX_new() failed", __func__); > + } > + if (!EVP_EncryptInit_ex(ctx, EVP_bf_ecb(), NULL, key, 0)) > Apart from the wrong cipher type that Max pointed out, this call will fail in OpenSSL 3.0 unless legacy is loaded, right? Causing a run-time error in that case sounds good to me but a helpful error message like legacy provider may be required or even a check whether legacy is loaded and error out appropriately would be helpful. PS: can't we just get rid of the use of DES altogether? Selva
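Review bot: the EVP_EncryptInit_ex() call in cipher_des_encrypt_ecb() selects EVP_bf_ecb(), which is Blowfish, while the function name and the DES_KEY_LENGTH-sized key, src and dst all indicate DES; the cipher should be EVP_des_ecb(). The last argument of that call is the IV pointer, so NULL reads more clearly than 0. Because single DES is only available from the legacy provider in OpenSSL 3.0, the failure branch of this check is where a message should tell the user that the legacy provider may need to be loaded, instead of reporting a generic init failure. The quoted hunk stops at this line, so whether ctx is released with EVP_CIPHER_CTX_free() on every path cannot be checked from here and is worth confirming in the full patch.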