On 07.11.21 at 12:57, Matthias Andree wrote:
On 07.11.21 at 10:01, Arne Schwabe wrote:
We already removed the check in d67658fee for OpenSSL 3.0. This removes the
checks entirely for all crypto libraries.
Signed-off-by: Arne Schwabe <a...@rfc2549.org>
---
src/openvpn/crypto.c | 15 --------
src/openvpn/crypto_backend.h | 28 ---------------
src/openvpn/crypto_mbedtls.c | 56 ------------------------------
src/openvpn/crypto_openssl.c | 66 ------------------------------------
4 files changed, 165 deletions(-)
- /* DES is deprecated and the method to even check the keys is
deprecated
- * in OpenSSL 3.0. Instead of checking for the 16 weak/semi-weak
keys
- * we just accept them in OpenSSL 3.0 since the risk of randomly
getting
- * these is pretty low (and "all DES keys are weak" anyway) */
- return true;
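Review bot: the rationale in the comment deleted here (the risk of randomly getting one of the 16 weak/semi-weak keys is pretty low, and "all DES keys are weak" anyway) is not repeated in the commit message, which only says the checks are removed for all crypto libraries. Since that comment was written for the OpenSSL 3.0 case and the behaviour now applies to every backend, please carry the reasoning into the commit message so it records why DES keys are accepted without a weak-key check.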
Should not we nuke DES altogether in that case? Or am I misunderstanding
the patch?
The patch removes checking for weak keys and makes DES just like any
other CBC cipher, not doing extra checks for it. It basically
removes the special treatment of DES.
Arne