Hi,
On 21/01/2022 21:10, David Sommerseth wrote:
> From: David Sommerseth <dav...@openvpn.net>
>
> With commit 544330fefedc87, the openssl_compat.h got included in
> crypto.c. This caused issues when building against mbed TLS, which this
> compat layer is not targeting.
>
> This issue is resolved by only including this header when the OpenSSL
> library is in use. The OPENSSL_FIPS macro should never be set when
> compiling against the mbed TLS library. But we check against the main
> ENABLE_CRYPTO_OPENSSL macro here, in case future updates add more
> OpenSSL specific fragments.
>
> Signed-off-by: David Sommerseth <dav...@openvpn.net>

I am personally NAK'ing this patch, however, after further discussion on
IRC I can say that this was the consensus reached with David and Arne as
well.

The idea is that having OpenSSL specific code in crypto.c is a no-go.
Like all other functionalities, we need to hide the FIPS check behind
our SSL abstraction, so that each backend can decide what to do (mbedtls
will probably just say "sure, go ahead").

So this patch should be dropped.

Best Regards,
--
Antonio Quartulli