On 03/02/2022 20:36, Antonio Quartulli wrote:
> Our crypto API already provides a function performing a validity check
> on the specified ciphername. The OpenSSL counterpart also checks for the
> cipher being FIPS-enabled.
>
> This API is cipher_valid(). Extend it so that it can provide a reason
> whenever the cipher is not valid and use it in crypto.c.
>
> This way we move any OpenSSL specific bit to its own
> backend and directly use the new cipher_valid_reason() API in the
> generic code.
>
> This patch fixes compilations with mbedTLS when some OpenSSL is also
> installed. The issue was introduced with:
>
>   544330fe ("crypto: Fix OPENSSL_FIPS enabled builds")
>
> Cc: David Sommerseth <dav...@openvpn.net>
> Signed-off-by: Antonio Quartulli <a...@unstable.cc>
> ---
> Changes from v1:
> * rebased
> * don't return cipher, but true in cipher_valid_reason()
>
>  src/openvpn/crypto.c         | 11 +++--------
>  src/openvpn/crypto_backend.h | 21 ++++++++++++++++++++-
>  src/openvpn/crypto_mbedtls.c | 13 +++++++++----
>  src/openvpn/crypto_openssl.c |  6 +++++-
>  4 files changed, 37 insertions(+), 14 deletions(-)

I've done test builds on RHEL-8 with both openssl-1.1.1k and
mbedtls-2.16.12-1 without any issues. Just done some lightweight
testing on top of reviewing code. This looks good to me.
Acked-By: David Sommerseth <dav...@openvpn.net>
--
kind regards,
David Sommerseth
OpenVPN Inc