Message ID | 20220126151128.5078-1-a@unstable.cc |
---|---|
State | Changes Requested |
Series | [Openvpn-devel] crypto.c: remove (dead) OpenSSL specific code |

On 26.01.22 at 16:11, Antonio Quartulli wrote:
> Originally we wanted to move this OpenSSL specific code to its own
> backend and use a proper abstraction in the crypto.c code.
>
> However, tests have revealed that OpenVPN will never try to print a
> cipher that is not supported by FIPS (assuming FIPS is enabled), because
> along the chain of calls we already call cipher_get() which returns NULL
> for FIPS-disabled ciphers.
>
> For this reason, we can just remove any FIPS specific code from
> print_cipher() and be done with it.
>

Acked-By: Arne Schwabe <arne@rfc2549.org>

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 0aa76e05..b0a3cf81 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -34,7 +34,6 @@ #include "error.h" #include "integer.h" #include "platform.h" -#include "openssl_compat.h" #include "memdbg.h" @@ -1704,16 +1703,6 @@ print_cipher(const char *ciphername) { printf(", TLS client/server mode only"); } -#ifdef OPENSSL_FIPS - evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL); - - if (FIPS_mode() && cipher - && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) - { - printf(", disabled by FIPS mode"); - } - EVP_CIPHER_free(cipher); -#endif printf(")\n"); }
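
Review bot: dropping `#include "openssl_compat.h"` in the first hunk is only safe if the `#ifdef OPENSSL_FIPS` block removed from print_cipher() was the last user of that header in crypto.c, and the visible lines do not show that. Since the commit message ties the mbedTLS build failure to this code, it would help to state there that both an mbedTLS build and an OpenSSL build were checked after the include was removed.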
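
Review bot: in the print_cipher() hunk, removing the `FIPS_mode()` check relies on an undocumented precondition, namely that every caller has already passed the name through cipher_get(), which per the commit message returns NULL for FIPS-disabled ciphers. Nothing in the visible lines of print_cipher() states or enforces that, so a later caller could print a FIPS-disabled cipher without the ", disabled by FIPS mode" marker. A short comment above the function saying it must only be called with a cipher name that cipher_get() accepted would record the assumption; the commit message could also name the call path that the tests covered, since the subject calls the code "dead".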

Originally we wanted to move this OpenSSL specific code to its own
backend and use a proper abstraction in the crypto.c code.

However, tests have revealed that OpenVPN will never try to print a
cipher that is not supported by FIPS (assuming FIPS is enabled), because
along the chain of calls we already call cipher_get() which returns NULL
for FIPS-disabled ciphers.

For this reason, we can just remove any FIPS specific code from
print_cipher() and be done with it.

This patch fixes compilations with mbedTLS when some OpenSSL is also
installed. The issue was introduced with:
544330fe ("crypto: Fix OPENSSL_FIPS enabled builds")

Cc: David Sommerseth <davids@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
---
 src/openvpn/crypto.c | 11 -----------
 1 file changed, 11 deletions(-)