Am 03.02.13 14:55, schrieb Jan Just Keijser: > Arne Schwabe wrote: >> Am 16.08.12 10:38, schrieb Heiko Hund: >> >>> cipher_ctx_final() only returns an outlen in CBC mode. If CFB or OFB >>> are used the assertion outlen == iv_len is always false. >>> >>> There's no CBC mode defined for the GOST 28147-89 block cipher. Hence >>> this patch is needed for it to work. It's needed for other ciphers like >>> BF-CFB as well, though. >>> >>> Signed-off-by: Heiko Hund <heiko.h...@sophos.com> >>> --- >>> src/openvpn/crypto.c | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c >>> index ac2eecd..2f67e5e 100644 >>> --- a/src/openvpn/crypto.c >>> +++ b/src/openvpn/crypto.c >>> @@ -153,7 +153,7 @@ openvpn_encrypt (struct buffer *buf, struct >>> buffer work, >>> /* Flush the encryption buffer */ >>> ASSERT(cipher_ctx_final(ctx->cipher, BPTR (&work) + outlen, >>> &outlen)); >>> work.len += outlen; >>> - ASSERT (outlen == iv_size); >>> + ASSERT (mode != OPENVPN_MODE_CBC || outlen == iv_size); >>> >>> /* prepend the IV to the ciphertext */ >>> if (opt->flags & CO_USE_IV) >>> >> >> I have a user of my app that also tripped over this asssert line: >> >> > eeeehhh - removing the assert is nice, but do the other ciphers > actually *WORK* after that? does the test > openvpn --test-crypto > pass after that? I remember commenting out the assert for a few > elliptic curve ciphers, but openvpn was still not able to > encrypt/decrypt traffic successfully
I have no idea of the crypto involved. But if there is a known class of cryptos that fails in this "obscure" way we should exit with error much earlier. Arne
