Am 26.03.21 um 07:58 schrieb Gert Doering: > Hi, > > On Fri, Mar 26, 2021 at 12:12:40AM +0100, Antonio Quartulli wrote: >>> -#ifdef HAVE_EVP_CIPHER_CTX_SET_KEY_LENGTH >>> + /* This serves as a check that the keylen is the correct as this fails >>> + * when key_len and the fixed size of cipher disagree */ >>> if (!EVP_CIPHER_CTX_set_key_length(ctx, key_len)) >> >> Are you sure we need to keep this check? > > Indeed, that also got me wondering (and is the reason why I didn't > just ack-and-merge it right away :-) - but I was waiting for someone > else to understand and ACK this) >
The reason I kept it that it doesn't hurt but fails if something fishy happend in cipher handling. For mbed TLS the check is more useful as it doesn't set the keylen before doing this check. Arne _______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
