On Tue, Oct 26, 2021 at 1:50 PM Max Fillinger <maximilian.fillin...@foxcrypto.com> wrote:
> On 19/10/2021 20:31, Arne Schwabe wrote: > > With OpenSSL 3.0 the use of nid values is deprecated and new algorithms > > do not even have NID values anymore. > > > > This also works nicely with providers now: > > > > openvpn --provider legacy:default --show-ciphers > > > > shows more ciphers (e.g. BF-CBC) than just > > > > openvpn --show-ciphers > > > > when compiled with OpenSSL 3.0 > > > > Signed-off-by: Arne Schwabe <a...@rfc2549.org> > > Looks good, and the tests work with OpenSSL 3 and OpenSSL 1.1.1 when I > also apply the "Do not allow CTS ciphers" patch. > > One nitpick: > > > +struct collect_ciphers { > > + /* If we ever exceed this, we must be more selective */ > > + const EVP_CIPHER *list[1000]; > > + size_t num; > > +}; > > + > > +static void collect_ciphers(EVP_CIPHER *cipher, void *list) > > +{ > > + struct collect_ciphers* cipher_list = list; > > + if (cipher_list->num == > (sizeof(cipher_list->list)/sizeof(*cipher_list->list))) > > + { > > + msg(M_WARN, "WARNING: Too many ciphers, not showing all"); > > + return; > > + } > > I think it would be more readable to use a const (or a #define) for the > length of the cipher list array, instead of using sizeof. > IIRC, we have SIZE(x) = sizeof(x)/sizeof(*x) defined in some header for this. Selva
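Review bot: in collect_ciphers(), the branch taken when the list is full logs the M_WARN message and returns without recording that it has done so, so if the callback is invoked once per cipher, every cipher beyond the 1000-entry limit repeats "WARNING: Too many ciphers, not showing all". A flag in struct collect_ciphers that is set on the first overflow would let the warning be logged once. The struct and the callback also share the name collect_ciphers; that is legal C because tags and functions live in separate namespaces, but renaming one of them would make the declaration "struct collect_ciphers* cipher_list = list;" easier to read. The comment "If we ever exceed this, we must be more selective" could also say what a caller sees in that case, namely a truncated list.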