From: David Sommerseth <dav...@openvpn.net>

On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS
module enabled by default.  On these platforms, the OPENSSL_FIPS macro
is always defined via /usr/include/openssl/opensslconf-*.h.

Without this fix, the following compilation error appears:

  ./src/openvpn/crypto.c: In function ‘print_cipher’:
  ./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first use in this 
function); did you mean ‘iphdr’?
       if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
                                           ^~~~~~
The EVP_CIPHER_fetch() and EVP_CIPHER_free() functions are also provided
via openssl_compat.h for OpenSSL versions older than 3.0.

Signed-off-by: David Sommerseth <dav...@openvpn.net>
---
 src/openvpn/crypto.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 5626e2b6..eb0b1254 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -34,6 +34,7 @@
 #include "error.h"
 #include "integer.h"
 #include "platform.h"
+#include "openssl_compat.h"
 
 #include "memdbg.h"
 
@@ -1704,10 +1705,15 @@ print_cipher(const char *ciphername)
         printf(", TLS client/server mode only");
     }
 #ifdef OPENSSL_FIPS
-    if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
+    evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);
+
+    if (FIPS_mode()
+        && (NULL != cipher)
+        && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
     {
         printf(", disabled by FIPS mode");
     }
+    EVP_CIPHER_free(cipher);
 #endif
 
     printf(")\n");
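Review bot: In the new `#ifdef OPENSSL_FIPS` block, the `(NULL != cipher)` guard means a cipher that `EVP_CIPHER_fetch()` cannot resolve is printed without the ", disabled by FIPS mode" marker, so in FIPS mode the listing can present an unusable cipher as available. If a failed fetch is meant to count as unavailable, the condition could read `if (FIPS_mode() && (cipher == NULL || !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)))`; otherwise a short comment explaining why a NULL result is skipped would help. Whether `ciphername` is already in the form the fetch expects cannot be told from here, because the body of print_cipher() starts above the hunk. `EVP_CIPHER_free(cipher)` is also reached with a possibly NULL pointer, which presumably relies on the pre-3.0 shim in openssl_compat.h accepting NULL; that is worth confirming.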
-- 
2.27.0


