Originally we wanted to move this OpenSSL-specific code to its own
backend and use a proper abstraction in the crypto.c code.
However, tests have revealed that OpenVPN will never try to print a
cipher that is not supported by FIPS (assuming FIPS is enabled), because
along the chain of calls we already call cipher_get() which returns NULL
for FIPS-disabled ciphers.
For this reason, we can just remove any FIPS specific code from
print_cipher() and be done with it.
This patch fixes compilation with mbedTLS when some OpenSSL is also
installed. The issue was introduced with:
544330fe ("crypto: Fix OPENSSL_FIPS enabled builds")
Cc: David Sommerseth <[email protected]>
Signed-off-by: Antonio Quartulli <[email protected]>
---
src/openvpn/crypto.c | 11 -----------
1 file changed, 11 deletions(-)
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 0aa76e05..b0a3cf81 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -34,7 +34,6 @@
#include "error.h"
#include "integer.h"
#include "platform.h"
-#include "openssl_compat.h"
#include "memdbg.h"
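Review bot: dropping `#include "openssl_compat.h"` here is only safe if the block removed further down in print_cipher() was the sole user of OpenSSL symbols in crypto.c; please confirm in the cover text that crypto.c still builds with both --with-crypto-library=openssl and mbedtls after this change, since a remaining EVP_* or FIPS_* reference would now fail with an implicit declaration instead of the original error. The include order still leaves "memdbg.h" last, which is what the surrounding code expects.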
@@ -1704,16 +1703,6 @@ print_cipher(const char *ciphername)
{
printf(", TLS client/server mode only");
}
-#ifdef OPENSSL_FIPS
- evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL);
-
- if (FIPS_mode() && cipher
- && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS))
- {
- printf(", disabled by FIPS mode");
- }
- EVP_CIPHER_free(cipher);
-#endif
printf(")\n");
}
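Review bot: the justification for deleting the `#ifdef OPENSSL_FIPS` block rests on a call chain that is not visible in this hunk, namely that every path into print_cipher() has already gone through cipher_get() and therefore never carries a FIPS-disabled name; it would help to name that caller (the cipher list iteration) in the commit message, otherwise a future caller that passes an arbitrary ciphername silently loses the ", disabled by FIPS mode" hint with no compile-time signal. Two smaller points: the removed code paired an OpenSSL 3 style EVP_CIPHER_fetch()/EVP_CIPHER_free() with FIPS_mode(), so dropping it also removes an API-compatibility burden worth mentioning, and the ", disabled by FIPS mode" suffix is user-visible output of --show-ciphers, so a changelog line noting that it is gone would be appropriate even though the message argues it could never have been printed.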
--
2.34.1
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel