Hi,

On 26/01/2022 17:28, Antonio Quartulli wrote:

Our crypto API already provides a function performing a validity check on the specified ciphername. The OpenSSL counterpart also checks for the cipher being FIPS-enabled.

This API is cipher_valid(). Extend it so that it can provide a reason whenever the cipher is not valid and use it in crypto.c.

This way we move any OpenSSL specific bit to its own backend and directly use the new cipher_valid_reason() API in the generic code.

This patch fixes compilations with mbedTLS when some OpenSSL is also installed. The issue was introduced with:

544330fe ("crypto: Fix OPENSSL_FIPS enabled builds")

Cc: David Sommerseth <[email protected]>
Signed-off-by: Antonio Quartulli <[email protected]>
---
FTR: tested on RHEL8 with FIPS enabled and I couldn't experience any misbehaviour/crash while attempting to use a FIPS-disabled cipher.

Cheers,

--
Antonio Quartulli
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
