author | Antonio Quartulli | 2022-02-03 20:36:55 +0100 |
---|---|---|
committer | Gert Doering | 2022-02-04 12:11:48 +0100 |
commit | 2914444e7cd514eb03e6cd7949e5219557710ae8 (patch) | |
tree | 4f460fb8d817e2fa2ad44d398fbbaf4897806fef /src/openvpn/crypto_backend.h | |
parent | 2d822550ad990fbd498523fb1ab62ca19b3bb93c (diff) | |
crypto: move OpenSSL specific FIPS check to its backend
Our crypto API already provides a function performing a validity check
on the specified ciphername. The OpenSSL counterpart also checks for the
cipher being FIPS-enabled.
This API is cipher_valid(). Extend it so that it can provide a reason
whenever the cipher is not valid and use it in crypto.c.
This way we move any OpenSSL specific bit to its own
backend and directly use the new cipher_valid_reason() API in the
generic code.
This patch fixes compilations with mbedTLS when some OpenSSL is also
installed. The issue was introduced with:
544330fe ("crypto: Fix OPENSSL_FIPS enabled builds")
Cc: David Sommerseth <davids@openvpn.net>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: David Sommerseth <davids@openvpn.net>
Message-Id: <20220203193655.28791-2-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23714.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Diffstat (limited to 'src/openvpn/crypto_backend.h')
-rw-r--r-- | src/openvpn/crypto_backend.h | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h index 7beaf9c..abf1b87 100644 --- a/src/openvpn/crypto_backend.h +++ b/src/openvpn/crypto_backend.h @@ -188,6 +188,21 @@ void cipher_des_encrypt_ecb(const unsigned char key[DES_KEY_LENGTH], #define MAX_CIPHER_KEY_LENGTH 64 /** + * Returns if the cipher is valid, based on the given cipher name and provides a + * reason if invalid. + * + * @param ciphername Name of the cipher to check for validity (e.g. + * \c AES-128-CBC). Will be translated to the library name + * from the openvpn config name if needed. + * @param reason Pointer where a static string indicating the reason + * for rejecting the cipher should be stored. It is set to + * NULL if the cipher is valid. + * + * @return if the cipher is valid + */ +bool cipher_valid_reason(const char *ciphername, const char **reason); + +/** * Returns if the cipher is valid, based on the given cipher name. * * @param ciphername Name of the cipher to check for validity (e.g. @@ -196,7 +211,11 @@ void cipher_des_encrypt_ecb(const unsigned char key[DES_KEY_LENGTH], * * @return if the cipher is valid */ -bool cipher_valid(const char *ciphername); +static inline bool cipher_valid(const char *ciphername) +{ + const char *reason; + return cipher_valid_reason(ciphername, &reason); +} /** * Checks if the cipher is defined and is not the null (none) cipher |
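Review bot: In the first hunk (@@ -188,6 +188,21 @@), the doc comment for cipher_valid_reason() leaves the contract for `reason` incomplete. It says the pointer is set to NULL when the cipher is valid, but it does not say whether a caller may pass a NULL `reason`, nor that a non-NULL string is guaranteed on every false return. The commit message says crypto.c will consume this reason, so both guarantees should be spelled out. The line `@return if the cipher is valid` would also read better as `@return true if the cipher is valid, false otherwise`.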
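Review bot: In the second hunk (@@ -196,7 +211,11 @@), the inline cipher_valid() wrapper declares `const char *reason;` without an initializer and relies on cipher_valid_reason() writing it on every path. The value is discarded here, but initialising it (`const char *reason = NULL;`) keeps the wrapper well-defined if a backend misses an assignment on some path. Alternatively, document that `reason` may be NULL and pass NULL from the wrapper. The retained doc comment above cipher_valid() could also note that it is now a thin wrapper, so backends only need to implement cipher_valid_reason().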