From 749384a154025e268b53cf3cc79eaeddde2b3ceb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= Date: Tue, 27 Jun 2017 13:56:16 +0200 Subject: initial stretch branch release 2.4.0-6 --- src/openvpn/crypto_openssl.c | 78 +++++++++++++------------------------------- 1 file changed, 22 insertions(+), 56 deletions(-) (limited to 'src/openvpn/crypto_openssl.c') diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index a55e65c..b016d98 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -17,9 +17,10 @@ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * - * You should have received a copy of the GNU General Public License along - * with this program; if not, write to the Free Software Foundation, Inc., - * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + * You should have received a copy of the GNU General Public License + * along with this program (see the file COPYING included with this + * distribution); if not, write to the Free Software Foundation, Inc., + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ /** @@ -41,7 +42,6 @@ #include "integer.h" #include "crypto.h" #include "crypto_backend.h" -#include "openssl_compat.h" #include #include @@ -186,14 +186,14 @@ crypto_clear_error(void) } void -crypto_print_openssl_errors(const unsigned int flags) -{ +crypto_print_openssl_errors(const unsigned int flags) { size_t err = 0; while ((err = ERR_get_error())) { /* Be more clear about frequently occurring "no shared cipher" error */ - if (ERR_GET_REASON(err) == SSL_R_NO_SHARED_CIPHER) + if (err == ERR_PACK(ERR_LIB_SSL,SSL_F_SSL3_GET_CLIENT_HELLO, + SSL_R_NO_SHARED_CIPHER)) { msg(D_CRYPT_ERRORS, "TLS error: The server has no TLS ciphersuites " "in common with the client. Your --tls-cipher setting might be " @@ -286,7 +286,8 @@ show_available_ciphers() size_t i; /* If we ever exceed this, we must be more selective */ - const EVP_CIPHER *cipher_list[1000]; + const size_t cipher_list_len = 1000; + const EVP_CIPHER *cipher_list[cipher_list_len]; size_t num_ciphers = 0; #ifndef ENABLE_SMALL printf("The following ciphers and cipher modes are available for use\n" @@ -311,7 +312,7 @@ show_available_ciphers() { cipher_list[num_ciphers++] = cipher; } - if (num_ciphers == (sizeof(cipher_list)/sizeof(*cipher_list))) + if (num_ciphers == cipher_list_len) { msg(M_WARN, "WARNING: Too many ciphers, not showing all"); break; @@ -550,10 +551,8 @@ cipher_kt_iv_size(const EVP_CIPHER *cipher_kt) } int -cipher_kt_block_size(const EVP_CIPHER *cipher) -{ - /* - * OpenSSL reports OFB/CFB/GCM cipher block sizes as '1 byte'. To work +cipher_kt_block_size(const EVP_CIPHER *cipher) { + /* OpenSSL reports OFB/CFB/GCM cipher block sizes as '1 byte'. To work * around that, try to replace the mode with 'CBC' and return the block size * reported for that cipher, if possible. If that doesn't work, just return * the value reported by OpenSSL. @@ -650,19 +649,6 @@ cipher_kt_mode_aead(const cipher_kt_t *cipher) * */ -cipher_ctx_t * -cipher_ctx_new(void) -{ - EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); - check_malloc_return(ctx); - return ctx; -} - -void -cipher_ctx_free(EVP_CIPHER_CTX *ctx) -{ - EVP_CIPHER_CTX_free(ctx); -} void cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int key_len, @@ -670,6 +656,8 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int key_len, { ASSERT(NULL != kt && NULL != ctx); + CLEAR(*ctx); + EVP_CIPHER_CTX_init(ctx); if (!EVP_CipherInit(ctx, kt, NULL, NULL, enc)) { @@ -681,7 +669,7 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int key_len, crypto_msg(M_FATAL, "EVP set key size"); } #endif - if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, enc)) + if (!EVP_CipherInit(ctx, NULL, key, NULL, enc)) { crypto_msg(M_FATAL, "EVP cipher init #2"); } @@ -734,7 +722,7 @@ cipher_ctx_get_cipher_kt(const cipher_ctx_t *ctx) int cipher_ctx_reset(EVP_CIPHER_CTX *ctx, uint8_t *iv_buf) { - return EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv_buf, -1); + return EVP_CipherInit(ctx, NULL, NULL, iv_buf, -1); } int @@ -855,24 +843,13 @@ md_full(const EVP_MD *kt, const uint8_t *src, int src_len, uint8_t *dst) return EVP_Digest(src, src_len, dst, &in_md_len, kt, NULL); } -EVP_MD_CTX * -md_ctx_new(void) -{ - EVP_MD_CTX *ctx = EVP_MD_CTX_new(); - check_malloc_return(ctx); - return ctx; -} - -void md_ctx_free(EVP_MD_CTX *ctx) -{ - EVP_MD_CTX_free(ctx); -} - void md_ctx_init(EVP_MD_CTX *ctx, const EVP_MD *kt) { ASSERT(NULL != ctx && NULL != kt); + CLEAR(*ctx); + EVP_MD_CTX_init(ctx); EVP_DigestInit(ctx, kt); } @@ -880,7 +857,7 @@ md_ctx_init(EVP_MD_CTX *ctx, const EVP_MD *kt) void md_ctx_cleanup(EVP_MD_CTX *ctx) { - EVP_MD_CTX_reset(ctx); + EVP_MD_CTX_cleanup(ctx); } int @@ -910,19 +887,6 @@ md_ctx_final(EVP_MD_CTX *ctx, uint8_t *dst) * */ -HMAC_CTX * -hmac_ctx_new(void) -{ - HMAC_CTX *ctx = HMAC_CTX_new(); - check_malloc_return(ctx); - return ctx; -} - -void -hmac_ctx_free(HMAC_CTX *ctx) -{ - HMAC_CTX_free(ctx); -} void hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len, @@ -930,6 +894,8 @@ hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len, { ASSERT(NULL != kt && NULL != ctx); + CLEAR(*ctx); + HMAC_CTX_init(ctx); HMAC_Init_ex(ctx, key, key_len, kt, NULL); @@ -940,7 +906,7 @@ hmac_ctx_init(HMAC_CTX *ctx, const uint8_t *key, int key_len, void hmac_ctx_cleanup(HMAC_CTX *ctx) { - HMAC_CTX_reset(ctx); + HMAC_CTX_cleanup(ctx); } int -- cgit v1.2.3