From: David Sommerseth Date: Wed, 19 Jan 2022 18:21:26 +0000 (+0100) Subject: crypto: Fix OPENSSL_FIPS enabled builds X-Git-Tag: v2.6_beta1~314 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=544330fe;p=thirdparty%2Fopenvpn.git crypto: Fix OPENSSL_FIPS enabled builds On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS module enabled by default. On these platforms, the OPENSSL_FIPS macro is always defined via /usr/include/openssl/opensslconf-*.h. Without this fix, the following compilation error appears: ./src/openvpn/crypto.c: In function ‘print_cipher’: ./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first use in this function); did you mean ‘iphdr’? if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) ^~~~~~ The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided via the openssl_compat.h for older than OpenSSL 3.0. Signed-off-by: David Sommerseth Acked-by: Gert Doering Message-Id: <20220119182126.56880-1-openvpn@sf.lists.topphemmelig.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23570.html Signed-off-by: Gert Doering --- diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 5626e2b61..5f6ad6751 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -34,6 +34,7 @@ #include "error.h" #include "integer.h" #include "platform.h" +#include "openssl_compat.h" #include "memdbg.h" @@ -1704,10 +1705,14 @@ print_cipher(const char *ciphername) printf(", TLS client/server mode only"); } #ifdef OPENSSL_FIPS - if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) + evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL); + + if (FIPS_mode() && cipher + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) { printf(", disabled by FIPS mode"); } + EVP_CIPHER_free(cipher); #endif printf(")\n");
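Review bot: The `#include "openssl_compat.h"` added in the first hunk (@@ -34,6 +34,7) is unconditional, while the only symbols this patch takes from it, `EVP_CIPHER_fetch()` and `EVP_CIPHER_free()`, are used inside the `#ifdef OPENSSL_FIPS` block in `print_cipher()`. The header name suggests it is OpenSSL-specific, so if crypto.c is also compiled against a non-OpenSSL crypto backend, please confirm that build still compiles, or place the include under a matching guard. A short comment next to the include saying that it is needed for the FIPS check in `print_cipher()` would also stop it from being removed later as unused.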
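Review bot: In the `print_cipher()` hunk (@@ -1704,10 +1705,14), the added `&& cipher` test makes a failed `EVP_CIPHER_fetch(NULL, ciphername, NULL)` skip the FIPS check silently, so a cipher name that cannot be fetched is listed without the ", disabled by FIPS mode" marker. If a failed fetch while `FIPS_mode()` is active can itself mean the cipher is unavailable, that case deserves its own output, or at least a comment explaining why NULL is treated as "not disabled", because operators read this listing to decide which ciphers are usable. On the same path `EVP_CIPHER_free(cipher)` is called with `cipher == NULL`; the commit message says builds older than OpenSSL 3.0 get this function from openssl_compat.h, so please check that the compat version accepts NULL. Smaller points: the fetch runs even when `FIPS_mode()` returns false and could move inside that condition, and `evp_cipher_type *cipher` is declared after statements in the function body, which is worth checking against the project's declaration style.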