From 544330fefedc87a74b4e17e105ad9151b8ad1dc9 Mon Sep 17 00:00:00 2001 From: David Sommerseth Date: Wed, 19 Jan 2022 19:21:26 +0100 Subject: [PATCH] crypto: Fix OPENSSL_FIPS enabled builds MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit On Fedora and RHEL/CentOS, the standard OpenSSL library has the FIPS module enabled by default. On these platforms, the OPENSSL_FIPS macro is always defined via /usr/include/openssl/opensslconf-*.h. Without this fix, the following compilation error appears: ./src/openvpn/crypto.c: In function ‘print_cipher’: ./src/openvpn/crypto.c:1707:43: error: ‘cipher’ undeclared (first use in this function); did you mean ‘iphdr’? if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) ^~~~~~ The EVP_CIPHER_fetch() and EVP_CIPHER_free() methods are also provided via the openssl_compat.h for older than OpenSSL 3.0. Signed-off-by: David Sommerseth Acked-by: Gert Doering Message-Id: <20220119182126.56880-1-openvpn@sf.lists.topphemmelig.net> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23570.html Signed-off-by: Gert Doering --- src/openvpn/crypto.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 5626e2b61..5f6ad6751 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -34,6 +34,7 @@ #include "error.h" #include "integer.h" #include "platform.h" +#include "openssl_compat.h" #include "memdbg.h" @@ -1704,10 +1705,14 @@ print_cipher(const char *ciphername) printf(", TLS client/server mode only"); } #ifdef OPENSSL_FIPS - if (FIPS_mode() && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) + evp_cipher_type *cipher = EVP_CIPHER_fetch(NULL, ciphername, NULL); + + if (FIPS_mode() && cipher + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_FIPS)) { printf(", disabled by FIPS mode"); } + EVP_CIPHER_free(cipher); #endif printf(")\n"); -- 2.47.2