With b39725cf ("Remove md_kt_t and change crypto API to use const char*")
the logic for validating ciphers and md algorithms has been changed.
We should now *always* use md_valid() when validating a digest alg.
At the same time, add '!' (negation) when validating the digest algorithm
in the tls-crypt code, in order to restore the proper logic.
Cc: Arne Schwabe <arne@rfc2549.org>
Fixes: b39725cf ("Remove md_kt_t and change crypto API to use const char*")
Reported-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
Acked-by: Arne Schwabe <arne@rfc2549.org>
Message-Id: <20220215123157.10615-1-a@unstable.cc>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23793.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
kt.cipher = "none";
kt.digest = "SHA256";
- if (!kt.digest)
+ if (!md_valid(kt.digest))
{
msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support.");
return (struct key_type) { 0 };
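Review bot: the warning under the new `if (!md_valid(kt.digest))` check says "--tls-crypt requires HMAC-SHA-256 support" although this key type sets kt.cipher to "none", while the other tls-crypt hunk in this patch requires AES-256-CTR. If this path belongs to a different feature, the message should name that option so a failed digest lookup is logged against the right one. The check itself is the right fix: kt.digest is assigned a string literal two lines earlier, so the old `!kt.digest` test could never be true.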
*
* @param digest Name of the digest to verify, e.g. \c MD5).
*
- * @return A statically allocated structure containing parameters
- * for the given message digest.
+ * @return Whether a digest of the given name is available
*/
bool md_valid(const char *digest);
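Review bot: the new `@return` line does not say which boolean value means what, and the `@param` line above it has a stray closing parenthesis after `\c MD5`. Suggest "@return true if a digest of the given name is available, false otherwise", and a word on what the function does with a NULL name, since callers now rely on it as the only validity check.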
msg(M_WARN, "ERROR: --tls-crypt requires AES-256-CTR support.");
return (struct key_type) { 0 };
}
- if (cipher_valid(kt.digest))
+ if (!md_valid(kt.digest))
{
msg(M_WARN, "ERROR: --tls-crypt requires HMAC-SHA-256 support.");
return (struct key_type) { 0 };
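Review bot: the removed line `if (cipher_valid(kt.digest))` carried two defects at once, a cipher lookup applied to a digest name and a missing negation, and nothing in the visible change would catch either one coming back. A unit test asserting that the zeroed key_type is returned when the digest is unavailable would cover this. The same check and warning now also appear in the first hunk, so a small shared helper would keep the two copies from drifting apart again.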