Remove DES check with OpenSSL 3.0

DES is very deprecated and accidently getting on the of the 16 insecure
keys that OpenSSL checks is extremely unlikely so we no longer use the
deprecated functions without replacement in OpenSSL 3.0.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20211019183127.614175-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23004.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 60fbec12d8f96d5bcef06b77d520d7feee8bc8a2..dda46c2f839ee0c481ba6e492f414653b8343bb5 100644 (file)
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -525,6 +525,7 @@ key_des_num_cblocks(const EVP_CIPHER *kt)
 bool
 key_des_check(uint8_t *key, int key_len, int ndc)
 {
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
     int i;
     struct buffer b;
 
@@ -557,6 +558,13 @@ key_des_check(uint8_t *key, int key_len, int ndc)
 err:
     ERR_clear_error();
     return false;
+#else
+    /* DES is deprecated and the method to even check the keys is deprecated
+     * in OpenSSL 3.0. Instead of checking for the 16 weak/semi-weak keys
+     * we just accept them in OpenSSL 3.0 since the risk of randomly getting
+     * these is pretty low (and "all DES keys are weak" anyway) */
+    return true;
+#endif
 }
 
 void