From: Emmanuel Deloget
Date: Mon, 20 Feb 2017 14:32:34 +0000 (+0100)
Subject: OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()
X-Git-Tag: v2.4.1~14
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0fa3df510c10820d00b8f5c77a8730f90189f30d;p=thirdparty%2Fopenvpn.git

OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()

The behavior of EVP_CipherInit() changed in OpenSSL 1.1 -- instead of clearing the context when the cipher parameter was !NULL, it now clears the context unconditionally. As a result, subsequent calls to the function with additional information now fail.

The bulk work is done by EVP_CipherInit_ex() which has been part of the OpenSSL interface since the dawn of time (0.9.8 already has it). Thus, the change allows us to get the old behavior back instead of relying on dirty tricks.

Signed-off-by: Emmanuel Deloget
Acked-by: Steffan Karger
Message-Id: <2faff7647151d7fe362c1c5db9f97e520444d09b.1487600539.git.logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14120.html
Signed-off-by: Gert Doering
(cherry picked from commit 8d00afae88b626c9cf14170a943b33a7ed378070)
---
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index a66ee71e5..5549d7083 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -671,7 +671,7 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int key_len, crypto_msg(M_FATAL, "EVP set key size"); } #endif - if (!EVP_CipherInit(ctx, NULL, key, NULL, enc)) + if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, enc)) { crypto_msg(M_FATAL, "EVP cipher init #2"); } @@ -724,7 +724,7 @@ cipher_ctx_get_cipher_kt(const cipher_ctx_t *ctx) int cipher_ctx_reset(EVP_CIPHER_CTX *ctx, uint8_t *iv_buf) { - return EVP_CipherInit(ctx, NULL, NULL, iv_buf, -1); + return EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv_buf, -1); } int
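
Review bot: In the cipher_ctx_init() hunk (@@ -671), the call `EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, enc)` carries no comment explaining why the _ex variant is required at this step. Per the commit message, EVP_CipherInit() on OpenSSL 1.1 clears the context unconditionally, which would discard the key size set just above ("EVP set key size") and whatever the earlier init step implied by the "#2" label configured. A one-line comment at the call site would stop a later cleanup from switching it back. Since the diff shows only two call sites, it is also worth confirming that no other staged EVP_CipherInit() call with a NULL cipher remains in crypto_openssl.c.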
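
Review bot: In the cipher_ctx_reset() hunk (@@ -724), the `-1` passed as the last argument of `EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv_buf, -1)` is an unexplained literal. A short comment stating that -1 leaves the encrypt/decrypt direction as previously set, and that the NULL cipher and key mean only the IV is replaced, would make the intent of the reset clear. The function also returns the OpenSSL result directly, so callers must treat 0 as failure; noting that on the declaration would keep a caller from testing for a negative value instead.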