From 0fa3df510c10820d00b8f5c77a8730f90189f30d Mon Sep 17 00:00:00 2001
From: Emmanuel Deloget
Date: Mon, 20 Feb 2017 15:32:34 +0100
Subject: [PATCH] OpenSSL: use EVP_CipherInit_ex() instead of EVP_CipherInit()

The behavior of EVP_CipherInit() changed in OpenSSL 1.1 -- instead of clearing the context when the cipher parameter was !NULL, it now clears the context unconditionnaly. As a result, subsequent calls to the function with additional information now fails. The bulk work is done by EVP_CipherInit_ex() which has been part of the OpenSSL interface since the dawn of time (0.9.8 already has it). Thus, the change allows us to get the old behavior back instead of relying on dirty tricks.

Signed-off-by: Emmanuel Deloget
Acked-by: Steffan Karger
Message-Id: <2faff7647151d7fe362c1c5db9f97e520444d09b.1487600539.git.logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14120.html
Signed-off-by: Gert Doering
(cherry picked from commit 8d00afae88b626c9cf14170a943b33a7ed378070)
---
 src/openvpn/crypto_openssl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index a66ee71e5..5549d7083 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -671,7 +671,7 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int key_len,
 crypto_msg(M_FATAL, "EVP set key size");
 }
 #endif
- if (!EVP_CipherInit(ctx, NULL, key, NULL, enc))
+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, enc))
 {
 crypto_msg(M_FATAL, "EVP cipher init #2");
 }
@@ -724,7 +724,7 @@ cipher_ctx_get_cipher_kt(const cipher_ctx_t *ctx)
 int
 cipher_ctx_reset(EVP_CIPHER_CTX *ctx, uint8_t *iv_buf)
 {
- return EVP_CipherInit(ctx, NULL, NULL, iv_buf, -1);
+ return EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv_buf, -1);
 }
 
 int
-- 
2.47.2
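Review bot: The `EVP_CipherInit_ex()` call in `cipher_ctx_init` carries no comment saying why the `_ex` variant is required, so the reason lives only in the commit message. Per that message, `EVP_CipherInit()` in OpenSSL 1.1 clears the context on every call, which would discard the key length set just above and, presumably, the cipher selected by an earlier init call that is outside the hunk. I would add above the call `/* _ex variant on purpose: EVP_CipherInit() in OpenSSL 1.1 resets ctx and would drop the cipher and key length configured above */` so the call is not later simplified back. The function starts and ends outside the hunk.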
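Review bot: `cipher_ctx_reset` now passes four `NULL`s and a bare `-1`, and nothing in the function says which parts of the context are kept and which are replaced. A one-line comment such as `/* keep cipher, engine, key and direction (enc == -1); only load the IV from iv_buf */` would make the contract readable at the call. If `iv_buf` can be `NULL` here, this call supplies no new IV, so the function's documentation should state whether callers must always pass one. The `int` result is returned unchecked to the caller, unlike the `M_FATAL` handling in `cipher_ctx_init`, so it is also worth noting that callers have to test it; the callers are outside the hunk.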