From d67658feeab4742b9b6f57806ba8e93c8eec75b8 Mon Sep 17 00:00:00 2001
From: Arne Schwabe
Date: Tue, 19 Oct 2021 20:31:10 +0200
Subject: [PATCH] Remove DES check with OpenSSL 3.0

DES is very deprecated and accidently getting on the of the 16 insecure keys that OpenSSL checks is extremely unlikely so we no longer use the deprecated functions without replacement in OpenSSL 3.0.

Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
Message-Id: <20211019183127.614175-5-arne@rfc2549.org>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg23004.html
Signed-off-by: Gert Doering
---
 src/openvpn/crypto_openssl.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 60fbec12d..dda46c2f8 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -525,6 +525,7 @@ key_des_num_cblocks(const EVP_CIPHER *kt)
 bool
 key_des_check(uint8_t *key, int key_len, int ndc)
 {
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
     int i;
     struct buffer b;
 
@@ -557,6 +558,13 @@ key_des_check(uint8_t *key, int key_len, int ndc)
 err:
     ERR_clear_error();
     return false;
+#else
+    /* DES is deprecated and the method to even check the keys is deprecated
+     * in OpenSSL 3.0. Instead of checking for the 16 weak/semi-weak keys
+     * we just accept them in OpenSSL 3.0 since the risk of randomly getting
+     * these is pretty low (and "all DES keys are weak" anyway) */
+    return true;
+#endif
 }
 
 void
-- 
2.47.2
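Review bot: In the new `#else` branch of key_des_check the parameters `key`, `key_len` and `ndc` are never read, so OpenSSL 3.0 builds will warn under `-Wunused-parameter` (and fail under `-Werror`); silence that explicitly with `(void)key; (void)key_len; (void)ndc;` just before `return true;`. The unconditional `return true` also means callers on OpenSSL 3.0 get a success result without any inspection of the key material, so whatever sanity checks the pre-3.0 path performs on `key_len` against `ndc` (that body lies between the two hunks and is not visible here) presumably no longer run either; the function's contract in its header should state that the weak-key check is a no-op on OpenSSL 3.0 so that callers do not rely on it. The same `#if`/`#else`/`#endif` pair spans both hunks, with the middle of the function outside the patch.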