Fix segfault when using crypto lib without AES-256-CTR or SHA256
Openvpn segfaults on RHEL5/CentOS5 when using --tls-crypt, because it
doesn't have AES-256-CTR support:
openvpn[15330]: OpenVPN 2.4.0 x86_64-redhat-linux-gnu [SSL (OpenSSL)]
[LZO] [LZ4] [EPOLL] [MH/PKTINFO] built on Jan 17 2017
openvpn[15330]: library versions: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008,
LZO 2.09, LZ4 1.7.5
openvpn[15331]: NOTE: the current --script-security setting may allow this
configuration to call user-defined scripts
kernel: openvpn[15331]: segfault at 0000000000000008 rip 000000000040ebe0
rsp 00007fffdcfc5738 error 4
This patch fixes it so it shows:
openvpn[424]: ERROR: --tls-crypt requires AES-256-CTR support.
openvpn[424]: Exiting due to fatal error
Trac: #825
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <345db0ac-f6e8-8490-a80a-ffbd81972c07@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14138.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Simon Matter authored on 2017/02/22 04:34:15Showing 1 changed files
| ... | ... |
@@ -51,9 +51,7 @@ tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, |
| 51 | 51 |
|
| 52 | 52 |
struct key_type kt; |
| 53 | 53 |
kt.cipher = cipher_kt_get("AES-256-CTR");
|
| 54 |
- kt.cipher_length = cipher_kt_key_size(kt.cipher); |
|
| 55 | 54 |
kt.digest = md_kt_get("SHA256");
|
| 56 |
- kt.hmac_length = md_kt_size(kt.digest); |
|
| 57 | 55 |
|
| 58 | 56 |
if (!kt.cipher) |
| 59 | 57 |
{
|
| ... | ... |
@@ -64,6 +62,9 @@ tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, |
| 64 | 64 |
msg(M_FATAL, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); |
| 65 | 65 |
} |
| 66 | 66 |
|
| 67 |
+ kt.cipher_length = cipher_kt_key_size(kt.cipher); |
|
| 68 |
+ kt.hmac_length = md_kt_size(kt.digest); |
|
| 69 |
+ |
|
| 67 | 70 |
crypto_read_openvpn_key(&kt, key, key_file, key_inline, key_direction, |
| 68 | 71 |
"Control Channel Encryption", "tls-crypt"); |
| 69 | 72 |
} |