OpenVPN segfaults on RHEL5/CentOS5 when using --tls-crypt, because it
doesn't have AES-256-CTR support:

  openvpn[15330]: OpenVPN 2.4.0 x86_64-redhat-linux-gnu [SSL (OpenSSL)]
  [LZO] [LZ4] [EPOLL] [MH/PKTINFO] built on Jan 17 2017
  openvpn[15330]: library versions: OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008,
  LZO 2.09, LZ4 1.7.5
  openvpn[15331]: NOTE: the current --script-security setting may allow this
  configuration to call user-defined scripts
  kernel: openvpn[15331]: segfault at 0000000000000008 rip 000000000040ebe0
  rsp 00007fffdcfc5738 error 4

This patch fixes it so it shows:

  openvpn[424]: ERROR: --tls-crypt requires AES-256-CTR support.
  openvpn[424]: Exiting due to fatal error

Trac: #825
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <345db0ac-f6e8-8490-a80a-ffbd81972c07@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14138.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -51,9 +51,7 @@ tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, |
51 | 51 |
|
52 | 52 |
struct key_type kt; |
53 | 53 |
kt.cipher = cipher_kt_get("AES-256-CTR"); |
54 |
- kt.cipher_length = cipher_kt_key_size(kt.cipher); |
|
55 | 54 |
kt.digest = md_kt_get("SHA256"); |
56 |
- kt.hmac_length = md_kt_size(kt.digest); |
|
57 | 55 |
|
58 | 56 |
if (!kt.cipher) |
59 | 57 |
{ |
... | ... |
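Review bot: `struct key_type kt;` is still declared without an initializer, and with the two length assignments removed here, `kt.cipher_length` and `kt.hmac_length` now stay indeterminate all the way through both lookups and their NULL checks. That is harmless as long as the fatal paths never read them, but zero-initializing `kt` at the declaration would make that explicit and keep any later use of the struct on an error path from seeing garbage. A short comment next to the `cipher_kt_get("AES-256-CTR")` line saying the lookup can return NULL on older OpenSSL builds (the 0.9.8e case from the commit message) would also document why the size calls cannot stay here.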
@@ -64,6 +62,9 @@ tls_crypt_init_key(struct key_ctx_bi *key, const char *key_file, |
64 | 64 |
msg(M_FATAL, "ERROR: --tls-crypt requires HMAC-SHA-256 support."); |
65 | 65 |
} |
66 | 66 |
|
67 |
+ kt.cipher_length = cipher_kt_key_size(kt.cipher); |
|
68 |
+ kt.hmac_length = md_kt_size(kt.digest); |
|
69 |
+ |
|
67 | 70 |
crypto_read_openvpn_key(&kt, key, key_file, key_inline, key_direction, |
68 | 71 |
"Control Channel Encryption", "tls-crypt"); |
69 | 72 |
} |
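Review bot: The moved `kt.cipher_length = cipher_kt_key_size(kt.cipher);` and `kt.hmac_length = md_kt_size(kt.digest);` lines are only safe because the preceding `msg(M_FATAL, ...)` calls do not return, and nothing in the code says so. A one-line comment above them (for example "kt.cipher and kt.digest are non-NULL past this point") would stop a later cleanup from moving them back above the checks. The segfault in the commit message also suggests `cipher_kt_key_size()` dereferences its argument without a NULL check, so it is worth checking whether other callers pass the result of `cipher_kt_get()` unchecked, or making the helper return 0 for NULL so that this class of crash is closed at the source instead of at each call site.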