The behavior of EVP_CipherInit() changed in OpenSSL 1.1 -- instead
of clearing the context when the cipher parameter was !NULL, it now
clears the context unconditionally. As a result, subsequent calls
to the function with additional information now fail.
The bulk work is done by EVP_CipherInit_ex() which has been part of the
OpenSSL interface since the dawn of time (0.9.8 already has it). Thus,
the change allows us to get the old behavior back instead of relying
on dirty tricks.
Signed-off-by: Emmanuel Deloget <logout@free.fr>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <2faff7647151d7fe362c1c5db9f97e520444d09b.1487600539.git.logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14120.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -671,7 +671,7 @@ cipher_ctx_init(EVP_CIPHER_CTX *ctx, uint8_t *key, int key_len, |
671 | 671 |
crypto_msg(M_FATAL, "EVP set key size"); |
672 | 672 |
} |
673 | 673 |
#endif |
674 |
- if (!EVP_CipherInit(ctx, NULL, key, NULL, enc)) |
|
674 |
+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, NULL, enc)) |
|
675 | 675 |
{ |
676 | 676 |
crypto_msg(M_FATAL, "EVP cipher init #2"); |
677 | 677 |
} |
... | ... |
@@ -724,7 +724,7 @@ cipher_ctx_get_cipher_kt(const cipher_ctx_t *ctx) |
724 | 724 |
int |
725 | 725 |
cipher_ctx_reset(EVP_CIPHER_CTX *ctx, uint8_t *iv_buf) |
726 | 726 |
{ |
727 |
- return EVP_CipherInit(ctx, NULL, NULL, iv_buf, -1); |
|
727 |
+ return EVP_CipherInit_ex(ctx, NULL, NULL, NULL, iv_buf, -1); |
|
728 | 728 |
} |
729 | 729 |
|
730 | 730 |
int |
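Review bot: cipher_ctx_reset() in the second hunk passes iv_buf to EVP_CipherInit_ex() with no length, and OpenSSL reads the cipher's full IV length from that pointer, so the guarantee that the buffer is long enough rests entirely on the callers, which are not visible here. A short comment above the return would record the contract, for example `/* iv_buf must hold at least the cipher's IV length in bytes; enc == -1 keeps the direction chosen at init */`. The function also returns OpenSSL's result unchanged, so the same comment should say that a zero return means the IV was not reset and the context must not be used until a reset succeeds. Unlike cipher_ctx_init() in the first hunk, which ends in crypto_msg(M_FATAL, ...), this path leaves failure handling to the caller.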