int
cipher_kt_block_size(const EVP_CIPHER *cipher)
{
/*
* OpenSSL reports OFB/CFB/GCM cipher block sizes as '1 byte'. To work
* around that, try to replace the mode with 'CBC' and return the block size
* reported for that cipher, if possible. If that doesn't work, just return
* the value reported by OpenSSL.
*/
char *name = NULL;
char *mode_str = NULL;
const char *orig_name = NULL;
const EVP_CIPHER *cbc_cipher = NULL;
int block_size = EVP_CIPHER_block_size(cipher);
orig_name = cipher_kt_name(cipher);
if (!orig_name)
{
goto cleanup;
}
name = string_alloc(translate_cipher_name_to_openvpn(orig_name), NULL);
mode_str = strrchr(name, '-');
if (!mode_str || strlen(mode_str) < 4)
{
goto cleanup;
}
strcpy(mode_str, "-CBC");
cbc_cipher = EVP_get_cipherbyname(translate_cipher_name_from_openvpn(name));
if (cbc_cipher)
{
block_size = EVP_CIPHER_block_size(cbc_cipher);
}
cleanup:
free(name);
return block_size;
}
/*
* Build a struct key_type.
*/
void
init_key_type (struct key_type *kt, const char *ciphername,
bool ciphername_defined, const char *authname,
bool authname_defined, int keysize,
bool cfb_ofb_allowed, bool warn)
{
CLEAR (*kt);
if (ciphername && ciphername_defined)
{
kt->cipher = cipher_kt_get (translate_cipher_name_from_openvpn(ciphername));
kt->cipher_length = cipher_kt_key_size (kt->cipher);
if (keysize > 0 && keysize <= MAX_CIPHER_KEY_LENGTH)
kt->cipher_length = keysize;
/* check legal cipher mode */
{
if (!(cipher_kt_mode_cbc(kt->cipher)
#ifdef ENABLE_OFB_CFB_MODE
|| (cfb_ofb_allowed && cipher_kt_mode_ofb_cfb(kt->cipher))
#endif
))
msg (M_FATAL, "Cipher '%s' mode not supported", ciphername);
}
}
else
{
if (warn)
msg (M_WARN, "******* WARNING *******: null cipher specified, no encryption will be used");
}
if (authname && authname_defined)
{
kt->digest = md_kt_get (authname);
kt->hmac_length = md_kt_size (kt->digest);
}
else
{
if (warn)
msg (M_WARN, "******* WARNING *******: null MAC specified, no authentication will be used");
}
}
