int cipher_kt_block_size(const EVP_CIPHER *cipher) { /* * OpenSSL reports OFB/CFB/GCM cipher block sizes as '1 byte'. To work * around that, try to replace the mode with 'CBC' and return the block size * reported for that cipher, if possible. If that doesn't work, just return * the value reported by OpenSSL. */ char *name = NULL; char *mode_str = NULL; const char *orig_name = NULL; const EVP_CIPHER *cbc_cipher = NULL; int block_size = EVP_CIPHER_block_size(cipher); orig_name = cipher_kt_name(cipher); if (!orig_name) { goto cleanup; } name = string_alloc(translate_cipher_name_to_openvpn(orig_name), NULL); mode_str = strrchr(name, '-'); if (!mode_str || strlen(mode_str) < 4) { goto cleanup; } strcpy(mode_str, "-CBC"); cbc_cipher = EVP_get_cipherbyname(translate_cipher_name_from_openvpn(name)); if (cbc_cipher) { block_size = EVP_CIPHER_block_size(cbc_cipher); } cleanup: free(name); return block_size; }
/* * Build a struct key_type. */ void init_key_type (struct key_type *kt, const char *ciphername, bool ciphername_defined, const char *authname, bool authname_defined, int keysize, bool cfb_ofb_allowed, bool warn) { CLEAR (*kt); if (ciphername && ciphername_defined) { kt->cipher = cipher_kt_get (translate_cipher_name_from_openvpn(ciphername)); kt->cipher_length = cipher_kt_key_size (kt->cipher); if (keysize > 0 && keysize <= MAX_CIPHER_KEY_LENGTH) kt->cipher_length = keysize; /* check legal cipher mode */ { if (!(cipher_kt_mode_cbc(kt->cipher) #ifdef ENABLE_OFB_CFB_MODE || (cfb_ofb_allowed && cipher_kt_mode_ofb_cfb(kt->cipher)) #endif )) msg (M_FATAL, "Cipher '%s' mode not supported", ciphername); } } else { if (warn) msg (M_WARN, "******* WARNING *******: null cipher specified, no encryption will be used"); } if (authname && authname_defined) { kt->digest = md_kt_get (authname); kt->hmac_length = md_kt_size (kt->digest); } else { if (warn) msg (M_WARN, "******* WARNING *******: null MAC specified, no authentication will be used"); } }