Branch: refs/heads/stable1-proposed
Home: https://github.com/kronosnet/kronosnet
Commit: 49ef95aea3bb5a223ec12c2e33e855c8948c0204
https://github.com/kronosnet/kronosnet/commit/49ef95aea3bb5a223ec12c2e33e85…
Author: Jan Friesse <jfriesse(a)redhat.com>
Date: 2023-08-14 (Mon, 14 Aug 2023)
Changed paths:
M libknet/crypto.c
Log Message:
-----------
[crypto] Try crypt and decrypt on crypto_init

Crypt (or decrypt) operation might fail in some cases even when
initialization succeeded. This problem is known to happen when
FIPS mode is enabled and combination of openssl/aes192 and md5 is used.

This was not caught during crypto_init so knet user (corosync) was
not aware of non-working crypto so it couldn't handle it - and couldn't
send/receive any packets.

Solution is to try crypt, decrypt and compare of result buffer right
after new crypto_instance is created. If any of these operations fails,
whole crypto_init fails, crypto_instance is freed and knet user is
notified by receiving non-zero return code.

Signed-off-by: Jan Friesse <jfriesse(a)redhat.com>
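
The check the log message describes (crypt, decrypt and compare right after initialization, with init failing if any step fails), sketched in C as an added example. This is not the code from the commit: the `backend` and `instance` types, `instance_init`, and the XOR stand-in backends are hypothetical and constructed for the illustration.

```c
#include <string.h>

/* All names below are hypothetical; this is not libknet's API. */
typedef int (*op_fn)(void *ctx, const unsigned char *in, size_t len, unsigned char *out, size_t *out_len);
struct backend { int (*init)(void **ctx); op_fn crypt, decrypt; void (*fini)(void *ctx); };
struct instance { const struct backend *ops; void *ctx; };

/* Crypt a fixed buffer, decrypt it, compare: 0 only if all three steps pass. */
static int self_test(const struct instance *inst)
{
	static const unsigned char plain[] = "constructed self-test payload";
	unsigned char enc[64], dec[64];
	size_t enc_len = sizeof(enc), dec_len = sizeof(dec);
	if (inst->ops->crypt(inst->ctx, plain, sizeof(plain), enc, &enc_len) != 0 ||
	    inst->ops->decrypt(inst->ctx, enc, enc_len, dec, &dec_len) != 0)
		return -1;
	return (dec_len == sizeof(plain) && memcmp(plain, dec, dec_len) == 0) ? 0 : -1;
}

/* Returns 0 on success, -1 if backend init or the post-init self-test fails. */
int instance_init(struct instance *inst, const struct backend *ops)
{
	inst->ops = ops;
	if (ops->init(&inst->ctx) != 0)
		return -1;
	if (self_test(inst) == 0)
		return 0;
	ops->fini(inst->ctx);	/* init passed but operations do not: tear down */
	return -1;
}

/* Constructed stand-ins (XOR is not encryption). A non-NULL ctx models a mode
 * where init succeeds but every operation is refused, as in the log message. */
static int policy_on;
static int plain_init(void **ctx) { *ctx = NULL; return 0; }
static int policy_init(void **ctx) { *ctx = &policy_on; return 0; }
static void no_fini(void *ctx) { (void)ctx; }
static int xor_op(void *ctx, const unsigned char *in, size_t len, unsigned char *out, size_t *out_len)
{
	if (ctx != NULL || len > *out_len)
		return -1;
	for (size_t i = 0; i < len; i++)
		out[i] = in[i] ^ 0x5a;
	*out_len = len;
	return 0;
}
const struct backend good_backend = { plain_init, xor_op, xor_op, no_fini };
const struct backend refusing_backend = { policy_init, xor_op, xor_op, no_fini };
```

`instance_init` returns 0 for `good_backend` and -1 for `refusing_backend`, so the caller learns at setup time, rather than on the first packet, that the configured crypto cannot be used.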