From patchwork Tue Oct 19 18:31:21 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: [Openvpn-devel,v3,15/21,OSSL,3.0] Do not allow CTS ciphers
X-Patchwork-Submitter: Arne Schwabe <arne@rfc2549.org>
X-Patchwork-Id: 2026
Message-Id: <20211019183127.614175-16-arne@rfc2549.org>
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:21 +0200
From: Arne Schwabe <arne@rfc2549.org>
List-Id: <openvpn-devel.lists.sourceforge.net>

We do not support CTS algorithms (cipher text stealing) algorithms.

Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
---
 src/openvpn/crypto_openssl.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index ab552efab..ac8287440 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -760,6 +760,9 @@ cipher_kt_mode_cbc(const cipher_kt_t *cipher)
 {
     return cipher && cipher_kt_mode(cipher) == OPENVPN_MODE_CBC
            /* Exclude AEAD cipher modes, they require a different API */
+#ifdef EVP_CIPH_FLAG_CTS
+           && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS)
+#endif
            && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER);
 }