From patchwork Tue Oct 19 07:31:21 2021
X-Patchwork-Submitter: Arne Schwabe
X-Patchwork-Id: 2026
From: Arne Schwabe
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 19 Oct 2021 20:31:21 +0200
Message-Id: <20211019183127.614175-16-arne@rfc2549.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20211019183127.614175-1-arne@rfc2549.org>
References: <20211019183127.614175-1-arne@rfc2549.org>
Subject: [Openvpn-devel] [PATCH v3 15/21] [OSSL 3.0] Do not allow CTS ciphers

We do not support CTS (cipher text stealing) algorithms.
Signed-off-by: Arne Schwabe Acked-by: Max Fillinger --- src/openvpn/crypto_openssl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index ab552efab..ac8287440 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -760,6 +760,9 @@ cipher_kt_mode_cbc(const cipher_kt_t *cipher) { return cipher && cipher_kt_mode(cipher) == OPENVPN_MODE_CBC /* Exclude AEAD cipher modes, they require a different API */ +#ifdef EVP_CIPH_FLAG_CTS + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS) +#endif && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER); }
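Review bot: the new `#ifdef EVP_CIPH_FLAG_CTS` block is inserted between the existing comment `/* Exclude AEAD cipher modes, they require a different API */` and the `EVP_CIPH_FLAG_AEAD_CIPHER` test that comment describes, so after the patch the comment reads as if it explained the CTS exclusion. Either place the CTS test after the AEAD test, or give it its own one-line comment stating why CTS ciphers are rejected here; the commit message only says they are unsupported, and a reader of `cipher_kt_mode_cbc()` will want the reason (for instance that CTS produces ciphertext that is not a whole number of blocks and therefore does not fit the padded CBC path, if that is the rationale). The `#ifdef` guard itself is the right shape for OpenSSL versions that predate the flag: when `EVP_CIPH_FLAG_CTS` is undefined the expression reduces to the previous one unchanged. One thing not visible in this hunk is what callers do when `cipher_kt_mode_cbc()` now returns false for a CTS cipher; it is worth confirming that the user gets an error naming the cipher as unsupported rather than a less specific mode error. Minor: the commit message reads "CTS algorithms (cipher text stealing) algorithms", with "algorithms" duplicated.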