Message ID | 1539242400-27614-1-git-send-email-steffan.karger@fox-it.com |
---|---|
State | Accepted, archived |
Series | [Openvpn-devel] mbedtls: don't print unsupported ciphers in insecure cipher list |
Acked-by: Gert Doering <gert@greenie.muc.de>

This removes (checked by "diff") all non-CBC ciphers from "--show-ciphers" on mbedTLS builds again (like BLOWFISH-CTR, DES-EDE-ECB), and makes t_lpback.sh succeed again in "make check".

Sorry for not catching this yesterday already.

Your patch has been applied to the master branch.

commit 4ada4a7d8b3db7ae9722624d745c220fef4c77fd
Author: Steffan Karger
Date: Thu Oct 11 09:20:00 2018 +0200

    mbedtls: don't print unsupported ciphers in insecure cipher list

    Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
    Acked-by: Gert Doering <gert@greenie.muc.de>
    Message-Id: <1539242400-27614-1-git-send-email-steffan.karger@fox-it.com>
    URL: https://sourceforge.net/p/openvpn/mailman/message/36438012/
    Signed-off-by: Gert Doering <gert@greenie.muc.de>

--
kind regards,

Gert Doering
diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index 46c3c60..77e84c3 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -170,7 +170,8 @@ show_available_ciphers(void) while (*ciphers != 0) { const cipher_kt_t *info = mbedtls_cipher_info_from_type(*ciphers); - if (info && cipher_kt_insecure(info)) + if (info && cipher_kt_insecure(info) + && (cipher_kt_mode_aead(info) || cipher_kt_mode_cbc(info))) { print_cipher(info); }
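Review bot: the extended condition on the `if` in show_available_ciphers() has no comment saying why insecure ciphers in other modes are skipped, so the reason (OpenVPN refuses non-AEAD/CBC ciphers when you try to use them) lives only in the commit message. A one-line comment above the condition would make that visible at the call site. If the loop that prints the remaining ciphers applies the same `cipher_kt_mode_aead(info) || cipher_kt_mode_cbc(info)` test, consider moving it into a small shared helper so the two lists cannot drift apart in a later refactor.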
Commit 447997dd refactored the --show-ciphers code, but introduced a bug in mbedtls builds where non-AEAD/CBC ciphers were printed too. Those are however unsupported (as openvpn will tell you when you try to use them).

This fixes that bug.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
---
 src/openvpn/crypto_mbedtls.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)