| Message ID | 20251023153514.18691-1-gert@greenie.muc.de |
|---|---|
| State | New |
| Series | [Openvpn-devel,v1] Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0 |
This is basically the same as commit a69d9b665 on master, but due to
context/formatting changes it did not directly apply and Arne was so
nice and did a 2.6 version.
BB says this is all good, did not wait for GHA results.
Your patch has been applied to the release/2.6 branch (long-term compat).
commit 0848531640f670f7f6bb79833223ac8a05c1b36e
Author: Arne Schwabe
Date: Thu Oct 23 17:35:08 2025 +0200
Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Gert Doering <gert@greenie.muc.de>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1295
Message-Id: <20251023153514.18691-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33849.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
--
kind regards,
Gert Doering
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 331af99..280389c 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -798,7 +798,8 @@ #ifdef EVP_CIPH_FLAG_CTS && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS) #endif - && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)); + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC)); EVP_CIPHER_free(cipher); return ret; } diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index c9fa719..03ece13 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -817,4 +817,9 @@ #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +/* Introduced in OpenSSL 3.6.0 */ +#ifndef EVP_CIPH_FLAG_ENC_THEN_MAC +#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000 +#endif + #endif /* OPENSSL_COMPAT_H_ */
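Review bot: the new `&& !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC)` term in the crypto_openssl.c hunk at -798 has no comment saying why encrypt-then-mac ciphers have to be excluded at this point, and the commit message consists of a subject line only. A short comment above the condition that names the reason would help whoever touches this expression next. As a style point, the expression now calls EVP_CIPHER_flags(cipher) once per flag; reading the flags into a local once and testing against the individual bits would be easier to follow, with the EVP_CIPH_FLAG_CTS test kept under its #ifdef.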
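Review bot: the fallback `#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000` in the openssl_compat.h hunk at -817 hard-codes a bit value, while its comment only says when the flag was introduced. Please state in the comment that the value has to match OpenSSL's own definition, and whether the fallback is meant to cover builds against pre-3.6.0 headers that later run with a 3.6.0 library; without that a reader cannot tell whether the new test in crypto_openssl.c is expected to have any effect in such builds.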