From patchwork Thu Oct 23 15:35:08 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gert Doering X-Patchwork-Id: 4525 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:7d42:b0:72f:f16c:e055 with SMTP id fr2csp8065248mab; Thu, 23 Oct 2025 08:35:35 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCV3SRI5Wosftb//QNmXtdiPLHMFjob1P97v3dI7YTgju0746tIePOolVLJbSEE+oFyL7jxT0428MjI=@openvpn.net X-Google-Smtp-Source: AGHT+IFa2U913R0AM/OTkce8/GNjVU2rH+aIE1gXAc/mps4gEwFvulovtBhvM2zf+KP8JEvolo5O X-Received: by 2002:a05:6808:1993:b0:438:bdb0:8999 with SMTP id 5614622812f47-443a2e90fe3mr9944228b6e.1.1761233734812; Thu, 23 Oct 2025 08:35:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1761233734; cv=none; d=google.com; s=arc-20240605; b=BJTRUb9fkuBta03+EScbIrgmRzwUXIaY4YLlY5ZarRMklHyLfDAq3nyrFH7r493jrN soQumpcibTHSPTE/8h4wRpFSLUGRxvyHeAdcrcDzVGey5jjCW65lNJVm+4z1SBjPy/Tk 9heYRxcP/H7JNJrlDlrWjnS9OyvkeIlC81ws8uJesrrFLOA2s1Pk53x+DZl47Vbsp5W5 a6wdte/0NHWFgfKU724UsPrRlOehCw0Xfb/umhgulTlmSnddVyKXuw5VWliBmCqJWxoj UdNHZv0jCo+ZfOwubJBW7wkjwhJmFvNskuEOsgxRqsk0BcPVlylGaSWMYULOM9QSBroX GvuA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature:dkim-signature; bh=nSd9qUj6LxDWX4BJ1p5O3m8LHVJqf2TWclY59E4JZjA=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=kevHbQq+brf4j7zsyz7Fotoa22Q9yhpLPhplEOlD6JJkHFJBv3SVzRpyvlm66haBiS vcPsISbFeSvqRan+bvP8LFPStdBj3LMMPqysTZHUm/8Jd4jQNK7svQq8tO+jb3iPAiBU ULu+syOuIu9V0TGgqrpbeEgZFfa5z/7HmfabfiEJ6tAVKruVAwhGVOz0VHbAyEgJISgB 5nqthmS2IX07tXFCoJSNfzLnZW3Wn81g4YpU2DWDLOZP/g6do2xdXB5nxS0v8ed5UjAz L7EEE8RzOYNmrTh79lHSbNHSrjocGfgHgf/BZaQSUe+DO4c+QVL8vCn269zaNhkFQnb3 3l3Q==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=OHJa84M2; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=Y+pyPadM; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=Lz3Add9i; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 5614622812f47-44bd448148esi515281b6e.182.2025.10.23.08.35.34 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 23 Oct 2025 08:35:34 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=pass header.i=@lists.sourceforge.net header.s=beta header.b=OHJa84M2; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=Y+pyPadM; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=Lz3Add9i; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.sourceforge.net; s=beta; h=Content-Transfer-Encoding:Content-Type: List-Subscribe:List-Help:List-Post:List-Archive:List-Unsubscribe:List-Id: Subject:MIME-Version:References:In-Reply-To:Message-ID:Date:To:From:Sender: Reply-To:Cc:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=nSd9qUj6LxDWX4BJ1p5O3m8LHVJqf2TWclY59E4JZjA=; b=OHJa84M2QMPnOrA91vDuFTqRg3 UVdwcsAVoR6pxLO4DbPT088XUomeKyEMi0YWf7/QoFuaX/BlBDBA7otbo28dmRluBfxQc+wytADlv 34WCh4F/fdMI1OXqfUiQJg+/1FjYb/n6YtIkBiS7A+MGX7KZloiceQXE8w66idS/TIQY=; Received: from [127.0.0.1] (helo=sfs-ml-1.v29.lw.sourceforge.com) by sfs-ml-1.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1vBxLd-0007UN-IB; Thu, 23 Oct 2025 15:35:29 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-1.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1vBxLc-0007UH-JC for openvpn-devel@lists.sourceforge.net; Thu, 23 Oct 2025 15:35:28 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=erDRi3VtQOO65zJy+TBktEQNZqEd9zkmsbSEfmSbHPM=; b=Y+pyPadMMumt8AGUVQ/ejdYWFb LsD0QtRWsvV3yD0QXk0hS99S6bYtbVZep3QY1V/7viD7erzIvRE82nO3yIaUSQG6Ss+0pEkegoo1p YhUdA6ushMoqy9gClCRmmknb/sYET4zRISAXf4lzZ01L+Q7RYeVxUP4ZTJ90UWFKpoeQ=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=erDRi3VtQOO65zJy+TBktEQNZqEd9zkmsbSEfmSbHPM=; b=Lz3Add9iS0/0Sof0MpMxZ7XszB tUyt1NYf3l/vdSn2qIekvUVU2w/RB0dpqr6sHjNq0YnCJbnaC8q8BnJYNBkcNcPLaOfrtHHawHZeE FbCYCC7eWDpyIpCbhNsFdgRpRwQa8hH5tTx5rXBcto6fTsXDQSvUXjEwYDPT/U4iDJ8A=; Received: from [193.149.48.134] (helo=blue.greenie.muc.de) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1vBxLb-0001at-8X for openvpn-devel@lists.sourceforge.net; Thu, 23 Oct 2025 15:35:28 +0000 Received: from blue.greenie.muc.de (localhost [127.0.0.1]) by blue.greenie.muc.de (8.18.1/8.18.1) with ESMTP id 59NFZFaM018710 for ; Thu, 23 Oct 2025 17:35:15 +0200 Received: (from gert@localhost) by blue.greenie.muc.de (8.18.1/8.18.1/Submit) id 59NFZFFF018709 for openvpn-devel@lists.sourceforge.net; Thu, 23 Oct 2025 17:35:15 +0200 From: Gert Doering To: openvpn-devel@lists.sourceforge.net Date: Thu, 23 Oct 2025 17:35:08 +0200 Message-ID: <20251023153514.18691-1-gert@greenie.muc.de> X-Mailer: git-send-email 2.49.1 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: 1.3 (+) X-Spam-Report: Spam detection software, running on the system "sfi-spamd-2.hosts.colo.sdot.me", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Arne Schwabe These ciphers claim to be CBC but since they are also include an HMAC are more a mix of AEAD and CBC. Nevertheless, we do not support these and also have no (good) reason to support them. Content analysis details: (1.3 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#DnsBlocklists-dnsbl-block for more information. [193.149.48.134 listed in list.dnswl.org] 1.3 RDNS_NONE Delivered to internal network by a host with no rDNS X-Headers-End: 1vBxLb-0001at-8X Subject: [Openvpn-devel] [PATCH v1] Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0 X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1846787424568388567?= X-GMAIL-MSGID: =?utf-8?q?1846787424568388567?= From: Arne Schwabe These ciphers claim to be CBC but since they are also include an HMAC are more a mix of AEAD and CBC. Nevertheless, we do not support these and also have no (good) reason to support them. Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d Signed-off-by: Arne Schwabe Acked-by: Gert Doering Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1295 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to release/2.6. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1295 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 331af99..280389c 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -798,7 +798,8 @@ #ifdef EVP_CIPH_FLAG_CTS && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS) #endif - && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)); + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC)); EVP_CIPHER_free(cipher); return ret; } diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index c9fa719..03ece13 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -817,4 +817,9 @@ #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +/* Introduced in OpenSSL 3.6.0 */ +#ifndef EVP_CIPH_FLAG_ENC_THEN_MAC +#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000 +#endif + #endif /* OPENSSL_COMPAT_H_ */