Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0

These ciphers claim to be CBC but since they are also include an HMAC are more a mix of AEAD and CBC. Nevertheless, we do not support these and also have no (good) reason to support them. Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d Signed-off-by: Arne Schwabe <arne@rfc2549.org> Acked-by: Gert Doering <gert@greenie.muc.de> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1295 Message-Id: <20251023153514.18691-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33849.html Signed-off-by: Gert Doering <gert@greenie.muc.de>
2026-05-28 04:03:29 -04:00 · 2025-10-23 17:35:08 +02:00 · 2025-10-23 17:35:08 +02:00 · 0848531640
commit 0848531640
parent cf6c12f92a
2 changed files with 7 additions and 1 deletions
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@ -798,7 +798,8 @@ cipher_kt_mode_cbc(const char *ciphername)
 #ifdef EVP_CIPH_FLAG_CTS
                          && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS)
 #endif
-                          && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER));
+                          && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)
+                          && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC));
    EVP_CIPHER_free(cipher);
    return ret;
 }
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@ -817,4 +817,9 @@ ERR_get_error_all(const char **file, int *line,

 #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */

+/* Introduced in OpenSSL 3.6.0 */
+#ifndef EVP_CIPH_FLAG_ENC_THEN_MAC
+#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000
+#endif
+
 #endif /* OPENSSL_COMPAT_H_ */