From 0848531640f670f7f6bb79833223ac8a05c1b36e Mon Sep 17 00:00:00 2001
From: Arne Schwabe
Date: Thu, 23 Oct 2025 17:35:08 +0200
Subject: [PATCH] Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
These ciphers claim to be CBC but since they are also include an HMAC are more a mix of AEAD and CBC. Nevertheless, we do not support these and also have no (good) reason to support them.
Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d
Signed-off-by: Arne Schwabe
Acked-by: Gert Doering
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1295
Message-Id: <20251023153514.18691-1-gert@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg33849.html
Signed-off-by: Gert Doering
---
 src/openvpn/crypto_openssl.c | 3 ++-
 src/openvpn/openssl_compat.h | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 331af996..280389cc 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -798,7 +798,8 @@ cipher_kt_mode_cbc(const char *ciphername)
 #ifdef EVP_CIPH_FLAG_CTS
 && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS)
 #endif
- && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER));
+ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)
+ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC));
 EVP_CIPHER_free(cipher);
 return ret;
 }
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index c9fa7196..03ece132 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -817,4 +817,9 @@ ERR_get_error_all(const char **file, int *line,
 #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+/* Introduced in OpenSSL 3.6.0 */
+#ifndef EVP_CIPH_FLAG_ENC_THEN_MAC
+#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000
+#endif
+
 #endif /* OPENSSL_COMPAT_H_ */
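Review bot: The added `EVP_CIPH_FLAG_ENC_THEN_MAC` term in `cipher_kt_mode_cbc` has no in-code explanation, so the reason these ciphers are excluded lives only in the commit message. A comment above the condition such as `/* OpenSSL 3.6.0 encrypt-then-mac ciphers report CBC mode but bundle an HMAC; not supported */` would keep the check from being dropped in a later cleanup. The condition now calls `EVP_CIPHER_flags(cipher)` up to three times; reading it once into a local (`const unsigned long flags = EVP_CIPHER_flags(cipher);`) would make the flag tests easier to audit. The function starts outside the hunk, and its callers are not shown, so it is worth confirming that a cipher name rejected here is refused as unsupported rather than accepted through another mode check.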
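Review bot: The fallback `#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000` in openssl_compat.h copies a bit value out of OpenSSL's header, and the comment does not say why it is wanted on older builds or that the value has to stay in step with `<openssl/evp.h>`. Presumably it lets a binary compiled against pre-3.6.0 headers still filter these ciphers when it loads a 3.6.0 library at run time; if that is the intent, the comment should say so, e.g. `/* Introduced in OpenSSL 3.6.0; defined here so builds against older headers still exclude these ciphers. Must match <openssl/evp.h>. */`.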