Menu
▾
▴
openvpn-devel
|
From: plaisthos (C. Review) <ge...@op...> - 2025-10-23 11:20:19
|
Attention is currently required from: flichtenheld.
Hello flichtenheld,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/1295?usp=email
to review the following change.
Change subject: Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
......................................................................
Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
These ciphers claim to be CBC but since they are also include an HMAC
are more a mix of AEAD and CBC. Nevertheless, we do not support these
and also have no (good) reason to support them.
Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d
Signed-off-by: Arne Schwabe <ar...@rf...>
---
M src/openvpn/crypto_openssl.c
M src/openvpn/openssl_compat.h
2 files changed, 7 insertions(+), 1 deletion(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/95/1295/1
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 331af99..280389c 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -798,7 +798,8 @@
#ifdef EVP_CIPH_FLAG_CTS
&& !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS)
#endif
- && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER));
+ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)
+ && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC));
EVP_CIPHER_free(cipher);
return ret;
}
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index c9fa719..03ece13 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -817,4 +817,9 @@
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
+/* Introduced in OpenSSL 3.6.0 */
+#ifndef EVP_CIPH_FLAG_ENC_THEN_MAC
+#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000
+#endif
+
#endif /* OPENSSL_COMPAT_H_ */
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1295?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email
Gerrit-MessageType: newchange
Gerrit-Project: openvpn
Gerrit-Branch: release/2.6
Gerrit-Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d
Gerrit-Change-Number: 1295
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <arn...@rf...>
Gerrit-Reviewer: flichtenheld <fr...@li...>
Gerrit-CC: openvpn-devel <ope...@li...>
Gerrit-Attention: flichtenheld <fr...@li...>
|
|
From: cron2 (C. Review) <ge...@op...> - 2025-10-23 15:35:07
|
Attention is currently required from: flichtenheld, plaisthos. cron2 has posted comments on this change by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1295?usp=email ) Change subject: Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0 ...................................................................... Patch Set 1: Code-Review+2 -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1295?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: comment Gerrit-Project: openvpn Gerrit-Branch: release/2.6 Gerrit-Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d Gerrit-Change-Number: 1295 Gerrit-PatchSet: 1 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> Gerrit-Attention: plaisthos <arn...@rf...> Gerrit-Attention: flichtenheld <fr...@li...> Gerrit-Comment-Date: Thu, 23 Oct 2025 15:34:57 +0000 Gerrit-HasComments: No Gerrit-Has-Labels: Yes |
|
From: Gert D. <ge...@gr...> - 2025-10-23 15:35:28
|
From: Arne Schwabe <ar...@rf...> These ciphers claim to be CBC but since they are also include an HMAC are more a mix of AEAD and CBC. Nevertheless, we do not support these and also have no (good) reason to support them. Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1295 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to release/2.6. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1295 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering <ge...@gr...> diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 331af99..280389c 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -798,7 +798,8 @@ #ifdef EVP_CIPH_FLAG_CTS && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS) #endif - && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)); + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC)); EVP_CIPHER_free(cipher); return ret; } diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index c9fa719..03ece13 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -817,4 +817,9 @@ #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +/* Introduced in OpenSSL 3.6.0 */ +#ifndef EVP_CIPH_FLAG_ENC_THEN_MAC +#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000 +#endif + #endif /* OPENSSL_COMPAT_H_ */ |
|
From: Gert D. <ge...@gr...> - 2025-10-23 15:50:56
|
This is basically the same as commit a69d9b665 on master, but due to
context/formatting changes it did not directly apply and Arne was so
nice and did a 2.6 version.
BB says this is all good, did not wait for GHA results.
Your patch has been applied to the release/2.6 branch (long-term compat).
commit 0848531640f670f7f6bb79833223ac8a05c1b36e
Author: Arne Schwabe
Date: Thu Oct 23 17:35:08 2025 +0200
Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0
Signed-off-by: Arne Schwabe <ar...@rf...>
Acked-by: Gert Doering <ge...@gr...>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1295
Message-Id: <202...@gr...>
URL: https://www.mail-archive.com/ope...@li.../msg33849.html
Signed-off-by: Gert Doering <ge...@gr...>
--
kind regards,
Gert Doering
|
|
From: cron2 (C. Review) <ge...@op...> - 2025-10-23 15:51:05
|
cron2 has uploaded a new patch set (#2) to the change originally created by plaisthos. ( http://gerrit.openvpn.net/c/openvpn/+/1295?usp=email ) The following approvals got outdated and were removed: Code-Review+2 by cron2 Change subject: Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0 ...................................................................... Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0 These ciphers claim to be CBC but since they are also include an HMAC are more a mix of AEAD and CBC. Nevertheless, we do not support these and also have no (good) reason to support them. Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1295 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg33849.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/crypto_openssl.c M src/openvpn/openssl_compat.h 2 files changed, 7 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/95/1295/2 diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 331af99..280389c 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -798,7 +798,8 @@ #ifdef EVP_CIPH_FLAG_CTS && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS) #endif - && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)); + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC)); EVP_CIPHER_free(cipher); return ret; } diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index c9fa719..03ece13 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -817,4 +817,9 @@ #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +/* Introduced in OpenSSL 3.6.0 */ +#ifndef EVP_CIPH_FLAG_ENC_THEN_MAC +#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000 +#endif + #endif /* OPENSSL_COMPAT_H_ */ -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1295?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newpatchset Gerrit-Project: openvpn Gerrit-Branch: release/2.6 Gerrit-Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d Gerrit-Change-Number: 1295 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> |
|
From: cron2 (C. Review) <ge...@op...> - 2025-10-23 15:51:07
|
cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/1295?usp=email ) Change subject: Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0 ...................................................................... Do not try to use the encrypt-then-mac ciphers from OpenSSL 3.6.0 These ciphers claim to be CBC but since they are also include an HMAC are more a mix of AEAD and CBC. Nevertheless, we do not support these and also have no (good) reason to support them. Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d Signed-off-by: Arne Schwabe <ar...@rf...> Acked-by: Gert Doering <ge...@gr...> Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1295 Message-Id: <202...@gr...> URL: https://www.mail-archive.com/ope...@li.../msg33849.html Signed-off-by: Gert Doering <ge...@gr...> --- M src/openvpn/crypto_openssl.c M src/openvpn/openssl_compat.h 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index 331af99..280389c 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -798,7 +798,8 @@ #ifdef EVP_CIPH_FLAG_CTS && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_CTS) #endif - && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)); + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) + && !(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_ENC_THEN_MAC)); EVP_CIPHER_free(cipher); return ret; } diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h index c9fa719..03ece13 100644 --- a/src/openvpn/openssl_compat.h +++ b/src/openvpn/openssl_compat.h @@ -817,4 +817,9 @@ #endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +/* Introduced in OpenSSL 3.6.0 */ +#ifndef EVP_CIPH_FLAG_ENC_THEN_MAC +#define EVP_CIPH_FLAG_ENC_THEN_MAC 0x10000000 +#endif + #endif /* OPENSSL_COMPAT_H_ */ -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1295?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: merged Gerrit-Project: openvpn Gerrit-Branch: release/2.6 Gerrit-Change-Id: Iafe3c94b952cd3fbecf6f3d05816e5859f425e7d Gerrit-Change-Number: 1295 Gerrit-PatchSet: 2 Gerrit-Owner: plaisthos <arn...@rf...> Gerrit-Reviewer: cron2 <ge...@gr...> Gerrit-Reviewer: flichtenheld <fr...@li...> Gerrit-CC: openvpn-devel <ope...@li...> |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X