Browse code
Make AEAD modes work with OpenSSL 1.0.1-1.0.1c
The 'nobody uses OpenSSL 1.0.1-1.0.1c'-gamble in commit 66407e11 (add AEAD
support) did not turn out well; apparently Ubuntu 12.04 LTS ships with a
broken OpenSSL 1.0.1. Since this is still a popular platform, re-add the
fixup code, now with a clear version check so it's easy to remove once we
drop support for OpenSSL 1.0.1.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1457256715-4467-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11322
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger authored on 2016/03/06 18:31:55Showing 1 changed files
| ... | ... |
@@ -450,6 +450,13 @@ openvpn_decrypt_aead (struct buffer *buf, struct buffer work, |
| 450 | 450 |
tag_ptr = BPTR(buf); |
| 451 | 451 |
ASSERT (buf_advance (buf, tag_size)); |
| 452 | 452 |
dmsg (D_PACKET_CONTENT, "DECRYPT MAC: %s", format_hex (tag_ptr, tag_size, 0, &gc)); |
| 453 |
+#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L |
|
| 454 |
+ /* OpenSSL <= 1.0.1c bug requires set tag before processing ciphertext */ |
|
| 455 |
+ if (!EVP_CIPHER_CTX_ctrl (ctx->cipher, EVP_CTRL_GCM_SET_TAG, tag_size, tag_ptr)) |
|
| 456 |
+ {
|
|
| 457 |
+ CRYPT_ERROR ("setting tag failed");
|
|
| 458 |
+ } |
|
| 459 |
+#endif |
|
| 453 | 460 |
|
| 454 | 461 |
if (buf->len < 1) |
| 455 | 462 |
{
|