mbedtls: don't print unsupported ciphers in insecure cipher list

Commit 447997dd refactored the --show-ciphers code, but introduced a bug
in mbedtls builds where non-AEAD/CBC ciphers were printed too. Those are
however unsupported (as openvpn will tell you when you try to use them).

This fixes that bug.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1539242400-27614-1-git-send-email-steffan.karger@fox-it.com>
URL: https://sourceforge.net/p/openvpn/mailman/message/36438012/
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Steffan Karger authored on 2018/10/11 16:20:00
Showing 1 changed files
@@ -170,7 +170,8 @@ show_available_ciphers(void)
170 170
     while (*ciphers != 0)
171 171
     {
172 172
         const cipher_kt_t *info = mbedtls_cipher_info_from_type(*ciphers);
173
-        if (info && cipher_kt_insecure(info))
173
+        if (info && cipher_kt_insecure(info)
174
+            && (cipher_kt_mode_aead(info) || cipher_kt_mode_cbc(info)))
174 175
         {
175 176
             print_cipher(info);
176 177
         }
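Review bot: The added mode test on the `if` inside the `while (*ciphers != 0)` loop has no comment explaining why only AEAD and CBC modes qualify, so the next refactor of show_available_ciphers() could drop it again just as the commit message says the previous one did. A one-line comment above the condition stating that other modes are unsupported would document the intent. If the loop that prints the non-insecure ciphers applies the same mode filter (it is not visible in this hunk), moving the `cipher_kt_mode_aead(info) || cipher_kt_mode_cbc(info)` test into one small helper used by both loops would keep the two lists from diverging.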