From: Arne Schwabe Date: Wed, 21 Apr 2021 12:34:15 +0000 (+0200) Subject: Allow all GCM ciphers X-Git-Tag: v2.6_beta1~527 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f168c9ac6c0be5145b5c19c6e79634edf158262;p=thirdparty%2Fopenvpn.git Allow all GCM ciphers OpenSSL also allows ARIA-GCM and that works well with our implementation While the handpicked list was needed for earlier OpenSSL versions (and is still needed for Chacha20-Poly1305), the API nowadays with OpenSSL 1.0.2 and 1.1.x works as expected. Patch V2: Remove special cases for AES-GCM ciphers. Signed-off-by: Arne Schwabe Acked-by: Gert Doering Message-Id: <20210421123415.1942917-1-arne@rfc2549.org> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg22168.html Signed-off-by: Gert Doering --- diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c index f8b36bf85..57731ed79 100644 --- a/src/openvpn/crypto_openssl.c +++ b/src/openvpn/crypto_openssl.c @@ -728,16 +728,17 @@ cipher_kt_mode_aead(const cipher_kt_t *cipher) { if (cipher) { - switch (EVP_CIPHER_nid(cipher)) + if (EVP_CIPHER_mode(cipher) == OPENVPN_MODE_GCM) { - case NID_aes_128_gcm: - case NID_aes_192_gcm: - case NID_aes_256_gcm: + return true; + } + #ifdef NID_chacha20_poly1305 - case NID_chacha20_poly1305: -#endif - return true; + if (EVP_CIPHER_nid(cipher) == NID_chacha20_poly1305) + { + return true; } +#endif } return false;
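Review bot: In cipher_kt_mode_aead, the new `if (EVP_CIPHER_mode(cipher) == OPENVPN_MODE_GCM)` branch turns an explicit allowlist of three AES-GCM NIDs into a mode test, so every cipher the linked OpenSSL reports as GCM is now treated as AEAD, while the commit message names only ARIA-GCM. Please add a short comment above that check recording the reasoning from the commit message: the mode query is reliable with OpenSSL 1.0.2 and 1.1.x, and ChaCha20-Poly1305 still needs the NID comparison under `#ifdef NID_chacha20_poly1305`. Without it the asymmetry between the two branches is unexplained to the next reader. It would also help to state which non-AES GCM ciphers were actually exercised, since the set accepted here now depends on the OpenSSL build rather than on this file.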