From: Steffan Karger <steffan@karger.me>
Date: Sun, 6 Mar 2016 09:31:55 +0000 (+0100)
Subject: Make AEAD modes work with OpenSSL 1.0.1-1.0.1c
X-Git-Tag: v2.4_alpha1~125
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=13de0103ea361e2be24ab8b16f5be269c6ab7496;p=thirdparty%2Fopenvpn.git

Make AEAD modes work with OpenSSL 1.0.1-1.0.1c

The 'nobody uses OpenSSL 1.0.1-1.0.1c'-gamble in commit 66407e11 (add AEAD
support) did not turn out well; apparently Ubuntu 12.04 LTS ships with a
broken OpenSSL 1.0.1.  Since this is still a popular platform, re-add the
fixup code, now with a clear version check so it's easy to remove once we
drop support for OpenSSL 1.0.1.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1457256715-4467-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/11322
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index bd866799b..269ec4b53 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -450,6 +450,13 @@ openvpn_decrypt_aead (struct buffer *buf, struct buffer work,
   tag_ptr = BPTR(buf);
   ASSERT (buf_advance (buf, tag_size));
   dmsg (D_PACKET_CONTENT, "DECRYPT MAC: %s", format_hex (tag_ptr, tag_size, 0, &gc));
+#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L
+  /* OpenSSL <= 1.0.1c bug requires set tag before processing ciphertext */
+  if (!EVP_CIPHER_CTX_ctrl (ctx->cipher, EVP_CTRL_GCM_SET_TAG, tag_size, tag_ptr))
+    {
+      CRYPT_ERROR ("setting tag failed");
+    }
+#endif
 
   if (buf->len < 1)
     {