From: Steffan Karger Date: Thu, 11 Oct 2018 07:20:00 +0000 (+0200) Subject: mbedtls: don't print unsupported ciphers in insecure cipher list X-Git-Tag: v2.5_beta1~403 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4ada4a7d8b3db7ae9722624d745c220fef4c77fd;p=thirdparty%2Fopenvpn.git mbedtls: don't print unsupported ciphers in insecure cipher list Commit 447997dd refactored the --show-ciphers code, but introduced a bug in mbedtls builds where non-AEAD/CBC cipher were printed too. Those are however unsupported (as openvpn will tell you when you try to use them). This fixes that bug. Signed-off-by: Steffan Karger Acked-by: Gert Doering Message-Id: <1539242400-27614-1-git-send-email-steffan.karger@fox-it.com> URL: https://sourceforge.net/p/openvpn/mailman/message/36438012/ Signed-off-by: Gert Doering --- diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c index 46c3c606d..77e84c3c3 100644 --- a/src/openvpn/crypto_mbedtls.c +++ b/src/openvpn/crypto_mbedtls.c @@ -170,7 +170,8 @@ show_available_ciphers(void) while (*ciphers != 0) { const cipher_kt_t *info = mbedtls_cipher_info_from_type(*ciphers); - if (info && cipher_kt_insecure(info)) + if (info && cipher_kt_insecure(info) + && (cipher_kt_mode_aead(info) || cipher_kt_mode_cbc(info))) { print_cipher(info); }
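Review bot: The added mode test in the insecure-cipher loop of show_available_ciphers(), `&& (cipher_kt_mode_aead(info) || cipher_kt_mode_cbc(info))`, carries no comment saying why ciphers in other modes are skipped. The commit message says this filter went missing in the 447997dd refactor, so the condition is easy to lose again. A one-line comment above the `if` stating that openvpn only supports AEAD and CBC ciphers would document the intent. If the other listing loop in this function applies the same mode test, moving it into a small helper used by both would keep the two lists from diverging. The listing is what an operator reads to decide which ciphers can be configured, so it should only advertise what the runtime will accept.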