[Openvpn-devel] [PATCH] mbedtls: don't print unsupported ciphers in insecure cipher list

Steffan Karger Thu, 11 Oct 2018 00:21:31 -0700

Commit 447997dd refactored the --show-ciphers code, but introduced a bug
in mbedtls builds where non-AEAD/CBC cipher were printed too.  Those are
however unsupported (as openvpn will tell you when you try to use them).


This fixes that bug.

Signed-off-by: Steffan Karger <steffan.kar...@fox-it.com>
---
 src/openvpn/crypto_mbedtls.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/openvpn/crypto_mbedtls.c b/src/openvpn/crypto_mbedtls.c
index 46c3c60..77e84c3 100644
--- a/src/openvpn/crypto_mbedtls.c
+++ b/src/openvpn/crypto_mbedtls.c
@@ -170,7 +170,8 @@ show_available_ciphers(void)
     while (*ciphers != 0)
     {
         const cipher_kt_t *info = mbedtls_cipher_info_from_type(*ciphers);
-        if (info && cipher_kt_insecure(info))
+        if (info && cipher_kt_insecure(info)
+            && (cipher_kt_mode_aead(info) || cipher_kt_mode_cbc(info)))
         {
             print_cipher(info);
         }
-- 
2.7.4



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH] mbedtls: don't print unsupported ciphers in insecure cipher list

Reply via email to