The 'nobody uses OpenSSL 1.0.1-1.0.1c'-gamble in commit 66407e11 (add AEAD
support) did not turn out well; apparently Ubuntu 12.04 LTS ships with a
broken OpenSSL 1.0.1. Since this is still a popular platform, re-add the
fixup code, now with a clear version check so it's easy to remove once we
drop support for OpenSSL 1.0.1.
Signed-off-by: Steffan Karger <stef...@karger.me>
---
src/openvpn/crypto.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index bd86679..269ec4b 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -450,6 +450,13 @@ openvpn_decrypt_aead (struct buffer *buf, struct buffer
work,
tag_ptr = BPTR(buf);
ASSERT (buf_advance (buf, tag_size));
dmsg (D_PACKET_CONTENT, "DECRYPT MAC: %s", format_hex (tag_ptr, tag_size, 0,
&gc));
+#if defined(ENABLE_CRYPTO_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10001040L
+ /* OpenSSL <= 1.0.1c bug requires set tag before processing ciphertext */
+ if (!EVP_CIPHER_CTX_ctrl (ctx->cipher, EVP_CTRL_GCM_SET_TAG, tag_size,
tag_ptr))
+ {
+ CRYPT_ERROR ("setting tag failed");
+ }
+#endif
if (buf->len < 1)
{
--
2.5.0
