From ec882d0140b14571b103ea0b3195599e6f503555 Mon Sep 17 00:00:00 2001
From: Vladislav Sapegin
Date: Mon, 30 Jun 2025 12:39:26 +0300
Subject: [PATCH] crypto: Improve AEAD cipher detection logic
Modified cipher_kt_mode_aead() to: 1. Use the same detection approach as cipher_ctx_mode_aead() by checking EVP_CIPH_FLAG_AEAD_CIPHER flag instead of mode comparison 2. Apply identical version handling for ChaCha20-Poly1305: - Special case only for OpenSSL < 3.0.0 - Same NID check condition This change makes AEAD detection more robust and future-proof, especially for OpenSSL 3.0+ compatibility.
---
 src/openvpn/crypto_openssl.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 88b35806c8e..12893441949 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -821,15 +821,16 @@ cipher_kt_mode_aead(const char *ciphername)
 evp_cipher_type *cipher = cipher_get(ciphername);
 if (cipher)
 {
- if (EVP_CIPHER_mode(cipher) == OPENVPN_MODE_GCM)
+ int flags = EVP_CIPHER_flags(cipher);
+ if (flags & EVP_CIPH_FLAG_AEAD_CIPHER)
 {
 isaead = true;
 }
-#ifdef NID_chacha20_poly1305
+#if defined(NID_chacha20_poly1305) && OPENSSL_VERSION_NUMBER < 0x30000000L
 if (EVP_CIPHER_nid(cipher) == NID_chacha20_poly1305)
 {
- isaead = true;
+ isaead = true;
 }
 #endif
 }
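Review bot: The new test `if (flags & EVP_CIPH_FLAG_AEAD_CIPHER)` accepts more ciphers than the `EVP_CIPHER_mode(cipher) == OPENVPN_MODE_GCM` comparison it replaces, because OpenSSL also sets that flag on CCM and OCB ciphers and on the TLS-only CBC-HMAC composites such as AES-128-CBC-HMAC-SHA1. If callers treat cipher_kt_mode_aead() as the gate for which ciphers may be configured and then apply GCM/ChaCha20-Poly1305 IV and tag handling (the callers and the rest of this function lie outside the hunk), those ciphers would now pass a check they previously failed. Keeping an explicit allowlist next to the flag would avoid that, for example `if ((flags & EVP_CIPH_FLAG_AEAD_CIPHER) && EVP_CIPHER_mode(cipher) == OPENVPN_MODE_GCM)` with the ChaCha20-Poly1305 NID branch left under plain `#ifdef NID_chacha20_poly1305`. Separately, EVP_CIPHER_flags() returns `unsigned long`, so `unsigned long flags = EVP_CIPHER_flags(cipher);` avoids the narrowing to `int`.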