From: David Woodhouse Date: Mon, 10 Jun 2019 11:34:43 +0000 (+0100) Subject: Disable encrypt-then-mac where possible with DTLS and OpenSSL X-Git-Tag: v8.04~34 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=97cafd182f5a5c2d13f57d7faeac8432aea9bbf8;p=users%2Fdwmw2%2Fopenconnect.git Disable encrypt-then-mac where possible with DTLS and OpenSSL There is pain here. Just don't bother. Signed-off-by: David Woodhouse --- diff --git a/openssl-dtls.c b/openssl-dtls.c index 9e3c5d46..646bf71c 100644 --- a/openssl-dtls.c +++ b/openssl-dtls.c @@ -406,7 +406,17 @@ int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd) cipher = "PSK"; } #endif /* OPENSSL_NO_PSK */ - +#ifdef SSL_OP_NO_ENCRYPT_THEN_MAC + /* I'm fairly sure I wasn't lying when I said I had tested + * https://github.com/openssl/openssl/commit/e23d5071ec4c7aa6bb2b + * against GnuTLS both with and without EtM in 2016. + * Nevertheless, in 2019 it seems to be failing to negotiate + * at least for DTLS1_BAD_VER against ocserv with GnuTLS 3.6.7. + * Just turn it off. Real Cisco servers don't do it for + * DTLS1_BAD_VER, and we should be using GCM ciphersuites in + * newer versions of DTLS anyway so it's irrelevant. */ + SSL_CTX_set_options(vpninfo->dtls_ctx, SSL_OP_NO_ENCRYPT_THEN_MAC); +#endif /* If we don't readahead, then we do short reads and throw away the tail of data packets. */ SSL_CTX_set_read_ahead(vpninfo->dtls_ctx, 1);
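Review bot: The new `SSL_CTX_set_options(vpninfo->dtls_ctx, SSL_OP_NO_ENCRYPT_THEN_MAC);` call in `start_dtls_handshake()` is unconditional whenever the macro is defined, but the comment above it reports the negotiation failure only for DTLS1_BAD_VER against ocserv with GnuTLS 3.6.7. Because the option is set on the whole context, a CBC ciphersuite negotiated under a newer DTLS version would also lose encrypt-then-MAC and fall back to MAC-then-encrypt. If the protocol version is known at this point, consider setting the option only on the DTLS1_BAD_VER path. Otherwise, extend the comment to say that the wider scope is deliberate and relies on GCM ciphersuites being the ones negotiated for newer versions. The commit message body gives no reason for the change, so the observed failure (peer, version, symptom) would be worth repeating there. As a minor style point, the hunk removes the blank line after `#endif /* OPENSSL_NO_PSK */`, which leaves the two preprocessor blocks visually run together.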