Bug 3238

Summary: Fix openssl-3.0 regression: fix dhgex for non-GCM ciphers
Product: Portable OpenSSH
Reporter: Marc Kleine-Budde <mkl>
Component: Miscellaneous
Assignee: Damien Miller <djm>
Status: CLOSED FIXED
Severity: normal
CC: djm, dtucker, rajesh.satya
Priority: P5
Version: -current
Hardware: All
OS: All
Bug Depends on:
Bug Blocks: 3217
Attachments:
  cipher: fix dhgex for non-GCM ciphers for OpenSSL 3.0 (flags: none)
  v2 (flags: none)
  adapt to OpenSSL 3.x API (flags: none)

Description Marc Kleine-Budde 2020-12-04 01:37:55 AEDT
Created attachment 3461
cipher: fix dhgex for non-GCM ciphers for OpenSSL 3.0

During OpenSSL 3.0 development since OpenSSL commits:

| 718b133a5328 Implement AES CBC ciphers in the default provider
| 819a7ae9fc77 Implement AES CTR ciphers in the default provider

the dhgex tests (make t-exec LTESTS="dhgex") are failing.

The issue is that openssh needs the "current" IV state (which the
now-deprecated EVP_CIPHER_CTX_iv() used to return), but it's calling the wrong
openssl function to obtain it. See openssl PR #12233 for additional discussion.

The latest changes in OpenSSL 3.0 in combination with this patch fix the
non-GCM ciphers. All but the chacha20-poly1305 test are not working again:

| dhgex bits 3072 diffie-hellman-group-exchange-sha1 3des-cbc
| dhgex bits 3072 diffie-hellman-group-exchange-sha256 3des-cbc
| dhgex bits 3072 diffie-hellman-group-exchange-sha1 aes128-cbc
| dhgex bits 3072 diffie-hellman-group-exchange-sha256 aes128-cbc
| dhgex bits 3072 diffie-hellman-group-exchange-sha1 aes128-ctr
| dhgex bits 3072 diffie-hellman-group-exchange-sha256 aes128-ctr
| dhgex bits 3072 diffie-hellman-group-exchange-sha1 aes128-gcm@openssh.com
| dhgex bits 3072 diffie-hellman-group-exchange-sha256 aes128-gcm@openssh.com
| dhgex bits 7680 diffie-hellman-group-exchange-sha1 aes192-cbc
| dhgex bits 7680 diffie-hellman-group-exchange-sha256 aes192-cbc
| dhgex bits 7680 diffie-hellman-group-exchange-sha1 aes192-ctr
| dhgex bits 7680 diffie-hellman-group-exchange-sha256 aes192-ctr
| dhgex bits 8192 diffie-hellman-group-exchange-sha1 aes256-cbc
| dhgex bits 8192 diffie-hellman-group-exchange-sha256 aes256-cbc
| dhgex bits 8192 diffie-hellman-group-exchange-sha1 aes256-ctr
| dhgex bits 8192 diffie-hellman-group-exchange-sha256 aes256-ctr
| dhgex bits 8192 diffie-hellman-group-exchange-sha1 aes256-gcm@openssh.com
| dhgex bits 8192 diffie-hellman-group-exchange-sha256 aes256-gcm@openssh.com
| dhgex bits 8192 diffie-hellman-group-exchange-sha1 rijndael-cbc@lysator.liu.se
| dhgex bits 8192 diffie-hellman-group-exchange-sha256 rijndael-cbc@lysator.liu.se
| dhgex bits 8192 diffie-hellman-group-exchange-sha1 chacha20-poly1305@openssh.com
| ssh failed ()
| dhgex bits 8192 diffie-hellman-group-exchange-sha256 chacha20-poly1305@openssh.com
| ssh failed ()

Link: https://www.spinics.net/lists/openssh-unix-dev/msg06860.html
Link: https://github.com/openssl/openssl/pull/12233
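Added example (not from the attached patch, OpenSSL or OpenSSH): a Python model of the distinction the report turns on, the IV a CTR context started with versus the counter it has advanced to. It assumes a hash-based stand-in for the block cipher and constructed key and IV values; resuming from a saved IV only works when the saved value is the updated one.

```python
import hashlib

BLOCK = 16
def keystream_block(key: bytes, counter_block: bytes) -> bytes:
    # Stand-in for E_k(counter): a hash PRF instead of AES (an assumption, so the
    # model runs without OpenSSL). What matters is that the counter block is the input.
    return hashlib.sha256(key + counter_block).digest()[:BLOCK]

class CtrContext:
    """The two IV values a CTR context carries: the one it started with and
    the counter it has advanced to. Model only, not OpenSSL's EVP_CIPHER_CTX."""

    def __init__(self, key: bytes, iv: bytes):
        assert len(iv) == BLOCK
        self.key, self.original = key, iv
        self.counter = int.from_bytes(iv, "big")
    def original_iv(self) -> bytes:           # never changes after init
        return self.original
    def updated_iv(self) -> bytes:            # advances by one per block processed
        return (self.counter % (1 << 128)).to_bytes(BLOCK, "big")
    def crypt(self, data: bytes) -> bytes:
        # Whole blocks only; real CTR also keeps the offset inside a partial block.
        assert len(data) % BLOCK == 0
        out = bytearray()
        for i in range(0, len(data), BLOCK):
            ks = keystream_block(self.key, self.updated_iv())
            out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], ks))
            self.counter += 1
        return bytes(out)

def resume(key: bytes, saved_iv: bytes, data: bytes) -> bytes:
    # Rebuild a context from a serialised IV, as a cipher-state handoff does.
    return CtrContext(key, saved_iv).crypt(data)

def demo() -> dict:
    key, iv = b"k" * 16, bytes(15) + b"\x01"   # constructed sample key and IV
    sender = CtrContext(key, iv)
    c1 = sender.crypt(b"A" * 32)               # two blocks sent before the handoff
    good, stale = sender.updated_iv(), sender.original_iv()
    c2 = sender.crypt(b"B" * 32)               # two blocks sent after it
    # Continuing from the stale IV replays c1's keystream on new data, so the two
    # ciphertexts XOR to the two plaintexts XORed: the classic CTR reuse leak.
    reused = resume(key, stale, b"C" * 32)
    return {
        "decrypt_with_updated_iv": resume(key, good, c2),
        "decrypt_with_original_iv": resume(key, stale, c2),
        "blocks_advanced": int.from_bytes(good, "big") - int.from_bytes(iv, "big"),
        "reuse_leak": bytes(a ^ b for a, b in zip(c1, reused)),
    }
```

The same mismatch shows up in a test as a decrypt failure on the resumed side, which is the symptom the dhgex runs above exhibit.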
Comment 1 Marc Kleine-Budde 2020-12-10 00:48:00 AEDT
Created attachment 3462
v2
Comment 2 Damien Miller 2021-01-08 13:11:29 AEDT
*** Bug 3249 has been marked as a duplicate of this bug. ***
Comment 3 Damien Miller 2021-01-08 13:13:36 AEDT
Current status is that we're waiting for OpenSSL to rename an incompatible API: https://github.com/openssl/openssl/issues/13411

Until then, please consider OpenSSL 3.* unsupported by OpenSSH
Comment 4 Damien Miller 2021-02-18 11:40:04 AEDT
Created attachment 3473
adapt to OpenSSL 3.x API

It looks like OpenSSL did finally fix this: https://github.com/openssl/openssl/commit/0d83b7b9036feea680ba45751df028ff5e86cd63

Here's a patch that tries to use the new names. Darren - do you have a ossl3x builder handy to test this against?
Comment 5 Damien Miller 2021-02-18 12:58:48 AEDT
This has been committed and will be in openssh-8.5, due real soon.
Comment 6 Damien Miller 2021-03-04 09:51:43 AEDT
close bugs that were resolved in OpenSSH 8.5 release cycle