Bug 3238 - Fix openssl-3.0 regression: fix dhgex for non-GCM ciphers
Summary: Fix openssl-3.0 regression: fix dhgex for non-GCM ciphers
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Miscellaneous
Version: -current
Hardware: All / OS: All
Importance: P5 normal
Assignee: Damien Miller
URL:
Keywords:
Duplicates: 3249
Depends on:
Blocks: V_8_5
Reported: 2020-12-04 01:37 AEDT by Marc Kleine-Budde
Modified: 2023-01-13 13:32 AEDT (History)

See Also:


Attachments
cipher: fix dhgex for non-GCM ciphers for OpenSSL 3.0 (4.98 KB, patch)
2020-12-04 01:37 AEDT, Marc Kleine-Budde
v2 (5.77 KB, patch)
2020-12-10 00:48 AEDT, Marc Kleine-Budde
adapt to OpenSSL 3.x API (1.05 KB, patch)
2021-02-18 11:40 AEDT, Damien Miller

Description Marc Kleine-Budde 2020-12-04 01:37:55 AEDT
Created attachment 3461
cipher: fix dhgex for non-GCM ciphers for OpenSSL 3.0

During OpenSSL 3.0 development, since OpenSSL commits:

| 718b133a5328 Implement AES CBC ciphers in the default provider
| 819a7ae9fc77 Implement AES CTR ciphers in the default provider

the dhgex tests (make t-exec LTESTS="dhgex") are failing.

The issue is that openssh needs the "current" IV state (which the
now-deprecated EVP_CIPHER_CTX_iv() used to return), but it's calling the wrong
openssl function to obtain it. See openssl PR #12233 for additional discussion.

The latest changes in OpenSSL 3.0, in combination with this patch, fix the
non-GCM ciphers. All but the chacha20-poly1305 tests are now working again:

| dhgex bits 3072 diffie-hellman-group-exchange-sha1 3des-cbc
| dhgex bits 3072 diffie-hellman-group-exchange-sha256 3des-cbc
| dhgex bits 3072 diffie-hellman-group-exchange-sha1 aes128-cbc
| dhgex bits 3072 diffie-hellman-group-exchange-sha256 aes128-cbc
| dhgex bits 3072 diffie-hellman-group-exchange-sha1 aes128-ctr
| dhgex bits 3072 diffie-hellman-group-exchange-sha256 aes128-ctr
| dhgex bits 3072 diffie-hellman-group-exchange-sha1 aes128-gcm@openssh.com
| dhgex bits 3072 diffie-hellman-group-exchange-sha256 aes128-gcm@openssh.com
| dhgex bits 7680 diffie-hellman-group-exchange-sha1 aes192-cbc
| dhgex bits 7680 diffie-hellman-group-exchange-sha256 aes192-cbc
| dhgex bits 7680 diffie-hellman-group-exchange-sha1 aes192-ctr
| dhgex bits 7680 diffie-hellman-group-exchange-sha256 aes192-ctr
| dhgex bits 8192 diffie-hellman-group-exchange-sha1 aes256-cbc
| dhgex bits 8192 diffie-hellman-group-exchange-sha256 aes256-cbc
| dhgex bits 8192 diffie-hellman-group-exchange-sha1 aes256-ctr
| dhgex bits 8192 diffie-hellman-group-exchange-sha256 aes256-ctr
| dhgex bits 8192 diffie-hellman-group-exchange-sha1 aes256-gcm@openssh.com
| dhgex bits 8192 diffie-hellman-group-exchange-sha256 aes256-gcm@openssh.com
| dhgex bits 8192 diffie-hellman-group-exchange-sha1 rijndael-cbc@lysator.liu.se
| dhgex bits 8192 diffie-hellman-group-exchange-sha256 rijndael-cbc@lysator.liu.se
| dhgex bits 8192 diffie-hellman-group-exchange-sha1 chacha20-poly1305@openssh.com
| ssh failed ()
| dhgex bits 8192 diffie-hellman-group-exchange-sha256 chacha20-poly1305@openssh.com
| ssh failed ()

Link: https://www.spinics.net/lists/openssh-unix-dev/msg06860.html
Link: https://github.com/openssl/openssl/pull/12233
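The report above turns on one distinction: an EVP cipher context holds both the IV it was initialised with and the live IV that CBC and CTR advance on every block, and OpenSSH's cipher_get_keyiv() needs the live one whenever it serialises packet state to another process. OpenSSL 3.0 eventually separated the two by name, EVP_CIPHER_CTX_get_original_iv() and EVP_CIPHER_CTX_get_updated_iv(). The following is an added example, not code from OpenSSH or OpenSSL: it models the two IV views with a toy CTR context, and goes a step beyond the report by showing the security consequence of exporting the wrong one. The block function, key, IV and packet payloads are constructed stand-ins (the block function is not a cipher; it only lets the code run without libcrypto).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK 16
#define MSG_LEN 32

/* Constructed stand-in for the AES block call CTR mode feeds (key, counter)
 * into. NOT a cipher: it only lets the example run without libcrypto, and
 * merely makes every output byte depend on every input byte. */
static void toy_block(const uint8_t key[BLOCK], const uint8_t in[BLOCK], uint8_t out[BLOCK])
{
	uint32_t s = 0x9e3779b9u;
	for (int i = 0; i < BLOCK; i++)   /* absorb key and counter block */
		s = (s ^ key[i] ^ ((uint32_t)in[i] << 8)) * 0x01000193u + 0x5bd1e995u;
	for (int i = 0; i < BLOCK; i++) { /* squeeze keystream bytes */
		s = s * 1103515245u + 12345u + key[i];
		out[i] = (uint8_t)(s >> 24) ^ in[(i + 5) % BLOCK];
	}
}

/* Mirrors the two IV fields an EVP_CIPHER_CTX keeps. */
typedef struct {
	uint8_t key[BLOCK];
	uint8_t oiv[BLOCK]; /* original IV: what the context was initialised with */
	uint8_t iv[BLOCK];  /* updated IV: the live counter block, advanced per block */
} ctr_ctx;

static void ctr_init(ctr_ctx *c, const uint8_t key[BLOCK], const uint8_t iv[BLOCK])
{
	memcpy(c->key, key, BLOCK);
	memcpy(c->oiv, iv, BLOCK);
	memcpy(c->iv, iv, BLOCK);
}

/* Big-endian counter increment, as AES-CTR does. */
static void ctr_increment(uint8_t iv[BLOCK])
{
	for (int i = BLOCK - 1; i >= 0; i--)
		if (++iv[i] != 0) break;
}

/* CTR encrypt and decrypt are one XOR; len is a BLOCK multiple, as SSH payloads are. */
static void ctr_crypt(ctr_ctx *c, const uint8_t *in, uint8_t *out, size_t len)
{
	uint8_t ks[BLOCK];
	for (size_t off = 0; off + BLOCK <= len; off += BLOCK) {
		toy_block(c->key, c->iv, ks);
		ctr_increment(c->iv);
		for (int i = 0; i < BLOCK; i++)
			out[off + i] = in[off + i] ^ ks[i];
	}
}

/* Constructed sample key, IV and two packet payloads (zero padded to 32 bytes). */
static const uint8_t KEY[BLOCK] = { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };
static const uint8_t IV[BLOCK]  = { 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a, 0x69, 0x78, 0x87, 0x96, 0xa5, 0xb4, 0xc3, 0xd2, 0xe1, 0x00 };
static const uint8_t MSG_A[MSG_LEN] = "packet 1: sent before handover";
static const uint8_t MSG_B[MSG_LEN] = "packet 2: sent after handover";

/* Simulate OpenSSH handing cipher state to another process: the sender
 * encrypts packet A, exports one IV view, and a fresh context built from
 * (KEY, exported IV) encrypts packet B. export_updated selects the view OpenSSL
 * 3.0 calls EVP_CIPHER_CTX_get_updated_iv() (correct) over the original IV (the regression). */
static void encrypt_across_handover(int export_updated, uint8_t ct_a[MSG_LEN], uint8_t ct_b[MSG_LEN])
{
	ctr_ctx sender, resumed;
	uint8_t exported[BLOCK];
	ctr_init(&sender, KEY, IV);
	ctr_crypt(&sender, MSG_A, ct_a, MSG_LEN);
	memcpy(exported, export_updated ? sender.iv : sender.oiv, BLOCK);
	ctr_init(&resumed, KEY, exported);
	ctr_crypt(&resumed, MSG_B, ct_b, MSG_LEN);
}

/* A peer that kept one continuous context decrypts A then B. Returns 1 if B
 * comes back intact, which is what the failing dhgex runs need. */
static int receiver_decrypts_b(int export_updated)
{
	ctr_ctx receiver;
	uint8_t ct_a[MSG_LEN], ct_b[MSG_LEN], pt[MSG_LEN];
	encrypt_across_handover(export_updated, ct_a, ct_b);
	ctr_init(&receiver, KEY, IV);
	ctr_crypt(&receiver, ct_a, pt, MSG_LEN);
	ctr_crypt(&receiver, ct_b, pt, MSG_LEN);
	return memcmp(pt, MSG_B, MSG_LEN) == 0;
}

/* Restarting from the original IV encrypts B under A's keystream, so ct_a XOR ct_b
 * equals A XOR B and plaintext structure leaks. Returns 1 if that holds for every byte. */
static int keystream_reused(int export_updated)
{
	uint8_t ct_a[MSG_LEN], ct_b[MSG_LEN];
	encrypt_across_handover(export_updated, ct_a, ct_b);
	for (int i = 0; i < MSG_LEN; i++)
		if ((ct_a[i] ^ ct_b[i]) != (MSG_A[i] ^ MSG_B[i]))
			return 0;
	return 1;
}
```

With the updated IV exported, the resumed context continues at counter + 2 and the peer decrypts packet B cleanly; with the original IV, decryption fails in exactly the way the dhgex runs did, and the two ciphertexts also XOR to the two plaintexts, which is why the wrong accessor is a confidentiality problem and not only a test failure.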
Comment 1 Marc Kleine-Budde 2020-12-10 00:48:00 AEDT
Created attachment 3462
v2
Comment 2 Damien Miller 2021-01-08 13:11:29 AEDT
*** Bug 3249 has been marked as a duplicate of this bug. ***
Comment 3 Damien Miller 2021-01-08 13:13:36 AEDT
Current status is that we're waiting for OpenSSL to rename an incompatible API: https://github.com/openssl/openssl/issues/13411

Until then, please consider OpenSSL 3.* unsupported by OpenSSH.
Comment 4 Damien Miller 2021-02-18 11:40:04 AEDT
Created attachment 3473
adapt to OpenSSL 3.x API

It looks like OpenSSL did finally fix this: https://github.com/openssl/openssl/commit/0d83b7b9036feea680ba45751df028ff5e86cd63

Here's a patch that tries to use the new names. Darren - do you have an ossl3x builder handy to test this against?
Comment 5 Damien Miller 2021-02-18 12:58:48 AEDT
This has been committed and will be in openssh-8.5, due real soon.
Comment 6 Damien Miller 2021-03-04 09:51:43 AEDT
Close bugs that were resolved in the OpenSSH 8.5 release cycle.