[Bug 3873] New: Don't include an unused EVP_CIPHER_CTX_get_iv() stub

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Oct 7 05:44:57 AEDT 2025


https://bugzilla.mindrot.org/show_bug.cgi?id=3873

            Bug ID: 3873
           Summary: Don't include an unused EVP_CIPHER_CTX_get_iv() stub
           Product: Portable OpenSSH
           Version: -current
          Hardware: All
                OS: FreeBSD
            Status: NEW
          Severity: trivial
          Priority: P5
         Component: Miscellaneous
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jlduran at gmail.com

Created attachment 3902
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3902&action=edit
FreeBSD patch

Obtained from FreeBSD, verbatim commit message:

This stub isn't actually used on modern versions of OpenSSL for which
OpenSSH uses EVP_CIPHER_CTX_get_updated_iv instead via a wrapper macro.

However, the wrapper macro conflicted with the existing namespace
macro triggering an error on GCC:

In file included from crypto/openssh/sshd-session.c:65:
crypto/openssh/openbsd-compat/openssl-compat.h:71:11: error: "EVP_CIPHER_CTX_get_iv" redefined [-Werror]
   71 | #  define EVP_CIPHER_CTX_get_iv EVP_CIPHER_CTX_get_updated_iv
      |           ^~~~~~~~~~~~~~~~~~~~~
In file included from <command-line>:
crypto/openssh/ssh_namespace.h:12:9: note: this is the location of the previous definition
   12 | #define EVP_CIPHER_CTX_get_iv                  Fssh_EVP_CIPHER_CTX_get_iv
      |         ^~~~~~~~~~~~~~~~~~~~~

The error was masked on clang due to MIT krb5 adding a blanket
-Wno-macro-redefined.  Building sshd-session without Kerberos support
was sufficient to trigger a warning from clang.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
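
The report notes that a blanket -Wno-macro-redefined hid this conflict on clang, so a check that does not depend on compiler warning flags is useful for this class of problem. The script below is an added example, not part of the bug report or of the FreeBSD/OpenSSH sources: the header excerpts are constructed around the two #define lines quoted in the GCC output, `example_fn` is a hypothetical name, and `#if` conditionals and comments are not evaluated.

```python
import re

DEFINE = re.compile(r"^\s*#\s*define\s+([A-Za-z_]\w*)(\([^)]*\))?\s*(.*)$")
UNDEF = re.compile(r"^\s*#\s*undef\s+([A-Za-z_]\w*)")

# Constructed excerpts; only the EVP_CIPHER_CTX_get_iv lines come from the report.
NAMESPACE_H = (
    "/* constructed excerpt */\n"
    "#define EVP_CIPHER_CTX_get_iv                  Fssh_EVP_CIPHER_CTX_get_iv\n"
    "#define example_fn Fssh_example_fn\n"          # hypothetical symbol
)
COMPAT_H = (
    "/* constructed excerpt */\n"
    "#  define EVP_CIPHER_CTX_get_iv EVP_CIPHER_CTX_get_updated_iv\n"
    "#define example_fn   Fssh_example_fn\n"        # identical body: benign
)

def logical_lines(text):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = "", None
    for no, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None

def find_redefinitions(headers):
    """headers: (name, text) pairs in inclusion order.
    Returns (macro, previous_location, new_location) for each macro redefined
    with a different parameter list or replacement list."""
    seen, conflicts = {}, []
    for name, text in headers:
        for no, line in logical_lines(text):
            if (m := UNDEF.match(line)):
                seen.pop(m.group(1), None)      # #undef makes a later define legal
            elif (m := DEFINE.match(line)):
                # Whitespace differences do not make a redefinition incompatible.
                body = (re.sub(r"\s+", "", m.group(2) or ""), " ".join(m.group(3).split()))
                loc = f"{name}:{no}"
                if m.group(1) in seen and seen[m.group(1)][0] != body:
                    conflicts.append((m.group(1), seen[m.group(1)][1], loc))
                seen[m.group(1)] = (body, loc)
    return conflicts

if __name__ == "__main__":
    # ssh_namespace.h comes first because it is included from the command line.
    for macro, prev, new in find_redefinitions(
            [("ssh_namespace.h", NAMESPACE_H), ("openssl-compat.h", COMPAT_H)]):
        print(f"{new}: {macro} redefined (previous definition at {prev})")
```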

