[PATCH] cipher: fix dhgex for non-GCM ciphers for OpenSSL 3.0
djm at mindrot.org
Thu Dec 10 10:29:06 AEDT 2020
On Tue, 8 Dec 2020, Marc Kleine-Budde wrote:
> On 12/7/20 5:10 PM, Marc Kleine-Budde wrote:
> > On 12/4/20 3:36 AM, Darren Tucker wrote:
> >> Thanks for the investigation.
> >>> The issue is that openssh needs the "current" IV state (which the
> >>> now-deprecated EVP_CIPHER_CTX_iv() used to return), but it's calling the
> >>> wrong openssl function to obtain it.
> >> It's not that simple.
> >> In 2018, LibreSSL added EVP_CIPHER_CTX_get_iv (
> >> https://github.com/libressl-portable/openbsd/commit/db321d7792) which
> >> returns the current IV, and OpenSSH has been using it ever since.
> >> In 2020, OpenSSL added a function of the same name (
> >> https://github.com/openssl/openssl/commit/79f4417ed94) which behaves
> >> differently. Maybe OpenSSL could change it before 3.0 instead of shipping
> >> an incompatible API? EVP_CIPHER_CTX_get_original_iv would be consistent
> >> with the function they deprecated. ie
> >> EVP_CIPHER_CTX_get_iv -> EVP_CIPHER_CTX_get_original_iv
> >> EVP_CIPHER_CTX_get_iv_state -> EVP_CIPHER_CTX_get_iv
> > I tried to wrap up the problem and created an openssl issue:
> > https://github.com/openssl/openssl/issues/13631
> Which turned out to be a duplicate of
> Are you interested in another take on a patch to fix OpenSSH with the current
It looks like OpenSSL are considering renaming the API. I think we can wait
for them to make up their minds before proceeding. If the go ahead with
the plan to rename EVP_CIPHER_CTX_get_iv_state to get_running_iv then the
fix will be a single #define in one of our compat headers AFAIK.
More information about the openssh-unix-dev