On 12/7/20 5:10 PM, Marc Kleine-Budde wrote: > On 12/4/20 3:36 AM, Darren Tucker wrote: >> Thanks for the investigation. >> >>> The issue is that openssh needs the "current" IV state (which the >>> now-deprecated EVP_CIPHER_CTX_iv() used to return), but it's calling the >>> wrong openssl function to obtain it. >> >> It's not that simple. >> >> In 2018, LibreSSL added EVP_CIPHER_CTX_get_iv ( >> https://github.com/libressl-portable/openbsd/commit/db321d7792) which >> returns the current IV, and OpenSSH has been using it ever since. >> >> In 2020, OpenSSL added a function of the same name ( >> https://github.com/openssl/openssl/commit/79f4417ed94) which behaves >> differently. Maybe OpenSSL could change it before 3.0 instead of shipping >> an incompatible API? EVP_CIPHER_CTX_get_original_iv would be consistent >> with the function they deprecated. ie >> >> EVP_CIPHER_CTX_get_iv -> EVP_CIPHER_CTX_get_original_iv >> EVP_CIPHER_CTX_get_iv_state -> EVP_CIPHER_CTX_get_iv > > I tried to wrap up the problem and created an openssl issue: > > https://github.com/openssl/openssl/issues/13631 Which turned out to be a duplicate of https://github.com/openssl/openssl/issues/13411 Are you interested in another take on a patch to fix OpenSSH with the current OpenSSL-3.0? Marc -- Pengutronix e.K. | Marc Kleine-Budde | Embedded Linux | https://www.pengutronix.de | Vertretung West/Dortmund | Phone: +49-231-2826-924 | Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
