Openssl 3
Anyone trying openssl 3 against openssh?
--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b
Put more trust in nobility of character than in an oath. -Solon
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Openssl 3
On Fri, 24 Jul 2020 at 22:46, The Doctor <doctor@doctor.nl2k.ab.ca> wrote:
> Anyone trying openssl 3 against openssh?

I used to test OpenSSH head against OpenSSL head but it was broken
enough that I didn't have time to keep up and I ended up giving up.
Here's what I found as of a few months ago in case it provides any
clues, I have not attempted since then:

Several months ago a commit to OpenSSL head broke OpenSSH Portable's
AES-GCM ciphers. I didn't have time to look at this for a while, and
by the time I did there were at least 2 other unrelated breakages that
muddied the waters sufficiently that I never got to the bottom of it.

I tried retesting at the hackathon and didn't get the results I
expected: now the GCM ones worked and the NON-GCM ones didn't

After some clues from tb and a lot of time bisecting I have identified
commits #1 and #3 below as the likely culprits. I don't know if they
or we are doing the wrong thing. Can anyone tell me?

Thanks.

Setup to reproduce these tests at the bottom.

Commit #1: This broke OpenSSH AES GCM ciphers:
a672a02a6443a29aa368c0d8abeebc809c1a9f28 is the first bad commit
commit a672a02a6443a29aa368c0d8abeebc809c1a9f28
Author: Shane Lontis <shane.lontis@oracle.com>
Date: Wed Jul 31 21:55:16 2019 +1000

Add gcm ciphers (aes and aria) to providers.

The code has been modularized so that it can be shared by algorithms.

A fixed size IV is now used instead of being allocated.
The IV is not set into the low level struct now until the update (it uses an
iv_state for this purpose).

Hardware specific methods have been added to a PROV_GCM_HW object.

The S390 code has been changed to just contain methods that can be
accessed in a modular way. There are equivalent generic methods also
for the other platforms.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
(Merged from https://github.com/openssl/openssl/pull/9231)

result:
$ sh ../run.sh
run test dhgex.sh ...
dhgex bits 3072 diffie-hellman-group-exchange-sha1 3des-cbc
dhgex bits 3072 diffie-hellman-group-exchange-sha256 3des-cbc
dhgex bits 3072 diffie-hellman-group-exchange-sha1 aes128-gcm@openssh.com
ssh failed ()
dhgex bits 3072 diffie-hellman-group-exchange-sha256 aes128-gcm@openssh.com
ssh failed ()
dhgex bits 8192 diffie-hellman-group-exchange-sha1 aes256-gcm@openssh.com
ssh failed ()
dhgex bits 8192 diffie-hellman-group-exchange-sha256 aes256-gcm@openssh.com
ssh failed ()
dhgex bits 8192 diffie-hellman-group-exchange-sha1 rijndael-cbc@lysator.liu.se
dhgex bits 8192 diffie-hellman-group-exchange-sha256 rijndael-cbc@lysator.liu.se
dhgex bits 8192 diffie-hellman-group-exchange-sha1 chacha20-poly1305@openssh.com
dhgex bits 8192 diffie-hellman-group-exchange-sha256
chacha20-poly1305@openssh.com
failed dhgex

Commit #2: The Red Herring. This broke building without engine.
commit 2f17cc493cfaa5c77a77d4f174dd2403188c41da
Author: Pauli <paul.dale@oracle.com>
Date: Thu Sep 5 13:53:20 2019 +1000

Unify the digest getting code inside providers.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9770)

Commit #3: This commit broke the non-GCM ciphers.

commit 089cb623be76b88a1eea6fcd135101037661bbc3
Author: Shane Lontis <shane.lontis@oracle.com>
Date: Tue Oct 8 09:19:10 2019 +1000

Move cipher ctx 'original iv' parameter into the provider

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10026)

run test dhgex.sh ...
dhgex bits 3072 diffie-hellman-group-exchange-sha1 3des-cbc
ssh failed ()
dhgex bits 3072 diffie-hellman-group-exchange-sha256 3des-cbc
ssh failed ()
dhgex bits 3072 diffie-hellman-group-exchange-sha1 aes128-gcm@openssh.com
ssh failed ()
dhgex bits 3072 diffie-hellman-group-exchange-sha256 aes128-gcm@openssh.com
ssh failed ()
dhgex bits 8192 diffie-hellman-group-exchange-sha1 aes256-gcm@openssh.com
ssh failed ()
dhgex bits 8192 diffie-hellman-group-exchange-sha256 aes256-gcm@openssh.com
ssh failed ()
dhgex bits 8192 diffie-hellman-group-exchange-sha1 rijndael-cbc@lysator.liu.se
ssh failed ()
dhgex bits 8192 diffie-hellman-group-exchange-sha256 rijndael-cbc@lysator.liu.se
ssh failed ()
dhgex bits 8192 diffie-hellman-group-exchange-sha1 chacha20-poly1305@openssh.com
dhgex bits 8192 diffie-hellman-group-exchange-sha256
chacha20-poly1305@openssh.com
failed dhgex

Environment setup on OpenBSD:
git clone https://github.com/openssh/openssh-portable.git openssh
git clone https://github.com/openssl/openssl.git openssl
(cd openssh && AUTOCONF_VERSION=2.69 autoreconf)
cat >run.sh <<EOD
#!/bin/sh
set -e

rm -rf ~/tmp/openssl-install
LDLIBS=-lc ./config no-threads no-fips no-engine --prefix=~/tmp/openssl-install
make clean
make
make install_sw

(cd ../openssh &&
./configure --with-ssl-dir=~/tmp/openssl-install --with-rpath=-Wl,-rpath, &&
make clean &&
make -j4 &&
make t-exec LTESTS="dhgex")
EOD

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
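
Added example, not part of the original message or of the OpenSSH regress suite: a POSIX sh/awk helper that tallies `dhgex` regress output per cipher, so the failing cipher families at two bisect points can be compared directly. The function names are hypothetical; the sample log is constructed from the Commit #1 result above, keeping one case header wrapped across two lines as it arrived in the mail.

```shell
#!/bin/sh
# Constructed sample: the Commit #1 result, with one case header wrapped
# across two lines the way the mail client wrapped it.
sample_log() {
cat <<'EOF'
run test dhgex.sh ...
dhgex bits 3072 diffie-hellman-group-exchange-sha1 3des-cbc
dhgex bits 3072 diffie-hellman-group-exchange-sha256 3des-cbc
dhgex bits 3072 diffie-hellman-group-exchange-sha1 aes128-gcm@openssh.com
ssh failed ()
dhgex bits 3072 diffie-hellman-group-exchange-sha256 aes128-gcm@openssh.com
ssh failed ()
dhgex bits 8192 diffie-hellman-group-exchange-sha1 aes256-gcm@openssh.com
ssh failed ()
dhgex bits 8192 diffie-hellman-group-exchange-sha256 aes256-gcm@openssh.com
ssh failed ()
dhgex bits 8192 diffie-hellman-group-exchange-sha1 rijndael-cbc@lysator.liu.se
dhgex bits 8192 diffie-hellman-group-exchange-sha256 rijndael-cbc@lysator.liu.se
dhgex bits 8192 diffie-hellman-group-exchange-sha1 chacha20-poly1305@openssh.com
dhgex bits 8192 diffie-hellman-group-exchange-sha256
chacha20-poly1305@openssh.com
failed dhgex
EOF
}

# Reads a regress log on stdin, prints "<cipher> <cases> <failed>" per cipher.
dhgex_summary() {
    awk '
    function finish() {   # close the current case and count it
        if (incase && cipher != "") { total[cipher]++; if (failed) bad[cipher]++ }
        incase = 0; failed = 0
    }
    $1 == "dhgex" && $2 == "bits" {          # case header
        finish(); incase = 1
        if (NF >= 5) { cipher = $5; pending = 0 }
        else         { cipher = ""; pending = 1 }  # cipher is on the next line
        next
    }
    pending && NF == 1 { cipher = $1; pending = 0; next }
    /^ssh failed/      { if (incase) failed = 1 }
    END { finish(); for (c in total) printf "%s %d %d\n", c, total[c], bad[c] + 0 }
    ' | LC_ALL=C sort
}

# Ciphers with at least one failed case.
dhgex_failed_ciphers() { dhgex_summary | awk '$3 > 0 { print $1 }'; }

sample_log | dhgex_summary
```

Piping the real output of `sh ../run.sh` into `dhgex_failed_ciphers` at each bisect step gives one line per broken cipher.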
Re: Openssl 3
On Fri, Jul 24, 2020 at 11:01:41PM +1000, Darren Tucker wrote:
> On Fri, 24 Jul 2020 at 22:46, The Doctor <doctor@doctor.nl2k.ab.ca> wrote:
> > Anyone trying openssl 3 against openssh?
>
> I used to test OpenSSH head against OpenSSL head but it was broken
> enough that I didn't have time to keep up and I ended up giving up.
> Here's what I found as of a few months ago in case it provides any
> clues, I have not attempted since then:
>
> Several months ago a commit to OpenSSL head broke OpenSSH Portable's
> AES-GCM ciphers. I didn't have time to look at this for a while, and
> by the time I did there were at least 2 other unrelated breakages that
> muddied the waters sufficiently that I never got to the bottom of it.
>
> I tried retesting at the hackathon and didn't get the results I
> expected: now the GCM ones worked and the NON-GCM ones didn't
>
> After some clues from tb and a lot of time bisecting I have identified
> commits #1 and #3 below as the likely culprits. I don't know if they
> or we are doing the wrong thing. Can anyone tell me?
>
> Thanks.
>
> Setup to reproduce these tests at the bottom.
>
> Commit #1: This broke OpenSSH AES GCM ciphers:
> a672a02a6443a29aa368c0d8abeebc809c1a9f28 is the first bad commit
> commit a672a02a6443a29aa368c0d8abeebc809c1a9f28
> Author: Shane Lontis <shane.lontis@oracle.com>
> Date: Wed Jul 31 21:55:16 2019 +1000
>
> Add gcm ciphers (aes and aria) to providers.
>
> The code has been modularized so that it can be shared by algorithms.
>
> A fixed size IV is now used instead of being allocated.
> The IV is not set into the low level struct now until the update (it uses an
> iv_state for this purpose).
>
> Hardware specific methods have been added to a PROV_GCM_HW object.
>
> The S390 code has been changed to just contain methods that can be
> accessed in a modular way. There are equivalent generic methods also
> for the other platforms.
>
> Reviewed-by: Matt Caswell <matt@openssl.org>
> Reviewed-by: Patrick Steuer <patrick.steuer@de.ibm.com>
> (Merged from https://github.com/openssl/openssl/pull/9231)
>
> result:
> $ sh ../run.sh
> run test dhgex.sh ...
> dhgex bits 3072 diffie-hellman-group-exchange-sha1 3des-cbc
> dhgex bits 3072 diffie-hellman-group-exchange-sha256 3des-cbc
> dhgex bits 3072 diffie-hellman-group-exchange-sha1 aes128-gcm@openssh.com
> ssh failed ()
> dhgex bits 3072 diffie-hellman-group-exchange-sha256 aes128-gcm@openssh.com
> ssh failed ()
> dhgex bits 8192 diffie-hellman-group-exchange-sha1 aes256-gcm@openssh.com
> ssh failed ()
> dhgex bits 8192 diffie-hellman-group-exchange-sha256 aes256-gcm@openssh.com
> ssh failed ()
> dhgex bits 8192 diffie-hellman-group-exchange-sha1 rijndael-cbc@lysator.liu.se
> dhgex bits 8192 diffie-hellman-group-exchange-sha256 rijndael-cbc@lysator.liu.se
> dhgex bits 8192 diffie-hellman-group-exchange-sha1 chacha20-poly1305@openssh.com
> dhgex bits 8192 diffie-hellman-group-exchange-sha256
> chacha20-poly1305@openssh.com
> failed dhgex
>
> Commit #2: The Red Herring. This broke building without engine.
> commit 2f17cc493cfaa5c77a77d4f174dd2403188c41da
> Author: Pauli <paul.dale@oracle.com>
> Date: Thu Sep 5 13:53:20 2019 +1000
>
> Unify the digest getting code inside providers.
>
> Reviewed-by: Richard Levitte <levitte@openssl.org>
> (Merged from https://github.com/openssl/openssl/pull/9770)
>
> Commit #3: This commit broke the non-GCM ciphers.
>
> commit 089cb623be76b88a1eea6fcd135101037661bbc3
> Author: Shane Lontis <shane.lontis@oracle.com>
> Date: Tue Oct 8 09:19:10 2019 +1000
>
> Move cipher ctx 'original iv' parameter into the provider
>
> Reviewed-by: Richard Levitte <levitte@openssl.org>
> (Merged from https://github.com/openssl/openssl/pull/10026)
>
> run test dhgex.sh ...
> dhgex bits 3072 diffie-hellman-group-exchange-sha1 3des-cbc
> ssh failed ()
> dhgex bits 3072 diffie-hellman-group-exchange-sha256 3des-cbc
> ssh failed ()
> dhgex bits 3072 diffie-hellman-group-exchange-sha1 aes128-gcm@openssh.com
> ssh failed ()
> dhgex bits 3072 diffie-hellman-group-exchange-sha256 aes128-gcm@openssh.com
> ssh failed ()
> dhgex bits 8192 diffie-hellman-group-exchange-sha1 aes256-gcm@openssh.com
> ssh failed ()
> dhgex bits 8192 diffie-hellman-group-exchange-sha256 aes256-gcm@openssh.com
> ssh failed ()
> dhgex bits 8192 diffie-hellman-group-exchange-sha1 rijndael-cbc@lysator.liu.se
> ssh failed ()
> dhgex bits 8192 diffie-hellman-group-exchange-sha256 rijndael-cbc@lysator.liu.se
> ssh failed ()
> dhgex bits 8192 diffie-hellman-group-exchange-sha1 chacha20-poly1305@openssh.com
> dhgex bits 8192 diffie-hellman-group-exchange-sha256
> chacha20-poly1305@openssh.com
> failed dhgex
>
> Environment setup on OpenBSD:
> git clone https://github.com/openssh/openssh-portable.git openssh
> git clone https://github.com/openssl/openssl.git openssl
> (cd openssh && AUTOCONF_VERSION=2.69 autoreconf)
> cat >run.sh <<EOD
> #!/bin/sh
> set -e
>
> rm -rf ~/tmp/openssl-install
> LDLIBS=-lc ./config no-threads no-fips no-engine --prefix=~/tmp/openssl-install
> make clean
> make
> make install_sw
>
> (cd ../openssh &&
> ./configure --with-ssl-dir=~/tmp/openssl-install --with-rpath=-Wl,-rpath, &&
> make clean &&
> make -j4 &&
> make t-exec LTESTS="dhgex")
> EOD
>
> --
> Darren Tucker (dtucker at dtucker.net)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.


Well, even simple tests are broken. Hopefully this can be copied to
openssl-dev@openssl.org.

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b
Put more trust in nobility of character than in an oath. -Solon
Re: Openssl 3
For what it's worth, the latest changes in OpenSSL 3.0 (specifically, PR
#12233) in combination with this patch fixed the non-GCM ciphers for me:

Index: openssh-8.0p1/cipher.c
===================================================================
--- openssh-8.0p1/cipher.c (revision 136940)
+++ openssh-8.0p1/cipher.c (working copy)
@@ -594,7 +594,7 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char
if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
len, iv))
return SSH_ERR_LIBCRYPTO_ERROR;
- } else if (!EVP_CIPHER_CTX_get_iv(cc->evp, iv, len))
+ } else if (!EVP_CIPHER_CTX_get_iv_state(cc->evp, iv, len))
return SSH_ERR_LIBCRYPTO_ERROR;
#endif
return 0;
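
Review bot: the replaced call in the final `else if` of cipher_get_keyiv() is unconditional, so after this change cipher.c only builds against a libcrypto that provides `EVP_CIPHER_CTX_get_iv_state`; nothing in the hunk guards it. Suggest keeping `EVP_CIPHER_CTX_get_iv` as the default and selecting the new call through a configure-time check or a compat wrapper (for example a HAVE_EVP_CIPHER_CTX_GET_IV_STATE macro, name hypothetical), so builds against libraries without that function keep working. The GCM branch just above still goes through `EVP_CTRL_GCM_IV_GEN` and is untouched here; a short comment stating whether it needs a matching change would help, since the cover text only reports the non-GCM ciphers as fixed.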


Regards,
Tom.III


>On Fri, 24 Jul 2020 at 22:46, The Doctor <doctor at doctor.nl2k.ab.ca> wrote:
>> Anyone trying openssl 3 against openssh?
>
>I used to test OpenSSH head against OpenSSL head but it was broken
>enough that I didn't have time to keep up and I ended up giving up.
>Here's what I found as of a few months ago in case it provides any
>clues, I have not attempted since then:
>
>Several months ago a commit to OpenSSL head broke OpenSSH Portable's
>AES-GCM ciphers. I didn't have time to look at this for a while, and
>by the time I did there were at least 2 other unrelated breakages that
>muddied the waters sufficiently that I never got to the bottom of it.
>
>I tried retesting at the hackathon and didn't get the results I
>expected: now the GCM ones worked and the NON-GCM ones didn't
>
>After some clues from tb and a lot of time bisecting I have identified
>commits #1 and #3 below as the likely culprits. I don't know if they
>or we are doing the wrong thing. Can anyone tell me?
>
>Thanks.