Test failure for tests 'blowfish', 'file_blowfish' and 'foreign' #26
This issue may be related to https://www.openssl.org/news/vulnerabilities.html#CVE-2023-5363
sebastianas added a commit to sebastianas/yapet that referenced this issue Apr 8, 2024

yapet did for blowfish:

| EVP_CipherInit_ex(ctx, cipher, NULL, KEY, iv, mode);
| EVP_CIPHER_CTX_set_key_length(ctx, KEY_LENGTH);
| EVP_CipherUpdate(ctx, …);

this worked in earlier OpenSSL versions and stopped working in openssl-3.0.13. The problem here is that the EVP_CIPHER_CTX_set_key_length() is ignored and the later OpenSSL version returns rightfully an error "Provider routines::no key set" here.

Blowfish does support variable key lengths but the key length has to be set first followed by the actual key. Otherwise the blocksize (16) will be used. The correct way to deal with this would be:

| EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, mode);
| EVP_CIPHER_CTX_set_key_length(ctx, KEY_LENGTH);
| EVP_CipherInit_ex(ctx, NULL, NULL, KEY, IV, mode);
| EVP_CipherUpdate(ctx, …);

Using now the proper way will break earlier databases because in the blowfish case, always the default blocksize / 16 has been used. In order to keep compatibility with earlier versions of the database and openssl remove the EVP_CIPHER_CTX_set_key_length() invocation.

Fixes RafaelOstertag#26
Fixes RafaelOstertag#24

Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Hi
In Debian after an archive rebuild, yapet 2.6 fails the testsuite for 3 tests, causing a failure in building the package.
The report is at https://bugs.debian.org/1064724 and full quoting for reference: