Make yapet work again openssl 3.0.13 and later #29
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
yapet did for blowfish: | EVP_CipherInit_ex(ctx, cipher, NULL, KEY, iv, mode); | EVP_CIPHER_CTX_set_key_length(ctx, KEY_LENGTH); | EVP_CipherUpdate(ctx, …); this worked in earlier OpenSSL versions and stopped working in openssl-3.0.13. The problem here is that the EVP_CIPHER_CTX_set_key_length() is ignored and the later OpenSSL version returns rightfully an error "Provider routines::no key set" here. Blowfish does support variable key lenghts but the key length has to be set first followed by the actual key. Otherwise the blocksize (16) will be used. The correct way to deal with this would be: | EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, mode); | EVP_CIPHER_CTX_set_key_length(ctx, KEY_LENGTH); | EVP_CipherInit_ex(ctx, NULL, NULL, KEY, IV, mode); | EVP_CipherUpdate(ctx, …); Using now the proper way will break earlier databases because in the blowfish case, always the default blocksize / 16 has been used. In order to keep compatibility with earlier versions of the database and openssl remove the EVP_CIPHER_CTX_set_key_length() invocation. Fixes RafaelOstertag#26 Fixes RafaelOstertag#24 Signed-off-by: Sebastian Andrzej Siewior <[email protected]>
The EVP_CIPHER_CTX_set_key_length() in the AES-256-CBC case is pointless because the key here is fixed EVP_CIPHER_CTX_set_key_length() and the function does not change the size. Remove the EVP_CIPHER_CTX_set_key_length() invocation. Signed-off-by: Sebastian Andrzej Siewior <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
OpenSSL 3.0.13 added stricted error checking which revealed an error in the blowfish implementation with yapet.
The blowfish bits are needed to get everything to work. The aes bits are cosmetic (their order it wrong and a nop).
I suggest to add a big banner to motivate people to migrate away from the blowfish database towards the aes one.
Sebastian