openssl icon indicating copy to clipboard operation
openssl copied to clipboard
verified publisher icon ruby

[OpenSSL 3] OpenSSL::Cipher.new fails with supported cipher

Open lucaskanashiro opened this issue 3 years ago • 3 comments

net-ssh has some test failures because it tries to call OpenSSL::Cipher.new with the following ciphers: bf-cbc, bf-ecb, cast-cbc, and cast5-ecb. The error is: OpenSSL::Cipher::CipherError: unsupported.

I checked if those ciphers are still supported in the OpenSSL 3 library version available in Ubuntu and they are:

$ openssl version
OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)
$ irb
irb(main):001:0> require 'openssl'
=> true
irb(main):002:0> OpenSSL::Cipher.ciphers.include?('cast5-ecb')
=> true
irb(main):003:0> OpenSSL::Cipher.new('cast5-ecb')
(irb):3:in `initialize': unsupported (OpenSSL::Cipher::CipherError)
	from (irb):13:in `new'
	from (irb):13:in `<main>'
	from /usr/lib/ruby/gems/3.0.0/gems/irb-1.3.5/exe/irb:11:in `<top (required)>'
	from /usr/bin/irb:23:in `load'
	from /usr/bin/irb:23:in `<main>'

With OpenSSL 1.1.1f it works just fine:

$ openssl version
OpenSSL 1.1.1f  31 Mar 202
$ irb
irb(main):001:0> require 'openssl'
=> true
irb(main):002:0> OpenSSL::Cipher.ciphers.include?('cast5-ecb')
=> true
irb(main):003:0> OpenSSL::Cipher.new('cast5-ecb')
=> #<OpenSSL::Cipher:0x0000558d761cdcf8>

AFAIU those calls to OpenSSL::Cipher.new should work since the cipher is available in OpenSSL::Cipher::ciphers. Please, correct me if I am wrong.

lucaskanashiro avatar Mar 12 '22 04:03 lucaskanashiro 

$ openssl version
OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)

the following ciphers: bf-cbc, bf-ecb, cast-cbc, and cast5-ecb

In OpenSSL 3.0, these algorithms belong to the OpenSSL legacy provider. The legacy provider is not enabled by default in a fresh installation of OpenSSL 3.0 and has to be enabled using openssl.cnf.

https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-legacy.html

# ...
[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

It could also be programmatically by using "propquery" string of EVP_PKEY_CTX_new_from_name(), but this is currently not available through ruby/openssl.

rhenium avatar Apr 16 '22 13:04 rhenium

AFAIU those calls to OpenSSL::Cipher.new should work since the cipher is available in OpenSSL::Cipher::ciphers. Please, correct me if I am wrong.

It lists known OIDs/algorithm names for which an implementation can be registered, rather than actually available algorithms. I'm not sure if there is any way to know the latter using OpenSSL API.

The rdoc should probably be clarified.

rhenium avatar Apr 16 '22 13:04 rhenium

The still in-use NTLM authentication, mainly supported by the rubyntlm, probably needs a way to reach this functionality to be able to access the RC4 and DES-CBC ciphers, as well as the MD4 digest. Can this be added somehow?

I saw that the gss-ntlmsspi also added code to load the legacy provider for the same reason, see: https://github.com/gssapi/gss-ntlmssp/pull/72/files

paulvt avatar Apr 28 '22 11:04 paulvt

Experiencing the same issue in netsnmp, following.

HoneyryderChuck avatar Feb 21 '23 09:02 HoneyryderChuck