[ssh_x509] use EVP_chacha20 from cryptographic library / Re: PKIX-SSH release 12.5

ssh_x509 at roumenpetrov.info ssh_x509 at roumenpetrov.info
Wed Jun 3 09:42:10 EEST 2020


ssh_x509 at roumenpetrov.info wrote:
> Dear list members,
> New regular 12.5 release ( https://roumenpetrov.info/secsh/#news20200531 ) is uploaded.
> [SNIP]
> (x) Features:
> [SNIP]
> * use EVP_chacha20 from cryptographic library (ignored for broken LibreSSL)

When the functionality "EVP_chacha20 from cryptographic library" was pushed to the repository, a working chacha20 had not yet been published in a stable LibreSSL.

Now the LibreSSL 3.1* branch is considered stable, and EVP_chacha20 from the cryptographic library could be used with this release.
Remark: the program code uses the built-in ChaCha20-Poly1305 cipher for LibreSSL before 3.1.

EVP_chacha20 is part of OpenSSL 1.1.0. Unfortunately it is not usable with earlier releases. Definitely it fails for releases up to OpenSSL 1.1.0f and works fine with the latest 1.1.0 stable branch. The status in between is not known yet. As a result it should be considered "broken" in all 1.1.0* releases.
Note that you could build with a working release, but a client may run the program on a "broken" version.

Remark: Support for OpenSSL 1.1.0 ended on 11th September 2019, so 1.1.0l is the last 1.1.0 release from the project.

The workaround is to set the environment variable ac_cv_func_EVP_chacha20 to on at configuration time if the build is with OpenSSL 1.1.0*. For example:
ac_cv_func_EVP_chacha20=no .../configure ...

As a result, the working built-in implementation will be activated.

The issue with OpenSSL 1.1.0* EVP_chacha20 is still under investigation.

Roumen Petrov
