Bug #14640
closedbhyve VNC authentication fails with openssl3
100%
Description
See https://github.com/omniosorg/illumos-omnios/pull/1157 and https://github.com/omniosorg/illumos-omnios/commit/95a238f2b60dbc52e30864816f8f07d008ff5c55
Basically, VNC authentication uses a 56-bit DES key, presented as 8 bytes: 64 bits, each byte has a parity bit. The default DES_set_key() function checks the parity bits in each DES key byte, and returns failure starting with OpenSSL 3. All OpenSSL versions have a force-parity version DES_set_key_unchecked() (similar to ipseckey(8)'s DES and 3DES key readers, which ignore the input parity bit and recomputes it), and should be used.
Updated by Robert Mustacchi 3 months ago
- Project changed from site to illumos gate
Updated by Andy Fiddaman 3 months ago
- Subject changed from bhyve VNC authentication fails with openssl3 to bhyve VNC authentication fails with openssl3
Updated by Andy Fiddaman 2 months ago
I've tested that VNC authentication is working with bhyve linked against openssl 1.0, 1.1 and 3.0 using the MacOS screen sharing client and UltraVNC on Windows.
Prior to this fix it was working if the bhyve binary was linked against 1.0 and 1.1, but not 3.0 since the latter defaults to checking the parity bits of the DES key derived from the authentication password, and these are not set/computed by the VNC server code.
Updated by Electric Monk 2 months ago
- Status changed from New to Closed
- % Done changed from 0 to 100
git commit 1aa1f41fe10c6220a7fbef328fac1b72a8355a01
commit 1aa1f41fe10c6220a7fbef328fac1b72a8355a01 Author: Andy Fiddaman <omnios@citrus-it.co.uk> Date: 2022-04-23T11:02:39.000Z 14495 bhyve VNC server should support alternate pixel formats 14494 bhyve VNC server could support multiple connections 14505 libumem's umem_update thread could be named 14506 libidspace does not expose id_allocff() 14640 bhyve VNC authentication fails with openssl3 Reviewed by: Jason King <jason.brian.king+illumos@gmail.com> Reviewed by: Michael Zeller <mike@mikezeller.net> Approved by: Robert Mustacchi <rm@fingolfin.org>