chacha20 seems to be broken in OpenSSL 3.0.0alpha6

[berolinux]

When using OpenSSL 3.0.0alpha6, OpenSSH versions > 8.2p1 fail to connect anywhere, usually resulting in a "protocol error" while establishing the connection.

Bisecting OpenSSH shows this commit is what triggers the breakage:
openssh/openssh-portable@abe2b24

Defining HAVE_BROKEN_CHACHA20 in openbsd-compat/openssl-compat.h (like the openssh commit does for some versions of LibreSSL) "fixes" the problem.

Looks like EVP_chacha20 doesn't work as expected by OpenSSH.

[kaduk]

Are you in a position to attempt to bisect on openssl versions?
It would be particularly interesting to know if 1.1.1 releases (e.g., 1.1.1h) are functional for this usage.

[kroeckx]

You might want to read the commits: libressl/openbsd@1a06802, libressl/openbsd@0f67aa3, libressl/openbsd@61c1088 and the release notes for libressl 3.1.0: https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.0-relnotes.txt

They introduced EVP_chacha20 before RFC7539 was published, while we waited for the RFC. The RFC says it's a 32 bit counter followed by a 96 bit nonce, which is what we do. They did something else.

So libressl in 3.1.0 switched to have the same EVP_chacha20 behaviour as OpenSSL. And the commit you point to seems to suggest that that requires to have HAVE_BROKEN_CHACHA20 defined.

[berolinux]

@kroeckx This issue has nothing to do with the LibreSSL commits you're mentioning. LibreSSL is not involved here. The problem occurs with OpenSSL 3.0.0a6.
The only connection to those LibreSSL commits is that - because of its initial broken implementation - OpenSSH already has a builtin workaround for SSL implementations with broken chacha20, and activating that makes it work with OpenSSL 3.0.0a6 too.

[kroeckx]

In a later commit, they fixed it to say LIBRESSL_VERSION_NUMBER < 0x3010000fL

I can confirm that openssh 8.3p1 works with openssl 1.1.1g but not with master. Running a bisect.

[kroeckx]

3d5a757 is the first bad commit commit 3d5a757 Author: Shane Lontis <shane.lontis@oracle.com> Date: Wed Oct 16 16:18:42 2019 +1000 Add ChaCha related ciphers to default provider Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from #10081)

[beldmit]

@kroeckx, would you mind to submit a test?