upstream: Fix EVP_CIPHER_CTX_ctrl() return checks

While this API tries to translate negative return values (i.e. -1) to 0
in BoringSSL and LibreSSL, it is still possible for it to return negative
values in prinicple. We even incorrectly document that -1 can be returned
while Boring and OpenSSL plead the Fifth.

In OpenSSL 3 there are now code paths that explicitly return -1 and they
started shifting their return checks to <= 0 - of course they do this in
inconsistent and sometimes incorrect manner. While these paths aren't
reachable from ssh right now, who can really tell what happens in the two
hundred lines of inscrutable bloated mess this has become.

So error check with <= 0 to ensure that we don't accidentally translate an
error to success.

ok markus schwarze

OpenBSD-Commit-ID: a855c833cf4ecfce43bedc761f26ad924f70483c

diff --git a/cipher.c b/cipher.c
index 7d6e7d8c65ea3e3c391b42ef7f66843ad5e18bba..8a18da2df8d1f8d4dcff5c69a751da2ffcb14cbb 100644 (file)
--- a/cipher.c
+++ b/cipher.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.c,v 1.123 2024/08/23 04:51:00 deraadt Exp $ */
+/* $OpenBSD: cipher.c,v 1.124 2025/03/14 09:49:49 tb Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -298,8 +298,8 @@ cipher_init(struct sshcipher_ctx **ccp, const struct sshcipher *cipher,
                goto out;
        }
        if (cipher_authlen(cipher) &&
-           !EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
-           -1, (u_char *)iv)) {
+           EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
+           -1, (u_char *)iv) <= 0) {
                ret = SSH_ERR_LIBCRYPTO_ERROR;
                goto out;
        }
@@ -369,13 +369,13 @@ cipher_crypt(struct sshcipher_ctx *cc, u_int seqnr, u_char *dest,
                if (authlen != cipher_authlen(cc->cipher))
                        return SSH_ERR_INVALID_ARGUMENT;
                /* increment IV */
-               if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
-                   1, lastiv))
+               if (EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
+                   1, lastiv) <= 0)
                        return SSH_ERR_LIBCRYPTO_ERROR;
                /* set tag on decryption */
                if (!cc->encrypt &&
-                   !EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_TAG,
-                   authlen, (u_char *)src + aadlen + len))
+                   EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_SET_TAG,
+                   authlen, (u_char *)src + aadlen + len) <= 0)
                        return SSH_ERR_LIBCRYPTO_ERROR;
        }
        if (aadlen) {
@@ -395,8 +395,8 @@ cipher_crypt(struct sshcipher_ctx *cc, u_int seqnr, u_char *dest,
                        return cc->encrypt ?
                            SSH_ERR_LIBCRYPTO_ERROR : SSH_ERR_MAC_INVALID;
                if (cc->encrypt &&
-                   !EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_GET_TAG,
-                   authlen, dest + aadlen + len))
+                   EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_GET_TAG,
+                   authlen, dest + aadlen + len) <= 0)
                        return SSH_ERR_LIBCRYPTO_ERROR;
        }
        return 0;
@@ -465,10 +465,10 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, size_t len)
        if ((size_t)evplen != len)
                return SSH_ERR_INVALID_ARGUMENT;
        if (cipher_authlen(c)) {
-               if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
-                   len, iv))
+               if (EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN, len,
+                   iv) <= 0)
                        return SSH_ERR_LIBCRYPTO_ERROR;
-       } else if (!EVP_CIPHER_CTX_get_iv(cc->evp, iv, len))
+       } else if (EVP_CIPHER_CTX_get_iv(cc->evp, iv, len) <= 0)
                return SSH_ERR_LIBCRYPTO_ERROR;
 #endif
        return 0;
@@ -495,8 +495,8 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv, size_t len)
                return SSH_ERR_INVALID_ARGUMENT;
        if (cipher_authlen(c)) {
                /* XXX iv arg is const, but EVP_CIPHER_CTX_ctrl isn't */
-               if (!EVP_CIPHER_CTX_ctrl(cc->evp,
-                   EVP_CTRL_GCM_SET_IV_FIXED, -1, (void *)iv))
+               if (EVP_CIPHER_CTX_ctrl(cc->evp,
+                   EVP_CTRL_GCM_SET_IV_FIXED, -1, (void *)iv) <= 0)
                        return SSH_ERR_LIBCRYPTO_ERROR;
        } else if (!EVP_CIPHER_CTX_set_iv(cc->evp, iv, evplen))
                return SSH_ERR_LIBCRYPTO_ERROR;