Bug 262107 - security/tinc-devel: Fails to run 1.1pre18 update: Error while encrypting: error:060A6094:digital envelope routines:EVP_DecryptUpdate:invalid operation
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Dirk Meyer
Keywords: needs-qa, regression
Reported: 2022-02-21 20:53 UTC by Aaron C. de Bruyn
Modified: 2022-02-25 09:38 UTC (History)
dinoex: maintainer-feedback+
dinoex: merge-quarterly-
Description Aaron C. de Bruyn 2022-02-21 20:53:11 UTC
This is similar to 242162, but that bug is pretty old.


After installing tinc 1.1pre18 on ~30 routers, all of them give the following error message when trying to connect to each other:

Error while encrypting: error:060A6094:digital envelope routines:EVP_DecryptUpdate:invalid operation

Downgrading to 1.1pre17 fixes the issue and restores connectivity.

There is a related Debian bug here: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=923438

Their fix was to downgrade libssl1.1 to 1.1.1a-1.
Comment 1 Dirk Meyer freebsd_committer freebsd_triage 2022-02-22 09:15:22 UTC
Please test if removing "files/patch-cipher.c" fixes your issue.
Comment 2 Aaron C. de Bruyn 2022-02-24 03:02:14 UTC
I ran a brief test after removing the patch.
The error message changed slightly.  There's now the addition of one more line:

tinc.CORPNET[46811]: Error while encrypting: error:060A6094:digital envelope routines:EVP_DecryptUpdate:invalid operation
tinc.CORPNET[46811]: Error while encrypting metadata to -redacted-router-name- (red.act.ed.ip port 655)
tinc.CORPNET[46811]: Error while processing METAKEY from -redacted-router-name- (red.act.ed.ip port 655)

The 'METAKEY' error wasn't appearing previously.
Comment 3 Aaron C. de Bruyn 2022-02-24 03:04:57 UTC
Since I'm somewhat of a n00b to FreeBSD, I should probably also include my testing steps.

1. portsnap auto (to update ports tree)
2. cd /usr/ports/security/tinc-devel
3. make clean
4. make fetch
5. rm files/patch-cipher.c
6. make
7. make deinstall
8. make install
9. service tincd restart
Comment 4 Dirk Meyer freebsd_committer freebsd_triage 2022-02-24 07:17:42 UTC
Still unable to reproduce the issue here.

1.1pre18 is running here on FreeBSD 12.3 successfully.

Please provide more details of your setup.
Using port or repo?

Please provide the output of:
openssl version
ldd /usr/local/sbin/tincd

What type of keys do you use in your setup?
Comment 5 commit-hook freebsd_committer freebsd_triage 2022-02-25 09:35:34 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=66b541d491a18c4b7b84504ae79210da81802f05

commit 66b541d491a18c4b7b84504ae79210da81802f05
Author:     Dirk Meyer <dinoex@FreeBSD.org>
AuthorDate: 2022-02-25 09:32:16 +0000
Commit:     Dirk Meyer <dinoex@FreeBSD.org>
CommitDate: 2022-02-25 09:35:14 +0000

    security/tinc-devel: fix regression with some openssl versions

    PR: 262107

 security/tinc-devel/Makefile                    |  1 +
 security/tinc-devel/files/patch-cipher.c (gone) | 11 -----------
 2 files changed, 1 insertion(+), 11 deletions(-)