[R-pkg-team] Bug#1007172: r-cran-pki incompatible with OpenSSL 3
Andreas Tille
andreas at an3as.eu
Sun Mar 13 07:32:16 GMT 2022
Control: forwarded -1 Simon Urbanek <Simon.Urbanek at r-project.org>
Control: tags -1 pending
Hi Simon,
I'll upload the attached patch which also applies to the new upstream
version 0.1-10.
Kind regards
Andreas.
Am Sat, Mar 12, 2022 at 10:37:24AM -0800 schrieb Steve Langasek:
> Package: r-cran-pki
> Version: 0.1-9-1
> Severity: serious
> Tags: patch experimental
> User: ubuntu-devel at lists.ubuntu.com
> Usertags: origin-ubuntu jammy ubuntu-patch
>
> Hi Andreas,
>
> r-cran-pki is incompatible with OpenSSL 3, which is currently in
> experimental. This shows up as an autopkgtest failure:
>
> [...]
> > -- Ciphers
> info("Ciphers")
> > skey <- PKI.random(256)
> > for (cipher in c("aes256ecb", "aes256ofb", "bfcbc", "bfecb", "bfofb", "bfcfb"))
> + assert(cipher, all(PKI.decrypt(PKI.encrypt(charToRaw("foo!"), skey, cipher), skey, cipher)[1:4] == charToRaw("foo!")))
> . aes256ecb
> . aes256ofb
> . bfcbc
> Error in PKI.encrypt(charToRaw("foo!"), skey, cipher) :
> error:0308010C:digital envelope routines::unsupported
> Calls: assert -> stopifnot -> PKI.decrypt -> PKI.encrypt
> Execution halted
> autopkgtest [09:48:31]: test run-unit-test: -----------------------]
> [...]
>
> (https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/amd64/r/r-cran-pki/20220223_094913_a5969@/log.gz)
>
> The issue is that r-cran-pki exposes use of various older, insecure
> algorithms which are no longer available in the default crypto provider in
> openssl, so additional steps are required in the code in order to enable use
> of these algorithms.
>
> I've prepared the attached patch which fixes the issue, and have uploaded it
> to Ubuntu, since we are shipping OpenSSL 3 for the upcoming release. Please
> consider including it in Debian as well (and forwarding upstream).
>
> --
> Steve Langasek Give me a lever long enough and a Free OS
> Debian Developer to set it on, and I can move the world.
> Ubuntu Developer https://www.debian.org/
> slangasek at ubuntu.com vorlon at debian.org
> diff -Nru r-cran-pki-0.1-9/debian/patches/openssl3-compat.patch r-cran-pki-0.1-9/debian/patches/openssl3-compat.patch
> --- r-cran-pki-0.1-9/debian/patches/openssl3-compat.patch 1969-12-31 16:00:00.000000000 -0800
> +++ r-cran-pki-0.1-9/debian/patches/openssl3-compat.patch 2022-03-12 00:09:19.000000000 -0800
> @@ -0,0 +1,85 @@
> +Description: Fix compatibility with OpenSSL 3
> + Some algorithms exposed by PKI are now 'legacy' in OpenSSL and require
> + explicit enablement.
> +Author: Steve Langasek <steve.langasek at ubuntu.com>
> +Last-Update: 2022-03-12
> +Forwarded: no
> +
> +Index: r-cran-pki-0.1-9/src/pki.h
> +===================================================================
> +--- r-cran-pki-0.1-9.orig/src/pki.h
> ++++ r-cran-pki-0.1-9/src/pki.h
> +@@ -20,6 +20,10 @@
> + #include <openssl/x509_vfy.h>
> + #include <openssl/x509v3.h>
> +
> ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
> ++#include <openssl/provider.h>
> ++#endif
> ++
> + #if __APPLE__
> + #if defined MAC_OS_X_VERSION_10_7 && MAC_OS_X_VERSION_MIN_REQUIRED >= 1070
> + /* use accelerated crypto on OS X instead of OpenSSL crypto */
> +Index: r-cran-pki-0.1-9/src/pki-x509.c
> +===================================================================
> +--- r-cran-pki-0.1-9.orig/src/pki-x509.c
> ++++ r-cran-pki-0.1-9/src/pki-x509.c
> +@@ -225,6 +225,28 @@
> + static EVP_CIPHER_CTX *get_cipher(SEXP sKey, SEXP sCipher, int enc, int *transient, SEXP sIV) {
> + EVP_CIPHER_CTX *ctx;
> + PKI_init();
> ++
> ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
> ++ static OSSL_PROVIDER *legacy_provider = NULL;
> ++ static OSSL_PROVIDER *default_provider = NULL;
> ++ static OSSL_LIB_CTX *ossl_ctx = NULL;
> ++
> ++ if (!ossl_ctx)
> ++ ossl_ctx = OSSL_LIB_CTX_new();
> ++ if (!ossl_ctx)
> ++ Rf_error("OSSL_LIB_CTX_new failed\n");
> ++
> ++ if (!legacy_provider)
> ++ legacy_provider = OSSL_PROVIDER_load(ossl_ctx, "legacy");
> ++ if (!legacy_provider)
> ++ Rf_error("OSSL_PROVIDER_load(legacy) failed\n");
> ++
> ++ if (!default_provider)
> ++ default_provider = OSSL_PROVIDER_load(ossl_ctx, "default");
> ++ if (!default_provider)
> ++ Rf_error("OSSL_PROVIDER_load(default) failed\n");
> ++#endif
> ++
> + if (inherits(sKey, "symmeric.cipher")) {
> + if (transient) transient[0] = 0;
> + return (EVP_CIPHER_CTX*) R_ExternalPtrAddr(sCipher);
> +@@ -265,13 +287,29 @@
> + else if (!strcmp(cipher, "aes256ofb"))
> + type = EVP_aes_256_ofb();
> + else if (!strcmp(cipher, "blowfish") || !strcmp(cipher, "bfcbc"))
> ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
> ++ type = EVP_CIPHER_fetch(ossl_ctx, "BF-CBC", NULL);
> ++#else
> + type = EVP_bf_cbc();
> ++#endif
> + else if (!strcmp(cipher, "bfecb"))
> ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
> ++ type = EVP_CIPHER_fetch(ossl_ctx, "BF-ECB", NULL);
> ++#else
> + type = EVP_bf_ecb();
> ++#endif
> + else if (!strcmp(cipher, "bfofb"))
> ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
> ++ type = EVP_CIPHER_fetch(ossl_ctx, "BF-OFB", NULL);
> ++#else
> + type = EVP_bf_ofb();
> ++#endif
> + else if (!strcmp(cipher, "bfcfb"))
> ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
> ++ type = EVP_CIPHER_fetch(ossl_ctx, "BF-CFB", NULL);
> ++#else
> + type = EVP_bf_cfb();
> ++#endif
> + else Rf_error("unknown cipher `%s'", CHAR(STRING_ELT(sCipher, 0)));
> +
> + if (TYPEOF(sIV) == STRSXP) {
> diff -Nru r-cran-pki-0.1-9/debian/patches/series r-cran-pki-0.1-9/debian/patches/series
> --- r-cran-pki-0.1-9/debian/patches/series 1969-12-31 16:00:00.000000000 -0800
> +++ r-cran-pki-0.1-9/debian/patches/series 2022-03-12 00:09:19.000000000 -0800
> @@ -0,0 +1 @@
> +openssl3-compat.patch
> _______________________________________________
> R-pkg-team mailing list
> R-pkg-team at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/r-pkg-team
--
http://fam-tille.de
More information about the R-pkg-team
mailing list