[R-pkg-team] Bug#1007172: r-cran-pki incompatible with OpenSSL 3

Andreas Tille andreas at an3as.eu
Sun Mar 13 07:32:16 GMT 2022


Control: forwarded -1 Simon Urbanek <Simon.Urbanek at r-project.org>
Control: tags -1 pending

Hi Simon,

I'll upload the attached patch which also applies to the new upstream
version 0.1-10.

Kind regards

     Andreas.

Am Sat, Mar 12, 2022 at 10:37:24AM -0800 schrieb Steve Langasek:
> Package: r-cran-pki
> Version: 0.1-9-1
> Severity: serious
> Tags: patch experimental
> User: ubuntu-devel at lists.ubuntu.com
> Usertags: origin-ubuntu jammy ubuntu-patch
> 
> Hi Andreas,
> 
> r-cran-pki is incompatible with OpenSSL 3, which is currently in
> experimental.  This shows up as an autopkgtest failure:
> 
> [...]
> >  -- Ciphers
> info("Ciphers")
> > skey <- PKI.random(256)
> > for (cipher in c("aes256ecb", "aes256ofb", "bfcbc", "bfecb", "bfofb", "bfcfb"))
> +     assert(cipher, all(PKI.decrypt(PKI.encrypt(charToRaw("foo!"), skey, cipher), skey, cipher)[1:4] == charToRaw("foo!")))
>    .  aes256ecb 
>    .  aes256ofb 
>    .  bfcbc 
> Error in PKI.encrypt(charToRaw("foo!"), skey, cipher) : 
>   error:0308010C:digital envelope routines::unsupported
> Calls: assert -> stopifnot -> PKI.decrypt -> PKI.encrypt
> Execution halted
> autopkgtest [09:48:31]: test run-unit-test: -----------------------]
> [...]
> 
>   (https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/amd64/r/r-cran-pki/20220223_094913_a5969@/log.gz)
> 
> The issue is that r-cran-pki exposes use of various older, insecure
> algorithms which are no longer available in the default crypto provider in
> openssl, so additional steps are required in the code in order to enable use
> of these algorithms.
> 
> I've prepared the attached patch which fixes the issue, and have uploaded it
> to Ubuntu, since we are shipping OpenSSL 3 for the upcoming release.  Please
> consider including it in Debian as well (and forwarding upstream).
> 
> -- 
> Steve Langasek                   Give me a lever long enough and a Free OS
> Debian Developer                   to set it on, and I can move the world.
> Ubuntu Developer                                   https://www.debian.org/
> slangasek at ubuntu.com                                     vorlon at debian.org

> diff -Nru r-cran-pki-0.1-9/debian/patches/openssl3-compat.patch r-cran-pki-0.1-9/debian/patches/openssl3-compat.patch
> --- r-cran-pki-0.1-9/debian/patches/openssl3-compat.patch	1969-12-31 16:00:00.000000000 -0800
> +++ r-cran-pki-0.1-9/debian/patches/openssl3-compat.patch	2022-03-12 00:09:19.000000000 -0800
> @@ -0,0 +1,85 @@
> +Description: Fix compatibility with OpenSSL 3
> + Some algorithms exposed by PKI are now 'legacy' in OpenSSL and require
> + explicit enablement.
> +Author: Steve Langasek <steve.langasek at ubuntu.com>
> +Last-Update: 2022-03-12
> +Forwarded: no
> +
> +Index: r-cran-pki-0.1-9/src/pki.h
> +===================================================================
> +--- r-cran-pki-0.1-9.orig/src/pki.h
> ++++ r-cran-pki-0.1-9/src/pki.h
> +@@ -20,6 +20,10 @@
> + #include <openssl/x509_vfy.h>
> + #include <openssl/x509v3.h>
> + 
> ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
> ++#include <openssl/provider.h>
> ++#endif
> ++
> + #if __APPLE__
> + #if defined MAC_OS_X_VERSION_10_7 && MAC_OS_X_VERSION_MIN_REQUIRED >= 1070
> + /* use accelerated crypto on OS X instead of OpenSSL crypto */
> +Index: r-cran-pki-0.1-9/src/pki-x509.c
> +===================================================================
> +--- r-cran-pki-0.1-9.orig/src/pki-x509.c
> ++++ r-cran-pki-0.1-9/src/pki-x509.c
> +@@ -225,6 +225,28 @@
> + static EVP_CIPHER_CTX *get_cipher(SEXP sKey, SEXP sCipher, int enc, int *transient, SEXP sIV) {
> +     EVP_CIPHER_CTX *ctx;
> +     PKI_init();
> ++
> ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
> ++    static OSSL_PROVIDER *legacy_provider = NULL;
> ++    static OSSL_PROVIDER *default_provider = NULL;
> ++    static OSSL_LIB_CTX *ossl_ctx = NULL;
> ++
> ++    if (!ossl_ctx)
> ++	ossl_ctx = OSSL_LIB_CTX_new();
> ++    if (!ossl_ctx)
> ++	Rf_error("OSSL_LIB_CTX_new failed\n");
> ++
> ++    if (!legacy_provider)
> ++	legacy_provider = OSSL_PROVIDER_load(ossl_ctx, "legacy");
> ++    if (!legacy_provider)
> ++	Rf_error("OSSL_PROVIDER_load(legacy) failed\n");
> ++
> ++    if (!default_provider)
> ++	default_provider = OSSL_PROVIDER_load(ossl_ctx, "default");
> ++    if (!default_provider)
> ++	Rf_error("OSSL_PROVIDER_load(default) failed\n");
> ++#endif
> ++
> +     if (inherits(sKey, "symmeric.cipher")) {
> + 	if (transient) transient[0] = 0;
> + 	return (EVP_CIPHER_CTX*) R_ExternalPtrAddr(sCipher);
> +@@ -265,13 +287,29 @@
> + 	else if (!strcmp(cipher, "aes256ofb"))
> + 	    type = EVP_aes_256_ofb();
> + 	else if (!strcmp(cipher, "blowfish") || !strcmp(cipher, "bfcbc"))
> ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
> ++	    type = EVP_CIPHER_fetch(ossl_ctx, "BF-CBC", NULL);
> ++#else
> + 	    type = EVP_bf_cbc();
> ++#endif
> + 	else if (!strcmp(cipher, "bfecb"))
> ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
> ++	    type = EVP_CIPHER_fetch(ossl_ctx, "BF-ECB", NULL);
> ++#else
> + 	    type = EVP_bf_ecb();
> ++#endif
> + 	else if (!strcmp(cipher, "bfofb"))
> ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
> ++	    type = EVP_CIPHER_fetch(ossl_ctx, "BF-OFB", NULL);
> ++#else
> + 	    type = EVP_bf_ofb();
> ++#endif
> + 	else if (!strcmp(cipher, "bfcfb"))
> ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
> ++	    type = EVP_CIPHER_fetch(ossl_ctx, "BF-CFB", NULL);
> ++#else
> + 	    type = EVP_bf_cfb();
> ++#endif
> + 	else Rf_error("unknown cipher `%s'", CHAR(STRING_ELT(sCipher, 0)));
> + 
> + 	if (TYPEOF(sIV) == STRSXP) {
> diff -Nru r-cran-pki-0.1-9/debian/patches/series r-cran-pki-0.1-9/debian/patches/series
> --- r-cran-pki-0.1-9/debian/patches/series	1969-12-31 16:00:00.000000000 -0800
> +++ r-cran-pki-0.1-9/debian/patches/series	2022-03-12 00:09:19.000000000 -0800
> @@ -0,0 +1 @@
> +openssl3-compat.patch

> _______________________________________________
> R-pkg-team mailing list
> R-pkg-team at alioth-lists.debian.net
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/r-pkg-team


-- 
http://fam-tille.de



More information about the R-pkg-team mailing list