Your message dated Sun, 13 Mar 2022 08:35:09 +0000
with message-id <e1ntjgz-000bhz...@fasolo.debian.org>
and subject line Bug#1007172: fixed in r-cran-pki 0.1-10-1
has caused the Debian Bug report #1007172,
regarding r-cran-pki incompatible with OpenSSL 3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1007172: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007172
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: r-cran-pki
Version: 0.1-9-1
Severity: serious
Tags: patch experimental
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu jammy ubuntu-patch

Hi Andreas,

r-cran-pki is incompatible with OpenSSL 3, which is currently in
experimental.  This shows up as an autopkgtest failure:

[...]
>  -- Ciphers
info("Ciphers")
> skey <- PKI.random(256)
> for (cipher in c("aes256ecb", "aes256ofb", "bfcbc", "bfecb", "bfofb", "bfcfb"))
+     assert(cipher, all(PKI.decrypt(PKI.encrypt(charToRaw("foo!"), skey, cipher), skey, cipher)[1:4] == charToRaw("foo!")))
   .  aes256ecb 
   .  aes256ofb 
   .  bfcbc 
Error in PKI.encrypt(charToRaw("foo!"), skey, cipher) : 
  error:0308010C:digital envelope routines::unsupported
Calls: assert -> stopifnot -> PKI.decrypt -> PKI.encrypt
Execution halted
autopkgtest [09:48:31]: test run-unit-test: -----------------------]
[...]

  
(https://autopkgtest.ubuntu.com/results/autopkgtest-jammy/jammy/amd64/r/r-cran-pki/20220223_094913_a5969@/log.gz)

The issue is that r-cran-pki exposes use of various older, insecure
algorithms which are no longer available in the default crypto provider in
openssl, so additional steps are required in the code in order to enable use
of these algorithms.

I've prepared the attached patch which fixes the issue, and have uploaded it
to Ubuntu, since we are shipping OpenSSL 3 for the upcoming release.  Please
consider including it in Debian as well (and forwarding upstream).

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
diff -Nru r-cran-pki-0.1-9/debian/patches/openssl3-compat.patch 
r-cran-pki-0.1-9/debian/patches/openssl3-compat.patch
--- r-cran-pki-0.1-9/debian/patches/openssl3-compat.patch       1969-12-31 
16:00:00.000000000 -0800
+++ r-cran-pki-0.1-9/debian/patches/openssl3-compat.patch       2022-03-12 
00:09:19.000000000 -0800
@@ -0,0 +1,85 @@
+Description: Fix compatibility with OpenSSL 3
+ Some algorithms exposed by PKI are now 'legacy' in OpenSSL and require
+ explicit enablement.
+Author: Steve Langasek <steve.langa...@ubuntu.com>
+Last-Update: 2022-03-12
+Forwarded: no
+
+Index: r-cran-pki-0.1-9/src/pki.h
+===================================================================
+--- r-cran-pki-0.1-9.orig/src/pki.h
++++ r-cran-pki-0.1-9/src/pki.h
+@@ -20,6 +20,10 @@
+ #include <openssl/x509_vfy.h>
+ #include <openssl/x509v3.h>
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#include <openssl/provider.h>
++#endif
++
+ #if __APPLE__
+ #if defined MAC_OS_X_VERSION_10_7 && MAC_OS_X_VERSION_MIN_REQUIRED >= 1070
+ /* use accelerated crypto on OS X instead of OpenSSL crypto */
+Index: r-cran-pki-0.1-9/src/pki-x509.c
+===================================================================
+--- r-cran-pki-0.1-9.orig/src/pki-x509.c
++++ r-cran-pki-0.1-9/src/pki-x509.c
+@@ -225,6 +225,28 @@
+ static EVP_CIPHER_CTX *get_cipher(SEXP sKey, SEXP sCipher, int enc, int 
*transient, SEXP sIV) {
+     EVP_CIPHER_CTX *ctx;
+     PKI_init();
++
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++    static OSSL_PROVIDER *legacy_provider = NULL;
++    static OSSL_PROVIDER *default_provider = NULL;
++    static OSSL_LIB_CTX *ossl_ctx = NULL;
++
++    if (!ossl_ctx)
++      ossl_ctx = OSSL_LIB_CTX_new();
++    if (!ossl_ctx)
++      Rf_error("OSSL_LIB_CTX_new failed\n");
++
++    if (!legacy_provider)
++      legacy_provider = OSSL_PROVIDER_load(ossl_ctx, "legacy");
++    if (!legacy_provider)
++      Rf_error("OSSL_PROVIDER_load(legacy) failed\n");
++
++    if (!default_provider)
++      default_provider = OSSL_PROVIDER_load(ossl_ctx, "default");
++    if (!default_provider)
++      Rf_error("OSSL_PROVIDER_load(default) failed\n");
++#endif
++
+     if (inherits(sKey, "symmeric.cipher")) {
+       if (transient) transient[0] = 0;
+       return (EVP_CIPHER_CTX*) R_ExternalPtrAddr(sCipher);
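Review bot: The provider setup sits at the top of get_cipher(), ahead of the `inherits(sKey, "symmeric.cipher")` early return, so if OSSL_PROVIDER_load(ossl_ctx, "legacy") fails, Rf_error fires for every caller, including the AES ciphers and already-built contexts that never touch a legacy algorithm. That turns a Blowfish-only limitation into a failure of all symmetric operations whenever the legacy provider cannot be loaded. Consider moving the load into a small helper called only from the Blowfish branches, and dropping the "default" load unless something that needs it is fetched from ossl_ctx; in the visible lines only BF-* names are fetched from that context. Minor: the new Rf_error strings end in "\n", unlike the existing `Rf_error("unknown cipher ...")` call in the same file.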
+@@ -265,13 +287,29 @@
+       else if (!strcmp(cipher, "aes256ofb"))
+           type = EVP_aes_256_ofb();
+       else if (!strcmp(cipher, "blowfish") || !strcmp(cipher, "bfcbc"))
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++          type = EVP_CIPHER_fetch(ossl_ctx, "BF-CBC", NULL);
++#else
+           type = EVP_bf_cbc();
++#endif
+       else if (!strcmp(cipher, "bfecb"))
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++          type = EVP_CIPHER_fetch(ossl_ctx, "BF-ECB", NULL);
++#else
+           type = EVP_bf_ecb();
++#endif
+       else if (!strcmp(cipher, "bfofb"))
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++          type = EVP_CIPHER_fetch(ossl_ctx, "BF-OFB", NULL);
++#else
+           type = EVP_bf_ofb();
++#endif
+       else if (!strcmp(cipher, "bfcfb"))
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++          type = EVP_CIPHER_fetch(ossl_ctx, "BF-CFB", NULL);
++#else
+           type = EVP_bf_cfb();
++#endif
+       else Rf_error("unknown cipher `%s'", CHAR(STRING_ELT(sCipher, 0)));
+ 
+       if (TYPEOF(sIV) == STRSXP) {
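Review bot: The EVP_CIPHER_fetch() results in the four Blowfish branches are never checked for NULL, and the trailing `else Rf_error("unknown cipher ...")` only covers an unrecognised name, so a failed fetch falls through with type == NULL. Add a check after the if/else chain and report it as an unavailable cipher. Also, unlike EVP_bf_cbc() and its siblings, EVP_CIPHER_fetch() returns a reference the caller owns and must release with EVP_CIPHER_free(); nothing in these lines does so, and holding owned and static pointers in the same `type` variable makes that easy to miss. Style: the four identical #if/#else/#endif blocks could be folded into one macro or helper that takes the fetch name and the pre-3.0 constructor.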
diff -Nru r-cran-pki-0.1-9/debian/patches/series 
r-cran-pki-0.1-9/debian/patches/series
--- r-cran-pki-0.1-9/debian/patches/series      1969-12-31 16:00:00.000000000 
-0800
+++ r-cran-pki-0.1-9/debian/patches/series      2022-03-12 00:09:19.000000000 
-0800
@@ -0,0 +1 @@
+openssl3-compat.patch

--- End Message ---
--- Begin Message ---
Source: r-cran-pki
Source-Version: 0.1-10-1
Done: Andreas Tille <ti...@debian.org>

We believe that the bug you reported is fixed in the latest version of
r-cran-pki, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1007...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andreas Tille <ti...@debian.org> (supplier of updated r-cran-pki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 13 Mar 2022 08:43:13 +0100
Source: r-cran-pki
Architecture: source
Version: 0.1-10-1
Distribution: unstable
Urgency: medium
Maintainer: Debian R Packages Maintainers <r-pkg-t...@alioth-lists.debian.net>
Changed-By: Andreas Tille <ti...@debian.org>
Closes: 1007172
Changes:
 r-cran-pki (0.1-10-1) unstable; urgency=medium
 .
   * New upstream version
   * Set upstream metadata fields: Archive.
   * Fix compatibility with OpenSSL 3 (Thanks to Steve Langasek for the fix)
     Closes: #1007172
   * Ignore one failing test

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
