Package: burp
Version: 2.4.0-3
Severity: serious
Tags: patch experimental
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu jammy ubuntu-patch
Dear maintainers,

Ubuntu has begun the transition to OpenSSL 3. While there are a good number of packages that will need fixes in order to be buildable against libssl3, burp builds successfully but then fails its test suite because its v1 protocol depends on the use of ciphers that are unavailable with the default provider in OpenSSL 3.

The attached patch has been applied in Ubuntu for this issue. Please consider including it in Debian as well and forwarding it upstream.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    https://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
diff -Nru burp-2.4.0/debian/patches/openssl3-compat.patch burp-2.4.0/debian/patches/openssl3-compat.patch --- burp-2.4.0/debian/patches/openssl3-compat.patch 1969-12-31 16:00:00.000000000 -0800 +++ burp-2.4.0/debian/patches/openssl3-compat.patch 2021-12-02 09:43:02.000000000 -0800 
@@ -0,0 +1,79 @@ +Description: Fix compatibility with OpenSSL 3 + burp's legacy protocol depends on algorithms that are no longer available + in the default provider. + . + we also need to invoke EVP_CipherInit_ex differently. +Author: Steve Langasek <steve.langa...@ubuntu.com> +Last-Update: 2021-12-02 +Bug-Ubuntu: https://bugs.launchpad.net/bugs/1952959 +Forwarded: no + +Index: burp-2.4.0/src/protocol1/handy.c +=================================================================== +--- burp-2.4.0.orig/src/protocol1/handy.c ++++ burp-2.4.0/src/protocol1/handy.c +@@ -10,6 +10,10 @@ + #include "../log.h" + #include "handy.h" + ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++#include <openssl/provider.h> ++#endif ++ + static int do_encryption(struct asfd *asfd, EVP_CIPHER_CTX *ctx, + uint8_t *inbuf, int inlen, uint8_t *outbuf, int *outlen, + MD5_CTX *md5) +@@ -41,9 +45,42 @@ + uint8_t enc_iv[9]; + uint8_t enc_key[256]; + EVP_CIPHER_CTX *ctx=NULL; +- const EVP_CIPHER *cipher=EVP_bf_cbc(); ++ ++ const EVP_CIPHER *cipher; + int key_len; +- ++ ++#if OPENSSL_VERSION_NUMBER >= 0x30000000L ++ static OSSL_PROVIDER *legacy_provider = NULL; ++ static OSSL_PROVIDER *default_provider = NULL; ++ static OSSL_LIB_CTX *ossl_ctx = NULL; ++ ++ if (!ossl_ctx) ++ ossl_ctx = OSSL_LIB_CTX_new(); ++ if (!ossl_ctx) ++ { ++ logp("OSSL_LIB_CTX_new failed\n"); ++ goto error; ++ } ++ ++ if (!legacy_provider) ++ legacy_provider = OSSL_PROVIDER_load(ossl_ctx, "legacy"); ++ if (!legacy_provider) { ++ logp("OSSL_PROVIDER_load(legacy) failed\n"); ++ goto error; ++ } ++ ++ if (!default_provider) ++ default_provider = OSSL_PROVIDER_load(ossl_ctx, "default"); ++ if (!default_provider) { ++ logp("OSSL_PROVIDER_load(default) failed\n"); ++ goto error; ++ } ++ ++ cipher = EVP_CIPHER_fetch(ossl_ctx, "BF-CBC", NULL); ++#else ++ cipher = EVP_bf_cbc(); ++#endif ++ + if(!encryption_password) + { + logp("No encryption password in %s()\n", __func__); +@@ -84,7 +121,7 @@ + + // Don't set key or IV because we will 
modify the parameters. + EVP_CIPHER_CTX_init(ctx); +- if(!(EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, encrypt))) ++ if(!(EVP_CipherInit_ex(ctx, cipher, NULL, enc_key, enc_iv, encrypt))) + { + logp("EVP_CipherInit_ex failed\n"); + goto error; diff -Nru burp-2.4.0/debian/patches/series burp-2.4.0/debian/patches/series --- burp-2.4.0/debian/patches/series 2021-11-09 03:17:59.000000000 -0800 +++ burp-2.4.0/debian/patches/series 2021-12-02 09:41:44.000000000 -0800 @@ -1,2 +1,3 @@ increase_attribs_test_timeout.diff fix_ncurses_warning.diff +openssl3-compat.patch
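Review bot: in the handy.c hunk at @@ -10,6 +10,10 @@ the new `#if OPENSSL_VERSION_NUMBER >= 0x30000000L` relies on that macro already being defined by "../log.h" or "handy.h"; if neither pulls in an OpenSSL header first, the condition is silently false, <openssl/provider.h> is never included, and the later OSSL_* calls fail to compile only on OpenSSL 3. Adding an explicit `#include <openssl/opensslv.h>` (or <openssl/evp.h>) above the guard removes that dependency on include order.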
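Review bot: in the handy.c hunk at @@ -41,9 +45,42 @@ the result of `cipher = EVP_CIPHER_fetch(ossl_ctx, "BF-CBC", NULL);` is neither checked nor released: a fetch failure (legacy provider present but BF-CBC unavailable) only surfaces later as a misleading "EVP_CipherInit_ex failed", and every successful call leaks one cipher reference because EVP_CIPHER_fetch returns a new reference each time. Add a NULL check with its own logp() message and `goto error` directly after the fetch, and free the fetched cipher on both exit paths inside the same version guard (the declaration would need to drop `const`, or the free would need a cast). The statics ossl_ctx, legacy_provider and default_provider are intentionally never unloaded, which is acceptable for a process-lifetime context but deserves a comment; if this function can be entered from more than one thread, the check-then-assign on those statics is also a race. Style: the surrounding file writes `if(cond)` with the brace on its own line, while the new block mixes `if (cond) {` and `if (cond)` followed by `{` on the next line.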
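Review bot: in the handy.c hunk at @@ -84,7 +121,7 @@ the retained comment `// Don't set key or IV because we will modify the parameters.` now contradicts the changed call, which passes enc_key and enc_iv to EVP_CipherInit_ex; update or drop the comment. The patch Description only says EVP_CipherInit_ex must be "invoked differently" without saying what fails under OpenSSL 3 with the NULL key/IV form; one sentence explaining that would help the Debian maintainer and upstream judge the change. Since the key is now supplied at the first init, any later key-length adjustment that the original NULL-key pattern relied on (the function has a key_len variable, but that code is outside this hunk) should be rechecked so that the Blowfish key length actually used still matches key_len.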