Your message dated Thu, 16 Dec 2021 13:00:57 +0100
with message-id <9d3b7a59-b89c-903c-195f-d5647ad4a...@nerdrug.org>
and subject line Re: burp: Incompatible with openssl 3.0
has caused the Debian Bug report #1001014,
regarding burp: Incompatible with openssl 3.0
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1001014: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1001014
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: burp
Version: 2.4.0-3
Severity: serious
Tags: patch experimental
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu jammy ubuntu-patch

Dear maintainers,

Ubuntu has begun the transition to OpenSSL 3.  While there are a good number
of packages that will need fixes in order to be buildable against libssl3,
burp builds successfully but then fails its test suite because its v1
protocol depends on the use of ciphers that are unavailable with the default
provider in OpenSSL 3.

The attached patch has been applied in Ubuntu for this issue.  Please
consider including it in Debian as well and forwarding it upstream.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
diff -Nru burp-2.4.0/debian/patches/openssl3-compat.patch 
burp-2.4.0/debian/patches/openssl3-compat.patch
--- burp-2.4.0/debian/patches/openssl3-compat.patch     1969-12-31 
16:00:00.000000000 -0800
+++ burp-2.4.0/debian/patches/openssl3-compat.patch     2021-12-02 
09:43:02.000000000 -0800
@@ -0,0 +1,79 @@
+Description: Fix compatibility with OpenSSL 3
+ burp's legacy protocol depends on algorithms that are no longer available
+ in the default provider.
+ .
+ we also need to invoke EVP_CipherInit_ex differently.
+Author: Steve Langasek <steve.langa...@ubuntu.com>
+Last-Update: 2021-12-02
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1952959
+Forwarded: no
+
+Index: burp-2.4.0/src/protocol1/handy.c
+===================================================================
+--- burp-2.4.0.orig/src/protocol1/handy.c
++++ burp-2.4.0/src/protocol1/handy.c
+@@ -10,6 +10,10 @@
+ #include "../log.h"
+ #include "handy.h"
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++#include <openssl/provider.h>
++#endif
++
+ static int do_encryption(struct asfd *asfd, EVP_CIPHER_CTX *ctx,
+       uint8_t *inbuf, int inlen, uint8_t *outbuf, int *outlen,
+       MD5_CTX *md5)
+@@ -41,9 +45,42 @@
+       uint8_t enc_iv[9];
+       uint8_t enc_key[256];
+       EVP_CIPHER_CTX *ctx=NULL;
+-      const EVP_CIPHER *cipher=EVP_bf_cbc();
++
++      const EVP_CIPHER *cipher;
+       int key_len;
+-      
++
++#if OPENSSL_VERSION_NUMBER >= 0x30000000L
++      static OSSL_PROVIDER *legacy_provider = NULL;
++      static OSSL_PROVIDER *default_provider = NULL;
++      static OSSL_LIB_CTX *ossl_ctx = NULL;
++
++      if (!ossl_ctx)
++              ossl_ctx = OSSL_LIB_CTX_new();
++      if (!ossl_ctx)
++      {
++              logp("OSSL_LIB_CTX_new failed\n");
++              goto error;
++      }
++
++      if (!legacy_provider)
++              legacy_provider = OSSL_PROVIDER_load(ossl_ctx, "legacy");
++      if (!legacy_provider) {
++              logp("OSSL_PROVIDER_load(legacy) failed\n");
++              goto error;
++      }
++
++      if (!default_provider)
++              default_provider = OSSL_PROVIDER_load(ossl_ctx, "default");
++      if (!default_provider) {
++              logp("OSSL_PROVIDER_load(default) failed\n");
++              goto error;
++      }
++
++      cipher = EVP_CIPHER_fetch(ossl_ctx, "BF-CBC", NULL);
++#else
++      cipher = EVP_bf_cbc();
++#endif
++
+       if(!encryption_password)
+       {
+               logp("No encryption password in %s()\n", __func__);
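Review bot: The return value of EVP_CIPHER_fetch(ossl_ctx, "BF-CBC", NULL) in the OpenSSL 3 branch is never checked, although each of the three calls above it logs and jumps to error on failure. If the fetch returns NULL, that NULL cipher is what the later EVP_CipherInit_ex(ctx, cipher, ...) call receives; add a check such as `if(!cipher) { logp("EVP_CIPHER_fetch(BF-CBC) failed\n"); goto error; }` directly after the fetch. A fetched cipher is also owned by the caller, and nothing in the visible lines calls EVP_CIPHER_free on it, so either release it on the exit paths or cache it in a static alongside the providers. The static ossl_ctx and provider pointers are initialised without any locking, which deserves a comment if this function can be reached from more than one thread.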
+@@ -84,7 +121,7 @@
+ 
+       // Don't set key or IV because we will modify the parameters.
+       EVP_CIPHER_CTX_init(ctx);
+-      if(!(EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, encrypt)))
++      if(!(EVP_CipherInit_ex(ctx, cipher, NULL, enc_key, enc_iv, encrypt)))
+       {
+               logp("EVP_CipherInit_ex failed\n");
+               goto error;
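Review bot: The comment directly above the changed EVP_CipherInit_ex call still reads "Don't set key or IV because we will modify the parameters", but the new call passes enc_key and enc_iv, so the comment and the code now contradict each other. Update the comment to state why the key and IV have to be supplied at this first init; the patch description only says the call must be invoked "differently". Unlike the provider setup in the previous hunk, this change is not wrapped in `#if OPENSSL_VERSION_NUMBER >= 0x30000000L`, so it also applies to builds against older OpenSSL; confirm that is intended, or guard it the same way.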
diff -Nru burp-2.4.0/debian/patches/series burp-2.4.0/debian/patches/series
--- burp-2.4.0/debian/patches/series    2021-11-09 03:17:59.000000000 -0800
+++ burp-2.4.0/debian/patches/series    2021-12-02 09:41:44.000000000 -0800
@@ -1,2 +1,3 @@
 increase_attribs_test_timeout.diff
 fix_ncurses_warning.diff
+openssl3-compat.patch

--- End Message ---
--- Begin Message ---
Thank you so much.

I've patched the burp package:
https://salsa.debian.org/debian/burp/-/commit/09a5c2e7fd85c384d16b31d39ba4d643ae4a1454

The new version, 2.4.0-4, contains this fix.

Thanks!

--- End Message ---