[Bug 272240] net-p2p/transmission: crashes with OpenSSL 3.0 (on -CURRENT) due to broken RC4 cipher

From: <bugzilla-noreply_at_freebsd.org>
Date: Tue, 27 Jun 2023 01:54:48 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=272240

            Bug ID: 272240
           Summary: net-p2p/transmission: crashes with OpenSSL 3.0 (on
                    -CURRENT) due to broken RC4 cipher
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: rigoletto@freebsd.org
          Reporter: jbeich@FreeBSD.org
            Blocks: 271656
             Flags: maintainer-feedback?(rigoletto@freebsd.org)

$ echo foo | openssl rc4 -pbkdf2 -k test >/dev/null
Error setting cipher RC4
002019A720020000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:/usr/src/crypto/openssl/crypto/evp/evp_fetch.c:373:Global default library context, Algorithm (RC4 : 21), Properties ()

$ pkg install transmission-cli
$ transmission-cli -w /tmp 'magnet:?xt=urn:btih:ed291407659319611e2fc5336437348c55e685a9&dn=FreeBSD-13.2-RELEASE-amd64-bootonly.iso.xz'
transmission-cli 3.00 (0)
Transmission 3.00 (0) started
RPC Server: Adding address to whitelist: 127.0.0.1
RPC Server: Adding address to whitelist: ::1
UDP: Failed to set receive buffer: No buffer space available
UDP: Failed to set receive buffer: requested 4194304, got 41600
DHT: Reusing old id
DHT: Bootstrapping from 290 IPv4 nodes
Saved "/home/foo/.config/transmission/torrents/ed291407659319611e2fc5336437348c55e685a9.torrent"
FreeBSD-13.2-RELEASE-amd64-bootonly.iso.xz: Pausing
Changed open file limit from 1877643 to 1024
Saved "/home/foo/.config/transmission/resume/ed291407659319611e2fc5336437348c55e685a9.resume"
FreeBSD-13.2-RELEASE-amd64-bootonly.iso.xz: Queued for verification
FreeBSD-13.2-RELEASE-amd64-bootonly.iso.xz: Verifying torrent
Port Forwarding (NAT-PMP): initnatpmp succeeded (0)
Port Forwarding (NAT-PMP): sendpublicaddressrequest succeeded (2)
Port Forwarding: Starting
Port Forwarding: Starting
Progress: 0.0%, dl from 0 of 0 peers (0 kB/s)
FreeBSD-13.2-RELEASE-amd64-bootonly.iso.xz: Starting IPv4 DHT announce (poor, 12 nodes)
Progress: tr_crypto_utils: OpenSSL error: error:0308010C:digital envelope routines::unsupported
Segmentation fault

* thread #2, name = 'transmission-cli', stop reason = signal SIGSEGV: invalid
address (fault address: 0x0)
    frame #0: 0x0000000823ad95d4
libcrypto.so.30`EVP_CIPHER_CTX_set_key_length(c=0x0000000000000000, keylen=20)
at evp_enc.c:994:12
   991
   992  int EVP_CIPHER_CTX_set_key_length(EVP_CIPHER_CTX *c, int keylen)
   993  {
-> 994      if (c->cipher->prov != NULL) {
   995          int ok;
   996          OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
   997          size_t len = keylen;
(lldb) bt
* thread #2, name = 'transmission-cli', stop reason = signal SIGSEGV: invalid
address (fault address: 0x0)
    frame #0: 0x0000000823ad95d4
libcrypto.so.30`EVP_CIPHER_CTX_set_key_length(c=0x0000000000000000, keylen=20)
at evp_enc.c:994:12
  * frame #1: 0x0000000000234c23
transmission-cli`tr_rc4_set_key(handle=0x0000000000000000,
key="\xd79\xc3\r(K=7lB쑙\xa4\U0000001a\U00000018P\U0000001a1E\b", key_length=20)
at crypto-utils-openssl.c:213:10
    frame #2: 0x000000000023d015
transmission-cli`initRC4(crypto=0x00000008377821c0, setme=0x00000008377821c8,
key="keyA") at crypto.c:106:9
    frame #3: 0x000000000023d11a
transmission-cli`tr_cryptoEncryptInit(crypto=0x00000008377821c0) at
crypto.c:140:5
    frame #4: 0x0000000000259857
transmission-cli`readYb(handshake=0x000000083762b5b0, inbuf=0x00000008376b3640)
at handshake.c:460:9
    frame #5: 0x00000000002575aa
transmission-cli`canRead(io=0x0000000837781e00, arg=0x000000083762b5b0,
piece=0x0000000836063a10) at handshake.c:1060:19
    frame #6: 0x000000000023c1b7
transmission-cli`canReadWrapper(io=0x0000000837781e00) at peer-io.c:211:29
    frame #7: 0x000000000023bb66
transmission-cli`utp_on_read(closure=0x0000000837781e00,
buf="q\"H\U0000001a\xbbyK\xd7\U0000001d\x91\x82x\xcb\xd6\xfc\xb7\xef\xa0g\v\xed\xc4.\xc6\xd4R8\U00000011`^\U00000017\x9d\xbcb˷\x95\xfd>d!\xef\x9e1U8\x9c\x99rqNIB\xb8\xe3\xcfQ\x92\xf3+g_\xe2\x8e
\xef\x82w\t*.\x83A\xc2\xcd\U0000000eԛ\xf8˦\x87\xe1`<\x8a\"\xbd\xfb\U00000002D\xed\xe85\U00000001\xb3kV\xd3\xf9\xe6QNJ\rZ\xc3\xc9\xee|{\xbd\xf0L\x86\x82\xc3/\x99[I\U00000010\xe5\U00000005\xf3\xee%\xbc뮸\x9d$tep\xc9^X{\U00000013\xbf.\xe6\x8e\U00000018t\U00000001'\x95\x8c\xd9@/T\x96\xe9\xc3\U00000018\xf1\xf0HU\xf5\xd7c\U00000011\xc4\U00000016/\xeb\r\U00000006e\x85\U00000012nue\xb8D\xaeNo\xa5\xad\xba\U00000003\x83鐸\x95O\"\x97#*\U0000001c\xb1j\x85R\xd6=\xdf\xc4\xc0{\U00000006b\U0000001d\xa4Ylif\xb0e\xd6\U0000001e\v[\x91H\x86ʰ5\xfa:['\xfc\xea\x95ǢQ\x89\xb1}\U00000001\x81-\xb0\U00000013\U0000000e\x82\\\xa9\x8d\xcc\xfa\xa6\n\U0000001c\xef\x884:\xc9i\x8f~6:valuesl6:\xa9\xe5\xc8F\xb2\xb1ee1:t4:gp\xfe\xaf1:v4:LT\U00000001/1:y1:re",
buflen=259) at peer-io.c:459:5
    frame #8: 0x000000082653e997 libutp.so`UTP_ProcessIncoming(UTPSocket*,
unsigned char const*, unsigned long, bool) + 2199
    frame #9: 0x000000082653f8fc libutp.so`UTP_IsIncomingUTP + 1020
    frame #10: 0x0000000000287de4
transmission-cli`tr_utpPacket(buf="\U00000001", buflen=279,
from=0x0000000836063cb0, fromlen=16, ss=0x00000008324f7000) at tr-utp.c:181:12
    frame #11: 0x000000000028778b transmission-cli`event_callback(s=8, type=2,
sv=0x00000008324f7000) at tr-udp.c:285:22
    frame #12: 0x000000082475d7a3
libevent-2.1.so.7`event_persist_closure(base=0x0000000837615000,
ev=0x000000083771e680) at event.c:1623:9
    frame #13: 0x000000082475cd15
libevent-2.1.so.7`event_process_active_single_queue(base=0x0000000837615000,
activeq=0x0000000837625000, max_to_process=2147483647,
endtime=0x0000000000000000) at event.c:1682:4
    frame #14: 0x0000000824757416
libevent-2.1.so.7`event_process_active(base=0x0000000837615000) at
event.c:1783:9
    frame #15: 0x000000082475625a
libevent-2.1.so.7`event_base_loop(base=0x0000000837615000, flags=0) at
event.c:2006:12
    frame #16: 0x0000000824755f27
libevent-2.1.so.7`event_base_dispatch(event_base=0x0000000837615000) at
event.c:1817:10
    frame #17: 0x000000000028475a
transmission-cli`libeventThreadFunc(veh=0x00000008324970c0) at trevent.c:263:9
    frame #18: 0x000000000022ccf2
transmission-cli`ThreadFunc(_t=0x0000000832498120) at platform.c:104:5
    frame #19: 0x0000000822edbb75
libthr.so.3`thread_start(curthread=0x0000000832490700) at thr_create.c:292:16

Note, upstream (unlike the port) also supports WolfSSL (bug 207664) or mbedTLS.
See also https://github.com/transmission/transmission/commit/a459e5e11b2d


Referenced Bugs:

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271656
[Bug 271656] [exp-run] with OpenSSL 3.0 in the base system
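
An added triage example, not part of the original report and not Transmission or OpenSSL code: it decodes the packed OpenSSL 3.x error code seen above and flags EVP "unsupported" fetch failures in a log, noting the algorithm name when the long error form carries it and whether a crash follows. The function names and the layout of the findings are assumptions; the sample lines are copied from this report.

```python
import re

# OpenSSL 3.x packed error-code layout, mirroring the macros in <openssl/err.h>.
ERR_LIB_OFFSET, ERR_LIB_MASK = 23, 0xFF
ERR_REASON_MASK = 0x7FFFFF
ERR_RFLAG_COMMON = 0x2 << 18          # reason is library-independent
ERR_LIB_EVP = 6
ERR_R_UNSUPPORTED = 268 | ERR_RFLAG_COMMON

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")
ALG_RE = re.compile(r"Algorithm \((\S+) : \d+\)")

# Lines copied from the report above (hard-wrapped, as they arrive by mail).
SAMPLE = """\
002019A720020000:error:0308010C:digital envelope
routines:inner_evp_generic_fetch:unsupported:/usr/src/crypto/openssl/crypto/evp/evp_fetch.c:373:Global
default library context, Algorithm (RC4 : 21), Properties ()
Progress: tr_crypto_utils: OpenSSL error: error:0308010C:digital envelope
routines::unsupported
Segmentation fault
"""

def decode(code):
    """Split a packed error code into (library, reason)."""
    return (code >> ERR_LIB_OFFSET) & ERR_LIB_MASK, code & ERR_REASON_MASK

def triage(log):
    """Report every EVP 'unsupported' error found in a log."""
    text = " ".join(log.split())      # undo line wrapping
    findings = []
    for m in ERR_RE.finditer(text):
        if decode(int(m.group(1), 16)) != (ERR_LIB_EVP, ERR_R_UNSUPPORTED):
            continue
        rest = text[m.end():]
        nxt = ERR_RE.search(rest)
        window = rest[:nxt.start()] if nxt else rest   # up to the next error
        alg = ALG_RE.search(window)
        findings.append({
            "code": m.group(1),
            "algorithm": alg.group(1) if alg else None,  # only in the long form
            "crash_follows": "Segmentation fault" in window,
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f)
```

The short form logged by tr_crypto_utils drops the algorithm name, so only the `openssl` CLI line identifies RC4 directly.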