search

biblepay / biblepay_legacy

BiblePay
MIT License
35 stars 34 forks source link

Incompatible with newer OpenSSL Version? #24

Closed Lichtsucher closed 6 years ago

Lichtsucher commented 6 years ago

Hi,

I tried to build packages for ubuntu 18.04, but it failed every time. thesnat21 on bitcointalk pointed out that it is most likely a problem with a newer openssl version:

Error: wallet/crypter.cpp: In function ‘bool BibleEncrypt(std::vector, std::vector&)’: wallet/crypter.cpp:196:17: error: aggregate ‘EVP_CIPHER_CTX ctx’ has incomplete type and cannot be defined EVP_CIPHER_CTX ctx; ^~~ wallet/crypter.cpp: In function ‘bool BibleDecrypt(const std::vector&, std::vector&)’: wallet/crypter.cpp:214:20: error: aggregate ‘EVP_CIPHER_CTX ctx’ has incomplete type and cannot be defined EVP_CIPHER_CTX ctx;

His solution:

file: src/wallet/crypter.cpp

OLD:

bool BibleEncrypt(std::vector<unsigned char> vchPlaintext, std::vector<unsigned char> &vchCiphertext)
{
    if (!fKeySetBiblePay) LoadBibleKey("biblepay","eb5a781ea9da2ef36");
    int nLen = vchPlaintext.size();
    int nCLen = nLen + AES_BLOCK_SIZE, nFLen = 0;
    vchCiphertext = std::vector<unsigned char> (nCLen);
    EVP_CIPHER_CTX ctx;
    // EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
    bool fOk = true;
    EVP_CIPHER_CTX_init(&ctx);
    if (fOk) fOk = EVP_EncryptInit_ex(&ctx, EVP_aes_256_cbc(), NULL, chKeyBiblePay, chIVBiblePay);
    if (fOk) fOk = EVP_EncryptUpdate(&ctx, &vchCiphertext[0], &nCLen, &vchPlaintext[0], nLen);
    if (fOk) fOk = EVP_EncryptFinal_ex(&ctx, (&vchCiphertext[0])+nCLen, &nFLen);
    EVP_CIPHER_CTX_cleanup(&ctx);
    if (!fOk) return false;
    vchCiphertext.resize(nCLen + nFLen);
    return true;
}

bool BibleDecrypt(const std::vector<unsigned char>& vchCiphertext,std::vector<unsigned char>& vchPlaintext)
{
    LoadBibleKey("biblepay","eb5a781ea9da2ef36");
    int nLen = vchCiphertext.size();
    int nPLen = nLen, nFLen = 0;
    EVP_CIPHER_CTX ctx;
    // EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
    bool fOk = true;
    EVP_CIPHER_CTX_init(&ctx);
    if (fOk) fOk = EVP_DecryptInit_ex(&ctx, EVP_aes_256_cbc(), NULL, chKeyBiblePay, chIVBiblePay);
    if (fOk) fOk = EVP_DecryptUpdate(&ctx, &vchPlaintext[0], &nPLen, &vchCiphertext[0], nLen);
    if (fOk) fOk = EVP_DecryptFinal_ex(&ctx, (&vchPlaintext[0])+nPLen, &nFLen);
    EVP_CIPHER_CTX_cleanup(&ctx);
    if (!fOk) return false;
    vchPlaintext.resize(nPLen + nFLen);
    return true;
}

NEW:

bool BibleEncrypt(std::vector<unsigned char> vchPlaintext, std::vector<unsigned char> &vchCiphertext)
{
        if (!fKeySetBiblePay) LoadBibleKey("biblepay","eb5a781ea9da2ef36");
    int nLen = vchPlaintext.size();
    int nCLen = nLen + AES_BLOCK_SIZE, nFLen = 0;
    vchCiphertext = std::vector<unsigned char> (nCLen);
//      EVP_CIPHER_CTX ctx;
     EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
    bool fOk = true;
    EVP_CIPHER_CTX_init(ctx);
    if (fOk) fOk = EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, chKeyBiblePay, chIVBiblePay);
    if (fOk) fOk = EVP_EncryptUpdate(ctx, &vchCiphertext[0], &nCLen, &vchPlaintext[0], nLen);
    if (fOk) fOk = EVP_EncryptFinal_ex(ctx, (&vchCiphertext[0])+nCLen, &nFLen);
    EVP_CIPHER_CTX_cleanup(ctx);
    if (!fOk) return false;
    vchCiphertext.resize(nCLen + nFLen);
    return true;
}

bool BibleDecrypt(const std::vector<unsigned char>& vchCiphertext,std::vector<unsigned char>& vchPlaintext)
{
        LoadBibleKey("biblepay","eb5a781ea9da2ef36");
        int nLen = vchCiphertext.size();
    int nPLen = nLen, nFLen = 0;
    //EVP_CIPHER_CTX ctx;
  EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
    bool fOk = true;
    EVP_CIPHER_CTX_init(ctx);
    if (fOk) fOk = EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, chKeyBiblePay, chIVBiblePay);
    if (fOk) fOk = EVP_DecryptUpdate(ctx, &vchPlaintext[0], &nPLen, &vchCiphertext[0], nLen);
    if (fOk) fOk = EVP_DecryptFinal_ex(ctx, (&vchPlaintext[0])+nPLen, &nFLen);
    EVP_CIPHER_CTX_cleanup(ctx);
    if (!fOk) return false;
    vchPlaintext.resize(nPLen + nFLen);
    return true;
}

Not sure if it works, or if it creates any other problems. But if it is right that a new openssl version will brake biblepay, then we need a fix, or no newer Linux distribution will work in the near future :)

biblepay commented 6 years ago

This is not a completely a correct assessment of the problem nor a safe way to fix the problem. There are tens of things to consider when switching open ssl versions. The newer versions use cutting edge functions and are more risky to put in production than the well known version.

Its already been established that BEAST and CRIME back in 2016-2017 were a threat because of the newer openssl versions, and certain versions I believe up to 101k were not subject to the problem.

The safe way to upgrade openssl is to use the latest fully tested version and stay on it until it is deemed safe to make a major change.

The state of the config mgmt situation is not to make it easy for distros to compile- it is for the config manager to compile to Our spec (we require 1.0.1k until we say otherwise).

If you want to do the proper research on this I recommend we go to Bitcoin and follow their threads and find when a major change takes place. Then in a compatible environment, compatible with Gitian we can propose to make a change.

Im not against changing the cipher declaration, but that is dependent on actually switching to an upgraded version which depends on the above.

NOTE: Since we are highly compatible with dash, it would be prudent to check their compilation pattern and notes on openssl as we may want to upgrade when they find it safe to upgrade.