long-standing evil blow-up in blowfish conquered

this was due to openssl deprecating a number of encryption/decryption algorithms and putting them in a legacy provider.
argh.  what a pain.
example code that shows how to load both the legacy and the default providers is in ssl_init.cpp.

diff --git a/nucleus/library/crypto/blowfish_crypto.cpp b/nucleus/library/crypto/blowfish_crypto.cpp
index d1a3fec317d16d16df8c5a541193177283be0a7b..532d3392e101a6a87a9d8bfc2509e2b44e06674a 100644 (file)
--- a/nucleus/library/crypto/blowfish_crypto.cpp
+++ b/nucleus/library/crypto/blowfish_crypto.cpp
@@ -41,7 +41,7 @@ const int FUDGE = 128;
 //#undef set_key
   // get rid of a macro we don't want.
 
-#define DEBUG_BLOWFISH
+//#define DEBUG_BLOWFISH
   // uncomment for noisier version.
 
 #ifdef DEBUG_BLOWFISH
@@ -186,7 +186,7 @@ const byte_array &blowfish_crypto::init_vector()
   LOG("prior to initted check");
   if (!initted) {
     LOG("actually doing init");
-    for (int i = 0; i < EVP_MAX_IV_LENGTH; i++)
+    for (int i = 0; i < to_return.length(); i++)
       to_return[i] = abyte(214 - i);
     initted = true;
     LOG("finished init process");
@@ -205,19 +205,13 @@ bool blowfish_crypto::encrypt(const byte_array &source,
 
   // initialize an encoding session.
   EVP_CIPHER_CTX *session = EVP_CIPHER_CTX_new();
-
-LOG("enc 001");
   EVP_CIPHER_CTX_init(session);
-LOG("enc 002");
   EVP_EncryptInit_ex(session, EVP_bf_cbc(), NULL_POINTER, _key->observe(), init_vector().observe());
-LOG("enc 003");
-LOG(a_sprintf("going to do set key len with key size of %d", _key_size));
+  LOG(a_sprintf("calling set key len with key size of %d", _key_size));
   EVP_CIPHER_CTX_set_key_length(session, _key_size);
-LOG("enc 004");
 
   // allocate temporary space for encrypted data.
   byte_array encoded(source.length() + FUDGE);
-LOG("enc 005");
 
   // encrypt the entire source buffer.
   int encoded_len = 0;

diff --git a/nucleus/library/crypto/ssl_init.cpp b/nucleus/library/crypto/ssl_init.cpp
index abb62ad6e6ab68617da466e03cf405e86c843563..6e17060b743e1eba5427cc9b917844385d253c2e 100644 (file)
--- a/nucleus/library/crypto/ssl_init.cpp
+++ b/nucleus/library/crypto/ssl_init.cpp
@@ -21,6 +21,7 @@
 
 #include <openssl/crypto.h>
 #include <openssl/err.h>
+#include <openssl/provider.h>
 #include <openssl/rand.h>
 
 using namespace basis;
@@ -52,6 +53,13 @@ ssl_init::ssl_init()
 : c_rando()
 {
   FUNCDEF("ctor");
+
+  // new code needed because blowfish is considered legacy code now.  ugh.
+  OSSL_PROVIDER *legacy_provider = OSSL_PROVIDER_load(NULL_POINTER, "legacy");
+  // also load the default provider or the standard, still accepted, algorithms will not be available.
+  OSSL_PROVIDER *default_provider = OSSL_PROVIDER_load(NULL, "default");
+//hmmm: do we need to clean up these providers?
+
 #ifdef DEBUG_SSL
   LOG("prior to crypto debug init");
   CRYPTO_malloc_debug_init();
@@ -94,3 +102,4 @@ byte_array ssl_init::random_bytes(int length) const
 
 } //namespace.
 
+

diff --git a/nucleus/library/tests_crypto/test_blowfish_crypto.cpp b/nucleus/library/tests_crypto/test_blowfish_crypto.cpp
index 04e449da31e00907f677c3b3dc4760d775d87c71..6ae43d55aa673b7d867a7fbec66f946210bd190d 100644 (file)
--- a/nucleus/library/tests_crypto/test_blowfish_crypto.cpp
+++ b/nucleus/library/tests_crypto/test_blowfish_crypto.cpp
@@ -48,8 +48,7 @@ using namespace unit_test;
 
 const int TEST_RUNS_PER_KEY = 5;  // encryption test cycles done on each key.
 
-//const int THREAD_COUNT = 10;  // number of threads testing blowfish at once.
-const int THREAD_COUNT = 1;  // number of threads testing blowfish at once.
+const int THREAD_COUNT = 10;  // number of threads testing blowfish at once.
 
 const int ITERATIONS = 4;  // number of test runs in our testing threads.
 
@@ -115,13 +114,11 @@ int test_blowfish::execute()
     time_control::sleep_ms(1000);
   }
 
-#ifdef DEBUG_BLOWFISH
   int duration = int(time_stamp().value() - _program_start.value());
   LOG(a_sprintf("duration for %d keys and encrypt/decrypt=%d ms,",
       ITERATIONS * TEST_RUNS_PER_KEY * THREAD_COUNT, duration));
-  LOG(a_sprintf("that comes to %d ms per cycle.\n", int(double(duration
+  LOG(a_sprintf("that comes to %d ms per cycle.", int(double(duration
       / TEST_RUNS_PER_KEY / ITERATIONS / THREAD_COUNT))));
-#endif
 
   return final_report();
 }
@@ -141,9 +138,9 @@ void blowfish_thread::perform_activity(void *)
         (blowfish_crypto::minimum_key_size(),
          blowfish_crypto::maximum_key_size()));
 #ifdef DEBUG_BLOWFISH
-    LOG(a_sprintf("%d bit key has:", bc.key_size()));
-    astring dumped_key = byte_formatter::text_dump(bc.get_key());
-    LOG(a_sprintf("%s", dumped_key.s()));
+//    LOG(a_sprintf("%d bit key has:", bc.key_size()));
+//    astring dumped_key = byte_formatter::text_dump(bc.get_key());
+//    LOG(a_sprintf("%s", dumped_key.s()));
 #endif
     int key_dur = int(time_stamp().value() - key_start.value());
 #ifdef DEBUG_BLOWFISH
@@ -153,58 +150,49 @@ void blowfish_thread::perform_activity(void *)
     for (int i = 0; i < TEST_RUNS_PER_KEY; i++) {
       byte_array key;
       byte_array iv;
-
-LOG(a_sprintf("loop iter %d", i));
-
       int string_start = _parent.randomizer().inclusive(0, MAX_STRING - 1);
       int string_end = _parent.randomizer().inclusive(0, MAX_STRING - 1);
       flip_increasing(string_start, string_end);
       astring ranstring = _parent._fodder.substring(string_start, string_end);
 #ifdef DEBUG_BLOWFISH
-      LOG(a_sprintf("encoding %s\n", ranstring.s()));
-      LOG(a_sprintf("string length encoded: %d\n", ranstring.length()));
+//      LOG(a_sprintf("encoding %s", ranstring.s()));
+//      LOG(a_sprintf("string length encoded: %d", ranstring.length()));
 #endif
 
-LOG("point A");
       byte_array target;
       time_stamp test_start;
-LOG("point A.2");
       bool worked = bc.encrypt(byte_array(ranstring.length() + 1, (abyte*)ranstring.s()), target);
-LOG("point B");
       int enc_durat = int(time_stamp().value() - test_start.value());
       ASSERT_TRUE(worked, "phase 1 should not fail to encrypt the string");
-LOG("point C");
 
       byte_array recovered;
-LOG("point D");
       test_start.reset();
       worked = bc.decrypt(target, recovered);
-LOG("point E");
       int dec_durat = int(time_stamp().value() - test_start.value());
       ASSERT_TRUE(worked, "phase 1 should not fail to decrypt the string");
 #ifdef DEBUG_BLOWFISH
-      LOG(a_sprintf("original has %d chars, recovered has %d chars\n",
-          ranstring.length(), recovered.length() - 1));
+      astring jammer_piece = a_sprintf("--\noriginal has %d chars, recovered has %d chars",
+          ranstring.length(), recovered.length() - 1);
 #endif
 
       astring teddro = (char *)recovered.observe();
 #ifdef DEBUG_BLOWFISH
-      LOG(a_sprintf("decoded %s\n", teddro.s()));
+//      LOG(a_sprintf("decoded %s", teddro.s()));
 #endif
 
 #ifdef DEBUG_BLOWFISH
       if (teddro != ranstring) {
-        LOG(a_sprintf("error!\toriginal has %d chars, recovered has %d chars\n",
+        LOG(a_sprintf("error!\toriginal has %d chars, recovered has %d chars",
             ranstring.length(), recovered.length() - 1));
-        LOG(a_sprintf("\tencoded %s\n", ranstring.s()));
-        LOG(a_sprintf("\tdecoded %s\n", teddro.s()));
+        LOG(a_sprintf("\tencoded %s", ranstring.s()));
+        LOG(a_sprintf("\tdecoded %s", teddro.s()));
       }
 #endif
       ASSERT_EQUAL(teddro, ranstring, "should not fail to regenerate the original string");
 
 #ifdef DEBUG_BLOWFISH
-      LOG(a_sprintf("  encrypt %d ms, decrypt %d ms, data %d bytes\n",
-           enc_durat, dec_durat, string_end - string_start + 1));
+      LOG(a_sprintf("%s\nencrypt %d ms, decrypt %d ms, data %d bytes",
+           jammer_piece.s(), enc_durat, dec_durat, string_end - string_start + 1));
 #endif
       time_control::sleep_ms(0);  // take a rest.
     }