Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 844748

Summary: net-p2p/transmission-3.00-r1: assertion failed: handle != NULL w/ openssl-3.0.3
Product: Gentoo Linux Reporter: Michał Górny <mgorny>
Component: Current packagesAssignee: Mike Gilbert <floppym>
Status: RESOLVED FIXED    
Severity: normal CC: sam
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 797325    
Attachments: 0001-Switch-to-a-standalone-ARC4-implementation-1788.patch (rebased on 3.00)

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-05-15 06:38:20 UTC 
At most a few seconds after starting transmission-3.00 built against openssl-3.0.3 (I guess when it starts hashing something):

assertion failed: handle != NULL (/tmp/portage/net-p2p/transmission-3.00-r1/work/transmission-3.00/libtransmission/crypto-utils-openssl.c:210)
Aborted (core dumped)

FWICS it's fixed in git, I'm bisecting to find the right commit right now.
Comment 1 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-05-15 07:34:16 UTC 
Found it.  Unfortunately, it's not a small patch:

commit a459e5e11b2d2524b649f7487368de30c8d2af21
Author: Mike Gelfand <mikedld@users.noreply.github.com>
Date:   Sun Sep 12 06:47:29 2021 +0300

    Switch to a standalone ARC4 implementation (#1788)
    
    * Switch to a standalone ARC4 implementation
    
    This frees us from expecting it being provided by one of the crypto
    libraries we support, all of which deprecated and/or removed it at this
    point.
    
    Fixes: #1103
    Fixes: #1777
    
    * Suppress lgtm warnings about RC4 being weak (we don't care)
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-05-15 07:40:59 UTC 
Created attachment 778997 [details, diff]
0001-Switch-to-a-standalone-ARC4-implementation-1788.patch (rebased on 3.00)

Here's a rebased patch.  Apparently we also need the bundled ARC4 library.  I can try to minimalize it (i.e. by replacing the big removals with #if 0) but I'm not sure if it wouldn't be better to just grab a snapshot at this point.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-05-15 07:51:54 UTC 
Not my decision but worth noting they're in the middle of a big c->c++ rewrite and don't seem to plan a release any time soon, so even if do take a snapshot, it won't be suitable for stabilisation :(

https://github.com/transmission/transmission/discussions/2287
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2022-05-15 10:12:40 UTC 
I meant a snapshot prior to the refactoring.
Comment 5 Mike Gilbert gentoo-dev 2022-05-15 13:54:00 UTC 
Another possible solution would be to load the "legacy" provider via config or via a code patch.

https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers
Comment 6 Larry the Git Cow gentoo-dev 2022-05-15 15:11:13 UTC 
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=49f3a2685d492f468e92e9d7fe1a72071163c726

commit 49f3a2685d492f468e92e9d7fe1a72071163c726
Author:     Mike Gilbert <floppym@gentoo.org>
AuthorDate: 2022-05-15 15:08:34 +0000
Commit:     Mike Gilbert <floppym@gentoo.org>
CommitDate: 2022-05-15 15:08:34 +0000

    net-p2p/transmission: load openssl "legacy" provider
    
    Required for RC4.
    
    Closes: https://bugs.gentoo.org/844748
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

 .../files/transmission-3.00-openssl-3.patch        |  37 ++++++
 net-p2p/transmission/transmission-3.00-r2.ebuild   | 146 +++++++++++++++++++++
 2 files changed, 183 insertions(+)