ports/178827: [PATCH] security/cryptopp: Bug in libc++ causes key generation to get stuck in endless loop

Michael Gmelin freebsd at grem.de
Wed May 22 01:40:01 UTC 2013 

>Number:         178827
>Category:       ports
>Synopsis:       [PATCH] security/cryptopp: Bug in libc++ causes key generation to get stuck in endless loop
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 22 01:40:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Michael Gmelin
>Release:        FreeBSD 9.1-RELEASE amd64
>Organization:
Grem Equity GmbH
>Environment:
System: FreeBSD bsd64.grem.de 9.1-RELEASE-p2 FreeBSD 9.1-RELEASE-p2 #4 r249052: Wed Apr  3 18:26:19 UTC
>Description:
Due to a bug in the version of libc++ shipping with FreeBSD 9.1-RELEASE,
RSA key generation - and most likely other operations depending on
class PrimeSieve - gets stuck in an endless loop when compiled using
libc++ (CXXFLAGS+= -std=c++11 -stdlib=libc++).

The problem has been reported last year:

http://sourceforge.net/apps/trac/cryptopp/ticket/17
http://old.nabble.com/keygeneration-on-ios-using-clang(libc%2B%2B)-never-terminates-td34614981.html

It is caused by libc++'s implementation of std::find returning invalid
results when operating on std::vector<bool> (read: bitsets). The
problem has already been fixed in libc++:

http://llvm.org/viewvc/llvm-project?view=revision&revision=156546

which is also part of release 3.2 of the library. Unfortunately this is
not available in any release version of FreeBSD yet.

The attached patch works around this problem by conditionally replacing
the call to std::find with a hand written loop in case clang and an
affected version libc++ are detected. For all other compilers as well
as versions of libc++ the code is not altered at all. The ABI stays
stable, so there won't be any unpleasant surprises when upgrading the
port at a later point in time using an updated version of libc++, e.g.
after upgrading to 9.2-RELEASE.

The maintainer might want to communicate this issue upstream as well,
it's not limited to FreeBSD.

Added file(s):
- files/patch-nbtheory.cpp

Port maintainer (delphij at FreeBSD.org) is cc'd.

Generated with FreeBSD Port Tools 0.99_6 (mode: change, diff: suffix)
>How-To-Repeat:

Requires a clang and libc++ enabled FreeBSD 9.1-RELEASE installation.

cd /usr/ports/security/cryptopp
CXX=clang++ CXXFLAGS="-std=c++11 -stdlib=libc++" \
make WITHOUT=STATIC install clean

cat >/tmp/test.cpp <<EOF
#include <cryptopp/rsa.h>
#include <cryptopp/osrng.h>
#include <cryptopp/base64.h>
#include <cryptopp/files.h>
using namespace CryptoPP;
int main()
{
  AutoSeededRandomPool rng;
  InvertibleRSAFunction privkey;
  privkey.Initialize(rng, 2048, 4);
}
EOF

clang++ -pthread -std=c++11 -stdlib=libc++ -I/usr/local/include \
-L/usr/local/lib -lcryptopp -o /tmp/test /tmp/test.cpp

/tmp/test

This is supposed to return immediately, but is hanging indefinitely
instead.

>Fix:
Apply the patch attached to this PR and update the package:

cd /usr/ports/security/cryptopp
patch -p1 </path/to/cryptopp-5.6.1_3.patch
portmaster cryptopp

--- cryptopp-5.6.1_3.patch begins here ---
diff -ruN --exclude=CVS ../cryptopp.orig/Makefile ./Makefile
--- ../cryptopp.orig/Makefile	2013-05-22 02:18:44.000000000 +0200
+++ ./Makefile	2013-05-22 02:19:32.000000000 +0200
@@ -3,7 +3,7 @@
 
 PORTNAME=		cryptopp
 PORTVERSION=		5.6.1
-PORTREVISION=		2
+PORTREVISION=		3
 CATEGORIES=		security
 MASTER_SITES=		SF \
 			http://www.cryptopp.com/
diff -ruN --exclude=CVS ../cryptopp.orig/files/patch-nbtheory.cpp ./files/patch-nbtheory.cpp
--- ../cryptopp.orig/files/patch-nbtheory.cpp	1970-01-01 01:00:00.000000000 +0100
+++ ./files/patch-nbtheory.cpp	2013-05-22 02:18:29.000000000 +0200
@@ -0,0 +1,21 @@
+--- nbtheory.cpp.orig	2013-05-22 00:16:26.761193859 +0000
++++ nbtheory.cpp	2013-05-22 00:15:29.401256454 +0000
+@@ -307,7 +307,18 @@
+ 
+ bool PrimeSieve::NextCandidate(Integer &c)
+ {
++#if defined(__clang__) && defined(_LIBCPP_VERSION) &&  _LIBCPP_VERSION < 1101
++	// Workaround for a bug in libc++ in std::find on std::vector<bool>
++	std::vector<bool>::iterator pos = m_sieve.begin()+m_next;
++	for (std::vector<bool>::iterator end = m_sieve.end(); pos != end; ++pos)
++	{
++		if (*pos == false)
++			break;
++	}
++	bool safe = SafeConvert(pos - m_sieve.begin(), m_next);
++#else
+ 	bool safe = SafeConvert(std::find(m_sieve.begin()+m_next, m_sieve.end(), false) - m_sieve.begin(), m_next);
++#endif
+ 	assert(safe);
+ 	if (m_next == m_sieve.size())
+ 	{
--- cryptopp-5.6.1_3.patch ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-ports-bugs mailing list