Bug 250767

Summary: security/p5-Crypt-OpenSSL-ECDSA signature initialisation fails with OpenSSL 1.1
Product: Ports & Packages
Reporter: Patrick Mackinlay <freebsd.68fba>
Component: Individual Port(s)
Assignee: freebsd-perl (Nobody) <perl>
Status: New
Severity: Affects Some People
Flags: bugzilla: maintainer-feedback? (perl)
Priority: ---
Version: Latest
Hardware: Any
OS: Any

Description Patrick Mackinlay 2020-10-31 22:56:44 UTC
Running the Perl code:

use Crypt::OpenSSL::Bignum;
use Crypt::OpenSSL::ECDSA;

my $num = Crypt::OpenSSL::Bignum->new_from_word( 1000 );
my $dsasig = Crypt::OpenSSL::ECDSA::ECDSA_SIG->new();
$dsasig->set_r($num);
$dsasig->set_s($num);

1;

fails with

Could not duplicate unchanged ECDSA paramater

when the port is compiled with openssl-1.1.1h_1,1 (probably all versions after OpenSSL 1.1).

Looking at the code in 
./work/Crypt-OpenSSL-ECDSA-0.08/ECDSA.xs

I can see that the set_r and set_s methods try to duplicate the previously initialised values for s and r respectively in the $dsasig object (ECDSA_SIG structure). However, since OpenSSL 1.1 the ECDSA_SIG_new() method no longer initialises the r and s components (see man ECDSA_SIG_get0).