Does CryptX support really require CryptX 0.080? #2255

spwhitton · 2025-05-22T09:40:04Z

spwhitton
May 22, 2025

Hello,

Thanks for Mojolicious, including the new support for using CryptX to generate secure default session secrets. I'm looking at backporting that support to older Mojolicious in order to address CVE-2024-58135 in older releases of Debian.

Commit c820715 adding the support specifies that CryptX 0.080 is required. @kraih, are you sure it's required? Looking at the Changes for CryptX, it doesn't seem like the fixes in that release are essential to the new functionality.

Would it be possible for the reasons for requiring 0.080 to be expanded upon, and possibly the dependency bound weakened?

Thanks.

kraih · 2025-05-23T20:54:29Z

kraih
May 23, 2025
Maintainer

We have not tested older versions and therefore don't know which older versions work.

0 replies

s1037989 · 2025-05-24T15:01:27Z

s1037989
May 24, 2025

Looks like it starts breaking at 0.061.
CryptX-0.062 Changelog:
0.062 2018-10-30
- bundled libtommath update branch:develop (commit:8b9f98ba 2018-09-23) + stdint.h workaround
- bundled libtomcrypt update branch:develop (commit:f413335b 2018-10-29)
- fix #45 doc only - sign_message_rfc7518 / sign_message_rfc7518
- fix #46 tests only - t/mbi_ltm_bigintpm.t etc. started to fail with latest Math::BigInt
- fix #47 gcm_decrypt_verify + chacha20poly1305_decrypt_verify don't verify the tag - SERIOUS SECURITY BUG!
- improved CBC/ECB padding (using libtomcrypt's functions: padding_depad + padding_pad)
- enable pkcs#8 encrypted RSA keys (supported by the latest libtomcrypt)
- exclude wycheproof tests (too big) from dist tarball (via MANIFEST.SKIP)

$ for i in $(seq 10 86 | tac); do rm -rf perlbrew/libs/perl-5.40.0@default/lib/perl5/x86_64-linux ; sed -i "s/0\.0../0.0$i/" cpanfile ; sed -i "s/CryptX->VERSION.*/CryptX->VERSION('0.0$i');/" perlbrew/libs/perl-5.40.0@default/lib/perl5/Mojo/Util.pm ; cpanm -n --installdeps . | grep -e Fetching -e 'Successfully installed'; perl -Mojo -E 'say sprintf "Perl=%s | Mojolicious=%s | CryptX=%s | Mojo::Util::CRYPTX=%s | Mojo/Util.pm: %s", $], Mojolicious->VERSION, CryptX->VERSION, Mojo::Util::CRYPTX, b(f("perlbrew/libs/perl-5.40.0\@default/lib/perl5/Mojo/Util.pm")->slurp)->split("\n")->grep(qr(CryptX->VERSION))->join("\n")'; MOJO_LOG_LEVEL=fatal prove -v t/util.t t/session_lite_app.t | grep -P '(^\w+\s+62|encrypted)' ; done
Fetching http://www.cpan.org/authors/id/M/MI/MIK/CryptX-0.086.tar.gz ... OK
Successfully installed CryptX-0.086
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.086 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.086');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.085.tar.gz ... OK
Successfully installed CryptX-0.085
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.085 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.085');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.084.tar.gz ... OK
Successfully installed CryptX-0.084
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.084 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.084');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.083.tar.gz ... OK
Successfully installed CryptX-0.083
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.083 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.083');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.082.tar.gz ... OK
Successfully installed CryptX-0.082
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.082 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.082');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.081.tar.gz ... OK
Successfully installed CryptX-0.081
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.081 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.081');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.080.tar.gz ... OK
Successfully installed CryptX-0.080
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.080 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.080');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.079.tar.gz ... OK
Successfully installed CryptX-0.079
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.079 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.079');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.078.tar.gz ... OK
Successfully installed CryptX-0.078
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.078 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.078');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.077.tar.gz ... OK
Successfully installed CryptX-0.077
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.077 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.077');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.076.tar.gz ... OK
Successfully installed CryptX-0.076
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.076 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.076');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.075.tar.gz ... OK
Successfully installed CryptX-0.075
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.075 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.075');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.074.tar.gz ... OK
Successfully installed CryptX-0.074
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.074 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.074');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.073.tar.gz ... OK
Successfully installed CryptX-0.073
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.073 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.073');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.072.tar.gz ... OK
Successfully installed CryptX-0.072
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.072 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.072');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.071.tar.gz ... OK
Successfully installed CryptX-0.071
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.071 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.071');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.070.tar.gz ... OK
Successfully installed CryptX-0.070
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.070 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.070');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.069.tar.gz ... OK
Successfully installed CryptX-0.069
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.069 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.069');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.068.tar.gz ... OK
Successfully installed CryptX-0.068
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.068 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.068');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.067.tar.gz ... OK
Successfully installed CryptX-0.067
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.067 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.067');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.066.tar.gz ... OK
Successfully installed CryptX-0.066
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.066 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.066');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.065.tar.gz ... OK
Successfully installed CryptX-0.065
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.065 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.065');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.064.tar.gz ... OK
Successfully installed CryptX-0.064
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.064 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.064');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.063.tar.gz ... OK
Successfully installed CryptX-0.063
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.063 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.063');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.062.tar.gz ... OK
Successfully installed CryptX-0.062
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.062 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.062');
        ok 1 - encrypted
    ok 2 - not encrypted
ok 62 - encrypt_cookie/decrypt_cookie
    ok 1 - not encrypted by default
# Subtest: User session (encrypted cookie)
    ok 13 - encrypted cookie format
ok 2 - User session (encrypted cookie)
    # Subtest: User session (encrypted cookie)
    ok 2 - User session (encrypted cookie)
Fetching http://backpan.perl.org/authors/id/M/MI/MIK/CryptX-0.061.tar.gz ... OK
Successfully installed CryptX-0.061
Perl=5.040000 | Mojolicious=9.40 | CryptX=0.061 | Mojo::Util::CRYPTX=1 | Mojo/Util.pm:   CryptX->VERSION('0.061');

    #   Failed test 'wrong tag'
    #   at t/util.t line 669.
    #          got: 'test'
    #     expected: undef

    #   Failed test 'wrong random bytes'
    #   at t/util.t line 670.
    #          got: '�[��'
    #     expected: undef

    #   Failed test 'wrong password'
    #   at t/util.t line 671.
    #          got: '���'
    #     expected: undef

    #   Failed test 'wrong salt'
    #   at t/util.t line 672.
    #          got: '���'
    #     expected: undef
    # Looks like you failed 4 tests of 7.

#   Failed test 'encrypt_cookie/decrypt_cookie'
#   at t/util.t line 674.
# Looks like you failed 1 test of 64.
        ok 1 - encrypted
    ok 2 - not encrypted
Mojo::Reactor::Poll: I/O watcher failed: Input is not UTF-8 encoded

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Does CryptX support really require CryptX 0.080? #2255

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Does CryptX support really require CryptX 0.080? #2255

Uh oh!

spwhitton May 22, 2025

Replies: 2 comments

Uh oh!

kraih May 23, 2025 Maintainer

Uh oh!

Uh oh!

s1037989 May 24, 2025

spwhitton
May 22, 2025

kraih
May 23, 2025
Maintainer

s1037989
May 24, 2025