[18.03] openssl 1.0.2p & 1.1.0i #45082
Conversation
this addresses:
- Client DoS due to large DH parameter (CVE-2018-0732)
- Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
Changelog: https://www.openssl.org/news/cl102.txt
(cherry picked from commit 98a7b92)

this addresses:
- Client DoS due to large DH parameter (CVE-2018-0732)
- Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)
Changelog: https://www.openssl.org/news/changelog.html#x1
(cherry picked from commit 0a40875)
Success on x86_64-linux (full log). Attempted: openssl_1_0_2, openssl_1_1_0

Success on aarch64-linux (full log). Attempted: openssl_1_0_2, openssl_1_1_0

Timed out, unknown build status on x86_64-darwin (full log). Attempted: openssl_1_0_2, openssl_1_1_0
Interesting: a tor test started segfaulting inside openssl https://hydra.nixos.org/build/79642697 (reproduced locally)

I would say even though it is crashing within openssl it's Tor's fault since it is documented... from the changelog:
the backtrace of the test:
and the actual test code:

```c
static void
test_tortls_cert_matches_key(void *ignored)
{
  (void)ignored;
  int res;
  tor_tls_t *tls;
  tor_x509_cert_t *cert;
  X509 *one = NULL, *two = NULL;
  /* Third argument is pem_str; passing NULL here is what OpenSSL 1.0.2p
   * stopped accepting, so meth comes back NULL on that release. */
  EVP_PKEY_ASN1_METHOD *meth = EVP_PKEY_asn1_new(999, 0, NULL, NULL);
  /* No NULL check on meth before it is used here. */
  EVP_PKEY_asn1_set_public(meth, NULL, NULL, fixed_pub_cmp, NULL, NULL, NULL);
```

If you (or anyone) doesn't beat me to it I'll try to look into this this evening or tomorrow.
Moving tor to OpenSSL 1.1.0 also fixes the problem.
This works around an issue introduced with the OpenSSL 1.0.2p bump. The test tortls/cert_matches_key is using `EVP_PKEY_asn1_new` in a now unsupported way. From the changelog of OpenSSL 1.0.2p:

*) Make EVP_PKEY_asn1_new() a bit stricter about its input. A NULL pem_str parameter is no longer accepted, as it leads to a corrupt table. NULL pem_str is reserved for alias entries only.

Using the 1.1.0 releases seems to be fine.

@GrahamcOfBorg build tor

@vcunat you might want to pick the commit (2ad3d8b) onto staging as you did yesterday. I figured since the PR is still open I should just append it here and leave it to you.
No attempt on aarch64-linux (full log). The following builds were skipped because they don't evaluate on aarch64-linux: tests.tor

No attempt on x86_64-linux (full log). The following builds were skipped because they don't evaluate on x86_64-linux: tests.tor

No attempt on x86_64-darwin (full log). The following builds were skipped because they don't evaluate on x86_64-darwin: tor

Success on x86_64-linux (full log). Attempted: openssl_1_0_2, openssl_1_1_0, tor

Success on x86_64-linux (full log). Attempted: tor

Timed out, unknown build status on x86_64-darwin (full log). Attempted: openssl_1_0_2, openssl_1_1_0. The following builds were skipped because they don't evaluate on x86_64-darwin: tor

Success on aarch64-linux (full log). Attempted: openssl_1_0_2, openssl_1_1_0, tor

Success on aarch64-linux (full log). Attempted: tor
tor: I think for a stable release it will be best to just disable (or patch-up) this single test.

Alright, closing this.

Done in 5d28c48.
Motivation for this change
This is the backport of the stable updates to openssl 1.0.2p & 1.1.0i.