Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[18.03] openssl 1.0.2p & 1.1.0i #45082

Closed
wants to merge 3 commits into from
Closed

[18.03] openssl 1.0.2p & 1.1.0i #45082

wants to merge 3 commits into from

Conversation

andir
Copy link
Member

@andir andir commented Aug 15, 2018

Motivation for this change

This is the backport of the stable updates to openssl 1.0.2p & 1.1.0i.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Fits CONTRIBUTING.md.

@andir
openssl_1_0_2: 1.0.2o -> 1.0.2p
0353772 
this addresses:
 - Client DoS due to large DH parameter (CVE-2018-0732)
 - Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)

Changelog: https://www.openssl.org/news/cl102.txt
(cherry picked from commit 98a7b92)
@andir
openssl_1_1_0: 1.1.0h -> 1.1.0i
70328c5 
this addresses:
 - Client DoS due to large DH parameter (CVE-2018-0732)
 - Cache timing vulnerability in RSA Key Generation (CVE-2018-0737)

Changelog: https://www.openssl.org/news/changelog.html#x1
(cherry picked from commit 0a40875)
@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: openssl_1_0_2, openssl_1_1_0

Partial log (click to expand)

checking for references to /build in /nix/store/8bz4l2xr7pl221iwv4rfc7pczyrzrzbz-openssl-1.1.0i...
shrinking RPATHs of ELF executables and libraries in /nix/store/fd9vg35wbqb214jjygph63pkrfgalhl8-openssl-1.1.0i-man
gzipping man pages under /nix/store/fd9vg35wbqb214jjygph63pkrfgalhl8-openssl-1.1.0i-man/share/man/
patching script interpreter paths in /nix/store/fd9vg35wbqb214jjygph63pkrfgalhl8-openssl-1.1.0i-man
checking for references to /build in /nix/store/fd9vg35wbqb214jjygph63pkrfgalhl8-openssl-1.1.0i-man...
shrinking RPATHs of ELF executables and libraries in /nix/store/b05yy4f1lik482z5411lfisbcw43bz6k-openssl-1.1.0i-debug
patching script interpreter paths in /nix/store/b05yy4f1lik482z5411lfisbcw43bz6k-openssl-1.1.0i-debug
checking for references to /build in /nix/store/b05yy4f1lik482z5411lfisbcw43bz6k-openssl-1.1.0i-debug...
/nix/store/3wmhxc5wfcqrsh1q1yvwkf20bhwrg923-openssl-1.0.2p-bin
/nix/store/pybhczdbj9m9g82nwdrbbg87qrzwplh8-openssl-1.1.0i-bin

@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: openssl_1_0_2, openssl_1_1_0

Partial log (click to expand)

checking for references to /build in /nix/store/h2sj6y126w6h60vvzp70ykcv44x79jy2-openssl-1.1.0i...
shrinking RPATHs of ELF executables and libraries in /nix/store/3nsbw4kibrpg4zm72hi0xw2y30sp3462-openssl-1.1.0i-man
gzipping man pages under /nix/store/3nsbw4kibrpg4zm72hi0xw2y30sp3462-openssl-1.1.0i-man/share/man/
patching script interpreter paths in /nix/store/3nsbw4kibrpg4zm72hi0xw2y30sp3462-openssl-1.1.0i-man
checking for references to /build in /nix/store/3nsbw4kibrpg4zm72hi0xw2y30sp3462-openssl-1.1.0i-man...
shrinking RPATHs of ELF executables and libraries in /nix/store/3cx0viy472p193a66yv2gz4g1y10z4il-openssl-1.1.0i-debug
patching script interpreter paths in /nix/store/3cx0viy472p193a66yv2gz4g1y10z4il-openssl-1.1.0i-debug
checking for references to /build in /nix/store/3cx0viy472p193a66yv2gz4g1y10z4il-openssl-1.1.0i-debug...
/nix/store/r06c6lci780kvmg63ypvaizhsrimpg9z-openssl-1.0.2p-bin
/nix/store/4jp6k1xf3kfldhh5fzjacxb6fnsk0jba-openssl-1.1.0i-bin

@vcunat vcunat self-assigned this Aug 15, 2018
vcunat added a commit that referenced this pull request Aug 15, 2018
@vcunat
Merge #45082 into staging-18.03: openssl 1.0.2p & 1.1.0i
1f1ca06
@GrahamcOfBorg
Copy link

Timed out, unknown build status on x86_64-darwin (full log)

Attempted: openssl_1_0_2, openssl_1_1_0

Partial log (click to expand)

cannot build derivation '/nix/store/4zx70k7hq4lvvblp04ndh1xqi38375ix-cctools-binutils-darwin.drv': 4 dependencies couldn't be built
cannot build derivation '/nix/store/l2wih26pjgrw7nd1hsdk9bqkl0fh4fh8-gnutar-1.30.drv': 3 dependencies couldn't be built
cannot build derivation '/nix/store/9alkylr29d8v9jgfndbiz08k0qr59cdb-CF-osx-10.10.5.drv': 7 dependencies couldn't be built
cannot build derivation '/nix/store/bf3nawipmf41xrrcgwfjwzv8p2npksk6-cctools-binutils-darwin-wrapper.drv': 7 dependencies couldn't be built
cannot build derivation '/nix/store/739cixlgxbg2bw134flqd0xmxmass1bc-clang-wrapper-5.0.2.drv': 9 dependencies couldn't be built
cannot build derivation '/nix/store/yx01b302az3dxrc671asm0ncvaxz0cc7-stdenv-darwin.drv': 35 dependencies couldn't be built
cannot build derivation '/nix/store/76a7alwr1xrzi7idh0p5xsjxacl45wry-perl-5.24.3.drv': 4 dependencies couldn't be built
cannot build derivation '/nix/store/kyxdm1a7b1icvw3d4y94215cf7w5fb78-openssl-1.0.2p.drv': 3 dependencies couldn't be built
cannot build derivation '/nix/store/k00wd1j1wn83pz46ir7mgsn11kkdd2sx-openssl-1.1.0i.drv': 3 dependencies couldn't be built
error: build of '/nix/store/k00wd1j1wn83pz46ir7mgsn11kkdd2sx-openssl-1.1.0i.drv', '/nix/store/kyxdm1a7b1icvw3d4y94215cf7w5fb78-openssl-1.0.2p.drv' failed

@vcunat
Copy link
Member

vcunat commented Aug 16, 2018
edited

Interesting: a tor test started segfaulting inside openssl https://hydra.nixos.org/build/79642697 (reproduced locally)

@andir
Copy link
Member Author

andir commented Aug 16, 2018
edited

I would say even thought it is crashing within openssl its Tor's fault since it is documented...

from the changelog:

+  *) Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
+     parameter is no longer accepted, as it leads to a corrupt table.  NULL
+     pem_str is reserved for alias entries only.
+     [Richard Levitte]

the backtrace of the test:

0x00007ffff70b35f5 in EVP_PKEY_asn1_set_public () from /nix/store/wqn1vcbm0za87cgxdy86p1ar1risgypr-openssl-1.0.2p/lib/libcrypto.so.1.0.0
(gdb) bt
#0  0x00007ffff70b35f5 in EVP_PKEY_asn1_set_public () from /nix/store/wqn1vcbm0za87cgxdy86p1ar1risgypr-openssl-1.0.2p/lib/libcrypto.so.1.0.0
#1  0x0000555555806ff0 in test_tortls_cert_matches_key (ignored=<optimized out>) at src/test/test_tortls.c:583

and the actual test code:

  static void
  test_tortls_cert_matches_key(void *ignored)
  {
    (void)ignored;
    int res;
    tor_tls_t *tls;
    tor_x509_cert_t *cert;
    X509 *one = NULL, *two = NULL;
    EVP_PKEY_ASN1_METHOD *meth = EVP_PKEY_asn1_new(999, 0, NULL, NULL);
    EVP_PKEY_asn1_set_public(meth, NULL, NULL, fixed_pub_cmp, NULL, NULL, NULL);

If you (or anyone) doesn't beat me to it I'll try to look into this this evening or tomorrow.

@andir
Copy link
Member Author

andir commented Aug 16, 2018

Moving tor to OpenSSL 1.1.0 also fixes the problem.

@andir
tor: use OpenSSL 1.1.0
2af3d8b 
This works around an issue introduced with the OpenSSL 1.0.2p bump.
The test tortls/cert_matches_key is using `EVP_PKEY_asn1_new` in a now
unsupported way.

From the changelog of OpenSSL 1.0.2p:
  *) Make EVP_PKEY_asn1_new() a bit stricter about its input.  A NULL pem_str
     parameter is no longer accepted, as it leads to a corrupt table.  NULL
     pem_str is reserved for alias entries only.

Using the 1.1.0 releases seesm to be fine.
@andir
Copy link
Member Author

andir commented Aug 16, 2018
edited

@GrahamcOfBorg build tor

@vcunat you might want to pick the commit (2ad3d8b) onto staging as you did yesterday. I figured since the PR is still open I should just append it here and leave it to you.

@GrahamcOfBorg
Copy link

No attempt on aarch64-linux (full log)

The following builds were skipped because they don't evaluate on aarch64-linux: tests.tor

Partial log (click to expand)

Cannot nix-instantiate `tests.tor' because:
error: attribute 'tor' in selection path 'tests.tor' not found

@GrahamcOfBorg
Copy link

No attempt on x86_64-linux (full log)

The following builds were skipped because they don't evaluate on x86_64-linux: tests.tor

Partial log (click to expand)

Cannot nix-instantiate `tests.tor' because:
error: attribute 'tor' in selection path 'tests.tor' not found

@GrahamcOfBorg
Copy link

No attempt on x86_64-darwin (full log)

The following builds were skipped because they don't evaluate on x86_64-darwin: tor

Partial log (click to expand)

Cannot nix-instantiate `tor' because:
error: while evaluating the attribute 'postPatch' of the derivation 'tor-0.3.2.10' at /private/var/lib/ofborg/builds/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndnd/pkgs/stdenv/generic/make-derivation.nix:148:11:
while evaluating the attribute 'postPatch' of the derivation 'torsocks-2.2.0' at /private/var/lib/ofborg/builds/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndnd/pkgs/stdenv/generic/make-derivation.nix:148:11:
while evaluating 'callPackageWith' at /private/var/lib/ofborg/builds/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndnd/lib/customisation.nix:113:35, called from /private/var/lib/ofborg/builds/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndnd/pkgs/top-level/all-packages.nix:13639:12:
while evaluating 'makeOverridable' at /private/var/lib/ofborg/builds/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndnd/lib/customisation.nix:72:24, called from /private/var/lib/ofborg/builds/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndnd/lib/customisation.nix:117:8:
while evaluating anonymous function at /private/var/lib/ofborg/builds/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndnd/pkgs/os-specific/linux/libcap/default.nix:1:1, called from /private/var/lib/ofborg/builds/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndnd/lib/customisation.nix:74:12:
assertion failed at /private/var/lib/ofborg/builds/repo/38dca4e3aa6bca43ea96d2fcc04e8229/builder/grahamc-ndnd/pkgs/os-specific/linux/libcap/default.nix:2:1

@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: openssl_1_0_2, openssl_1_1_0, tor

Partial log (click to expand)

patching script interpreter paths in /nix/store/84cvzp13cn6gjqikv2pgwhr1z9zqpz36-tor-0.3.2.10
/nix/store/84cvzp13cn6gjqikv2pgwhr1z9zqpz36-tor-0.3.2.10/bin/torify: interpreter directive changed from " /bin/sh" to "/nix/store/lw7xaqhakk0i1c631m3cvac3x4lc5gr5-bash-4.4-p12/bin/sh"
checking for references to /build in /nix/store/84cvzp13cn6gjqikv2pgwhr1z9zqpz36-tor-0.3.2.10...
shrinking RPATHs of ELF executables and libraries in /nix/store/qr66sp6kwaz167ajvsp0h55cm9cjj3r1-tor-0.3.2.10-geoip
strip is /nix/store/k8b9hqv58dd1z0j4ikak24ykndcm91s6-binutils-2.28.1/bin/strip
patching script interpreter paths in /nix/store/qr66sp6kwaz167ajvsp0h55cm9cjj3r1-tor-0.3.2.10-geoip
checking for references to /build in /nix/store/qr66sp6kwaz167ajvsp0h55cm9cjj3r1-tor-0.3.2.10-geoip...
/nix/store/3wmhxc5wfcqrsh1q1yvwkf20bhwrg923-openssl-1.0.2p-bin
/nix/store/pybhczdbj9m9g82nwdrbbg87qrzwplh8-openssl-1.1.0i-bin
/nix/store/84cvzp13cn6gjqikv2pgwhr1z9zqpz36-tor-0.3.2.10

@GrahamcOfBorg
Copy link

Success on x86_64-linux (full log)

Attempted: tor

Partial log (click to expand)

strip is /nix/store/k8b9hqv58dd1z0j4ikak24ykndcm91s6-binutils-2.28.1/bin/strip
stripping (with command strip and flags -S) in /nix/store/84cvzp13cn6gjqikv2pgwhr1z9zqpz36-tor-0.3.2.10/bin
patching script interpreter paths in /nix/store/84cvzp13cn6gjqikv2pgwhr1z9zqpz36-tor-0.3.2.10
/nix/store/84cvzp13cn6gjqikv2pgwhr1z9zqpz36-tor-0.3.2.10/bin/torify: interpreter directive changed from " /bin/sh" to "/nix/store/lw7xaqhakk0i1c631m3cvac3x4lc5gr5-bash-4.4-p12/bin/sh"
checking for references to /build in /nix/store/84cvzp13cn6gjqikv2pgwhr1z9zqpz36-tor-0.3.2.10...
shrinking RPATHs of ELF executables and libraries in /nix/store/qr66sp6kwaz167ajvsp0h55cm9cjj3r1-tor-0.3.2.10-geoip
strip is /nix/store/k8b9hqv58dd1z0j4ikak24ykndcm91s6-binutils-2.28.1/bin/strip
patching script interpreter paths in /nix/store/qr66sp6kwaz167ajvsp0h55cm9cjj3r1-tor-0.3.2.10-geoip
checking for references to /build in /nix/store/qr66sp6kwaz167ajvsp0h55cm9cjj3r1-tor-0.3.2.10-geoip...
/nix/store/84cvzp13cn6gjqikv2pgwhr1z9zqpz36-tor-0.3.2.10

@GrahamcOfBorg
Copy link

Timed out, unknown build status on x86_64-darwin (full log)

Attempted: openssl_1_0_2, openssl_1_1_0

The following builds were skipped because they don't evaluate on x86_64-darwin: tor

Partial log (click to expand)

[ 25%] Building CXX object lib/MC/CMakeFiles/LLVMMC.dir/MCObjectFileInfo.cpp.o
[ 25%] Building CXX object lib/MC/CMakeFiles/LLVMMC.dir/MCObjectStreamer.cpp.o
building of '/nix/store/r4xmpsgxnwxg8n05ciajgf6ggfppyg2z-llvm-5.0.2.drv' timed out after 1800 seconds
cannot build derivation '/nix/store/z86l2z7c9vl9zbwwvfvi9y7xcn551mbg-clang-5.0.2.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/739cixlgxbg2bw134flqd0xmxmass1bc-clang-wrapper-5.0.2.drv': 1 dependencies couldn't be built
cannot build derivation '/nix/store/yx01b302az3dxrc671asm0ncvaxz0cc7-stdenv-darwin.drv': 3 dependencies couldn't be built
cannot build derivation '/nix/store/76a7alwr1xrzi7idh0p5xsjxacl45wry-perl-5.24.3.drv': 2 dependencies couldn't be built
cannot build derivation '/nix/store/kyxdm1a7b1icvw3d4y94215cf7w5fb78-openssl-1.0.2p.drv': 2 dependencies couldn't be built
cannot build derivation '/nix/store/k00wd1j1wn83pz46ir7mgsn11kkdd2sx-openssl-1.1.0i.drv': 2 dependencies couldn't be built
error: build of '/nix/store/k00wd1j1wn83pz46ir7mgsn11kkdd2sx-openssl-1.1.0i.drv', '/nix/store/kyxdm1a7b1icvw3d4y94215cf7w5fb78-openssl-1.0.2p.drv' failed

@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: openssl_1_0_2, openssl_1_1_0, tor

Partial log (click to expand)

  /nix/store/zbr22dj14syvdx1iiw63da8kmybi0873-util-linux-2.31.1.drv
  /nix/store/lypdd9nvh5qmn2a044z21d0c5jinj4g7-glib-2.54.3.drv
  /nix/store/n5d4ix0wxas42gsaqy91pv6pwz484h27-python3.6-lxml-4.1.1.drv
  /nix/store/rq9sc9psnfil42r8pq1lqgb072fzqw52-python3-3.6.6-env.drv
  /nix/store/sd6480d094is9j6wabbznc41fw2vlgvd-systemd-237.drv
  /nix/store/7i2vqcxcphajlip3rbr896w4bry8zwf5-tor-0.3.2.10.drv
waiting for locks or build slots...
/nix/store/r06c6lci780kvmg63ypvaizhsrimpg9z-openssl-1.0.2p-bin
/nix/store/4jp6k1xf3kfldhh5fzjacxb6fnsk0jba-openssl-1.1.0i-bin
/nix/store/kwv3mqv8w7kp7mwmai47r3s5sqamq8kd-tor-0.3.2.10

@GrahamcOfBorg
Copy link

Success on aarch64-linux (full log)

Attempted: tor

Partial log (click to expand)

strip is /nix/store/hy39vplmzpwckvzxgyhr54dwz0mnfv2p-binutils-2.28.1/bin/strip
stripping (with command strip and flags -S) in /nix/store/kwv3mqv8w7kp7mwmai47r3s5sqamq8kd-tor-0.3.2.10/bin
patching script interpreter paths in /nix/store/kwv3mqv8w7kp7mwmai47r3s5sqamq8kd-tor-0.3.2.10
/nix/store/kwv3mqv8w7kp7mwmai47r3s5sqamq8kd-tor-0.3.2.10/bin/torify: interpreter directive changed from " /bin/sh" to "/nix/store/i7pgaclm3qrcm9gpqxb5mbw9wsn7prd0-bash-4.4-p12/bin/sh"
checking for references to /build in /nix/store/kwv3mqv8w7kp7mwmai47r3s5sqamq8kd-tor-0.3.2.10...
shrinking RPATHs of ELF executables and libraries in /nix/store/w1bw1abh61wvrp14h80v1wbysp72wbdn-tor-0.3.2.10-geoip
strip is /nix/store/hy39vplmzpwckvzxgyhr54dwz0mnfv2p-binutils-2.28.1/bin/strip
patching script interpreter paths in /nix/store/w1bw1abh61wvrp14h80v1wbysp72wbdn-tor-0.3.2.10-geoip
checking for references to /build in /nix/store/w1bw1abh61wvrp14h80v1wbysp72wbdn-tor-0.3.2.10-geoip...
/nix/store/kwv3mqv8w7kp7mwmai47r3s5sqamq8kd-tor-0.3.2.10

@vcunat
Copy link
Member

vcunat commented Aug 17, 2018

tor: I think for a stable release it will be best to just disable (or patch-up) this single test.

@andir
Copy link
Member Author

andir commented Aug 17, 2018

Alright, closing this.

@andir andir closed this Aug 17, 2018
@vcunat
Copy link
Member

vcunat commented Aug 17, 2018

Done in 5d28c48.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@vcunat vcunat

Labels
10.rebuild-darwin: 501+ 10.rebuild-darwin-stdenv 10.rebuild-linux: 501+
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@andir @GrahamcOfBorg @vcunat