Opened 5 years ago

Closed 5 years ago

#16454 closed defect (fixed)

Update openssl package to latest version.

Reported by: tmonteil
Owned by:
Priority: critical
Milestone: sage-6.3
Component: packages: optional
Keywords:
Cc: jhpalmieri, mariah, was
Merged in:
Authors: Thierry Monteil
Reviewers: Sébastien Labbé
Report Upstream: N/A
Work issues:
Branch: f870116 (Commits)
Commit: f8701162940876cc82278d1802c09fb3ec3a2901
Dependencies:
Stopgaps:

Description (last modified by tmonteil)

The current (optional) openssl package we ship is still 1.0.1e, which is vulnerable to Heartbleed; let us update it to the latest version.

Link to the latest tarball is https://www.openssl.org/source/openssl-1.0.1h.tar.gz

Change History (15)

comment:1 Changed 5 years ago by tmonteil

  • Component changed from PLEASE CHANGE to packages: optional
  • Description modified (diff)
  • Type changed from PLEASE CHANGE to defect

comment:2 Changed 5 years ago by tmonteil

  • Description modified (diff)

comment:3 Changed 5 years ago by tmonteil

  • Branch set to u/tmonteil/update_openssl_package_to_latest_version_

comment:4 Changed 5 years ago by tmonteil

  • Authors set to Thierry Monteil
  • Cc jhpalmieri mariah was added
  • Commit set to b5f372e4610123ead04a49786fd77d5ac045793f
  • Description modified (diff)
  • Priority changed from major to critical
  • Status changed from new to needs_review

New commits:

b5f372e  #16454 : update openssl to 1.0.1h, remove inapplicable doc patch, remove old-spkg-style changelog

comment:5 Changed 5 years ago by slabbe

Why do you delete the changelog part?

comment:6 Changed 5 years ago by tmonteil

See http://www.sagemath.org/doc/developer/packaging.html#the-spkg-txt-file (last sentence) and https://groups.google.com/forum/#!searchin/sage-devel/numpy/sage-devel/FNjYGRCxaUc/WDKM0pM9QJYJ

By the way, could you check whether the Configure.patch is still needed for Darwin (looks like the same -arch fix as in pyzmq)?

comment:7 Changed 5 years ago by slabbe

With the current branch, running ./sage -i openssl on my (32-bit) machine ends with the following error:

Found local metadata for openssl-1.0.1h
Found local sources at /Users/slabbe/Applications/sage-review/upstream/openssl-1.0.1h.tar.gz
Checksum: 8d6d684a9430d5cc98a62a5d8fbda8cf vs 8d6d684a9430d5cc98a62a5d8fbda8cf
openssl-1.0.1h
====================================================
Setting up build directory for openssl-1.0.1h
Finished set up
****************************************************
Host system:
Darwin pol 9.8.0 Darwin Kernel Version 9.8.0: Wed Jul 15 16:55:01 PDT 2009; root:xnu-1228.15.4~1/RELEASE_I386 i386
****************************************************
C compiler: gcc
C compiler version:
Using built-in specs.
COLLECT_GCC=/Users/slabbe/Applications/sage-review/local/bin/gcc
COLLECT_LTO_WRAPPER=/Users/slabbe/Applications/sage-review/local/libexec/gcc/i386-apple-darwin9.8.0/4.7.3/lto-wrapper
Target: i386-apple-darwin9.8.0
Configured with: ../src/configure --prefix=/Users/slabbe/Applications/sage-review/local --with-local-prefix=/Users/slabbe/Applications/sage-review/local --with-gmp=/Users/slabbe/Applications/sage-review/local --with-mpfr=/Users/slabbe/Applications/sage-review/local --with-mpc=/Users/slabbe/Applications/sage-review/local --with-system-zlib --disable-multilib --disable-nls  
Thread model: posix
gcc version 4.7.3 (GCC) 
****************************************************

[...]
Configured for darwin64-x86_64-cc.
[...]
x86_64cpuid.s:85:`movzbq' is only supported in 64-bit mode
[...]
x86_64cpuid.s:209:bad register name `%xmm14'
x86_64cpuid.s:210:bad register name `%xmm15'
x86_64cpuid.s:211:bad register name `%rcx'
x86_64cpuid.s:212:bad register name `%rdx'
x86_64cpuid.s:213:bad register name `%rsi'
x86_64cpuid.s:214:bad register name `%rdi'
x86_64cpuid.s:215:bad register name `%r8'
x86_64cpuid.s:216:bad register name `%r9'
x86_64cpuid.s:217:bad register name `%r10'
x86_64cpuid.s:218:bad register name `%r11'
x86_64cpuid.s:219:bad register name `%rsp)'
x86_64cpuid.s:232:bad register name `%rax'
x86_64cpuid.s:233:bad register name `%rcx'
make[1]: *** [x86_64cpuid.o] Error 1
make: *** [build_crypto] Error 1
Error building openssl.

real	0m8.937s
user	0m3.822s
sys	0m1.561s
************************************************************************
Error installing package openssl-1.0.1h
************************************************************************

As you suggested, I tried again after deleting the Configure.patch, and it worked:

$ ./sage -i openssl

[...]

real	4m9.688s
user	2m47.278s
sys	0m49.557s
Successfully installed openssl-1.0.1h

Here is my git status:

10 slabbe@pol ~/Applications/sage-review $ git status
# On branch t/16454
# Changes not staged for commit:
#   (use "git add/rm <file>..." to update what will be committed)
#   (use "git checkout -- <file>..." to discard changes in working directory)
#
#	deleted:    build/pkgs/openssl/patches/Configure.patch
#
no changes added to commit (use "git add" and/or "git commit -a")

comment:8 Changed 5 years ago by git

  • Commit changed from b5f372e4610123ead04a49786fd77d5ac045793f to f8701162940876cc82278d1802c09fb3ec3a2901

Branch pushed to git repo; I updated commit sha1. New commits:

f870116  #16454 : remove Configure.patch

comment:9 Changed 5 years ago by tmonteil

Thanks for testing, so I removed Configure.patch. Could you also try whether the tests work without the patch:

export SAGE_CHECK='yes'
sage -f openssl

comment:10 Changed 5 years ago by slabbe

$ export SAGE_CHECK='yes'
$ ./sage -f openssl

[...]

real	1m34.519s
user	0m16.406s
sys	0m18.216s
Successfully installed openssl-1.0.1h
Running the test suite for openssl-1.0.1h...

[...]

data content test streaming PEM format: OK
encrypted content test streaming PEM format, 128 bit RC2 key: OK
encrypted content test streaming PEM format, 40 bit RC2 key: OK
encrypted content test streaming PEM format, triple DES key: OK
encrypted content test streaming PEM format, 128 bit AES key: OK
Zlib not supported: compression tests skipped
ALL TESTS SUCCESSFUL.
../util/shlib_wrap.sh ./heartbeat_test
OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a
OpenSSL 1.0.1h 5 Jun 2014
built on: Fri Jun 13 10:36:56 CEST 2014
platform: darwin64-x86_64-cc
options:  bn(64,64) rc4(ptr,char) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: gcc -fPIC -fno-common -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/Users/slabbe/Applications/sage-review/local/openssl"

real	1m17.717s
user	0m40.606s
sys	0m31.799s
Deleting temporary build directory
/Users/slabbe/Applications/sage-review/local/var/tmp/sage/build/openssl-1.0.1h
Finished installing openssl-1.0.1h.spkg

It works! ... on my old 32-bit machine. For me it is a positive review. Do jhpalmieri, mariah or was want to double-check on another machine before closing this ticket?
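
A post-install check built on the version banner shown in the log above, as an added example that is not part of the ticket or of Sage: it parses OpenSSL's legacy letter-suffixed version string and compares it with the release this ticket ships. The function names and the second banner are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Sage's or OpenSSL's code): check a reported OpenSSL
# version against a floor, using the legacy "major.minor.fix[letters]" scheme.

# Print the version token from a banner such as "OpenSSL 1.0.1h 5 Jun 2014".
ossl_version_from_banner() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }'
}

# ossl_at_least HAVE FLOOR
# Exit status: 0 if HAVE >= FLOOR, 1 if older, 2 if either string is unparseable.
ossl_at_least() {
    LC_ALL=C awk -v have="$1" -v floor="$2" '
    function parse(v, out,    nums, parts, i) {
        if (v !~ /^[0-9]+\.[0-9]+\.[0-9]+[a-z]*$/) return 0
        out["letters"] = v
        sub(/^[0-9.]+/, "", out["letters"])      # keep only the patch letters
        nums = substr(v, 1, length(v) - length(out["letters"]))
        split(nums, parts, ".")
        for (i = 1; i <= 3; i++) out[i] = parts[i] + 0
        return 1
    }
    BEGIN {
        if (!parse(have, h) || !parse(floor, f)) exit 2
        for (i = 1; i <= 3; i++) {
            if (h[i] > f[i]) exit 0
            if (h[i] < f[i]) exit 1
        }
        # Equal numbers: letters sort as "" < a < ... < z < za < zb ...
        exit ((h["letters"] >= f["letters"]) ? 0 : 1)
    }'
}

FLOOR=1.0.1h    # release this ticket ships
# First banner is the one quoted in the log above; the second is constructed.
for banner in 'OpenSSL 1.0.1h 5 Jun 2014' 'OpenSSL 1.0.1e (constructed)'; do
    ver=$(ossl_version_from_banner "$banner")
    rc=0; ossl_at_least "$ver" "$FLOOR" || rc=$?
    case $rc in
        0) echo "$ver: at or above $FLOOR" ;;
        1) echo "$ver: older than $FLOOR, reinstall the package" ;;
        *) echo "could not parse: $banner" ;;
    esac
done
```

Feed it the first line of `openssl version` from the install under test. A version-string check fits a build from the upstream tarball, as in this ticket; packages that backport fixes can keep an older string.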

comment:11 Changed 5 years ago by slabbe

  • Status changed from needs_review to positive_review

comment:12 Changed 5 years ago by vbraun

Reviewer name

comment:13 Changed 5 years ago by vbraun

  • Status changed from positive_review to needs_work

comment:14 Changed 5 years ago by slabbe

  • Reviewers set to Sébastien Labbé
  • Status changed from needs_work to positive_review

Sorry, my bad.

Sébastien

comment:15 Changed 5 years ago by vbraun

  • Branch changed from u/tmonteil/update_openssl_package_to_latest_version_ to f8701162940876cc82278d1802c09fb3ec3a2901
  • Resolution set to fixed
  • Status changed from positive_review to closed