On 06/10/2014 09:29 PM, Lorenzo wrote:
On 06/08/2014 11:24 PM, Julien Cristau wrote:
On Sun, Jun 8, 2014 at 17:48:18 +0200, Lorenzo wrote:
after the latest openssl upgrade it happened again :)
While waiting to see upstream's reaction, could you rebuild the package
against the new version of the library?
No, this should be fixed by removing the broken check, not papering over
it with a rebuild.
Cheers,
Julien
Yep, my problem is that I don't know if the broken check is supposed to
do something useful, or how to fix it (I'd like to stay away from
openssl as much as I can), and therefore if removing it does any harm.
Btw, good news! I "sudo apt-get upgrade"'d about a couple of hours ago,
and on reboot opensmtpd works just fine!
It makes me think that there might have been something wrong with
SSLeay() rather than the version check (going to check that).
It took a few minutes to git-svn debian's openssl repo (I'm sure there's
a way to see history online :), and unless I'm mistaken I fear that
opensmtpd got back to work by sheer luck, ie they're checking the wrong
part of the version number, and the latest upgrade got it right by chance.
See the following program:
/*
* Copyright (c) 2001 Damien Miller. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
*notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
*notice, this list of conditions and the following disclaimer in the
*documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
#include
#include
#include
//#include "ssh.h"
//#include "misc.h"
//#include "xmalloc.h"
//#include "atomicio.h"
//#include "pathnames.h"
//#include "buffer.h"
#include
#define fatal printf
/* unsigned long x = 1; p(x) ==> "1 == x" */
#define p(UL) printf("0x%lx == %s\n", (unsigned long)(UL), #UL)
void
seed_rng(void)
{
/*
* OpenSSL version numbers: MNNFFPPS: major minor fix patch status
* We match major, minor, fix and status (not patch) for <1.0.0.
* After that, we acceptable compatible fix versions (so we
* allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
* within a patch series.
*/
u_long version_mask = SSLeay() >= 0x100f ? ~0x0L : ~0xff0L;
if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
(SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
fatal ("OpenSSL version mismatch. Built against %lx, you "
"have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
/* print the individual parts of it */
p(SSLeay());
p(OPENSSL_VERSION_NUMBER);
p(SSLeay() ^ OPENSSL_VERSION_NUMBER);
// ./branches/1.0.1/debian/patches/git_snapshot.patch
p(0x1000108fL ^ OPENSSL_VERSION_NUMBER);
p(0x10001090L ^ OPENSSL_VERSION_NUMBER);
p((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask);
printf("=== The following line!!! ===\n");
/*
* OPENSSL_VERSION_NUMBER is a constant; say we compiled with the
* old version, 0x1000108fL rather than 0x10001090L...
*/
p((SSLeay() ^ 0x1000108fL) & version_mask);
p(SSLeay() >> 12);
p(OPENSSL_VERSION_NUMBER >> 12);
}
int main()
{
seed_rng();
return 0;
}
That's because (again: if I'm not mistaken!)
u_long version_mask = SSLeay() >= 0x100f ? ~0x0L : ~0xff0L;
since the version is greater than 0x100f, version mask is ~0x0L,
is 0xf..ffL, meaning that any difference in the lowest byte will
make opensmtpd call fatal().
If you can find any mistake please point it out (and thanks btw);
otherwise I guess this should be reported upstream.
loreb
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
