Hi,

On 02/11/2016 20:06, Karl Kornel wrote:
> forwarded 828549 https://bugs.schedmd.com/show_bug.cgi?id=3226
> tags 828549 + patch
> thanks
>
> Hello!
>
> It looks like even the latest SLURM Debian package, 16.05.6-1, still has this
> issue. I tested with OpenSSL package version 1.1.0b-2, building on a sid
> COWbuilder.
>
> The issue is being tracked upstream at this URL:
>
> https://bugs.schedmd.com/show_bug.cgi?id=3226
>

Thanks for the reference!

> The bug was filed on Oct. 31, and acknowledged on Nov. 1.
>
> SLURM only uses OpenSSL in one place: To create “job step credentials”.
> However, this is not the default: the default is to have MUNGE create those
> credentials.
>
> Since OpenSSL is only used in one place, and that’s not even as the default,
> I have created a Quilt patch which removes OpenSSL from the build entirely.
> Unfortunately, it’s not enough to change how we run ./configure; if the
> configure script sees an OpenSSL installation, it will use it, so I have to
> completely remove the test for OpenSSL, as well as the Makefile.am file that
> would trigger the compilation of OpenSSL-using code.
>

I think it is easier to port Slurm to use OpenSSL 1.1. Attached is a tentative
patch that makes Slurm compile against OpenSSL 1.1. I haven't tested it
thoroughly and I would appreciate some help. In short, EVP_MD_CTX became opaque
in OpenSSL 1.1 and we cannot use it directly anymore. Similar fixes have been
applied to other softs.

Another way to avoid the bug in Debian is to use OpenSSL 1.0 by choosing
libssl1.0-dev in the Build-Depends line. It doesn't fix the issue but prevents
the system from removing it from testing.

Regards,

-- 
Mehdi

From: Mehdi Dogguy <me...@debian.org> Date: Wed, 2 Nov 2016 22:54:38 +0100 Subject: Port to OpenSSL 1.1 --- src/plugins/crypto/openssl/crypto_openssl.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/src/plugins/crypto/openssl/crypto_openssl.c b/src/plugins/crypto/openssl/crypto_openssl.c index 2fa9767..87c0b55 100644 --- a/src/plugins/crypto/openssl/crypto_openssl.c +++ b/src/plugins/crypto/openssl/crypto_openssl.c @@ -179,7 +179,7 @@ extern int crypto_sign(void * key, char *buffer, int buf_size, char **sig_pp, unsigned int *sig_size_p) { - EVP_MD_CTX ectx; + EVP_MD_CTX *ectx; int rc = SLURM_SUCCESS; int ksize = EVP_PKEY_size((EVP_PKEY *) key); @@ -188,17 +188,18 @@ crypto_sign(void * key, char *buffer, int buf_size, char **sig_pp, */ *sig_pp = xmalloc(ksize * sizeof(unsigned char)); - EVP_SignInit(&ectx, EVP_sha1()); - EVP_SignUpdate(&ectx, buffer, buf_size); + ectx = EVP_MD_CTX_create(); + EVP_SignInit(ectx, EVP_sha1()); + EVP_SignUpdate(ectx, buffer, buf_size); - if (!(EVP_SignFinal(&ectx, (unsigned char *)*sig_pp, sig_size_p, + if (!(EVP_SignFinal(ectx, (unsigned char *)*sig_pp, sig_size_p, (EVP_PKEY *) key))) { rc = SLURM_ERROR; } #ifdef HAVE_EVP_MD_CTX_CLEANUP /* Note: Likely memory leak if this function is absent */ - EVP_MD_CTX_cleanup(&ectx); + EVP_MD_CTX_destroy(ectx); #endif return rc; @@ -208,13 +209,14 @@ extern int crypto_verify_sign(void * key, char *buffer, unsigned int buf_size, char *signature, unsigned int sig_size) { - EVP_MD_CTX ectx; + EVP_MD_CTX *ectx; int rc; - EVP_VerifyInit(&ectx, EVP_sha1()); - EVP_VerifyUpdate(&ectx, buffer, buf_size); + ectx = EVP_MD_CTX_create(); + EVP_VerifyInit(ectx, EVP_sha1()); + EVP_VerifyUpdate(ectx, buffer, buf_size); - rc = EVP_VerifyFinal(&ectx, (unsigned char *) signature, + rc = EVP_VerifyFinal(ectx, (unsigned char *) signature, sig_size, (EVP_PKEY *) key); if (rc <= 0) rc = SLURM_ERROR; 
@@ -223,7 +225,7 @@ crypto_verify_sign(void * key, char *buffer, unsigned int buf_size, #ifdef HAVE_EVP_MD_CTX_CLEANUP /* Note: Likely memory leak if this function is absent */ - EVP_MD_CTX_cleanup(&ectx); + EVP_MD_CTX_destroy(ectx); #endif return rc;
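
Review bot: In the crypto_sign hunk (@@ -188,17 +188,18 @@), the result of `ectx = EVP_MD_CTX_create();` is used without a NULL check, so an allocation failure hands a NULL context straight to EVP_SignInit(). Now that the context is heap-allocated the call can fail; suggest testing `if (!ectx)` right after it and returning SLURM_ERROR (deciding there what happens to the already allocated *sig_pp), with the same check after the EVP_MD_CTX_create() call in crypto_verify_sign. The return values of EVP_SignInit() and EVP_SignUpdate() are also still ignored on the touched lines, so only a failure in EVP_SignFinal() sets rc to SLURM_ERROR.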
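
Review bot: In the last hunk (@@ -223,7 +225,7 @@), and at the matching cleanup at the end of crypto_sign, `EVP_MD_CTX_destroy(ectx);` stays inside `#ifdef HAVE_EVP_MD_CTX_CLEANUP`, a guard that by its name tests for EVP_MD_CTX_cleanup() rather than the function now being called. EVP_MD_CTX_cleanup() was removed in OpenSSL 1.1.0, so on the version this patch targets the macro is likely undefined and the context allocated by EVP_MD_CTX_create() is never freed, on every sign and every verify call. Since the allocation is now unconditional, the destroy call should be unconditional as well: drop the #ifdef together with the "Likely memory leak" comment, or change the configure check so it tests for the function that is actually used.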