[MacPorts] #68766: openssl3 @3.2.0_0+universal may have broken PRNG on High Sierra and older (was: openssl3 @3.2.0_0+universal may have broken PRNG on Mavericks and older)
MacPorts
noreply at macports.org
Tue Nov 28 18:07:36 UTC 2023
#68766: openssl3 @3.2.0_0+universal may have broken PRNG on High Sierra and older
------------------------+------------------------
Reporter: fhgwright | Owner: neverpanic
Type: defect | Status: assigned
Priority: Normal | Milestone:
Component: ports | Version:
Resolution: | Keywords:
Port: openssl3 |
------------------------+------------------------
Comment (by neverpanic):
Replying to [comment:49 fhgwright]:
> Note that the failure on Sierra was reported here ''before'' the summary
was changed to say "Mavericks and older".
I missed the one report about this, that's my fault. I have changed it to
High Sierra now, which I believe accurately represents the situation
unless I'm missing something?
> While I understand the "holding hostage" concept, breaking critical
programs like `ssh` and `sshd` on many platforms just to rush out (less
than an hour after the upstream release) an update that almost nobody
actually needs was hardly reasonable. There isn't even a "security fix"
excuse, given that 3.1 is still fully supported upstream (as is 3.0, for
that matter). And breaking `sshd` on headless systems can make them
difficult to fix.
Homebrew has also already updated to 3.2. OpenSSL 3.2 also includes a fix
for a timing side-channel in RSA PKCS#1v1.5 decryption that is exploitable
using the Marvin Attack: https://people.redhat.com/~hkario/marvin/. The
pull request that fixes this across all users is
https://github.com/openssl/openssl/pull/13817, but was only merged into
3.2. Without this change, higher-level libraries such as python
cryptography cannot implement RSA PKCS#1v1.5 decryption in a timing side
channel free way.
> It looks like it was only sheer luck that the major upgrade from 3.0 to
3.1 went smoothly. 1.0->1.1 was incompatible. 1.1->3.0 was incompatible.
3.1->3.2 is currently majorly broken. 3.0->3.1 seems to have been the
exception to the rule, and one shouldn't count on other major upgrades to
go smoothly.
3.1 to 3.2 isn't a major upgrade. The ABI is compatible.
I'm not sure holding off on the update would have contributed to
significantly broader test coverage, either.
> BTW, I've also seen test failures on 10.14 x86_64 and 14.x arm64
+universal. I guess folks who think Sonoma is too old to worry about can
ignore the latter.
Please stop the ad-hominem attacks.
Additionally, I did follow up on your comment saying that there are broken
tests on 14.x by running the upstream test suite. I did not encounter test
failures. Can you provide details?
> IMO, it would make sense to have subports for all the separately
maintained upstream versions, similar to what's already done for languages
(and for the 1.x versions). That would include not only `openssl31` and
`openssl32`, but also `openssl30`, not only for completeness, but also to
make that version available for testing, even though it's unlikely to be
needed as a port dependency. However, this is a significantly more
complicated change than just a rollback plus a -devel for 3.2, and the
priority should be undoing the damage ASAP.
We've had that before, and I think it's an explicit non-goal. It locks us
into not being able to update and stop maintaining the old port because
some port still depends on it. Best example: The OpenSSL 1.1 port, which
is now unmaintained, but we can't remove it because ports still use it.
> I already have a fully tested commit for the latter, which I can submit
as a PR if I'm not wasting my time. It would take the pressure off
figuring out how to fix the multiple issues in 3.2
I don't think a general rollback on all systems is the way to go, as there
are no issues I'm aware of in the range [current-3, current] (other than a
PostgreSQL issue that is apparently on the PostgreSQL side, not in
OpenSSL). I would take a pull request that rolls back older systems to
3.1.4.
--
Ticket URL: <https://trac.macports.org/ticket/68766#comment:56>
MacPorts <https://www.macports.org/>
Ports system for macOS
More information about the macports-tickets
mailing list