lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YufUAiLqKiuwdvcP@krava>
Date:   Mon, 1 Aug 2022 15:24:18 +0200
From:   Jiri Olsa <olsajiri@...il.com>
To:     Jiri Olsa <olsajiri@...il.com>,
        Stephane Eranian <eranian@...gle.com>
Cc:     谭梓煊 <tanzixuan.me@...il.com>,
        Zixuan Tan <tanzixuangg@...il.com>, terrelln@...com,
        Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>,
        Andrii Nakryiko <andrii@...nel.org>,
        Martin KaFai Lau <kafai@...com>,
        Song Liu <songliubraving@...com>, Yonghong Song <yhs@...com>,
        John Fastabend <john.fastabend@...il.com>,
        KP Singh <kpsingh@...nel.org>, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org, bpf@...r.kernel.org
Subject: Re: [PATCH] perf build: Suppress openssl v3 deprecation warnings in
 libcrypto feature test

On Tue, Jun 28, 2022 at 08:16:06AM +0200, Jiri Olsa wrote:
> On Mon, Jun 27, 2022 at 11:08:34AM +0800, 谭梓煊 wrote:
> > On Sun, Jun 26, 2022 at 10:45 PM Jiri Olsa <olsajiri@...il.com> wrote:
> > >
> > > On Sat, Jun 25, 2022 at 11:34:38PM +0800, Zixuan Tan wrote:
> > > > With OpenSSL v3 installed, the libcrypto feature check fails as it use the
> > > > deprecated MD5_* API (and is compiled with -Werror). The error message is
> > > > as follows.
> > > >
> > > > $ make tools/perf
> > > > ```
> > > > Makefile.config:778: No libcrypto.h found, disables jitted code injection,
> > > > please install openssl-devel or libssl-dev
> > > >
> > > > Auto-detecting system features:
> > > > ...                         dwarf: [ on  ]
> > > > ...            dwarf_getlocations: [ on  ]
> > > > ...                         glibc: [ on  ]
> > > > ...                        libbfd: [ on  ]
> > > > ...                libbfd-buildid: [ on  ]
> > > > ...                        libcap: [ on  ]
> > > > ...                        libelf: [ on  ]
> > > > ...                       libnuma: [ on  ]
> > > > ...        numa_num_possible_cpus: [ on  ]
> > > > ...                       libperl: [ on  ]
> > > > ...                     libpython: [ on  ]
> > > > ...                     libcrypto: [ OFF ]
> > > > ...                     libunwind: [ on  ]
> > > > ...            libdw-dwarf-unwind: [ on  ]
> > > > ...                          zlib: [ on  ]
> > > > ...                          lzma: [ on  ]
> > > > ...                     get_cpuid: [ on  ]
> > > > ...                           bpf: [ on  ]
> > > > ...                        libaio: [ on  ]
> > > > ...                       libzstd: [ on  ]
> > > > ...        disassembler-four-args: [ on  ]
> > > > ```
> > > >
> > > > This is very confusing because the suggested library (on my Ubuntu 20.04
> > > > it is libssl-dev) is already installed. As the test only checks for the
> > > > presence of libcrypto, this commit suppresses the deprecation warning to
> > > > allow the test to pass.
> > > >
> > > > Signed-off-by: Zixuan Tan <tanzixuan.me@...il.com>
> > > > ---
> > > >  tools/build/feature/test-libcrypto.c | 6 ++++++
> > > >  1 file changed, 6 insertions(+)
> > > >
> > > > diff --git a/tools/build/feature/test-libcrypto.c b/tools/build/feature/test-libcrypto.c
> > > > index a98174e0569c..31afff093d0b 100644
> > > > --- a/tools/build/feature/test-libcrypto.c
> > > > +++ b/tools/build/feature/test-libcrypto.c
> > > > @@ -2,6 +2,12 @@
> > > >  #include <openssl/sha.h>
> > > >  #include <openssl/md5.h>
> > > >
> > > > +/*
> > > > + * The MD5_* API have been deprecated since OpenSSL 3.0, which causes the
> > > > + * feature test to fail silently. This is a workaround.
> > > > + */
> > >
> > > then we use these deprecated MD5 calls in util/genelf.c if libcrypto is detected,
> > > so I wonder how come the rest of the compilation passed for you.. do you have
> > > CONFIG_JITDUMP disabled?
> > >
> > > thanks,
> > > jirka
> > >
> > No, CONFIG_JITDUMP is not disabled. I am using the default configuration.
> > 
> > Yes, you are right. The rest of the compilation should fail, but it doesn't.
> > I checked the verbose build commands. This seems to be the result of another
> > inconsistency.
> > 
> > If libcrypto is detected, the macro "HAVE_LIBCRYPTO_SUPPORT" will be
> > defined, but in perf/util/genelf.c, "HAVE_LIBCRYPTO" without the "_SUPPORT"
> > prefix is checked. This causes urandom always be used to create build id
> > rather than MD5 and SHA1, no matter what the detection result is.
> > 
> > In perf/Makefile.config, from line 776
> > ```
> > ifndef NO_LIBCRYPTO
> >   ifneq ($(feature-libcrypto), 1)
> >     msg := $(warning No libcrypto.h found, disables jitted code injection,
> >             please install openssl-devel or libssl-dev);
> >     NO_LIBCRYPTO := 1
> >   else                                  <-- if libcrypto feature detected
> >     CFLAGS += -DHAVE_LIBCRYPTO_SUPPORT  <-- define this
> >     EXTLIBS += -lcrypto
> >     $(call detected,CONFIG_CRYPTO)
> >   endif
> > endif
> > ```
> > 
> > In perf/util/genelf.c, from line 33
> > ```
> > #ifdef HAVE_LIBCRYPTO                <-- but check this, it's always false
> 
> nice :)
> 
> > 
> > #define BUILD_ID_MD5
> > #undef BUILD_ID_SHA /* does not seem to work well when linked with Java */
> > #undef BUILD_ID_URANDOM /* different uuid for each run */
> > 
> > #ifdef BUILD_ID_SHA
> > #include <openssl/sha.h>
> > #endif
> > 
> > #ifdef BUILD_ID_MD5
> > #include <openssl/md5.h>
> > #endif
> > #endif                               <-- this block will be skipped
> > ```
> > 
> > Maybe we should fix this, to really make use of libcrypto if it is available?
> 
> yea, I think that was the original idea, let's keep the variable with
> SUPPORT suffix and use the -Wdeprecated-declarations for genelf.c
> 
> full fix would be to detect the new API and use it when it's available but..
> given that the check was false at least since 2016, perhaps we could remove
> that code? ;-) Stephane?

ping

jirka

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ