-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Handle zero value modulus for OpenSSL 1.1 #79013
Conversation
Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones Issue DetailsThis reverts the revert. Original PR. This PR introduces a check when importing an RSA public key that the modulus is not zero. For OpenSSL 1.1, the import succeeded and later fails at key usage time with a less-than-helpful error. This check brings consistency with other platforms, where a zero modulus fails at key import time. @akoeplinger can you please point me to a pipeline run that reproduces the failure you observed?
|
/azp list |
Sorry for the late reply, the coreclr change you made should've triggered the job due to the condition in runtime/eng/pipelines/runtime.yml Line 75 in 2b1d11d
|
The log says
and from what I can find the additional key was introduced in 1.0.2k so that at least explains why we're not finding it. I think we get the old package somehow for the cross root. |
I think I figured it out: in https://github.com/dotnet/dotnet-buildtools-prereqs-docker/blob/a5a8882abc169ebbd30e01ee58c1fbd578affa80/src/ubuntu/18.04/cross/x86-linux/hooks/pre-build#LL5C3-L5C3 we're passing This means that the build-rootfs.sh script defaults to Ubuntu 16.04
I'll send a PR to fix the Docker container. This shouldn't have any impact on the actual product since we don't officially support Linux x86: #7335 |
The `linux` argument doesn't exist in the arcade build-rootfs.sh script, we should be passing the Ubuntu codename. It defaulted to xenial which caused outdated packages to be in the crossrootfs, see dotnet/runtime#79013 (comment)
Btw. do we need to do something about the mismatching value that @bartonjs noticed in #78339 (comment) ? |
@akoeplinger for what it's worth, I need to fix my PR to work against 1.0.2g (and prior) since 1.0.2 is still supported. I apparently looked at the latest 1.0.2 and not 1.0.2a. |
The `linux` argument doesn't exist in the arcade build-rootfs.sh script, we should be passing the Ubuntu codename. It defaulted to xenial which caused outdated packages to be in the crossrootfs, see dotnet/runtime#79013 (comment)
I pushed a change to use the staging Docker image tag which includes my change just to verify the issue is fixed, please feel free to revert it when you push your other changes. |
@bartonjs okay. I settled on |
@vcsjones This change appears to have broken non-portable source-build: /cc @MichaelSimons |
@mmitche @MichaelSimons I have a draft change that I believe will fix this, just working on validating it locally first. Apologies for the trouble. |
This reverts the revert. Original PR.
This PR introduces a check when importing an RSA public key that the modulus is not zero. For OpenSSL 1.1, the import succeeded and later fails at key usage time with a less-than-helpful error. This check brings consistency with other platforms, where a zero modulus fails at key import time.
@akoeplinger can you please point me to a pipeline run that reproduces the failure you observed?
Fixes #78293