Monday, May 05, 2014
Fixing and Compiling OpenSSL on Ubuntu 14.04
I have been reading OpenSSL Valhalla Rampage almost daily since it was started. I began to wonder if I could incorporate some of their fixes into OpenSSL. I also wondered just how buggy OpenSSL really was. I went to openssl.org and downloaded the latest tarball. I unpacked it. Since I had clang installed and it has a static source code analyzer, I changed directories into the unpacked openssl-1.0.1g directory and ran the following command:
scan-build -o /home/jbmoore/openssl-bugs make -j4
The o option tells scan-build where to send its output. Upon completion, you are given a command to run:
scan-view /home/jbmoore/openssl-bugs/2014-05-04-181351-14781-1
which displays the results in a browser.
I then modified the source files based on code snippets from OpenSSL Valhalla Rampage. I reran the scanner to see if some of the bugs disappeared and they had. When I tried to compile my changes with make test and make install, I got a linker error:
../libcrypto.a(v3_alt.o):v3_alt.c:(.text+0x2478): more undefined references to `strlcpy' follow collect2: error: ld returned 1 exit status.
I tried various things, but in the end, I had to be missing a library. Since Ubuntu 14.04 does not have ia32-libs, I went and downloaded the package ia32-libs-multiarch_20090808ubuntu36_i386.deb from the Precise repository and installed it with dpkg:
dpkg -i ia32-libs-multiarch_20090808ubuntu36_i386.deb
which will fail. That result is fine because I knew it would fail a dependency check. I then ran apt-get -f install which installed all dependencies. There were a lot, 30-40 or more 32-bit libraries installed. By the time I had done this, I had downloaded the original Ubuntu source package, openssl-1.0.1f and modified it. So, the quick and dirty way is:
1. install ia32-libs-multiarch_20090808ubuntu36_i386.deb, then
2. apt-get source openssl, followed by
3. apt-get build-dep openssl,
4. modify the openssl source code using hints from the libressl project, and
5. apt-get -b source openssl.
You can run scan-build before and after you compile the debian packages to see how many bugs you've eliminated. This bug fix just shifted the segmentation fault from openssl to a glibc library function which tells me that glibc probably needs fixing as well. The openssl crash is triggered by the following code:
sudo echo ZW5jb2RlIG1lCg================================================================== | openssl enc -d -base64
This bug has been known for three years, and until now, it was not fixed. Kudos to the openBSD developers. I wish I knew a more elegant way to determine which library is missing, but I am still ignorant at this time. This framework will allow you to at least follow along with the libressl developers and give you an idea how to find and fix bugs in Linux programs. I should add that to do it properly, you should be making changes using either subversion or git. I just was curious about how difficult it would be. It is not really that hard provided you have all the 32-bit libraries you need to compile the openssl and libssl packages.
scan-build -o /home/jbmoore/openssl-bugs make -j4
The o option tells scan-build where to send its output. Upon completion, you are given a command to run:
scan-view /home/jbmoore/openssl-bugs/2014-05-04-181351-14781-1
which displays the results in a browser.
I then modified the source files based on code snippets from OpenSSL Valhalla Rampage. I reran the scanner to see if some of the bugs disappeared and they had. When I tried to compile my changes with make test and make install, I got a linker error:
../libcrypto.a(v3_alt.o):v3_alt.c:(.text+0x2478): more undefined references to `strlcpy' follow collect2: error: ld returned 1 exit status.
I tried various things, but in the end, I had to be missing a library. Since Ubuntu 14.04 does not have ia32-libs, I went and downloaded the package ia32-libs-multiarch_20090808ubuntu36_i386.deb from the Precise repository and installed it with dpkg:
dpkg -i ia32-libs-multiarch_20090808ubuntu36_i386.deb
which will fail. That result is fine because I knew it would fail a dependency check. I then ran apt-get -f install which installed all dependencies. There were a lot, 30-40 or more 32-bit libraries installed. By the time I had done this, I had downloaded the original Ubuntu source package, openssl-1.0.1f and modified it. So, the quick and dirty way is:
1. install ia32-libs-multiarch_20090808ubuntu36_i386.deb, then
2. apt-get source openssl, followed by
3. apt-get build-dep openssl,
4. modify the openssl source code using hints from the libressl project, and
5. apt-get -b source openssl.
You can run scan-build before and after you compile the debian packages to see how many bugs you've eliminated. This bug fix just shifted the segmentation fault from openssl to a glibc library function which tells me that glibc probably needs fixing as well. The openssl crash is triggered by the following code:
sudo echo ZW5jb2RlIG1lCg================================================================== | openssl enc -d -base64
This bug has been known for three years, and until now, it was not fixed. Kudos to the openBSD developers. I wish I knew a more elegant way to determine which library is missing, but I am still ignorant at this time. This framework will allow you to at least follow along with the libressl developers and give you an idea how to find and fix bugs in Linux programs. I should add that to do it properly, you should be making changes using either subversion or git. I just was curious about how difficult it would be. It is not really that hard provided you have all the 32-bit libraries you need to compile the openssl and libssl packages.