[OE-core] [PATCH 0/1] openssl: update to 1.0.2i (CVE-2016-6304 and more)

Patrick Ohly patrick.ohly at intel.com
Fri Sep 23 13:19:14 UTC 2016


On Fri, 2016-09-23 at 15:11 +0300, Alexander Kanavin wrote:
> On 09/23/2016 01:27 PM, Patrick Ohly wrote:
> >
> > There is one FAIL:
> >
> > ../util/shlib_wrap.sh ./dtlstest ../apps/server.pem ../apps/server.pem
> > Starting Test 0
> > Failed to load server certificate
> > Unable to create SSL_CTX pair
> > make[2]: Leaving directory '/usr/lib/openssl/ptest/test'
> > FAIL: test_dtls
> >
> > That's because server.pem wasn't installed. I'll fix that.
> >
> > However, ptest-runner returns with 0, i.e. success? Should it do that?
> 
> What does the failing test itself return? After checking the 
> ptest-runner source code, it shouldn't return 0 if one of the tests it 
> runs fails with a non-zero exit.

openssl's test/Makefile is the culprit:

alltests:
        @(for i in $(all-tests); do \
        ( $(MAKE) $$i && echo "PASS: $$i" ) || echo "FAIL: $$i"; \
        done)

If any test fails, it'll print FAIL, but won't cause make to fail and
thus the error never results in a non-zero exit code anywhere.

Here's a version which reports the problem via the return code:

alltests:
        @(result=0; for i in $(all-tests); do \
        if $(MAKE) $$i; then echo "PASS: $$i"; else echo "FAIL: $$i"; result=1; fi; \
        done; exit $$result)

OpenSSL seems to rely on output checking. Not sure whether a patch
changing that would be accepted.

How are ptests used in the autobuilders? Does the return code of
ptest-runner matter, or is the output checked for ^PASS|SKIP|FAIL?

Speaking of the autobuilders and openssl-ptest in general, has no-one
noticed before that occasionally tests fail because file time stamps
imply that recompilation is needed? I got that a few times now and will
send a fix. I'm just wondering why that wasn't a problem earlier.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.
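
The two alltests loops quoted in the message above, reduced to plain shell so their exit status can be compared; this is an added example, not part of the original post or of OpenSSL's Makefile. The function names and the two stand-in tests (t_ssl, t_dtls) are hypothetical, and status_from_output shows the output-based check (matching ^FAIL) that the message asks about.

```shell
# Constructed stand-ins for "$(MAKE) $$i"; t_dtls always fails.
t_ssl()  { return 0; }
t_dtls() { echo "Failed to load server certificate" >&2; return 1; }

# Original pattern: "( cmd && echo PASS ) || echo FAIL".
# The trailing echo succeeds, so every iteration ends with status 0
# and the loop as a whole reports success even when a test failed.
run_masked() {
    for i in "$@"; do
        ( "$i" && echo "PASS: $i" ) || echo "FAIL: $i"
    done
}

# Patched pattern: remember any failure and return it after the loop,
# so all tests still run but the caller sees a non-zero status.
run_propagating() {
    result=0
    for i in "$@"; do
        if "$i"; then echo "PASS: $i"; else echo "FAIL: $i"; result=1; fi
    done
    return $result
}

# Output check for a runner whose exit code cannot be trusted:
# read the PASS/FAIL lines on stdin and return 1 if any line is a FAIL.
status_from_output() {
    if grep -q '^FAIL:'; then return 1; fi
    return 0
}
```

A harness that only looks at the exit code needs the second form; one that parses the output works with either, as long as every test prints exactly one result line.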





