Upgrade openssl to 1.1.1k for CVE-2021-3450 #5386

Closed
debraj-manna opened this issue Aug 14, 2021 · 9 comments

@debraj-manna

FoundationDB 6.2.30 and even the latest 6.3.18 are using OpenSSL 1.1.1h, which has the vulnerability explained in CVE-2021-3450. OpenSSL should be upgraded to at least 1.1.1k.

Relevant discussion in forum.

@jzhou77
Contributor

jzhou77 commented Aug 16, 2021

https://github.com/apple/foundationdb/blob/3d81fd490ff6179e7d5a447215053355d5be407a/documentation/sphinx/source/release-notes/release-notes-620.rst
says at 6.2.30, we switched the main repo to use BoringSSL. Can you elaborate how you detect this OpenSSL issue? Maybe we didn't switch to BoringSSL as intended?

@sfc-gh-almiller
Collaborator

sfc-gh-almiller commented Aug 17, 2021

I had looked at the build/Dockerfile, which still appeared to specify openssl 1.1.1h. Is that no longer an accurate reflection of the dependencies?

Even the latest foundationdb/devel Docker image appears to still be using OpenSSL 1.1.1h.

@jzhou77 jzhou77 assigned ammolitor and unassigned sears Aug 17, 2021
@jzhou77
Contributor

jzhou77 commented Aug 17, 2021

@ammolitor Since we switched to BoringSSL, maybe we can remove OpenSSL from the Docker files as a dependency?

@sfc-gh-almiller
Collaborator

@jzhou77, could you please link the layer in the docker image that shows the download and installation of boringssl, or where the build environment is configured to provide it? I can't seem to find it. Even fdb-build-support appears to point to openssl: https://github.com/FoundationDB/fdb-build-support/blob/697af75ce38d0131e70890b0a02773ee6b74e88d/docker/centos7/Dockerfile#L152 ?

@jzhou77
Contributor

jzhou77 commented Aug 17, 2021

If you look at the build/Dockerfile, BoringSSL is installed:

```dockerfile
# install BoringSSL: TODO: They don't seem to have releases(?) I picked today's master SHA.
RUN cd /opt &&\
git clone https://boringssl.googlesource.com/boringssl &&\
cd boringssl &&\
git checkout e796cc65025982ed1fb9ef41b3f74e8115092816 &&\
mkdir build
# ninja doesn't respect CXXFLAGS, and the boringssl CMakeLists doesn't expose an option to define __STDC_FORMAT_MACROS
# also, enable -fPIC.
# this is moderately uglier than creating a patchfile, but easier to maintain.
RUN cd /opt/boringssl &&\
for f in crypto/fipsmodule/rand/fork_detect_test.cc \
include/openssl/bn.h \
ssl/test/bssl_shim.cc ; do \
perl -p -i -e 's/#include <inttypes.h>/#define __STDC_FORMAT_MACROS 1\n#include <inttypes.h>/g;' $f ; \
done &&\
perl -p -i -e 's/-Werror/-Werror -fPIC/' CMakeLists.txt &&\
git diff
RUN cd /opt/boringssl/build &&\
scl enable devtoolset-8 rh-python36 rh-ruby24 -- cmake -GNinja -DCMAKE_BUILD_TYPE=Release .. &&\
scl enable devtoolset-8 rh-python36 rh-ruby24 -- ninja &&\
./ssl/ssl_test &&\
mkdir -p ../lib && cp crypto/libcrypto.a ssl/libssl.a ../lib
```

@sfc-gh-almiller
Collaborator

🤦‍♂️

It appears I was confused by the disappearance of build/ from master. Thanks!

@debraj-manna
Author

Our appcheck on FoundationDB 6.2.30 (Ubuntu packages) is flagging the presence of OpenSSL 1.1.1h in fdbcli, fdbserver and backup_agent.

@jzhou77 @sfc-gh-almiller - If I follow the discussion, FoundationDB has switched to BoringSSL but OpenSSL 1.1.1h is still present as a dependency and may be removed. Is my understanding correct?

@jzhou77
Contributor

jzhou77 commented Aug 18, 2021

@debraj-manna Yes, your understanding is correct. It seems that the switch-to-BoringSSL change was lost in the https://github.com/FoundationDB/fdb-build-support/ repo. The 6.2.30 release (and probably all other releases as well) did not pick up BoringSSL and used OpenSSL instead.
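The kind of check debraj-manna's appcheck performed, written out as an added example (not part of this issue or of FoundationDB's tooling): scan a binary's raw bytes for the embedded OpenSSL version text and tell it apart from BoringSSL's "(compatible; BoringSSL)" banner, so a build that silently linked OpenSSL 1.1.1h can be spotted even when the Dockerfile says BoringSSL. The two sample byte strings are constructed stand-ins for fdbserver string tables, and the affected range 1.1.1h to 1.1.1j comes from the CVE-2021-3450 advisory rather than from this thread.

```python
"""Tell a build that really linked BoringSSL from one that embeds OpenSSL 1.1.1h."""
import re
import sys
from typing import Dict, Set, Tuple

Version = Tuple[int, int, int, str]
# CVE-2021-3450 was introduced in OpenSSL 1.1.1h and fixed in 1.1.1k.
FIRST_AFFECTED: Version = (1, 1, 1, "h")
FIRST_FIXED: Version = (1, 1, 1, "k")
# Both libraries embed OPENSSL_VERSION_TEXT as a NUL-terminated string, e.g.
# "OpenSSL 1.1.1h  22 Sep 2020" or "OpenSSL 1.1.1 (compatible; BoringSSL)".
# Group 5 captures the rest of that string so the two can be told apart.
VERSION_TEXT = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)([^\x00]*)")

def format_version(v: Version) -> str:
    return f"{v[0]}.{v[1]}.{v[2]}{v[3]}"

def is_affected(v: Version) -> bool:
    """True for the 1.1.1h..1.1.1j releases that CVE-2021-3450 applies to."""
    return FIRST_AFFECTED <= v < FIRST_FIXED

def scan_blob(data: bytes) -> Dict[str, object]:
    boringssl = False
    versions: Set[Version] = set()
    for m in VERSION_TEXT.finditer(data):
        if b"BoringSSL" in m.group(5):
            boringssl = True  # BoringSSL's compatibility banner, not an OpenSSL build
            continue
        versions.add((int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4).decode()))
    return {
        "boringssl": boringssl,
        "openssl_versions": sorted(format_version(v) for v in versions),
        "cve_2021_3450": any(is_affected(v) for v in versions),
    }

def scan_file(path: str) -> Dict[str, object]:
    with open(path, "rb") as fh:
        return scan_blob(fh.read())

# Constructed stand-ins for the string tables of two fdbserver builds (not real binaries).
BUILD_WITH_OPENSSL = b"\x7fELF\x00fdbserver\x00OpenSSL 1.1.1h  22 Sep 2020\x00"
BUILD_WITH_BORINGSSL = b"\x7fELF\x00fdbserver\x00OpenSSL 1.1.1 (compatible; BoringSSL)\x00"

if __name__ == "__main__":
    # Usage: python check_tls_lib.py fdbcli fdbserver backup_agent
    for path in sys.argv[1:]:
        print(path, scan_file(path))
    if len(sys.argv) == 1:
        print("openssl build:  ", scan_blob(BUILD_WITH_OPENSSL))
        print("boringssl build:", scan_blob(BUILD_WITH_BORINGSSL))
```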

@ammolitor
Contributor

FoundationDB/fdb-build-support#19 resolves this for 7.x.x and newer builds.
