Fix compilation error in JWT using const_cast.#18475
Conversation
soheilhy
added
the
release notes: no
I got this error on an unrelated patch, and I believe the Distribution
Test is broken:
/var/local/git/grpc/src/core/lib/security/credentials/jwt/jwt_verifier.cc:628:57: error: invalid conversion from 'const uint8_t* {aka const unsigned char*}' to 'unsigned char*' [-fpermissive]
GRPC_SLICE_LENGTH(signature)) != 1) {
^
In file included from /usr/include/openssl/pem.h:69:0,
from /var/local/git/grpc/src/core/lib/security/credentials/jwt/jwt_verifier.cc:35:
/usr/include/openssl/evp.h:642:5: note: initializing argument 2 of 'int EVP_DigestVerifyFinal(EVP_MD_CTX*, unsigned char*, size_t)'
int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, unsigned char *sig, size_t siglen);
|
I think there are many build failures from openssl https://source.cloud.google.com/results/invocations/150afc8a-de46-4b66-93b9-0486a2687ad7/targets/grpc%2Fcore%2Fpull_request%2Flinux%2Fgrpc_distribtests_standalone/log Was there a recent update? |
vjpai
left a comment
vjpai
left a comment
There was a problem hiding this comment.
LGTM for code quality but please get an approval from @yihuazhang or @jiangtaoli2016
|
It looks like there are still distrib test failures that are also SSL related.... |
|
Yes exactly that's why I didn't merge this patch. I think someone from
security team should take a look. I'm not sure if the new changes have any
correctness issues.
…On Tue, Mar 26, 2019, 2:07 PM Vijay Pai ***@***.***> wrote:
It looks like there are still distrib test failures that are also SSL
related....
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#18475 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAYGhQkCIqiA815kxRsZk5-OUO6AgBFaks5vamHtgaJpZM4cDUbz>
.
|
|
Sorry for the delay. I am looking at the issue now. |
|
Thank you!
…On Tue, Mar 26, 2019, 2:27 PM yihuaz ***@***.***> wrote:
Sorry for the delay. I am looking at the issue now.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#18475 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AAYGhSPiekPUblQNDKxaZKmIeLFEEtdcks5vamaXgaJpZM4cDUbz>
.
|
|
From the log of distribtests, I found the test is linking openssl 1.0.1t which is out of support and that's probably the reason for SSL-related failures. I think the changes in this PR may not be necessary if linking to the up-to-date version of openssl. |
|
Well, the issue is that Debian Jessie is still within LTS, and they do their own vendoring of OpenSSL 1.0.1 patches, so... And last time we broke Debian Jessie, we caused an official Google outage. |
|
So, I have verified the manual pages and the code of OpenSSL in Debian Jessie. The behavior of Still, I'm confused as to how this is only a problem now. What did we change? |
|
Thank you @nicolasnoble ! Yes, this patch is valid, but there will other errors if/when I submit this: I guess there are undefined macros and such, but haven't taken a closer look. |
|
I see. There's a recent PR then that broke OpenSSL 1.0.1. Let's dig this up. |
|
it is due to #17868 |
|
Thank you. So I will merge this PR, but would you be able to handle the rest of breakage? |
|
We security team always wanted a more comprehensive gRPC test coverage against boringSSL and various versions of OpenSSL. I made such request 1+ years ago. Not sure what is the progress. At least Distribution Tests Linux checks compilation error again old OpenSSL. Fix on the way. @soheilhy I will take care of it. |
|
Awesome! Thank you @jiangtaoli2016 ! |
|
Yes, this is really fishy. We had the OpenSSL 1.0.1 test in there for a long time, since it's literally our distribution test for Debian Jessie that's been here since almost forever. I can confirm this is caused by #17868, but I have no idea why it didn't break then: https://source.cloud.google.com/results/invocations/e6f81e28-5d34-4003-8889-14948c13f18e/log The same exact test ran then and went back green. @jtattermusch that's really odd. |
|
Ugh, I know exactly what's going on actually. Debian Jessie started shuffling things around in preparation of the LTS ending in June. The jessie-backports repository changed, and therefore, we've started picking up a DIFFERENT version of the Jessie libssl package. @murgatroid99 may have a better fix overall coming up by applying the solution from https://unix.stackexchange.com/questions/508724/failed-to-fetch-jessie-backports-repository @jiangtaoli2016 please hold off making further changes to TSI until we try this first. |
|
SG. @nicolasnoble Let me know if I need to make the change in SSL TSI. |
|
Alright, #18530 is properly fixing this. I'm not going to issue a revert of this one, but I'm glad to see that the problem was an external factor, and not our code. |
|
Awesome! @nicolasnoble FWIW, I wouldn't mind if you prefer reverting the hack here. |
6 participants
I got this error on an unrelated patch, and I believe the Distribution Test is broken: