Support initializing OpenSSL 1.1 #37772

Merged
merged 1 commit into from Nov 21, 2016

@bdrung
Contributor

bdrung commented Nov 18, 2016

salt-call fails to run with OpenSSL 1.1:

Traceback (most recent call last):
  File "/usr/bin/salt-call", line 11, in <module>
    salt_call()
  File "/usr/lib/python2.7/dist-packages/salt/scripts.py", line 346, in salt_call
    import salt.cli.call
  File "/usr/lib/python2.7/dist-packages/salt/cli/call.py", line 6, in <module>
    from salt.utils import parsers
  File "/usr/lib/python2.7/dist-packages/salt/utils/parsers.py", line 28, in <module>
    import salt.config as config
  File "/usr/lib/python2.7/dist-packages/salt/config/__init__.py", line 41, in <module>
    import salt.utils.sdb
  File "/usr/lib/python2.7/dist-packages/salt/utils/sdb.py", line 9, in <module>
    import salt.loader
  File "/usr/lib/python2.7/dist-packages/salt/loader.py", line 30, in <module>
    import salt.utils.event
  File "/usr/lib/python2.7/dist-packages/salt/utils/event.py", line 72, in <module>
    import salt.payload
  File "/usr/lib/python2.7/dist-packages/salt/payload.py", line 17, in <module>
    import salt.crypt
  File "/usr/lib/python2.7/dist-packages/salt/crypt.py", line 42, in <module>
    import salt.utils.rsax931
  File "/usr/lib/python2.7/dist-packages/salt/utils/rsax931.py", line 69, in <module>
    libcrypto = _init_libcrypto()
  File "/usr/lib/python2.7/dist-packages/salt/utils/rsax931.py", line 63, in _init_libcrypto
    libcrypto.OPENSSL_no_config()
  File "/usr/lib/python2.7/ctypes/__init__.py", line 375, in __getattr__
    func = self.__getitem__(name)
  File "/usr/lib/python2.7/ctypes/__init__.py", line 380, in __getitem__
    func = self._FuncPtr((name_or_ordinal, self))
AttributeError: /lib/x86_64-linux-gnu/libcrypto.so.1.1: undefined symbol: OPENSSL_no_config

OpenSSL 1.1 replaced the symbols OPENSSL_no_config and OPENSSL_add_all_algorithms_noconf by OPENSSL_init_crypto and added these definitions:

# define OPENSSL_no_config() \
    OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL)
#  define OPENSSL_add_all_algorithms_noconf() \
    OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
                        | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL)

These definitions can only be used when compiling the source code, but not when loading the symbols dynamically. Thus salt needs to adapt the initialization for OpenSSL 1.1. Try to use OPENSSL_init_crypto (which was introduced in OpenSSL 1.1) and fall back to the previous behavior for OpenSSL 1.0 and older (when OPENSSL_init_crypto is not found).

You can easily reproduce the issue on Debian unstable by running

apt install salt-master
salt-call

Bug-Debian: https://bugs.debian.org/844503

@bdrung bdrung force-pushed the bdrung:openssl1.1 branch from 16f8527 to 8e9d7cd Nov 18, 2016

Support initializing OpenSSL 1.1
salt-call fails to run with OpenSSL 1.1:

Traceback (most recent call last):
  File "/usr/bin/salt-call", line 11, in <module>
    salt_call()
  File "/usr/lib/python2.7/dist-packages/salt/scripts.py", line 346, in salt_call
    import salt.cli.call
  File "/usr/lib/python2.7/dist-packages/salt/cli/call.py", line 6, in <module>
    from salt.utils import parsers
  File "/usr/lib/python2.7/dist-packages/salt/utils/parsers.py", line 28, in <module>
    import salt.config as config
  File "/usr/lib/python2.7/dist-packages/salt/config/__init__.py", line 41, in <module>
    import salt.utils.sdb
  File "/usr/lib/python2.7/dist-packages/salt/utils/sdb.py", line 9, in <module>
    import salt.loader
  File "/usr/lib/python2.7/dist-packages/salt/loader.py", line 30, in <module>
    import salt.utils.event
  File "/usr/lib/python2.7/dist-packages/salt/utils/event.py", line 72, in <module>
    import salt.payload
  File "/usr/lib/python2.7/dist-packages/salt/payload.py", line 17, in <module>
    import salt.crypt
  File "/usr/lib/python2.7/dist-packages/salt/crypt.py", line 42, in <module>
    import salt.utils.rsax931
  File "/usr/lib/python2.7/dist-packages/salt/utils/rsax931.py", line 69, in <module>
    libcrypto = _init_libcrypto()
  File "/usr/lib/python2.7/dist-packages/salt/utils/rsax931.py", line 63, in _init_libcrypto
    libcrypto.OPENSSL_no_config()
  File "/usr/lib/python2.7/ctypes/__init__.py", line 375, in __getattr__
    func = self.__getitem__(name)
  File "/usr/lib/python2.7/ctypes/__init__.py", line 380, in __getitem__
    func = self._FuncPtr((name_or_ordinal, self))
AttributeError: /lib/x86_64-linux-gnu/libcrypto.so.1.1: undefined symbol: OPENSSL_no_config

OpenSSL 1.1 replaced the symbols OPENSSL_no_config and
OPENSSL_add_all_algorithms_noconf by OPENSSL_init_crypto and added these
definitions:

    OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL)
    OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
                        | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL)

These definitions can only be used when compiling the source code, but
not when loading the symbols dynamically. Thus salt needs to adapt the
initialization for OpenSSL 1.1. Try to use OPENSSL_init_crypto (which
was introduced in OpenSSL 1.1) and fall back to the previous behavior
for OpenSSL 1.0 and older (when OPENSSL_init_crypto is not found).

You can easily reproduce the issue on Debian unstable by running

    apt install salt-master
    salt-call

Bug-Debian: https://bugs.debian.org/844503

@bdrung bdrung force-pushed the bdrung:openssl1.1 branch from 8e9d7cd to 819c965 Nov 18, 2016
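
The try-then-fall-back initialization described in the pull request and commit message above, as an added Python example (not the code from the merged commit). `init_libcrypto`, `fake_libcrypto` and the returned labels are names chosen here; the option values are the `OPENSSL_INIT_*` bits from OpenSSL 1.1's `<openssl/crypto.h>`, and the stand-in library is constructed so both branches run without a particular OpenSSL installed.

```python
import ctypes
import ctypes.util
import types

# Option bits from OpenSSL 1.1's <openssl/crypto.h>; these are the flags the
# compatibility macros quoted above expand to.
OPENSSL_INIT_ADD_ALL_CIPHERS = 0x00000004
OPENSSL_INIT_ADD_ALL_DIGESTS = 0x00000008
OPENSSL_INIT_NO_LOAD_CONFIG = 0x00000080


def init_libcrypto(lib):
    """Initialise a loaded libcrypto handle; return which API was used."""
    try:
        # Looking the symbol up is what raises AttributeError in ctypes.
        init = lib.OPENSSL_init_crypto  # exported by OpenSSL 1.1 and newer
    except AttributeError:
        # OpenSSL 1.0 and older: the legacy names are real exported symbols.
        lib.OPENSSL_no_config()
        lib.OPENSSL_add_all_algorithms_noconf()
        return "legacy"
    # int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *s)
    init.argtypes = [ctypes.c_uint64, ctypes.c_void_p]
    init.restype = ctypes.c_int
    opts = (OPENSSL_INIT_NO_LOAD_CONFIG
            | OPENSSL_INIT_ADD_ALL_CIPHERS
            | OPENSSL_INIT_ADD_ALL_DIGESTS)
    if init(opts, None) != 1:  # returns 1 on success
        raise OSError("OPENSSL_init_crypto failed")
    return "init_crypto"


def fake_libcrypto(symbols):
    """Constructed stand-in for a ctypes.CDLL that exports only `symbols`."""
    calls = []

    def make(name):
        def fn(*args):
            calls.append((name,) + args)
            return 1
        return fn

    lib = types.SimpleNamespace(**{name: make(name) for name in symbols})
    lib.calls = calls  # record of every call made through the stand-in
    return lib


if __name__ == "__main__":
    path = ctypes.util.find_library("crypto")
    if path:  # exercise the real library when one is installed
        print(path, init_libcrypto(ctypes.CDLL(path)))
```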

@tobiasBora

tobiasBora commented Nov 20, 2016

I confirm that I would need such a pull request, I cannot install stack on all devices running Debian unstable for 3 days. Thank you!

@aphor

Contributor

aphor commented Nov 20, 2016

+1

Nitpicking:

All this misses is maybe a comment around the OpenSSL 1.1 init calls to make it easy for others to find and update just in case OpenSSL 1.1 initialization API isn't as stable as we think today, and also to help identify the legacy OpenSSL init in case the old OpenSSL gets deprecated for security reasons.

Otherwise I love this.

@rallytime

Contributor

rallytime commented Nov 21, 2016

@thatch45 and @msteed Can you guys review this change?

@thatch45 thatch45 merged commit 485270f into saltstack:2016.3 Nov 21, 2016

6 checks passed

default Build finished.
jenkins/PR/salt-pr-clone Pull Requests » Salt PR - Clone #7056 — SUCCESS
jenkins/PR/salt-pr-docs-n Pull Requests » salt-pr-docs-n #2357 — SUCCESS
jenkins/PR/salt-pr-linode-ubuntu14-n Pull Requests » Salt Linode Ubuntu14.04 #6704 — SUCCESS
jenkins/PR/salt-pr-lint-n Pull Requests » Salt PR - Code Lint #6883 — SUCCESS
jenkins/PR/salt-pr-rs-cent7-n Pull Requests » Salt PR - RS CentOS 7 #7030 — SUCCESS

@bdrung bdrung deleted the bdrung:openssl1.1 branch Nov 24, 2016

@heini

Contributor

heini commented Nov 29, 2016

Seems this didn't make it into 2016.11.0. RC2 was working fine, though.

@heini

Contributor

heini commented Nov 29, 2016

Correction: Just got openssl-1.1 at the same time. RC2 is affected, too.

@cedwards

Member

cedwards commented Dec 4, 2016

Can we get this added to 2016.11.x? @rallytime

@heini

Contributor

heini commented Dec 4, 2016

In fact, it already is. It just hasn't been released, yet.

uqs pushed a commit to freebsd/freebsd-ports that referenced this pull request Dec 5, 2016

swills
sysutils/py-salt : update to 2016.3.4
While here, fix OpenSSL 1.1 compatibility

PR:		214786
PR:		214998
PR:		215051
Submitted by:	Christer Edwards <christer.edwards@gmail.com> (maintainer)
Reported by:	Melvyn Sopacua <m.r.sopacua@gmail.com> (214998)
Obtained from:	saltstack/salt#37772 (215051)


git-svn-id: svn+ssh://svn.freebsd.org/ports/head@427901 35697150-7ecd-e111-bb59-0022644237b5

mat813 pushed a commit to mat813/freebsd-ports that referenced this pull request Dec 5, 2016

@rallytime

Contributor

rallytime commented Dec 5, 2016

Yeah, this has already been merged-forward to 2016.11. It will be available in the 2016.11.1 release.

girgen added a commit to pingpong-lms/freebsd-ports that referenced this pull request Dec 6, 2016
