Support initializing OpenSSL 1.1 #37772

merged 1 commit into from Nov 21, 2016

@bdrung bdrung commented Nov 18, 2016

salt-call fails to run with OpenSSL 1.1:

Traceback (most recent call last):
  File "/usr/bin/salt-call", line 11, in <module>
    salt_call()
  File "/usr/lib/python2.7/dist-packages/salt/scripts.py", line 346, in salt_call
    import salt.cli.call
  File "/usr/lib/python2.7/dist-packages/salt/cli/call.py", line 6, in <module>
    from salt.utils import parsers
  File "/usr/lib/python2.7/dist-packages/salt/utils/parsers.py", line 28, in <module>
    import salt.config as config
  File "/usr/lib/python2.7/dist-packages/salt/config/__init__.py", line 41, in <module>
    import salt.utils.sdb
  File "/usr/lib/python2.7/dist-packages/salt/utils/sdb.py", line 9, in <module>
    import salt.loader
  File "/usr/lib/python2.7/dist-packages/salt/loader.py", line 30, in <module>
    import salt.utils.event
  File "/usr/lib/python2.7/dist-packages/salt/utils/event.py", line 72, in <module>
    import salt.payload
  File "/usr/lib/python2.7/dist-packages/salt/payload.py", line 17, in <module>
    import salt.crypt
  File "/usr/lib/python2.7/dist-packages/salt/crypt.py", line 42, in <module>
    import salt.utils.rsax931
  File "/usr/lib/python2.7/dist-packages/salt/utils/rsax931.py", line 69, in <module>
    libcrypto = _init_libcrypto()
  File "/usr/lib/python2.7/dist-packages/salt/utils/rsax931.py", line 63, in _init_libcrypto
    libcrypto.OPENSSL_no_config()
  File "/usr/lib/python2.7/ctypes/__init__.py", line 375, in __getattr__
    func = self.__getitem__(name)
  File "/usr/lib/python2.7/ctypes/__init__.py", line 380, in __getitem__
    func = self._FuncPtr((name_or_ordinal, self))
AttributeError: /lib/x86_64-linux-gnu/libcrypto.so.1.1: undefined symbol: OPENSSL_no_config

OpenSSL 1.1 replaced the symbols OPENSSL_no_config and OPENSSL_add_all_algorithms_noconf by OPENSSL_init_crypto and added these definitions:

# define OPENSSL_no_config() \
    OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL)
#  define OPENSSL_add_all_algorithms_noconf() \
    OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \
                        | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL)

These definitions can only be used when compiling the source code, but not when loading the symbols dynamically. Thus salt needs to adapt the initialization for OpenSSL 1.1. Try to use OPENSSL_init_crypto (which was introduced in OpenSSL 1.1) and fall back to the previous behavior for OpenSSL 1.0 and older (when OPENSSL_init_crypto is not found).

You can easily reproduce the issue on Debian unstable by running

apt install salt-master
salt-call

Bug-Debian: https://bugs.debian.org/844503
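
The fallback described above, sketched with ctypes as an added example (not code from this pull request or from Salt). The function names `init_libcrypto` and `load_and_init` are hypothetical; the flag values are the ones defined in OpenSSL 1.1's `<openssl/crypto.h>`.

```python
import ctypes
import ctypes.util

# Flag values as defined in OpenSSL 1.1's <openssl/crypto.h>.
OPENSSL_INIT_ADD_ALL_CIPHERS = 0x00000004
OPENSSL_INIT_ADD_ALL_DIGESTS = 0x00000008
OPENSSL_INIT_NO_LOAD_CONFIG = 0x00000080


def init_libcrypto(lib):
    """Initialise a loaded libcrypto handle and report which API was used.

    `lib` is a ctypes.CDLL (or any object exposing the same symbols).
    """
    try:
        # Exported only by OpenSSL >= 1.1; ctypes raises AttributeError otherwise.
        init = lib.OPENSSL_init_crypto
    except AttributeError:
        # OpenSSL 1.0 and older: the legacy names are real exported functions.
        lib.OPENSSL_no_config()
        lib.OPENSSL_add_all_algorithms_noconf()
        return "legacy"
    # int OPENSSL_init_crypto(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
    init.argtypes = (ctypes.c_uint64, ctypes.c_void_p)
    init.restype = ctypes.c_int
    # Same flags the two 1.1 macros expand to, passed in one call.
    opts = (OPENSSL_INIT_NO_LOAD_CONFIG
            | OPENSSL_INIT_ADD_ALL_CIPHERS
            | OPENSSL_INIT_ADD_ALL_DIGESTS)
    if init(opts, None) != 1:  # returns 1 on success, 0 on error
        raise OSError("OPENSSL_init_crypto failed")
    return "init_crypto"


def load_and_init():
    """Locate the system libcrypto, initialise it, and return (handle, api)."""
    name = ctypes.util.find_library("crypto")
    if name is None:
        raise OSError("libcrypto not found")
    lib = ctypes.CDLL(name)
    return lib, init_libcrypto(lib)


if __name__ == "__main__":
    print(load_and_init()[1])
```

Only the symbol lookup sits inside the `try`, so an `AttributeError` raised for any other reason is not mistaken for "this is OpenSSL 1.0".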

@tobiasBora

tobiasBora commented Nov 20, 2016

I confirm that I would need such a pull request; I cannot install stack on all devices running Debian unstable for 3 days. Thank you!

@aphor

aphor commented Nov 20, 2016

+1

Nitpicking:

All this misses is maybe a comment around the OpenSSL 1.1 init calls to make it easy for others to find and update just in case OpenSSL 1.1 initialization API isn't as stable as we think today, and also to help identify the legacy OpenSSL init in case the old OpenSSL gets deprecated for security reasons.

Otherwise I love this.

@rallytime

@thatch45 and @msteed Can you guys review this change?

@rallytime rallytime added the Pending-Discussion label Nov 21, 2016
@thatch45 thatch45 merged commit 485270f into saltstack:2016.3 Nov 21, 2016
@bdrung bdrung deleted the openssl1.1 branch November 24, 2016 12:56
@heini

heini commented Nov 29, 2016

Seems this didn't make it into 2016.11.0. RC2 was working fine, though.

@heini

heini commented Nov 29, 2016

Correction: Just got openssl-1.1 at the same time. RC2 is affected, too.

@cedwards

cedwards commented Dec 4, 2016

Can we get this added to 2016.11.x? @rallytime

@heini

heini commented Dec 4, 2016

In fact, it already is. It just hasn't been released, yet.

uqs pushed a commit to freebsd/freebsd-ports that referenced this pull request Dec 5, 2016
While here, fix OpenSSL 1.1 compatibility

PR:		214786
PR:		214998
PR:		215051
Submitted by:	Christer Edwards <christer.edwards@gmail.com> (maintainer)
Reported by:	Melvyn Sopacua <m.r.sopacua@gmail.com> (214998)
Obtained from:	saltstack/salt#37772 (215051)


git-svn-id: svn+ssh://svn.freebsd.org/ports/head@427901 35697150-7ecd-e111-bb59-0022644237b5
@rallytime

rallytime commented Dec 5, 2016

Yeah, this has already been merged-forward to 2016.11. It will be available in the 2016.11.1 release.

girgen pushed a commit to pingpong-lms/freebsd-ports that referenced this pull request Dec 6, 2016
nishkrishnan pushed a commit to lyft/salt that referenced this pull request Mar 24, 2021
svmhdvn pushed a commit to svmhdvn/freebsd-ports that referenced this pull request Jan 10, 2024