|
Added
Link Here
|
| 0 |
- |
1 |
From 819c9658ed5d1eb80b8d48e6a033268340aa4445 Mon Sep 17 00:00:00 2001 |
|
|
2 |
From: Benjamin Drung <benjamin.drung@profitbricks.com> |
| 3 |
Date: Fri, 18 Nov 2016 14:41:19 +0100 |
| 4 |
Subject: [PATCH] Support initializing OpenSSL 1.1 |
| 5 |
|
| 6 |
salt-call fails to run with OpenSSL 1.1: |
| 7 |
|
| 8 |
Traceback (most recent call last): |
| 9 |
File "/usr/bin/salt-call", line 11, in <module> |
| 10 |
salt_call() |
| 11 |
File "/usr/lib/python2.7/dist-packages/salt/scripts.py", line 346, in salt_call |
| 12 |
import salt.cli.call |
| 13 |
File "/usr/lib/python2.7/dist-packages/salt/cli/call.py", line 6, in <module> |
| 14 |
from salt.utils import parsers |
| 15 |
File "/usr/lib/python2.7/dist-packages/salt/utils/parsers.py", line 28, in <module> |
| 16 |
import salt.config as config |
| 17 |
File "/usr/lib/python2.7/dist-packages/salt/config/__init__.py", line 41, in <module> |
| 18 |
import salt.utils.sdb |
| 19 |
File "/usr/lib/python2.7/dist-packages/salt/utils/sdb.py", line 9, in <module> |
| 20 |
import salt.loader |
| 21 |
File "/usr/lib/python2.7/dist-packages/salt/loader.py", line 30, in <module> |
| 22 |
import salt.utils.event |
| 23 |
File "/usr/lib/python2.7/dist-packages/salt/utils/event.py", line 72, in <module> |
| 24 |
import salt.payload |
| 25 |
File "/usr/lib/python2.7/dist-packages/salt/payload.py", line 17, in <module> |
| 26 |
import salt.crypt |
| 27 |
File "/usr/lib/python2.7/dist-packages/salt/crypt.py", line 42, in <module> |
| 28 |
import salt.utils.rsax931 |
| 29 |
File "/usr/lib/python2.7/dist-packages/salt/utils/rsax931.py", line 69, in <module> |
| 30 |
libcrypto = _init_libcrypto() |
| 31 |
File "/usr/lib/python2.7/dist-packages/salt/utils/rsax931.py", line 63, in _init_libcrypto |
| 32 |
libcrypto.OPENSSL_no_config() |
| 33 |
File "/usr/lib/python2.7/ctypes/__init__.py", line 375, in __getattr__ |
| 34 |
func = self.__getitem__(name) |
| 35 |
File "/usr/lib/python2.7/ctypes/__init__.py", line 380, in __getitem__ |
| 36 |
func = self._FuncPtr((name_or_ordinal, self)) |
| 37 |
AttributeError: /lib/x86_64-linux-gnu/libcrypto.so.1.1: undefined symbol: OPENSSL_no_config |
| 38 |
|
| 39 |
OpenSSL 1.1 replaced the symbols OPENSSL_no_config and |
| 40 |
OPENSSL_add_all_algorithms_noconf by OPENSSL_init_crypto and added these |
| 41 |
definitions: |
| 42 |
|
| 43 |
OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL) |
| 44 |
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \ |
| 45 |
| OPENSSL_INIT_ADD_ALL_DIGESTS, NULL) |
| 46 |
|
| 47 |
These definitions can only be used when compiling the source code, but |
| 48 |
not when loading the symbols dynamically. Thus salt needs to adapt the |
| 49 |
initialization for OpenSSL 1.1. Try to use OPENSSL_init_crypto (which |
| 50 |
was introduced in OpenSSL 1.1) and fall back to the previous behavior |
| 51 |
for OpenSSL 1.0 and older (when OPENSSL_init_crypto is not found). |
| 52 |
|
| 53 |
You can easily reproduce the issue on Debian unstable by running |
| 54 |
|
| 55 |
apt install salt-master |
| 56 |
salt-call |
| 57 |
|
| 58 |
Bug-Debian: https://bugs.debian.org/844503 |
| 59 |
--- |
| 60 |
salt/utils/rsax931.py | 16 ++++++++++++++-- |
| 61 |
1 file changed, 14 insertions(+), 2 deletions(-) |
| 62 |
|
| 63 |
diff --git a/salt/utils/rsax931.py b/salt/utils/rsax931.py |
| 64 |
index 9eb1f4a..bccdad6 100644 |
| 65 |
--- salt/utils/rsax931.py.orig |
| 66 |
+++ salt/utils/rsax931.py |
| 67 |
@@ -16,6 +16,11 @@ import salt.utils |
| 68 |
from ctypes import cdll, c_char_p, c_int, c_void_p, pointer, create_string_buffer |
| 69 |
from ctypes.util import find_library |
| 70 |
|
| 71 |
+# Constants taken from openssl-1.1.0c/include/openssl/crypto.h |
| 72 |
+OPENSSL_INIT_ADD_ALL_CIPHERS = 0x00000004 |
| 73 |
+OPENSSL_INIT_ADD_ALL_DIGESTS = 0x00000008 |
| 74 |
+OPENSSL_INIT_NO_LOAD_CONFIG = 0x00000080 |
| 75 |
+ |
| 76 |
|
| 77 |
def _load_libcrypto(): |
| 78 |
''' |
| 79 |
@@ -60,8 +65,15 @@ def _init_libcrypto(): |
| 80 |
libcrypto.RSA_private_encrypt.argtypes = (c_int, c_char_p, c_char_p, c_void_p, c_int) |
| 81 |
libcrypto.RSA_public_decrypt.argtypes = (c_int, c_char_p, c_char_p, c_void_p, c_int) |
| 82 |
|
| 83 |
- libcrypto.OPENSSL_no_config() |
| 84 |
- libcrypto.OPENSSL_add_all_algorithms_noconf() |
| 85 |
+ try: |
| 86 |
+ if libcrypto.OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG | |
| 87 |
+ OPENSSL_INIT_ADD_ALL_CIPHERS | |
| 88 |
+ OPENSSL_INIT_ADD_ALL_DIGESTS, None) != 1: |
| 89 |
+ raise OSError("Failed to initialize OpenSSL library (OPENSSL_init_crypto failed)") |
| 90 |
+ except AttributeError: |
| 91 |
+ # Support for OpenSSL < 1.1 (OPENSSL_API_COMPAT < 0x10100000L) |
| 92 |
+ libcrypto.OPENSSL_no_config() |
| 93 |
+ libcrypto.OPENSSL_add_all_algorithms_noconf() |
| 94 |
|
| 95 |
return libcrypto |
| 96 |
|
| 97 |
-- |
| 98 |
2.10.1 |
| 99 |
|