From 819c9658ed5d1eb80b8d48e6a033268340aa4445 Mon Sep 17 00:00:00 2001 |
|
|
From: Benjamin Drung <benjamin.drung@profitbricks.com> |
Date: Fri, 18 Nov 2016 14:41:19 +0100 |
Subject: [PATCH] Support initializing OpenSSL 1.1 |
|
salt-call fails to run with OpenSSL 1.1: |
|
Traceback (most recent call last): |
File "/usr/bin/salt-call", line 11, in <module> |
salt_call() |
File "/usr/lib/python2.7/dist-packages/salt/scripts.py", line 346, in salt_call |
import salt.cli.call |
File "/usr/lib/python2.7/dist-packages/salt/cli/call.py", line 6, in <module> |
from salt.utils import parsers |
File "/usr/lib/python2.7/dist-packages/salt/utils/parsers.py", line 28, in <module> |
import salt.config as config |
File "/usr/lib/python2.7/dist-packages/salt/config/__init__.py", line 41, in <module> |
import salt.utils.sdb |
File "/usr/lib/python2.7/dist-packages/salt/utils/sdb.py", line 9, in <module> |
import salt.loader |
File "/usr/lib/python2.7/dist-packages/salt/loader.py", line 30, in <module> |
import salt.utils.event |
File "/usr/lib/python2.7/dist-packages/salt/utils/event.py", line 72, in <module> |
import salt.payload |
File "/usr/lib/python2.7/dist-packages/salt/payload.py", line 17, in <module> |
import salt.crypt |
File "/usr/lib/python2.7/dist-packages/salt/crypt.py", line 42, in <module> |
import salt.utils.rsax931 |
File "/usr/lib/python2.7/dist-packages/salt/utils/rsax931.py", line 69, in <module> |
libcrypto = _init_libcrypto() |
File "/usr/lib/python2.7/dist-packages/salt/utils/rsax931.py", line 63, in _init_libcrypto |
libcrypto.OPENSSL_no_config() |
File "/usr/lib/python2.7/ctypes/__init__.py", line 375, in __getattr__ |
func = self.__getitem__(name) |
File "/usr/lib/python2.7/ctypes/__init__.py", line 380, in __getitem__ |
func = self._FuncPtr((name_or_ordinal, self)) |
AttributeError: /lib/x86_64-linux-gnu/libcrypto.so.1.1: undefined symbol: OPENSSL_no_config |
|
OpenSSL 1.1 replaced the symbols OPENSSL_no_config and |
OPENSSL_add_all_algorithms_noconf by OPENSSL_init_crypto and added these |
definitions: |
|
OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL) |
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS \ |
| OPENSSL_INIT_ADD_ALL_DIGESTS, NULL) |
|
These definitions can only be used when compiling the source code, but |
not when loading the symbols dynamically. Thus salt needs to adapt the |
initialization for OpenSSL 1.1. Try to use OPENSSL_init_crypto (which |
was introduced in OpenSSL 1.1) and fall back to the previous behavior |
for OpenSSL 1.0 and older (when OPENSSL_init_crypto is not found). |
|
You can easily reproduce the issue on Debian unstable by running |
|
apt install salt-master |
salt-call |
|
Bug-Debian: https://bugs.debian.org/844503 |
--- |
salt/utils/rsax931.py | 16 ++++++++++++++-- |
1 file changed, 14 insertions(+), 2 deletions(-) |
|
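--- a/salt/utils/rsax931.py
+++ b/salt/utils/rsax931.py
@@ -16,6 +16,11 @@ import salt.utils
 from ctypes import cdll, c_char_p, c_int, c_void_p, pointer, create_string_buffer
 from ctypes.util import find_library
 
+# Constants taken from openssl-1.1.0c/include/openssl/crypto.h
+OPENSSL_INIT_ADD_ALL_CIPHERS = 0x00000004
+OPENSSL_INIT_ADD_ALL_DIGESTS = 0x00000008
+OPENSSL_INIT_NO_LOAD_CONFIG = 0x00000080
+
 
 def _load_libcrypto():
 '''
@@ -60,8 +65,15 @@ def _init_libcrypto():
 libcrypto.RSA_private_encrypt.argtypes = (c_int, c_char_p, c_char_p, c_void_p, c_int)
 libcrypto.RSA_public_decrypt.argtypes = (c_int, c_char_p, c_char_p, c_void_p, c_int)
 
- libcrypto.OPENSSL_no_config()
- libcrypto.OPENSSL_add_all_algorithms_noconf()
+ try:
+ if libcrypto.OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG |
+ OPENSSL_INIT_ADD_ALL_CIPHERS |
+ OPENSSL_INIT_ADD_ALL_DIGESTS, None) != 1:
+ raise OSError("Failed to initialize OpenSSL library (OPENSSL_init_crypto failed)")
+ except AttributeError:
+ # Support for OpenSSL < 1.1 (OPENSSL_API_COMPAT < 0x10100000L)
+ libcrypto.OPENSSL_no_config()
+ libcrypto.OPENSSL_add_all_algorithms_noconf()
 
 return libcrypto
 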
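Review bot: The new `OPENSSL_init_crypto` call in the second hunk is made without a declared ctypes prototype, although the two `RSA_*` functions directly above it get explicit `argtypes`. OpenSSL 1.1 declares the first parameter as a 64-bit `uint64_t`, while ctypes passes an undeclared Python integer as a C `int`, so on ABIs where those sizes differ (32-bit builds, for example) the callee may read the flags and the settings pointer from the wrong argument slots. Inside the `try`, before the call, add `libcrypto.OPENSSL_init_crypto.argtypes = (c_uint64, c_void_p)` and extend the `from ctypes import ...` line in the first hunk with `c_uint64`; the attribute lookup still raises `AttributeError` on older libraries, so the fallback keeps working. A one-line comment that `OPENSSL_INIT_NO_LOAD_CONFIG` is deliberate (it appears to preserve the old `OPENSSL_no_config()` behaviour of not reading an OpenSSL configuration file) would help later maintainers. The body of `_init_libcrypto` starts outside the hunk.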
-- |
2.10.1 |
|