Make it build using OpenSSL 1.1.0

[kroeckx]

No description provided.

[Jakuje]

This is intentionally left out or like todo for future readers?

[kroeckx]

I've added the message I sent to the openssh-unix list about this. Does that clear things up?

[Jakuje]

Thank you. I noticed your message on the mailing list, but forgot to check it properly before commenting. Adding it here clears that up. Thank you.

[kroeckx]

It has the same regression tests failures as the master branch, and it has been tested with both 1.0.2 and 1.1.0.

Some comments about the patch:

• I've included an libcrypto-compat.c to add new functions from OpenSSL that are needed with 1.1.0 but didn't exist in 1.0.2. Since they are copied from the OpenSSL source code, I also added the OpenSSL license to it. If this is a problem we can probably agree to put that file under a different license.
• I've replaced the 2 EVP_CipherInit() calls in cipher_init() with 1. OpenSSL now clears everything when you call EVP_CipherInit() again, so what was passed in the first but not in the second call, and what the function calls between them did, was lost.
• The test suite was insisting that things like rsa->n where not NULL in sshkey/test_sshkey.c. sshkey_add_private was also doing something like that for the private parts. I don't agree that it should just have BN members that are not set to a real value. So I removed that code and the checks. I'm not even sure why this was done. But sshkey_add_private() ends up as a rather useless function now.
• In sshkey_private_deserialize() there was a KEY_RSA_CERT case. I'm not sure what it's about and I guess the test suite also doesn't check it. But it seems that it only has the private key in that case and OpenSSL now seems to insist that an RSA needs to have the public key information too.

[Jakuje]

This is certainly wrong. In this case, you should not allocate&put&set. It should be get&put. The same for below RSA case.

[kroeckx]

You're right, new commit added.

[Jakuje]

I noticed you didn't port the SSH1 code to OpenSSL 1.1.0 -- we don't care about this protocol, but in clients it will be among us for some time. I added a the missing (only client side) bits in the answer on the mailing list [1].

Also I noticed you created a new compat filename, even though, there is already openbsd-compat/openssl-compat.{c,h}, which should be able to accommodate these changes, though the final decisions is probably up to the upstream developers which place to choose.

Also the missing part under #if 0, which is using zero BIGNUMs for missing parts.

[1] http://lists.mindrot.org/pipermail/openssh-unix-dev/2016-November/035454.html

[noloader]

Please expedite this patch. Lack of OpenSSL 1.1.0 support is harming users. From OpenSSL 1.1.0 integrtion on the user mailing list:

The OpenSSL 1.0.2 downgrade means users lose a number of features from OpenSSL, like Poly1305, curve25519 and the project's improved security posture and testing procedures. (Other improvements are available at https://www.openssl.org/news/openssl-1.1.0-notes.html).

[cookiengineer]

@Jakuje @kroeckx What is the work that is left to be done in order to get this PR merged? Following this thread it's a bit unclear for me as a third-party guy.

[Jakuje]

@cookiengineer The most of the discussion about this topic was held on the mailing list thread linked from the previous comment. The bottom-line can be found here:

http://lists.mindrot.org/pipermail/openssh-unix-dev/2016-November/035497.html

There is no work need to be done on this PR (ok, there are few problems in this PR resolved by the patch carried in Fedora) or upstream, but some compatibility between OpenSSL releases was requested which is very unclear if it can realistically happen.

[davidben]

Someone pointed this patch out to me as something Debian was considering picking up? A few drive-by comments:

[davidben]

This should be NULL-initialized otherwise some of the goto err paths below will get confused on malloc error.

[davidben]

Nit: I believe you can just omit lines 294 and 295 (after fixing the NULL-initializing above). BN_hex2bn just allocates things for you.

[davidben]

Asking EVP_CipherInit to copy keylen bytes worth of key before telling it what keylen is (EVP_CIPHER_CTX_set_key_length) seems kind of questionable, notably for ciphers with variable-length keys. Are you sure this works? It was probably previously in two steps so it'd all happen in the right order.

[kroeckx]

I can't even remember why I did change (it's been more than a year). But I guess the same applies to the IV?

[kroeckx]

Oh, I did make a comment about this:

I've replaced the 2 EVP_CipherInit() calls in cipher_init() with 1. OpenSSL now clears
everything when you call EVP_CipherInit() again, so what was passed in the first but not
in the second call, and what the function calls between them did, was lost.

I wonder if this is actually a problem in OpenSSL.

[davidben]

I think the IV can be passed in at either time? OpenSSL doesn't have a mechanism for ciphers with variable-length IVs as far as I know.

If the EVP_CIPHER has a fixed length key [and you already took care that what you're passing as the right size, since the EVP_CipherInit API isn't bounds-checked], you don't need to do EVP_CIPHER_CTX_set_key_length first. If you have a variable-length key cipher [and you're not using whatever the default key size is], you do.

Granted, it seems the only such ciphers, barring ENGINE mischief, are Blowfish, CAST, RC2, RC4, and RC5 so this pattern is only of so much interest... :-) Though the existing EVP_CIPHER_CTX_set_key_length logic did also act as a bounds check I think.
https://git.openssl.org/gitweb/?p=openssl.git&a=search&h=HEAD&st=grep&s=EVP_CIPH_VARIABLE_LENGTH
https://git.openssl.org/gitweb/?p=openssl.git&a=search&h=HEAD&st=grep&s=EVP_CIPH_CUSTOM_KEY_LENGTH

[davidben]

Aha! I think what might actually be going on here is that openssh should have been using EVP_CipherInit_ex, not EVP_CipherInit. EVP_CipherInit was for folks who didn't call EVP_CIPHER_CTX_init (which EVP_CIPHER_CTX_new did implicitly).

But in 1.0.2, there was this weird quirk where EVP_CipherInit would skip EVP_CIPHER_CTX_init if cipher was NULL:
https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/evp/evp_enc.c;h=be577bac767fe9cf2c163be6967b20d1f6cc9014;hb=refs/heads/OpenSSL_1_0_2-stable#l94

OpenSSL 1.1.0 lost this behavior:
https://git.openssl.org/gitweb/?p=openssl.git;a=blob;f=crypto/evp/evp_enc.c;h=d21a0c7e54d54a5a77a2d5a6593e4851cf2f5291;hb=HEAD#l50

So I believe you want to revert this and merely switch those EVP_CipherInit calls to EVP_CipherInit_ex, which should work fine in 1.0.2 and 1.1.0. (Unless 1.1.0 additionally changed behavior here in ways I'm missing.) You may also wish to consider at minimum marking EVP_CipherInit as deprecated and documenting this behavior change, and possibly restoring the 1.0.2 behavior to avoid breaking folks.

[davidben]

This now leaks ret->mdctx if EVP_DigestInit_ex hits a malloc failure. You want EVP_MD_CTX_free(ret->mdctx); free(ret); or ssh_digest_free(ret).

[davidben]

(Personally I would have just made these header-only, but whatever.)

[davidben]

Nit: These blocks seem over-indented (which makes the diff a little more annoying), or is that the preferred style here? Ditto with the other case FOO: { ... } blocks.

[davidben]

pkcs11_rsa_finish doesn't free this.

[davidben]

Check that rsa_n and rsa_e are NULL.

[davidben]

Error-handling?

[davidben]

RSA_bits? (Also DSA_bits below, but you'll need to add a new compat wrapper.)

[kroeckx]

I've fixed the merge conflicts, rebased it against current master, and fixed various issues.

[Jakuje]

This needs to be rewritten to something like the following, otherwise it will segfault for non-RSA keys (ECC on yubikey):

if (rsa && RSA_get0_key(rsa, &n, &e, NULL) && n && e &&

I just noticed it with the version I run on Fedora.

[Jakuje]

nope ... the RSA_get0_key() is void function so it will not work this way. But clearly we can call this function only if we are sure the rsa is not NULL.

[noloader]

the RSA_get0_key() is void function so it will not work this way. But clearly we can call this function only if we are sure the rsa is not NULL

Just my 2¢, but if RSA_get0_key can't handle a NULL parameter, then it sounds like an OpenSSL bug. The RSA_get0_key document does not state the parameter cannot be NULL; and it also states other parameters can be NULL.

[rcombs]

Anything still blocking here, other than the RSA_get0_key issue?

[kroeckx]

I've fixed the RSA_get0_key() call.

[rcombs]

Any remaining blockers here? It seems like the primary issue that's been raised is compatibility with both the 1.0 and 1.1 APIs, which is handled here. It appears that all review comments have been addressed. Is this just pending additional review?

[noloader]

From the TLS Working Group mailing list at 3rd WGLC: draft-ietf-tls-tls13:

All,

This is the 3rd working group last call (WGLC) announcement for draft-ietf-tls-t
ls13; it will run through January 26th.  This time the WGLC is for version -23 (
https://datatracker.ietf.org/doc/draft-ietf-tls-tls13/).  This WGLC is a targete
d WGLC because it only address changes introduced since the 2nd WGLC on version
-21, i.e., changes introduced in versions -22 and -23.  Note that the editor has
 kindly included a change log in s1.2 and the datatracker can also produce diffs
 (https://www.ietf.org/rfcdiff?url1=draft-ietf-tls-tls13-21&url2=draft-ietf-tls-
tls13-23).  In general, we are considering all other material to have WG consens
us, so only critical issues should be raised about that material at this time.

Cheers,

spt

[laomaiweng]

On my Gentoo box (using OpenSSL 1.1.0g configured with --api=1.0.0 and no OPENSSL_API_COMPAT #defined at build time), this PR is still missing some stuff:

• here is a first patch (against OpenSSH 7.6p1) to fix the remaining OpenSSL API changes that prevent building on my machine: https://592578.bugs.gentoo.org/attachment.cgi?id=518526
• here is a second patch (still against OpenSSH 7.6p1) to rename pthread_{create,cancel,exit,join}() in auth-pam.c, since OpenSSL 1.1.0 with threads support on Linux unconditionally #includes <pthread.h>, which collides with these functions: https://bugs.gentoo.org/attachment.cgi?id=518528

Hope that helps!

[okias]

Will be this issue fixed in OpenSSH 7.7?

I migrated to OpenSSL 1.1.1, because of TLS 1.3 support, which is really nice to have!

[pprindeville]

Is there an obstacle with providing conditional compilation so it can be built against either LibreSSL or OpenSSL 1.0.x or OpenSSL 1.1.x?

[pprindeville]

@kroeckx Kurt, can you please rebase so the conflicts go away?

[Jakuje]

@pprindeville no, it works for all of them to my best understanding. If you are interested in rebased version, I keep around the changes in my fork so I would be able to build OpenSSH on my machine and it is rebased on master from time to time:

Jakuje@44dc0e6

[berolinux]

We apply a ported variant of the patch in our distro packaging:

https://raw.githubusercontent.com/OpenMandrivaAssociation/openssh/master/openssh-7.7p1-openssl-1.1.0-1.patch

Works perfectly with 7.7p1

[AnimusPEXUS]

as far as I can recall, openssh provides only executables. no shared objects. libssh and libssh2 build with openssl-1.1.x not bad. probably, now it is good opportunity for somebody to start concurrent project to openssh.. ;)

[xnox]

https://www.openssl.org/blog/blog/2018/09/11/release111/

Since 1.1.1 is our new LTS release we are strongly advising all users to upgrade as soon as possible.

Our previous LTS release (OpenSSL 1.0.2) will continue to receive full support until the end of this year. After that it will receive security fixes only. It will stop receiving all support at the end of 2019. Users of that release are strongly advised to upgrade to OpenSSL 1.1.1.

[emaste]

OpenSSL 1.1.x compatibility started arriving about a week ago: 482d23b

I cherry-picked the 1.1.x-compat commits on top of V_7_8_P1 (resolving trivial conflicts) and pushed the result here: https://github.com/emaste/openssh-portable/tree/v7.8p1-OpenSSL1.1

[daztucker]

OpenSSL 1.1.x is now supported. Thanks.