OpenSSL 3.0 (or 4.0) API goals
Hi all.

I'm reading with interest the details coming out with respect to the next release of OpenSSL. I'm curious if there's any consideration being given to updating the API for existing interfaces, and/or checking the APIs of any new interfaces for issues that are seen in the current API. I'm talking about things like:

* Const-correctness for arguments
* Signed vs. unsigned values for integer values
* Avoiding non-portable types in the API (the most obvious example: using "int" as the type for socket descriptors, which is only portable to Windows due to an implementation detail).
* Possibly using something like uint8_t* for pointers to buffers containing binary "stuff" (this could be more annoying than helpful, requiring a lot of casting, so I'm not sure about that).

Just wondering... seems like a good time to think about cleanups like that, if feasible.
Re: Online docs have broken links
The problem isn't a lack of test_docs; the issue lies in how we organised the manuals before (in an apps, a crypto and a ssl directory), and the script that builds up these pages hasn't been updated to prefix properly per actual man section. There's a PR that I think fixes the problem:

https://github.com/openssl/web/pull/124

Cheers,
Richard

On Fri, 01 Mar 2019 21:15:48 +0100, Sam Roberts wrote:
>
> I ran linklint on the output of `make install_html_docs`, and there
> are a fair amount of refs to non-existent pages as well. Maybe it's
> worth adding a `test-docs` target?
>
> Would PRs to fix the below be welcomed?
>
> #
> # ERROR 18 missing html files (cross referenced)
> #
> /../man1/version.html
> used in 1 file:
> /man3/CTLOG_STORE_new.html
>
> /../man3/EVP_EncryptInit.html
> used in 1 file:
> /man3/EVP_CIPHER_meth_new.html
>
> /../man3/OSSL_STORE_SEARCH.html
> used in 3 files:
> /man3/OSSL_STORE_expect.html
> /man3/OSSL_STORE_find.html
> /man3/OSSL_STORE_supports_search.html
>
> /../man3/SSL_CTX_set_security_level.html
> used in 2 files:
> /man1/ciphers.html
> /man1/openssl-ciphers.html
>
> /../man7/bio.html
> used in 4 files:
> /man3/BIO_pop.html
> /man3/BIO_push.html
> /man3/BIO_should_retry.html
> /man3/SCT_print.html
>
> /man1/curl.html
> used in 2 files:
> /man1/openssl-tsget.html
> /man1/tsget.html
>
> /man1/perl.html
> used in 2 files:
> /man1/openssl-ts.html
> /man1/ts.html
>
> /man1/procmail.html
> used in 2 files:
> /man1/openssl-ts.html
> /man1/ts.html
>
> /man3/EVP_MD_CTX_set_ctx.html
> used in 2 files:
> /man3/EVP_DigestSignInit.html
> /man3/EVP_DigestVerifyInit.html
>
> /man3/EVP_bf.html
> used in 5 files:
> /man3/EVP_CIPHER_CTX_reset.html
> /man3/EVP_DecryptInit.html
> /man3/EVP_DecryptInit_ex.html
> /man3/EVP_EncryptInit.html
> /man3/EVP_EncryptInit_ex.html
>
> /man3/EVP_cast5.html
> used in 5 files:
> /man3/EVP_CIPHER_CTX_reset.html
> /man3/EVP_DecryptInit.html
> /man3/EVP_DecryptInit_ex.html
> /man3/EVP_EncryptInit.html
> /man3/EVP_EncryptInit_ex.html
>
> /man3/EVP_desx.html
> used in 5 files:
> /man3/EVP_CIPHER_CTX_reset.html
> /man3/EVP_DecryptInit.html
> /man3/EVP_DecryptInit_ex.html
> /man3/EVP_EncryptInit.html
> /man3/EVP_EncryptInit_ex.html
>
> /man3/EVP_idea.html
> used in 5 files:
> /man3/EVP_CIPHER_CTX_reset.html
> /man3/EVP_DecryptInit.html
> /man3/EVP_DecryptInit_ex.html
> /man3/EVP_EncryptInit.html
> /man3/EVP_EncryptInit_ex.html
>
> /man3/EVP_rc2.html
> used in 5 files:
> /man3/EVP_CIPHER_CTX_reset.html
> /man3/EVP_DecryptInit.html
> /man3/EVP_DecryptInit_ex.html
> /man3/EVP_EncryptInit.html
> /man3/EVP_EncryptInit_ex.html
>
> /man3/EVP_rc5.html
> used in 5 files:
> /man3/EVP_CIPHER_CTX_reset.html
> /man3/EVP_DecryptInit.html
> /man3/EVP_DecryptInit_ex.html
> /man3/EVP_EncryptInit.html
> /man3/EVP_EncryptInit_ex.html
>
> /man3/EVP_seed.html
> used in 5 files:
> /man3/EVP_CIPHER_CTX_reset.html
> /man3/EVP_DecryptInit.html
> /man3/EVP_DecryptInit_ex.html
> /man3/EVP_EncryptInit.html
> /man3/EVP_EncryptInit_ex.html
>
> /man3/EVP_sm4.html
> used in 5 files:
> /man3/EVP_CIPHER_CTX_reset.html
> /man3/EVP_DecryptInit.html
> /man3/EVP_DecryptInit_ex.html
> /man3/EVP_EncryptInit.html
> /man3/EVP_EncryptInit_ex.html
>
> /man3/X509_check_purpose.html
> used in 1 file:
> /man3/X509_get_extension_flags.html
>

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/
Re: OpenSSL 3.0 vs. SSL 3.0
On Wed 2019-02-27 16:02:32 +0100, Christian Heimes wrote:
> In my humble opinion, it's problematic and confusing to use "OpenSSL
> 3.0" for the next major version of OpenSSL and first release of
> OpenSSL with SSL 3.0 support.

Sigh. You're right, but i wish you weren't. :)

Part of the problem of course is the "SSL" in "OpenSSL" itself, which has held back the industry from adopting the more accurate "TLS" label. But i understand the value of the brand, and why that won't be changed either.

fwiw, i support the suggestion to skip 3.0, and call it OpenSSL 4.0 directly. Reducing confusion matters.

--dkg
Re: Online docs have broken links
I ran linklint on the output of `make install_html_docs`, and there are a fair amount of refs to non-existent pages as well. Maybe it's worth adding a `test-docs` target?

Would PRs to fix the below be welcomed?

#
# ERROR 18 missing html files (cross referenced)
#
/../man1/version.html
used in 1 file:
/man3/CTLOG_STORE_new.html

/../man3/EVP_EncryptInit.html
used in 1 file:
/man3/EVP_CIPHER_meth_new.html

/../man3/OSSL_STORE_SEARCH.html
used in 3 files:
/man3/OSSL_STORE_expect.html
/man3/OSSL_STORE_find.html
/man3/OSSL_STORE_supports_search.html

/../man3/SSL_CTX_set_security_level.html
used in 2 files:
/man1/ciphers.html
/man1/openssl-ciphers.html

/../man7/bio.html
used in 4 files:
/man3/BIO_pop.html
/man3/BIO_push.html
/man3/BIO_should_retry.html
/man3/SCT_print.html

/man1/curl.html
used in 2 files:
/man1/openssl-tsget.html
/man1/tsget.html

/man1/perl.html
used in 2 files:
/man1/openssl-ts.html
/man1/ts.html

/man1/procmail.html
used in 2 files:
/man1/openssl-ts.html
/man1/ts.html

/man3/EVP_MD_CTX_set_ctx.html
used in 2 files:
/man3/EVP_DigestSignInit.html
/man3/EVP_DigestVerifyInit.html

/man3/EVP_bf.html
used in 5 files:
/man3/EVP_CIPHER_CTX_reset.html
/man3/EVP_DecryptInit.html
/man3/EVP_DecryptInit_ex.html
/man3/EVP_EncryptInit.html
/man3/EVP_EncryptInit_ex.html

/man3/EVP_cast5.html
used in 5 files:
/man3/EVP_CIPHER_CTX_reset.html
/man3/EVP_DecryptInit.html
/man3/EVP_DecryptInit_ex.html
/man3/EVP_EncryptInit.html
/man3/EVP_EncryptInit_ex.html

/man3/EVP_desx.html
used in 5 files:
/man3/EVP_CIPHER_CTX_reset.html
/man3/EVP_DecryptInit.html
/man3/EVP_DecryptInit_ex.html
/man3/EVP_EncryptInit.html
/man3/EVP_EncryptInit_ex.html

/man3/EVP_idea.html
used in 5 files:
/man3/EVP_CIPHER_CTX_reset.html
/man3/EVP_DecryptInit.html
/man3/EVP_DecryptInit_ex.html
/man3/EVP_EncryptInit.html
/man3/EVP_EncryptInit_ex.html

/man3/EVP_rc2.html
used in 5 files:
/man3/EVP_CIPHER_CTX_reset.html
/man3/EVP_DecryptInit.html
/man3/EVP_DecryptInit_ex.html
/man3/EVP_EncryptInit.html
/man3/EVP_EncryptInit_ex.html

/man3/EVP_rc5.html
used in 5 files:
/man3/EVP_CIPHER_CTX_reset.html
/man3/EVP_DecryptInit.html
/man3/EVP_DecryptInit_ex.html
/man3/EVP_EncryptInit.html
/man3/EVP_EncryptInit_ex.html

/man3/EVP_seed.html
used in 5 files:
/man3/EVP_CIPHER_CTX_reset.html
/man3/EVP_DecryptInit.html
/man3/EVP_DecryptInit_ex.html
/man3/EVP_EncryptInit.html
/man3/EVP_EncryptInit_ex.html

/man3/EVP_sm4.html
used in 5 files:
/man3/EVP_CIPHER_CTX_reset.html
/man3/EVP_DecryptInit.html
/man3/EVP_DecryptInit_ex.html
/man3/EVP_EncryptInit.html
/man3/EVP_EncryptInit_ex.html

/man3/X509_check_purpose.html
used in 1 file:
/man3/X509_get_extension_flags.html
Re: 1.1.1b crash (RUN_ONCE problem?)
On Fri, Mar 01, 2019 at 11:16:52AM -0800, Norm Green wrote:

[ Please avoid non-breaking spaces in your posts. ]

> I'm debugging a failure in a debug build on Solaris SPARC in the below
> code in rand_lib.c. On line 744, rand_meth_lock is NULL, which suggests
> the RUN_ONCE code is not working. Wondering if anyone else has seen
> this problem?
> We did not see this issue in 1.1.1a. Perhaps changes in the RUN_ONCE
> code in this commit are responsible?
> https://github.com/openssl/openssl/commit/f725fe5b4b6504df08e30f5194d321c3025e2336

That PR looks correct, and has no effect on the behaviour of RUN_ONCE below. It only introduces RUN_ONCE_ALT() and uses it in a few special cases.

> 741     if (!RUN_ONCE(&rand_init, do_rand_init))
> 742         return NULL;
> 743
> 744     CRYPTO_THREAD_write_lock(rand_meth_lock);

Are you sure you're compiling, linking and running with the desired set of headers and libraries?

-- 
Viktor.
1.1.1b crash (RUN_ONCE problem?)
I'm debugging a failure in a debug build on Solaris SPARC in the below code in rand_lib.c. On line 744, rand_meth_lock is NULL, which suggests the RUN_ONCE code is not working. Wondering if anyone else has seen this problem?

We did not see this issue in 1.1.1a. Perhaps changes in the RUN_ONCE code in this commit are responsible?

https://github.com/openssl/openssl/commit/f725fe5b4b6504df08e30f5194d321c3025e2336

    737 const RAND_METHOD *RAND_get_rand_method(void)
    738 {
    739     const RAND_METHOD *tmp_meth = NULL;
    740
    741     if (!RUN_ONCE(&rand_init, do_rand_init))
    742         return NULL;
    743
    744     CRYPTO_THREAD_write_lock(rand_meth_lock);
    745     if (default_RAND_meth == NULL) {
    746 #ifndef OPENSSL_NO_ENGINE
    747         ENGINE *e;
    748
    749         /* If we have an engine that can do RAND, use it. */
    750         if ((e = ENGINE_get_default_RAND()) != NULL
    751                 && (tmp_meth = ENGINE_get_RAND(e)) != NULL) {
    752             funct_ref = e;
    753             default_RAND_meth = tmp_meth;
    754         } else {
    755             ENGINE_finish(e);
    756             default_RAND_meth = &rand_meth;
    757         }
    758 #else
    759         default_RAND_meth = &rand_meth;
    760 #endif
    761     }
    762     tmp_meth = default_RAND_meth;
    763     CRYPTO_THREAD_unlock(rand_meth_lock);
    764     return tmp_meth;
    765 }
Re: openSSL 1.1.1b compatibility with GLIBC
On 01/03/2019 12:38, Chethan Kumar wrote:
> Dear all,
>
> In need of some assistance.
>
> I compiled openssl1.1.1b on Debian and executed openssl commands on another Debian machine. It's giving the below error:
>
> openssl: /lib/i386-linux-gnu/libc.so.6: version `GLIBC_2.25' not found (required by /home/SYSROM_SRC/build/release/lib/libcrypto.so.1.1)

Debian glibc versions with a given so-name (such as libc.so.6) are backwards compatible, but not forward compatible. Thus compiling against glibc from an older version of Debian 8 (jessie), such as Debian glibc 2.19-18, should work with glibc from a later version (such as "Debian GLIBC 2.19-18+deb8u10"). But the other way around is not guaranteed to work, nor is running with a non-Debian glibc when compiled against a Debian glibc.

Your executing environment seems to contain a glibc which is a plain version 2.19 with none of the Debian fixes added between May 2014 and 16 Jun 2017 (see the file /usr/share/doc/libc6/changelog.Debian.gz).

The package versions that need to match (or be in the correct order) are package libc6-dev (when compiling) being the same as or older than libc6 when running. The command "dpkg --compare-versions" compares package version numbers according to the correct rules.

When using the Debian packaging tools to package a compiled file such as libcrypto.so.1.1, the resulting .deb file will typically instruct the system to not install it unless a new enough glibc is installed in the executing environment.

> Even when I start HTTP services which use openssl, it gives the same error.
>
> Starting webserverhttpd: Syntax error on line 208 of /config/httpd.conf: Cannot load lib/mod_ssl.so into server: /lib/i386-linux-gnu/libc.so.6: version `GLIBC_2.25' not found (required by /usr/local/ebx/lib/libcrypto.so.1.1)
>
> Environment used for the same is below:
>
> Compilation Environment:
> cat /proc/version
> Linux version 3.16.0-6-amd64 (debian-ker...@lists.debian.org) (gcc version 4.9.2 (Debian 4.9.2-10+deb8u1) )
> ldd --version
> ldd (Debian GLIBC 2.19-18+deb8u10) 2.19
>
> Executing Environment:
> cat /proc/version
> Linux version 4.4.130-cip23-eBN-kernel (jenkins@skelios-plt) (gcc version 4.9.2 (Debian 4.9.2-10+deb8u1) )
> ldd --version
> ldd (GNU libc) 2.19
>
> I need to know how the compilation was successful though the GLIBC version was less, and what should be done to make it work apart from updating GLIBC.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
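A way to check for the "version `GLIBC_2.25' not found" situation above before shipping a build, as an added example script that is not from the thread: it takes `objdump -T` output for a shared object, extracts the highest GLIBC_x.y symbol version the object requires, and compares it with the glibc version on the target machine. The objdump lines below are a constructed sample, not output from the poster's libcrypto.so.1.1.

```sh
#!/bin/sh
# Added example, not from the thread: find the newest GLIBC_x.y symbol version
# a shared object was linked against and check it against the target's glibc.
# Real usage:  objdump -T libcrypto.so.1.1 | max_glibc_required
#              getconf GNU_LIBC_VERSION      # on the target, prints e.g. "glibc 2.19"

# ver_ge A B: succeed when dotted version A >= B, comparing each component numerically
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# max_glibc_required: read `objdump -T` text on stdin, print the highest GLIBC_ version referenced
max_glibc_required() {
    max=""
    for v in $(grep -o 'GLIBC_[0-9][0-9.]*' | sed 's/^GLIBC_//' | sort -u); do
        if [ -z "$max" ] || ver_ge "$v" "$max"; then
            max="$v"
        fi
    done
    printf '%s\n' "$max"
}

# loads_on REQUIRED AVAILABLE: succeed when a libc of version AVAILABLE satisfies REQUIRED
loads_on() {
    ver_ge "$2" "$1"
}

# Constructed sample of `objdump -T libcrypto.so.1.1` lines. getentropy() first
# appeared in glibc 2.25, so a build that picked it up requires GLIBC_2.25.
# The OPENSSL_1_1_0 line shows that non-GLIBC symbol versions are ignored.
SAMPLE='0000000000000000      DF *UND*  0000000000000000  GLIBC_2.2.5 memcpy
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.14  memcpy
0000000000000000      DF *UND*  0000000000000000  GLIBC_2.25  getentropy
0000000000012345 g    DF .text  0000000000000042  OPENSSL_1_1_0 EVP_CIPHER_CTX_new'

required=$(printf '%s\n' "$SAMPLE" | max_glibc_required)
target=2.19   # the executing environment's glibc from the thread: ldd (GNU libc) 2.19
if loads_on "$required" "$target"; then
    echo "needs GLIBC_$required, target has $target: loads"
else
    echo "needs GLIBC_$required, target has $target: would fail with 'version GLIBC_$required not found'"
fi
```

The same check on a real build is `objdump -T libcrypto.so.1.1 | max_glibc_required` on the build host against `getconf GNU_LIBC_VERSION` on the target; a requirement above the target's version means the library will not load there regardless of what the build host reported.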
openSSL 1.1.1b compatibility with GLIBC
Dear all,

In need of some assistance.

I compiled openssl1.1.1b on Debian and executed openssl commands on another Debian machine. It's giving the below error:

openssl: /lib/i386-linux-gnu/libc.so.6: version `GLIBC_2.25' not found (required by /home/SYSROM_SRC/build/release/lib/libcrypto.so.1.1)

Even when I start HTTP services which use openssl, it gives the same error.

Starting webserverhttpd: Syntax error on line 208 of /config/httpd.conf: Cannot load lib/mod_ssl.so into server: /lib/i386-linux-gnu/libc.so.6: version `GLIBC_2.25' not found (required by /usr/local/ebx/lib/libcrypto.so.1.1)

Environment used for the same is below:

Compilation Environment:
cat /proc/version
Linux version 3.16.0-6-amd64 (debian-ker...@lists.debian.org) (gcc version 4.9.2 (Debian 4.9.2-10+deb8u1) )
ldd --version
ldd (Debian GLIBC 2.19-18+deb8u10) 2.19

Executing Environment:
cat /proc/version
Linux version 4.4.130-cip23-eBN-kernel (jenkins@skelios-plt) (gcc version 4.9.2 (Debian 4.9.2-10+deb8u1) )
ldd --version
ldd (GNU libc) 2.19

I need to know how the compilation was successful though the GLIBC version was less, and what should be done to make it work apart from updating GLIBC.

Thanking you,
Chethan Kumar
Re: Compilation errors with 1.1.1b
On 01/03/2019 12.34, Sravani Maddukuri via openssl-users wrote:
> Hi,
>
> Earlier our application used OpenSSL version 1.0.2n. Now we wanted to
> upgrade to 1.1.1b.
> After upgrade when I compile OpenSSL, I see the following errors:
>
> Tried to generate the Makefile with both the ways mentioned below..
>
> But getting compilation errors as attached mainly at places
> where DEPRECATEDIN_1_1_0 and DEPRECATEDIN_0_9_8 are used.

Your system is missing 'struct hostent':

    error: 'struct hostent' declared inside parameter list [-Werror]

The structure is provided by netdb.h. Does the error go away if you put "#include <netdb.h>" before you include any OpenSSL headers?

Christian
Compilation errors with 1.1.1b
Hi,

Earlier our application used OpenSSL version 1.0.2n. Now we wanted to upgrade to 1.1.1b. After upgrade when I compile OpenSSL, I see the following errors:

Tried to generate the Makefile with both the ways mentioned below, but getting compilation errors as attached, mainly at places where DEPRECATEDIN_1_1_0 and DEPRECATEDIN_0_9_8 are used.

    ./config >> ../build.log \
        no-idea no-md2 no-md4 no-mdc2 no-rc2 no-rc5 \
        -DOPENSSL_SYSNAME_LINUX -DOPENSSL_USE_IPV6 -DOPENSSL_IMPLEMENTS_strncasecmp \
        -DOPENSSL_API_COMPAT=0x1010102fL \
        -ffunction-sections -fdata-sections \
        no-hw shared no-asm

    ./config >> ../build.log \
        no-idea no-md2 no-md4 no-mdc2 no-rc2 no-rc5 \
        -DOPENSSL_SYSNAME_LINUX -DOPENSSL_USE_IPV6 -DOPENSSL_IMPLEMENTS_strncasecmp \
        disable-deprecated \
        -ffunction-sections -fdata-sections \
        no-hw shared no-asm

Can you please suggest the possible solution to fix the errors?

Regards,
Sravani

    COMPILING[openssl] : vendor/openssl/crypto/cpt_err.c
    In file included from ../../../../vendor/openssl/include/openssl/err.h:21:0,
                     from ../../../../vendor/openssl/crypto/cpt_err.c:11:
    ../../../../vendor/openssl/include/openssl/bio.h:689:27: error: 'struct hostent' declared inside parameter list [-Werror]
     DEPRECATEDIN_1_1_0(struct hostent *BIO_gethostbyname(const char *name))
                               ^
    ../../../../vendor/openssl/include/openssl/bio.h:689:27: error: its scope is only this definition or declaration, which is probably not what you want [-Werror]
    ../../../../vendor/openssl/include/openssl/bio.h:689:1: error: return type defaults to 'int' [-Werror=implicit-int]
     DEPRECATEDIN_1_1_0(struct hostent *BIO_gethostbyname(const char *name))
     ^
    ../../../../vendor/openssl/include/openssl/bio.h: In function 'DEPRECATEDIN_1_1_0':
    ../../../../vendor/openssl/include/openssl/bio.h:690:1: error: expected declaration specifiers before 'DEPRECATEDIN_1_1_0'
     DEPRECATEDIN_1_1_0(int BIO_get_port(const char *str, unsigned short *port_ptr))
     ^
    ../../../../vendor/openssl/include/openssl/bio.h:697:2: error: expected declaration specifiers before ';' token
     };
      ^
    ../../../../vendor/openssl/include/openssl/bio.h:698:1: error: empty declaration [-Werror]
     enum BIO_sock_info_type {
     ^
    ../../../../vendor/openssl/include/openssl/bio.h:702:55: error: 'union BIO_sock_info_u' declared inside parameter list [-Werror]
                               enum BIO_sock_info_type type, union BIO_sock_info_u *info);
                                                           ^
    In file included from ../../../../vendor/openssl/include/openssl/err.h:22:0,
                     from ../../../../vendor/openssl/crypto/cpt_err.c:11:
    ../../../../vendor/openssl/include/openssl/lhash.h:24:30: error: storage class specified for parameter 'OPENSSL_LH_NODE'
     typedef struct lhash_node_st OPENSSL_LH_NODE;
                                  ^
    ../../../../vendor/openssl/include/openssl/lhash.h:25:15: error: storage class specified for parameter 'OPENSSL_LH_COMPFUNC'
     typedef int (*OPENSSL_LH_COMPFUNC) (const void *, const void *);
                   ^
    ../../../../vendor/openssl/include/openssl/lhash.h:26:25: error: storage class specified for parameter 'OPENSSL_LH_HASHFUNC'
     typedef unsigned long (*OPENSSL_LH_HASHFUNC) (const void *);
                             ^
    ../../../../vendor/openssl/include/openssl/lhash.h:27:16: error: storage class specified for parameter 'OPENSSL_LH_DOALL_FUNC'
     typedef void (*OPENSSL_LH_DOALL_FUNC) (void *);
                    ^
    ../../../../vendor/openssl/include/openssl/lhash.h:28:16: error: storage class specified for parameter 'OPENSSL_LH_DOALL_FUNCARG'
     typedef void (*OPENSSL_LH_DOALL_FUNCARG) (void *, void *);
                    ^
    ../../../../vendor/openssl/include/openssl/lhash.h:29:25: error: storage class specified for parameter 'OPENSSL_LHASH'
     typedef struct lhash_st OPENSSL_LHASH;
                             ^
    ../../../../vendor/openssl/include/openssl/lhash.h:72:22: error: expected declaration specifiers or '...' before 'OPENSSL_LHASH'
     int OPENSSL_LH_error(OPENSSL_LHASH *lh);
                          ^
    ../../../../vendor/openssl/include/openssl/lhash.h:73:1: error: expected declaration specifiers before 'OPENSSL_LHASH'
     OPENSSL_LHASH *OPENSSL_LH_new(OPENSSL_LH_HASHFUNC h, OPENSSL_LH_COMPFUNC c);
     ^
    ../../../../vendor/openssl/include/openssl/lhash.h:74:22: error: expected declaration specifiers or '...' before 'OPENSSL_LHASH'
     void OPENSSL_LH_free(OPENSSL_LHASH *lh);
                          ^
    ../../../../vendor/openssl/include/openssl/lhash.h:75:25: error: expected declaration specifiers or '...' before 'OPENSSL_LHASH'
     void *OPENSSL_LH_insert(OPENSSL_LHASH *lh, void *data);
                             ^
    ../../../../vendor/openssl/include/openssl/lhash.h:76:25: error: expected declaration specifiers or '...' before 'OPENSSL_LHASH'
     void *OPENSSL_LH_delete(OPENSSL_LHASH *lh, const void *data);
Re: Online docs have broken links
Good catch! That does answer a mystery with the current HTML producing script... Thanks.

Cheers,
Richard

On Thu, 28 Feb 2019 20:48:02 +0100, Paul Smith wrote:
>
> Not sure if anyone is aware or not, but many of the man pages on the
> openssl.org site contain broken links. Basically anywhere a man page
> refers to a man page in a different section, the link is broken because
> it uses the same section.
>
> So for example:
>
> https://www.openssl.org/docs/man1.1.1/man7/ssl.html
>
> is in section 7, but it refers to functions in section 3... however all
> the links are broken because they still point to section 7. See the
> link in the second paragraph of the description to SSL_CTX_NEW, which
> has this HTML linkage:
>
> SSL_CTX_new
>
> which does not exist; this should be .../man3/SSL_CTX_new.html instead.
>
> I've found other links in the man3 section which want to refer to this
> "ssl" page, and look for it in section 3 instead of section 7, also
> broken.
>
> Cheers!
>

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/