Re: OpenSSL version 3.0.0-alpha1 published

2020-05-01 Thread Sam Roberts
On Thu, Apr 30, 2020 at 9:27 PM Richard Levitte  wrote:
> Yes, running from the DESTDIR "installation" gets you into trouble.
> DESTDIR is intended to be a staging directory, i.e. a place to put

Fair enough, I don't have to use DESTDIR, I configure with openssldir
and prefix set to a sandbox now.

We statically link openssl to get a self-contained binary. I'm not
sure if --no-shared was sufficient to "build in" the legacy algs.

Provider load failed, reasonably expectedly, but whether our test
suite is failing because of missing legacy won't be clear to me until
more of the superficial failures are fixed.

Is there a reason two terms, "modules" and "providers", are both used?
Are there modules that are NOT providers? It is confusing to use
different names to describe the same thing, so if modules are
providers, perhaps one name could be used consistently.


Re: OpenSSL version 3.0.0-alpha1 published

2020-05-01 Thread Guido Vranken
Reminder that in git master and 3.0.0, CAST5 gives the wrong output:
https://github.com/openssl/openssl/issues/11459 (this proof of concept was
made before you moved CAST5 to liblegacy, so just put
OSSL_PROVIDER_load(nullptr, "legacy"); in there to make it work)

On Thu, Apr 23, 2020 at 4:30 PM OpenSSL  wrote:

>
>
>OpenSSL version 3.0 alpha 1 released
>
>
>OpenSSL - The Open Source toolkit for SSL/TLS
>https://www.openssl.org/
>
>OpenSSL 3.0 is currently in alpha.
>
>OpenSSL 3.0 alpha 1 has now been made available.
>
>Note: This OpenSSL pre-release has been provided for testing ONLY.
>It should NOT be used for security critical purposes.
>
>Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well
>as known issues are available on the OpenSSL Wiki, here:
>
> https://wiki.openssl.org/index.php/OpenSSL_3.0
>
>The alpha release is available for download via HTTPS and FTP from the
>following master locations (you can find the various FTP mirrors under
>https://www.openssl.org/source/mirror.html):
>
>  * https://www.openssl.org/source/
>  * ftp://ftp.openssl.org/source/
>
>The distribution file name is:
>
> o openssl-3.0.0-alpha1.tar.gz
>   Size: 9530120
>   SHA1 checksum:  4db145d3d9c9d7bfaa7b2a1fe1670f7a3781bb06
>   SHA256 checksum:
> 9d5be9122194ad1d649254de5e72afd329252f134791389d0cef627b18ed9a57
>
>The checksums were calculated using the following commands:
>
> openssl sha1 openssl-3.0.0-alpha1.tar.gz
> openssl sha256 openssl-3.0.0-alpha1.tar.gz
>
>Please download and check this $LABEL release as soon as possible.
>To report a bug, open an issue on GitHub:
>
> https://github.com/openssl/openssl/issues
>
>Please check the release notes and mailing lists to avoid duplicate
>reports of known issues. (Of course, the source is also available
>on GitHub.)
>
>Yours,
>
>The OpenSSL Project Team.
>


Re: OpenSSL version 3.0.0-alpha1 published

2020-05-01 Thread Yann Ylavic
On Fri, May 1, 2020 at 6:36 AM Richard Levitte  wrote:
>
> On Sun, 26 Apr 2020 11:35:14 +0200,
> Yann Ylavic wrote:
> >
> > On Sun, Apr 26, 2020 at 12:15 AM Kurt Roeckx  wrote:
> > >
> > > On Fri, Apr 24, 2020 at 01:26:05PM +0200, Yann Ylavic wrote:
> > > >
> > > > - DH_bits(dh) (used for logging only in httpd)
> > > > Replaced by BN_num_bits(DH_get0_p(dh)).
> > > > Not sure this one should be deprecated, it seems to be used in several
> > > > places in openssl codebase still, no replacement?
> > >
> > > I think the replacement is using the EVP_PKEY API and then use
> > > EVP_PKEY_bits()
> >
> > Sure, but if all you have is a DH object (say obtained by
> > DH_get_2048_256() or PEM_read_bio_DHparams()), the EVP_PKEY API does
> > not help.
> > It seems a bit odd to me that DH_bits() or DH_security_bits() are
> > deprecated, but not DH_get0_*() or DH_get_length() for instance.
>
> The DH_get0_* functions are useful in constructing other low-level DH
> objects using the same numbers as the one you currently have.  I don't
> quite see that DH_bits() would be useful in that manner.
>
> Along that line of thinking, I agree that it's odd that
> DH_get_length() wasn't deprecated.  I can't remember if it was
> discussed in particular...  it might simply be an omission.
>
> All that being said, DH_bits() was undeprecated yesterday.  See
> https://github.com/openssl/openssl/pull/11669

Thanks for that.

Regards,
Yann.


Re: OpenSSL version 3.0.0-alpha1 published

2020-04-30 Thread Richard Levitte
On Sun, 26 Apr 2020 11:35:14 +0200,
Yann Ylavic wrote:
> 
> On Sun, Apr 26, 2020 at 12:15 AM Kurt Roeckx  wrote:
> >
> > On Fri, Apr 24, 2020 at 01:26:05PM +0200, Yann Ylavic wrote:
> > >
> > > - DH_bits(dh) (used for logging only in httpd)
> > > Replaced by BN_num_bits(DH_get0_p(dh)).
> > > Not sure this one should be deprecated, it seems to be used in several
> > > places in openssl codebase still, no replacement?
> >
> > I think the replacement is using the EVP_PKEY API and then use
> > EVP_PKEY_bits()
> 
> Sure, but if all you have is a DH object (say obtained by
> DH_get_2048_256() or PEM_read_bio_DHparams()), the EVP_PKEY API does
> not help.
> It seems a bit odd to me that DH_bits() or DH_security_bits() are
> deprecated, but not DH_get0_*() or DH_get_length() for instance.

The DH_get0_* functions are useful in constructing other low-level DH
objects using the same numbers as the one you currently have.  I don't
quite see that DH_bits() would be useful in that manner.

Along that line of thinking, I agree that it's odd that
DH_get_length() wasn't deprecated.  I can't remember if it was
discussed in particular...  it might simply be an omission.

All that being said, DH_bits() was undeprecated yesterday.  See
https://github.com/openssl/openssl/pull/11669

Cheers,
Richard

-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/


Re: OpenSSL version 3.0.0-alpha1 published

2020-04-30 Thread Richard Levitte
On Fri, 01 May 2020 01:22:34 +0200,
Sam Roberts wrote:
> 
> On Fri, Apr 24, 2020 at 9:07 AM Nicola Tuveri  wrote:
> > At https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers there was 
> > already an example of how to do this programmatically, and a link to the 
> > manpage for the config file syntax.
> 
> That's not working for me:
> 
> Failed to load Legacy provider: error:2567:DSO support
> routines::could not load the shared library
> /home/sam/w/core/tls/./node[26693]: ../../src/node_crypto.cc:6804:void
> node::crypto::InitCryptoOnce(): Assertion `"Unreachable code reached"'
> failed.
>  1: 0x557630598d84 node::Abort() [/home/sam/w/core/tls/./node]
> 
> From:
>   /* Load Multiple providers into the default (NULL) library context */
>   auto legacy = OSSL_PROVIDER_load(0, "legacy");
>   if (legacy == nullptr) {
>     unsigned long err = ERR_get_error();
>     fprintf(stderr, "Failed to load Legacy provider: %s\n",
>             ERR_error_string(err, nullptr));
>     UNREACHABLE();
>   }
>   auto deflt = OSSL_PROVIDER_load(0, "default");
>   if (deflt == nullptr) {
>     unsigned long err = ERR_get_error();
>     fprintf(stderr, "Failed to load Default provider: %s\n",
>             ERR_error_string(err, nullptr));
>     OSSL_PROVIDER_unload(legacy);
>     UNREACHABLE();
>   }
> 
> 
> I notice that the legacy.so isn't in the same folder as the other .so
> files, so I tried:
> 
> LD_LIBRARY_PATH=/usr/local/stow/openssl-3.0.0-alpha1/lib:/usr/local/stow/openssl-3.0.0-alpha1/lib/ossl-modules
> 
> But that didn't work.
> 
> It looks like adding this did work:
> 
> OSSL_PROVIDER_set_default_search_path(0,
>     "/usr/local/stow/openssl-3.0.0-alpha1/lib/ossl-modules");
> 
> What are the default values? I built with prefix set to /usr/local,
> but then installed to the DESTDIR directory above, is that what caused
> me trouble?

You can find out the default value with 'openssl info -modulesdir'.
Yes, running from the DESTDIR "installation" gets you into trouble.
DESTDIR is intended to be a staging directory, i.e. a place to put
files that you want to put in an archive or package for more proper
(distribute) installation in the right place.  It can be used for
testing, of course, but you then need to know a little more what
you're doing.

I suggest having a look at doc/man7/openssl-env.pod, it contains a
complete enough catalogue of diverse environment variables that you
can use to affect OpenSSL's internal behaviour.  OPENSSL_MODULES is of
particular interest in this case.

Suggested command to read a .pod file comfortably:

perldoc -o man doc/man7/openssl-env.pod

I suspect, btw, that people might wonder why we install provider modules
separately from engines.  The simple reason is that they are very
different beasts, but the major one is that provider modules are
intended to be fairly OpenSSL version agnostic, by design.  Engines
are unfortunately not version agnostic at all, acutely so since
OpenSSL 1.1.0.  So while provider modules do not need to be updated
for every OpenSSL version, engines do.

Cheers,
Richard

> 
> Cheers,
> Sam
> 
> 
> 
> > I just added also a minimal config file example to load both the default 
> > and the legacy provider in the default library context.
> >
> >
> > Cheers,
> >
> > Nicola
> >
> > On Fri, 24 Apr 2020 at 17:56, Sam Roberts  wrote:
> >>
> >> On Fri, Apr 24, 2020 at 1:05 AM Matt Caswell  wrote:
> >> > This one is interesting:
> >> >
> >> > ERR_OSSL_EVP_FETCH_FAILED
> >> >
> >> >
> >> > This means that the algorithm you are trying to use isn't available in
> >> > the loaded providers. Since you should be getting the default provider
> >> > loaded automatically it could be because some legacy algorithms were
> >> > moved to the legacy provider (MD2, MD4, MDC2, RMD160, CAST5, BF
> >> > (Blowfish), IDEA, SEED, RC2, RC4, RC5 and DES (but not 3DES)). If you're
> >> > using something from that list then that would explain it.
> >>
> >> Can we add the legacy provider, via configuration, or via code?
> 
-- 
Richard Levitte levi...@openssl.org
OpenSSL Project http://www.openssl.org/~levitte/


Re: OpenSSL version 3.0.0-alpha1 published

2020-04-30 Thread Sam Roberts
On Fri, Apr 24, 2020 at 9:07 AM Nicola Tuveri  wrote:
> At https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers there was already 
> an example of how to do this programmatically, and a link to the manpage for 
> the config file syntax.

That's not working for me:

Failed to load Legacy provider: error:2567:DSO support
routines::could not load the shared library
/home/sam/w/core/tls/./node[26693]: ../../src/node_crypto.cc:6804:void
node::crypto::InitCryptoOnce(): Assertion `"Unreachable code reached"'
failed.
 1: 0x557630598d84 node::Abort() [/home/sam/w/core/tls/./node]

From:
  /* Load Multiple providers into the default (NULL) library context */
  auto legacy = OSSL_PROVIDER_load(0, "legacy");
  if (legacy == nullptr) {
    unsigned long err = ERR_get_error();
    fprintf(stderr, "Failed to load Legacy provider: %s\n",
            ERR_error_string(err, nullptr));
    UNREACHABLE();
  }
  auto deflt = OSSL_PROVIDER_load(0, "default");
  if (deflt == nullptr) {
    unsigned long err = ERR_get_error();
    fprintf(stderr, "Failed to load Default provider: %s\n",
            ERR_error_string(err, nullptr));
    OSSL_PROVIDER_unload(legacy);
    UNREACHABLE();
  }


I notice that the legacy.so isn't in the same folder as the other .so
files, so I tried:

LD_LIBRARY_PATH=/usr/local/stow/openssl-3.0.0-alpha1/lib:/usr/local/stow/openssl-3.0.0-alpha1/lib/ossl-modules

But that didn't work.

It looks like adding this did work:

OSSL_PROVIDER_set_default_search_path(0,
    "/usr/local/stow/openssl-3.0.0-alpha1/lib/ossl-modules");

What are the default values? I built with prefix set to /usr/local,
but then installed to the DESTDIR directory above, is that what caused
me trouble?

Cheers,
Sam



> I just added also a minimal config file example to load both the default and 
> the legacy provider in the default library context.
>
>
> Cheers,
>
> Nicola
>
> On Fri, 24 Apr 2020 at 17:56, Sam Roberts  wrote:
>>
>> On Fri, Apr 24, 2020 at 1:05 AM Matt Caswell  wrote:
>> > This one is interesting:
>> >
>> > ERR_OSSL_EVP_FETCH_FAILED
>> >
>> >
>> > This means that the algorithm you are trying to use isn't available in
>> > the loaded providers. Since you should be getting the default provider
>> > loaded automatically it could be because some legacy algorithms were
>> > moved to the legacy provider (MD2, MD4, MDC2, RMD160, CAST5, BF
>> > (Blowfish), IDEA, SEED, RC2, RC4, RC5 and DES (but not 3DES)). If you're
>> > using something from that list then that would explain it.
>>
>> Can we add the legacy provider, via configuration, or via code?


Re: OpenSSL version 3.0.0-alpha1 published

2020-04-26 Thread Yann Ylavic
On Sun, Apr 26, 2020 at 12:15 AM Kurt Roeckx  wrote:
>
> On Fri, Apr 24, 2020 at 01:26:05PM +0200, Yann Ylavic wrote:
> >
> > - DH_bits(dh) (used for logging only in httpd)
> > Replaced by BN_num_bits(DH_get0_p(dh)).
> > Not sure this one should be deprecated, it seems to be used in several
> > places in openssl codebase still, no replacement?
>
> I think the replacement is using the EVP_PKEY API and then use
> EVP_PKEY_bits()

Sure, but if all you have is a DH object (say obtained by
DH_get_2048_256() or PEM_read_bio_DHparams()), the EVP_PKEY API does
not help.
It seems a bit odd to me that DH_bits() or DH_security_bits() are
deprecated, but not DH_get0_*() or DH_get_length() for instance.

Regards,
Yann.


Re: OpenSSL version 3.0.0-alpha1 published

2020-04-25 Thread tincanteksup

I would normally refrain but ...

On 25/04/2020 23:24, Salz, Rich via openssl-users wrote:
>> Yes, nice, why not reduce compile time and save precious compiler
>> memory by getting rid of all-inline one-liners.
>
> And link-time collapsing the identical code.  I think this is an issue on some
> Solaris, for example.
>
>> Sorry for coming
>> over sarcastic, i am listening to "This monkeys gone to heaven"
>> from The Pixies (from the 80s), it seemed due  :-))
>
> Henh.  I can give a boatload of Boston bands.  Sometimes while working on
> OpenSSL I think of https://www.youtube.com/watch?v=F6z0Cv4PYvs (

https://www.youtube.com/watch?v=PDhiUh82dOo


Re: OpenSSL version 3.0.0-alpha1 published

2020-04-25 Thread Steffen Nurpmeso
Salz, Rich wrote in
<05c099a8-261f-43df-a59a-97ccf030f...@akamai.com>:
 |>Yes, nice, why not reduce compile time and save precious compiler
 |memory by getting rid of all-inline one-liners.
 |
 |And link-time collapsing the identical code.  I think this is an issue \
 |on some Solaris, for example.
 |
 |>  Sorry for coming
 |over sarcastic, i am listening to "This monkeys gone to heaven"
 |from The Pixies (from the 80s), it seemed due  :-))
 |
 |Henh.  I can give a boatload of Boston bands.  Sometimes while working \
 |on OpenSSL I think of https://www.youtube.com/watch?v=F6z0Cv4PYvs (

Nice.  Yes.  I am hatching a bit on the story behind that..  But
then again, the Killing Joke went on stage again after meeting on
the funeral of one of their members, so something's about it.  My
interpretation.

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)


Re: OpenSSL version 3.0.0-alpha1 published

2020-04-25 Thread Salz, Rich via openssl-users
>Yes, nice, why not reduce compile time and save precious compiler
memory by getting rid of all-inline one-liners.

And link-time collapsing the identical code.  I think this is an issue on some 
Solaris, for example.

>  Sorry for coming
over sarcastic, i am listening to "This monkeys gone to heaven"
from The Pixies (from the 80s), it seemed due  :-))

Henh.  I can give a boatload of Boston bands.  Sometimes while working on 
OpenSSL I think of https://www.youtube.com/watch?v=F6z0Cv4PYvs (




Re: OpenSSL version 3.0.0-alpha1 published

2020-04-25 Thread Kurt Roeckx
On Fri, Apr 24, 2020 at 01:26:05PM +0200, Yann Ylavic wrote:
> 
> - DH_bits(dh) (used for logging only in httpd)
> Replaced by BN_num_bits(DH_get0_p(dh)).
> Not sure this one should be deprecated, it seems to be used in several
> places in openssl codebase still, no replacement?

I think the replacement is using the EVP_PKEY API and then use
EVP_PKEY_bits()


Kurt



Re: OpenSSL version 3.0.0-alpha1 published

2020-04-25 Thread Steffen Nurpmeso
Hello Rich Salz,

Salz, Rich wrote in
:
 |>I do not understand one thing at the moment.  If i use
 |no-deprecated then the stack handling is not available:
 |
 |If you use no-deprecated you have to use DEFINE_STACK_OF in exactly \
 |one file.  And use DECLARE_STACK in your common header file.
 |Let me know if this works, or not, for you.

Yep, it works fine, it is only necessary in xtls.c.
Yes, nice, why not reduce compile time and save precious compiler
memory by getting rid of all-inline one-liners.  Sorry for coming
over sarcastic, i am listening to "This monkeys gone to heaven"
from The Pixies (from the 80s), it seemed due  :-))

Can we expect that the oddity that Yann Ylavic reported
({SSL_CTX,X509_STORE}_load_verify_{dir,path}(), wrong glob:) stays
as such?  (I turned to Landslide of Fleetwood Mac..)

Ciao, a nice Sunday, (and Good luck!), 

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)


Re: OpenSSL version 3.0.0-alpha1 published

2020-04-25 Thread Steffen Nurpmeso
Steffen Nurpmeso wrote in
<20200425210613.scjxn%stef...@sdaoden.eu>:
 |Hello once more.
 |
 |OpenSSL wrote in
 |<20200423142936.ga24...@openssl.org>:
 ||   OpenSSL version 3.0 alpha 1 released
 |
 |I do not understand one thing at the moment.  If i use
 |no-deprecated then the stack handling is not available:
 |
 |  /*
 |   * If we're building OpenSSL, or we have no-deprecated configured,
 |   * then we don't define the inline functions (see |SKM_DEFINE_STACK_OF|,
 |   * above), we just declare the stack datatypes. Otherwise, for compatibil\
 |   ity
 |   * and to not remove the API's, we define the functions.  We have the
 |   * trailing semicolon so that uses of this never need it.
 |   */
 |  #if defined(OPENSSL_BUILDING_OPENSSL) || defined(OPENSSL_NO_DEPRECATED_3\
 |  _0)
 |  # define DEFINE_OR_DECLARE_STACK_OF(s) STACK_OF(s);
 |
 |This of course results in all the stack things not being
 |available, for example
 |
 |  /.../xtls.c:1444:20: warning: implicit declaration of function 'sk_X509_\
 |  num'; did you mean 'X509_new'? [-Wimplicit-function-declaration]
 |  for (i = 0; i < sk_X509_num(certs); ++i) {
 |
 |How can i access stacks without those accessors?
 |Is this documented somewhere, i stopped searching for answers
 |anywhere else, which is why i write this.

Hihihi, after sending this mail i thought i go git, and indeed
i found

  commit 852c2ed260
  Author: Rich Salz 
  AuthorDate: 2019-12-19 17:30:24 -0500
  Commit: Tomas Mraz 
  CommitDate: 2020-04-24 16:42:46 +0200

  In OpenSSL builds, declare STACK for datatypes ...

So i try that now.
Ciao from Germany, a nice Sunday, and Good luck!

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)


Re: OpenSSL version 3.0.0-alpha1 published

2020-04-25 Thread Salz, Rich via openssl-users
>I do not understand one thing at the moment.  If i use
no-deprecated then the stack handling is not available:

If you use no-deprecated you have to use DEFINE_STACK_OF in exactly one file.  
And use DECLARE_STACK in your common header file.
Let me know if this works, or not, for you.




Re: OpenSSL version 3.0.0-alpha1 published

2020-04-25 Thread Steffen Nurpmeso
Hello once more.

OpenSSL wrote in
<20200423142936.ga24...@openssl.org>:
 |   OpenSSL version 3.0 alpha 1 released

I do not understand one thing at the moment.  If i use
no-deprecated then the stack handling is not available:

  /*
   * If we're building OpenSSL, or we have no-deprecated configured,
   * then we don't define the inline functions (see |SKM_DEFINE_STACK_OF|,
   * above), we just declare the stack datatypes. Otherwise, for compatibility
   * and to not remove the API's, we define the functions.  We have the
   * trailing semicolon so that uses of this never need it.
   */
  #if defined(OPENSSL_BUILDING_OPENSSL) || defined(OPENSSL_NO_DEPRECATED_3_0)
  # define DEFINE_OR_DECLARE_STACK_OF(s) STACK_OF(s);

This of course results in all the stack things not being
available, for example

  /.../xtls.c:1444:20: warning: implicit declaration of function 'sk_X509_num'; 
did you mean 'X509_new'? [-Wimplicit-function-declaration]
  for (i = 0; i < sk_X509_num(certs); ++i) {

How can i access stacks without those accessors?
Is this documented somewhere, i stopped searching for answers
anywhere else, which is why i write this.

Ciao and thank you,

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)


Re: OpenSSL version 3.0.0-alpha1 published

2020-04-24 Thread Steffen Nurpmeso
Hello and Good Evening!

Matt Caswell wrote in
<94a03020-9f9e-cf31-c3e7-88fa4579b...@openssl.org>:
 |On 24/04/2020 16:12, Steffen Nurpmeso wrote:
 |make: *** [Makefile:2801: build_sw] Error 2
 |> 
 |> I have to go now, maybe this all goes away if i get myself the
 |> Test::Builder::TodoDiag perl module?
 |
 |I doubt it. This isn't code in the tests.

Ok, i have updated to git master as of ~30 minutes ago and
searched the net for that perl module, it is part of
Test-Simple-1.302175 which i extracted into external/perl, then
i did "echo Test-Simple-1.302175/lib >> MODULES.txt", updated my
openssl-blade: make rule to

  --prefix=$(MYPREFIX) \
zlib-dynamic shared no-deprecated threads no-tests no-async
-Wl,-rpath,'$(LIBRPATH)'

and with this compilation succeeds!
It is _incredibly_ fast!  Wow!

Well, i do not know.  I am on CRUX-Linux version 3.5, which is
less than a year old.  Crucial packages like libc and perl (and
i think these are all) are not updated in between releases, the
kernel is up to you, the rest is rolling.

 |Try adding this line with the other includes at the top of the
 |providers/implementations/signature/dsa.c file:
 |
 |#include "internal/packet.h"
 |
 |I don't see it listed there already...I wonder why no one has got this
 |compilation error before now?

I tried that first, but it was a dead-end.

Thanks, ciao, and good luck! from Germany,

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)


Re: OpenSSL version 3.0.0-alpha1 published

2020-04-24 Thread Sergio NNX
  * Windows 10 x64
  * GCC 8.3.0 x86_64

$ openssl version -a

OpenSSL 3.0.0-alpha1 "23 Apr 2020" (Library: OpenSSL 3.0.0-alpha1 "23 Apr 2020")
built on: Fri Apr 24 18:14:53 2020 UTC
platform: mingw64
options:  bn(64,64)
compiler: /mingw/bin/gcc.exe -m64 -DWINVER=0x0501 -D_WIN32_WINNT=0x0501 
-D_WIN32_IE=0x0501 -D__PTW32_STATIC_LIB -D__PTW32_CLEANUP_C -m64 -O2 -pipe 
-mms-bitfields -fno-builtin -march=core2 -mtune=core2 -DL_ENDIAN 
-DOPENSSL_BUILDING_OPENSSL -DOPENSSL_PIC -DUNICODE -D_UNICODE 
-DWIN32_LEAN_AND_MEAN -D_MT -DZLIB -DNDEBUG -I/mingw/x86_64-pc-mingw32/include 
-I/mingw/x86_64-pc-mingw32/include/directx -I/mingw/include
OPENSSLDIR: "C:/OpenSSL"
ENGINESDIR: "C:/MinGW/lib/engines-3"
MODULESDIR: "C:/MinGW/lib/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0x7ffaf3bfffeb:0x29c67af


Some issues found:

on.obj crypto/cversion.c
In file included from include/openssl/macros.h:11,
 from include/openssl/opensslconf.h:14,
 from include/openssl/macros.h:10,
 from include/openssl/crypto.h:15,
 from include/internal/cryptlib.h:23,
 from crypto/cversion.c:10:
crypto/cversion.c: In function 'OpenSSL_version':
include/openssl/opensslv.h:91:54: error: expected ';' before numeric constant
 # define OPENSSL_VERSION_TEXT "OpenSSL 3.0.0-alpha1 "23 Apr 2020""
  ^~
crypto/cversion.c:50:16: note: in expansion of macro 'OPENSSL_VERSION_TEXT'
 return OPENSSL_VERSION_TEXT;
^~~~
make[1]: *** [crypto/libcrypto-lib-cversion.obj] Error 1
make[1]: Leaving directory `/src/openssl-3.0.0-alpha1'
make: *** [build_sw] Error 2




From: openssl-users  on behalf of OpenSSL 

Sent: Friday, 24 April 2020 12:29 AM
To: openssl-proj...@openssl.org ; OpenSSL User 
Support ML ; OpenSSL Announce ML 

Subject: OpenSSL version 3.0.0-alpha1 published



   OpenSSL version 3.0 alpha 1 released
   

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 3.0 is currently in alpha.

   OpenSSL 3.0 alpha 1 has now been made available.

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well
   as known issues are available on the OpenSSL Wiki, here:

https://wiki.openssl.org/index.php/OpenSSL_3.0

   The alpha release is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

 * https://www.openssl.org/source/
 * ftp://ftp.openssl.org/source/

   The distribution file name is:

o openssl-3.0.0-alpha1.tar.gz
  Size: 9530120
  SHA1 checksum:  4db145d3d9c9d7bfaa7b2a1fe1670f7a3781bb06
  SHA256 checksum:  
9d5be9122194ad1d649254de5e72afd329252f134791389d0cef627b18ed9a57

   The checksums were calculated using the following commands:

openssl sha1 openssl-3.0.0-alpha1.tar.gz
openssl sha256 openssl-3.0.0-alpha1.tar.gz

   Please download and check this $LABEL release as soon as possible.
   To report a bug, open an issue on GitHub:

https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.



Re: OpenSSL version 3.0.0-alpha1 published

2020-04-24 Thread The Doctor
On Fri, Apr 24, 2020 at 09:51:48AM -0600, The Doctor wrote:
> All right, I am testing 3.0 alpha 2 using sshd and squid on FreeBSD 12.1.
> I will also test on httpd, php 74 et al.
> 
> So far openssh 8.2p1 and openssl 2.0 are working.
>

And squid 5.0.2

> -- 
> Member - Liberal International This is doctor@@nl2k.ab.ca Ici 
> doctor@@nl2k.ab.ca
> Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist 
> rising!
> https://www.empire.kred/ROOTNK?t=94a1f39b  Look at Psalms 14 and 53 on Atheism
> Joy is not in things; it is in us.  -Richard Wagner

-- 
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b  Look at Psalms 14 and 53 on Atheism
Joy is not in things; it is in us.  -Richard Wagner


Re: OpenSSL version 3.0.0-alpha1 published

2020-04-24 Thread Matt Caswell



On 24/04/2020 16:12, Steffen Nurpmeso wrote:
make: *** [Makefile:2801: build_sw] Error 2
> 
> I have to go now, maybe this all goes away if i get myself the
> Test::Builder::TodoDiag perl module?

I doubt it. This isn't code in the tests.

Try adding this line with the other includes at the top of the
providers/implementations/signature/dsa.c file:

#include "internal/packet.h"

I don't see it listed there already...I wonder why no one has got this
compilation error before now?

Matt


Re: OpenSSL version 3.0.0-alpha1 published

2020-04-24 Thread Yann Ylavic
On Fri, Apr 24, 2020 at 5:50 PM The Doctor  wrote:
>
> I will also test on httpd , php 74 et al.

This commit might help if you want to test httpd trunk/master:
https://github.com/apache/httpd/commit/316aea784d9423688ea38943d95d1d2b614fc921

Regards,
Yann.


Re: OpenSSL version 3.0.0-alpha1 published

2020-04-24 Thread Nicola Tuveri
At https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers there was
already an example of how to do this programmatically, and a link to the
manpage for the config file syntax.

I just added also a minimal config file example to load both the default
and the legacy provider in the default library context.


Cheers,

Nicola

On Fri, 24 Apr 2020 at 17:56, Sam Roberts  wrote:

> On Fri, Apr 24, 2020 at 1:05 AM Matt Caswell  wrote:
> > This one is interesting:
> >
> > ERR_OSSL_EVP_FETCH_FAILED
> >
> >
> > This means that the algorithm you are trying to use isn't available in
> > the loaded providers. Since you should be getting the default provider
> > loaded automatically it could be because some legacy algorithms were
> > moved to the legacy provider (MD2, MD4, MDC2, RMD160, CAST5, BF
> > (Blowfish), IDEA, SEED, RC2, RC4, RC5 and DES (but not 3DES)). If you're
> > using something from that list then that would explain it.
>
> Can we add the legacy provider, via configuration, or via code?
>


Re: OpenSSL version 3.0.0-alpha1 published

2020-04-24 Thread The Doctor
All right, I am testing 3.0 alpha 2 using sshd and squid on FreeBSD 12.1.
I will also test on httpd, php 74 et al.

So far openssh 8.2p1 and openssl 2.0 are working.

-- 
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b  Look at Psalms 14 and 53 on Atheism
Joy is not in things; it is in us.  -Richard Wagner


Re: OpenSSL version 3.0.0-alpha1 published

2020-04-24 Thread Sam Roberts
On Fri, Apr 24, 2020 at 1:05 AM Matt Caswell  wrote:
> This one is interesting:
>
> ERR_OSSL_EVP_FETCH_FAILED
>
>
> This means that the algorithm you are trying to use isn't available in
> the loaded providers. Since you should be getting the default provider
> loaded automatically it could be because some legacy algorithms were
> moved to the legacy provider (MD2, MD4, MDC2, RMD160, CAST5, BF
> (Blowfish), IDEA, SEED, RC2, RC4, RC5 and DES (but not 3DES)). If you're
> using something from that list then that would explain it.

Can we add the legacy provider, via configuration, or via code?


Re: OpenSSL version 3.0.0-alpha1 published

2020-04-24 Thread Steffen Nurpmeso
Hello!

OpenSSL wrote in
<20200423142936.ga24...@openssl.org>:
 |   OpenSSL version 3.0 alpha 1 released

That surely is "a great step" for you who work with that code!
Congratulations.

I get compile errors, maybe some config flags are not honoured
correctly yet?  So i am using a local git clone checkout at
[852c2ed260], configured via

  #?0|kent:openssl$ ./config \
--prefix=/home/steffen/usr-kent-linux-x86_64/opt/.ossl-3.0 \
zlib-dynamic no-hw shared no-deprecated no-async no-tests \
-Wl,-rpath,'$(LIBRPATH)'
  Operating system: x86_64-whatever-linux2
  * Deprecated options: no-hw
  Configuring OpenSSL version 3.0.0-alpha2-dev for target linux-x86_64
  Using os-specific seed configuration
  Creating configdata.pm
  Running configdata.pm
  Creating Makefile

  **
  ******
  ***   OpenSSL has been successfully configured ***
  ******
  ***   If you encounter a problem while building, please open an***
  ***   issue on GitHub   ***

I cannot open a GitHub issue, I have no GitHub account, and if
I were from Cuba, Iran or several different other states that my
parents had chosen etc etc etc.  Etc.  (I had an account ten years
or so ago, and wanted to pay for the service with cash, which they
did not want.  Only credit cards.  So I left.)

  ***   and include the output from the following command:   ***
  ******
  ***   perl configdata.pm --dump***
  ******
  ***   (If you are new to OpenSSL, you might want to consult the***
  ***   'Troubleshooting' section in the INSTALL file first) ***

This is INSTALL.md now.

  ******
  **

The "first" failure happens here, I wonder whether that shouldn't
be covered by "no-tests"?

  Can't locate Test/Builder/TodoDiag.pm in @INC (you may need to install the Test::Builder::TodoDiag module) (@INC contains: /tmp/openssl/util/perl . providers/common/der /home/steffen/src/symobj.git/lib /usr/lib/perl5/site_perl/5.28/linux-thread-multi /usr/lib/perl5/site_perl/5.28 /usr/lib/perl5/5.28/linux-thread-multi /usr/lib/perl5/5.28 /tmp/openssl/external/perl/Text-Template-1.56/lib) at /usr/lib/perl5/5.28/Test/Builder.pm line 38.
  BEGIN failed--compilation aborted at /usr/lib/perl5/5.28/Test/Builder.pm line 38.
  Compilation failed in require at /usr/lib/perl5/5.28/Test/Builder/Module.pm line 5.
  BEGIN failed--compilation aborted at /usr/lib/perl5/5.28/Test/Builder/Module.pm line 5.
  Compilation failed in require at /usr/lib/perl5/5.28/Test/More.pm line 22.
  BEGIN failed--compilation aborted at /usr/lib/perl5/5.28/Test/More.pm line 22.
  Compilation failed in require at /tmp/openssl/util/perl/OpenSSL/OID.pm line 309.
  BEGIN failed--compilation aborted at /tmp/openssl/util/perl/OpenSSL/OID.pm line 309.
  Compilation failed in require at providers/common/der/oids_to_c.pm line 16.
  BEGIN failed--compilation aborted at providers/common/der/oids_to_c.pm line 16.
  Compilation failed in require.
  BEGIN failed--compilation aborted.
  Can't locate Test/Builder/TodoDiag.pm in @INC (you may need to install the Test::Builder::TodoDiag module) (@INC contains: /tmp/openssl/util/perl . providers/common/der /home/steffen/src/symobj.git/lib /usr/lib/perl5/site_perl/5.28/linux-thread-multi /usr/lib/perl5/site_perl/5.28 /usr/lib/perl5/5.28/linux-thread-multi /usr/lib/perl5/5.28 /tmp/openssl/external/perl/Text-Template-1.56/lib) at /usr/lib/perl5/5.28/Test/Builder.pm line 38.
  BEGIN failed--compilation aborted at /usr/lib/perl5/5.28/Test/Builder.pm line 38.
  Compilation failed in require at /usr/lib/perl5/5.28/Test/Builder/Module.pm line 5.
  BEGIN failed--compilation aborted at /usr/lib/perl5/5.28/Test/Builder/Module.pm line 5.
  Compilation failed in require at /usr/lib/perl5/5.28/Test/More.pm line 22.
  BEGIN failed--compilation aborted at /usr/lib/perl5/5.28/Test/More.pm line 22.
  Compilation failed in require at /tmp/openssl/util/perl/OpenSSL/OID.pm line 309.
  BEGIN failed--compilation aborted at /tmp/openssl/util/perl/OpenSSL/OID.pm line 309.
  Compilation failed in require at providers/common/der/oids_to_c.pm line 16.
  BEGIN failed--compilation aborted at providers/common/der/oids_to_c.pm line 16.
  Compilation failed in require.
  BEGIN failed--compilation aborted.
  make[1]: *** [Makefile:20051: providers/common/include/prov/der_ec.h] Error 2
  make[1]: *** Waiting for unfinished jobs
  make[1]: *** [Makefile:20039: providers/common/include/prov/der_dsa.h] Error 2
 

Re: OpenSSL version 3.0.0-alpha1 published

2020-04-24 Thread Matt Caswell



On 24/04/2020 13:15, Yann Ylavic wrote:
> On Fri, Apr 24, 2020 at 1:26 PM Yann Ylavic  wrote:
>>
>> - Custom input BIO_METHOD (using httpd filters' stack) asserted its
>> _ctrl() was never called, so far.
>> The new BIO_eof() calls in codebase, notably from ssl3_read_n(),
>> breaks this assertion.
>> Handling the case for BIO_CTRL_EOF made it, dunno if others may be
>> bitten by that.
> 
> BTW, what is a BIO supposed to do on BIO_CTRL_EOF request when there
> is no pending data, some kind of speculative read to check whether the
> connection is still up or returning zero lazily is fine?

I'd say returning 0 lazily is fine.

Matt



Re: OpenSSL version 3.0.0-alpha1 published

2020-04-24 Thread Matt Caswell



On 24/04/2020 12:26, Yann Ylavic wrote:
> Hi team,
> 
> I gave 3.0.0-alpha1 a try with Apache httpd.
> tl;dr it works with minimal changes, congrats!

That's great to hear. Thanks for the feedback Yann!

Matt



Re: OpenSSL version 3.0.0-alpha1 published

2020-04-24 Thread Yann Ylavic
On Fri, Apr 24, 2020 at 1:26 PM Yann Ylavic  wrote:
>
> - Custom input BIO_METHOD (using httpd filters' stack) asserted its
> _ctrl() was never called, so far.
> The new BIO_eof() calls in codebase, notably from ssl3_read_n(),
> breaks this assertion.
> Handling the case for BIO_CTRL_EOF made it, dunno if others may be
> bitten by that.

BTW, what is a BIO supposed to do on BIO_CTRL_EOF request when there
is no pending data, some kind of speculative read to check whether the
connection is still up or returning zero lazily is fine?

Regards,
Yann.


Re: OpenSSL version 3.0.0-alpha1 published

2020-04-24 Thread Yann Ylavic
Hi team,

I gave 3.0.0-alpha1 a try with Apache httpd.
tl;dr it works with minimal changes, congrats!

The changes needed on httpd side:

- SSL_CTX_load_verify_locations() and X509_STORE_load_locations()
Replaced by {SSL_CTX,X509_STORE}_load_verify_file() +
{SSL_CTX,X509_STORE}_load_verify_{dir,path}().
I.e. open coding.

- DH_bits(dh) (used for logging only in httpd)
Replaced by BN_num_bits(DH_get0_p(dh)).
Not sure this one should be deprecated, it seems to be used in several
places in openssl codebase still, no replacement?

- SSL_CTX_set_tlsext_ticket_key_cb()
Replaced by SSL_CTX_set_tlsext_ticket_key_evp_cb() because of HMAC_Init_ex().
With a bit of #ifdef-ery (for compatibility), the openssl-3 version
uses EVP_MAC_CTX_set_params() for HMAC, per man page.

- ERR_peek_error_line_data() => ERR_peek_error_data()
Easy one.

- Custom input BIO_METHOD (using httpd filters' stack) asserted its
_ctrl() was never called, so far.
The new BIO_eof() calls in codebase, notably from ssl3_read_n(),
breaks this assertion.
Handling the case for BIO_CTRL_EOF made it, dunno if others may be
bitten by that.

And that's all, no intensive testing done yet, but at least the
(automatic) tests framework passes locally, nice work!

Thanks,
Yann.


Re: OpenSSL version 3.0.0-alpha1 published

2020-04-24 Thread Matt Caswell



On 24/04/2020 00:05, Sam Roberts wrote:
> Fwiw, took a quick run at building and testing Node.js against the 3.x beta.
> 
> It was API compatible enough to build.

Good to hear!

> The DH_, ECDH_, HMAC_, etc.
> deprecations make sense, will look at those.
> 
> My assumption is that EVP versions of these exist in openssl 1.1.1,
> and that if we switch our openssl 1.1.1 code to using the EVP APIs,
> that that code will then work unchanged when we update to openssl 3.x?

Yes.

For DH_ and ECDH_ use EVP_PKEY_derive*:

https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_derive.html


HMAC_ is a bit more complicated. The preferred way of doing this is to
use the EVP_MAC_* API.

https://www.openssl.org/docs/manmaster/man3/EVP_MAC.html

However this API is newly added in 3.0. You can calculate an HMAC via
EVP in 1.1.1 (and this way still works in 3.0), but frankly the old way
of doing things is a bit of hack. It does work though. There is an
example on the wiki:

https://wiki.openssl.org/index.php/EVP_Signing_and_Verifying


> 
> ERR_func_error_string, what is its replacement? I didn't see it
> mentioned in the wiki, but it's marked deprecated.
> 
> Tests didn't go so well. Minor changes in error strings are to be
> expected, but more than that changed.
> 
> I haven't looked at these yet other than scan the output, we might be
> relying on internals, but just for anyone curious, here's the test
> output:

Relying on internals would explain it. Or it's also entirely possible
that we accidentally broke something. I look forward to seeing the
results of your investigations.

> 
> https://gist.github.com/sam-github/5a3b3775029efb3d31109d7e6e390f85
> 

Scanning the output I notice a couple of things.

There's a number of these:

ERR_OSSL_DH_MODULUS_TOO_SMALL

There is this in the CHANGES.md file which might explain it:

 * Enforce a minimum DH modulus size of 512 bits.


This one is interesting:

ERR_OSSL_EVP_FETCH_FAILED


This means that the algorithm you are trying to use isn't available in
the loaded providers. Since you should be getting the default provider
loaded automatically it could be because some legacy algorithms were
moved to the legacy provider (MD2, MD4, MDC2, RMD160, CAST5, BF
(Blowfish), IDEA, SEED, RC2, RC4, RC5 and DES (but not 3DES)). If you're
using something from that list then that would explain it.

Matt



Re: OpenSSL version 3.0.0-alpha1 published

2020-04-24 Thread Tomas Mraz
On Thu, 2020-04-23 at 16:05 -0700, Sam Roberts wrote:
> Fwiw, took a quick run at building and testing Node.js against the
> 3.x beta.
> 
> It was API compatible enough to build. The DH_, ECDH_, HMAC_, etc.
> deprecations make sense, will look at those.
> 
> My assumption is that EVP versions of these exist in openssl 1.1.1,
> and that if we switch our openssl 1.1.1 code to using the EVP APIs,
> that that code will then work unchanged when we update to openssl 3.x?
> 
> ERR_func_error_string, what is its replacement? I didn't see it
> mentioned in the wiki, but it's marked deprecated.

There is no replacement. The function code part of the error code is
always set to zero. I've now mentioned it in the Wiki page.

https://wiki.openssl.org/index.php/OpenSSL_3.0#Other_notable_deprecations_and_changes

-- 
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
  Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]




Re: OpenSSL version 3.0.0-alpha1 published

2020-04-23 Thread Sam Roberts
Fwiw, took a quick run at building and testing Node.js against the 3.x beta.

It was API compatible enough to build. The DH_, ECDH_, HMAC_, etc.
deprecations make sense, will look at those.

My assumption is that EVP versions of these exist in openssl 1.1.1,
and that if we switch our openssl 1.1.1 code to using the EVP APIs,
that that code will then work unchanged when we update to openssl 3.x?

ERR_func_error_string, what is its replacement? I didn't see it
mentioned in the wiki, but it's marked deprecated.

Tests didn't go so well. Minor changes in error strings are to be
expected, but more than that changed.

I haven't looked at these yet other than scan the output, we might be
relying on internals, but just for anyone curious, here's the test
output:

https://gist.github.com/sam-github/5a3b3775029efb3d31109d7e6e390f85


Re: OpenSSL version 3.0.0-alpha1 published

2020-04-23 Thread Matt Caswell



On 23/04/2020 18:01, Sam Roberts wrote:
> Resending to -users.
>
> On Thu, Apr 23, 2020 at 9:58 AM Sam Roberts  wrote:
>>
>> Seems to be something wrong with the way config is generating the
>> version strings:
>> gcc  -Icrypto -I. -Iinclude -Iproviders/common/include
>> -Iproviders/implementations/include -Icrypto/include  -DAES_ASM
>> -DBSAES_ASM -DCMLL_ASM -DECP_NISTZ256_ASM -DGHASH_ASM -DKECCAK1600_ASM
>> -DMD5_ASM -DOPENSSL_BN_ASM_GF2m -DOPENSSL_BN_ASM_MONT
>> -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2
>> -DPOLY1305_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM
>> -DWHIRLPOOL_ASM -DX25519_ASM -fPIC -pthread -m64 -Wa,--noexecstack
>> -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_BUILDING_OPENSSL
>> -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\""
>> -DENGINESDIR="\"/usr/local/lib/engines-3\""
>> -DMODULESDIR="\"/usr/local/lib/ossl-modules\"" -DNDEBUG  -MMD -MF
>> crypto/libcrypto-lib-cversion.d.tmp -MT
>> crypto/libcrypto-lib-cversion.o -c -o crypto/libcrypto-lib-cversion.o
>> crypto/cversion.c
>> In file included from include/openssl/macros.h:11,
>>  from include/openssl/opensslconf.h:14,
>>  from include/openssl/macros.h:10,
>>  from include/openssl/crypto.h:15,
>>  from include/internal/cryptlib.h:23,
>>  from crypto/cversion.c:10:
>> crypto/cversion.c: In function 'OpenSSL_version':
>> include/openssl/opensslv.h:91:54: error: expected ';' before numeric constant
>>91 | # define OPENSSL_VERSION_TEXT "OpenSSL 3.0.0-alpha1 "23 Apr 2020""
>>   |  ^~
>> crypto/cversion.c:50:16: note: in expansion of macro 'OPENSSL_VERSION_TEXT'
>>50 | return OPENSSL_VERSION_TEXT;
>>   |^~~~
>> make[1]: *** [Makefile:15616: crypto/libcrypto-lib-cversion.o] Error 1
>> make[1]: Leaving directory '/home/sam/s/openssl-3.0.0-alpha1'
>> make: *** [Makefile:3009: build_sw] Error 2
>>
>>
>> I'm on Linux, just did a `./config; make`.
>>
>> It's fairly obvious what the string should have been, I edited and am
>> continuing with the build.


Yes - very annoying. The release scripts added the date in a commit and
broke the build - then they added another commit to remove it again
ready for the next release - and everything works again. So from git's
point of view it worked before and it worked after...just not in the
actual release!!!

The workaround is straightforward (remove the quotes from the
RELEASE_DATE line in the VERSION file). I've added some notes to the 3.0
release notes on the wiki about it.

Matt




>>
>>
>> On Thu, Apr 23, 2020 at 7:29 AM OpenSSL  wrote:
>>>
> 
>OpenSSL version 3.0 alpha 1 released
>
> 
>OpenSSL - The Open Source toolkit for SSL/TLS
>https://www.openssl.org/
> 
>OpenSSL 3.0 is currently in alpha.
> 
>OpenSSL 3.0 alpha 1 has now been made available.
> 
>Note: This OpenSSL pre-release has been provided for testing ONLY.
>It should NOT be used for security critical purposes.
> 
>Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well
>as known issues are available on the OpenSSL Wiki, here:
> 
> https://wiki.openssl.org/index.php/OpenSSL_3.0
> 
>The alpha release is available for download via HTTPS and FTP from the
>following master locations (you can find the various FTP mirrors under
>https://www.openssl.org/source/mirror.html):
> 
>  * https://www.openssl.org/source/
>  * ftp://ftp.openssl.org/source/
> 
>The distribution file name is:
> 
> o openssl-3.0.0-alpha1.tar.gz
>   Size: 9530120
>   SHA1 checksum:  4db145d3d9c9d7bfaa7b2a1fe1670f7a3781bb06
>   SHA256 checksum:  
> 9d5be9122194ad1d649254de5e72afd329252f134791389d0cef627b18ed9a57
> 
>The checksums were calculated using the following commands:
> 
> openssl sha1 openssl-3.0.0-alpha1.tar.gz
> openssl sha256 openssl-3.0.0-alpha1.tar.gz
> 
>Please download and check this $LABEL release as soon as possible.
>To report a bug, open an issue on GitHub:
> 
> https://github.com/openssl/openssl/issues
> 
>Please check the release notes and mailing lists to avoid duplicate
>reports of known issues. (Of course, the source is also available
>on GitHub.)
> 
>Yours,
> 
>The OpenSSL Project Team.
> 
>


Re: OpenSSL version 3.0.0-alpha1 published

2020-04-23 Thread Sam Roberts
Resending to -users.

On Thu, Apr 23, 2020 at 9:58 AM Sam Roberts  wrote:
>
> Seems to be something wrong with the way config is generating the
> version strings:
> gcc  -Icrypto -I. -Iinclude -Iproviders/common/include
> -Iproviders/implementations/include -Icrypto/include  -DAES_ASM
> -DBSAES_ASM -DCMLL_ASM -DECP_NISTZ256_ASM -DGHASH_ASM -DKECCAK1600_ASM
> -DMD5_ASM -DOPENSSL_BN_ASM_GF2m -DOPENSSL_BN_ASM_MONT
> -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2
> -DPOLY1305_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM
> -DWHIRLPOOL_ASM -DX25519_ASM -fPIC -pthread -m64 -Wa,--noexecstack
> -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_BUILDING_OPENSSL
> -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\""
> -DENGINESDIR="\"/usr/local/lib/engines-3\""
> -DMODULESDIR="\"/usr/local/lib/ossl-modules\"" -DNDEBUG  -MMD -MF
> crypto/libcrypto-lib-cversion.d.tmp -MT
> crypto/libcrypto-lib-cversion.o -c -o crypto/libcrypto-lib-cversion.o
> crypto/cversion.c
> In file included from include/openssl/macros.h:11,
>  from include/openssl/opensslconf.h:14,
>  from include/openssl/macros.h:10,
>  from include/openssl/crypto.h:15,
>  from include/internal/cryptlib.h:23,
>  from crypto/cversion.c:10:
> crypto/cversion.c: In function 'OpenSSL_version':
> include/openssl/opensslv.h:91:54: error: expected ';' before numeric constant
>91 | # define OPENSSL_VERSION_TEXT "OpenSSL 3.0.0-alpha1 "23 Apr 2020""
>   |  ^~
> crypto/cversion.c:50:16: note: in expansion of macro 'OPENSSL_VERSION_TEXT'
>50 | return OPENSSL_VERSION_TEXT;
>   |^~~~
> make[1]: *** [Makefile:15616: crypto/libcrypto-lib-cversion.o] Error 1
> make[1]: Leaving directory '/home/sam/s/openssl-3.0.0-alpha1'
> make: *** [Makefile:3009: build_sw] Error 2
>
>
> I'm on Linux, just did a `./config; make`.
>
> It's fairly obvious what the string should have been, I edited and am
> continuing with the build.
>
>
> On Thu, Apr 23, 2020 at 7:29 AM OpenSSL  wrote:
> >
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> >
> >OpenSSL version 3.0 alpha 1 released
> >
> >
> >OpenSSL - The Open Source toolkit for SSL/TLS
> >https://www.openssl.org/
> >
> >OpenSSL 3.0 is currently in alpha.
> >
> >OpenSSL 3.0 alpha 1 has now been made available.
> >
> >Note: This OpenSSL pre-release has been provided for testing ONLY.
> >It should NOT be used for security critical purposes.
> >
> >Specific notes on upgrading to OpenSSL 3.0 from previous versions, as 
> > well
> >as known issues are available on the OpenSSL Wiki, here:
> >
> > https://wiki.openssl.org/index.php/OpenSSL_3.0
> >
> >The alpha release is available for download via HTTPS and FTP from the
> >following master locations (you can find the various FTP mirrors under
> >https://www.openssl.org/source/mirror.html):
> >
> >  * https://www.openssl.org/source/
> >  * ftp://ftp.openssl.org/source/
> >
> >The distribution file name is:
> >
> > o openssl-3.0.0-alpha1.tar.gz
> >   Size: 9530120
> >   SHA1 checksum:  4db145d3d9c9d7bfaa7b2a1fe1670f7a3781bb06
> >   SHA256 checksum:  
> > 9d5be9122194ad1d649254de5e72afd329252f134791389d0cef627b18ed9a57
> >
> >The checksums were calculated using the following commands:
> >
> > openssl sha1 openssl-3.0.0-alpha1.tar.gz
> > openssl sha256 openssl-3.0.0-alpha1.tar.gz
> >
> >Please download and check this $LABEL release as soon as possible.
> >To report a bug, open an issue on GitHub:
> >
> > https://github.com/openssl/openssl/issues
> >
> >Please check the release notes and mailing lists to avoid duplicate
> >reports of known issues. (Of course, the source is also available
> >on GitHub.)
> >
> >Yours,
> >
> >The OpenSSL Project Team.
> >
> > -BEGIN PGP SIGNATURE-
> >
> > iQEzBAEBCAAdFiEEhlersmDwVrHlGQg52cTSbQ5gRJEFAl6hpQcACgkQ2cTSbQ5g
> > RJHvtggAp7XIxm/00amD4TijQhJqMmGsj0RXqwAeSd0gWDQCf78GX4zMIW/tTgvk
> > I3Mb67DsOR5gdPZN5TigyqRaXSIAzfb8ZT4Gs9lo/j8RUi5AmzT2RYexbRv6bF6E
> > cQ0OabM3rk4qi4njTi/YD9YihO6/pv7tWZkkfPsN547bfm7p7fwCrEHw02En5IW8
> > hyFhkpKfA3c8MEa96yLwjhkYRTAzUmxus/mNID+Ja3/VTCmHjd1c57SHFPq9noll
> > Wqzhs3jEhluZKHpwmSSA0KQh1ph0kh6fnKLEn3Oge5dYV3P+JrFCRfDEMsI1Nb/F
> > hIr11rxXNxtBRKUSlOUyJATZn0sV6g==
> > =uRpM
> > -END PGP SIGNATURE-