Hi Tim,

thanks for the patch. I did a test build and can confirm that it works.
I am now preparing an upload to Debian proper. Should come within the
next few hours.

Thanks for taking care of this issue!

Michael

On Sat, Nov 26, 2016 at 04:50:21PM -0600, Tim Theisen wrote:
> I have been working on getting HTCondor working with OpenSSL 1.1.
> 
> Although we would prefer to compile with VOMS support, it is preferable
> to turn this off, rather than miss getting into stretch. I have a patch
> to turn off compilation with VOMS. (rules.patch) We should revert this
> patch when the VOMS folks fix up their OpenSSL issues.
> 
> Once the VOMS dependency was eliminated, I found a few minor changes
> that needed to be addressed within HTCondor itself. I have included a
> patch to 8.4.9 (OpenSSL1.1.patch). This update will be released as part
> of the HTCondor 8.4.10 release, expected on December 1st.
> 
> Let me know if you need anything more, ...Tim
> 
> On 11/04/2016 06:31 AM, Michael Hanke wrote:
> > Relaying information from upstream's triaging:
> >
> >
> > ------------
> > I concluded that the problem was not with HTCondor. It had to do with the
> > following packages: libglobus-gsi-proxy-core, libglobus-gsi-proxy-ssl and
> > voms. The Globus folks addressed the first two issues. However, the VOMS 
> > issue
> > (#828595) is a blocker for us.
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828595
> > https://github.com/italiangrid/voms/issues/50
> > ------------
> > _______________________________________________
> > htcondor-debian mailing list
> > htcondor-deb...@cs.wisc.edu
> > https://lists.cs.wisc.edu/mailman/listinfo/htcondor-debian
> 
> -- 
> Tim Theisen
> Release Manager
> HTCondor & Open Science Grid
> Center for High Throughput Computing
> Department of Computer Sciences
> University of Wisconsin - Madison
> 4261 Computer Sciences and Statistics
> 1210 W Dayton St
> Madison, WI 53706-1685
> +1 608 265 5736
> 

> diff --git a/src/condor_includes/condor_crypt_3des.h 
> b/src/condor_includes/condor_crypt_3des.h
> index e2967d8..dc29b6a 100644
> --- a/src/condor_includes/condor_crypt_3des.h
> +++ b/src/condor_includes/condor_crypt_3des.h
> @@ -61,7 +61,7 @@ class Condor_Crypt_3des : public Condor_Crypt_Base {
>      //------------------------------------------
>      // Private constructor
>      //------------------------------------------
> -    des_key_schedule  keySchedule1_, keySchedule2_, keySchedule3_;
> +    DES_key_schedule  keySchedule1_, keySchedule2_, keySchedule3_;
>      unsigned char     ivec_[8];
>      int               num_;
>  };
> diff --git a/src/condor_io/condor_auth_ssl.cpp 
> b/src/condor_io/condor_auth_ssl.cpp
> index b8bb6cf..3c366b3 100644
> --- a/src/condor_io/condor_auth_ssl.cpp
> +++ b/src/condor_io/condor_auth_ssl.cpp
> @@ -36,7 +36,9 @@
>  #endif
>  
>  // Symbols from libssl
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
>  static long (*SSL_CTX_ctrl_ptr)(SSL_CTX *, int, long, void *) = NULL;
> +#endif
>  static void (*SSL_CTX_free_ptr)(SSL_CTX *) = NULL;
>  static int (*SSL_CTX_load_verify_locations_ptr)(SSL_CTX *, const char *, 
> const char *) = NULL;
>  #if OPENSSL_VERSION_NUMBER < 0x10000000L
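Review bot: Guarding `SSL_CTX_ctrl_ptr` out of the >= 1.1 build leaves that configuration with no way to set context options, so the two `SSL_CTRL_OPTIONS` calls in the setup_ssl_ctx hunks further down (the `SSL_OP_NO_SSLv2` one and the `SSL_OP_ALL|SSL_OP_NO_SSLv2` one) are compiled out rather than replaced, and the same guard is repeated in the two Initialize() hunks that resolve and assign the pointer. SSLv2 no longer exists in 1.1, so that particular flag is moot there, but the new branch ends up with no option hardening on the context and no place to add, for example, `SSL_OP_NO_SSLv3` later. In 1.1 `SSL_CTX_set_options` is an ordinary exported function rather than a macro over `SSL_CTX_ctrl`, so declaring `static unsigned long (*SSL_CTX_set_options_ptr)(SSL_CTX *, unsigned long) = NULL;` under an `#else` of this guard, resolving it with dlsym in Initialize() (and assigning `SSL_CTX_set_options` directly in the static-link branch), would keep a working hook; the `#if` in setup_ssl_ctx could then choose between the ctrl call and `(*SSL_CTX_set_options_ptr)( ctx, ... )` instead of dropping the call. The declaration run this hunk sits in continues past the hunk on both sides.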
> @@ -55,8 +57,12 @@ static void (*SSL_free_ptr)(SSL *) = NULL;
>  static int (*SSL_get_error_ptr)(const SSL *, int) = NULL;
>  static X509 *(*SSL_get_peer_certificate_ptr)(const SSL *) = NULL;
>  static long (*SSL_get_verify_result_ptr)(const SSL *) = NULL;
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
>  static int (*SSL_library_init_ptr)() = NULL;
>  static void (*SSL_load_error_strings_ptr)() = NULL;
> +#else
> +static int (*OPENSSL_init_ssl_ptr)(uint64_t, const OPENSSL_INIT_SETTINGS *) 
> = NULL;
> +#endif
>  static SSL *(*SSL_new_ptr)(SSL_CTX *) = NULL;
>  static int (*SSL_read_ptr)(SSL *, void *, int) = NULL;
>  static void (*SSL_set_bio_ptr)(SSL *, BIO *, BIO *) = NULL;
> @@ -79,7 +85,11 @@ Condor_Auth_SSL :: Condor_Auth_SSL(ReliSock * sock, int /* 
> remote */)
>  
>  Condor_Auth_SSL :: ~Condor_Auth_SSL()
>  {
> +#if OPENSSL_VERSION_NUMBER < 0x10000000L
>      ERR_remove_state( 0 );
> +#elif OPENSSL_VERSION_NUMBER < 0x10100000L
> +    ERR_remove_thread_state( 0 );
> +#endif
>       if(m_crypto) delete(m_crypto);
>  }
>  
> @@ -96,7 +106,9 @@ bool Condor_Auth_SSL::Initialize()
>  
>       if ( Condor_Auth_Kerberos::Initialize() == false ||
>                (dl_hdl = dlopen(LIBSSL_SO, RTLD_LAZY)) == NULL ||
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
>                !(SSL_CTX_ctrl_ptr = (long (*)(SSL_CTX *, int, long, void 
> *))dlsym(dl_hdl, "SSL_CTX_ctrl")) ||
> +#endif
>                !(SSL_CTX_free_ptr = (void (*)(SSL_CTX *))dlsym(dl_hdl, 
> "SSL_CTX_free")) ||
>                !(SSL_CTX_load_verify_locations_ptr = (int (*)(SSL_CTX *, 
> const char *, const char *))dlsym(dl_hdl, "SSL_CTX_load_verify_locations")) ||
>  #if OPENSSL_VERSION_NUMBER < 0x10000000L
> @@ -115,8 +127,12 @@ bool Condor_Auth_SSL::Initialize()
>                !(SSL_get_error_ptr = (int (*)(const SSL *, int))dlsym(dl_hdl, 
> "SSL_get_error")) ||
>                !(SSL_get_peer_certificate_ptr = (X509 *(*)(const SSL 
> *))dlsym(dl_hdl, "SSL_get_peer_certificate")) ||
>                !(SSL_get_verify_result_ptr = (long (*)(const SSL 
> *))dlsym(dl_hdl, "SSL_get_verify_result")) ||
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
>                !(SSL_library_init_ptr = (int (*)())dlsym(dl_hdl, 
> "SSL_library_init")) ||
>                !(SSL_load_error_strings_ptr = (void (*)())dlsym(dl_hdl, 
> "SSL_load_error_strings")) ||
> +#else
> +              !(OPENSSL_init_ssl_ptr = (int (*)(uint64_t, const 
> OPENSSL_INIT_SETTINGS *))dlsym(dl_hdl, "OPENSSL_init_ssl")) ||
> +#endif
>                !(SSL_new_ptr = (SSL *(*)(SSL_CTX *))dlsym(dl_hdl, "SSL_new")) 
> ||
>                !(SSL_read_ptr = (int (*)(SSL *, void *, int))dlsym(dl_hdl, 
> "SSL_read")) ||
>                !(SSL_set_bio_ptr = (void (*)(SSL *, BIO *, BIO 
> *))dlsym(dl_hdl, "SSL_set_bio")) ||
> @@ -141,7 +157,9 @@ bool Condor_Auth_SSL::Initialize()
>               m_initSuccess = true;
>       }
>  #else
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
>       SSL_CTX_ctrl_ptr = SSL_CTX_ctrl;
> +#endif
>       SSL_CTX_free_ptr = SSL_CTX_free;
>       SSL_CTX_load_verify_locations_ptr = SSL_CTX_load_verify_locations;
>       SSL_CTX_new_ptr = SSL_CTX_new;
> @@ -156,8 +174,12 @@ bool Condor_Auth_SSL::Initialize()
>       SSL_get_error_ptr = SSL_get_error;
>       SSL_get_peer_certificate_ptr = SSL_get_peer_certificate;
>       SSL_get_verify_result_ptr = SSL_get_verify_result;
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
>       SSL_library_init_ptr = SSL_library_init;
>       SSL_load_error_strings_ptr = SSL_load_error_strings;
> +#else
> +     OPENSSL_init_ssl_ptr = OPENSSL_init_ssl;
> +#endif
>       SSL_new_ptr = SSL_new;
>       SSL_read_ptr = SSL_read;
>       SSL_set_bio_ptr = SSL_set_bio;
> @@ -747,10 +769,17 @@ Condor_Auth_SSL::unwrap(char *   input,
>  
>  int Condor_Auth_SSL :: init_OpenSSL(void)
>  {
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
>      if (!(*SSL_library_init_ptr)()) {
>          return AUTH_SSL_ERROR;
>      }
>      (*SSL_load_error_strings_ptr)();
> +#else
> +    if (!(*OPENSSL_init_ssl_ptr)(OPENSSL_INIT_LOAD_SSL_STRINGS \
> +                               | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL)) {
> +        return AUTH_SSL_ERROR;
> +    }
> +#endif
>      // seed_pnrg(); TODO: 
>      return AUTH_SSL_A_OK;
>  }
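Review bot: The backslash ending `OPENSSL_INIT_LOAD_SSL_STRINGS \` is a macro-style line continuation inside an ordinary expression; the argument list already spans the line break, so the `\` is noise and the condition reads better as a single `if (!(*OPENSSL_init_ssl_ptr)(OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL)) {`. The error handling of the new branch mirrors the old one (non-zero is success, failure maps to `AUTH_SSL_ERROR`), which matches the return convention of `OPENSSL_init_ssl`. The `// seed_pnrg(); TODO:` line below is pre-existing and remains unaddressed on both branches.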
> @@ -1125,9 +1154,11 @@ SSL_CTX *Condor_Auth_SSL :: setup_ssl_ctx( bool 
> is_server )
>               goto setup_server_ctx_err;
>       }
>  
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
>       // disable SSLv2.  it has vulnerabilities.
>       //SSL_CTX_set_options( ctx, SSL_OP_NO_SSLv2 );
>       (*SSL_CTX_ctrl_ptr)( ctx, SSL_CTRL_OPTIONS, SSL_OP_NO_SSLv2, NULL );
> +#endif
>  
>      if( (*SSL_CTX_load_verify_locations_ptr)( ctx, cafile, cadir ) != 1 ) {
>          ouch( "Error loading CA file and/or directory\n" );
> @@ -1147,8 +1178,10 @@ SSL_CTX *Condor_Auth_SSL :: setup_ssl_ctx( bool 
> is_server )
>               // TODO where's this?
>      (*SSL_CTX_set_verify_ptr)( ctx, SSL_VERIFY_PEER, verify_callback ); 
>      (*SSL_CTX_set_verify_depth_ptr)( ctx, 4 ); // TODO arbitrary?
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
>      //SSL_CTX_set_options( ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2 );
>      (*SSL_CTX_ctrl_ptr)( ctx, SSL_CTRL_OPTIONS, SSL_OP_ALL|SSL_OP_NO_SSLv2, 
> NULL );
> +#endif
>      if((*SSL_CTX_set_cipher_list_ptr)( ctx, cipherlist ) != 1 ) {
>          ouch( "Error setting cipher list (no valid ciphers)\n" );
>          goto setup_server_ctx_err;
> diff --git a/src/condor_io/condor_crypt_3des.cpp 
> b/src/condor_io/condor_crypt_3des.cpp
> index 2537e2f..5c8b4e7 100644
> --- a/src/condor_io/condor_crypt_3des.cpp
> +++ b/src/condor_io/condor_crypt_3des.cpp
> @@ -35,9 +35,9 @@ Condor_Crypt_3des :: Condor_Crypt_3des(const KeyInfo& key)
>       unsigned char * keyData = k.getPaddedKeyData(24);
>       ASSERT(keyData);
>  
> -    des_set_key((des_cblock *)  keyData    , keySchedule1_);
> -    des_set_key((des_cblock *) (keyData+8) , keySchedule2_);
> -    des_set_key((des_cblock *) (keyData+16), keySchedule3_);
> +    DES_set_key((DES_cblock *)  keyData    , &keySchedule1_);
> +    DES_set_key((DES_cblock *) (keyData+8) , &keySchedule2_);
> +    DES_set_key((DES_cblock *) (keyData+16), &keySchedule3_);
>  
>      // initialize ivsec
>      resetState();
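Review bot: The three new `DES_set_key` calls discard their return value, as the lowercase calls they replace did, so a padded key that fails the DES parity or weak-key test is installed silently. `DES_set_key` is the compatibility name whose checking is documented as depending on the global `DES_check_key` flag, so its behaviour here is environment-dependent; `DES_set_key_checked` instead returns 0 on success, -1 on a parity error and -2 on a weak key, and checking that result (failing the constructor path or at least logging through the existing debug facility) would make a bad key visible. Whether `getPaddedKeyData(24)` produces odd-parity bytes is not visible in this hunk and would need confirming first, since otherwise the checked variant would reject every key. The constructor body continues past the hunk.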
> @@ -71,9 +71,9 @@ bool Condor_Crypt_3des :: encrypt(unsigned char *  input,
>      output = (unsigned char *) malloc(input_len);
>  
>      if (output) {
> -        des_ede3_cfb64_encrypt(input, output, output_len,
> -                               keySchedule1_, keySchedule2_, keySchedule3_,
> -                               (des_cblock *)ivec_, &num_, DES_ENCRYPT);
> +        DES_ede3_cfb64_encrypt(input, output, output_len,
> +                               &keySchedule1_, &keySchedule2_, 
> &keySchedule3_,
> +                               (DES_cblock *)ivec_, &num_, DES_ENCRYPT);
>          return true;   
>      }
>      else {
> @@ -95,9 +95,9 @@ bool Condor_Crypt_3des :: decrypt(unsigned char *  input,
>      if (output) {
>          output_len = input_len;
>  
> -        des_ede3_cfb64_encrypt(input, output, output_len,
> -                               keySchedule1_, keySchedule2_, keySchedule3_,
> -                               (des_cblock *)ivec_, &num_, DES_DECRYPT);
> +        DES_ede3_cfb64_encrypt(input, output, output_len,
> +                               &keySchedule1_, &keySchedule2_, 
> &keySchedule3_,
> +                               (DES_cblock *)ivec_, &num_, DES_DECRYPT);
>          
>          return true;           // Should be changed
>      }
> diff --git a/src/condor_utils/condor_dh.cpp b/src/condor_utils/condor_dh.cpp
> deleted file mode 100644
> index 8450244..0000000
> --- a/src/condor_utils/condor_dh.cpp
> +++ /dev/null
> @@ -1,204 +0,0 @@
> -/***************************************************************
> - *
> - * Copyright (C) 1990-2011, Condor Team, Computer Sciences Department,
> - * University of Wisconsin-Madison, WI.
> - * 
> - * Licensed under the Apache License, Version 2.0 (the "License"); you
> - * may not use this file except in compliance with the License.  You may
> - * obtain a copy of the License at
> - * 
> - *    http://www.apache.org/licenses/LICENSE-2.0
> - * 
> - * Unless required by applicable law or agreed to in writing, software
> - * distributed under the License is distributed on an "AS IS" BASIS,
> - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> - * See the License for the specific language governing permissions and
> - * limitations under the License.
> - *
> - ***************************************************************/
> -
> -
> -#include "condor_common.h"
> -#include "condor_dh.h"
> -#include "condor_debug.h"
> -#include "condor_config.h"
> -
> -#if HAVE_EXT_OPENSSL
> -
> -//#include <openssl/pem.h>
> -//#include <openssl/bn.h>
> -
> -const char DH_CONFIG_FILE[] = "CONDOR_DH_CONFIG";
> -
> -Condor_Diffie_Hellman :: Condor_Diffie_Hellman()
> -    : dh_     (0),
> -      secret_ (0),
> -      keySize_(0)
> -{
> -    initialize();
> -}
> -
> -Condor_Diffie_Hellman :: ~Condor_Diffie_Hellman()
> -{
> -    if (dh_) {
> -        DH_free(dh_);
> -    }
> -    if (secret_) {
> -        free(secret_);
> -    }
> -    keySize_ = 0;
> -
> -}
> -
> -int Condor_Diffie_Hellman :: compute_shared_secret(const char * pk)
> -{
> -    // the input pk is assumed to be an encoded string representing
> -    // the binary data for the remote party's public key -- y (or x)
> -    // the local DH knows about g and x, now, it will compute
> -    // (g^x)^y, or (g^y)^x
> -
> -    BIGNUM * remote_pubKey = NULL;
> -
> -    if (BN_hex2bn(&remote_pubKey, pk) == 0) {
> -        dprintf(D_ALWAYS, "Unable to obtain remote public key\n");
> -        goto error;
> -    }
> -
> -    if ((dh_ != NULL) && (remote_pubKey != NULL)) {
> -
> -        secret_ = (unsigned char *) malloc(DH_size(dh_));
> -
> -        // Now compute
> -        keySize_ = DH_compute_key(secret_, remote_pubKey, dh_);
> -        BN_clear_free(remote_pubKey);
> -
> -        if (keySize_ == -1) {
> -            dprintf(D_ALWAYS, "Unable to compute shared secret\n");
> -            goto error;
> -        }
> -    }   
> -    else {
> -        goto error;
> -    }
> -    return 1;
> -
> - error:
> -    if (remote_pubKey) {
> -        BN_clear_free(remote_pubKey);
> -    }
> -    if (secret_) {
> -        free(secret_);
> -        secret_ = NULL;
> -    }
> -    return 0;
> -}
> -    
> -char * Condor_Diffie_Hellman :: getPublicKeyChar()
> -{
> -    // This will return g^x, x is the secret, encoded in HEX format
> -    if (dh_ && dh_->pub_key) {
> -        return BN_bn2hex(dh_->pub_key);
> -    }
> -    else {
> -        return NULL;
> -    }
> -}
> -
> -BIGNUM * Condor_Diffie_Hellman::getPrime()
> -{
> -    if (dh_) {
> -        return dh_->p;
> -    }
> -    else {
> -        return 0;
> -    }
> -}
> -
> -char * Condor_Diffie_Hellman :: getPrimeChar()
> -{
> -    if (dh_ && dh_->p) {
> -        return BN_bn2hex(dh_->p);
> -    }
> -    else {
> -        return NULL;
> -    }
> -}
> -
> -BIGNUM * Condor_Diffie_Hellman :: getGenerator()
> -{
> -    if (dh_) {
> -        return dh_->g;
> -    }
> -    else {
> -        return 0;
> -    }
> -}
> -
> -char * Condor_Diffie_Hellman :: getGeneratorChar()
> -{
> -    if (dh_ && dh_->g) {
> -        return BN_bn2hex(dh_->g);
> -    }
> -    else {
> -        return NULL;
> -    }
> -}
> -
> -const unsigned char * Condor_Diffie_Hellman :: getSecret() const
> -{
> -    return secret_;
> -}
> -
> -int Condor_Diffie_Hellman :: getSecretSize() const
> -{
> -    return keySize_;
> -}
> -
> -int Condor_Diffie_Hellman :: initialize()
> -{
> -    // First, check the config file to find out where is the file
> -    // with all the parameters
> -    config();
> -    char * dh_config = param(DH_CONFIG_FILE);
> -
> -    FILE * fp = 0;
> -    if ( dh_config ) {
> -        if ( (fp = safe_fopen_wrapper_follow(dh_config, "r")) == NULL) {
> -            dprintf(D_ALWAYS, "Unable to open condor_dh_config file %s\n", 
> dh_config);
> -            goto error;
> -        }
> -
> -        dh_ = PEM_read_DHparams(fp, NULL, NULL, NULL);
> -        if (dh_ == NULL) {
> -            dprintf(D_ALWAYS, "Unable to read DH structure from the 
> configuration file.\n");
> -            goto error;
> -        }
> -
> -        // Now generate private key
> -        if (DH_generate_key(dh_) == 0) {
> -            dprintf(D_ALWAYS, "Unable to generate a private key \n");
> -            goto error;
> -        }
> -    }
> -    else {
> -        dprintf(D_ALWAYS, "The required configuration parameter 
> CONDOR_DH_CONFIG is not specified in the condor configuration file!\n");
> -        goto error;
> -    }
> -    fclose(fp);
> -    free(dh_config);
> -    return 1;
> - error:
> -    if (dh_) {
> -        DH_free(dh_);
> -        dh_ = 0;
> -    }
> -    if (dh_config) {
> -        free(dh_config);
> -    }
> -    if (fp) {
> -        fclose(fp);
> -    }
> -    return 0;
> -}
> -
> -#endif
> diff --git a/src/condor_utils/condor_dh.h b/src/condor_utils/condor_dh.h
> deleted file mode 100644
> index 63ba8ed..0000000
> --- a/src/condor_utils/condor_dh.h
> +++ /dev/null
> @@ -1,73 +0,0 @@
> -/***************************************************************
> - *
> - * Copyright (C) 1990-2007, Condor Team, Computer Sciences Department,
> - * University of Wisconsin-Madison, WI.
> - * 
> - * Licensed under the Apache License, Version 2.0 (the "License"); you
> - * may not use this file except in compliance with the License.  You may
> - * obtain a copy of the License at
> - * 
> - *    http://www.apache.org/licenses/LICENSE-2.0
> - * 
> - * Unless required by applicable law or agreed to in writing, software
> - * distributed under the License is distributed on an "AS IS" BASIS,
> - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
> - * See the License for the specific language governing permissions and
> - * limitations under the License.
> - *
> - ***************************************************************/
> -
> -#ifndef CONDOR_DH
> -#define CONDOR_DH
> -
> -#include "condor_common.h"
> -
> -#if HAVE_EXT_OPENSSL
> -
> -#include <openssl/ssl.h>
> -//#include <openssl/rand.h>
> -
> -//----------------------------------------------------------------------
> -//  Diffie-Hellman key exchange, based on API provided by OpenSSL
> -//  privately known variables: x and y -- the secret, one for each
> -//                             party
> -//  publicly known variables:  g -- the generator, p -- the prime, 
> -//                             g^x -- the public key
> -//----------------------------------------------------------------------
> -
> -class Condor_Diffie_Hellman {
> -
> - public:
> -    Condor_Diffie_Hellman();
> -    ~Condor_Diffie_Hellman();
> -    
> -    char * getPublicKeyChar();
> -    //------------------------------------------
> -    // PURPOSE: Return public key in HEX encoded format
> -    // REQUIRE: None
> -    // RETURNS: HEX string or NULL
> -    //------------------------------------------
> -
> -    BIGNUM * getPrime();
> -    BIGNUM * getGenerator();
> -    // These two methods return the prime and the generator
> -    
> -    char * getPrimeChar();
> -    char * getGeneratorChar();
> -    // These two methods return the prime and the generator
> -    // in HEX encoded format if they exist. Otherwise, NULL is returned.
> -
> -    int  compute_shared_secret(const char * pk);
> -    const unsigned char * getSecret() const;
> -    int getSecretSize() const;
> -
> - private:
> -    int initialize();
> -
> -    DH * dh_;
> -    unsigned char * secret_;
> -    int keySize_;
> -};
> -#endif
> -
> -#endif

> --- rules.orig        2016-08-19 03:14:12.000000000 -0500
> +++ rules     2016-11-26 16:30:32.150213560 -0600
> @@ -35,6 +35,8 @@
>               -DHAVE_EXT_LIBXML2:BOOL=ON \
>               -DHAVE_EXT_OPENSSL:BOOL=ON \
>               -DHAVE_EXT_PCRE:BOOL=ON \
> +             -DHAVE_EXT_VOMS:BOOL=OFF \
> +             -DWITH_VOMS:BOOL=OFF \
>               -DWITH_LIBCGROUP:BOOL=ON \
>               -DWANT_CONTRIB:BOOL=OFF \
>               -DWITH_BOSCO:BOOL=OFF \
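Review bot: The two new `-DHAVE_EXT_VOMS:BOOL=OFF` / `-DWITH_VOMS:BOOL=OFF` flags carry no explanation in the rules file, so the stated intention (a temporary measure to be reverted once VOMS builds against OpenSSL 1.1) lives only in the cover mail and the bug thread. A one-line comment such as `# VOMS disabled until it builds against OpenSSL 1.1, see #828595; revert once fixed` keeps the revert condition next to the change, placed above the recipe rather than between the continued flag lines, where a `#` inside the backslash-joined command would be handed to the shell. Turning VOMS off also removes VOMS attribute handling from the packaged build, a trade-off the mail acknowledges but which users of the package may not expect without a note in the changelog.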


-- 
Michael Hanke
GPG: 4096R/C073D2287FFB9E9B
http://psychoinformatics.de
