OpenSSL version 3.0.0-alpha1 published

OpenSSL version 3.0.0-alpha1 published

openssl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


   OpenSSL version 3.0 alpha 1 released
   ====================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 3.0 is currently in alpha.

   OpenSSL 3.0 alpha 1 has now been made available.

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   Specific notes on upgrading to OpenSSL 3.0 from previous versions, as well
   as known issues are available on the OpenSSL Wiki, here:

        https://wiki.openssl.org/index.php/OpenSSL_3.0

   The alpha release is available for download via HTTPS and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

     * https://www.openssl.org/source/
     * ftp://ftp.openssl.org/source/

   The distribution file name is:

    o openssl-3.0.0-alpha1.tar.gz
      Size: 9530120
      SHA1 checksum:  4db145d3d9c9d7bfaa7b2a1fe1670f7a3781bb06
      SHA256 checksum:  9d5be9122194ad1d649254de5e72afd329252f134791389d0cef627b18ed9a57

   The checksums were calculated using the following commands:

    openssl sha1 openssl-3.0.0-alpha1.tar.gz
    openssl sha256 openssl-3.0.0-alpha1.tar.gz

   Please download and check this $LABEL release as soon as possible.
   To report a bug, open an issue on GitHub:

    https://github.com/openssl/openssl/issues

   Please check the release notes and mailing lists to avoid duplicate
   reports of known issues. (Of course, the source is also available
   on GitHub.)

   Yours,

   The OpenSSL Project Team.


Re: OpenSSL version 3.0.0-alpha1 published

Sam Roberts
Resending to -users.

On Thu, Apr 23, 2020 at 9:58 AM Sam Roberts <[hidden email]> wrote:

>
> Seems to be something wrong with the way config is generating the
> version strings:
> gcc  -Icrypto -I. -Iinclude -Iproviders/common/include
> -Iproviders/implementations/include -Icrypto/include  -DAES_ASM
> -DBSAES_ASM -DCMLL_ASM -DECP_NISTZ256_ASM -DGHASH_ASM -DKECCAK1600_ASM
> -DMD5_ASM -DOPENSSL_BN_ASM_GF2m -DOPENSSL_BN_ASM_MONT
> -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2
> -DPOLY1305_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM
> -DWHIRLPOOL_ASM -DX25519_ASM -fPIC -pthread -m64 -Wa,--noexecstack
> -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_BUILDING_OPENSSL
> -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\""
> -DENGINESDIR="\"/usr/local/lib/engines-3\""
> -DMODULESDIR="\"/usr/local/lib/ossl-modules\"" -DNDEBUG  -MMD -MF
> crypto/libcrypto-lib-cversion.d.tmp -MT
> crypto/libcrypto-lib-cversion.o -c -o crypto/libcrypto-lib-cversion.o
> crypto/cversion.c
> In file included from include/openssl/macros.h:11,
>                  from include/openssl/opensslconf.h:14,
>                  from include/openssl/macros.h:10,
>                  from include/openssl/crypto.h:15,
>                  from include/internal/cryptlib.h:23,
>                  from crypto/cversion.c:10:
> crypto/cversion.c: In function 'OpenSSL_version':
> include/openssl/opensslv.h:91:54: error: expected ';' before numeric constant
>    91 | # define OPENSSL_VERSION_TEXT "OpenSSL 3.0.0-alpha1 "23 Apr 2020""
>       |                                                      ^~
> crypto/cversion.c:50:16: note: in expansion of macro 'OPENSSL_VERSION_TEXT'
>    50 |         return OPENSSL_VERSION_TEXT;
>       |                ^~~~~~~~~~~~~~~~~~~~
> make[1]: *** [Makefile:15616: crypto/libcrypto-lib-cversion.o] Error 1
> make[1]: Leaving directory '/home/sam/s/openssl-3.0.0-alpha1'
> make: *** [Makefile:3009: build_sw] Error 2
>
>
> I'm on Linux, just did a `./config; make`.
>
> It's fairly obvious what the string should have been, I edited and am
> continuing with the build.

Re: OpenSSL version 3.0.0-alpha1 published

Matt Caswell-2


On 23/04/2020 18:01, Sam Roberts wrote:

> Resending to -users.
>
> On Thu, Apr 23, 2020 at 9:58 AM Sam Roberts <[hidden email]> wrote:
>>
>> Seems to be something wrong with the way config is generating the
>> version strings:
>> gcc  -Icrypto -I. -Iinclude -Iproviders/common/include
>> -Iproviders/implementations/include -Icrypto/include  -DAES_ASM
>> -DBSAES_ASM -DCMLL_ASM -DECP_NISTZ256_ASM -DGHASH_ASM -DKECCAK1600_ASM
>> -DMD5_ASM -DOPENSSL_BN_ASM_GF2m -DOPENSSL_BN_ASM_MONT
>> -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2
>> -DPOLY1305_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM
>> -DWHIRLPOOL_ASM -DX25519_ASM -fPIC -pthread -m64 -Wa,--noexecstack
>> -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_BUILDING_OPENSSL
>> -DOPENSSL_PIC -DOPENSSLDIR="\"/usr/local/ssl\""
>> -DENGINESDIR="\"/usr/local/lib/engines-3\""
>> -DMODULESDIR="\"/usr/local/lib/ossl-modules\"" -DNDEBUG  -MMD -MF
>> crypto/libcrypto-lib-cversion.d.tmp -MT
>> crypto/libcrypto-lib-cversion.o -c -o crypto/libcrypto-lib-cversion.o
>> crypto/cversion.c
>> In file included from include/openssl/macros.h:11,
>>                  from include/openssl/opensslconf.h:14,
>>                  from include/openssl/macros.h:10,
>>                  from include/openssl/crypto.h:15,
>>                  from include/internal/cryptlib.h:23,
>>                  from crypto/cversion.c:10:
>> crypto/cversion.c: In function 'OpenSSL_version':
>> include/openssl/opensslv.h:91:54: error: expected ';' before numeric constant
>>    91 | # define OPENSSL_VERSION_TEXT "OpenSSL 3.0.0-alpha1 "23 Apr 2020""
>>       |                                                      ^~
>> crypto/cversion.c:50:16: note: in expansion of macro 'OPENSSL_VERSION_TEXT'
>>    50 |         return OPENSSL_VERSION_TEXT;
>>       |                ^~~~~~~~~~~~~~~~~~~~
>> make[1]: *** [Makefile:15616: crypto/libcrypto-lib-cversion.o] Error 1
>> make[1]: Leaving directory '/home/sam/s/openssl-3.0.0-alpha1'
>> make: *** [Makefile:3009: build_sw] Error 2
>>
>>
>> I'm on Linux, just did a `./config; make`.
>>
>> It's fairly obvious what the string should have been, I edited and am
>> continuing with the build.


Yes - very annoying. The release scripts added the date in a commit and
broke the build - then they added another commit to remove it again
ready for the next release - and everything works again. So from git's
point of view it worked before and it worked after...just not in the
actual release!!!

The workaround is straightforward (remove the quotes from the
RELEASE_DATE line in the VERSION file). I've added some notes to the 3.0
release notes on the wiki about it.

Matt
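
A release-time check for the failure described above, as an added example that is not part of the original message or of OpenSSL's release scripts: it composes the version text from a VERSION file, rejects a value that would break the generated C string literal, and applies the workaround. The KEY=VALUE layout beyond the RELEASE_DATE line, the sample file and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not OpenSSL's own tooling. Assumes a VERSION file made of
# KEY=VALUE lines; only the RELEASE_DATE line is named in the thread, the
# other keys and all function names here are hypothetical.

# Print the raw value of KEY from FILE (quotes are kept as written).
version_field() {        # usage: version_field FILE KEY
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Compose the text that would land between the double quotes of
#   # define OPENSSL_VERSION_TEXT "..."
version_text() {         # usage: version_text FILE
    vt="OpenSSL $(version_field "$1" MAJOR).$(version_field "$1" MINOR).$(version_field "$1" PATCH)"
    tag=$(version_field "$1" PRE_RELEASE_TAG)
    if [ -n "$tag" ]; then vt="$vt-$tag"; fi
    printf '%s %s\n' "$vt" "$(version_field "$1" RELEASE_DATE)"
}

# Succeed only if the composed text can sit inside a C string literal:
# a double quote or a backslash would end or alter the literal.
check_version_file() {   # usage: check_version_file FILE
    case $(version_text "$1") in
        *'"'*|*'\'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Workaround from the thread: drop the quotes on the RELEASE_DATE line only.
fix_release_date() {     # usage: fix_release_date FILE  (fixed file on stdout)
    sed 's/^RELEASE_DATE="\(.*\)"$/RELEASE_DATE=\1/' "$1"
}

# Constructed sample VERSION file reproducing the alpha1 symptom.
sample_version_file() {
    cat <<'EOF'
MAJOR=3
MINOR=0
PATCH=0
PRE_RELEASE_TAG=alpha1
RELEASE_DATE="23 Apr 2020"
EOF
}

# Demo: lint the sample, then show the text before and after the workaround.
demo_dir=$(mktemp -d)
sample_version_file > "$demo_dir/VERSION"
if ! check_version_file "$demo_dir/VERSION"; then
    echo "unsafe: $(version_text "$demo_dir/VERSION")"
    fix_release_date "$demo_dir/VERSION" > "$demo_dir/VERSION.fixed"
    echo "fixed:  $(version_text "$demo_dir/VERSION.fixed")"
fi
rm -rf "$demo_dir"
```

Run against the tree that is actually packaged, since the neighbouring commits can pass while the tagged one fails.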





Re: OpenSSL version 3.0.0-alpha1 published

Sam Roberts
Fwiw, took a quick run at building and testing Node.js against the 3.x beta.

It was API compatible enough to build. The DH_, ECDH_, HMAC_, etc.
deprecations make sense, will look at those.

My assumption is that EVP versions of these exist in openssl 1.1.1,
and that if we switch our openssl 1.1.1 code to using the EVP APIs,
that that code will then work unchanged when we update to openssl 3.x?

ERR_func_error_string, what is its replacement? I didn't see it
mentioned in the wiki, but it's marked deprecated.

Tests didn't go so well. Minor changes in error strings are to be
expected, but more than that changed.

I haven't looked at these yet other than scan the output, we might be
relying on internals, but just for anyone curious, here's the test
output:

https://gist.github.com/sam-github/5a3b3775029efb3d31109d7e6e390f85

Re: OpenSSL version 3.0.0-alpha1 published

Tomas Mraz-2
On Thu, 2020-04-23 at 16:05 -0700, Sam Roberts wrote:

> Fwiw, took a quick run at building and testing Node.js against the
> 3.x beta.
>
> It was API compatible enough to build. The DH_, ECDH_, HMAC_, etc.
> deprecations make sense, will look at those.
>
> My assumption is that EVP versions of these exist in openssl 1.1.1,
> and that if we switch our openssl 1.1.1 code to using the EVP APIs,
> that that code will then work unchanged when we update to openssl 3.x?
>
> ERR_func_error_string, what is its replacement? I didn't see it
> mentioned in the wiki, but it's marked deprecated.

There is no replacement. The function code part of the error code is
always set to zero. I've now mentioned it in the Wiki page.

https://wiki.openssl.org/index.php/OpenSSL_3.0#Other_notable_deprecations_and_changes

--
Tomáš Mráz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]



Re: OpenSSL version 3.0.0-alpha1 published

Matt Caswell-2
In reply to this post by Sam Roberts


On 24/04/2020 00:05, Sam Roberts wrote:
> Fwiw, took a quick run at building and testing Node.js against the 3.x beta.
>
> It was API compatible enough to build.

Good to hear!

> The DH_, ECDH_, HMAC_, etc.
> deprecations make sense, will look at those.
>
> My assumption is that EVP versions of these exist in openssl 1.1.1,
> and that if we switch our openssl 1.1.1 code to using the EVP APIs,
> that that code will then work unchanged when we update to openssl 3.x?

Yes.

For DH_ and ECDH_ use EVP_PKEY_derive*:

https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_derive.html


HMAC_ is a bit more complicated. The preferred way of doing this is to
use the EVP_MAC_* API.

https://www.openssl.org/docs/manmaster/man3/EVP_MAC.html

However this API is newly added in 3.0. You can calculate an HMAC via
EVP in 1.1.1 (and this way still works in 3.0), but frankly the old way
of doing things is a bit of a hack. It does work though. There is an
example on the wiki:

https://wiki.openssl.org/index.php/EVP_Signing_and_Verifying


>
> ERR_func_error_string, what is its replacement? I didn't see it
> mentioned in the wiki, but it's marked deprecated.
>
> Tests didn't go so well. Minor changes in error strings are to be
> expected, but more than that changed.
>
> I haven't looked at these yet other than scan the output, we might be
> relying on internals, but just for anyone curious, here's the test
> output:

Relying on internals would explain it. Or it's also entirely possible
that we accidentally broke something. I look forward to seeing the
results of your investigations.

>
> https://gist.github.com/sam-github/5a3b3775029efb3d31109d7e6e390f85
>

Scanning the output I notice a couple of things.

There's a number of these:

ERR_OSSL_DH_MODULUS_TOO_SMALL

There is this in the CHANGES.md file which might explain it:

 * Enforce a minimum DH modulus size of 512 bits.


This one is interesting:

ERR_OSSL_EVP_FETCH_FAILED


This means that the algorithm you are trying to use isn't available in
the loaded providers. Since you should be getting the default provider
loaded automatically it could be because some legacy algorithms were
moved to the legacy provider (MD2, MD4, MDC2, RMD160, CAST5, BF
(Blowfish), IDEA, SEED, RC2, RC4, RC5 and DES (but not 3DES)). If you're
using something from that list then that would explain it.

Matt


Re: OpenSSL version 3.0.0-alpha1 published

Yann Ylavic
In reply to this post by openssl
Hi team,

I gave 3.0.0-alpha1 a try with Apache httpd.
tl;dr it works with minimal changes, congrats!

The changes needed on httpd side:

- SSL_CTX_load_verify_locations() and X509_STORE_load_locations()
Replaced by {SSL_CTX,X509_STORE}_load_verify_file() +
{SSL_CTX,X509_STORE}_load_verify_{dir,path}().
I.e. open coding.

- DH_bits(dh) (used for logging only in httpd)
Replaced by BN_num_bits(DH_get0_p(dh)).
Not sure this one should be deprecated, it seems to be used in several
places in openssl codebase still, no replacement?

- SSL_CTX_set_tlsext_ticket_key_cb()
Replaced by SSL_CTX_set_tlsext_ticket_key_evp_cb() because of HMAC_Init_ex().
With a bit of #ifdef-ery (for compatibility), the openssl-3 version
uses EVP_MAC_CTX_set_params() for HMAC, per man page.

- ERR_peek_error_line_data() => ERR_peek_error_data()
Easy one.

- Custom input BIO_METHOD (using httpd filters' stack) asserted its
_ctrl() was never called, so far..
The new BIO_eof() calls in codebase, notably from ssl3_read_n(),
breaks this assertion.
Handling the case for BIO_CTRL_EOF made it, dunno if others may be
bitten by that.

And that's all, no intensive testing done yet, but at least the
(automatic) tests framework passes locally, nice work!

Thanks,
Yann.

Re: OpenSSL version 3.0.0-alpha1 published

Yann Ylavic
On Fri, Apr 24, 2020 at 1:26 PM Yann Ylavic <[hidden email]> wrote:
>
> - Custom input BIO_METHOD (using httpd filters' stack) asserted its
> _ctrl() was never called, so far..
> The new BIO_eof() calls in codebase, notably from ssl3_read_n(),
> breaks this assertion.
> Handling the case for BIO_CTRL_EOF made it, dunno if others may be
> bitten by that.

BTW, what is a BIO supposed to do on BIO_CTRL_EOF request when there
is no pending data, some kind of speculative read to check whether the
connection is still up or returning zero lazily is fine?

Regards,
Yann.

Re: OpenSSL version 3.0.0-alpha1 published

Matt Caswell-2
In reply to this post by Yann Ylavic


On 24/04/2020 12:26, Yann Ylavic wrote:
> Hi team,
>
> I gave 3.0.0-alpha1 a try with Apache httpd.
> tl;dr it works with minimal changes, congrats!

That's great to hear. Thanks for the feedback Yann!

Matt


Re: OpenSSL version 3.0.0-alpha1 published

Matt Caswell-2
In reply to this post by Yann Ylavic


On 24/04/2020 13:15, Yann Ylavic wrote:

> On Fri, Apr 24, 2020 at 1:26 PM Yann Ylavic <[hidden email]> wrote:
>>
>> - Custom input BIO_METHOD (using httpd filters' stack) asserted its
>> _ctrl() was never called, so far..
>> The new BIO_eof() calls in codebase, notably from ssl3_read_n(),
>> breaks this assertion.
>> Handling the case for BIO_CTRL_EOF made it, dunno if others may be
>> bitten by that.
>
> BTW, what is a BIO supposed to do on BIO_CTRL_EOF request when there
> is no pending data, some kind of speculative read to check whether the
> connection is still up or returning zero lazily is fine?

I'd say returning 0 lazily is fine.

Matt


Re: OpenSSL version 3.0.0-alpha1 published

Steffen Nurpmeso-2
In reply to this post by openssl
Hello!

OpenSSL wrote in
<[hidden email]>:
 |   OpenSSL version 3.0 alpha 1 released

That surely is "a great step" for you who work with that code!
Congratulations.

I get compile errors, maybe some config flags are not honoured
correctly yet?  So i am using a local git clone checkout at
[852c2ed260], configured via

  #?0|kent:openssl$ ./config \
    --prefix=/home/steffen/usr-kent-linux-x86_64/opt/.ossl-3.0 \
    zlib-dynamic no-hw shared no-deprecated no-async no-tests \
    -Wl,-rpath,'$(LIBRPATH)'
  Operating system: x86_64-whatever-linux2
  ***** Deprecated options: no-hw
  Configuring OpenSSL version 3.0.0-alpha2-dev for target linux-x86_64
  Using os-specific seed configuration
  Creating configdata.pm
  Running configdata.pm
  Creating Makefile

  **********************************************************************
  ***                                                                ***
  ***   OpenSSL has been successfully configured                     ***
  ***                                                                ***
  ***   If you encounter a problem while building, please open an    ***
  ***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***

I cannot open a github issue, i have no github account, and if
i were from Cuba, Iran or several different other states that my
parents had chosen etc etc etc.  Etc.  (I had an account ten years
or so ago, and wanted to pay for the service with cash, which they
did not want.  Only credit cards.  So i left.)

  ***   and include the output from the following command:           ***
  ***                                                                ***
  ***       perl configdata.pm --dump                                ***
  ***                                                                ***
  ***   (If you are new to OpenSSL, you might want to consult the    ***
  ***   'Troubleshooting' section in the INSTALL file first)         ***

This is INSTALL.md now.

  ***                                                                ***
  **********************************************************************

The "first" failure happens here, i wonder whether that shouldn't
be covered by "no-tests"?

  Can't locate Test/Builder/TodoDiag.pm in @INC (you may need to install the Test::Builder::TodoDiag module) (@INC contains: /tmp/openssl/util/perl . providers/common/der /home/steffen/src/symobj.git/lib /usr/lib/perl5/site_perl/5.28/linux-thread-multi /usr/lib/perl5/site_perl/5.28 /usr/lib/perl5/5.28/linux-thread-multi /usr/lib/perl5/5.28 /tmp/openssl/external/perl/Text-Template-1.56/lib) at /usr/lib/perl5/5.28/Test/Builder.pm line 38.
  BEGIN failed--compilation aborted at /usr/lib/perl5/5.28/Test/Builder.pm line 38.
  Compilation failed in require at /usr/lib/perl5/5.28/Test/Builder/Module.pm line 5.
  BEGIN failed--compilation aborted at /usr/lib/perl5/5.28/Test/Builder/Module.pm line 5.
  Compilation failed in require at /usr/lib/perl5/5.28/Test/More.pm line 22.
  BEGIN failed--compilation aborted at /usr/lib/perl5/5.28/Test/More.pm line 22.
  Compilation failed in require at /tmp/openssl/util/perl/OpenSSL/OID.pm line 309.
  BEGIN failed--compilation aborted at /tmp/openssl/util/perl/OpenSSL/OID.pm line 309.
  Compilation failed in require at providers/common/der/oids_to_c.pm line 16.
  BEGIN failed--compilation aborted at providers/common/der/oids_to_c.pm line 16.
  Compilation failed in require.
  BEGIN failed--compilation aborted.
  Can't locate Test/Builder/TodoDiag.pm in @INC (you may need to install the Test::Builder::TodoDiag module) (@INC contains: /tmp/openssl/util/perl . providers/common/der /home/steffen/src/symobj.git/lib /usr/lib/perl5/site_perl/5.28/linux-thread-multi /usr/lib/perl5/site_perl/5.28 /usr/lib/perl5/5.28/linux-thread-multi /usr/lib/perl5/5.28 /tmp/openssl/external/perl/Text-Template-1.56/lib) at /usr/lib/perl5/5.28/Test/Builder.pm line 38.
  BEGIN failed--compilation aborted at /usr/lib/perl5/5.28/Test/Builder.pm line 38.
  Compilation failed in require at /usr/lib/perl5/5.28/Test/Builder/Module.pm line 5.
  BEGIN failed--compilation aborted at /usr/lib/perl5/5.28/Test/Builder/Module.pm line 5.
  Compilation failed in require at /usr/lib/perl5/5.28/Test/More.pm line 22.
  BEGIN failed--compilation aborted at /usr/lib/perl5/5.28/Test/More.pm line 22.
  Compilation failed in require at /tmp/openssl/util/perl/OpenSSL/OID.pm line 309.
  BEGIN failed--compilation aborted at /tmp/openssl/util/perl/OpenSSL/OID.pm line 309.
  Compilation failed in require at providers/common/der/oids_to_c.pm line 16.
  BEGIN failed--compilation aborted at providers/common/der/oids_to_c.pm line 16.
  Compilation failed in require.
  BEGIN failed--compilation aborted.
  make[1]: *** [Makefile:20051: providers/common/include/prov/der_ec.h] Error 2
  make[1]: *** Waiting for unfinished jobs....
  make[1]: *** [Makefile:20039: providers/common/include/prov/der_dsa.h] Error 2
  make[1]: Leaving directory '/tmp/openssl'
  make: *** [Makefile:2801: build_sw] Error 2

So if i blindly hit "make" again i then get

  gcc  -Iproviders/common/include/prov -I. -Icrypto -Iinclude -Iproviders/implementations/include -Iproviders/common/include  -DAES_ASM -DBSAES_ASM -DECP_NISTZ256_ASM -DGHASH_ASM -DKECCAK1600_ASM -DMD5_ASM -DOPENSSL_BN_ASM_GF2m -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DVPAES_ASM -DWHIRLPOOL_ASM -DX25519_ASM -fPIC -pthread -m64 -Wa,--noexecstack -O1 -g -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSLDIR="\"/home/steffen/usr-kent-linux-x86_64/opt/.ossl-3.0/ssl\"" -DENGINESDIR="\"/home/steffen/usr-kent-linux-x86_64/opt/.ossl-3.0/lib/engines-3\"" -DMODULESDIR="\"/home/steffen/usr-kent-linux-x86_64/opt/.ossl-3.0/lib/ossl-modules\"" -DOPENSSL_BUILDING_OPENSSL -DZLIB -DZLIB_SHARED -DNDEBUG  -MMD -MF providers/implementations/signature/libimplementations-lib-dsa.d.tmp -MT providers/implementations/signature/libimplementations-lib-dsa.o -c -o providers/implementations/signature/libimplementations-lib-dsa.o providers/implementations/signature/dsa.c
  providers/implementations/signature/dsa.c: In function 'dsa_setup_md':
  providers/implementations/signature/dsa.c:152:9: error: unknown type name 'WPACKET'
           WPACKET pkt;
           ^~~~~~~
  providers/implementations/signature/dsa.c:170:13: warning: implicit declaration of function 'WPACKET_init_der' [-Wimplicit-function-declaration]
           if (WPACKET_init_der(&pkt, ctx->aid_buf, sizeof(ctx->aid_buf))
               ^~~~~~~~~~~~~~~~
  providers/implementations/signature/dsa.c:171:16: warning: implicit declaration of function 'DER_w_algorithmIdentifier_DSA_with'; did you mean 'dsa_algorithmidentifier_encoding'? [-Wimplicit-function-declaration]
               && DER_w_algorithmIdentifier_DSA_with(&pkt, -1, ctx->dsa, md_nid)
                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                  dsa_algorithmidentifier_encoding
  providers/implementations/signature/dsa.c:172:16: warning: implicit declaration of function 'WPACKET_finish' [-Wimplicit-function-declaration]
               && WPACKET_finish(&pkt)) {
                  ^~~~~~~~~~~~~~
  providers/implementations/signature/dsa.c:173:13: warning: implicit declaration of function 'WPACKET_get_total_written' [-Wimplicit-function-declaration]
               WPACKET_get_total_written(&pkt, &ctx->aid_len);
               ^~~~~~~~~~~~~~~~~~~~~~~~~
  providers/implementations/signature/dsa.c:174:24: warning: implicit declaration of function 'WPACKET_get_curr' [-Wimplicit-function-declaration]
               ctx->aid = WPACKET_get_curr(&pkt);
                          ^~~~~~~~~~~~~~~~
  providers/implementations/signature/dsa.c:174:22: warning: assignment to 'unsigned char *' from 'int' makes pointer from integer without a cast [-Wint-conversion]
               ctx->aid = WPACKET_get_curr(&pkt);
                        ^
  providers/implementations/signature/dsa.c:176:9: warning: implicit declaration of function 'WPACKET_cleanup'; did you mean 'EVP_PBE_cleanup'? [-Wimplicit-function-declaration]
           WPACKET_cleanup(&pkt);
           ^~~~~~~~~~~~~~~
           EVP_PBE_cleanup
  make[1]: *** [Makefile:20928: providers/implementations/signature/libimplementations-lib-dsa.o] Error 1
  make[1]: Leaving directory '/tmp/openssl'
  make: *** [Makefile:2801: build_sw] Error 2

I have to go now, maybe this all goes away if i get myself the
Test::Builder::TodoDiag perl module?

Ciao and Good luck! from Germany,

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

Re: OpenSSL version 3.0.0-alpha1 published

The Doctor
All right, I am testing 3.0 alpha 2 using sshd and squid on FreeBSD 12.1
I will also test on httpd, php 74 et al.

so far openssh 8.2p1 and openssl 2.0 is working.

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b  Look at Psalms 14 and 53 on Atheism
Joy is not in things; it is in us.  -Richard Wagner

Re: OpenSSL version 3.0.0-alpha1 published

Sam Roberts
In reply to this post by Matt Caswell-2
On Fri, Apr 24, 2020 at 1:05 AM Matt Caswell <[hidden email]> wrote:

> This one is interesting:
>
> ERR_OSSL_EVP_FETCH_FAILED
>
>
> This means that the algorithm you are trying to use isn't available in
> the loaded providers. Since you should be getting the default provider
> loaded automatically it could be because some legacy algorithms were
> moved to the legacy provider (MD2, MD4, MDC2, RMD160, CAST5, BF
> (Blowfish), IDEA, SEED, RC2, RC4, RC5 and DES (but not 3DES)). If you're
> using something from that list then that would explain it.

Can we add the legacy provider, via configuration, or via code?

Re: OpenSSL version 3.0.0-alpha1 published

Nicola Tuveri-2
At https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers there was already an example of how to do this programmatically, and a link to the manpage for the config file syntax.

I just added also a minimal config file example to load both the default and the legacy provider in the default library context.


Cheers,

Nicola

On Fri, 24 Apr 2020 at 17:56, Sam Roberts <[hidden email]> wrote:
On Fri, Apr 24, 2020 at 1:05 AM Matt Caswell <[hidden email]> wrote:
> This one is interesting:
>
> ERR_OSSL_EVP_FETCH_FAILED
>
>
> This means that the algorithm you are trying to use isn't available in
> the loaded providers. Since you should be getting the default provider
> loaded automatically it could be because some legacy algorithms were
> moved to the legacy provider (MD2, MD4, MDC2, RMD160, CAST5, BF
> (Blowfish), IDEA, SEED, RC2, RC4, RC5 and DES (but not 3DES)). If you're
> using something from that list then that would explain it.

Can we add the legacy provider, via configuration, or via code?
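
An audit check for the provider configuration discussed in this message and in Matt Caswell's note on ERR_OSSL_EVP_FETCH_FAILED, as an added example that is not part of the original messages, the wiki or OpenSSL: it reports which providers an openssl.cnf activates, so a config that switches the legacy provider (and the algorithms listed above) back on is visible in review. Both sample configs are constructed, the function names are hypothetical, and any `activate` key is counted as active whatever its value.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenSSL wiki. Function names are
# hypothetical; both sample configs are constructed for this example.

# List the providers a config file activates, one per line, sorted.
# Follows openssl_conf -> providers -> <name> = <section> -> activate.
# Assumption: any "activate" key counts, whatever its value (conservative).
active_providers() {     # usage: active_providers FILE
    awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # strip comments, trim
        $0 == "" { next }
        /^\[.*\]$/ {                                      # [ section ] header
            sec = substr($0, 2, length($0) - 2)
            gsub(/[ \t]/, "", sec); next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            val[sec SUBSEP k] = v
            keys[sec] = keys[sec] " " k
        }
        END {
            init = val["" SUBSEP "openssl_conf"]; if (init == "") exit
            psec = val[init SUBSEP "providers"];  if (psec == "") exit
            n = split(keys[psec], names, " ")
            for (i = 1; i <= n; i++) {
                key = val[psec SUBSEP names[i]] SUBSEP "activate"
                if (key in val) print names[i]
            }
        }
    ' "$1" | sort
}

# Exit status 0 if the legacy provider is activated by FILE.
legacy_enabled() {       # usage: legacy_enabled FILE
    active_providers "$1" | grep -qx legacy
}

# Constructed sample: default and legacy both activated.
sample_conf_with_legacy() {
    cat <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
# default is listed explicitly: it is only loaded automatically
# when no other provider has been loaded
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
EOF
}

# Constructed sample: legacy section referenced but not activated.
sample_conf_default_only() {
    cat <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
# activate = 1
EOF
}

# Demo: flag the first sample, which turns the legacy algorithms back on.
conf=$(mktemp)
sample_conf_with_legacy > "$conf"
if legacy_enabled "$conf"; then
    echo "legacy provider activated; active: $(active_providers "$conf" | tr '\n' ' ')"
fi
rm -f "$conf"
```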

Re: OpenSSL version 3.0.0-alpha1 published

Yann Ylavic
In reply to this post by The Doctor
On Fri, Apr 24, 2020 at 5:50 PM The Doctor <[hidden email]> wrote:
>
> I will also test on httpd , php 74 et al.

This commit might help if you want to test httpd trunk/master:
https://github.com/apache/httpd/commit/316aea784d9423688ea38943d95d1d2b614fc921

Regards,
Yann.

Re: OpenSSL version 3.0.0-alpha1 published

Matt Caswell-2
In reply to this post by Steffen Nurpmeso-2


On 24/04/2020 16:12, Steffen Nurpmeso wrote:
> make: *** [Makefile:2801: build_sw] Error 2
>
> I have to go now, maybe this all goes away if i get myself the
> Test::Builder::TodoDiag perl module?

I doubt it. This isn't code in the tests.

Try adding this line with the other includes at the top of the
providers/implementations/signature/dsa.c file:

#include "internal/packet.h"

I don't see it listed there already...I wonder why no one has got this
compilation error before now?

Matt

Re: OpenSSL version 3.0.0-alpha1 published

The Doctor
In reply to this post by The Doctor
On Fri, Apr 24, 2020 at 09:51:48AM -0600, The Doctor wrote:
> All right, I am testing 3.0 alpha 2 using sshd and squid on FreeBSD 12.1
> I will also test on httpd, php 74 et al.
>
> so far openssh 8.2p1 and openssl 2.0 is working.
>

And squid 5.0.2


--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
https://www.empire.kred/ROOTNK?t=94a1f39b  Look at Psalms 14 and 53 on Atheism
Joy is not in things; it is in us.  -Richard Wagner

Re: OpenSSL version 3.0.0-alpha1 published

Sergio NNX
In reply to this post by openssl
  • Windows 10 x64
  • GCC 8.3.0 x86_64

$ openssl version -a

OpenSSL 3.0.0-alpha1 "23 Apr 2020" (Library: OpenSSL 3.0.0-alpha1 "23 Apr 2020")
built on: Fri Apr 24 18:14:53 2020 UTC
platform: mingw64
options:  bn(64,64)
compiler: /mingw/bin/gcc.exe -m64 -DWINVER=0x0501 -D_WIN32_WINNT=0x0501 -D_WIN32_IE=0x0501 -D__PTW32_STATIC_LIB -D__PTW32_CLEANUP_C -m64 -O2 -pipe -mms-bitfields -fno-builtin -march=core2 -mtune=core2 -DL_ENDIAN -DOPENSSL_BUILDING_OPENSSL -DOPENSSL_PIC -DUNICODE -D_UNICODE -DWIN32_LEAN_AND_MEAN -D_MT -DZLIB -DNDEBUG -I/mingw/x86_64-pc-mingw32/include -I/mingw/x86_64-pc-mingw32/include/directx -I/mingw/include
OPENSSLDIR: "C:/OpenSSL"
ENGINESDIR: "C:/MinGW/lib/engines-3"
MODULESDIR: "C:/MinGW/lib/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0x7ffaf3bfffebffff:0x29c67af


Some issues found:

on.obj crypto/cversion.c
In file included from include/openssl/macros.h:11,
                 from include/openssl/opensslconf.h:14,
                 from include/openssl/macros.h:10,
                 from include/openssl/crypto.h:15,
                 from include/internal/cryptlib.h:23,
                 from crypto/cversion.c:10:
crypto/cversion.c: In function 'OpenSSL_version':
include/openssl/opensslv.h:91:54: error: expected ';' before numeric constant
 # define OPENSSL_VERSION_TEXT "OpenSSL 3.0.0-alpha1 "23 Apr 2020""
                                                      ^~
crypto/cversion.c:50:16: note: in expansion of macro 'OPENSSL_VERSION_TEXT'
         return OPENSSL_VERSION_TEXT;
                ^~~~~~~~~~~~~~~~~~~~
make[1]: *** [crypto/libcrypto-lib-cversion.obj] Error 1
make[1]: Leaving directory `/src/openssl-3.0.0-alpha1'
make: *** [build_sw] Error 2





Re: OpenSSL version 3.0.0-alpha1 published

Steffen Nurpmeso-2
In reply to this post by Matt Caswell-2
Hello and Good Evening!

Matt Caswell wrote in
<[hidden email]>:
 |On 24/04/2020 16:12, Steffen Nurpmeso wrote:
 |make: *** [Makefile:2801: build_sw] Error 2
 |>
 |> I have to go now, maybe this all goes away if i get myself the
 |> Test::Builder::TodoDiag perl module?
 |
 |I doubt it. This isn't code in the tests.

Ok, i have updated to git master as of ~30 minutes ago and
searched the net for that perl module, it is part of
Test-Simple-1.302175 which i extracted into external/perl, then
i did "echo Test-Simple-1.302175/lib >> MODULES.txt", updated my
openssl-blade: make rule to

  --prefix=$(MYPREFIX) \
    zlib-dynamic shared no-deprecated threads no-tests no-async \
    -Wl,-rpath,'$(LIBRPATH)'

and with this compilation succeeds!
It is _incredibly_ fast!  Wow!

Well, i do not know.  I am on CRUX-Linux version 3.5, which is
less than a year old.  Crucial packages like libc and perl (and
i think these are all) are not updated in between releases, the
kernel is up to you, the rest is rolling.

 |Try adding this line with the other includes at the top of the
 |providers/implementations/signature/dsa.c file:
 |
 |#include "internal/packet.h"
 |
 |I don't see it listed there already...I wonder why no one has got this
 |compilation error before now?

I tried that first, but it was a dead-end.

Thanks, ciao, and good luck! from Germany,

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)

Re: OpenSSL version 3.0.0-alpha1 published

Steffen Nurpmeso-2
Hello once more.

OpenSSL wrote in
<[hidden email]>:
 |   OpenSSL version 3.0 alpha 1 released

I do not understand one thing at the moment.  If i use
no-deprecated then the stack handling is not available:

  /*
   * If we're building OpenSSL, or we have no-deprecated configured,
   * then we don't define the inline functions (see |SKM_DEFINE_STACK_OF|,
   * above), we just declare the stack datatypes. Otherwise, for compatibility
   * and to not remove the API's, we define the functions.  We have the
   * trailing semicolon so that uses of this never need it.
   */
  #if defined(OPENSSL_BUILDING_OPENSSL) || defined(OPENSSL_NO_DEPRECATED_3_0)
  # define DEFINE_OR_DECLARE_STACK_OF(s) STACK_OF(s);

This of course results in all the stack things not being
available, for example

  /.../xtls.c:1444:20: warning: implicit declaration of function 'sk_X509_num'; did you mean 'X509_new'? [-Wimplicit-function-declaration]
      for (i = 0; i < sk_X509_num(certs); ++i) {

How can i access stacks without those accessors?
Is this documented somewhere, i stopped searching for answers
anywhere else, which is why i write this.

Ciao and thank you,

--steffen