OpenSSL 1.1 support

Question

OpenSSL 1.1 support

ysvenkat opened this issue 8 years ago · 7 comments

In trying to compile GSI-OpenSSH with the HPN patch included, compilation fails as follows:

gcc -g -O2 -I/usr/local/ulyaoth/ssl/openssl1.1.0/include -Wall -Wpointer-arith -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE -g -O2 -I/usr/local/ulyaoth/ssl/openssl1.1.0/include -I/usr/local/ulyaoth/ssl/openssl1.1.0/include -I/usr/include/globus -I. -I. -I/usr/local/ulyaoth/ssl/openssl1.1.0//include -D_PATH_SSH_ASKPASS_DEFAULT="/home/ysvenkat/gsi-openssh.install/libexec/ssh-askpass" -DGSISSHDIR=""/home/ysvenkat/gsi-openssh.install/etc"" -D_PATH_SSH_PIDDIR="/var/run" -D_PATH_PRIVSEP_CHROOT_DIR="/var/empty" -DHAVE_CONFIG_H -c cipher-ctr-mt.c -o cipher-ctr-mt.o
cipher-ctr-mt.c: In function ‘ssh_aes_ctr’:
cipher-ctr-mt.c:425: error: dereferencing pointer to incomplete type
cipher-ctr-mt.c: In function ‘ssh_aes_ctr_init’:
cipher-ctr-mt.c:503: error: dereferencing pointer to incomplete type
cipher-ctr-mt.c:509: error: dereferencing pointer to incomplete type
cipher-ctr-mt.c:512: error: dereferencing pointer to incomplete type
cipher-ctr-mt.c: In function ‘evp_aes_ctr_mt’:
cipher-ctr-mt.c:585: error: storage size of ‘aes_ctr’ isn’t known
cipher-ctr-mt.c:587: error: invalid application of ‘sizeof’ to incomplete type ‘EVP_CIPHER’
cipher-ctr-mt.c:585: warning: unused variable ‘aes_ctr’
make: *** [cipher-ctr-mt.o] Error 1
$

Answer 1 · 2017-02-15T18:51:19.000Z

Is this for the 7.4 patch set? Also, recent investigations indicate that the AES-CTR-MT cipher may be slower than the stock AES-CTR cipher since the introduction of AES-NI on intel CPUs (westmere and later). Until we figure out how to incorporate the AES-NI calls into AES-CTR-MT not using the MT version may produce better throughput. I'll be coming out with a full patch set for 7.4 in the next week. I'll also be looking at this specific issue at that time.

…

On 2/15/17 11:53 AM, Venkat Yekkirala wrote: In trying to compile GSI-OpenSSH with the HPN patch included, compilation fails as follows: gcc -g -O2 -I/usr/local/ulyaoth/ssl/openssl1.1.0/include -Wall -Wpointer-arith -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE -g -O2 -I/usr/local/ulyaoth/ssl/openssl1.1.0/include -I/usr/local/ulyaoth/ssl/openssl1.1.0/include -I/usr/include/globus -I. -I. -I/usr/local/ulyaoth/ssl/openssl1.1.0//include -D_PATH_SSH_ASKPASS_DEFAULT="/home/ysvenkat/gsi-openssh.install/libexec/ssh-askpass" -DGSISSHDIR=""/home/ysvenkat/gsi-openssh.install/etc"" -D_PATH_SSH_PIDDIR="/var/run" -D_PATH_PRIVSEP_CHROOT_DIR="/var/empty" -DHAVE_CONFIG_H -c cipher-ctr-mt.c -o cipher-ctr-mt.o cipher-ctr-mt.c: In function ‘ssh_aes_ctr’: cipher-ctr-mt.c:425: error: dereferencing pointer to incomplete type cipher-ctr-mt.c: In function ‘ssh_aes_ctr_init’: cipher-ctr-mt.c:503: error: dereferencing pointer to incomplete type cipher-ctr-mt.c:509: error: dereferencing pointer to incomplete type cipher-ctr-mt.c:512: error: dereferencing pointer to incomplete type cipher-ctr-mt.c: In function ‘evp_aes_ctr_mt’: cipher-ctr-mt.c:585: error: storage size of ‘aes_ctr’ isn’t known cipher-ctr-mt.c:587: error: invalid application of ‘sizeof’ to incomplete type ‘EVP_CIPHER’ cipher-ctr-mt.c:585: warning: unused variable ‘aes_ctr’ make: *** [cipher-ctr-mt.o] Error 1 $ — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#14>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABS_eNOSWqlZYAuJKSqBvpppnD3Li_vaks5rcy2TgaJpZM4MB9wt>.

Answer 2 · 2017-02-15T19:36:26.000Z

It's actually for 7.3p1 with the Fedora OpenSSL 1.1 patch for OpenSSH applied. Below is a patch to HPN for OpenSSL 1.1. If you can review and let me know of any issues, I would appreciate it. Thanks.

https://github.com/globus/gsi-openssh/commit/516d21a0794d42680dc9e0d6788d8fd9c380b713

Answer 3 · 2017-05-16T00:40:32.000Z

The above patch only fixes the compilation errors, but AES-CTR-MT remains inoperable with the Fedora OpenSSL 1.1 patch for OpenSSH at runtime as recorded in the below:

https://github.com/globus/gsi-openssh/issues/18

Answer 4 · 2020-02-03T15:45:06.000Z

Note that openssl 1.0.2 isn't supported anymore, at least not for free: https://www.openssl.org/news/secadv/20191206.txt EDIT: in other words, it's likely to become vulnerable soon.

Answer 5 · 2020-02-03T17:57:26.000Z

@vcunat Sorry to pollute this thread, but I really like your avatar.

Answer 6 · 2020-06-16T17:07:22.000Z

It seems the new release hpn-KitchenSink-8_3_P1 can be compiled with newer OpenSSL and this issue can be closed

Answer 7 · 2020-06-16T17:53:15.000Z

Crazy, I just put that one up. I'm glad it's working for you. Chris

…

On 6/16/20 1:07 PM, Pavol Rusnak wrote: It seems the new release |hpn-KitchenSink-8_3_P1| can be compiled with newer OpenSSL and this issue can be closed — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#14 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAKL66GA6YKY3SJFNLYCZELRW6RFTANCNFSM4DAH3QWQ>.