Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Drop support for OpenSSL pre-1.1.1 #1951

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Drop support for OpenSSL pre-1.1.1
OpenSSL versions older than 1.1.1 have all been dead for over 4 years. I don't see why an
Cyclone would have to continue supporting the bad practice of not updating EOL'd security
sensitive libraries full of known vulnerabilities.

Of course nobody should be using OpenSSL 1.1.1 anymore (it has been EOL'd about half a
year ago), but I know there are still plenty of systems in the field that rely on it and
even the CI on Azure gets the latest Linux images with it pre-installed.

Signed-off-by: Erik Boasson <eb@ilities.com>
  • Loading branch information
eboasson committed Mar 25, 2024
commit bee45b11c61d354c19b741f7375a3296a2b72ea6
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -114,7 +114,7 @@ In order to build Cyclone DDS you need a Linux, Mac or Windows 10 machine (or, w
* C compiler (most commonly GCC on Linux, Visual Studio on Windows, Xcode on macOS);
* Optionally GIT version control system;
* [CMake](https://cmake.org/download/), version 3.16 or later;
* Optionally [OpenSSL](https://www.openssl.org/), preferably version 1.1;
* Optionally [OpenSSL](https://www.openssl.org/), we recommend a fully patched and supported version but 1.1.1 will still work;
* Optionally [Eclipse Iceoryx](https://iceoryx.io) version 2.0 for shared memory and zero-copy support;
* Optionally [Bison](https://www.gnu.org/software/bison/) parser generator. A cached source is checked into the repository.

Expand Down
4 changes: 1 addition & 3 deletions docs/dev/dds_security_effort.md
Original file line number Diff line number Diff line change
Expand Up @@ -137,9 +137,7 @@ No major changes between the DDS Security plugins in OpenSplice and Cyclone
are expected.

The DDS Security plugins require OpenSSL. Cyclone DDS already uses OpenSSL.
However, it expects (or at least it's preferred to have) version 1.1 or newer,
while the OpenSplice Security plugins are build against 1.0.2. There are some
API changes between the two versions. This will take some porting effort.
We recommend a fully patched and supported version but 1.1.1 will still work.

The build system should be ported from makefiles to cmake files.

Expand Down
79 changes: 0 additions & 79 deletions src/core/ddsi/src/ddsi_ssl.c
Original file line number Diff line number Diff line change
Expand Up @@ -129,52 +129,6 @@ static ssize_t ddsi_ssl_write (SSL *ssl, const void *buf, size_t len, dds_return
return sent;
}

/* Standard OpenSSL init and thread support routines. See O'Reilly. */
#if OPENSSL_VERSION_NUMBER < 0x10100000L
static unsigned long ddsi_ssl_id (void)
{
return (unsigned long) ddsrt_gettid ();
}

typedef struct CRYPTO_dynlock_value {
ddsrt_mutex_t m_mutex;
} CRYPTO_dynlock_value;

static CRYPTO_dynlock_value *ddsi_ssl_locks = NULL;

static void ddsi_ssl_dynlock_lock (int mode, CRYPTO_dynlock_value *lock, const char *file, int line)
{
(void) file;
(void) line;
if (mode & CRYPTO_LOCK)
ddsrt_mutex_lock (&lock->m_mutex);
else
ddsrt_mutex_unlock (&lock->m_mutex);
}

static void ddsi_ssl_lock (int mode, int n, const char *file, int line)
{
ddsi_ssl_dynlock_lock (mode, &ddsi_ssl_locks[n], file, line);
}

static CRYPTO_dynlock_value *ddsi_ssl_dynlock_create (const char *file, int line)
{
(void) file;
(void) line;
CRYPTO_dynlock_value *val = ddsrt_malloc (sizeof (*val));
ddsrt_mutex_init (&val->m_mutex);
return val;
}

static void ddsi_ssl_dynlock_destroy (CRYPTO_dynlock_value *lock, const char *file, int line)
{
(void) file;
(void) line;
ddsrt_mutex_destroy (&lock->m_mutex);
ddsrt_free (lock);
}
#endif

static int ddsi_ssl_password (char *buf, int num, int rwflag, void *udata)
{
size_t cnt;
Expand Down Expand Up @@ -361,48 +315,15 @@ static bool ddsi_ssl_init (struct ddsi_domaingv *gv)
SSL_load_error_strings ();
SSL_library_init ();
OpenSSL_add_all_algorithms ();

#if OPENSSL_VERSION_NUMBER < 0x10100000L
{
const int locks = CRYPTO_num_locks ();
assert (locks >= 0);
ddsi_ssl_locks = ddsrt_malloc (sizeof (CRYPTO_dynlock_value) * (size_t) locks);
for (int i = 0; i < locks; i++)
ddsrt_mutex_init (&ddsi_ssl_locks[i].m_mutex);
}
#endif
/* Leave these in place: OpenSSL 1.1 defines them as no-op macros that not even reference the symbol,
therefore leaving them in means we get compile time errors if we the library expects the callbacks
to be defined and we somehow failed to detect that previously */
CRYPTO_set_id_callback (ddsi_ssl_id);
CRYPTO_set_locking_callback (ddsi_ssl_lock);
CRYPTO_set_dynlock_create_callback (ddsi_ssl_dynlock_create);
CRYPTO_set_dynlock_lock_callback (ddsi_ssl_dynlock_lock);
CRYPTO_set_dynlock_destroy_callback (ddsi_ssl_dynlock_destroy);
ddsi_ssl_ctx = ddsi_ssl_ctx_init (gv);

return (ddsi_ssl_ctx != NULL);
}

static void ddsi_ssl_fini (void)
{
SSL_CTX_free (ddsi_ssl_ctx);
CRYPTO_set_id_callback (0);
CRYPTO_set_locking_callback (0);
CRYPTO_set_dynlock_create_callback (0);
CRYPTO_set_dynlock_lock_callback (0);
CRYPTO_set_dynlock_destroy_callback (0);
ERR_free_strings ();
EVP_cleanup ();

#if OPENSSL_VERSION_NUMBER < 0x10100000L
{
const int locks = CRYPTO_num_locks ();
for (int i = 0; i < locks; i++)
ddsrt_mutex_destroy (&ddsi_ssl_locks[i].m_mutex);
ddsrt_free (ddsi_ssl_locks);
}
#endif
}

void ddsi_ssl_config_plugin (struct ddsi_ssl_plugins *plugin)
Expand Down
16 changes: 1 addition & 15 deletions src/security/builtin_plugins/authentication/src/auth_utils.c
Original file line number Diff line number Diff line change
Expand Up @@ -887,23 +887,9 @@ DDS_Security_ValidationResult_t generate_dh_keys(EVP_PKEY **dhkey, Authenticatio

static const BIGNUM *dh_get_public_key(DH *dhkey)
{
#ifdef AUTH_INCLUDE_DH_ACCESSORS
const BIGNUM *pubkey, *privkey;
DH_get0_key(dhkey, &pubkey, &privkey);
return pubkey;
#else
return dhkey->pub_key;
#endif
}

static int dh_set_public_key(DH *dhkey, BIGNUM *pubkey)
{
#ifdef AUTH_INCLUDE_DH_ACCESSORS
return DH_set0_key(dhkey, pubkey, NULL);
#else
dhkey->pub_key = pubkey;
#endif
return 1;
}

static DDS_Security_ValidationResult_t dh_public_key_to_oct_modp(EVP_PKEY *pkey, unsigned char **buffer, uint32_t *length, DDS_Security_SecurityException *ex)
Expand Down Expand Up @@ -1014,7 +1000,7 @@ static DDS_Security_ValidationResult_t dh_oct_to_public_key_modp(EVP_PKEY **pkey
}

dhkey = DH_get_2048_256();
if (dh_set_public_key(dhkey, pubkey) == 0)
if (DH_set0_key(dhkey, pubkey, NULL) == 0)
{
DDS_Security_Exception_set_with_openssl_error(ex, DDS_AUTH_PLUGIN_CONTEXT, DDS_SECURITY_ERR_UNDEFINED_CODE, DDS_SECURITY_VALIDATION_FAILED, "Failed to set DH public key: ");
goto fail_get_pubkey;
Expand Down
21 changes: 1 addition & 20 deletions src/security/builtin_plugins/tests/common/src/handshake_helper.c
Original file line number Diff line number Diff line change
Expand Up @@ -50,26 +50,9 @@ static const BIGNUM *
dh_get_public_key(
DH *dhkey)
{
#ifdef AUTH_INCLUDE_DH_ACCESSORS
const BIGNUM *pubkey, *privkey;
DH_get0_key(dhkey, &pubkey, &privkey);
return pubkey;
#else
return dhkey->pub_key;
#endif
}

static int
dh_set_public_key(
DH *dhkey,
BIGNUM *pubkey)
{
#ifdef AUTH_INCLUDE_DH_ACCESSORS
return DH_set0_key(dhkey, pubkey, NULL);
#else
dhkey->pub_key = pubkey;
#endif
return 1;
}

ASN1_INTEGER *
Expand Down Expand Up @@ -208,8 +191,7 @@ modp_data_to_pubkey(
goto fail_dhkey;
}

dh_set_public_key(dhkey,bn);

DH_set0_key(dhkey, bn, NULL);
if (!(pkey = EVP_PKEY_new())) {
char *msg = get_openssl_error_message_for_test();
printf("Failed to allocate pkey: %s", msg);
Expand Down Expand Up @@ -688,7 +670,6 @@ create_dh_key_ecdh(

#endif


/* for DEBUG purposes */
void print_binary_test( char* name, unsigned char *value, uint32_t size){
uint32_t i;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -23,10 +23,6 @@
#include "common/src/loader.h"
#include "config_env.h"

#if OPENSLL_VERSION_NUMBER >= 0x10002000L
#define AUTH_INCLUDE_EC
#endif

static const char *RELATIVE_PATH_TO_ETC_DIR = "/get_xxx_sec_attributes/etc/";

static const char *IDENTITY_CERTIFICATE =
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,6 @@
#include "common/src/crypto_helper.h"
#include "crypto_objects.h"

#if OPENSLL_VERSION_NUMBER >= 0x10002000L
#define AUTH_INCLUDE_EC
#endif

#define TEST_SHARED_SECRET_SIZE 32

static struct plugins_hdl *plugins = NULL;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,6 @@
#include "common/src/crypto_helper.h"
#include "crypto_objects.h"

#if OPENSLL_VERSION_NUMBER >= 0x10002000L
#define AUTH_INCLUDE_EC
#endif

#define TEST_SHARED_SECRET_SIZE 32

static struct plugins_hdl *plugins = NULL;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -24,10 +24,6 @@
#include "common/src/loader.h"
#include "crypto_objects.h"

#if OPENSLL_VERSION_NUMBER >= 0x10002000L
#define AUTH_INCLUDE_EC
#endif

static struct plugins_hdl *plugins = NULL;
static dds_security_cryptography *crypto = NULL;

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,6 @@
#include "common/src/crypto_helper.h"
#include "crypto_objects.h"

#if OPENSLL_VERSION_NUMBER >= 0x10002000L
#define AUTH_INCLUDE_EC
#endif

#define TEST_SHARED_SECRET_SIZE 32

static struct plugins_hdl *plugins = NULL;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,10 +25,6 @@
#include "common/src/crypto_helper.h"
#include "crypto_objects.h"

#if OPENSLL_VERSION_NUMBER >= 0x10002000L
#define AUTH_INCLUDE_EC
#endif

#define TEST_SHARED_SECRET_SIZE 32

static struct plugins_hdl *plugins = NULL;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -22,10 +22,6 @@
#include "common/src/loader.h"
#include "crypto_objects.h"

#if OPENSLL_VERSION_NUMBER >= 0x10002000L
#define AUTH_INCLUDE_EC
#endif

#define TEST_SHARED_SECRET_SIZE 32

static struct plugins_hdl *plugins = NULL;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -333,15 +333,7 @@ static DDS_Security_GUID_t remote_participant_guid2;
static bool future_challenge_done = false;


#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
#define AUTH_INCLUDE_EC
#include <openssl/ec.h>
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
#define AUTH_INCLUDE_DH_ACCESSORS
#endif
#else
#error "version not found"
#endif

static void
serializer_participant_data(
Expand Down
35 changes: 0 additions & 35 deletions src/security/openssl/include/dds/security/openssl_support.h
Original file line number Diff line number Diff line change
Expand Up @@ -13,26 +13,6 @@

#include "dds/security/dds_security_api_types.h"

/* There's OpenSSL 1.1.x and there's OpenSSL 1.0.2 and the difference is like
night and day: 1.1.0 deprecated all the initialization and cleanup routines
and so any library can link with OpenSSL and use it safely without breaking
the application code or some other library in the same process.

OpenSSL 1.0.2h deprecated the cleanup functions such as EVP_cleanup because
calling the initialisation functions multiple times was survivable, but an
premature invocation of the cleanup functions deadly. It still has the per-
thread error state that one ought to clean up, but that firstly requires
keeping track of which threads make OpenSSL calls, and secondly we do
perform OpenSSL calls on the applications main-thread and so cleaning up
might interfere with the application code.

Compatibility with 1.0.2 exists merely as a courtesy to those who insist on
using it with that problematic piece of code. We only initialise it, and we
don't clean up thread state. If Cyclone DDS is the only part of the process
that uses OpenSSL, it should be ok (just some some minor leaks at the end),
if the application code or another library also uses it, it'll probably be
fine too. */

#ifdef _WIN32
/* WinSock2 must be included before openssl 1.0.2 headers otherwise winsock will be used */
#include <WinSock2.h>
Expand All @@ -47,19 +27,10 @@
#include <openssl/bio.h>
#include <openssl/conf.h>

#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
#define AUTH_INCLUDE_EC
#include <openssl/ec.h>
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
#define AUTH_INCLUDE_DH_ACCESSORS
#endif
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
#include <openssl/core_names.h>
#endif
#else
#error "OpenSSL version is not supported"
#endif

#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
Expand All @@ -73,12 +44,6 @@

void dds_openssl_init (void);

#if OPENSSL_VERSION_NUMBER < 0x10100000L
/* 1.1.0 has it as a supported API. 1.0.2 has it in practice and since that has been
obsolete for ages, chances are that we can safely use it */
struct tm *OPENSSL_gmtime(const time_t *timer, struct tm *result);
#endif

void DDS_Security_Exception_set_with_openssl_error (DDS_Security_SecurityException *ex, const char *context, int code, int minor_code, const char *error_area)
ddsrt_nonnull_all;

Expand Down
Loading
Loading