Uploaded image for project: 'Guacamole'
  1. Guacamole
  2. GUACAMOLE-205

libguac_common_ssh build fails with OpenSSL 1.1

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.9.11-incubating
    • Fix Version/s: 0.9.13-incubating
    • Component/s: guacamole-server, SSH
    • Labels:
      None
    • Environment:
      Linux 4.9.0-1-686-pae #1 SMP Debian 4.9.2-2 (2017-01-12) i686 GNU/Linux

      Description

      There are a number of changes in OpenSSL 1.1 which break compatibility with older versions of the API, and which break the Guacamole build if OpenSSL 1.1 is present, particularly the removal of threading callbacks (replaced with no-op macros) and the migration to opaque structures with public accessor functions. The error below is due to the no-op macros, and fixing those reveals further errors due to the new and required public accessor functions.

      A rough list is here:

      https://wiki.openssl.org/index.php/1.1_API_Changes

      The Guacamole build will need to be updated to take these changes into account. The original issue report:

      I have compiled and used guacamole since v. 9.8 or so. I just downloaded the source for 9.11-incubating. ./configure works fine. Make terminates with the following error:

      make[2]: Entering directory '/home/xxx/guacamole-server-0.9.11-incubating/src/common-ssh'
        CC       libguac_common_ssh_la-guac_sftp.lo
        CC       libguac_common_ssh_la-guac_ssh.lo
      guac_ssh.c:89:22: error: ‘guac_common_ssh_openssl_id_callback’ defined but not used [-Werror=unused-function]
       static unsigned long guac_common_ssh_openssl_id_callback() {
                            ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      guac_ssh.c:70:13: error: ‘guac_common_ssh_openssl_locking_callback’ defined but not used [-Werror=unused-function]
       static void guac_common_ssh_openssl_locking_callback(int mode, int n,
                   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      cc1: all warnings being treated as errors
      Makefile:479: recipe for target 'libguac_common_ssh_la-guac_ssh.lo' failed
      make[2]: *** [libguac_common_ssh_la-guac_ssh.lo] Error 1
      make[2]: Leaving directory '/home/mark/guacamole-server-0.9.11-incubating/src/common-ssh'
      Makefile:486: recipe for target 'all-recursive' failed
      make[1]: *** [all-recursive] Error 1
      make[1]: Leaving directory '/home/xxx/guacamole-server-0.9.11-incubating'
      Makefile:418: recipe for target 'all' failed
      make: *** [all] Error 2
      

      Make files is not my strong suit, but it seems like there's a problem with the configure script?

        Activity

        Hide
        mike.jumper Michael Jumper added a comment -

        I was able to make it work with 0.9.13 but it has since disappeared from git.

        The deletion of the staging branch is one of the final steps in our release process: http://guacamole.incubator.apache.org/release-procedures-part3/#delete-branch

        When might 0.9.13 be released?

        It will be released soon, but this really isn't the place for that discussion - this issue is fixed and closed. Any other questions, including those related to the pending release, would be better served by the mailing lists.

        Thanks,

        • Mike
        Show
        mike.jumper Michael Jumper added a comment - I was able to make it work with 0.9.13 but it has since disappeared from git. The deletion of the staging branch is one of the final steps in our release process: http://guacamole.incubator.apache.org/release-procedures-part3/#delete-branch When might 0.9.13 be released? It will be released soon, but this really isn't the place for that discussion - this issue is fixed and closed. Any other questions, including those related to the pending release, would be better served by the mailing lists. Thanks, Mike
        Hide
        jacksonp2008 jackson Pollock added a comment -

        thanks Michael

        I was able to make it work with 0.9.13 but it has since disappeared from git. Oddly, once I had compile from source, I was able to build the previous version on the same system from the distributions. However, when I start with a clean 16.04 it fails with the same error.

        Anyway, I don't see a version to use at this point unless I retool and pull from master.

        When might 0.9.13 be released?

        thanks

        Show
        jacksonp2008 jackson Pollock added a comment - thanks Michael I was able to make it work with 0.9.13 but it has since disappeared from git. Oddly, once I had compile from source, I was able to build the previous version on the same system from the distributions. However, when I start with a clean 16.04 it fails with the same error. Anyway, I don't see a version to use at this point unless I retool and pull from master. When might 0.9.13 be released? thanks
        Hide
        mike.jumper Michael Jumper added a comment - - edited

        No, this is not part of 0.9.12, but rather 0.9.13 (note the "Fix Version/s" field at the top), which is not yet released. You can find these changes either on git master or the staging branch for the pending release ("staging/0.9.13-incubating"),

        (https://issues.apache.org/jira/browse/GUACAMOLE-205?focusedCommentId=16066867&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16066867)

        Show
        mike.jumper Michael Jumper added a comment - - edited No, this is not part of 0.9.12, but rather 0.9.13 (note the "Fix Version/s" field at the top), which is not yet released. You can find these changes either on git master or the staging branch for the pending release ("staging/0.9.13-incubating"), ( https://issues.apache.org/jira/browse/GUACAMOLE-205?focusedCommentId=16066867&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16066867 )
        Hide
        jacksonp2008 jackson Pollock added a comment -

        Thanks, then when will it be fixed? Is my only recourse to load from git at this time?

        Show
        jacksonp2008 jackson Pollock added a comment - Thanks, then when will it be fixed? Is my only recourse to load from git at this time?
        Hide
        mike.jumper Michael Jumper added a comment -

        jackson Pollock, please see the comments above. This was not fixed for 0.9.12.

        Show
        mike.jumper Michael Jumper added a comment - jackson Pollock , please see the comments above. This was not fixed for 0.9.12.
        Hide
        jacksonp2008 jackson Pollock added a comment -

        Same here, I just loaded the 0.9.12 from here: https://guacamole.incubator.apache.org/releases/0.9.12-incubating/

        Seeing the error. It shows resolved but I am still seeing the error in the public distribution.

        ssh.c:70:13: error: ‘guac_common_ssh_openssl_locking_callback’ defined but not used [-Werror=unused-function]

        Any help appreciated.

        Show
        jacksonp2008 jackson Pollock added a comment - Same here, I just loaded the 0.9.12 from here: https://guacamole.incubator.apache.org/releases/0.9.12-incubating/ Seeing the error. It shows resolved but I am still seeing the error in the public distribution. ssh.c:70:13: error: ‘guac_common_ssh_openssl_locking_callback’ defined but not used [-Werror=unused-function] Any help appreciated.
        Hide
        mgoldey Mark Goldey added a comment -

        Thanks, Michael. I do see that now. I was able to compile 0.9.13 from git and can confirm that the errors have vanished.

        Ironically, I'm back to where I started those many months ago, when I upgraded my Debian box from Jessie to Stretch and 0.9.9 stopped authenticating despite having worked fine before and no change in user-mapping.xml or any other configuration files. I get this in catalina.out:

        20:55:12.899 [https-jsse-nio-8443-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from xx.xxx.xx.xxx for user "mark" failed.

        I tried using the 0.9.12 guacamole.war and it does the same thing. Is there a specific .war file to instead use with 0.9.13? I couldn't find one.

        Again, thanks for all your help.

        Show
        mgoldey Mark Goldey added a comment - Thanks, Michael. I do see that now. I was able to compile 0.9.13 from git and can confirm that the errors have vanished. Ironically, I'm back to where I started those many months ago, when I upgraded my Debian box from Jessie to Stretch and 0.9.9 stopped authenticating despite having worked fine before and no change in user-mapping.xml or any other configuration files. I get this in catalina.out: 20:55:12.899 [https-jsse-nio-8443-exec-3] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from xx.xxx.xx.xxx for user "mark" failed. I tried using the 0.9.12 guacamole.war and it does the same thing. Is there a specific .war file to instead use with 0.9.13? I couldn't find one. Again, thanks for all your help.
        Hide
        mike.jumper Michael Jumper added a comment -

        Should this be fixed in 0.9.12?

        No, this is not part of 0.9.12, but rather 0.9.13 (note the "Fix Version/s" field at the top), which is not yet released. You can find these changes either on git master or the staging branch for the pending release ("staging/0.9.13-incubating"),

        Show
        mike.jumper Michael Jumper added a comment - Should this be fixed in 0.9.12? No, this is not part of 0.9.12, but rather 0.9.13 (note the "Fix Version/s" field at the top), which is not yet released. You can find these changes either on git master or the staging branch for the pending release ("staging/0.9.13-incubating"),
        Hide
        mgoldey Mark Goldey added a comment - - edited

        I am finally getting around to trying to build Guacamole again, but I'm seeing the same error in 0.9.12:

        Making install in src/common-ssh
        make[1]: Entering directory '/home/mark/guacamole-server-0.9.12-incubating/src/common-ssh'
          CC       libguac_common_ssh_la-ssh.lo
        ssh.c:89:22: error: ‘guac_common_ssh_openssl_id_callback’ defined but not used [-Werror=unused-function]
         static unsigned long guac_common_ssh_openssl_id_callback() {
                              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        ssh.c:70:13: error: ‘guac_common_ssh_openssl_locking_callback’ defined but not used [-Werror=unused-function]
         static void guac_common_ssh_openssl_locking_callback(int mode, int n,
                     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        cc1: all warnings being treated as errors
        Makefile:488: recipe for target 'libguac_common_ssh_la-ssh.lo' failed
        make[1]: Leaving directory '/home/mark/guacamole-server-0.9.12-incubating/src/common-ssh'
        Makefile:494: recipe for target 'install-recursive' failed
        make: *** [install-recursive] Error 1
        root@faf2:/home/mark/guacamole-server-0.9.12-incubating# 
        

        Should this be fixed in 0.9.12? If not any suggestions for a successful build? Commenting out the two functions as suggested results in the error shown above. I'm not enough of a guru to think of other solutions.

        Thanks.

        Show
        mgoldey Mark Goldey added a comment - - edited I am finally getting around to trying to build Guacamole again, but I'm seeing the same error in 0.9.12: Making install in src/common-ssh make[1]: Entering directory '/home/mark/guacamole-server-0.9.12-incubating/src/common-ssh' CC libguac_common_ssh_la-ssh.lo ssh.c:89:22: error: ‘guac_common_ssh_openssl_id_callback’ defined but not used [-Werror=unused-function] static unsigned long guac_common_ssh_openssl_id_callback() { ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ssh.c:70:13: error: ‘guac_common_ssh_openssl_locking_callback’ defined but not used [-Werror=unused-function] static void guac_common_ssh_openssl_locking_callback(int mode, int n, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cc1: all warnings being treated as errors Makefile:488: recipe for target 'libguac_common_ssh_la-ssh.lo' failed make[1]: Leaving directory '/home/mark/guacamole-server-0.9.12-incubating/src/common-ssh' Makefile:494: recipe for target 'install-recursive' failed make: *** [install-recursive] Error 1 root@faf2:/home/mark/guacamole-server-0.9.12-incubating# Should this be fixed in 0.9.12? If not any suggestions for a successful build? Commenting out the two functions as suggested results in the error shown above. I'm not enough of a guru to think of other solutions. Thanks.
        Hide
        mike.jumper Michael Jumper added a comment -

        This should now be fixed on master.

        Show
        mike.jumper Michael Jumper added a comment - This should now be fixed on master.
        Hide
        mgoldey Mark Goldey added a comment - - edited

        Example of further errors once the two CRYPTO_set_XXXX functions are commented out:

        root@faf2:/home/mark/guacamole-server-0.9.11-incubating/src/common-ssh# make
          CC       libguac_common_ssh_la-guac_sftp.lo
          CC       libguac_common_ssh_la-guac_ssh.lo
          CC       libguac_common_ssh_la-guac_ssh_buffer.lo
          CC       libguac_common_ssh_la-guac_ssh_key.lo
        guac_ssh_key.c: In function ‘guac_common_ssh_key_alloc’:
        guac_ssh_key.c:74:58: error: dereferencing pointer to incomplete type
        ‘RSA {aka struct rsa_st}’
                 guac_common_ssh_buffer_write_bignum(&pos, rsa_key->e);
                                                                  ^~
        guac_ssh_key.c:108:58: error: dereferencing pointer to incomplete type
        ‘DSA {aka struct dsa_st}’
                 guac_common_ssh_buffer_write_bignum(&pos, dsa_key->p);
                                                                  ^~
        guac_ssh_key.c: In function ‘guac_common_ssh_key_sign’:
        guac_ssh_key.c:159:16: error: storage size of ‘md_ctx’ isn’t known
             EVP_MD_CTX md_ctx;
                        ^~~~~~
        In file included from guac_ssh_buffer.h:25:0,
                         from guac_ssh_key.c:22:
        guac_ssh_key.c:187:48: error: dereferencing pointer to incomplete type
        ‘DSA_SIG {aka struct DSA_SIG_st}’
                         int rlen = BN_num_bytes(dsa_sig->r);
                                                        ^
        guac_ssh_key.c:159:16: error: unused variable ‘md_ctx’
        [-Werror=unused-variable]
             EVP_MD_CTX md_ctx;
                        ^~~~~~
        cc1: all warnings being treated as errors
        Makefile:493: recipe for target 'libguac_common_ssh_la-guac_ssh_key.lo'
        failed
        make: *** [libguac_common_ssh_la-guac_ssh_key.lo] Error 1
        
        Show
        mgoldey Mark Goldey added a comment - - edited Example of further errors once the two CRYPTO_set_XXXX functions are commented out: root@faf2:/home/mark/guacamole-server-0.9.11-incubating/src/common-ssh# make CC libguac_common_ssh_la-guac_sftp.lo CC libguac_common_ssh_la-guac_ssh.lo CC libguac_common_ssh_la-guac_ssh_buffer.lo CC libguac_common_ssh_la-guac_ssh_key.lo guac_ssh_key.c: In function ‘guac_common_ssh_key_alloc’: guac_ssh_key.c:74:58: error: dereferencing pointer to incomplete type ‘RSA {aka struct rsa_st}’ guac_common_ssh_buffer_write_bignum(&pos, rsa_key->e); ^~ guac_ssh_key.c:108:58: error: dereferencing pointer to incomplete type ‘DSA {aka struct dsa_st}’ guac_common_ssh_buffer_write_bignum(&pos, dsa_key->p); ^~ guac_ssh_key.c: In function ‘guac_common_ssh_key_sign’: guac_ssh_key.c:159:16: error: storage size of ‘md_ctx’ isn’t known EVP_MD_CTX md_ctx; ^~~~~~ In file included from guac_ssh_buffer.h:25:0, from guac_ssh_key.c:22: guac_ssh_key.c:187:48: error: dereferencing pointer to incomplete type ‘DSA_SIG {aka struct DSA_SIG_st}’ int rlen = BN_num_bytes(dsa_sig->r); ^ guac_ssh_key.c:159:16: error: unused variable ‘md_ctx’ [-Werror=unused-variable] EVP_MD_CTX md_ctx; ^~~~~~ cc1: all warnings being treated as errors Makefile:493: recipe for target 'libguac_common_ssh_la-guac_ssh_key.lo' failed make: *** [libguac_common_ssh_la-guac_ssh_key.lo] Error 1
        Hide
        mike.jumper Michael Jumper added a comment -

        OK - I've managed to reproduce the error. On the platform in question, the CRYPTO_set_id_callback() and CRYPTO_set_locking_callback() functions do not exist, but are defined as macros which do nothing (for compatibility). Because these macros do nothing, those lines may as well be commented out, and GCC (correctly) determines that those static functions are never used.

        Show
        mike.jumper Michael Jumper added a comment - OK - I've managed to reproduce the error. On the platform in question, the CRYPTO_set_id_callback() and CRYPTO_set_locking_callback() functions do not exist, but are defined as macros which do nothing (for compatibility). Because these macros do nothing, those lines may as well be commented out, and GCC (correctly) determines that those static functions are never used.
        Hide
        mgoldey Mark Goldey added a comment - - edited

        The error is when using Guacamole's GUI-based login, and thus SSL, but not SSH directly

        It's as if Tomcat can't find or read user-mapping.xml (although it could read it just fine a few days ago). Tomcat reports:

        08:27:39.096 [https-jsse-nio-8443-exec-6] WARN  o.g.g.n.b.r.a.AuthenticationService - Authentication attempt from xx.xxx.xx.xxx for user "xxxx" failed.
        

        Not terribly helpful, unfortunately.

        The machine is Debian Stretch:

        $ uname -a
        Linux faf2 4.9.0-1-686-pae #1 SMP Debian 4.9.6-3 (2017-01-28) i686 GNU/Linux
        

        GCC is straight out of the box as follows:

        $ gcc -v
        Using built-in specs.
        COLLECT_GCC=gcc
        COLLECT_LTO_WRAPPER=/usr/lib/gcc/i686-linux-gnu/6/lto-wrapper
        Target: i686-linux-gnu
        Configured with: ../src/configure -v --with-pkgversion='Debian 6.3.0-6' --with-bugurl=file:///usr/share/doc/gcc-6/README.Bugs --enable-languages=c,ada,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-6 --program-prefix=i686-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-6-i386/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-6-i386 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-6-i386 --with-arch-directory=i386 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --with-target-system-zlib --enable-objc-gc=auto --enable-targets=all --enable-multiarch --with-arch-32=i686 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-checking=release --build=i686-linux-gnu --host=i686-linux-gnu --target=i686-linux-gnu
        Thread model: posix
        gcc version 6.3.0 20170205 (Debian 6.3.0-6)
        

        Hope that helps.

        Show
        mgoldey Mark Goldey added a comment - - edited The error is when using Guacamole's GUI-based login, and thus SSL, but not SSH directly It's as if Tomcat can't find or read user-mapping.xml (although it could read it just fine a few days ago). Tomcat reports: 08:27:39.096 [https-jsse-nio-8443-exec-6] WARN o.g.g.n.b.r.a.AuthenticationService - Authentication attempt from xx.xxx.xx.xxx for user "xxxx" failed. Not terribly helpful, unfortunately. The machine is Debian Stretch: $ uname -a Linux faf2 4.9.0-1-686-pae #1 SMP Debian 4.9.6-3 (2017-01-28) i686 GNU/Linux GCC is straight out of the box as follows: $ gcc -v Using built-in specs. COLLECT_GCC=gcc COLLECT_LTO_WRAPPER=/usr/lib/gcc/i686-linux-gnu/6/lto-wrapper Target: i686-linux-gnu Configured with: ../src/configure -v --with-pkgversion='Debian 6.3.0-6' --with-bugurl=file:///usr/share/doc/gcc-6/README.Bugs --enable-languages=c,ada,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-6 --program-prefix=i686-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-6-i386/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-6-i386 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-6-i386 --with-arch-directory=i386 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --with-target-system-zlib --enable-objc-gc=auto --enable-targets=all --enable-multiarch --with-arch-32=i686 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-checking=release --build=i686-linux-gnu --host=i686-linux-gnu --target=i686-linux-gnu Thread model: posix gcc version 6.3.0 20170205 (Debian 6.3.0-6) Hope that helps.
        Hide
        mike.jumper Michael Jumper added a comment -

        The reason I am building 9.11 is that 9.9 stop authenticating me when I did an apt-get dist-upgrade on the box. Hard to know how that might relate, but since the upgrade, 9.9 reports "Invalid Login" when using the same credentials that have worked since 2015 or so.

        Are you getting that error when logging in to Guacamole or when connecting via SSH using Guacamole? "Invalid Login" sounds like the error you would see during Guacamole's own login process, independent of SSH.

        Possible connection to SSH and this compiling error? I dunno.

        What Linux distribution, version, etc. are you using? And which C compiler is installed?

        Show
        mike.jumper Michael Jumper added a comment - The reason I am building 9.11 is that 9.9 stop authenticating me when I did an apt-get dist-upgrade on the box. Hard to know how that might relate, but since the upgrade, 9.9 reports "Invalid Login" when using the same credentials that have worked since 2015 or so. Are you getting that error when logging in to Guacamole or when connecting via SSH using Guacamole? "Invalid Login" sounds like the error you would see during Guacamole's own login process, independent of SSH. Possible connection to SSH and this compiling error? I dunno. What Linux distribution, version, etc. are you using? And which C compiler is installed?
        Hide
        mgoldey Mark Goldey added a comment -

        No changes to the source. I'm just an innocent bystander.

        The reason I am building 9.11 is that 9.9 stop authenticating me when I did an apt-get dist-upgrade on the box. Hard to know how that might relate, but since the upgrade, 9.9 reports "Invalid Login" when using the same credentials that have worked since 2015 or so. Possible connection to SSH and this compiling error? I dunno.

        Show
        mgoldey Mark Goldey added a comment - No changes to the source. I'm just an innocent bystander. The reason I am building 9.11 is that 9.9 stop authenticating me when I did an apt-get dist-upgrade on the box. Hard to know how that might relate, but since the upgrade, 9.9 reports "Invalid Login" when using the same credentials that have worked since 2015 or so. Possible connection to SSH and this compiling error? I dunno.
        Hide
        mike.jumper Michael Jumper added a comment -

        This doesn't look related to the configure script, but I'm not sure why you're seeing the error your seeing. Both of those functions are indeed used:

        https://github.com/apache/incubator-guacamole-server/blob/0.9.11-incubating/src/common-ssh/guac_ssh.c#L150-L151

        Did you make any changes to the source?

        Show
        mike.jumper Michael Jumper added a comment - This doesn't look related to the configure script, but I'm not sure why you're seeing the error your seeing. Both of those functions are indeed used: https://github.com/apache/incubator-guacamole-server/blob/0.9.11-incubating/src/common-ssh/guac_ssh.c#L150-L151 Did you make any changes to the source?

          People

          • Assignee:
            mike.jumper Michael Jumper
            Reporter:
            mgoldey Mark Goldey
          • Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development