-
Notifications
You must be signed in to change notification settings - Fork 730
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Migration to OpenSSL 3.0 API #2438
Conversation
(GOST expert hat on) I'd suggest not to rely on EC_KEY layer dealing with the GOST stuff. I'd suggest to make a buffer using a technique described in RFC 5933, and then load the GOST key to a EVP_PKEY object. In this case you will be able to use normal EVP layer which is the same for OpenSSL 1.0+ versions. I can ask my colleagues in Russia to test the code, if necessary, though can't promise the fast response. |
When trying to test with OpenSSL-3.0.0 the use of `FIPS_mode()` in two places pkcs11-tool.c and framework-pkcs11.c causes a run time error like: "./pkcs11-tool: symbol lookup error: /opt/ossl-3.0.0/lib/opensc-pkcs11.so: undefined symbol: FIPS_mode" sc-ossl-sc-ossl-compat.h was modified to use `OSSL_PROVIDER_available(NULL, "fips")` which is is in OpenSSL 3.0.0 This patch is based on OpenSC#2438 OpenSC@1272521 but OpenSC#2438 contains many other changes and and may not be commited for some time. Date: Sat Nov 27 07:39:39 2021 -0600 Changes to be committed: modified: src/libopensc/sc-ossl-compat.h
When trying to test with OpenSSL-3.0.0 the use of `FIPS_mode()` in two places pkcs11-tool.c and framework-pkcs11.c causes a run time error like: "./pkcs11-tool: symbol lookup error: /opt/ossl-3.0.0/lib/opensc-pkcs11.so: undefined symbol: FIPS_mode" sc-ossl-sc-ossl-compat.h was modified to use `OSSL_PROVIDER_available(NULL, "fips")` which is is in OpenSSL 3.0.0 This patch is based on #2438 1272521 but #2438 contains many other changes and and may not be commited for some time. Date: Sat Nov 27 07:39:39 2021 -0600 Changes to be committed: modified: src/libopensc/sc-ossl-compat.h
@frankmorgner @dengert Do you have some comments to this PR or can I merge it during the next week? Or do you need more time for review? AFAIK this should not conflict with #2053. |
Is this intended to be in the next release? Do we have a way to test There are still questions about @xhanulik Can you say some more about what options where used to build OpenSSL-3.0.0? When building OpenSC, rather then using I am OK with it committing to master, as that is the only way this will get tested. Developers can use |
I tried to reproduce the error caught by test-oseid-openssl-3. RSA key 2048, signature mechanism SHA512-RSA-PKCS-PSS. It seems that the signature has not been generated correctly:
This error can come from OsEID simulation - I can't guarantee the complete error-free algorithms used in OsEID. For now, I am unable to reproduce this error. Test environment: lxc debian bullseye, openssl from https://github.com/openssl/openssl, openssl-3.0 branch, commit 015e3f59434651c454c94888d0c6d57c2203cd42 , opensc from https://github.com/xhanulik/OpenSC/tree/openssl-3 , commit 87fd906 |
@dengert OpenSSL was from package (rel 4.el9), so mentioned options for OpenSSL were tested in container (as in 383c8f2, OpenSSL built from github, tag openssl-3.0.0). With As of building OpenSC, omitting |
Thanks for taking the time for updating to the new API. The changes look good. I fear we're punished with such messy code at least until the en of 2023. In the long run, we should try to extract individual OpenSSL code to some more generic crypto layer... DNIe and CWA are the two cards that have the most individual changes. @germanblanco @rickyepoderi, would you mind testing the changes? |
This is certainly worth the effort in case 1) We will be able to create a better API 2) We would need to support different crypto backends. In other cases, creating abstraction layer just on different OpenSSL versions would only cause more work maintaining IMHO.
Thanks for checking. Looks like the failure is gone, am I right? |
Hi! The current status of this PR makes DNIe core-dump. At least with my current openssl 1.1.1l the changes in this commit are needed. But I also did a quick test with openssl 3.0.0 and it core-dumps even with my changes (something related with the RSA private key, it's like it's not created OK). But I don't know if I have to check 3.0.0 more at this moment, I think the PR is just moving from old API to the new API. If you need more tests I'll try to do them but be calm with me, I have very little time nowadays. |
OK, it was faster than expected. Now it works woth openssl 1.1.1l and 3.0.0. With 3.0.0 there are deprecated warnings but not in the DNIe area so I did not touch that part. There were several minor issues in dnie so please contact people that tests the affected cards because doing a mistake is easy. Please @xhanulik incorporate this commit on top of this PR. Thanks! |
@rickyepoderi, thank you for your time for testing and fixing the issues!
These warnings are connected with gost and SHA internal structures, as mentioned above. |
if (certtype & EVP_PKT_EXCH) { | ||
usage |= SC_PKCS15_PRKEY_USAGE_WRAP; | ||
usage |= SC_PKCS15_PRKEY_USAGE_UNWRAP; | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@dengert did you get back to this comment? Can you help us to figure out the purpose of this function and if we still need it for something?
#878 appears to be first time LibresSSL was requested. Today, with OpenSC master as of 12/13/2020 c96ec18 using libressl v3.3.3 OpenSC fails to compile with problems with: I have not tried it with #2438 as the effort did not appear to be worth it. Maybe after #2438 is merged I could try again and with newer version of LibreSSL. https://openports.se/security/opensc says OpenSC is ported to OpenBSD. |
How crucial is it to support LibReSSL? I'd personage prefer not to bother. |
I personally don't use LibreSSL and don't know if anyone uses OpenSC with LibreSSL out side of OpenBSD. So it very low on my list. Someone is porting OpenSC to OpenBSD and patching it. |
Thanks for highlighting the limited scope of BoringSSL; I agree that we don't need to be compatible with it. Also, LibreSSL is not an high priority target, but it seems that we're breaking compatibility with OpenSSL 1.0.2. OpenSSL 1.0.2 is not supported since one year now and systems building a newer version of OpenSC will surely upgrade OpenSSL as well. If this is what we agree on, then we should adjust the OpenSSL version in configure.ac. |
IMHO, it is Ok to break compatibility with OpenSSL-1.0.2. LibreSSL - simply don't care. |
Installed openbsd 7.0 as Virtualbox guest. Attach card reader with card to the VM then:
using ldd it looks like they have built OpenSC using libreSSL. /usr/include/openssl/ has Hopefully no one is using openssl < 1.0.2. https://openports.pl/path/security/openssl/1.1 says: "openssl-1.1.1m ... This package is not intended for general-purpose use in OpenBSD - it is present for test/comparison purposes, and occasionally to provide support for applications which cannot be made compatible with LibreSSL (mostly due to use of removed APIs); in the latter case care must be taken - it will conflict if library dependencies use LibreSSL libraries." So they are taking the OpenSC source and using the fact that we are testing for the above two defines and building OpenSC using the OpenBSDB LibreSSL. So we should be OK testing and setting minimal OpenSSL number to 1.0.2 or 1.1 |
@xhanulik can you update the minimal version in the configura.ac I think it is reasonable to not support 1.0.2 as it is no longer supported by openssl upstream. |
No older version is longer supported by the OpenSSL team.
thank you |
All green. Thank you Veronika for the contribution and all the others for your inputs! |
Compiling on Ubuntu against 3.0.0 I get a lot of warnings about redefines from this this section: https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/sc-ossl-compat.h#L50-L72 There are 45 lines like: "../../../src/src/libopensc/sc-ossl-compat.h:68: note: this is the location of the previous definition" All OpenSSL includes need to be done before This appears to fix these: Only other warnings are about ENGINE_* routines are depricated. |
Thank you for checking. The proposed changes look good to me. Please, add them as a new PR. Weirdly enough, I do not see these with OpenSSL 3.0 in RHEL9 or CentOS9 Stream where we have OpenSSL 3.0 already package nor in the ubuntu in the CI.. But these changes should not harm. |
Looks like may be my fault. I will have to look at how to handle this. So hold off on the fix above it may not be needed. |
https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/sc-ossl-compat.h#L50-L72 allows us to use older definitions of 5 macros or defines that have been renamed over the years (or are still used by libressl). The above is complicated by the use of OpenSSL For example in OpenSSL-3.0.1, https://github.com/openssl/openssl/blob/master/include/openssl/evp.h#L869-L872
https://github.com/openssl/openssl/blob/master/include/openssl/err.h.in#L456-L460 So what do we do?
Doing 1. may lead to unexpected errors as our version may not work as expected as noted in the Doing 2. may cause problems with libressl, but that will be their problem and not ours. Doing 3. means we always use the definition provided by OpenSSL, and only use ours if OpenSSL did not provide a version. In #2438 (comment) I addressed only 2 routines that had warning messages, There are 6 other files that need the order of include fixed: card-authentic.c, card-npa.c, card-westcos.c, cryptoflex-tool.c, gids-tool.c and pkcs15-init.c. There may be others these are the ones that produced warnings. |
Doing (3) makes the most sense to me. |
No. It makes no sense at all, because includes should almost never depend on any order. If sc-ossl-compat.h needs any openssl headers to be included first, it those includes need to be in sc-ossl-compat.h before anything meaningful is done. |
OK, I won't do anything. |
To my understanding, sc-ossl-compat.h allows using the 1.1.0 API of OpenSSL throughout the whole codebase of OpenSC. This PR touched all places, which were not easily mappable to the 3.0 API. At the end of 2023 when 1.1.1 is not supported anymore, someone will eventually have to rewrite all code so that OpenSC uses the 3.0 API and only that API. Above, I've suggested a dedicated crypto-layer to hide this version complexity, because it is starting to get messy... but that, too, is a lot of work... |
78c66a5 part of this PR sets Then leave up to the porting of OpenSC to the libressl people. Openssl 1.1.1 used EVP_CIPHER_CTX_reset, we could change EVP_CIPHER_CTX_cleanup(x) to EVP_CIPHER_CTX_reset(x) and change in code base ERR_load_crypto_strings to OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL) Drop the mapping of SSL_load_error_strings as it is only used in sc-ossl-compat.h ERR_free_strings is a nop so could be removed ERR_load_crypto_strings was deprecated in 1.1 and could removed. Thus |
PR #2492 was submitted to address some of the remaining issues with What remains is a few differenced between 1.1.1 and 3.0.x. that were introduced by #2438 and these lines:
remain and only be needed by the As @frankmorgner pointed out "No. It makes no sense at all, because includes should almost never depend on any order." Looking at the I would like to ask @xhanulik and @Jakuje to look at these tests and #2492 #2492 has one failure in a test and it is not clear why the simplest RSA-PKCS would fail and only for test-oseid.sh |
We already had a problem with OpenSSL 3.0 and oseid #2438 (comment) but with a different mechanism - SHA512-RSA-PKCS-PSS. I can't guarantee that oseid will calculate RSA absolutely safely - there can be a bug in every program. It is strange that this manifests itself when using openssl 3.0. I did not notice a similar error when testing with an older version of openssl. I have tried to reproduce this error so far without success. The OsEID code (for RSA) has not changed since September 2019. The error in test https://github.com/OpenSC/OpenSC/runs/4873291258?check_suite_focus=true can be caused in oseid, opensc or even openssl pkeyutl.It can even be caused by a bitflip when executing a program. I will add another debug output to OsEID tests, so that in case of another error it is easier to analyze where the error occurred. |
I also tried running that segment of the code on my Ubuntu with a real card. Worked OK against OpenSSL 1.1.1m, 3.0.0 and 3.0.1 Are any of these tests run in parallel? The data to be signed, is only 3 bytes, usually the data to be padded is a hash or some multiple of 8. Some problem with the OSEID code? It looks like from the output of the |
I found what's wrong. The RSA calculation in the OsEID project assumes that prime1 > prime2. Even if prime1 < prime2, it still depends on the sign/decrypt input whether the result is correct or incorrect. openssl from debian (1.1.1k-1+deb11u1): openssl commit ca048994ae1431965a068b17e1f17afa2345e1f5 (HEAD -> openssl-3.0, origin/openssl-3.0) I will prepare a fix for OsEID, which will eliminate this problem. |
Follows on from: #2337, related: #2308
This PR rewrites OpenSSL API deprecated in version 3.0. Where possible, it is replaced with EVP interface:
i2d_*
andd2i_*
functionsbut there is some code, which can not be simply rewritten in that way, this includes:
EVP_PKEY_get_*_param()
OSSL_PARAM
andEVP_PKEY_fromdata()
, keys should be immutable once they are created, therefore for setting new parameters, it is needed to create new key with use ofEVP_PKEY_todata()
andOSSL_PARAM_merge()
EVP_des_ecb()
incardos-tool.c
andRIPEMD160
inpkcs11-tool.c
pkcs15-westcos.
-OSSL_ENCODER
usedPEM_read_bio_RSAPrivateKey()
- withOSSL_DECODER
In these situations, the alternate code is wrapped in
#if
for given version of OpenSSL.What is not resolved yet:
openssl.c
card-iasecc.c
Also, added container and test for build with OpenSSL 3.0. For the above mentioned deprecated calls it is building without
-Werror
.Checklist