Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Failing to build against OpenSSL 3.0 (EVP_PKEY_get1_EC_KEY deprecation) #271

Closed
cpaelzer opened this issue Nov 26, 2021 · 2 comments
Closed

Failing to build against OpenSSL 3.0 (EVP_PKEY_get1_EC_KEY deprecation) #271

cpaelzer opened this issue Nov 26, 2021 · 2 comments

Comments

@cpaelzer
Copy link

Hi,
this was found as part of the Ubuntu openssl 3 transition and repoorted there as
https://bugs.launchpad.net/ubuntu/+source/qemu/+bug/1952448

Error example

It causes the following error:

...
	[ HOSTCC ] libstb/create-container.c
libstb/create-container.c: In function ‘getPublicKeyRaw’:
libstb/create-container.c:72:17: error: ‘EVP_PKEY_get1_EC_KEY’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
   72 |                 key = EVP_PKEY_get1_EC_KEY(pkey);
      |                 ^~~
In file included from libstb/create-container.c:13:
/usr/include/openssl/evp.h:1374:19: note: declared here
 1374 | struct ec_key_st *EVP_PKEY_get1_EC_KEY(EVP_PKEY *pkey);
      |                   ^~~~~~~~~~~~~~~~~~~~
libstb/create-container.c:76:17: error: ‘EC_KEY_get0_group’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
   76 |                 ecgrp = EC_KEY_get0_group(key);
      |                 ^~~~~
In file included from libstb/create-container.c:11:
/usr/include/openssl/ec.h:1032:39: note: declared here
 1032 | OSSL_DEPRECATEDIN_3_0 const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key);
      |                                       ^~~~~~~~~~~~~~~~~
libstb/create-container.c:80:17: error: ‘EC_KEY_get0_public_key’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
   80 |                 ecpoint = EC_KEY_get0_public_key(key);
      |                 ^~~~~~~
In file included from libstb/create-container.c:11:
/usr/include/openssl/ec.h:1060:39: note: declared here
 1060 | OSSL_DEPRECATEDIN_3_0 const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key);
      |                                       ^~~~~~~~~~~~~~~~~~~~~~
libstb/create-container.c:84:17: error: ‘EC_POINT_point2bn’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
   84 |                 pubkeyBN = EC_POINT_point2bn(ecgrp, ecpoint, POINT_CONVERSION_UNCOMPRESSED,
      |                 ^~~~~~~~
In file included from libstb/create-container.c:11:
/usr/include/openssl/ec.h:768:31: note: declared here
  768 | OSSL_DEPRECATEDIN_3_0 BIGNUM *EC_POINT_point2bn(const EC_GROUP *,
      |                               ^~~~~~~~~~~~~~~~~
libstb/create-container.c:89:17: error: ‘EC_KEY_free’ is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
   89 |                 EC_KEY_free(key);
      |                 ^~~~~~~~~~~
In file included from libstb/create-container.c:11:
/usr/include/openssl/ec.h:1001:28: note: declared here
 1001 | OSSL_DEPRECATEDIN_3_0 void EC_KEY_free(EC_KEY *key);
      |                            ^~~~~~~~~~~
cc1: all warnings being treated as errors
make: *** [/root/skiboot/libstb/Makefile.inc:25: libstb/create-container] Error 1

Repro steps including good/bad case steps

# Get a system with openssl 3, like jammy-proposed right now
https://cloud-images.ubuntu.com/jammy/current/

$ apt-get install gcc-powerpc64le-linux-gnu gcc valgrind \
        expect libssl-dev device-tree-compiler make \
        xz-utils libmbedtls-dev
$ git clone https://github.com/open-power/skiboot.git
$ cd skiboot
$ CROSS=powerpc64le-linux-gnu- make

Working so far, switch to openssl 3 in proposed

$ echo "deb http://archive.ubuntu.com/ubuntu jammy-proposed main restricted universe multiverse" >> /etc/apt/sources.list
$ apt update
$ apt upgrade
$ CROSS=powerpc64le-linux-gnu- make clean
$ CROSS=powerpc64le-linux-gnu- make

Currently the two ssl versions you can switch between in Ubuntu Jammy are

apt-cache policy libssl-dev
libssl-dev:
  Installed: 3.0.0-1ubuntu1
  Candidate: 3.0.0-1ubuntu1
  Version table:
 *** 3.0.0-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1.1.1l-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages

And with the 3.0 version this time the build breaks due to a deprecation as reported above.

References

Upstream openssl outlines the steps for that deprecation at
https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_get1_EC_KEY.html
@erichte-ibm
Copy link
Contributor

I've sent a patch to the mailing list that should address this problem. I haven't been able to test it fully integrated into op-build and on actual hardware yet to confirm the usage of the new API is exactly compatible with the old deprecated functions, but from my limited inspection of building inside and outside of an Ubuntu Jammy (w/ OpenSSL 3.0) docker container, the resulting data appears to be identical.

@rarbab
Copy link
Member

rarbab commented Jul 12, 2023

We can close this. The patch above was applied in commit 9a1f95f.

@rarbab rarbab closed this as completed Jul 12, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rarbab @cpaelzer @erichte-ibm