
This queue is for tickets about the Crypt-OpenSSL-ECDSA CPAN distribution.

Report information
The Basics
Id: 118330
Status: open
Priority: 0/
Queue: Crypt-OpenSSL-ECDSA

People
Owner: Nobody in particular
Requestors: ppisar [...] redhat.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 0.08
Fixed in: (no value)



Subject: Cannot build against OpenSSL 1.1.0b
After upgrading OpenSSL to 1.1.0b Crypt-OpenSSL-ECDSA cannot be built:

gcc -c -I. -I/usr/include -D_REENTRANT -D_GNU_SOURCE -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fwrapv -fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic -DVERSION=\"0.08\" -DXS_VERSION=\"0.08\" -fPIC "-I/usr/lib64/perl5/CORE" -DPERL5 -DOPENSSL_NO_KRB5 ECDSA.c
ECDSA.c: In function 'XS_Crypt__OpenSSL__ECDSA_ECDSA_OpenSSL':
ECDSA.c:399:8: error: unknown type name 'ECDSA_METHOD'
 const ECDSA_METHOD * RETVAL;
       ^~~~~~~~~~~~

and plenty of other warnings. OpenSSL 1.1.0 changed the API.
Subject: Re: [rt.cpan.org #118330] Cannot build against OpenSSL 1.1.0b
Date: Tue, 11 Oct 2016 14:19:52 +0200
To: bug-Crypt-OpenSSL-ECDSA [...] rt.cpan.org
From: Mike McCauley <mikem [...] airspayce.com>
Thanks, I won't be able to look at this until next week.

Sent from my iPhone
From: ppisar [...] redhat.com
On Tue 11 Oct 2016 07:36:17, ppisar wrote:
> After upgrading OpenSSL to 1.1.0b Crypt-OpenSSL-ECDSA cannot be built:
So far, I have the attached patch that works with the old OpenSSL, but crashes with the new one. Probably because I still have Crypt::OpenSSL::EC linked to the old OpenSSL and the two could be ABI-incompatible or mix their implementations.
Subject: 0001-Port-to-OpenSSL-1.1.0.patch
From 7a707a2bb0b0c6de1eb98cef74a5d1016f0e8c9a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com> Date: Tue, 11 Oct 2016 16:15:43 +0200 Subject: [PATCH] Port to OpenSSL 1.1.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OpenSSL 1.1.0 hid ECDSA structure internals and provided methods instead. This patch uses the methods and provides their copies in the case of older OpenSSL. Because the new OpenSSL API, ECDSA_SIG_set0(), cannot set curve parameters individually and ECDSA_SIG_get0() returns yet another reference, it's necessary to duplicate the other unchanged paramater when calling set_r() or set_s(). This patch also stops exporting ECDSA_METHOD functions that were removed from the new OpenSSL. CPAN RT#118330 Signed-off-by: Petr Písař <ppisar@redhat.com> --- ECDSA.xs | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 61 insertions(+), 17 deletions(-) diff --git a/ECDSA.xs b/ECDSA.xs index 4016368..648303e 100644 --- a/ECDSA.xs +++ b/ECDSA.xs @@ -7,9 +7,34 @@ #include <openssl/ecdsa.h> #include <openssl/err.h> +#include <openssl/bn.h> #include "const-c.inc" + +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +#include <openssl/ec.h> +#else +static void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, + const BIGNUM **ps) { + if (pr != NULL) + *pr = sig->r; + if (ps != NULL) + *ps = sig->s; +} + +static int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) +{ + if (r == NULL || s == NULL) + return 0; + BN_clear_free(sig->r); + BN_clear_free(sig->s); + sig->r = r; + sig->s = s; + return 1; +} +#endif + MODULE = Crypt::OpenSSL::ECDSA PACKAGE = Crypt::OpenSSL::ECDSA PROTOTYPES: ENABLE @@ -17,7 +42,9 @@ INCLUDE: const-xs.inc BOOT: ERR_load_crypto_strings(); +#if OPENSSL_VERSION_NUMBER >= 0x10002000L && OPENSSL_VERSION_NUMBER < 0x10100000L ERR_load_ECDSA_strings(); +#endif #ECDSA_SIG * #ECDSA_SIG_new() 
@@ -61,10 +88,16 @@ ECDSA_do_verify(const unsigned char *dgst, const ECDSA_SIG *sig, EC_KEY* eckey); OUTPUT: RETVAL -# These ECDSA_METHOD functions only became available in 1.0.2 +# These ECDSA_METHOD functions only became available in 1.0.2, +# but some of them removed again in 1.1.0. #if OPENSSL_VERSION_NUMBER >= 0x10002000L +int +ECDSA_size(const EC_KEY *eckey) + +#if OPENSSL_VERSION_NUMBER < 0x10100000L + const ECDSA_METHOD * ECDSA_OpenSSL() @@ -77,9 +110,6 @@ ECDSA_get_default_method() int ECDSA_set_method(EC_KEY *eckey, const ECDSA_METHOD *meth) -int -ECDSA_size(const EC_KEY *eckey) - ECDSA_METHOD * ECDSA_METHOD_new(ECDSA_METHOD *ecdsa_method=0) @@ -95,7 +125,7 @@ ECDSA_METHOD_set_name(ECDSA_METHOD *ecdsa_method, char *name) void ERR_load_ECDSA_strings() - +#endif #endif @@ -135,11 +165,13 @@ SV * get_r(ecdsa_sig) ECDSA_SIG *ecdsa_sig PREINIT: + const BIGNUM *r; unsigned char *to; STRLEN len; CODE: to = malloc(sizeof(char) * 128); - len = BN_bn2bin(ecdsa_sig->r, to); + ECDSA_SIG_get0(ecdsa_sig, &r, NULL); + len = BN_bn2bin(r, to); RETVAL = newSVpvn((const char*)to, len); free(to); OUTPUT: @@ -149,11 +181,13 @@ SV * get_s(ecdsa_sig) ECDSA_SIG *ecdsa_sig PREINIT: + const BIGNUM *s; unsigned char *to; STRLEN len; CODE: to = malloc(sizeof(char) * 128); - len = BN_bn2bin(ecdsa_sig->s, to); + ECDSA_SIG_get0(ecdsa_sig, NULL, &s); + len = BN_bn2bin(s, to); RETVAL = newSVpvn((const char*)to, len); free(to); OUTPUT: 
@@ -164,26 +198,36 @@ set_r(ecdsa_sig, r_SV) ECDSA_SIG *ecdsa_sig SV * r_SV PREINIT: - char *s; + char *string; STRLEN len; + BIGNUM *r; + BIGNUM *s; CODE: - s = SvPV(r_SV, len); - if (ecdsa_sig->r) - BN_free(ecdsa_sig->r); - ecdsa_sig->r = BN_bin2bn((const unsigned char *)s, len, NULL); + string = SvPV(r_SV, len); + r = BN_bin2bn((const unsigned char *)string, len, NULL); + ECDSA_SIG_get0(ecdsa_sig, NULL, (const BIGNUM**)&s); + s = BN_dup(s); + if (NULL == s) + croak("Could not duplicate unchanged ECDSA paramater"); + ECDSA_SIG_set0(ecdsa_sig, r, s); void set_s(ecdsa_sig, s_SV) ECDSA_SIG *ecdsa_sig SV * s_SV PREINIT: - char *s; + char *string; STRLEN len; + BIGNUM *r; + BIGNUM *s; CODE: - s = SvPV(s_SV, len); - if (ecdsa_sig->s) - BN_free(ecdsa_sig->s); - ecdsa_sig->s = BN_bin2bn((const unsigned char *)s, len, NULL); + string = SvPV(s_SV, len); + s = BN_bin2bn((const unsigned char *)string, len, NULL); + ECDSA_SIG_get0(ecdsa_sig, (const BIGNUM**)&r, NULL); + r = BN_dup(r); + if (NULL == r) + croak("Could not duplicate unchanged ECDSA paramater"); + ECDSA_SIG_set0(ecdsa_sig, r, s); -- 2.7.4
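Review bot: in the BOOT hunk, the new guard `#if OPENSSL_VERSION_NUMBER >= 0x10002000L && OPENSSL_VERSION_NUMBER < 0x10100000L` around `ERR_load_ECDSA_strings();` has a lower bound the code did not have before: the call was unconditional, so builds against releases older than 1.0.2 silently stop loading the ECDSA error strings. If the only intent is to drop the call on 1.1.0, where the function is gone, `#if OPENSSL_VERSION_NUMBER < 0x10100000L` is enough; otherwise the commit message should say why 1.0.2 is now the floor.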
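Review bot: in the `@@ -61,10 +88,16 @@` hunk the new comment line `# but some of them removed again in 1.1.0.` is missing a verb (`# but some of them were removed again in 1.1.0.`). The nested `#if OPENSSL_VERSION_NUMBER < 0x10100000L` it opens is only closed by the bare `+#endif` added in the `@@ -95,7 +125,7 @@` hunk, directly next to the existing `#endif`; a trailing comment on each (`#endif /* < 1.1.0 */` and `#endif /* >= 1.0.2 */`) would make the pairing readable in the XS file, where the preprocessor blocks span several XS definitions.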
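Review bot: in the get_r hunk, `ECDSA_SIG_get0(ecdsa_sig, &r, NULL);` is followed immediately by `len = BN_bn2bin(r, to);` with no check that `r` is non-NULL, so reading a component that has not been set yet dereferences NULL; return an empty string (or croak) when the borrowed pointer is NULL. The get_s hunk has the same shape with `s`. The fixed `malloc(sizeof(char) * 128)` is pre-existing, but since this path is being rewritten anyway, sizing the buffer from `BN_num_bytes(r)` (or checking it against 128) would remove the unbounded write for a component larger than the buffer.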
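Review bot: in the set_r/set_s hunk, `ECDSA_SIG_get0(ecdsa_sig, NULL, (const BIGNUM**)&s); s = BN_dup(s);` croaks whenever the other component is still unset, which means set_r() cannot be the first call on a freshly created signature (and likewise set_s(), via `r`); substituting `BN_new()` when the borrowed pointer is NULL keeps the first set working. Two further points on the same lines: `r = BN_bin2bn(...)` is not checked for NULL before `ECDSA_SIG_set0(ecdsa_sig, r, s);`, and set0's return value is ignored, so on the failing path (set0 returns 0 without taking ownership) both BIGNUMs leak; check both and free on failure. Finally, `paramater` in the two croak strings should read `parameter`.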
From: ppisar [...] redhat.com
On Tue 11 Oct 2016 12:10:13, ppisar wrote:
> On Tue 11 Oct 2016 07:36:17, ppisar wrote:
> > After upgrading OpenSSL to 1.1.0b Crypt-OpenSSL-ECDSA cannot be built:
>
> So far, I have the attached patch that works with the old OpenSSL, but crashes with the new one. Probably because I still have Crypt::OpenSSL::EC linked to the old OpenSSL and the two could be ABI-incompatible or mix their implementations.
After rebuilding Crypt-OpenSSL-Bignum and Crypt-OpenSSL-EC the tests pass without a crash.

The only remaining issue is the ECDSA_METHOD tests that are skipped now. The detailed OpenSSL 1.1.0 changelog <https://www.openssl.org/news/cl110.txt> reads:

  *) New EC_KEY_METHOD, this replaces the older ECDSA_METHOD and ECDH_METHOD
     and integrates ECDSA and ECDH functionality into EC. Implementations can
     now redirect key generation and no longer need to convert to or from
     ECDSA_SIG format.

     Note: the ecdsa.h and ecdh.h headers are now no longer needed and just
     include the ec.h header file instead.

I think the Perl ECDSA_METHOD functions could be moved to Crypt-OpenSSL-EC.
Subject: Re: [rt.cpan.org #118330] Cannot build against OpenSSL 1.1.0b
Date: Thu, 20 Oct 2016 11:38:35 +1000
To: bug-Crypt-OpenSSL-ECDSA [...] rt.cpan.org
From: Mike McCauley <mikem [...] airspayce.com>
Thanks for the report. Are you able to provide a patch for any fix you need?

Cheers.

On Tuesday, October 11, 2016 12:27:14 PM Petr Pisar via RT wrote:
> Queue: Crypt-OpenSSL-ECDSA
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=118330 >
>
> On Tue 11 Oct 2016 12:10:13, ppisar wrote:
> > On Tue 11 Oct 2016 07:36:17, ppisar wrote:
> > > After upgrading OpenSSL to 1.1.0b Crypt-OpenSSL-ECDSA cannot be built:
> >
> > So far, I have the attached patch that works with the old OpenSSL, but
> > crashes with the new one. Probably because I still have
> > Crypt::OpenSSL::EC linked to the old OpenSSL and the two could be
> > ABI-incompatible or mix their implementations.
>
> After rebuilding Crypt-OpenSSL-Bignum and Crypt-OpenSSL-EC the tests pass
> without a crash.
>
> The only remaining issue is the ECDSA_METHOD tests that are skipped now.
> The detailed OpenSSL 1.1.0 changelog <https://www.openssl.org/news/cl110.txt>
> reads:
>
> *) New EC_KEY_METHOD, this replaces the older ECDSA_METHOD and ECDH_METHOD
>    and integrates ECDSA and ECDH functionality into EC. Implementations can
>    now redirect key generation and no longer need to convert to or from
>    ECDSA_SIG format.
>
>    Note: the ecdsa.h and ecdh.h headers are now no longer needed and just
>    include the ec.h header file instead.
>
> I think the Perl ECDSA_METHOD functions could be moved to Crypt-OpenSSL-EC.
--
Mike McCauley VK4AMM mikem@airspayce.com
Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.airspayce.com Phone +61 7 5598-7474
Subject: Re: [rt.cpan.org #118330] Cannot build against OpenSSL 1.1.0b
Date: Thu, 20 Oct 2016 13:27:20 +0200
To: Mike McCauley via RT <bug-Crypt-OpenSSL-ECDSA [...] rt.cpan.org>
From: Petr Pisar <ppisar [...] redhat.com>
On Wed, Oct 19, 2016 at 09:38:49PM -0400, Mike McCauley via RT wrote:
> Are you able to provide a patch for any fix you need?
Yes. The patch I sent was supposed to fix building against the new OpenSSL, including preserving the set_r() and set_s() Perl methods.

I received failed test results from Net-DNS-SEC today and that showed I had a bug in the patch I'd already sent. The problem was with calling set_r() and set_s() on an empty object. I corrected it, added a test, and a new patch is attached.

Regarding the unsupported ECDSA_METHOD, I'm not very much interested in it. And actually the current code treats it as an optional feature that was not available before OpenSSL 1.0.2. So I think it's not a big harm to drop support for it with OpenSSL 1.1.0.

-- Petr
