Bug #8384

Cannot build ruby against OpenSSL build with "no-ec2m"

Added by Vit Ondruch 11 months ago. Updated 5 months ago.

[ruby-core:54881]
Status:Closed
Priority:Normal
Assignee:Usaku NAKAMURA
Category:-
Target version:-
ruby -v:ruby 2.0.0p0 (2013-02-24) [x86_64-linux]
Backport:1.9.3: DONE, 2.0.0: DONE

Description

=begin
Due to recent changes in OpenSSL configuration options for Red Hat Enterprise Linux, I cannot build Ruby anymore.

These are the relevant changes in OpenSSL configuration:

@@ -227,7 +234,7 @@ sslarch=linux-ppc64
./Configure \
--prefix=/usr --openssldir=%{sysconfdir}/pki/tls ${sslflags} \
zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
- enable-cms enable-md2 no-mdc2 no-rc5 no-ec no-ec2m no-ecdh no-ecdsa no-srp \
+ enable-cms enable-md2 no-mdc2 no-rc5 no-ec2m no-srp \
--with-krb5-flavor=MIT --enginesdir=%{
libdir}/openssl/engines \
--with-krb5-dir=/usr shared ${sslarch} %{?!nofips:fips}
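Review bot: the `+` Configure line keeps no-ec2m while dropping no-ec, no-ecdh and no-ecdsa, so this build now turns EC on with binary-field (GF2m) support still off. That combination deserves a comment next to the option list and a heads-up to dependent packages, since code that only checks whether EC is disabled will start compiling EC sources that reference GF2m functions this build does not export.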

I see that the "no-ec" was removed. So if I understand it correctly, the "OPENSSL_NO_EC" used to be defined, while it is not anymore and hence the whole ossl_pkey_ec.c file used to be ignored, while it is not anymore. Therefore, I observe the following error:

ossl_pkey_ec.c:821:29: error: 'EC_GROUP_new_curve_GF2m' undeclared (first use in this function)
new_curve = EC_GROUP_new_curve_GF2m;

Our OpenSSL maintainer suggested that I just #ifndef OPENSSL_NO_EC2M all the calls that contain GF2m. So I went ahead with this naive patch:

diff --git a/ext/openssl/osslpkeyec.c b/ext/openssl/osslpkeyec.c
index 8e6d88f..29e28ca 100644
--- a/ext/openssl/osslpkeyec.c
+++ b/ext/openssl/osslpkeyec.c
@@ -762,8 +762,10 @@ static VALUE osslecgroupinitialize(int argc, VALUE *argv, VALUE self)
method = EC
GFpmontmethod();
} else if (id == sGFpnist) {
method = ECGFpnistmethod();
+#if !defined(OPENSSL
NOEC2M)
} else if (id == s
GF2msimple) {
method = EC
GF2msimplemethod();
+#endif
}

          if (method) {
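Review bot: with the GF2m_simple branch compiled out, a caller passing that symbol on a no-ec2m build matches no branch and reaches `if (method) {` without the assignment having happened, so the outcome depends on code outside this hunk. Add an explicit error for that case saying binary-field methods are not available in this OpenSSL build, so the failure is reported at the point of the unsupported request.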

@@ -817,8 +819,10 @@ static VALUE osslecgroup_initialize(int argc, VALUE *argv, VALUE self)

          if (id == s_GFp) {
              new_curve = EC_GROUP_new_curve_GFp;

+#if !defined(OPENSSLNOEC2M)
} else if (id == sGF2m) {
new
curve = ECGROUPnewcurveGF2m;
+#endif
} else {
osslraise(rbeArgError, "unknown symbol, must be :GFp or :GF2m");
}
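Review bot: the unchanged else branch still raises "unknown symbol, must be :GFp or :GF2m", so on a build with OPENSSL_NO_EC2M defined a caller who passes :GF2m is told that :GF2m is an accepted value. Make the message conditional on the same macro (list only :GFp when GF2m is compiled out), or raise a distinct error stating that GF2m curves are not supported by the linked OpenSSL.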

which fixes the build issues, but leaves the test suite failing:

7) Error:
test_read_private_key_pem_pw(OpenSSL::TestEC):
OpenSSL::PKey::EC::Group::Error: unable to create curve (secp112r1): unknown group
/builddir/build/BUILD/ruby-2.0.0-p0/test/openssl/test_pkey_ec.rb:10:in `initialize'
/builddir/build/BUILD/ruby-2.0.0-p0/test/openssl/test_pkey_ec.rb:10:in `new'
/builddir/build/BUILD/ruby-2.0.0-p0/test/openssl/test_pkey_ec.rb:10:in `setup'

and there are remaining references to :GF2m in exception messages, etc. Is there any chance to support this set of OpenSSL configuration options properly, i.e. make the OpenSSL work better with such fine-grained configuration options?

Thanks
=end

out.patch (2.3 KB) Vit Ondruch, 05/14/2013 06:45 PM

Associated revisions

Revision 41808
Added by emboss 10 months ago

  • ext/openssl/ossl_pkey_ec.c: Ensure compatibility to builds of OpenSSL with OPENSSL_NO_EC2M defined, but OPENSSL_NO_EC not defined.
  • test/openssl/test_pkey_ec.rb: Iterate over built-in curves
    (and assert their non-emptiness!) instead of hard-coding them, as
    this may cause problems with respect to the different availability
    of individual curves in individual OpenSSL builds.
    [Bug #8384]

    Thanks to Vit Ondruch for providing the patch!

Revision 41829
Added by emboss 9 months ago

  • test/openssl/test_pkey_ec.rb: Skip tests for "Oakley" curves as they are not suitable for ECDSA. [Bug #8384]

History

#1 Updated by Vit Ondruch 11 months ago

So I made the patch pass the test suite. The test suite is now querying OpenSSL for built-in curves, instead of explicitly enumerating just some of them.

#2 Updated by Anonymous 9 months ago

  • Status changed from Open to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r41808.
Vit, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.



#3 Updated by Martin Bosslet 9 months ago

vo.x (Vit Ondruch) wrote:

So I made the patch pass the test suite. The test suite is now querying OpenSSL for built-in curves, instead of explicitly enumerating just some of them.

Thank you, iterating over the built-in curves instead of hard-coding some of them makes a lot more sense!

#4 Updated by Vit Ondruch 9 months ago

Thanks for applying this patch.

Could this be backported into 2.0.0? Thanks.

#5 Updated by Yui NARUSE 9 months ago

  • Status changed from Closed to Assigned

#6 Updated by Martin Bosslet 9 months ago

naruse (Yui NARUSE) wrote:

r41808 breaks non-FIPS environments like http://u32.rubyci.org/~chkbuild/ruby-trunk/log/20130705T230301Z.diff.html.gz

Crap, compatibility is hard :) I'll fix it tomorrow!

#7 Updated by Anonymous 9 months ago

  • Status changed from Assigned to Closed

This issue was solved with changeset r41829.
Vit, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.



#8 Updated by Martin Bosslet 9 months ago

The breaking build was related to "Oakley" curves, which are part of the built-in curves, but a) not suitable for ECDSA and b) their Object Identifier seems not to be registered with OpenSSL by default. This caused the tests to fail. Workaround is to simply ignore the tests for Oakley curves.
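
The approach this thread settled on (ask the linked OpenSSL for its built-in curves, skip the "Oakley" entries, and exercise whatever is left) can also be run as a standalone probe of a given build. This is an added example, not the test code committed in r41808 or r41829; the helper names `oakley?`, `ecdsa_candidates`, `probe_curve` and `probe_build` are made up for illustration.

```ruby
require "openssl"

# Helper names in this file are hypothetical, chosen for this example.

# "Oakley" groups are listed among the built-in curves but are not
# suitable for ECDSA, so they are excluded, as described in the thread.
def oakley?(curve_name)
  curve_name.start_with?("Oakley")
end

# Split a curve list ([name, comment] pairs) into ECDSA candidates and
# skipped names. Defaults to what the linked OpenSSL build reports.
def ecdsa_candidates(curves = OpenSSL::PKey::EC.builtin_curves)
  names = curves.map { |name, _comment| name }
  names.partition { |name| !oakley?(name) }
end

# Generate a key on the curve and do one sign/verify round trip.
# Returns [true, nil] on success or [false, "error text"] on failure.
def probe_curve(name)
  key = OpenSSL::PKey::EC.generate(name)
  digest = OpenSSL::Digest.new("SHA256").digest("probe")
  sig = key.dsa_sign_asn1(digest)
  [key.dsa_verify_asn1(digest, sig), nil]
rescue OpenSSL::OpenSSLError => e
  [false, "#{e.class}: #{e.message}"]
end

# Probe every candidate curve instead of a hard-coded list, so a build
# without binary-field (sect*) curves is simply never asked for them.
def probe_build
  candidates, skipped = ecdsa_candidates
  results = candidates.to_h { |name| [name, probe_curve(name)] }
  { results: results, skipped: skipped }
end

if $PROGRAM_NAME == __FILE__
  report = probe_build
  ok, bad = report[:results].partition { |_name, (usable, _err)| usable }
  puts "OpenSSL: #{OpenSSL::OPENSSL_LIBRARY_VERSION}"
  puts "usable: #{ok.size}, failed: #{bad.size}, skipped: #{report[:skipped].size}"
  bad.each { |name, (_usable, err)| puts "  #{name}: #{err}" }
end
```

Running it against two OpenSSL builds and comparing the output shows which curve names a deployment can rely on before any of them is written into configuration or tests.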

#9 Updated by Vit Ondruch 8 months ago

  • Backport changed from 1.9.3: UNKNOWN, 2.0.0: UNKNOWN to 1.9.3: REQUIRED, 2.0.0: REQUIRED

Is there any chance to get this backported into Ruby 2.0.0 as well as Ruby 1.9.3 branches? Thanks.

#10 Updated by Vit Ondruch 8 months ago

  • Status changed from Closed to Open

#11 Updated by Vit Ondruch 7 months ago

  • Assignee changed from Martin Bosslet to Tomoyuki Chikanaga

#12 Updated by Tomoyuki Chikanaga 6 months ago

Sorry, I've overlooked this ticket. I'll try to backport r41808 and 41829.

#13 Updated by Tomoyuki Chikanaga 6 months ago

  • Backport changed from 1.9.3: REQUIRED, 2.0.0: REQUIRED to 1.9.3: REQUIRED, 2.0.0: DONE

r41808 and 41829 are backported to ruby20_0 at r43481.

#14 Updated by Tomoyuki Chikanaga 6 months ago

  • Status changed from Open to Assigned
  • Assignee changed from Tomoyuki Chikanaga to Usaku NAKAMURA

#15 Updated by Usaku NAKAMURA 6 months ago

  • Backport changed from 1.9.3: REQUIRED, 2.0.0: DONE to 1.9.3: DONE, 2.0.0: DONE

Backported to ruby19_3 at r43486 and r43494.

#16 Updated by Vit Ondruch 6 months ago

Thank you!

#17 Updated by Usaku NAKAMURA 5 months ago

  • Status changed from Assigned to Closed

(already finished)
