Bug #8384

Cannot build ruby against OpenSSL build with "no-ec2m"

Added by Vit Ondruch almost 2 years ago. Updated over 1 year ago.

[ruby-core:54881]
Status: Closed
Priority: Normal
Assignee: Usaku NAKAMURA
ruby -v: ruby 2.0.0p0 (2013-02-24) [x86_64-linux]
Backport: 1.9.3: DONE, 2.0.0: DONE

Description

=begin
Due to recent changes in OpenSSL configuration options for Red Hat Enterprise Linux, I cannot build Ruby anymore.

These are the relevant changes in OpenSSL configuration:

@@ -227,7 +234,7 @@ sslarch=linux-ppc64
./Configure \
--prefix=/usr --openssldir=%{sysconfdir}/pki/tls ${sslflags} \
zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
- enable-cms enable-md2 no-mdc2 no-rc5 no-ec no-ec2m no-ecdh no-ecdsa no-srp \
+ enable-cms enable-md2 no-mdc2 no-rc5 no-ec2m no-srp \
--with-krb5-flavor=MIT --enginesdir=%{
libdir}/openssl/engines \
--with-krb5-dir=/usr shared ${sslarch} %{?!nofips:fips}
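Review bot: the `+` line drops no-ec, no-ecdh and no-ecdsa but keeps no-ec2m, so this build enables EC while binary-field (GF2m) support stays compiled out. Dependents that guard their EC code only on OPENSSL_NO_EC will now compile it and reference GF2m functions that are not declared. Call this out in the package changelog and name OPENSSL_NO_EC2M as the macro dependents need to test.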

I see that the "no-ec" was removed. So if I understand it correctly, the "OPENSSL_NO_EC" used to be defined, while it is not anymore, and hence the whole ossl_pkey_ec.c file used to be ignored, while it is not anymore. Therefore, I observe the following error:

ossl_pkey_ec.c:821:29: error: 'EC_GROUP_new_curve_GF2m' undeclared (first use in this function)
new_curve = EC_GROUP_new_curve_GF2m;

Our OpenSSL maintainer suggested that I just #ifndef OPENSSL_NO_EC2M all the calls that contain GF2m. So I went ahead with this naive patch:

diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
index 8e6d88f..29e28ca 100644
--- a/ext/openssl/ossl_pkey_ec.c
+++ b/ext/openssl/ossl_pkey_ec.c
@@ -762,8 +762,10 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self)
method = EC_GFp_mont_method();
} else if (id == s_GFp_nist) {
method = EC_GFp_nist_method();
+#if !defined(OPENSSL_NO_EC2M)
} else if (id == s_GF2m_simple) {
method = EC_GF2m_simple_method();
+#endif
}

          if (method) {
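Review bot: with OPENSSL_NO_EC2M defined, the `s_GF2m_simple` arm disappears, so an `id` of :GF2m_simple matches no branch and nothing assigns `method` or tells the caller why. Add an `#else` arm that raises an error stating that binary-field curves are not available in this OpenSSL build, instead of letting the symbol fall through as if it were unknown.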

@@ -817,8 +819,10 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self)

          if (id == s_GFp) {
              new_curve = EC_GROUP_new_curve_GFp;

+#if !defined(OPENSSL_NO_EC2M)
} else if (id == s_GF2m) {
new_curve = EC_GROUP_new_curve_GF2m;
+#endif
} else {
ossl_raise(rb_eArgError, "unknown symbol, must be :GFp or :GF2m");
}
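Review bot: the `else` arm's message still reads "unknown symbol, must be :GFp or :GF2m", which is misleading once the `s_GF2m` branch is compiled out, because a caller who passed :GF2m is told to pass :GF2m. Make the message conditional on OPENSSL_NO_EC2M as well, or raise a distinct error for :GF2m on such builds.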

which fixes the build issues, but leaves the test suite failing:

7) Error:
test_read_private_key_pem_pw(OpenSSL::TestEC):
OpenSSL::PKey::EC::Group::Error: unable to create curve (secp112r1): unknown group
/builddir/build/BUILD/ruby-2.0.0-p0/test/openssl/test_pkey_ec.rb:10:in `initialize'
/builddir/build/BUILD/ruby-2.0.0-p0/test/openssl/test_pkey_ec.rb:10:in `new'
/builddir/build/BUILD/ruby-2.0.0-p0/test/openssl/test_pkey_ec.rb:10:in `setup'

and there are remaining references to :GF2m in exception messages, etc. Is there any chance to support this set of OpenSSL configuration options properly, i.e. make the OpenSSL work better with such fine-grained configuration options?

Thanks
=end

out.patch (2.3 KB) Vit Ondruch, 05/14/2013 06:45 PM

Associated revisions

Revision 41808
Added by emboss over 1 year ago

  • ext/openssl/ossl_pkey_ec.c: Ensure compatibility to builds of OpenSSL with OPENSSL_NO_EC2M defined, but OPENSSL_NO_EC not defined.
  • test/openssl/test_pkey_ec.rb: Iterate over built-in curves (and assert their non-emptiness!) instead of hard-coding them, as this may cause problems with respect to the different availability of individual curves in individual OpenSSL builds. [Bug #8384]

Thanks to Vit Ondruch for providing the patch!

Revision 41829
Added by emboss over 1 year ago

  • test/openssl/test_pkey_ec.rb: Skip tests for "Oakley" curves as they are not suitable for ECDSA. [Bug #8384]

History

#1 Updated by Vit Ondruch almost 2 years ago

So I made the patch pass the test suite. The test suite is now querying OpenSSL for built-in curves, instead of explicitly enumerating just some of them.

#2 Updated by Anonymous over 1 year ago

  • Status changed from Open to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r41808.
Vit, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.


  • ext/openssl/ossl_pkey_ec.c: Ensure compatibility to builds of OpenSSL with OPENSSL_NO_EC2M defined, but OPENSSL_NO_EC not defined.
  • test/openssl/test_pkey_ec.rb: Iterate over built-in curves (and assert their non-emptiness!) instead of hard-coding them, as this may cause problems with respect to the different availability of individual curves in individual OpenSSL builds. [Bug #8384]

Thanks to Vit Ondruch for providing the patch!

#3 Updated by Martin Bosslet over 1 year ago

vo.x (Vit Ondruch) wrote:

So I made the patch pass the test suite. The test suite is now querying OpenSSL for built-in curves, instead of explicitly enumerating just some of them.

Thank you, iterating over the built-in curves instead of hard-coding some of them makes a lot more sense!

#4 Updated by Vit Ondruch over 1 year ago

Thanks for applying this patch.

Could this be backported into 2.0.0? Thanks.

#5 Updated by Yui NARUSE over 1 year ago

  • Status changed from Closed to Assigned

#6 Updated by Martin Bosslet over 1 year ago

naruse (Yui NARUSE) wrote:

r41808 breaks non-FIPS environments like http://u32.rubyci.org/~chkbuild/ruby-trunk/log/20130705T230301Z.diff.html.gz

Crap, compatibility is hard :) I'll fix it tomorrow!

#7 Updated by Anonymous over 1 year ago

  • Status changed from Assigned to Closed

This issue was solved with changeset r41829.
Vit, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.


  • test/openssl/test_pkey_ec.rb: Skip tests for "Oakley" curves as they are not suitable for ECDSA. [Bug #8384]

#8 Updated by Martin Bosslet over 1 year ago

The breaking build was related to "Oakley" curves, which are part of the built-in curves, but a) not suitable for ECDSA and b) their Object Identifier seems not to be registered with OpenSSL by default. This caused the tests to fail. Workaround is to simply ignore the tests for Oakley curves.
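
The approach recorded in r41808 and r41829 (ask OpenSSL for its built-in curves, require the list to be non-empty, skip the Oakley curves), sketched as an added example; it is not the code from those revisions. `probe_builtin_curves` and the report layout are hypothetical names, and key generation uses `OpenSSL::PKey::EC.generate`.

```ruby
require "openssl"

# Exercise every EC curve this OpenSSL build reports instead of a hard-coded
# list, skipping the Oakley curves, which are not suitable for ECDSA.
# The default message is constructed sample data.
def probe_builtin_curves(data = "constructed sample message")
  curves = OpenSSL::PKey::EC.builtin_curves # [[name, comment], ...]
  raise "OpenSSL reports no built-in EC curves" if curves.empty?

  digest = OpenSSL::Digest::SHA256.digest(data)
  report = { ok: [], skipped: [], unusable: {} }

  curves.each do |name, _comment|
    if name.start_with?("Oakley")
      report[:skipped] << name
      next
    end
    begin
      key = OpenSSL::PKey::EC.generate(name)
      sig = key.dsa_sign_asn1(digest)
      if key.dsa_verify_asn1(digest, sig)
        report[:ok] << name
      else
        report[:unusable][name] = "signature did not verify"
      end
    rescue OpenSSL::OpenSSLError => e
      # A listed curve can still be refused by this build or its policy.
      report[:unusable][name] = e.message
    end
  end
  report
end

if $PROGRAM_NAME == __FILE__
  r = probe_builtin_curves
  puts "usable: #{r[:ok].size}, skipped: #{r[:skipped].size}, " \
       "unusable: #{r[:unusable].size}"
  r[:unusable].each { |name, why| puts "  #{name}: #{why}" }
end
```

On a build configured with no-ec2m the binary-field curves do not appear in the list at all, so the same script runs unchanged there.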

#9 Updated by Vit Ondruch over 1 year ago

  • Backport changed from 1.9.3: UNKNOWN, 2.0.0: UNKNOWN to 1.9.3: REQUIRED, 2.0.0: REQUIRED

Is there any chance to get this backported into Ruby 2.0.0 as well as Ruby 1.9.3 branches? Thanks.

#10 Updated by Vit Ondruch over 1 year ago

  • Status changed from Closed to Open

#11 Updated by Vit Ondruch over 1 year ago

  • Assignee changed from Martin Bosslet to Tomoyuki Chikanaga

#12 Updated by Tomoyuki Chikanaga over 1 year ago

Sorry, I've overlooked this ticket. I'll try to backport r41808 and 41829.

#13 Updated by Tomoyuki Chikanaga over 1 year ago

  • Backport changed from 1.9.3: REQUIRED, 2.0.0: REQUIRED to 1.9.3: REQUIRED, 2.0.0: DONE

r41808 and 41829 are backported to ruby_2_0_0 at r43481.

#14 Updated by Tomoyuki Chikanaga over 1 year ago

  • Assignee changed from Tomoyuki Chikanaga to Usaku NAKAMURA
  • Status changed from Open to Assigned

#15 Updated by Usaku NAKAMURA over 1 year ago

  • Backport changed from 1.9.3: REQUIRED, 2.0.0: DONE to 1.9.3: DONE, 2.0.0: DONE

Backported to ruby_1_9_3 at r43486 and r43494.

#16 Updated by Vit Ondruch over 1 year ago

Thank you!

#17 Updated by Usaku NAKAMURA over 1 year ago

  • Status changed from Assigned to Closed

(already finished)
