Project

General

Profile

Actions
Copy link

Bug #8384

closed

Cannot build ruby against OpenSSL build with "no-ec2m"

Added by vo.x (Vit Ondruch) over 11 years ago. Updated almost 11 years ago.

Status:
Closed
Assignee:
usa (Usaku NAKAMURA)
Target version:
-
ruby -v:
ruby -v: ruby 2.0.0p0 (2013-02-24) [x86_64-linux]
Backport:
1.9.3: DONE, 2.0.0: DONE
[ruby-core:54881]

Description

=begin
Due to recent changes in OpenSSL configuration options for Red Hat Enterprise Linux, I cannot build Ruby anymore.

These are the relevant changes in OpenSSL configuration:

@@ -227,7 +234,7 @@ sslarch=linux-ppc64
./Configure
--prefix=/usr --openssldir=%{_sysconfdir}/pki/tls ${sslflags}
zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \

  •   enable-cms enable-md2 no-mdc2 no-rc5 no-ec no-ec2m no-ecdh no-ecdsa no-srp \

  •   enable-cms enable-md2 no-mdc2 no-rc5 no-ec2m no-srp \
  --with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \
  --with-krb5-dir=/usr shared ${sslarch} %{?!nofips:fips}

I see that the "no-ec" was removed. So if I understand it correctly, the "OPENSSL_NO_EC" used to be defined, while it is not anymore and hence the whole ossl_pkey_ec.c file used to be ignored, while it is not anymore, Therefore, I observe following error:

ossl_pkey_ec.c:821:29: error: 'EC_GROUP_new_curve_GF2m' undeclared (first use in this function)
new_curve = EC_GROUP_new_curve_GF2m;

I was suggested by our OpenSSL maintainer to just #ifndef OPENSSL_NO_EC2M all the calls that contain GF2m. So I went ahead with this naive patch:

diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
index 8e6d88f..29e28ca 100644
--- a/ext/openssl/ossl_pkey_ec.c
+++ b/ext/openssl/ossl_pkey_ec.c
@@ -762,8 +762,10 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self)
method = EC_GFp_mont_method();
} else if (id == s_GFp_nist) {
method = EC_GFp_nist_method();
+#if !defined(OPENSSL_NO_EC2M)
} else if (id == s_GF2m_simple) {
method = EC_GF2m_simple_method();
+#endif
}

          if (method) {

@@ -817,8 +819,10 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self)

          if (id == s_GFp) {
              new_curve = EC_GROUP_new_curve_GFp;

+#if !defined(OPENSSL_NO_EC2M)
} else if (id == s_GF2m) {
new_curve = EC_GROUP_new_curve_GF2m;
+#endif
} else {
ossl_raise(rb_eArgError, "unknown symbol, must be :GFp or :GF2m");
}

which fixes the build issues, but the leaves the test suite failing:

  1. Error:
    test_read_private_key_pem_pw(OpenSSL::TestEC):
    OpenSSL::PKey::EC::Group::Error: unable to create curve (secp112r1): unknown group
    /builddir/build/BUILD/ruby-2.0.0-p0/test/openssl/test_pkey_ec.rb:10:in initialize' /builddir/build/BUILD/ruby-2.0.0-p0/test/openssl/test_pkey_ec.rb:10:in new'
    /builddir/build/BUILD/ruby-2.0.0-p0/test/openssl/test_pkey_ec.rb:10:in `setup'

and there are remaining references to :GF2m in exception messages, etc. Is there any chance to support this set of OpenSSL configuration options properly, i.e. make the OpenSSL work better with such fine grained configuration options?

Thanks
=end

Files

out.patch (2.3 KB) out.patch vo.x (Vit Ondruch), 05/14/2013 06:45 PM
Actions
Copy link
 #1 [ruby-core:54980]

Updated by vo.x (Vit Ondruch) over 11 years ago

So I made the patch pass the test suite. The test suite is now querying OpenSSL for built-in curves, instead of explicitly enumerating just some of them.

Actions
Copy link
 #2

Updated by Anonymous over 11 years ago

  • Status changed from Open to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r41808.
Vit, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.

  • ext/openssl/ossl_pkey_ec.c: Ensure compatibility to builds of
    OpenSSL with OPENSSL_NO_EC2M defined, but OPENSSL_NO_EC not
    defined.

  • test/openssl/test_pkey_ec.rb: Iterate over built-in curves
    (and assert their non-emptiness!) instead of hard-coding them, as
    this may cause problems with respect to the different availability
    of individual curves in individual OpenSSL builds.
    [ruby-core:54881] [Bug #8384]

    Thanks to Vit Ondruch for providing the patch!

Actions
Copy link
 #3 [ruby-core:55813]

Updated by MartinBosslet (Martin Bosslet) over 11 years ago

vo.x (Vit Ondruch) wrote:

So I made the patch pass the test suite. The test suite is now querying OpenSSL for built-in curves, instead of explicitly enumerating just some of them.

Thank you, iterating over the built-in curves instead of hard-coding some of them makes a lot more sense!

Actions
Copy link
 #4 [ruby-core:55818]

Updated by vo.x (Vit Ondruch) over 11 years ago

Thanks for applying this patch.

Could this be backported into 2.0.0? Thanks.

Actions
Copy link
 #5 [ruby-core:55819]

Updated by naruse (Yui NARUSE) over 11 years ago

  • Status changed from Closed to Assigned
Actions
Copy link
 #6 [ruby-core:55821]

Updated by MartinBosslet (Martin Bosslet) over 11 years ago

naruse (Yui NARUSE) wrote:

r41808 breaks non-FIPS environments like http://u32.rubyci.org/~chkbuild/ruby-trunk/log/20130705T230301Z.diff.html.gz

Crap, compatibility is hard :) I'll fix it tomorrow!

Actions
Copy link
 #7

Updated by Anonymous over 11 years ago

  • Status changed from Assigned to Closed

This issue was solved with changeset r41829.
Vit, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.

  • test/openssl/test_pkey_ec.rb: Skip tests for "Oakley" curves as
    they are not suitable for ECDSA.
    [ruby-core:54881] [Bug #8384]
Actions
Copy link
 #8 [ruby-core:55839]

Updated by MartinBosslet (Martin Bosslet) over 11 years ago

The breaking build was related to "Oakley" curves, which are part of the built-in curves, but a) not suitable for ECDSA and b) their Object Identifier seems not to be registered with OpenSSL by default. This caused the tests to fail. Workaround is to simply ignore the tests for Oakley curves.

Actions
Copy link
 #9 [ruby-core:56770]

Updated by vo.x (Vit Ondruch) about 11 years ago

  • Backport changed from 1.9.3: UNKNOWN, 2.0.0: UNKNOWN to 1.9.3: REQUIRED, 2.0.0: REQUIRED

Is there any chance to get this backported into Ruby 2.0.0 as well as Ruby 1.9.3 branches? Thanks.

Actions
Copy link
 #10 [ruby-core:56779]

Updated by vo.x (Vit Ondruch) about 11 years ago

  • Status changed from Closed to Open
Actions
Copy link
 #11 [ruby-core:57545]

Updated by vo.x (Vit Ondruch) about 11 years ago

  • Assignee changed from MartinBosslet (Martin Bosslet) to nagachika (Tomoyuki Chikanaga)
Actions
Copy link
 #12 [ruby-core:58097]

Updated by nagachika (Tomoyuki Chikanaga) about 11 years ago

sorry, I've overlooked this ticket. I'll try to backport r41808 and 41829.

Actions
Copy link
 #13 [ruby-core:58098]

Updated by nagachika (Tomoyuki Chikanaga) about 11 years ago

  • Backport changed from 1.9.3: REQUIRED, 2.0.0: REQUIRED to 1.9.3: REQUIRED, 2.0.0: DONE

r41808 and 41829 are backported to ruby_2_0_0 at r43481.

Actions
Copy link
 #14 [ruby-core:58099]

Updated by nagachika (Tomoyuki Chikanaga) about 11 years ago

  • Status changed from Open to Assigned
  • Assignee changed from nagachika (Tomoyuki Chikanaga) to usa (Usaku NAKAMURA)
Actions
Copy link
 #15 [ruby-core:58108]

Updated by usa (Usaku NAKAMURA) about 11 years ago

  • Backport changed from 1.9.3: REQUIRED, 2.0.0: DONE to 1.9.3: DONE, 2.0.0: DONE

Backported to ruby_1_9_3 at r43486 and r43494.

Actions
Copy link
 #17 [ruby-core:58746]

Updated by usa (Usaku NAKAMURA) almost 11 years ago

  • Status changed from Assigned to Closed

(already finished)

Actions
Copy link

Also available in: Atom PDF

Like0
Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0