ell.lists.linux.dev archive mirror
* Re: [PATCH] build: Check for openssl legacy provider requirement
@ 2022-05-21  0:15 Mat Martineau
  0 siblings, 0 replies; 4+ messages in thread
From: Mat Martineau @ 2022-05-21  0:15 UTC (permalink / raw)
  To: ell


On Fri, 20 May 2022, Marcel Holtmann wrote:

> Hi Mat,
>
>> OpenSSL 3 introduced some command line incompatibilities and removed
>> some old algorithms from the defaults. This broke some of the unit test
>> cert generation commands on distros like Ubuntu 22.04 and Fedora 36.
>>
>> Detect support of "providers" by the system openssl command and insert
>> the necessary command line parameters to enable legacy algorithms for
>> openssl v3, but leave the commands unchanged for older openssl versions.
>> ---
>>
>> Tested on Ubuntu 22.04, Fedora 36, and Fedora 35.
>>
>> ---
>> Makefile.am  | 26 ++++++++++++++++++--------
>> configure.ac |  3 +++
>> 2 files changed, 21 insertions(+), 8 deletions(-)
>
> what would it take to just use OpenSSL 3 since these are just required 
> on the development systems. I need to check my release system since that 
> is historically always behind, but I feel this business of supporting 
> two OpenSSL versions will get out of hand quickly. It is too bad that we 
> can not generate the certificates with our own tools.

Well, that's slightly simpler: substitute "-provider legacy -provider 
default" to the commands in Makefile.am where I added $(openssl_legacy). 
It only cuts 9 lines out of the patch though.

These distros and OpenSSL 3 itself are still fairly new - as much as it 
seems like ELL gets used on older or limited systems the small 
compatibility effort seems worth it to me.

I'll send the OpenSSL3-only patch too and you can decide what direction 
to take.

--
Mat Martineau
Intel


* Re: [PATCH] build: Check for openssl legacy provider requirement
  2022-05-19 22:48 Mat Martineau
@ 2022-06-29 13:59 ` Marcel Holtmann
  0 siblings, 0 replies; 4+ messages in thread
From: Marcel Holtmann @ 2022-06-29 13:59 UTC (permalink / raw)
  To: Mat Martineau; +Cc: ell, zhw2101024, ell

Hi Mat,

> OpenSSL 3 introduced some command line incompatibilities and removed
> some old algorithms from the defaults. This broke some of the unit test
> cert generation commands on distros like Ubuntu 22.04 and Fedora 36.
> 
> Detect support of "providers" by the system openssl command and insert
> the necessary command line parameters to enable legacy algorithms for
> openssl v3, but leave the commands unchanged for older openssl versions.
> ---
> 
> Tested on Ubuntu 22.04, Fedora 36, and Fedora 35.
> 
> ---
> Makefile.am  | 26 ++++++++++++++++++--------
> configure.ac |  3 +++
> 2 files changed, 21 insertions(+), 8 deletions(-)

patch has been applied.

Regards

Marcel



* Re: [PATCH] build: Check for openssl legacy provider requirement
@ 2022-05-20  9:13 Marcel Holtmann
  0 siblings, 0 replies; 4+ messages in thread
From: Marcel Holtmann @ 2022-05-20  9:13 UTC (permalink / raw)
  To: ell


Hi Mat,

> OpenSSL 3 introduced some command line incompatibilities and removed
> some old algorithms from the defaults. This broke some of the unit test
> cert generation commands on distros like Ubuntu 22.04 and Fedora 36.
> 
> Detect support of "providers" by the system openssl command and insert
> the necessary command line parameters to enable legacy algorithms for
> openssl v3, but leave the commands unchanged for older openssl versions.
> ---
> 
> Tested on Ubuntu 22.04, Fedora 36, and Fedora 35.
> 
> ---
> Makefile.am  | 26 ++++++++++++++++++--------
> configure.ac |  3 +++
> 2 files changed, 21 insertions(+), 8 deletions(-)

what would it take to just use OpenSSL 3 since these are just required
on the development systems. I need to check my release system since
that is historically always behind, but I feel this business of
supporting two OpenSSL versions will get out of hand quickly. It is too
bad that we can not generate the certificates with our own tools.

Regards

Marcel


* [PATCH] build: Check for openssl legacy provider requirement
@ 2022-05-19 22:48 Mat Martineau
  2022-06-29 13:59 ` Marcel Holtmann
  0 siblings, 1 reply; 4+ messages in thread
From: Mat Martineau @ 2022-05-19 22:48 UTC (permalink / raw)
  To: ell


OpenSSL 3 introduced some command line incompatibilities and removed
some old algorithms from the defaults. This broke some of the unit test
cert generation commands on distros like Ubuntu 22.04 and Fedora 36.

Detect support of "providers" by the system openssl command and insert
the necessary command line parameters to enable legacy algorithms for
openssl v3, but leave the commands unchanged for older openssl versions.
---

Tested on Ubuntu 22.04, Fedora 36, and Fedora 35.

---
 Makefile.am  | 26 ++++++++++++++++++--------
 configure.ac |  3 +++
 2 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/Makefile.am b/Makefile.am
index d8ba99caa47e..df99e0dfc6bc 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -355,6 +355,12 @@ if GLIB
 examples += examples/glib-eventloop
 endif
 
+if OPENSSL_PROVIDER
+openssl_legacy = -provider legacy -provider default
+else
+openssl_legacy =
+endif
+
 if MAINTAINER_MODE
 noinst_PROGRAMS += $(examples)
 endif
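Review bot: The new `if OPENSSL_PROVIDER` block should carry a one-line comment explaining why `openssl_legacy` lists `-provider default` next to `-provider legacy`: once any `-provider` option appears on an OpenSSL 3 command line the default provider is no longer loaded implicitly, so trimming the variable to `-provider legacy` alone would remove RSA, SHA-2 and every other non-legacy algorithm from the same command. Without that note the extra provider looks redundant and is an easy target for a future cleanup.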
@@ -444,7 +450,8 @@ unit/cert-client-key-pkcs1.pem:
 	$(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
 
 unit/cert-client-key-pkcs1-des.pem: unit/cert-client-key-pkcs1.pem
-	$(AM_V_GEN)openssl rsa -in $< -out $@ -des -passout pass:abc
+	$(AM_V_GEN)openssl rsa -in $< -out $@ -des -passout pass:abc \
+			$(openssl_legacy)
 
 unit/cert-client-key-pkcs1-des3.pem: unit/cert-client-key-pkcs1.pem
 	$(AM_V_GEN)openssl rsa -in $< -out $@ -des3 -passout pass:abc
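Review bot: Only the `-des` rule gains `$(openssl_legacy)` while the `-des3` rule directly below is left untouched. That split is correct, since single DES moved to the legacy provider in OpenSSL 3 while DES-EDE3 stayed in the default provider, but a short comment at this first use of `$(openssl_legacy)` stating that only the single-DES, RC2 and RC4 targets need it would stop the next reader from assuming the des3 target was simply missed.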
@@ -463,15 +470,18 @@ unit/cert-client-key-pkcs8.pem: unit/cert-client-key-pkcs1.pem
 
 unit/cert-client-key-pkcs8-md5-des.pem: unit/cert-client-key-pkcs8.pem
 	$(AM_V_GEN)openssl pkcs8 -in $< -out $@ \
-			-topk8 -v1 PBE-MD5-DES -passout pass:abc
+			-topk8 -v1 PBE-MD5-DES -passout pass:abc \
+			$(openssl_legacy)
 
 unit/cert-client-key-pkcs8-sha1-des.pem: unit/cert-client-key-pkcs8.pem
 	$(AM_V_GEN)openssl pkcs8 -in $< -out $@ \
-			-topk8 -v1 PBE-SHA1-DES -passout pass:abc
+			-topk8 -v1 PBE-SHA1-DES -passout pass:abc \
+			$(openssl_legacy)
 
 unit/cert-client-key-pkcs8-v2-des.pem: unit/cert-client-key-pkcs8.pem
 	$(AM_V_GEN)openssl pkcs8 -in $< -out $@ \
-			-topk8 -v2 des-cbc -v2prf hmacWithSHA1 -passout pass:abc
+			-topk8 -v2 des-cbc -v2prf hmacWithSHA1 -passout pass:abc \
+			$(openssl_legacy)
 
 unit/cert-client-key-pkcs8-v2-des-ede3.pem: unit/cert-client-key-pkcs8.pem
 	$(AM_V_GEN)openssl pkcs8 -in $< -out $@ \
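Review bot: The three pkcs8 rules append `$(openssl_legacy)` on its own backslash-continued line after `-passout pass:abc \`, whereas the pkcs12 hunk further down appends the same variable inline at the end of already very long lines. Pick one layout for the whole patch; the continuation-line form used here is the more readable of the two and keeps the diff against the old commands minimal.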
@@ -575,19 +585,19 @@ unit/cert-entity-pkcs12-nomac.p12: unit/cert-entity-int-key.pem unit/cert-entity
 	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -out $@ -export -passout pass:abc -nomac # defaut ciphers
 
 unit/cert-entity-pkcs12-rc2-sha1.p12: unit/cert-entity-int-key.pem unit/cert-entity-int.pem unit/cert-chain.pem
-	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe PBE-SHA1-RC2-40 -keypbe PBE-SHA1-RC2-128 -macalg sha1
+	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe PBE-SHA1-RC2-40 -keypbe PBE-SHA1-RC2-128 -macalg sha1 $(openssl_legacy)
 
 unit/cert-entity-pkcs12-des-sha256.p12: unit/cert-entity-int-key.pem unit/cert-entity-int.pem unit/cert-chain.pem
 	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-2DES -macalg sha256
 
 unit/cert-entity-pkcs12-rc4-sha384.p12: unit/cert-entity-int-key.pem unit/cert-entity-int.pem unit/cert-chain.pem
-	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe PBE-SHA1-RC4-128 -keypbe PBE-SHA1-RC2-40 -macalg sha384
+	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe PBE-SHA1-RC4-128 -keypbe PBE-SHA1-RC2-40 -macalg sha384 $(openssl_legacy)
 
 unit/cert-entity-pkcs12-pkcs5-sha512.p12: unit/cert-entity-int-key.pem unit/cert-entity-int.pem unit/cert-chain.pem
-	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe des-cbc -keypbe des-cbc -macalg sha512
+	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe des-cbc -keypbe des-cbc -macalg sha512 $(openssl_legacy)
 
 unit/cert-entity-combined.pem: unit/cert-entity-pkcs12-rc2-sha1.p12
-	$(AM_V_GEN)openssl pkcs12 -in $< -out $@ -passin pass:abc -passout pass:abc
+	$(AM_V_GEN)openssl pkcs12 -in $< -out $@ -passin pass:abc -passout pass:abc $(openssl_legacy)
 
 unit/key-plaintext.h: unit/plaintext.txt
 	$(AM_V_GEN)xxd -i < $< > $@
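Review bot: `unit/cert-entity-combined.pem` needs `$(openssl_legacy)` on the read side only because its prerequisite `unit/cert-entity-pkcs12-rc2-sha1.p12` is RC2-encrypted; that coupling is invisible in the rule itself and will silently become unnecessary or insufficient if the input is ever swapped to the 3DES or RC4 variant, so a comment on that rule (or naming the input once in a variable shared by both rules) would keep the dependency explicit. While touching this region, the context line above the hunk still reads `# defaut ciphers`; worth fixing the typo.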
diff --git a/configure.ac b/configure.ac
index 62338079bc50..87894dba8a6b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -131,6 +131,9 @@ fi
 
 AM_CONDITIONAL(DBUS_TESTS, test "${little_endian}" = "yes")
 AM_CONDITIONAL(CERT_TESTS, test "${have_openssl}" = "yes")
+AM_CONDITIONAL(OPENSSL_PROVIDER, test "${have_openssl}" = "yes" &&
+		openssl list -providers > /dev/null 2>&1 )
+AC_SUBST(OPENSSL_PROVIDER)
 
 AC_CONFIG_FILES(Makefile ell/ell.pc)
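Review bot: `AC_SUBST(OPENSSL_PROVIDER)` on the last added line is redundant and should be dropped: `AM_CONDITIONAL` already defines the conditional that Makefile.am tests, and no shell variable named `OPENSSL_PROVIDER` is ever assigned, so the substitution only exports an empty `@OPENSSL_PROVIDER@`. Separately, `openssl list -providers` proves that the binary understands providers, not that the legacy module is installed and loadable; a system with OpenSSL 3 but without the legacy provider passes configure and then fails later in `make` on the DES, RC2 and RC4 targets. Probing with the same options Makefile.am will pass (for example `openssl list -providers -provider legacy -provider default`) would surface that case at configure time with a clearer message.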
 
-- 
2.36.1

