ell.lists.linux.dev archive mirror
* Re: Unable to build ELL with OpenSSL 3
@ 2022-03-11  8:52 wen zhang
  0 siblings, 0 replies; 4+ messages in thread
From: wen zhang @ 2022-03-11  8:52 UTC (permalink / raw)
  To: ell

[-- Attachment #1: Type: text/plain, Size: 1910 bytes --]

James Prestwood <prestwoj(a)gmail.com> wrote on Thu, Mar 10, 2022 at 02:04:

> Hi,
>
> On Wed, 2022-03-09 at 18:36 +0800, wen zhang wrote:
>
> I tried to build ELL library on my system built following LFS 11.1
> <https://www.linuxfromscratch.org/lfs/view/stable-systemd/>, but the make
> command failed. Adding V=1 to the make command shows one openssl command
> failed to finish.
>
> openssl pkcs8 -in unit/cert-client-key-pkcs8.pem -out
> unit/cert-client-key-pkcs8-v2-des.pem -topk8 -v2 des-cbc -v2prf
> hmacWithSHA1 -passout pass:abc
>
> Maybe something needs to migrate from OpenSSL 1 to OpenSSL 3?
>
>
> So it appears DES was removed from OpenSSL3 as a built in module [1]. I'm
> guessing there is some way to compile this in, but the documentation also
> mentions some runtime legacy provider. So I think you'll need to rebuild
> openssl with DES built in or figure out a way to enable this provider. I'm
> thinking we do want to support the default OpenSSL3 build at some point in
> the future, but I'm not sure if our build system can enable this feature
> automatically or not.
>
> One thing to note is that OpenSSL is only used to verify ELL's crypto APIs
> in unit testing. So this failure should not block you from using the ELL
> API or IWD. And for IWD specifically all the unit tests build with OpenSSL3
> since none use DES.
>
> Also, there is a mailing list specific to ELL ell(a)lists.01.org.
>
> [1] https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers
>
> _______________________________________________
> iwd mailing list -- iwd(a)lists.01.org
> To unsubscribe send an email to iwd-leave(a)lists.01.org
>

I added provider default and provider legacy into the openssl lines, and
make command finished with no error.
Here's my patch, maybe can be reviewed once there's another build
environment with OpenSSL V3.

[-- Attachment #2: attachment.htm --]
[-- Type: text/html, Size: 3084 bytes --]

[-- Attachment #3: test_on_OpenSSLv3.patch --]
[-- Type: application/octet-stream, Size: 4829 bytes --]

diff --git a/Makefile.am b/Makefile.am
index 4e650c9..7ff08eb 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -439,7 +439,7 @@ unit/cert-client-key-pkcs1.pem:
 	$(AM_V_GEN)openssl genrsa -out $@ $($(AM_V_P)_redirect_openssl)
 
 unit/cert-client-key-pkcs1-des.pem: unit/cert-client-key-pkcs1.pem
-	$(AM_V_GEN)openssl rsa -in $< -out $@ -des -passout pass:abc
+	$(AM_V_GEN)openssl rsa -in $< -out $@ -des -passout pass:abc -provider default -provider-path /usr/lib/ossl-modules -provider legacy
 
 unit/cert-client-key-pkcs1-des3.pem: unit/cert-client-key-pkcs1.pem
 	$(AM_V_GEN)openssl rsa -in $< -out $@ -des3 -passout pass:abc
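
Review bot: The "-provider-path /usr/lib/ossl-modules" added to the unit/cert-client-key-pkcs1-des.pem recipe hard-codes one system's module directory into Makefile.am. Where the provider modules are installed in a different directory, the legacy provider may not be found and the recipe fails again. Consider dropping -provider-path so openssl searches its built-in module directory, or taking the path from a variable set at configure time.
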
@@ -458,19 +458,19 @@ unit/cert-client-key-pkcs8.pem: unit/cert-client-key-pkcs1.pem
 
 unit/cert-client-key-pkcs8-md5-des.pem: unit/cert-client-key-pkcs8.pem
 	$(AM_V_GEN)openssl pkcs8 -in $< -out $@ \
-			-topk8 -v1 PBE-MD5-DES -passout pass:abc
+			-topk8 -v1 PBE-MD5-DES -passout pass:abc -provider default -provider-path /usr/lib/ossl-modules -provider legacy
 
 unit/cert-client-key-pkcs8-sha1-des.pem: unit/cert-client-key-pkcs8.pem
 	$(AM_V_GEN)openssl pkcs8 -in $< -out $@ \
-			-topk8 -v1 PBE-SHA1-DES -passout pass:abc
+			-topk8 -v1 PBE-SHA1-DES -passout pass:abc -provider default -provider-path /usr/lib/ossl-modules -provider legacy
 
 unit/cert-client-key-pkcs8-v2-des.pem: unit/cert-client-key-pkcs8.pem
 	$(AM_V_GEN)openssl pkcs8 -in $< -out $@ \
-			-topk8 -v2 des-cbc -v2prf hmacWithSHA1 -passout pass:abc
+			-topk8 -v2 des-cbc -v2prf hmacWithSHA1 -passout pass:abc -provider default -provider-path /usr/lib/ossl-modules -provider legacy
 
 unit/cert-client-key-pkcs8-v2-des-ede3.pem: unit/cert-client-key-pkcs8.pem
 	$(AM_V_GEN)openssl pkcs8 -in $< -out $@ \
-			-topk8 -v2 des-ede3-cbc -v2prf hmacWithSHA224 -passout pass:abc
+			-topk8 -v2 des-ede3-cbc -v2prf hmacWithSHA224 -passout pass:abc -provider default -provider-path /usr/lib/ossl-modules -provider legacy
 
 unit/cert-client-key-pkcs8-v2-aes128.pem: unit/cert-client-key-pkcs8.pem
 	$(AM_V_GEN)openssl pkcs8 -in $< -out $@ \
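
Review bot: The -provider options are appended unconditionally to all four pkcs8 recipes in this hunk, so the recipes stop working with an openssl that lacks the option; the reply in this thread reports "pkcs8: Option unknown option -provider" from OpenSSL 1.1 on unit/cert-client-key-pkcs8-md5-des.pem. The options need to be added only when the installed openssl accepts them, for example through a variable that is empty for older versions. Also check whether the des-ede3-cbc recipe needs them at all: the -des3 recipe in the previous hunk was left unchanged, so the two triple-DES recipes are now treated differently.
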
@@ -570,19 +570,19 @@ unit/cert-entity-pkcs12-nomac.p12: unit/cert-entity-int-key.pem unit/cert-entity
 	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -out $@ -export -passout pass:abc -nomac # defaut ciphers
 
 unit/cert-entity-pkcs12-rc2-sha1.p12: unit/cert-entity-int-key.pem unit/cert-entity-int.pem unit/cert-chain.pem
-	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe PBE-SHA1-RC2-40 -keypbe PBE-SHA1-RC2-128 -macalg sha1
+	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe PBE-SHA1-RC2-40 -keypbe PBE-SHA1-RC2-128 -macalg sha1 -provider default -provider-path /usr/lib/ossl-modules -provider legacy
 
 unit/cert-entity-pkcs12-des-sha256.p12: unit/cert-entity-int-key.pem unit/cert-entity-int.pem unit/cert-chain.pem
 	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-2DES -macalg sha256
 
 unit/cert-entity-pkcs12-rc4-sha384.p12: unit/cert-entity-int-key.pem unit/cert-entity-int.pem unit/cert-chain.pem
-	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe PBE-SHA1-RC4-128 -keypbe PBE-SHA1-RC2-40 -macalg sha384
+	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe PBE-SHA1-RC4-128 -keypbe PBE-SHA1-RC2-40 -macalg sha384 -provider default -provider-path /usr/lib/ossl-modules -provider legacy
 
 unit/cert-entity-pkcs12-pkcs5-sha512.p12: unit/cert-entity-int-key.pem unit/cert-entity-int.pem unit/cert-chain.pem
-	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe des-cbc -keypbe des-cbc -macalg sha512
+	$(AM_V_GEN)openssl pkcs12 -inkey $< -in $(builddir)/unit/cert-entity-int.pem -certfile $(builddir)/unit/cert-chain.pem -out $@ -export -passout pass:abc -certpbe des-cbc -keypbe des-cbc -macalg sha512 -provider default -provider-path /usr/lib/ossl-modules -provider legacy
 
 unit/cert-entity-combined.pem: unit/cert-entity-pkcs12-rc2-sha1.p12
-	$(AM_V_GEN)openssl pkcs12 -in $< -out $@ -passin pass:abc -passout pass:abc
+	$(AM_V_GEN)openssl pkcs12 -in $< -out $@ -passin pass:abc -passout pass:abc -provider default -provider-path /usr/lib/ossl-modules -provider legacy
 
 unit/key-plaintext.h: unit/plaintext.txt
 	$(AM_V_GEN)xxd -i < $< > $@
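
Review bot: The same three options are pasted onto the end of four already very long pkcs12 lines in this hunk (nine recipes across the patch), with no comment saying why each recipe needs the legacy provider. Define the options once in a single make variable with a comment naming the algorithms involved (the touched recipes use des-cbc, PBE-MD5-DES, PBE-SHA1-RC2-40 and PBE-SHA1-RC4-128, and unit/cert-entity-combined.pem reads the RC2 file back), then reference that variable in each recipe. That also leaves one place to change when the options have to become conditional.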

^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: Unable to build ELL with OpenSSL 3
@ 2022-03-11 16:46 wen zhang
  0 siblings, 0 replies; 4+ messages in thread
From: wen zhang @ 2022-03-11 16:46 UTC (permalink / raw)
  To: ell

[-- Attachment #1: Type: text/plain, Size: 2991 bytes --]

James Prestwood <prestwoj(a)gmail.com> wrote on Sat, Mar 12, 2022 at 00:31:

> Hi,
>
> On Fri, 2022-03-11 at 16:52 +0800, wen zhang wrote:
>
> James Prestwood <prestwoj(a)gmail.com> wrote on Thu, Mar 10, 2022 at 02:04:
>
> Hi,
>
> On Wed, 2022-03-09 at 18:36 +0800, wen zhang wrote:
>
> I tried to build ELL library on my system built following LFS 11.1
> <https://www.linuxfromscratch.org/lfs/view/stable-systemd/>, but the make
> command failed. Adding V=1 to the make command shows one openssl command
> failed to finish.
>
> openssl pkcs8 -in unit/cert-client-key-pkcs8.pem -out
> unit/cert-client-key-pkcs8-v2-des.pem -topk8 -v2 des-cbc -v2prf
> hmacWithSHA1 -passout pass:abc
>
> Maybe something needs to migrate from OpenSSL 1 to OpenSSL 3?
>
>
> So it appears DES was removed from OpenSSL3 as a built in module [1]. I'm
> guessing there is some way to compile this in, but the documentation also
> mentions some runtime legacy provider. So I think you'll need to rebuild
> openssl with DES built in or figure out a way to enable this provider. I'm
> thinking we do want to support the default OpenSSL3 build at some point in
> the future, but I'm not sure if our build system can enable this feature
> automatically or not.
>
> One thing to note is that OpenSSL is only used to verify ELL's crypto APIs
> in unit testing. So this failure should not block you from using the ELL
> API or IWD. And for IWD specifically all the unit tests build with OpenSSL3
> since none use DES.
>
> Also, there is a mailing list specific to ELL ell(a)lists.01.org.
>
> [1] https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers
>
>
>
>
> I added provider default and provider legacy into the openssl lines, and
> make command finished with no error.
> Here's my patch, maybe can be reviewed once there's another build
> environment with OpenSSL V3.
>
>
> This seems to break OpenSSL 1.1:
>
> pkcs8: Option unknown option -provider
> pkcs8: Use -help for summary.
> make[1]: *** [Makefile:3163: unit/cert-client-key-pkcs8-md5-des.pem] Error 1
>
> I'm not a build system expert but I'm thinking we need to detect the
> OpenSSL version and generate the PEMs using two different recipes depending
> on version. Or maybe someone else has ideas?
>
> Also your patch was just a diff. It applied fine but in order to merge
> anything we will need an actual git commit (e.g. git format-patch).
>
> Thanks,
> James
>
> _______________________________________________
> ell mailing list -- ell(a)lists.01.org
> To unsubscribe send an email to ell-leave(a)lists.01.org
>

Thanks, I just realized that openssl is only used when maintainer mode is
enabled.
Autotools is a little complex for me, I'll try to submit a patch but may
take some days.

[-- Attachment #2: attachment.htm --]
[-- Type: text/html, Size: 5001 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Unable to build ELL with OpenSSL 3
@ 2022-03-11 16:31 James Prestwood
  0 siblings, 0 replies; 4+ messages in thread
From: James Prestwood @ 2022-03-11 16:31 UTC (permalink / raw)
  To: ell

[-- Attachment #1: Type: text/plain, Size: 2726 bytes --]

Hi,

On Fri, 2022-03-11 at 16:52 +0800, wen zhang wrote:
> James Prestwood <prestwoj(a)gmail.com> wrote on Thu, Mar 10, 2022 at 02:04:
> > Hi,
> > 
> > On Wed, 2022-03-09 at 18:36 +0800, wen zhang wrote:
> > > I tried to build ELL library on my system built following LFS
> > > 11.1, but the make command failed. Adding V=1 to the make command
> > > shows one openssl command failed to finish.
> > > > openssl pkcs8 -in unit/cert-client-key-pkcs8.pem -out
> > > > unit/cert-client-key-pkcs8-v2-des.pem -topk8 -v2 des-cbc -v2prf
> > > > hmacWithSHA1 -passout pass:abc
> > > > 
> > > 
> > > Maybe something needs to migrate from OpenSSL 1 to OpenSSL 3?
> > 
> > 
> > So it appears DES was removed from OpenSSL3 as a built in module
> > [1]. I'm guessing there is some way to compile this in, but the
> > documentation also mentions some runtime legacy provider. So I
> > think you'll need to rebuild openssl with DES built in or figure
> > out a way to enable this provider. I'm thinking we do want to
> > support the default OpenSSL3 build at some point in the future, but
> > I'm not sure if our build system can enable this feature
> > automatically or not. 
> > 
> > One thing to note is that OpenSSL is only used to verify ELL's
> > crypto APIs in unit testing. So this failure should not block you
> > from using the ELL API or IWD. And for IWD specifically all the
> > unit tests build with OpenSSL3 since none use DES.
> > 
> > Also, there is a mailing list specific to ELL ell(a)lists.01.org.
> > 
> > [1] https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers
> > 
> > 
> > 
> > 
> 
> I added provider default and provider legacy into the openssl lines,
> and make command finished with no error.
> Here's my patch, maybe can be reviewed once there's another build
> environment with OpenSSL V3.

This seems to break OpenSSL 1.1:

pkcs8: Option unknown option -provider
pkcs8: Use -help for summary.
make[1]: *** [Makefile:3163: unit/cert-client-key-pkcs8-md5-des.pem] Error 1

I'm not a build system expert but I'm thinking we need to detect the
OpenSSL version and generate the PEMs using two different recipes
depending on version. Or maybe someone else has ideas?

Also your patch was just a diff. It applied fine but in order to
merge anything we will need an actual git commit (e.g. git
format-patch).

Thanks,
James



[-- Attachment #2: attachment.htm --]
[-- Type: text/html, Size: 4353 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread
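
The version detection suggested in the message above, sketched as a shell helper that a recipe could call (an added example, not part of the thread or of ELL's build system). The names openssl_provider_flags and pkcs8_des_command are hypothetical, the banners are constructed samples, and the sketch assumes the legacy provider module is installed in OpenSSL's default module directory.

```sh
#!/bin/sh
# Added example, not ELL code. openssl_provider_flags and pkcs8_des_command
# are hypothetical helper names.

# Given the banner printed by `openssl version`, print the extra options the
# single-DES/RC2/RC4 recipes need. Prints nothing when the tool has no
# -provider option (OpenSSL 1.x) or is not OpenSSL at all (e.g. LibreSSL,
# whose own major version is also 3).
openssl_provider_flags() {
	banner=$1
	case $banner in
	"OpenSSL "*) ;;
	*) return 0 ;;
	esac
	version=${banner#OpenSSL }
	major=${version%%.*}
	case $major in
	'' | *[!0-9]*) return 0 ;;   # unparsable version: add nothing
	esac
	if [ "$major" -ge 3 ]; then
		# Assumes the legacy module sits in openssl's default module
		# directory, so no -provider-path is passed.
		printf '%s\n' '-provider default -provider legacy'
	fi
}

# Build the command that failed in the thread for a given banner.
pkcs8_des_command() {
	flags=$(openssl_provider_flags "$1")
	printf '%s\n' "openssl pkcs8 -in unit/cert-client-key-pkcs8.pem \
-out unit/cert-client-key-pkcs8-v2-des.pem -topk8 -v2 des-cbc \
-v2prf hmacWithSHA1 -passout pass:abc${flags:+ $flags}"
}

# Constructed sample banners (not captured from the poster's system).
for banner in 'OpenSSL 3.0.1 14 Dec 2021 (Library: OpenSSL 3.0.1 14 Dec 2021)' \
	'OpenSSL 1.1.1m  14 Dec 2021' 'LibreSSL 3.4.2'; do
	printf '%s\n  -> %s\n' "$banner" "$(pkcs8_des_command "$banner")"
done
```

Keying on the product name as well as the major number matters here: a LibreSSL banner also starts its version with 3 but has no -provider option.
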

* Re: Unable to build ELL with OpenSSL 3
@ 2022-03-09 18:04 James Prestwood
  0 siblings, 0 replies; 4+ messages in thread
From: James Prestwood @ 2022-03-09 18:04 UTC (permalink / raw)
  To: ell

[-- Attachment #1: Type: text/plain, Size: 1499 bytes --]

Hi,

On Wed, 2022-03-09 at 18:36 +0800, wen zhang wrote:
> I tried to build ELL library on my system built following LFS 11.1,
> but the make command failed. Adding V=1 to the make command shows one
> openssl command failed to finish.
> > openssl pkcs8 -in unit/cert-client-key-pkcs8.pem -out
> > unit/cert-client-key-pkcs8-v2-des.pem -topk8 -v2 des-cbc -v2prf
> > hmacWithSHA1 -passout pass:abc
> > 
> 
> Maybe something needs to migrate from OpenSSL 1 to OpenSSL 3?

So it appears DES was removed from OpenSSL3 as a built in module [1].
I'm guessing there is some way to compile this in, but the
documentation also mentions some runtime legacy provider. So I think
you'll need to rebuild openssl with DES built in or figure out a way to
enable this provider. I'm thinking we do want to support the default
OpenSSL3 build at some point in the future, but I'm not sure if our
build system can enable this feature automatically or not. 

One thing to note is that OpenSSL is only used to verify ELL's crypto
APIs in unit testing. So this failure should not block you from using
the ELL API or IWD. And for IWD specifically all the unit tests build
with OpenSSL3 since none use DES.

Also, there is a mailing list specific to ELL ell(a)lists.01.org.

[1] https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers



[-- Attachment #2: attachment.htm --]
[-- Type: text/html, Size: 2423 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread
