Bug #8384
Closed
Cannot build ruby against OpenSSL build with "no-ec2m"
Description
=begin
Due to recent changes in OpenSSL configuration options for Red Hat Enterprise Linux, I cannot build Ruby anymore.
These are the relevant changes in OpenSSL configuration:
@@ -227,7 +234,7 @@ sslarch=linux-ppc64
./Configure
--prefix=/usr --openssldir=%{_sysconfdir}/pki/tls ${sslflags}
zlib enable-camellia enable-seed enable-tlsext enable-rfc3779 \
-
enable-cms enable-md2 no-mdc2 no-rc5 no-ec no-ec2m no-ecdh no-ecdsa no-srp \
-
enable-cms enable-md2 no-mdc2 no-rc5 no-ec2m no-srp \ --with-krb5-flavor=MIT --enginesdir=%{_libdir}/openssl/engines \ --with-krb5-dir=/usr shared ${sslarch} %{?!nofips:fips}
I see that the "no-ec" was removed. So if I understand it correctly, the "OPENSSL_NO_EC" used to be defined, while it is not anymore, and hence the whole ossl_pkey_ec.c file used to be ignored, while it is not anymore. Therefore, I observe the following error:
ossl_pkey_ec.c:821:29: error: 'EC_GROUP_new_curve_GF2m' undeclared (first use in this function)
new_curve = EC_GROUP_new_curve_GF2m;
Our OpenSSL maintainer suggested that I just #ifndef OPENSSL_NO_EC2M all the calls that contain GF2m. So I went ahead with this naive patch:
diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
index 8e6d88f..29e28ca 100644
--- a/ext/openssl/ossl_pkey_ec.c
+++ b/ext/openssl/ossl_pkey_ec.c
@@ -762,8 +762,10 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self)
method = EC_GFp_mont_method();
} else if (id == s_GFp_nist) {
method = EC_GFp_nist_method();
+#if !defined(OPENSSL_NO_EC2M)
} else if (id == s_GF2m_simple) {
method = EC_GF2m_simple_method();
+#endif
}
if (method) {
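Review bot: With OPENSSL_NO_EC2M defined, the guarded `else if (id == s_GF2m_simple)` arm disappears, so a caller passing that symbol reaches `if (method) {` with `method` at whatever value it had before the chain, and the outcome depends on code outside this hunk rather than on an explicit check. Consider an `#else` arm that raises an argument error saying binary-field methods are not available in this OpenSSL build, so the failure is reported where the symbol is recognised.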
@@ -817,8 +819,10 @@ static VALUE ossl_ec_group_initialize(int argc, VALUE *argv, VALUE self)
if (id == s_GFp) {
new_curve = EC_GROUP_new_curve_GFp;
+#if !defined(OPENSSL_NO_EC2M)
} else if (id == s_GF2m) {
new_curve = EC_GROUP_new_curve_GF2m;
+#endif
} else {
ossl_raise(rb_eArgError, "unknown symbol, must be :GFp or :GF2m");
}
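Review bot: The `else` branch message "unknown symbol, must be :GFp or :GF2m" still advertises :GF2m, yet on a build with OPENSSL_NO_EC2M defined a caller passing :GF2m now lands in this same branch. Suggest making the message conditional on the same macro, or raising a dedicated error for :GF2m on such builds, so the caller is told the curve type is unavailable rather than unknown.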
which fixes the build issues, but leaves the test suite failing:
- Error:
test_read_private_key_pem_pw(OpenSSL::TestEC):
OpenSSL::PKey::EC::Group::Error: unable to create curve (secp112r1): unknown group
/builddir/build/BUILD/ruby-2.0.0-p0/test/openssl/test_pkey_ec.rb:10:in `initialize'
/builddir/build/BUILD/ruby-2.0.0-p0/test/openssl/test_pkey_ec.rb:10:in `new'
/builddir/build/BUILD/ruby-2.0.0-p0/test/openssl/test_pkey_ec.rb:10:in `setup'
and there are remaining references to :GF2m in exception messages, etc. Is there any chance to support this set of OpenSSL configuration options properly, i.e. make the OpenSSL work better with such fine grained configuration options?
Thanks
=end
Updated by vo.x (Vit Ondruch) over 11 years ago
So I made the patch pass the test suite. The test suite is now querying OpenSSL for built-in curves, instead of explicitly enumerating just some of them.
Updated by Anonymous over 11 years ago
- Status changed from Open to Closed
- % Done changed from 0 to 100
This issue was solved with changeset r41808.
Vit, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.
- ext/openssl/ossl_pkey_ec.c: Ensure compatibility to builds of
  OpenSSL with OPENSSL_NO_EC2M defined, but OPENSSL_NO_EC not
  defined.
- test/openssl/test_pkey_ec.rb: Iterate over built-in curves
  (and assert their non-emptiness!) instead of hard-coding them, as
  this may cause problems with respect to the different availability
  of individual curves in individual OpenSSL builds.
  [ruby-core:54881] [Bug #8384]

Thanks to Vit Ondruch for providing the patch!
Updated by MartinBosslet (Martin Bosslet) over 11 years ago
vo.x (Vit Ondruch) wrote:
So I made the patch pass the test suite. The test suite is now querying OpenSSL for built-in curves, instead of explicitly enumerating just some of them.
Thank you, iterating over the built-in curves instead of hard-coding some of them makes a lot more sense!
Updated by vo.x (Vit Ondruch) over 11 years ago
Thanks for applying this patch.
Could this be backported into 2.0.0? Thanks.
Updated by naruse (Yui NARUSE) over 11 years ago
- Status changed from Closed to Assigned
r41808 breaks non-FIPS environments like http://u32.rubyci.org/~chkbuild/ruby-trunk/log/20130705T230301Z.diff.html.gz
Updated by MartinBosslet (Martin Bosslet) over 11 years ago
naruse (Yui NARUSE) wrote:
r41808 breaks non-FIPS environments like http://u32.rubyci.org/~chkbuild/ruby-trunk/log/20130705T230301Z.diff.html.gz
Crap, compatibility is hard :) I'll fix it tomorrow!
Updated by Anonymous over 11 years ago
- Status changed from Assigned to Closed
This issue was solved with changeset r41829.
Vit, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.
- test/openssl/test_pkey_ec.rb: Skip tests for "Oakley" curves as
they are not suitable for ECDSA.
[ruby-core:54881] [Bug #8384]
Updated by MartinBosslet (Martin Bosslet) over 11 years ago
The breaking build was related to "Oakley" curves, which are part of the built-in curves, but a) not suitable for ECDSA and b) their Object Identifier seems not to be registered with OpenSSL by default. This caused the tests to fail. Workaround is to simply ignore the tests for Oakley curves.
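The approach the two changesets describe for the test suite (ask the linked OpenSSL for its built-in curves and skip the Oakley ones), as an added example that is not part of this thread or of Ruby's own tests. `probe_ecdsa_curves` is a hypothetical helper name and the sample message is constructed.

```ruby
require "openssl"

# Added example (hypothetical helper, not Ruby's test code).
# Probe which built-in EC curves of the linked OpenSSL complete an ECDSA
# sign/verify round trip. The curve list comes from the library itself, so
# a build configured with no-ec2m, or with a trimmed curve set, simply
# reports fewer names instead of failing on a hard-coded one.
def probe_ecdsa_curves(message = "constructed sample message")
  result = { usable: [], skipped: [], failed: {} }

  OpenSSL::PKey::EC.builtin_curves.each do |name, _comment|
    # Oakley curves are listed as built-in but are not suitable for ECDSA,
    # which is the reason given in this thread for skipping them.
    if name.start_with?("Oakley")
      result[:skipped] << name
      next
    end

    begin
      key = OpenSSL::PKey::EC.generate(name)
      signature = key.sign(OpenSSL::Digest.new("SHA256"), message)
      if key.verify(OpenSSL::Digest.new("SHA256"), signature, message)
        result[:usable] << name
      else
        result[:failed][name] = "signature did not verify"
      end
    rescue OpenSSL::OpenSSLError => e
      # Listed by the library, but this build cannot use it for ECDSA.
      result[:failed][name] = e.message
    end
  end

  result
end

if __FILE__ == $PROGRAM_NAME
  report = probe_ecdsa_curves
  puts "usable: #{report[:usable].size}, " \
       "skipped: #{report[:skipped].size}, failed: #{report[:failed].size}"
  report[:failed].each { |name, why| puts "  #{name}: #{why}" }
end
```

Comparing the `usable` list across hosts shows which curves a distribution's OpenSSL build has dropped before an application depends on one of them.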
Updated by vo.x (Vit Ondruch) over 11 years ago
- Backport changed from 1.9.3: UNKNOWN, 2.0.0: UNKNOWN to 1.9.3: REQUIRED, 2.0.0: REQUIRED
Is there any chance to get this backported into Ruby 2.0.0 as well as Ruby 1.9.3 branches? Thanks.
Updated by vo.x (Vit Ondruch) over 11 years ago
- Status changed from Closed to Open
Updated by vo.x (Vit Ondruch) about 11 years ago
- Assignee changed from MartinBosslet (Martin Bosslet) to nagachika (Tomoyuki Chikanaga)
Updated by nagachika (Tomoyuki Chikanaga) about 11 years ago
Sorry, I've overlooked this ticket. I'll try to backport r41808 and 41829.
Updated by nagachika (Tomoyuki Chikanaga) about 11 years ago
- Backport changed from 1.9.3: REQUIRED, 2.0.0: REQUIRED to 1.9.3: REQUIRED, 2.0.0: DONE
r41808 and 41829 are backported to ruby_2_0_0 at r43481.
Updated by nagachika (Tomoyuki Chikanaga) about 11 years ago
- Status changed from Open to Assigned
- Assignee changed from nagachika (Tomoyuki Chikanaga) to usa (Usaku NAKAMURA)
Updated by usa (Usaku NAKAMURA) about 11 years ago
- Backport changed from 1.9.3: REQUIRED, 2.0.0: DONE to 1.9.3: DONE, 2.0.0: DONE
Backported to ruby_1_9_3 at r43486 and r43494.
Updated by usa (Usaku NAKAMURA) about 11 years ago
- Status changed from Assigned to Closed
(already finished)