This repository has been archived by the owner on Jan 23, 2023. It is now read-only.
[release/3.1] WIP: Openssl 3.0 support #43078
Closed
With this change all RSA private key operations (excluding import/export) use the EVP_PKEY APIs.

* RSAPaddingProcessor is no longer used in conjunction with the private keys, on Linux.
* The pal_rsa.c copy of HasPrivateKey has been removed.
Building against OpenSSL 3's headers fails to compile, as X509_V_ERR_INVALID_CA has changed from 24 to 79, tripping a static assert.

* Rename the managed X509VerifyStatusCode enum to X509VerifyStatusCodeUniversal, to represent the name/values that are present in all current versions of OpenSSL (1.0.2, 1.1.1, 3.0 alpha)
* Add new enums for the name/value pairs that are unique to a given version
* Add an X509VerifyStatusCode struct that just wraps the int and is a faux-union of the various enums
* Use the OpenSSL runtime version to determine which mapping table to use (after the Universal table fails)

In addition to that, there are a few const-related changes in the 3.0 headers that are addressed.

`corefx/src/Native$ ./build_native.sh -portablebuild=false` on systems where find_package(OpenSSL) maps to 3.0 succeeds with these changes. Portable builds still fail.

Not all tests pass with OpenSSL 3.0 (alpha 13) with these changes, but it does reduce to three categories of error:

* ICryptoTransform reset/reuse tests fail (OpenSSL regression is open)
* DSA small key generation fails (OpenSSL has fixed the regression for the next alpha/beta release)
* Some OuterLoop X.509 tests are failing as positively revoked when they expect ambiguous revocation states (investigation pending)
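The version-dependent status-code lookup described in the commit message above, as an added C sketch that is not code from this PR. The names (`ChainStatus`, `map_verify_code`) are hypothetical, the tables are deliberately tiny, and the runtime version is passed in as a parameter where real code would read it from the loaded library.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical names; added illustration, not the PR's code. */
typedef enum {
    CHAIN_OK, CHAIN_ISSUER_NOT_FOUND, CHAIN_EXPIRED, CHAIN_INVALID_CA,
    CHAIN_UNKNOWN /* unmapped code: callers must treat this as a failure */
} ChainStatus;

typedef struct { int code; ChainStatus status; } CodeMap;

/* Codes whose numeric value is the same in 1.0.2, 1.1.1 and 3.0. */
static const CodeMap universal[] = {
    { 0, CHAIN_OK },               /* X509_V_OK */
    { 2, CHAIN_ISSUER_NOT_FOUND }, /* X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT */
    { 10, CHAIN_EXPIRED },         /* X509_V_ERR_CERT_HAS_EXPIRED */
};
/* X509_V_ERR_INVALID_CA: 24 before 3.0, 79 in 3.0 (values from the page). */
static const CodeMap legacy_1x[] = { { 24, CHAIN_INVALID_CA } };
static const CodeMap openssl_3[] = { { 79, CHAIN_INVALID_CA } };

static int lookup(const CodeMap *t, size_t n, int code, ChainStatus *out)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].code == code) { *out = t[i].status; return 1; }
    return 0;
}

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* runtime_version: version number of the loaded library
   (assumption: supplied by the caller, e.g. from OpenSSL_version_num()). */
ChainStatus map_verify_code(unsigned long runtime_version, int code)
{
    ChainStatus s;
    if (lookup(universal, COUNT(universal), code, &s))
        return s;
    if (runtime_version >= 0x30000000UL) {
        if (lookup(openssl_3, COUNT(openssl_3), code, &s)) return s;
    } else if (lookup(legacy_1x, COUNT(legacy_1x), code, &s)) {
        return s;
    }
    return CHAIN_UNKNOWN; /* never reinterpret with another version's table */
}

int main(void)
{
    printf("1.1.1 code 24 -> %d\n", map_verify_code(0x1010100fUL, 24));
    printf("3.0   code 24 -> %d\n", map_verify_code(0x30000000UL, 24));
    printf("3.0   code 79 -> %d\n", map_verify_code(0x30000000UL, 79));
    return 0;
}
```

On a 3.0 runtime the value 24 comes back as `CHAIN_UNKNOWN` here only because the sample 3.0 table has a single entry; what matters is that it is never read through the pre-3.0 table.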
Overall structure of changes

* Pull compatibility headers out into separate include files, because opensslshim.h is too big.
* Use forward definition of EVP_PKEY_CTX_set_rsa_keygen_bits and friends.
  * These are in a new apibridge file because they're for bridging up to 3.0, and the existing one was for 1.1(.1)
  * Some constants needed for this file changed between 1.1 and 3.0, so there are a lot of asserts and redefines.
* On OpenSSL 3.0, build a legacy version of ERR_put_error since it has the easier signature to work with.
* FALLBACK_FUNCTION doesn't care which version it bound to, if it doesn't find it use a local_ function.
* Renamed NEW_REQUIRED_FUNCTION to REQUIRED_FUNCTION_110 because "new" is now "sort of old".
* There's a manual sanity test that either ERR_put_error or the three new functions that together replace it are found, so we don't end up in a state where we can't report shim-injected errors.

Portable build checker:

* Built with OpenSSL 1.0.2 headers (Ubuntu 16.04 default libssl-dev)
  * Ran with 1.0.2 (Ubuntu 16.04 default libssl)
  * Ran with 1.1.1 (Ubuntu 18.04 default libssl)
  * Ran with 3.0 (Ubuntu 16.04 with local build of OpenSSL 3.0 alpha 13)
* Built with OpenSSL 1.1.1 headers (Ubuntu 18.04 default libssl-dev)
  * Ran with 1.0.2 (Ubuntu 16.04 default libssl)
  * Ran with 1.1.1 (Ubuntu 18.04 default libssl)
  * Ran with 3.0 (Ubuntu 16.04 with local build of OpenSSL 3.0 alpha 13)
* Built with OpenSSL 3.0 headers (Ubuntu 16.04 with local build of OpenSSL 3.0 alpha 13 and some surgery to the extra_libs.cmake)
  * Ran with 1.0.2 (Ubuntu 16.04 default libssl)
  * Ran with 1.1.1 (Ubuntu 18.04 default libssl)
  * Ran with 3.0 (Ubuntu 16.04 with local build of OpenSSL 3.0 alpha 13)

3.0 doesn't run error-free, but it runs with the same error rate from portable and direct builds.

All verification was limited to the System.Security.Cryptography.Algorithms.Tests run, but that's generally representative of the bindings.
cc @wfurt
I am thinking of abandoning this PR. My use-case (RHEL 9) is being addressed by actually dropping .NET Core 3.1 and using .NET 6 instead, which supports OpenSSL 3.0 out of the box. I haven't seen any interest from any other parties or users. It doesn't sound like anyone else needs this PR either. I will leave it open for now but plan to close it soon unless I get different feedback.