☂️ATS is incompatible with OpenSSL 3.0

[maskit]

Several functions are going to be deprecated since OpenSSL 3.0. It's still buildable by tweaking compile options but should be fixed sooner rather than later.

Last check was done with OpenSSL maser (b971d4198def0b29654e8fbf7987f7157741aed2) on Jan 5 2022.

• Core
  • SHA256_Init/Update/Final (Use OpeSSL EVP API instead of SHA256_Init/Update/Final #7342)
  • ERR_get_error_line_data (Use ERR_get_error_all if available #7354)
  • ENGINE API (e.g. ENGINE_get_default_RSA)
  • HMAC API (e.g. HMAC_Init_ex) (Use EVP MAC API if available #7363)
  • DH API (e.g. DH_new, DH_get_2048_256)
  • PEM_read_bio_DHparams
  • SSL_get_peer_certificate (Use SSL_get1_peer_certificate on OpenSSL3 build #9460)
• Plugins
  • SHA1_Init/Update/Final (cache_promote, prefetch) (Use OpenSSL EVP API if SHA1 API is not available (cache_promote) #7447, Use OpenSSL EVP API if SHA1 API is not available (prefetch) #7448)
  • MD5 (certifier, ja3_fingerprint)
  • HMAC API (s3_auth, access_control) (Use EVP API instead of legacy APIs (s3 auth) #7449)
  • SHA256_Init/Update/Final (s3_auth, metalink) (Use EVP API instead of legacy APIs (s3 auth) #7449)
• Examples
  • MD5 (secure_link) (Use EVP API instead of MD5_Init/Update/Final (secure_link plugin) #7355)
• Tests
  • ENGINE API (tools/plugins/async_engine)

These below may be temporal issues

• OCSP_REQ_CTX_add1_header and OCSP_REQ_CTX_free are undefined (not deprecated, maybe a bug on OpenSSL side)

[maskit]

We are expecting 3.0 actual to be released in Q3 of this year.

https://mta.openssl.org/pipermail/openssl-users/2021-June/013900.html

[bneradt]

Openssl 3.0 has been released now. @maskit : can you please update this issue with anything relevant now that it is released?

[maskit]

I updated the list. The biggest change since the last check is that HMAC() function (one-shot HMAC function) was un-deprecated. HMAC low level functions were kept deprecated.

Also, this is not new info though, I realized that some deprecated functions are actually faster than the current equivalent functions (see #7447). It means we should not simply replace the deprecated functions with new ones.

[jeredfloyd]

Fedora 36 has switched to OpenSSL 3.0.2 by default. ATS builds successfully, but the tscore HKDF tests fail.

src/tscore/HKDF_openssl.cc:extract/expand() fail with EVP_PKEY_derive() returning failure. These interfaces are deprecated in favor of the EVP_KDF_* interfaces, but I suspect this is an upstream bug that this simply fails.

I can build against the openssl1.1 compat packages in Fedora 36 for now so further investigation is lower on my priority list, but I welcome insight from OpenSSL experts!

[jeredfloyd]

RHEL 9 does not ship with OpenSSL 1.1 compatibility libraries, so I'm looking to tackle the HKDF failures. Before I dig in, has anyone here already investigated?

-------------------------------------------------------------------------------
HKDF tests
  Basic test case with SHA-256
-------------------------------------------------------------------------------
unit_tests/test_HKDF.cc:30
...............................................................................

unit_tests/test_HKDF.cc:60: FAILED:
  CHECK( hkdf.extract(prk, &prk_len, salt, sizeof(salt), ikm, sizeof(ikm)) == 1 )
with expansion:
  -6 == 1

[jeredfloyd]

Actual error message from OpenSSL is:
405710F3867F0000:error:1C80008B:Provider routines:HKDF_Extract:wrong output buffer size:providers/implementations/kdfs/hkdf.c:414:

I'll have time to look at this tomorrow afternoon.

[jeredfloyd]

This commit to OpenSSL (openssl/openssl@5a285ad#diff-08361b6b082f3fc0700d4c885eb97ba8fe8c8b18df13ad1d169558313ae373e3) changed the behavior of EVP_PKEY_derive() to require the output buffer be the exact size of the output data.

The documentation (https://www.openssl.org/docs/man3.0/man3/EVP_PKEY_derive.html) still states:

If key is not NULL then before the call the keylen parameter should contain the length of the key buffer, if the call is successful the shared secret is written to key and the amount of data written to keylen.

However the code now says:

    if (prk_len != (size_t)EVP_MD_size(evp_md)) {
        KDFerr(KDF_F_HKDF_EXTRACT, KDF_R_WRONG_OUTPUT_BUFFER_SIZE);
        return 0;
    }

I'll verify that usage of the HKDF functions still works, and patch the test to use correct buffer sizes. (And report to OpenSSL the doc inconsistency: openssl/openssl#18517.)