-
Notifications
You must be signed in to change notification settings - Fork 20
Fix build with OpenSSL 3.0 #25
Fix build with OpenSSL 3.0 #25
Conversation
5b2dc27
to
a4115ef
Compare
2022-05-27: general context: this repo is use speedup RSA operations in go-libp2p-core, hidden behind a build flag. @oleg-jukovec : a few general comments:
|
|
2022-06-03 maintainer conversation: given Ubuntu 22.04 LTS has OpenSSL 3.0 is shipping without OpenSSL 1.x, we agree this should handled. We need a GitHub actions workflow that exercises the OpenSSL 3.x path. @oleg-jukovec : can you please add a seperate GitHub actions workflow file for testing against this? Per https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources it looks like there is a Ubuntu 22.04 runner we can use. |
That was true - we needed to install mingw toolchain which is no longer installed by default on windows-2022 gh actions runners - #30. Might be worth mentioning that, in particular, |
@oleg-jukovec : can you handle this (basically making the code change with custom github runner)? From a core maintainer regard, this isn't a high priority. We'd appreciate any help to move this forward. Thanks! |
Hello, yes, I'm going to do it. I have no time right now, but maybe next week. |
a67734d
to
a410882
Compare
- FIPS_mode_set() does not exist in OpenSSL 3.0 [1] - X509_check_* functions declarated in openssl/x509v3.h instead of openssl/x509.h [2] - X509_chack_* functions have const char arg inserad of const unsigned char [2] - skip MD4 tests if it is unsupported by OpenSSL - the patch does not change behavior under OpenSSL version != 3 - the patch just fixes build under OpenSSL 3.0 and doesn't update deprecated code or behavior 1. https://wiki.openssl.org/index.php/OpenSSL_3.0#Upgrading_from_the_OpenSSL_2.0_FIPS_Object_Module 2. https://www.openssl.org/docs/man3.0/man3/X509_check_host.html
a410882
to
982e9fb
Compare
Thank you for your patience. I've added the Ubuntu 22.04 runner to the CI. |
.github/workflows/go-test.yml
Outdated
@@ -9,11 +9,11 @@ jobs: | |||
strategy: | |||
fail-fast: false | |||
matrix: | |||
os: [ "ubuntu", "windows", "macos" ] | |||
os: [ "ubuntu-22.04", "ubuntu-latest", "windows-latest", "macos-latest" ] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Any changes to this file will get overwritten the next time https://github.com/protocol/.github is pushed to.
Off the top of my head, the easiest way around it would be to add a new workflow in this repo only which runs go test
on ubuntu-22.04
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I also created an issue for considering making the os list configurable in Unified CI - protocol/.github#349
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, thank you, I understand the problem. Then I think it's better to wait protocol/.github#349 .
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the best way forward would be to just add a new workflow file go-test-ubuntu-22.04.yml
, which would essentially be a copy of go-test.yml
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's done.
33caa98
to
e5e193b
Compare
It is necessary to handle OpenSSL errors very carefully. Otherwise, errors may appear in unexpected places. For example, we didn't catch an error from EVP_DigestInit_ex() and it appears sometimes in conn.go: func (c *Conn) getErrorHandler(rv C.int, errno error) func() error { errcode := C.SSL_get_error(c.ssl, rv) // <- here
805504c
to
b87b660
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Approving the CI changes. Let's go with a copy of the test workflow until we have a better story for cases like this one.
@marten-seemann is this something we're going to merge? I've heard from @Jorropo that boringcrypto coming in Go 1.19 might be better off for us and not require CGO. |
Not familiar with boringcrypto in Go, do you have a link for me? Not depending on OpenSSL seems to be a good idea, especially considering the upcoming fork and the expected split of the community. |
When you build go you can do:
It will use a boringssl (google's openssl fork) wrapper to replace most of go's crypto librairy. (and AFAIT it has runtime tricks to do cgo without the 500threads and the big overhead) You can read about it here https://github.com/golang/go/blob/cdcb4b6ef37c1ce14637323dd00b5daad7e645c4/README.boringcrypto.md and in the go compiler VCS. My main question is maybe that interfer with the unsafe hack you do for |
It won't. I removed boring support from the fork: quic-go/qtls-go1-19@2a06850
That would be a great outcome! One less libp2p package :) |
Just to be sure, quic-go doesn't support
Ok I'll, any cipher you want see tried ? |
It doesn't, and never has.
Good question. I thought the starting point would be the benchmarks this package comes with. Maybe also add RSA operations to your list, since annoyingly, RSA is still widely used in the ecosystem. |
@Jorropo : will you be able to do the benchmarking? Let me know if that is feeling like too much and we can potentially see if @oleg-jukovec can take this. |
@BigLep it's the work of 2 hours, I'll do once the bitswap split is over. This is not a priority issue. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code LGTM and CI passes, there's no reason not to just merge this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Boringcrypto isn’t going to be a replacement for this repo. Until it is, I think we should merge this to support OpenSSL 3.0.
More discussion here: libp2p/go-libp2p#1686 (comment)
@marten-seemann let me know if there’s anything else I’m missing, but otherwise we should just merge this. |
or behavior