Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fixing use of OpenSSL 3 deprecated functions #2047

Open
wiktor-k opened this issue Sep 28, 2023 · 2 comments · May be fixed by #2380
Open

Fixing use of OpenSSL 3 deprecated functions #2047

wiktor-k opened this issue Sep 28, 2023 · 2 comments · May be fixed by #2380

Comments

@wiktor-k
Copy link
Contributor

Hi,

I'm using rust-openssl as one of the cryptographic backends in Sequoia and just recently we've got a report that we're using functions deprecated in OpenSSL 3:

  • DSA_free
  • DSA_new
  • DSA_set0_key
  • DSA_set0_pqg
  • ECDSA_do_verify
  • EC_KEY_free
  • EC_KEY_new
  • EC_KEY_set_group
  • EC_KEY_set_public_key
  • EVP_PKEY_assign
  • RSA_free
  • RSA_new
  • RSA_set0_key

I've went through the migration guide and it seems they want to encourage the usage of EVP_PKEY family of functions and quite a bit of them are missing here (EVP_PKEY_CTX_new_from_{name,pkey}) as well as the associated machinery (OSSL_PARAM_BLD, OSSL_PARAM_BLD_push_BN, ...).

Now, before I file a big PR I'd like to verify if my approach is correct:

One way to solve this would be to just expose the missing features and mark them as ossl300 but AFAICT this crate takes extra effort to provide consistent interface regardless of which library is used underneath. I wonder if a better approach would be just to fix the implementation so that it uses new functions when ossl300 is defined and uses the old API otherwise.

An example of existing code:

impl Rsa<Public> {
    pub fn from_public_components(n: BigNum, e: BigNum) -> Result<Rsa<Public>, ErrorStack> {
        unsafe {
            let rsa = cvt_p(ffi::RSA_new())?;
            RSA_set0_key(rsa, n.as_ptr(), e.as_ptr(), ptr::null_mut());
            mem::forget((n, e));
            Ok(Rsa::from_ptr(rsa))
        }
    }

This uses deprecated RSA_set0_key function and I think it should be changed to use EVP_PKEY_CTX_new_from_name passing BigNums via OSSL_PARAM_BLD_push_BN and, at the end, extracting the Rsa object out of the PKey but only when ossl300 is defined.

Not sure if all functions can be adjusted like that but from my casual skim most of them are for creating cryptographic objects.

Please confirm if this is a good approach or if there is a better one I should explore instead.

Thank you for your time! 👋
@sfackler
Copy link
Owner

AFAICT this crate takes extra effort to provide consistent interface regardless of which library is used underneath.

To the contrary - we try to provide a pretty raw interface over OpenSSL's APIs. Adding new #[cfg(ossl300)] stuff is the way to go.

Might be worth also adding a CI build against an OpenSSL built without deprecated APIs to ensure we don't regress.

@wiktor-k
Copy link
Contributor Author

Understood! Thanks for the comment. I'll be back with code.

@wiktor-k wiktor-k mentioned this issue Oct 10, 2023
Closed
Jakuje added a commit to Jakuje/rust-openssl that referenced this issue Feb 14, 2025
@Jakuje
New OpenSSL 3.* API for managing EVP_PKEY objects
76de8c2 
The OpenSSL 3.* users now do not have a way to use non-deprecated
API by using this rust bindings, which is not sustainable in the
long term as either distributions will stop building with the
deprecated API or it will be eventually removed.

This is now mostly PoC on using RSA and ECDSA keys using the new
API in tests. It does not expose all possible API that are available
as I did not have a good way to test the unused API yet.

I do not know if this API is available in some other *SSL libraries
right now so for now all of the additions are marked with #[cfg(ossl300)].

This is partially based on sfackler#2051 which was abandoned.

Fixes: sfackler#2047
@Jakuje Jakuje mentioned this issue Feb 14, 2025
Closed
Jakuje added a commit to Jakuje/rust-openssl that referenced this issue Feb 14, 2025
@Jakuje
New OpenSSL 3.* API for managing EVP_PKEY objects
11c520b 
The OpenSSL 3.* users now do not have a way to use non-deprecated
API by using this rust bindings, which is not sustainable in the
long term as either distributions will stop building with the
deprecated API or it will be eventually removed.

This is now mostly PoC on using RSA and ECDSA keys using the new
API in tests. It does not expose all possible API that are available
as I did not have a good way to test the unused API yet.

I do not know if this API is available in some other *SSL libraries
right now so for now all of the additions are marked with #[cfg(ossl300)].

This is partially based on sfackler#2051 which was abandoned.

Fixes: sfackler#2047
Jakuje added a commit to Jakuje/rust-openssl that referenced this issue Feb 14, 2025
@Jakuje
New OpenSSL 3.* API for managing EVP_PKEY objects
2ce1b9b 
The OpenSSL 3.* users now do not have a way to use non-deprecated
API by using this rust bindings, which is not sustainable in the
long term as either distributions will stop building with the
deprecated API or it will be eventually removed.

This is now mostly PoC on using RSA and ECDSA keys using the new
API in tests. It does not expose all possible API that are available
as I did not have a good way to test the unused API yet.

I do not know if this API is available in some other *SSL libraries
right now so for now all of the additions are marked with #[cfg(ossl300)].

This is partially based on sfackler#2051 which was abandoned.

Fixes: sfackler#2047
Jakuje added a commit to Jakuje/rust-openssl that referenced this issue Feb 27, 2025
@Jakuje
New OpenSSL 3.* API for managing EVP_PKEY objects
a7d1739 
The OpenSSL 3.* users now do not have a way to use non-deprecated
API by using this rust bindings, which is not sustainable in the
long term as either distributions will stop building with the
deprecated API or it will be eventually removed.

This is now mostly PoC on using RSA and ECDSA keys using the new
API in tests. It does not expose all possible API that are available
as I did not have a good way to test the unused API yet.

I do not know if this API is available in some other *SSL libraries
right now so for now all of the additions are marked with #[cfg(ossl300)].

This is partially based on sfackler#2051 which was abandoned.

Fixes: sfackler#2047
Jakuje added a commit to Jakuje/rust-openssl that referenced this issue Feb 28, 2025
@Jakuje
New OpenSSL 3.* API for managing EVP_PKEY objects
7d520ac 
The OpenSSL 3.* users now do not have a way to use non-deprecated
API by using this rust bindings, which is not sustainable in the
long term as either distributions will stop building with the
deprecated API or it will be eventually removed.

This is now mostly PoC on using RSA and ECDSA keys using the new
API in tests. It does not expose all possible API that are available
as I did not have a good way to test the unused API yet.

I do not know if this API is available in some other *SSL libraries
right now so for now all of the additions are marked with #[cfg(ossl300)].

This is partially based on sfackler#2051 which was abandoned.

Fixes: sfackler#2047
Jakuje added a commit to Jakuje/rust-openssl that referenced this issue Feb 28, 2025
@Jakuje
New OpenSSL 3.* API for managing EVP_PKEY objects
fec04ce 
The OpenSSL 3.* users now do not have a way to use non-deprecated
API by using this rust bindings, which is not sustainable in the
long term as either distributions will stop building with the
deprecated API or it will be eventually removed.

This is now mostly PoC on using RSA and ECDSA keys using the new
API in tests. It does not expose all possible API that are available
as I did not have a good way to test the unused API yet.

I do not know if this API is available in some other *SSL libraries
right now so for now all of the additions are marked with #[cfg(ossl300)].

This is partially based on sfackler#2051 which was abandoned.

Fixes: sfackler#2047
Jakuje added a commit to Jakuje/rust-openssl that referenced this issue Mar 5, 2025
@Jakuje
Use the new OpenSSL 3.* API for managing EVP_PKEY
7f260ed 
The OpenSSL 3.* users now do not have a way to use non-deprecated
API by using this rust bindings, which is not sustainable in the
long term as either distributions will stop building with the
deprecated API or it will be eventually removed.

This is now mostly PoC on using RSA keys using the new API. It does
not expose OSSL_PARAM API as that is considered fragile.

This is partially based on sfackler#2051 which was abandoned.

Fixes: sfackler#2047
@Jakuje Jakuje linked a pull request Mar 5, 2025 that will close this issue
Open
Jakuje added a commit to Jakuje/rust-openssl that referenced this issue Mar 5, 2025
@Jakuje
Use the new OpenSSL 3.* API for managing EVP_PKEY
c138e59 
The OpenSSL 3.* users now do not have a way to use non-deprecated
API by using this rust bindings, which is not sustainable in the
long term as either distributions will stop building with the
deprecated API or it will be eventually removed.

This is now mostly PoC on using RSA keys using the new API. It does
not expose OSSL_PARAM API as that is considered fragile.

This is partially based on sfackler#2051 which was abandoned.

Fixes: sfackler#2047
Jakuje added a commit to Jakuje/rust-openssl that referenced this issue Mar 5, 2025
@Jakuje
Use the new OpenSSL 3.* API for managing EVP_PKEY
c401e7b 
The OpenSSL 3.* users now do not have a way to use non-deprecated
API by using this rust bindings, which is not sustainable in the
long term as either distributions will stop building with the
deprecated API or it will be eventually removed.

This is now mostly PoC on using RSA keys using the new API. It does
not expose OSSL_PARAM API as that is considered fragile.

This is partially based on sfackler#2051 which was abandoned.

Fixes: sfackler#2047
Jakuje added a commit to Jakuje/rust-openssl that referenced this issue Mar 6, 2025
@Jakuje
Use the new OpenSSL 3.* API for managing EVP_PKEY
54d5669 
The OpenSSL 3.* users now do not have a way to use non-deprecated
API by using this rust bindings, which is not sustainable in the
long term as either distributions will stop building with the
deprecated API or it will be eventually removed.

This is now mostly PoC on using RSA keys using the new API. It does
not expose OSSL_PARAM API as that is considered fragile.

This is partially based on sfackler#2051 which was abandoned.

Fixes: sfackler#2047
Jakuje added a commit to Jakuje/rust-openssl that referenced this issue Mar 13, 2025
@Jakuje
Use the new OpenSSL 3.* API for managing EVP_PKEY
bbb1b35 
The OpenSSL 3.* users now do not have a way to use non-deprecated
API by using this rust bindings, which is not sustainable in the
long term as either distributions will stop building with the
deprecated API or it will be eventually removed.

This is now mostly PoC on using RSA keys using the new API. It does
not expose OSSL_PARAM API as that is considered fragile.

This is partially based on sfackler#2051 which was abandoned.

Fixes: sfackler#2047
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Jakuje added a commit to Jakuje/rust-openssl that referenced this issue Mar 13, 2025
@Jakuje
Use the new OpenSSL 3.* API for managing EVP_PKEY
b0afadd 
The OpenSSL 3.* users now do not have a way to use non-deprecated
API by using this rust bindings, which is not sustainable in the
long term as either distributions will stop building with the
deprecated API or it will be eventually removed.

This is now mostly PoC on using RSA keys using the new API. It does
not expose OSSL_PARAM API as that is considered fragile.

This is partially based on sfackler#2051 which was abandoned.

Fixes: sfackler#2047
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
2 participants
@sfackler @wiktor-k