EVerest / libevse-security

Apache License 2.0

Does not build with OpenSSL 1.x #75

Closed barsnick closed 4 months ago

barsnick commented 4 months ago

Describe the bug

libevse-security no longer builds with the Docker build script in everest-utils, which uses Debian 11 with OpenSSL 1.x.

In commit https://github.com/EVerest/libevse-security/commit/acc12fe5353d8090fc8cb0a84564b52ad7301e51, a dependency on OpenSSL 3 was reintroduced, through the use of (among others) X509_add_cert().

To Reproduce

In everest-utils:

./build.sh --name everest-core-test-01 --conf /path/to/some-config.yaml

Anything else?

See also the recent issues https://github.com/EVerest/everest-utils/issues/112 and https://github.com/EVerest/libevse-security/issues/31

So I assume OpenSSL 1.x compatibility is still desired.

224.6 [ 31%] Building CXX object _deps/sqlite_cpp-build/CMakeFiles/SQLiteCpp.dir/src/Database.cpp.o
224.7 /workspace/everest/cpm_source_cache/libevse-security/f4c722882414e8cb77a2f572b45fde98e2647f8d/libevse-security/lib/evse_security/crypto/openssl/openssl_supplier.cpp: In function 'bool evse_security::s_generate_key(const evse_security::KeyGenerationInfo&, evse_security::KeyHandle_ptr&, evse_security::EVP_PKEY_CTX_ptr&)':
224.7 /workspace/everest/cpm_source_cache/libevse-security/f4c722882414e8cb77a2f572b45fde98e2647f8d/libevse-security/lib/evse_security/crypto/openssl/openssl_supplier.cpp:259:75: warning: 'RSA* RSA_generate_key(int, long unsigned int, void (*)(int, int, void*), void*)' is deprecated [-Wdeprecated-declarations]
224.7   259 |         RSA_ptr rsa_key(RSA_generate_key(bits, RSA_PRIME, nullptr, nullptr));
224.7       |                                                                           ^
224.7 In file included from /usr/include/openssl/e_os2.h:13,
224.7                  from /usr/include/openssl/bio.h:13,
224.7                  from /usr/include/openssl/x509v3.h:13,
224.7                  from /workspace/everest/cpm_source_cache/libevse-security/f4c722882414e8cb77a2f572b45fde98e2647f8d/libevse-security/include/evse_security/detail/openssl/openssl_types.hpp:6,
224.7                  from /workspace/everest/cpm_source_cache/libevse-security/f4c722882414e8cb77a2f572b45fde98e2647f8d/libevse-security/lib/evse_security/crypto/openssl/openssl_supplier.cpp:5:
224.7 /usr/include/openssl/rsa.h:235:1: note: declared here
224.7   235 | DEPRECATEDIN_0_9_8(RSA *RSA_generate_key(int bits, unsigned long e, void
224.7       | ^~~~~~~~~~~~~~~~~~
224.7 /workspace/everest/cpm_source_cache/libevse-security/f4c722882414e8cb77a2f572b45fde98e2647f8d/libevse-security/lib/evse_security/crypto/openssl/openssl_supplier.cpp: In static member function 'static evse_security::CertificateValidationResult evse_security::OpenSSLSupplier::x509_verify_certificate_chain(evse_security::X509Handle*, const std::vector<evse_security::X509Handle*>&, const std::vector<evse_security::X509Handle*>&, bool, std::optional<std::filesystem::__cxx11::path>, std::optional<std::filesystem::__cxx11::path>)':
224.7 /workspace/everest/cpm_source_cache/libevse-security/f4c722882414e8cb77a2f572b45fde98e2647f8d/libevse-security/lib/evse_security/crypto/openssl/openssl_supplier.cpp:599:21: error: 'X509_ADD_FLAG_NO_DUP' was not declared in this scope; did you mean 'X509_FLAG_NO_AUX'?
224.7   599 |         int flags = X509_ADD_FLAG_NO_DUP | X509_ADD_FLAG_NO_SS;
224.7       |                     ^~~~~~~~~~~~~~~~~~~~
224.7       |                     X509_FLAG_NO_AUX
224.8 /workspace/everest/cpm_source_cache/libevse-security/f4c722882414e8cb77a2f572b45fde98e2647f8d/libevse-security/lib/evse_security/crypto/openssl/openssl_supplier.cpp:599:44: error: 'X509_ADD_FLAG_NO_SS' was not declared in this scope; did you mean 'X509_FLAG_NO_IDS'?
224.8   599 |         int flags = X509_ADD_FLAG_NO_DUP | X509_ADD_FLAG_NO_SS;
224.8       |                                            ^~~~~~~~~~~~~~~~~~~
224.8       |                                            X509_FLAG_NO_IDS
224.8 /workspace/everest/cpm_source_cache/libevse-security/f4c722882414e8cb77a2f572b45fde98e2647f8d/libevse-security/lib/evse_security/crypto/openssl/openssl_supplier.cpp:602:22: error: 'X509_add_cert' was not declared in this scope; did you mean 'X509_add_ext'?
224.8   602 |             if (1 != X509_add_cert(untrusted.get(), get(untrusted_cert), flags)) {
224.8       |                      ^~~~~~~~~~~~~
224.8       |                      X509_add_ext
225.0 make[2]: *** [_deps/libevse-security-build/lib/evse_security/CMakeFiles/evse_security.dir/build.make:186: _deps/libevse-security-build/lib/evse_security/CMakeFiles/evse_security.dir/crypto/openssl/openssl_supplier.cpp.o] Error 1
225.0 make[1]: *** [CMakeFiles/Makefile2:4449: _deps/libevse-security-build/lib/evse_security/CMakeFiles/evse_security.dir/all] Error 2

AssemblyJohn commented 4 months ago

The OpenSSL 1.1 compat usually causes many issues, including sometimes runtime issues, so I think we should bring up whether we still want to support this lib, which has been deprecated for almost 1 year.

barsnick commented 4 months ago

I just wanted to point it out.

That's fine by me, if we still manage to support enough platforms. Specifically, Ubuntu 20 will need to be dropped, unless there's a PPA for that somewhere. Debian 11 obviously doesn't work anymore either. (I can open a bug on everest-utils for that.)

barsnick commented 4 months ago

This line: https://github.com/EVerest/libevse-security/blob/4330ce2e28e25535dd01558edb2331891c146769/CMakeLists.txt#L46 should probably state version 3:

find_package(OpenSSL 3 REQUIRED)

AssemblyJohn commented 4 months ago

Closes with: https://github.com/EVerest/libevse-security/pull/76
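
The version requirement suggested in the thread, combined with a configure-time probe for X509_add_cert(), so that an OpenSSL 1.x system is rejected when CMake runs instead of failing in openssl_supplier.cpp partway through the build. This is an added example, not the project's CMakeLists.txt or the change in the linked pull request; the cache variable HAVE_X509_ADD_CERT is a hypothetical name, and the fragment assumes the CXX language is enabled for the project.

```cmake
# Added example (not the project's own CMake code).
# Reject any OpenSSL older than 3 as soon as CMake configures the project.
find_package(OpenSSL 3 REQUIRED)

include(CheckCXXSymbolExists)
include(CMakePushCheckState)

# Probe for the OpenSSL 3 API named in the compile errors of the build log.
# This also catches a mismatch between the headers and the library that
# find_package() selected, which the version number alone does not reveal.
cmake_push_check_state(RESET)
set(CMAKE_REQUIRED_LIBRARIES OpenSSL::Crypto)
# HAVE_X509_ADD_CERT is a hypothetical cache variable name chosen for this example.
check_cxx_symbol_exists(X509_add_cert "openssl/x509.h" HAVE_X509_ADD_CERT)
cmake_pop_check_state()

if(NOT HAVE_X509_ADD_CERT)
    message(FATAL_ERROR
        "OpenSSL ${OPENSSL_VERSION} (headers in ${OPENSSL_INCLUDE_DIR}) does not "
        "provide X509_add_cert(); OpenSSL 3 or newer is required.")
endif()

# Record which OpenSSL the build is using, for later troubleshooting.
message(STATUS "Using OpenSSL ${OPENSSL_VERSION} from ${OPENSSL_INCLUDE_DIR}")
```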