smuellerDD / acvpparser

ACVP Parser for invocation of cryptographic implementations using the ACVP JSON test vectors
https://www.chronox.de/acvpparser

Build Error: EVP_PKEY_SSHKDF #56

Closed anshah1216 closed 5 months ago

anshah1216 commented 1 year ago

Hello, I'm building on Ubuntu with a "FIPS-ified" OpenSSL-1.1.1g and seeing SSH KDF build errors (omitted some for brevity):

gcc -Wextra -Wall -pedantic -fPIE -O2 -Wno-long-long -Werror -DACVP_PARSER_IUT=\"openssl\" -g -std=c11 -Wno-variadic-macros -DUBUNTU -D_FORTIFY_SOURCE=2 -fstack-protector-all -fwrapv --param ssp-buffer-size=4 -Iparser   -c -o backends/backend_openssl.o backends/backend_openssl.c
backends/backend_openssl.c: In function ‘openssl_kdf_ssh_internal’:
backends/backend_openssl.c:1329:52: error: ‘EVP_PKEY_SSHKDF’ undeclared (first use in this function)
 # define  EVP_KDF_CTX_NEW_ID() EVP_PKEY_CTX_new_id(EVP_PKEY_SSHKDF,NULL)
                                                    ^

backends/backend_openssl.c:1367:2: error: implicit declaration of function ‘EVP_PKEY_CTX_set_sshkdf_md’ [-Werror=implicit-function-declaration]
  CKINT_O(EVP_KDF_SET_MD(ctx, md));
  ^

I checked in openssl/evp.h and did not find "EVP_PKEY_SSHKDF."

# define EVP_PKEY_NONE   NID_undef
# define EVP_PKEY_RSA    NID_rsaEncryption
# define EVP_PKEY_RSA2   NID_rsa
# define EVP_PKEY_RSA_PSS NID_rsassaPss
# define EVP_PKEY_DSA    NID_dsa
# define EVP_PKEY_DSA1   NID_dsa_2
# define EVP_PKEY_DSA2   NID_dsaWithSHA
# define EVP_PKEY_DSA3   NID_dsaWithSHA1
# define EVP_PKEY_DSA4   NID_dsaWithSHA1_2
# define EVP_PKEY_DH     NID_dhKeyAgreement
# define EVP_PKEY_DHX    NID_dhpublicnumber
# define EVP_PKEY_EC     NID_X9_62_id_ecPublicKey
# define EVP_PKEY_SM2    NID_sm2
# define EVP_PKEY_HMAC   NID_hmac
# define EVP_PKEY_CMAC   NID_cmac
# define EVP_PKEY_SCRYPT NID_id_scrypt
# define EVP_PKEY_TLS1_PRF NID_tls1_prf
# define EVP_PKEY_HKDF   NID_hkdf
# define EVP_PKEY_POLY1305 NID_poly1305
# define EVP_PKEY_SIPHASH NID_siphash
# define EVP_PKEY_X25519 NID_X25519
# define EVP_PKEY_ED25519 NID_ED25519
# define EVP_PKEY_X448 NID_X448
# define EVP_PKEY_ED448 NID_ED448

I looked for minimum required OpenSSL version in the Prerequisites but did not see it mentioned.

smuellerDD commented 1 year ago

On Tuesday, 27.09.2022 at 11:10 -0700, anshah1216 wrote:

Hello, I'm building with a "FIPS-ified" OpenSSL-1.1.1g and it's mainly complaining about SSH KDF.

gcc -Wextra -Wall -pedantic -fPIE -O2 -Wno-long-long -Werror -DACVP_PARSER_IUT=\"openssl\" -g -std=c11 -Wno-variadic-macros -DUBUNTU -D_FORTIFY_SOURCE=2 -fstack-protector-all -fwrapv --param ssp-buffer-size=4 -Iparser   -c -o backends/backend_openssl.o backends/backend_openssl.c
backends/backend_openssl.c: In function ‘openssl_kdf_ssh_internal’:
backends/backend_openssl.c:1329:52: error: ‘EVP_PKEY_SSHKDF’ undeclared (first use in this function)
 # define  EVP_KDF_CTX_NEW_ID() EVP_PKEY_CTX_new_id(EVP_PKEY_SSHKDF,NULL)
                                                    ^
backends/backend_openssl.c:1363:8: note: in expansion of macro ‘EVP_KDF_CTX_NEW_ID’
  ctx = EVP_KDF_CTX_NEW_ID();
        ^
backends/backend_openssl.c:1329:52: note: each undeclared identifier is reported only once for each function it appears in
 # define  EVP_KDF_CTX_NEW_ID() EVP_PKEY_CTX_new_id(EVP_PKEY_SSHKDF,NULL)
                                                    ^
backends/backend_openssl.c:1363:8: note: in expansion of macro ‘EVP_KDF_CTX_NEW_ID’
  ctx = EVP_KDF_CTX_NEW_ID();
        ^
backends/backend_openssl.c:1367:2: error: implicit declaration of function ‘EVP_PKEY_CTX_set_sshkdf_md’ [-Werror=implicit-function-declaration]
  CKINT_O(EVP_KDF_SET_MD(ctx, md));
  ^

I checked in openssl/evp.h and did not find "EVP_PKEY_SSHKDF."

Then you do not have the patch that adds the SSH KDF.

To alleviate the issue, simply comment out the SSH constructor code in the backend_openssl.c: ACVP_DEFINE_CONSTRUCTOR(openssl_kdf_ssh_backend)



anshah1216 commented 1 year ago

Then you do not have the patch that adds the SSH KDF.

To alleviate the issue, simply comment out the SSH constructor code in the backend_openssl.c: ACVP_DEFINE_CONSTRUCTOR(openssl_kdf_ssh_backend)

Thank you for getting back to me. I tried commenting out what you suggested as well as the entire SSH KDF section, but then all I see is a new wave of build errors, so it looks like more than SSH KDF is missing. I'm trying to build on Ubuntu Linux, so is there an OpenSSL version you recommend that builds with Ubuntu Linux?

smuellerDD commented 1 year ago

On Thursday, 13 October 2022, 18:18:49 CEST, anshah1216 wrote:

Hi anshah1216,

Then you do not have the patch that adds the SSH KDF.

To alleviate the issue, simply comment out the SSH constructor code in the backend_openssl.c: ACVP_DEFINE_CONSTRUCTOR(openssl_kdf_ssh_backend)

Thank you for getting back to me. I tried commenting out what you suggested as well as the entire section, but then all I see is a new wave of build errors, so it looks like more than SSH KDF is missing. I'm trying to build on Ubuntu Linux, so is there an OpenSSL version you recommend that builds with Ubuntu Linux?

You may see that a function is not used - you can comment this one out too, but the entire constructor sections are fully self-contained - that is a basic principle of the parser.

Ciao Stephan
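
The advice in this thread relies on each backend section registering itself through its own constructor. The sketch below is an added example, not acvpparser code: it models that pattern with a compile-time guard in place of hand-commenting. The demo_/DEMO_ names are hypothetical, and it assumes a patched OpenSSL exposes EVP_PKEY_SSHKDF as a macro like the EVP_PKEY_* defines quoted above.

```c
/* Added illustration; demo_/DEMO_ names are hypothetical, not acvpparser's. */
#include <stdio.h>
#include <string.h>

/* A real build would #include <openssl/evp.h> here. Assumption: a patched
 * header defines EVP_PKEY_SSHKDF as a macro, like the other EVP_PKEY_* ids. */

#define DEMO_MAX_BACKENDS 8
static const char *demo_registry[DEMO_MAX_BACKENDS];
static int demo_count;

static void demo_register(const char *name)
{
	if (demo_count < DEMO_MAX_BACKENDS)
		demo_registry[demo_count++] = name;
}

/* Declares fn so that it runs before main() (GCC/Clang constructor attribute). */
#define DEMO_DEFINE_CONSTRUCTOR(fn) \
	static void __attribute__((constructor)) fn(void);

/* HKDF section: EVP_PKEY_HKDF is in the evp.h quoted in the thread, so this
 * section is always built. */
DEMO_DEFINE_CONSTRUCTOR(demo_hkdf_backend)
static void demo_hkdf_backend(void) { demo_register("hkdf"); }

/* SSH KDF section: compiled only when the header provides the symbol, so an
 * unpatched OpenSSL drops the whole section and nothing else is affected. */
#ifdef EVP_PKEY_SSHKDF
DEMO_DEFINE_CONSTRUCTOR(demo_ssh_backend)
static void demo_ssh_backend(void) { demo_register("kdf_ssh"); }
#endif

/* Returns 1 if a backend with this name registered itself, else 0. */
int demo_has_backend(const char *name)
{
	for (int i = 0; i < demo_count; i++)
		if (strcmp(demo_registry[i], name) == 0)
			return 1;
	return 0;
}

int demo_backend_count(void) { return demo_count; }

int main(void)
{
	printf("hkdf=%d kdf_ssh=%d total=%d\n", demo_has_backend("hkdf"),
	       demo_has_backend("kdf_ssh"), demo_backend_count());
	return 0;
}
```

Built without a header that defines EVP_PKEY_SSHKDF, only the HKDF section registers; helper functions used solely by a dropped section need the same guard, or -Werror turns the resulting unused-function warnings into build failures.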