Build Error: EVP_PKEY_SSHKDF
Hello,
I'm building on Ubuntu with a "FIPS-ified" OpenSSL-1.1.1g and seeing SSH KDF build errors (omitted some for brevity):
gcc -Wextra -Wall -pedantic -fPIE -O2 -Wno-long-long -Werror -DACVP_PARSER_IUT=\"openssl\" -g -std=c11 -Wno-variadic-macros -DUBUNTU -D_FORTIFY_SOURCE=2 -fstack-protector-all -fwrapv --param ssp-buffer-size=4 -Iparser -c -o backends/backend_openssl.o backends/backend_openssl.c
backends/backend_openssl.c: In function ‘openssl_kdf_ssh_internal’:
backends/backend_openssl.c:1329:52: error: ‘EVP_PKEY_SSHKDF’ undeclared (first use in this function)
# define EVP_KDF_CTX_NEW_ID() EVP_PKEY_CTX_new_id(EVP_PKEY_SSHKDF,NULL)
^
backends/backend_openssl.c:1367:2: error: implicit declaration of function ‘EVP_PKEY_CTX_set_sshkdf_md’ [-Werror=implicit-function-declaration]
CKINT_O(EVP_KDF_SET_MD(ctx, md));
^
I checked in openssl/evp.h and did not find "EVP_PKEY_SSHKDF."
# define EVP_PKEY_NONE NID_undef
# define EVP_PKEY_RSA NID_rsaEncryption
# define EVP_PKEY_RSA2 NID_rsa
# define EVP_PKEY_RSA_PSS NID_rsassaPss
# define EVP_PKEY_DSA NID_dsa
# define EVP_PKEY_DSA1 NID_dsa_2
# define EVP_PKEY_DSA2 NID_dsaWithSHA
# define EVP_PKEY_DSA3 NID_dsaWithSHA1
# define EVP_PKEY_DSA4 NID_dsaWithSHA1_2
# define EVP_PKEY_DH NID_dhKeyAgreement
# define EVP_PKEY_DHX NID_dhpublicnumber
# define EVP_PKEY_EC NID_X9_62_id_ecPublicKey
# define EVP_PKEY_SM2 NID_sm2
# define EVP_PKEY_HMAC NID_hmac
# define EVP_PKEY_CMAC NID_cmac
# define EVP_PKEY_SCRYPT NID_id_scrypt
# define EVP_PKEY_TLS1_PRF NID_tls1_prf
# define EVP_PKEY_HKDF NID_hkdf
# define EVP_PKEY_POLY1305 NID_poly1305
# define EVP_PKEY_SIPHASH NID_siphash
# define EVP_PKEY_X25519 NID_X25519
# define EVP_PKEY_ED25519 NID_ED25519
# define EVP_PKEY_X448 NID_X448
# define EVP_PKEY_ED448 NID_ED448
I looked for minimum required OpenSSL version in the Prerequisites but did not see it mentioned.
Then you do not have the patch that adds the SSH KDF.
To alleviate the issue, simply comment out the SSH constructor code in the
backend_openssl.c: ACVP_DEFINE_CONSTRUCTOR(openssl_kdf_ssh_backend)
Thank you for getting back to me.
I tried commenting out what you suggested as well as the entire SSH KDF section but then all I see is a new wave of build errors so looks like missing more than SSH KDF. I'm trying to build on Ubuntu Linux so is there an OpenSSL version you recommend that builds with Ubuntu Linux?
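A pre-build check for the situation in this thread, as an added example that is not part of the original issue or of the parser project: it reports which symbols the backend needs are absent from an OpenSSL header tree. The function names `missing_symbols` and `make_sample_tree` are hypothetical, and the sample header is constructed from the stock `evp.h` lines quoted above; on a real build, pass the include directory your compiler actually uses.

```shell
#!/bin/sh
# Added example, not project code: detect OpenSSL headers that lack the
# SSH KDF patch before starting a long build.

# missing_symbols INCLUDE_DIR SYMBOL...
# Prints every SYMBOL that does not occur as a whole word in
# INCLUDE_DIR/openssl/*.h.
# Returns 0 if all are present, 1 if any is missing, 2 if there is no tree.
# Limitation: a symbol mentioned only in a comment still counts as present.
missing_symbols() {
    inc_dir=$1
    shift
    if [ ! -d "$inc_dir/openssl" ]; then
        echo "no openssl/ headers under $inc_dir" >&2
        return 2
    fi
    rc=0
    for sym in "$@"; do
        # -F: literal match; -w: whole word, so EVP_PKEY_HKDF cannot
        # stand in for a longer or shorter identifier
        if ! grep -qwF -- "$sym" "$inc_dir"/openssl/*.h 2>/dev/null; then
            echo "$sym"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a header tree shaped like the unpatched evp.h excerpt.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir "$dir/openssl"
    printf '%s\n' \
        '# define EVP_PKEY_TLS1_PRF NID_tls1_prf' \
        '# define EVP_PKEY_HKDF NID_hkdf' > "$dir/openssl/evp.h"
    echo "$dir"
}

# Demo: the two symbols from the compiler errors are reported as missing.
tree=$(make_sample_tree)
missing_symbols "$tree" EVP_PKEY_HKDF EVP_PKEY_SSHKDF EVP_PKEY_CTX_set_sshkdf_md ||
    echo "headers lack SSH KDF support; the SSH KDF backend will not compile" >&2
rm -rf "$tree"
```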