
Replace SHA deprecated functions with newer ones

Open mykaul opened this issue 3 years ago • 15 comments

See https://www.openssl.org/docs/manmaster/man3/SHA256.html : SHA256_Init() and others are deprecated in newer versions of OpenSSL (3.0 and above). RHEL 9 is going to use it, which will break Gluster. [Update - it won't break Gluster, you'll get a deprecation warning. In some configurations with more strict hardening, it will not work]. Overall, worth moving to newer APIs.

mykaul avatar Nov 01 '21 10:11 mykaul

@mykaul You working on this or should I go ahead and start implementing the newer APIs?

black-dragon74 avatar Dec 28 '21 07:12 black-dragon74

> @mykaul You working on this or should I go ahead and start implementing the newer APIs?

I am not - I think OpenSSL 3.0 is only available from Fedora 36 and RHEL 9, I have neither right now. Go ahead and take it if you can.

mykaul avatar Dec 28 '21 10:12 mykaul

Alright, I will take care of it.

black-dragon74 avatar Dec 29 '21 05:12 black-dragon74

This is how it looks with OpenSSL 3.0:

common-utils.c: In function ‘glusterfs_compute_sha256’:
common-utils.c:4209:5: warning: ‘SHA256_Init’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
 4209 |     SHA256_Init(&sha256);
      |     ^~~~~~~~~~~
In file included from ./glusterfs/glusterfs.h:27,
                 from ./glusterfs/mem-pool.h:18,
                 from glusterfs/common-utils.h:48,
                 from common-utils.c:46:
/usr/include/openssl/sha.h:73:27: note: declared here
   73 | OSSL_DEPRECATEDIN_3_0 int SHA256_Init(SHA256_CTX *c);
      |                           ^~~~~~~~~~~
common-utils.c:4210:5: warning: ‘SHA256_Update’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
 4210 |     SHA256_Update(&sha256, (const unsigned char *)(content), size);
      |     ^~~~~~~~~~~~~
/usr/include/openssl/sha.h:74:27: note: declared here
   74 | OSSL_DEPRECATEDIN_3_0 int SHA256_Update(SHA256_CTX *c,
      |                           ^~~~~~~~~~~~~
common-utils.c:4211:5: warning: ‘SHA256_Final’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
 4211 |     SHA256_Final((unsigned char *)sha256_hash, &sha256);
      |     ^~~~~~~~~~~~
/usr/include/openssl/sha.h:76:27: note: declared here
   76 | OSSL_DEPRECATEDIN_3_0 int SHA256_Final(unsigned char *md, SHA256_CTX *c);

mykaul avatar Apr 04 '22 13:04 mykaul

Thank you for your contributions. Noticed that this issue is not having any activity in last ~6 months! We are marking this issue as stale because it has not had recent activity. It will be closed in 2 weeks if no one responds with a comment here.

stale[bot] avatar Nov 01 '22 19:11 stale[bot]

Commenting to keep this open as it is still a WIP.

Ref: #3149, #3853

Regards

black-dragon74 avatar Nov 07 '22 08:11 black-dragon74

Closing this issue as there was no update since my last update on issue. If this is an issue which is still valid, feel free to open it.

stale[bot] avatar Dec 24 '22 09:12 stale[bot]

I am new to this, getting

ning: ‘int SHA256_Init(SHA256_CTX*)’ is deprecated: Since OpenSSL 3.0 [-Wdeprecated-declarations]
   40 | SHA256_Init(&sha256);
      | ~~~~~~~~~~~^~~~~~~~~

neetesshhr avatar Apr 10 '23 12:04 neetesshhr

Any solution to this?

neetesshhr avatar Apr 10 '23 12:04 neetesshhr

Nothing?

Zprime137 avatar Sep 02 '23 10:09 Zprime137

@HazemMonir - some of the changes to support OpenSSL 3 and beyond were not completed (personally, I cannot devote more time to complete this work). Your contribution will be greatly appreciated!

mykaul avatar Sep 02 '23 12:09 mykaul

@mykaul I used the link in your first comment, and after using the new methods, it resolved all the issues. And thank you for your great work :)

Zprime137 avatar Sep 02 '23 15:09 Zprime137

////////////////////////////////////////////////////
// Deprecated examples
////////////////////////////////////////////////////
memset(dst, 0, sizeof(dst));
t = clock();
for (long i = 0; i < N; i++) {
    SHA256_CTX ctx;

    SHA256_Init(&ctx);
    SHA256_Update(&ctx, src, sizeof(src));
    SHA256_Final(dst, &ctx);
}
cout << "\nB: SHA256_xxx " << (float)(clock()-t)/CLOCKS_PER_SEC << 's' << endl;
cout << "check " << ((unsigned long*)dst)[0] << endl;

////////////////////////////////////////////////////
// Suggested by OpenSSL 3.0 documentation
////////////////////////////////////////////////////
memset(dst, 0, sizeof(dst));
t = clock();
EVP_MD_CTX *mdctx = EVP_MD_CTX_create();
const EVP_MD *md = EVP_sha256();

for (long i = 0; i < N; i++) {
    EVP_DigestInit_ex(mdctx, md, NULL); // ex or ex2
    EVP_DigestUpdate(mdctx, src, sizeof(src));
    EVP_DigestFinal_ex(mdctx, dst, 0);
}

EVP_MD_CTX_destroy(mdctx);
cout << "\nC: EVP_xxx " << (float)(clock()-t)/CLOCKS_PER_SEC << 's' << endl;
cout << "check " << ((unsigned long*)dst)[0] << endl;

alexismailov2 avatar Nov 17 '23 18:11 alexismailov2

> for (long i = 0; i < N; i++) {
>     EVP_DigestInit_ex(mdctx, md, NULL); // ex or ex2
>     EVP_DigestUpdate(mdctx, src, sizeof(src));
>     EVP_DigestFinal_ex(mdctx, dst, 0);
> }
>
> EVP_MD_CTX_destroy(mdctx);

You can do it even more simply with non-deprecated EVP_* functions available since OpenSSL 0.9.7. No need for conditional #ifdef code (like in PR https://github.com/gluster/glusterfs/pull/3149).

Something like

EVP_Digest(src, sizeof(src), dst, NULL, EVP_sha256(), NULL);

barsnick avatar Mar 20 '24 13:03 barsnick

BTW, this particular SHA256 code was fixed (albeit with keeping the unnecessary legacy code) in https://github.com/gluster/glusterfs/commit/8742a8d3d3d5d571d99e886ef84548b4cb443be1.

barsnick avatar Mar 20 '24 13:03 barsnick