Upgrade to OpenSSL 3.x #5291

jumaffre · 2023-05-22T09:46:18Z

We should add support for OpenSSL 3.x before OpenSSL 1.1.1 end of life.

Updated plan (16/06/02023)

OpenSSL 1.1.1 will be supported by Canonical on Ubuntu 20.04 until 20.04 EOL (May 2025) so CCF will remain on Ubuntu 20.04 and use the distribution OpenSSL 1.1.1 for the host on SGX, but also for SNP and Virtual enclaves.
Open Enclave will update to OpenSSL 3.x (see Meta issue for upgrade to openssl 3.0 openenclave/openenclave#4759), which we'll use for SGX enclaves.
We should therefore provide support for both OpenSSL 1.1.1 (host + SNP/Virtual) and 3.x (SGX) and be able to run CCF enclaves from both.

Tasks (see #5293 for pointers)

Give feedback

SHA256 (Update OpenSSL SHA digest API #5336): SHA256_Init, SHA256_Update, SHA256_Final
EC_KEY (OpenSSL3: remove use of deprecated functions #5481): EC_KEY_new_by_curve_name, EC_KEY_free, EC_KEY_set_public_key_affine_coordinates, EC_KEY_get0_group, EC_KEY_set_public_key, EC_KEY_set_private_key
EVP_PKEY (OpenSSL3: remove use of deprecated functions #5481): EVP_PKEY_set1_EC_KEY, EVP_PKEY_get0_EC_KEY, EVP_PKEY_get0_RSA, EVP_PKEY_set1_RSA, EVP_PKEY_get1_EC_KEY
RSA (OpenSSL3: remove use of deprecated functions #5481): RSA_new, RSA_generate_key_ex, RSA_free, RSA_set0_key, RSA_set0_factors, RSA_set0_crt_params, RSA_get0_n, RSA_get0_e, RSA_get0_d, RSA_get0_p, RSA_get0_q, RSA_get0_dmp1, RSA_get0_dmq1, RSA_get0_iqmp
d2i (OpenSSL3: remove use of deprecated functions #5481): d2i_RSA_PUBKEY
Engine (Use of RDSEED/RDRAND on AMD with OpenSSL 3.x #5569): ENGINE_load_rdrand, ENGINE_by_id, ENGINE_init, ENGINE_set_default, ENGINE_free
Update (Update merklecpp from 1.0.1 to 1.1.0 #5572) merklecpp, which makes use of SHA256 API.
Options

Some notes:

/opt/openenclave/lib/openenclave/host/liboehostverify.a pulls /usr/lib/x86_64-linux-gnu/libcrypto.so (the installed OpenSSL crypto library). This is OK, but makes it hard to build a CCF enclave with a custom installation of OpenSSL.
As discussed with @achamayou, because the OpenSSL 3.x deb package is only available on Ubuntu 22.04, we can (and should!) upgrade the Virtual/SNP images to use Ubuntu 22.04. However, these platforms still require Open Enclave HostVerify, which is currently only tested with Ubuntu 20.04.

The text was updated successfully, but these errors were encountered:

jumaffre added the enhancement label May 22, 2023

jumaffre self-assigned this May 22, 2023

This was referenced May 22, 2023

Fixes to support OpenSSL 3.1.0 #5293

Closed

Allow for SNP/Virtual builds with no dependency on Open Enclave #5308

Merged

jumaffre mentioned this issue Jun 9, 2023

Update OpenSSL SHA digest API #5336

Merged

achamayou added this to the 4.x milestone Jun 14, 2023

jumaffre mentioned this issue Jun 16, 2023

Upgrade from python3.8 to python3.10 #5311

Closed

jumaffre mentioned this issue Jul 28, 2023

OpenSSL3: remove use of deprecated functions #5481

Merged

This was referenced Aug 15, 2023

Faster SHA256 OpenSSL hashing #5548

Merged

Update merklecpp from 1.0.1 to 1.1.0 #5572

Merged

jumaffre closed this as completed Aug 22, 2023

maxtropets mentioned this issue Oct 23, 2024

Solve OpenSSL on Azure Linux #6588

Open

3 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Upgrade to OpenSSL 3.x #5291

Upgrade to OpenSSL 3.x #5291

jumaffre commented May 22, 2023 •

edited

Loading

Tasks (see #5293 for pointers)

Upgrade to OpenSSL 3.x #5291

Upgrade to OpenSSL 3.x #5291

Comments

jumaffre commented May 22, 2023 • edited Loading

Tasks (see #5293 for pointers)

jumaffre commented May 22, 2023 •

edited

Loading