Fix build with OpenSSL 3.0

[oleg-jukovec]

• FIPS_mode_set() does not exist in OpenSSL 3.0 [1]
• X509_check_* functions declarated in openssl/x509v3.h instead of openssl/x509.h [2]
• X509_chack_* functions have const char arg inserad of const unsigned char [2]
• the patch does not change behavior under OpenSSL version != 3
• the patch just fixes build under OpenSSL 3.0 and doesn't update deprecated code
  or behavior

1. https://wiki.openssl.org/index.php/OpenSSL_3.0#Upgrading_from_the_OpenSSL_2.0_FIPS_Object_Module
2. https://www.openssl.org/docs/man3.0/man3/X509_check_host.html

[BigLep]

2022-05-27: general context: this repo is use speedup RSA operations in go-libp2p-core, hidden behind a build flag.

@oleg-jukovec : a few general comments:

1. We're supporting v1.x until that is no longer an option
2. What usecase is this blocking for you?
3. In order for this to be considered more, we'd need to have tests pass.

[oleg-jukovec]

2022-05-27: general context: this repo is use speedup RSA operations in go-libp2p-core, hidden behind a build flag.

@oleg-jukovec : a few general comments:

1. We're supporting v1.x until that is no longer an option

2. What usecase is this blocking for you?

3. In order for this to be considered more, we'd need to have tests pass.

1. The pull request does not affect OpenSSL v1.x
2. Ubuntu 22.04 LTS has OpenSSL 3.0. Ubuntu is a very popular Linux distribution.
3. I think that tests on Windows are not broken by this pull request. It looks more like a test environment problem (same problems in sync: update CI config files #24):

# pkg-config --cflags  --libssl libcrypto
Can't find C:\Strawberry\perl\bin\pkg-config.bat on PATH, '.' not in PATH.
pkg-config: exit status 29

[BigLep]

2022-06-03 maintainer conversation: given Ubuntu 22.04 LTS has OpenSSL 3.0 is shipping without OpenSSL 1.x, we agree this should handled.

We need a GitHub actions workflow that exercises the OpenSSL 3.x path. @oleg-jukovec : can you please add a seperate GitHub actions workflow file for testing against this? Per https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources it looks like there is a Ubuntu 22.04 runner we can use.

[galargh]

3. I think that tests on Windows are not broken by this pull request. It looks more like a test environment problem (same problems in sync: update CI config files #24):

That was true - we needed to install mingw toolchain which is no longer installed by default on windows-2022 gh actions runners - #30. Might be worth mentioning that, in particular,mingw-w64-x86_64-openssl-1.1.1.o-3 and mingw-w64-i686-openssl-1.1.1.o-3 packages are installed as part of the toolchain.

[BigLep]

@oleg-jukovec : can you handle this (basically making the code change with custom github runner)?

From a core maintainer regard, this isn't a high priority. We'd appreciate any help to move this forward. Thanks!

[oleg-jukovec]

@oleg-jukovec : can you handle this (basically making the code change with custom github runner)?

From a core maintainer regard, this isn't a high priority. We'd appreciate any help to move this forward. Thanks!

Hello, yes, I'm going to do it. I have no time right now, but maybe next week.

[oleg-jukovec]

Thank you for your patience. I've added the Ubuntu 22.04 runner to the CI.

[galargh]

Any changes to this file will get overwritten the next time https://github.com/protocol/.github is pushed to.

Off the top of my head, the easiest way around it would be to add a new workflow in this repo only which runs go test on ubuntu-22.04.

[galargh]

I also created an issue for considering making the os list configurable in Unified CI - protocol/.github#349

[oleg-jukovec]

Oh, thank you, I understand the problem. Then I think it's better to wait protocol/.github#349 .

[marten-seemann]

I think the best way forward would be to just add a new workflow file go-test-ubuntu-22.04.yml, which would essentially be a copy of go-test.yml.

[oleg-jukovec]

I think it's done.

[galargh]

Approving the CI changes. Let's go with a copy of the test workflow until we have a better story for cases like this one.

[aschmahmann]

@marten-seemann is this something we're going to merge? I've heard from @Jorropo that boringcrypto coming in Go 1.19 might be better off for us and not require CGO.

[marten-seemann]

Not familiar with boringcrypto in Go, do you have a link for me?

Not depending on OpenSSL seems to be a good idea, especially considering the upcoming fork and the expected split of the community.

[Jorropo]

Not familiar with boringcrypto in Go, do you have a link for me?

When you build go you can do:

GOEXPERIMENT=boringcrypto ./make.bash

It will use a boringssl (google's openssl fork) wrapper to replace most of go's crypto librairy. (and AFAIT it has runtime tricks to do cgo without the 500threads and the big overhead)
It's really fast (depends on the workload but you can see 2x improvements over the go implementation easily), it's seems like the same thing we are doing right now but maintained by google and more integrated into go than the thing we have now.

You can read about it here https://github.com/golang/go/blob/cdcb4b6ef37c1ce14637323dd00b5daad7e645c4/README.boringcrypto.md and in the go compiler VCS.

My main question is maybe that interfer with the unsafe hack you do for QUIC and your forked crypto lib. If it doesn't I think we should drop go-openssl package and point people to google's maintained openssl wrapper.

[marten-seemann]

My main question is maybe that interfer with the unsafe hack you do for QUIC and your forked crypto lib.

It won't. I removed boring support from the fork: quic-go/qtls-go1-19@2a06850

If it doesn't I think we should drop go-openssl package and point people to google's maintained openssl wrapper.

That would be a great outcome! One less libp2p package :)
We should run a benchmark to convince ourselves that this provides comparable performance. @Jorropo, do you want to work on this?

[Jorropo]

@marten-seemann

It won't. I removed boring support from the fork: quic-go/qtls-go1-19@2a06850

Just to be sure, quic-go doesn't support go-openssl either ?

@Jorropo, do you want to work on this?

Ok I'll, any cipher you want see tried ?
I'll try tls1.3 negociation and sending a few bytes, ed25519 key generation, signature and verification, AES CBC, AES GCM and noise (but afaik noise is implemented a third party thing).

[marten-seemann]

Just to be sure, quic-go doesn't support go-openssl either ?

It doesn't, and never has.

Ok I'll, any cipher you want see tried ?

Good question. I thought the starting point would be the benchmarks this package comes with. Maybe also add RSA operations to your list, since annoyingly, RSA is still widely used in the ecosystem.
If you want to do an end-to-end TLS test, you might need to jump through some hoops to convince crypto/tls to use the ciphersuite you want, since they're trying to be smart about ciphersuite selection (or just use TLS 1.2 and set it in tls.Config.CipherSuites).

[BigLep]

@Jorropo : will you be able to do the benchmarking? Let me know if that is feeling like too much and we can potentially see if @oleg-jukovec can take this.

[Jorropo]

@BigLep it's the work of 2 hours, I'll do once the bitswap split is over.

This is not a priority issue.

[Stebalien]

Code LGTM and CI passes, there's no reason not to just merge this.

[MarcoPolo]

Boringcrypto isn’t going to be a replacement for this repo. Until it is, I think we should merge this to support OpenSSL 3.0.

More discussion here: libp2p/go-libp2p#1686 (comment)

[MarcoPolo]

@marten-seemann let me know if there’s anything else I’m missing, but otherwise we should just merge this.