[LU-15896] gss/sk_utils.c error: 'DH_check' is deprecated: Since OpenSSL 3.0 Created: 26/May/22  Updated: 21/Aug/22  Resolved: 08/Aug/22

Status: Resolved
Project: Lustre
Component/s: None
Affects Version/s: None
Fix Version/s: Lustre 2.16.0, Lustre 2.15.2

Type: Improvement Priority: Minor
Reporter: Jian Yu Assignee: Sebastien Buisson
Resolution: Fixed Votes: 0
Labels: ubuntu

Issue Links:
Related
is related to LU-15781 Ubuntu 22.04 LTS release support Open
Rank (Obsolete): 9223372036854775807

 Description   

While building gss/sk_utils.c with OpenSSL 3.0.x and gcc 11 on Ubuntu 22.04, it failed with the following errors:

gss/sk_utils.c: In function 'sk_is_dh_valid':
gss/sk_utils.c:714:17: error: 'DH_check' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
  714 |                 rc = DH_check(dh, &codes);
      |                 ^~
In file included from gss/sk_utils.c:36:
/usr/include/openssl/dh.h:220:27: note: declared here
  220 | OSSL_DEPRECATEDIN_3_0 int DH_check(const DH *dh, int *codes);
      |                           ^~~~~~~~
gss/sk_utils.c:723:9: error: 'DH_get0_pqg' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
  723 |         DH_get0_pqg(dh, &p, NULL, &g);
      |         ^~~~~~~~~~~
In file included from gss/sk_utils.c:36:
/usr/include/openssl/dh.h:253:28: note: declared here
  253 | OSSL_DEPRECATEDIN_3_0 void DH_get0_pqg(const DH *dh, const BIGNUM **p,
      |                            ^~~~~~~~~~~
gss/sk_utils.c:747:9: error: 'BN_is_prime_ex' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
  747 |         rc = BN_is_prime_ex(p, num_rounds, ctx, NULL);
      |         ^~
In file included from /usr/include/openssl/asn1.h:33,
                 from /usr/include/openssl/dh.h:85,
                 from gss/sk_utils.c:36:
/usr/include/openssl/bn.h:373:5: note: declared here
  373 | int BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, BN_GENCB *cb);
      |     ^~~~~~~~~~~~~~
gss/sk_utils.c:759:9: error: 'BN_is_prime_ex' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
  759 |         rc = BN_is_prime_ex(r, num_rounds, ctx, NULL);
      |         ^~
In file included from /usr/include/openssl/asn1.h:33,
                 from /usr/include/openssl/dh.h:85,
                 from gss/sk_utils.c:36:
/usr/include/openssl/bn.h:373:5: note: declared here
  373 | int BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, BN_GENCB *cb);
      |     ^~~~~~~~~~~~~~
gss/sk_utils.c: In function 'sk_speedtest_dh_valid':
gss/sk_utils.c:809:9: error: 'DH_new' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
  809 |         dh = DH_new();
      |         ^~
In file included from gss/sk_utils.c:36:
/usr/include/openssl/dh.h:199:27: note: declared here
  199 | OSSL_DEPRECATEDIN_3_0 DH *DH_new(void);
      |                           ^~~~~~
gss/sk_utils.c:825:9: error: 'DH_set0_pqg' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
  825 |         if (!DH_set0_pqg(dh, p, NULL, g)) {
      |         ^~
In file included from gss/sk_utils.c:36:
/usr/include/openssl/dh.h:255:27: note: declared here
  255 | OSSL_DEPRECATEDIN_3_0 int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
      |                           ^~~~~~~~~~~
gss/sk_utils.c:873:9: error: 'DH_free' is deprecated: Since OpenSSL 3.0 [-Werror=deprecated-declarations]
  873 |         DH_free(dh);
      |         ^~~~~~~
<~snip~>

https://build.whamcloud.com/view/all/job/sandbox/1/arch=x86_64,build_type=client,distro=ubuntu2204,ib_stack=inkernel/consoleFull

# gcc --version
gcc (Ubuntu 11.2.0-19ubuntu1) 11.2.0

# openssl version
OpenSSL 3.0.2 15 Mar 2022 (Library: OpenSSL 3.0.2 15 Mar 2022)


 Comments   
Comment by Jian Yu [ 26/May/22 ]

https://www.openssl.org/docs/man3.0/man7/migration_guide.html

OpenSSL has historically provided two sets of APIs for invoking cryptographic algorithms: the "high level" APIs (such as the EVP APIs) and the "low level" APIs. The high level APIs are typically designed to work across all algorithm types. The "low level" APIs are targeted at a specific algorithm implementation. For example, the EVP APIs provide the functions EVP_EncryptInit_ex(3), EVP_EncryptUpdate(3) and EVP_EncryptFinal(3) to perform symmetric encryption. Those functions can be used with the algorithms AES, CHACHA, 3DES etc. On the other hand, to do AES encryption using the low level APIs you would have to call AES specific functions such as AES_set_encrypt_key(3), AES_encrypt(3), and so on. The functions for 3DES are different. Use of the low level APIs has been informally discouraged by the OpenSSL development team for a long time. However in OpenSSL 3.0 this is made more formal. All such low level APIs have been deprecated. You may still use them in your applications, but you may start to see deprecation warnings during compilation (dependent on compiler support for this). Deprecated APIs may be removed from future versions of OpenSSL so you are strongly encouraged to update your code to use the high level APIs instead.

Comment by Jian Yu [ 26/May/22 ]

Hi sebastien,
Could you please take a look at this issue?

Comment by Gerrit Updater [ 30/May/22 ]

"Sebastien Buisson <sbuisson@ddn.com>" uploaded a new patch: https://review.whamcloud.com/47485
Subject: LU-15896 gss: ignore OpenSSLv3 deprecated API
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 05d5b73ebb253c0e3ed5a7954b751ebbdb2d61bf

Comment by Sebastien Buisson [ 30/May/22 ]

Hi yujian can you please give a try to https://review.whamcloud.com/47485 ?

Comment by Jian Yu [ 30/May/22 ]

It works. Thank you, sebastien.

Comment by Gerrit Updater [ 18/Jun/22 ]

"Oleg Drokin <green@whamcloud.com>" merged in patch https://review.whamcloud.com/47485/
Subject: LU-15896 gss: ignore OpenSSLv3 deprecated API
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: ee60c14360839ab9955ff968d082dfdc269c05bf

Comment by Gerrit Updater [ 23/Jun/22 ]

"Sebastien Buisson <sbuisson@ddn.com>" uploaded a new patch: https://review.whamcloud.com/47717
Subject: LU-15896 gss: support OpenSSLv3
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 37c901e794f7cdd814436244ac68e93b8b3aea0b

Comment by Gerrit Updater [ 24/Jun/22 ]

"Jian Yu <yujian@whamcloud.com>" uploaded a new patch: https://review.whamcloud.com/47739
Subject: LU-15896 gss: ignore OpenSSLv3 deprecated API
Project: fs/lustre-release
Branch: b2_15
Current Patch Set: 1
Commit: 254f1102c86347b7e9337c469df192f0d436b639

Comment by Gerrit Updater [ 05/Jul/22 ]

"Oleg Drokin <green@whamcloud.com>" merged in patch https://review.whamcloud.com/47739/
Subject: LU-15896 gss: ignore OpenSSLv3 deprecated API
Project: fs/lustre-release
Branch: b2_15
Current Patch Set:
Commit: c5e282e51df4c8e99d35e7e17d5107f5aa0aafaa

Comment by Gerrit Updater [ 08/Aug/22 ]

"Oleg Drokin <green@whamcloud.com>" merged in patch https://review.whamcloud.com/47717/
Subject: LU-15896 gss: support OpenSSLv3
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: 615691a531a80b75c4dd054dbb86d0bdbf4cf808

Comment by Peter Jones [ 08/Aug/22 ]

Landed for 2.16

Comment by Gerrit Updater [ 10/Aug/22 ]

"Sebastien Buisson <sbuisson@ddn.com>" uploaded a new patch: https://review.whamcloud.com/48184
Subject: LU-15896 gss: support OpenSSLv3
Project: fs/lustre-release
Branch: b2_15
Current Patch Set: 1
Commit: 41fa4f5a871989a189a90130d9811e164204f58d

Comment by Gerrit Updater [ 20/Aug/22 ]

"Oleg Drokin <green@whamcloud.com>" merged in patch https://review.whamcloud.com/48184/
Subject: LU-15896 gss: support OpenSSLv3
Project: fs/lustre-release
Branch: b2_15
Current Patch Set:
Commit: 8843418a5e8acd86d112327862524ff6f900c3fa

Generated at Sat Feb 10 03:22:13 UTC 2024 using Jira 9.4.14#940014-sha1:734e6822bbf0d45eff9af51f82432957f73aa32c.