Tuesday, August 23, 2011

Mac OS X Lion and OpenSSL

In Mac OS X 10.7 Lion, Apple deprecates the use of OpenSSL. You can see the deprecation messages when compiling.

OpenSSL is deprecated in Lion

For example, with the following deprecated.c source code:
#include <openssl/crypto.h>

int main(void)
{
    OPENSSL_init();
    return 0;
}

We get a compilation warning:
$ gcc deprecated.c -lcrypto
deprecated.c: In function ‘main’:
deprecated.c:5: warning: ‘OPENSSL_init’ is deprecated (declared at /usr/include/openssl/crypto.h:600)


Line 600 of /usr/include/openssl/crypto.h is:
void OPENSSL_init(void) DEPRECATED_IN_MAC_OS_X_VERSION_10_7_AND_LATER;

and is replaced by Common Crypto


Common Crypto is Apple's "own" implementation of low-level crypto algorithms. See the CC_crypto(3cc) man page. The man page is also available online at http://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man3/CC_crypto.3cc.html and says:

CC_crypto(3cc)                      LOCAL                  CC_crypto(3cc)

NAME
     Common Crypto -- libSystem digest library

DESCRIPTION
     The libSystem Common Crypto library implements a wide range of
cryptographic algorithms used in various Internet standards. The services
provided by this library are used by the CDSA implementations of SSL,
TLS and S/MIME.

OVERVIEW
     libSystem contains the Common Crypto collection of algorithms.
Digest and encryption algorithms contained in this library are optimized for
speed.  The algorithms have been collected from various sources and chosen
for their performance characteristics.  Since libSystem is linked into all
executables it is preferable for applications to use these functions rather
than implementing their own versions.

NOTES
     To use the digest functions with existing code which uses the
corresponding openssl functions, #define the symbol
COMMON_DIGEST_FOR_OPENSSL in your client code (BEFORE including
<CommonCrypto/CommonDigest.h> ).

     You can *NOT* mix and match functions operating on a given data type
from the two implementations; i.e., if you do a CC_MD5_Init()
on a CC_MD5_CTX object, do not assume that you can do an openssl-style
MD5_Update() on that same context.

     The interfaces to the encryption and HMAC algorithms have a calling
interface that is different from that provided by OpenSSL.

SEE ALSO
     CC_MD5(3cc), CC_SHA(3cc), CCHmac(3cc), CCCryptor(3cc)

BSD                           April 5, 2007                             BSD

Notes

The man page is quite old (April 2007) and references CDSA. CDSA has also been deprecated in Lion, but we will talk about that later.

Common Crypto should also be available in Leopard (the man page exists for 10.5). So you can update your project to use Common Crypto for Lion, and the same source code could be used on Snow Leopard (and maybe even Leopard).

Conclusion

OpenSSL should be removed in a later Mac OS X version.

For projects using OpenSSL on Mac OS X you have two options:
  • move from OpenSSL to Common Crypto
  • provide your own version of OpenSSL in the installer (or use a static link)
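
To decide between the two options for a given code base, it helps to know which OpenSSL headers it actually includes. The script below is an added example, not part of the original post or of any Apple tooling. It sorts each `#include <openssl/...>` by migration effort according to the NOTES section of the man page quoted above. The header-to-category lists, the function names and the sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example: sort a tree's OpenSSL includes by migration effort.
# The header lists are this example's assumption, based on the NOTES above.

# classify_header HEADER -> digest | rewrite | keep-openssl
classify_header() {
    case "$1" in
        # Digest APIs: OpenSSL names are aliased by COMMON_DIGEST_FOR_OPENSSL
        md2.h|md4.h|md5.h|sha.h) echo digest ;;
        # HMAC and ciphers: CCHmac/CCCryptor use a different calling interface
        hmac.h|aes.h|des.h|rc4.h|cast.h) echo rewrite ;;
        # Everything else (ssl.h, x509.h, ...): bundle or statically link OpenSSL
        *) echo keep-openssl ;;
    esac
}

# triage DIR -> lines of "<category> <file>:<line> <header>", sorted
triage() {
    grep -rnE --include='*.[chm]' \
        '^[[:space:]]*#[[:space:]]*include[[:space:]]*<openssl/[^>]+>' "$1" |
    while IFS=: read -r file line text; do
        hdr=$(printf '%s\n' "$text" | sed -E 's/.*<openssl\/([^>]+)>.*/\1/')
        printf '%s %s:%s %s\n' "$(classify_header "$hdr")" "$file" "$line" "$hdr"
    done | sort
}

# make_sample DIR: write constructed source files to exercise triage
make_sample() {
    printf '#include <stdio.h>\n#include <openssl/md5.h>\n' > "$1/hash.c"
    printf '#include <openssl/hmac.h>\n  # include <openssl/ssl.h>\n' > "$1/net.c"
    printf '// #include <openssl/sha.h> (commented out)\n' > "$1/old.c"
}

# Usage: sh triage.sh [DIR]; with no DIR, runs on the constructed sample
if [ -n "${1:-}" ]; then
    triage "$1"
else
    tmp=$(mktemp -d) && make_sample "$tmp" && triage "$tmp"
    rm -rf "$tmp"
fi
```

Files that only produce `digest` lines are candidates for the `COMMON_DIGEST_FOR_OPENSSL` define; any `keep-openssl` line means the project still needs its own OpenSSL for that code.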