Move OpenSSL code to newer API #2723
Conversation
You'll need to rebase this first.
rpmio/digest_openssl.c (outdated review comment)

    goto done;

    //if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PADDING) <= 0)
    //    goto done;
Leftovers?
Yup, it's gone now.
I'm getting this on a local build (this code isn't getting built at all in the CI):
Doesn't this bump the required OpenSSL version to something newer than 1.0.2, which is the oldest currently supported version?
Avoid the now deprecated RSA and DSA data types and use the generic EVP_PKEY
Resolves: rpm-software-management#2294
OK, turns out this is code based on OpenSSL 3.0 which is from 2021. So it is a bit new. Otoh it no longer is the default variant to be built and the next release shouldn't be backported to some ancient enterprise distribution.
Ack, thought so. I don't see the version requirement as a problem (being non-default etc), just that the docs + build require needs updating, which is done now 👍 This looks fine to me but then I haven't got the slightest about the openssl API, would be nice to have someone more familiar with stuff have a look. @sgallagher , @DemiMarie , @nwalfield - can you have a look / know someone who could?
@pmatilai: I'm not an expert on OpenSSL. We were recently contacted by the RedHat Crypto Team (cc: @simo5, @sahanaprasad07) about a similar change, and they offered to help with the porting and review. I suspect they'll be willing to take a look at this, too.
That would be great! It's not that I have a clue about OpenSSL either. I just banged it with a hammer until it seemed to work.
Okay, this has hung around long enough now.
I think you broke DSA signatures: it calls ... I'm pretty sure PKEY_verify needs to be passed something DER encoded instead... We need a testcase for DSA signatures...
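The mismatch the comment above points at is the usual one when DSA verification is moved onto EVP_PKEY_verify(): an OpenPGP signature packet carries r and s as two separate MPIs, while EVP_PKEY_verify() expects a DSA (or ECDSA) signature as the DER structure Dss-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER } from RFC 3279. As an added illustration, not rpm's code and not part of this PR, here is a stand-alone encoder for that conversion with constructed test vectors. The function names, the DER_MAX_INT bound and the sample values are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Largest r or s magnitude accepted; real DSA/ECDSA values are far smaller. */
#define DER_MAX_INT 512

/* Write a DER length field (short form below 128, long form otherwise).
 * Returns bytes written, or 0 if cap is too small. */
static size_t der_put_len(uint8_t *out, size_t cap, size_t len)
{
    if (len < 0x80) {
        if (cap < 1) return 0;
        out[0] = (uint8_t)len;
        return 1;
    }
    size_t nbytes = 0;
    for (size_t t = len; t; t >>= 8) nbytes++;
    if (cap < 1 + nbytes) return 0;
    out[0] = (uint8_t)(0x80 | nbytes);
    for (size_t i = 0; i < nbytes; i++)
        out[1 + i] = (uint8_t)(len >> (8 * (nbytes - 1 - i)));
    return 1 + nbytes;
}

/* Encode an unsigned big-endian magnitude (the form an OpenPGP MPI carries)
 * as a DER INTEGER: drop leading zero octets, then prepend 0x00 when the top
 * bit is set so the value is not misread as negative. Returns bytes written,
 * or 0 on a bad argument or short buffer. */
static size_t der_put_uint(uint8_t *out, size_t cap, const uint8_t *mag, size_t maglen)
{
    static const uint8_t zero = 0;
    while (maglen > 1 && mag[0] == 0) { mag++; maglen--; }
    if (maglen == 0) { mag = &zero; maglen = 1; }
    if (maglen > DER_MAX_INT) return 0;
    size_t pad = (mag[0] & 0x80) ? 1 : 0;
    size_t content = maglen + pad;
    size_t n = 0;
    if (cap < 1) return 0;
    out[n++] = 0x02;                       /* INTEGER tag */
    size_t l = der_put_len(out + n, cap - n, content);
    if (l == 0) return 0;
    n += l;
    if (cap - n < content) return 0;
    if (pad) out[n++] = 0x00;
    memcpy(out + n, mag, maglen);
    return n + maglen;
}

/* Build Dss-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER } (RFC 3279),
 * the encoding EVP_PKEY_verify() expects for DSA and ECDSA signatures.
 * Returns total bytes written to out, or 0 on error. */
size_t dsa_sig_to_der(uint8_t *out, size_t cap,
                      const uint8_t *r, size_t rlen,
                      const uint8_t *s, size_t slen)
{
    uint8_t body[2 * (1 + 3 + 1 + DER_MAX_INT)];  /* tag + len + pad + value, twice */
    size_t blen = der_put_uint(body, sizeof body, r, rlen);
    if (blen == 0) return 0;
    size_t senc = der_put_uint(body + blen, sizeof body - blen, s, slen);
    if (senc == 0) return 0;
    blen += senc;

    if (cap < 1) return 0;
    out[0] = 0x30;                         /* SEQUENCE tag */
    size_t l = der_put_len(out + 1, cap - 1, blen);
    if (l == 0 || cap - 1 - l < blen) return 0;
    memcpy(out + 1 + l, body, blen);
    return 1 + l + blen;
}

/* Constructed vectors (not taken from the PR): exercise leading-zero
 * stripping, the 0x00 sign pad, and the short-buffer path. Returns 1 on success. */
int dsa_der_selftest(void)
{
    static const uint8_t r[] = { 0x80, 0x01 };        /* top bit set -> needs pad */
    static const uint8_t s[] = { 0x00, 0x00, 0x7f };  /* leading zeros -> stripped */
    static const uint8_t want[] = { 0x30, 0x08, 0x02, 0x03, 0x00, 0x80, 0x01,
                                    0x02, 0x01, 0x7f };
    uint8_t out[64];
    size_t n = dsa_sig_to_der(out, sizeof out, r, sizeof r, s, sizeof s);
    if (n != sizeof want || memcmp(out, want, n) != 0) return 0;

    /* A 160-bit DSA pair with clear top bits: 2 + (2+20) + (2+20) = 46 bytes. */
    uint8_t r160[20], s160[20];
    memset(r160, 0x11, sizeof r160);
    memset(s160, 0x22, sizeof s160);
    if (dsa_sig_to_der(out, sizeof out, r160, 20, s160, 20) != 46) return 0;

    /* A too-small output buffer must fail cleanly rather than overrun. */
    if (dsa_sig_to_der(out, 8, r, sizeof r, s, sizeof s) != 0) return 0;
    return 1;
}

int main(void)
{
    if (!dsa_der_selftest()) { puts("selftest FAILED"); return 1; }
    puts("selftest OK");
    return 0;
}
```

The sign pad is the part worth a dedicated test case: roughly half of all DSA signatures have the top bit of r or s set, so an encoder that omits the 0x00 octet verifies some signatures and rejects others, which looks like a flaky signature check rather than an encoding bug.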
@mlschroe there are still DSA keys in use somewhere? |
FESCO decided that Fedora 38 would continue to accept DSA keys, and that Fedora 39 should disable them. Looking at the fedora crypto policies repository, however, they appear to still be allowed in the default policy.
There may not be DSA keys in active use but they do exist in old distros and packages people may want to install for whatever reason. If we broke it we should fix it. |
I would think people can just install those w/o checking the signatures ... but I am not advocating against fixes |
AFAICT the code in question was never released, so there's nothing to fix on your side. (I already fixed it in the "legacy" parser repo) |
Seems I've managed to thoroughly confuse myself with the recent split 😂 So yup, we still need to support the internal parser in 4.19.x but this change is not there, and while we still have openssl-related code in >= 4.20, DSA is not part of it.