Re: [Rpm-maint] [rpm-software-management/rpm] Move OpenSSL code to newer API (PR #2723)
Seems I've managed to thoroughly confuse myself with the recent split :joy: So yup, we still need to support the internal parser in 4.19.x but *this* change is not there, and while we still have openssl-related code in >= 4.20, DSA is not part of it. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2723#issuecomment-2065833452 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Move OpenSSL code to newer API (PR #2723)
AFAICT the code in question was never released, so there's nothing to fix on your side. (I already fixed it in the "legacy" parser repo) -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2723#issuecomment-2063893785
Re: [Rpm-maint] [rpm-software-management/rpm] Move OpenSSL code to newer API (PR #2723)
I would think people can just install those w/o checking the signatures ... but I am not advocating against fixes -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2723#issuecomment-2063889533
Re: [Rpm-maint] [rpm-software-management/rpm] Move OpenSSL code to newer API (PR #2723)
There may not be DSA keys in active use but they do exist in old distros and packages people may want to install for whatever reason. If we broke it we should fix it. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2723#issuecomment-2063471380
Re: [Rpm-maint] [rpm-software-management/rpm] Move OpenSSL code to newer API (PR #2723)
> @mlschroe there are still DSA keys in use somewhere?

[FESCO decided](https://pagure.io/fesco/issue/2960) that Fedora 38 would continue to accept DSA keys, and that Fedora 39 should disable them. Looking at the fedora crypto policies repository, however, [they appear to still be allowed in the default policy](https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/blob/8f49dfad/policies/DEFAULT.pol#L78). -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2723#issuecomment-2059424051
Re: [Rpm-maint] [rpm-software-management/rpm] Move OpenSSL code to newer API (PR #2723)
@mlschroe there are still DSA keys in use somewhere? -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2723#issuecomment-2059388504
Re: [Rpm-maint] [rpm-software-management/rpm] Move OpenSSL code to newer API (PR #2723)
I think you broke DSA signatures: it calls `EVP_PKEY_verify` with `padded_sig` which is constructed from just `sig->r`. But `constructDSASignature` (called at the beginning) takes `sig->r` and `sig->s` and creates a DSA_SIG from it. I'm pretty sure PKEY_verify expects to be passed something DER encoded instead... We need a testcase for DSA signatures... -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2723#issuecomment-2059096444
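The mismatch described in the message above is between two representations of the same DSA signature: OpenPGP carries r and s as two separate MPIs, while OpenSSL's `EVP_PKEY_verify` (like `i2d_DSA_SIG`, and unlike the removed `DSA_do_verify`, which took a `DSA_SIG` struct) wants the DER encoding `SEQUENCE { INTEGER r, INTEGER s }`. A buffer holding only r is not that structure and cannot verify. The following is an added example, not rpm's or OpenSSL's code: it encodes an (r, s) pair into the DER form a DSA `EVP_PKEY_verify` call consumes and parses it back, with the DER INTEGER rules (minimal encoding, 0x00 sign pad) that trip people up. The function names `der_dsa_sig` and `der_parse_dsa_sig` are ours, the sample r and s values are constructed, and no libcrypto is needed to run it.

```c
/* Added example (not rpm or OpenSSL code): DSA (r, s) <-> DER DSA_SIG.
 * OpenPGP stores r and s as MPIs; EVP_PKEY_verify on a DSA key wants
 * SEQUENCE { INTEGER r, INTEGER s } as produced by i2d_DSA_SIG. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER length octets for n (short form, or 0x81 long form up to 255). */
static size_t der_len(size_t n, uint8_t *out)
{
    if (n < 128) { out[0] = (uint8_t)n; return 1; }
    if (n < 256) { out[0] = 0x81; out[1] = (uint8_t)n; return 2; }
    return 0;   /* larger than any DSA component pair we expect */
}

/* Unsigned big-endian magnitude (an MPI's bytes) -> DER INTEGER. */
static size_t der_uint(const uint8_t *mag, size_t maglen, uint8_t *out, size_t outlen)
{
    uint8_t lenbuf[2];
    while (maglen > 0 && mag[0] == 0) { mag++; maglen--; }  /* minimal encoding */
    int pad = (maglen == 0 || (mag[0] & 0x80)) ? 1 : 0;   /* keep value non-negative */
    size_t ll = der_len(maglen + pad, lenbuf);
    if (!ll || outlen < 1 + ll + pad + maglen) return 0;
    out[0] = 0x02;
    memcpy(out + 1, lenbuf, ll);
    if (pad) out[1 + ll] = 0x00;
    memcpy(out + 1 + ll + pad, mag, maglen);
    return 1 + ll + pad + maglen;
}

/* (r, s) -> DER SEQUENCE { INTEGER r, INTEGER s }; returns length, 0 on error. */
size_t der_dsa_sig(const uint8_t *r, size_t rlen, const uint8_t *s, size_t slen,
                   uint8_t *out, size_t outlen)
{
    uint8_t body[140], lenbuf[2];   /* room for two 64-byte components */
    size_t n = der_uint(r, rlen, body, sizeof body);
    if (!n) return 0;
    size_t m = der_uint(s, slen, body + n, sizeof body - n);
    if (!m) return 0;
    size_t ll = der_len(n + m, lenbuf);
    if (!ll || outlen < 1 + ll + n + m) return 0;
    out[0] = 0x30;
    memcpy(out + 1, lenbuf, ll);
    memcpy(out + 1 + ll, body, n + m);
    return 1 + ll + n + m;
}

/* Read one DER length at *p; rejects indefinite and oversized forms. */
static int der_read_len(const uint8_t **p, const uint8_t *end, size_t *len)
{
    if (*p >= end) return 0;
    uint8_t b = *(*p)++;
    if (b < 0x80) *len = b;
    else if (b == 0x81 && *p < end) *len = *(*p)++;
    else return 0;
    return (size_t)(end - *p) >= *len;
}

/* DER INTEGER -> magnitude; must be non-negative and minimally encoded. */
static int der_read_uint(const uint8_t **p, const uint8_t *end, const uint8_t **mag, size_t *maglen)
{
    size_t len;
    if (*p >= end || *(*p)++ != 0x02 || !der_read_len(p, end, &len) || len == 0) return 0;
    if ((*p)[0] & 0x80) return 0;                                   /* negative */
    if (len > 1 && (*p)[0] == 0x00 && !((*p)[1] & 0x80)) return 0;  /* non-minimal */
    *mag = *p; *maglen = len;
    if (len > 1 && (*p)[0] == 0x00) { (*mag)++; (*maglen)--; }     /* drop sign pad */
    *p += len;
    return 1;
}

/* DER DSA_SIG -> (r, s) magnitudes pointing into der; 1 on success, 0 if malformed. */
int der_parse_dsa_sig(const uint8_t *der, size_t derlen,
                      const uint8_t **r, size_t *rlen, const uint8_t **s, size_t *slen)
{
    const uint8_t *p = der, *end = der + derlen;
    size_t len;
    if (p >= end || *p++ != 0x30 || !der_read_len(&p, end, &len) || p + len != end) return 0;
    if (!der_read_uint(&p, end, r, rlen) || !der_read_uint(&p, end, s, slen)) return 0;
    return p == end;
}

/* Round trip on constructed sample values; returns 1 if every check holds. */
int dsa_sig_roundtrip_ok(void)
{
    const uint8_t r[] = {0x00, 0x7f};   /* leading zero must be stripped */
    const uint8_t s[] = {0x80};         /* high bit set: needs a 0x00 sign pad */
    static const uint8_t want[] = {0x30,0x07, 0x02,0x01,0x7f, 0x02,0x02,0x00,0x80};
    uint8_t out[16];
    const uint8_t *pr, *ps; size_t rl, sl;
    size_t n = der_dsa_sig(r, sizeof r, s, sizeof s, out, sizeof out);
    if (n != sizeof want || memcmp(out, want, n) != 0) return 0;
    if (!der_parse_dsa_sig(out, n, &pr, &rl, &ps, &sl)) return 0;
    if (rl != 1 || pr[0] != 0x7f || sl != 1 || ps[0] != 0x80) return 0;
    /* a bare r buffer (what the thread calls padded_sig) is not a DSA_SIG */
    if (der_parse_dsa_sig(r, sizeof r, &pr, &rl, &ps, &sl)) return 0;
    return 1;
}

int main(void)
{
    puts(dsa_sig_roundtrip_ok() ? "DSA_SIG DER round trip OK" : "FAILED");
    return 0;
}
```

The output of `der_dsa_sig` is byte-for-byte what `i2d_DSA_SIG` would emit for the same r and s, so it is the buffer to hand to `EVP_PKEY_verify` on a DSA key; the parser is the strict direction a verifier wants, rejecting negative or non-minimal INTEGERs rather than silently accepting an alternative encoding of the same signature.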
Re: [Rpm-maint] [rpm-software-management/rpm] Move OpenSSL code to newer API (PR #2723)
Merged #2723 into master. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2723#event-10883272168
Re: [Rpm-maint] [rpm-software-management/rpm] Move OpenSSL code to newer API (PR #2723)
Okay, this has hung around long enough now. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2723#issuecomment-1798004671
Re: [Rpm-maint] [rpm-software-management/rpm] Move OpenSSL code to newer API (PR #2723)
That would be great, it's not that I have a clue about OpenSSL either. I just banged it with a hammer until it seemed to work. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2723#issuecomment-1772906920
Re: [Rpm-maint] [rpm-software-management/rpm] Move OpenSSL code to newer API (PR #2723)
@pmatilai: I'm not an expert on OpenSSL. [We were recently contacted by the RedHat Crypto Team](https://gitlab.com/sequoia-pgp/sequoia/-/issues/1054) (cc: @simo5, @sahanaprasad07) about a similar change, and they offered to help with the porting and review. I suspect they'll be willing to take a look at this, too. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2723#issuecomment-1772173636
Re: [Rpm-maint] [rpm-software-management/rpm] Move OpenSSL code to newer API (PR #2723)
Ack, thought so. I don't see the version requirement as a problem (being non-default etc), just that the docs + build require needs updating, which is done now :+1: This looks fine to me but then I haven't got the slightest about the openssl API, would be nice to have someone more familiar with stuff have a look. @sgallagher , @DemiMarie , @nwalfield - can you have a look / know someone who could? -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2723#issuecomment-1772130550
Re: [Rpm-maint] [rpm-software-management/rpm] Move OpenSSL code to newer API (PR #2723)
OK, turns out this is code based on OpenSSL 3.0 which is from 2021. So it is a bit new. Otoh it no longer is the default variant to be built and the next release shouldn't be backported to some ancient enterprise distribution. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2723#issuecomment-1771236646
Re: [Rpm-maint] [rpm-software-management/rpm] Move OpenSSL code to newer API (PR #2723)
@ffesti pushed 1 commit. 32b12aec2d81690f271cd1cde8b8bf72c358229a Move OpenSSL code to newer API from version 3.0 -- View it on GitHub: https://github.com/rpm-software-management/rpm/pull/2723/files/009daa3ab584b0e271f08d717c19daaa18de3eed..32b12aec2d81690f271cd1cde8b8bf72c358229a
Re: [Rpm-maint] [rpm-software-management/rpm] Move OpenSSL code to newer API (PR #2723)
Doesn't this bump the required OpenSSL version to something newer than 1.0.2 which is the oldest currently supported version? -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2723#issuecomment-1766431891
Re: [Rpm-maint] [rpm-software-management/rpm] Move OpenSSL code to newer API (PR #2723)
I'm getting this on a local build (this code isn't getting built at all in the CI):

```
/home/pmatilai/repos/rpm/rpmio/rpmpgp_legacy/digest_openssl.c: In function ‘constructRSASigningKey’:
/home/pmatilai/repos/rpm/rpmio/rpmpgp_legacy/digest_openssl.c:223:5: error: ‘param_bld’ may be used uninitialized [-Werror=maybe-uninitialized]
  223 |     OSSL_PARAM_BLD_free(param_bld);
      |     ^~
/home/pmatilai/repos/rpm/rpmio/rpmpgp_legacy/digest_openssl.c:201:21: note: ‘param_bld’ was declared here
  201 |     OSSL_PARAM_BLD *param_bld = OSSL_PARAM_BLD_new();
      |                     ^
/home/pmatilai/repos/rpm/rpmio/rpmpgp_legacy/digest_openssl.c:224:5: error: ‘params’ may be used uninitialized [-Werror=maybe-uninitialized]
  224 |     OSSL_PARAM_free(params);
      |     ^~~
/home/pmatilai/repos/rpm/rpmio/rpmpgp_legacy/digest_openssl.c:208:17: note: ‘params’ was declared here
  208 |     OSSL_PARAM *params = OSSL_PARAM_BLD_to_param(param_bld);
      |                 ^~
cc1: all warnings being treated as errors
```

-- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2723#issuecomment-1766311797
Re: [Rpm-maint] [rpm-software-management/rpm] Move OpenSSL code to newer API (PR #2723)
@ffesti commented on this pull request. > if (!constructDSASigningKey(key)) goto done; if (!constructDSASignature(sig)) goto done; -if (DSA_do_verify(hash, hashlen, sig->dsa_sig, key->dsa_key) == 1) +pkey_ctx = EVP_PKEY_CTX_new(key->evp_pkey, NULL); +if (!pkey_ctx) +goto done; + +if (EVP_PKEY_verify_init(pkey_ctx) != 1) +goto done; + +//if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PADDING) <= 0) +//goto done; Yup, it's gone now. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2723#discussion_r1361953902
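Review bot: The error path in this hunk needs checking for a leak: `pkey_ctx = EVP_PKEY_CTX_new(key->evp_pkey, NULL);` succeeds and then `if (EVP_PKEY_verify_init(pkey_ctx) != 1) goto done;` jumps out, so the `done:` label (not shown in the hunk) must call `EVP_PKEY_CTX_free(pkey_ctx)`, which is safe on NULL, and `pkey_ctx` must be initialised to NULL before the earlier `goto done` branches from `constructDSASigningKey`/`constructDSASignature` reach it; otherwise the same maybe-uninitialized pattern the build log reported for `param_bld` and `params` will recur here.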
Re: [Rpm-maint] [rpm-software-management/rpm] Move OpenSSL code to newer API (PR #2723)
@ffesti pushed 1 commit. 009daa3ab584b0e271f08d717c19daaa18de3eed Move OpenSSL code to newer API -- View it on GitHub: https://github.com/rpm-software-management/rpm/pull/2723/files/f23f894620350dbe35384eb22c88fbca51d0502e..009daa3ab584b0e271f08d717c19daaa18de3eed
Re: [Rpm-maint] [rpm-software-management/rpm] Move OpenSSL code to newer API (PR #2723)
@pmatilai commented on this pull request. > if (!constructDSASigningKey(key)) goto done; if (!constructDSASignature(sig)) goto done; -if (DSA_do_verify(hash, hashlen, sig->dsa_sig, key->dsa_key) == 1) +pkey_ctx = EVP_PKEY_CTX_new(key->evp_pkey, NULL); +if (!pkey_ctx) +goto done; + +if (EVP_PKEY_verify_init(pkey_ctx) != 1) +goto done; + +//if (EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PADDING) <= 0) +//goto done; Leftovers? -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2723#pullrequestreview-1680183986
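Review bot: The removed `DSA_do_verify(hash, hashlen, sig->dsa_sig, key->dsa_key)` consumed the `DSA_SIG` built by `constructDSASignature(sig)` directly, but the `EVP_PKEY_verify` path that replaces it takes the signature as a byte buffer in DER form (`SEQUENCE { INTEGER r, INTEGER s }`, i.e. the output of `i2d_DSA_SIG`); the hunk keeps the `constructDSASignature(sig)` call yet shows no encoding step, so the verify call that follows should be checked to confirm it receives the `i2d_DSA_SIG` output and not a raw r or r||s buffer, and a DSA signature test case would catch this. The two commented-out `EVP_PKEY_CTX_set_rsa_padding` lines should be deleted rather than left as comments: this is the DSA verify path and RSA padding has no meaning for a DSA key.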
Re: [Rpm-maint] [rpm-software-management/rpm] Move OpenSSL code to newer API (PR #2723)
You'll need to rebase this first. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2723#issuecomment-1764567534
[Rpm-maint] [rpm-software-management/rpm] Move OpenSSL code to newer API (PR #2723)
Avoid the now deprecated RSA and DSA data types and use the generic EVP_PKEY

Resolves: #2294

You can view, comment on, or merge this pull request online at: https://github.com/rpm-software-management/rpm/pull/2723

-- Commit Summary --
* Move OpenSSL code to newer API

-- File Changes --
M rpmio/digest_openssl.c (105)

-- Patch Links --
https://github.com/rpm-software-management/rpm/pull/2723.patch
https://github.com/rpm-software-management/rpm/pull/2723.diff

-- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/2723
Message ID: rpm-software-management/rpm/pull/2...@github.com