Seems I've managed to thoroughly confuse myself with the recent split :joy:
So yup, we still need to support the internal parser in 4.19.x but *this*
change is not there, and while we still have openssl-related code in >= 4.20,
DSA is not part of it.
--
AFAICT the code in question was never released, so there's nothing to fix on
your side. (I already fixed it in the "legacy" parser repo)
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/2723#issuecomment-2063893785
I would think people can just install those w/o checking the signatures ... but
I am not advocating against fixes
--
There may not be DSA keys in active use but they do exist in old distros and
packages people may want to install for whatever reason. If we broke it we
should fix it.
--
> @mlschroe there are still DSA keys in use somewhere?
[FESCO decided](https://pagure.io/fesco/issue/2960) that Fedora 38
would continue to accept DSA keys, and that Fedora 39 should disable them.
Looking at the fedora crypto policies repository, however, [they appear to
still be allow
@mlschroe there are still DSA keys in use somewhere?
--
I think you broke DSA signatures: it calls `EVP_PKEY_verify` with `padded_sig`
which is constructed from just `sig->r`. But `constructDSASignature` (called
at the beginning) takes `sig->r` and `sig->s` and creates a DSA_SIG from it.
I'm pretty sure PKEY_verify needs to be passed something DER encoded
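The encoding question raised in the comment above, as an added example that is not code from rpm or from the thread: a dependency-free C encoder for the `SEQUENCE { INTEGER r, INTEGER s }` form that OpenSSL's `i2d_DSA_SIG` produces, showing that both `r` and `s` go into the buffer given to the verify call. The function names, the `MAX_MPI` bound and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_MPI 128 /* assumed upper bound on the byte length of r and s */

/* DER length octets: short form below 128, long form above. */
static size_t der_len(uint8_t *out, size_t len)
{
    if (len < 0x80) { out[0] = (uint8_t)len; return 1; }
    if (len < 0x100) { out[0] = 0x81; out[1] = (uint8_t)len; return 2; }
    out[0] = 0x82; out[1] = (uint8_t)(len >> 8); out[2] = (uint8_t)len;
    return 3;
}

/* One unsigned big-endian value as a minimal, non-negative DER INTEGER. */
static size_t der_uint(uint8_t *out, const uint8_t *v, size_t n)
{
    while (n > 1 && v[0] == 0) { v++; n--; }   /* strip leading zero bytes */
    int pad = (n == 0) || (v[0] & 0x80);        /* high bit set: prepend 0x00 */
    out[0] = 0x02;
    size_t o = 1 + der_len(out + 1, n + pad);
    if (pad) out[o++] = 0x00;
    if (n) memcpy(out + o, v, n);
    return o + n;
}

/* SEQUENCE { INTEGER r, INTEGER s }; returns bytes written, 0 on bad size. */
size_t dsa_sig_to_der(const uint8_t *r, size_t rlen, const uint8_t *s,
                      size_t slen, uint8_t *out, size_t outlen)
{
    uint8_t body[2 * (MAX_MPI + 4)], hdr[4] = { 0x30 };
    if (rlen > MAX_MPI || slen > MAX_MPI) return 0;
    size_t blen = der_uint(body, r, rlen);
    blen += der_uint(body + blen, s, slen);     /* s must be included too */
    size_t hlen = 1 + der_len(hdr + 1, blen);
    if (hlen + blen > outlen) return 0;
    memcpy(out, hdr, hlen);
    memcpy(out + hlen, body, blen);
    return hlen + blen;
}

int main(void)
{
    const uint8_t r[] = { 0x00, 0x8f, 0x01 }, s[] = { 0x7f }; /* constructed */
    uint8_t der[16];
    size_t n = dsa_sig_to_der(r, sizeof r, s, sizeof s, der, sizeof der);
    for (size_t i = 0; i < n; i++) printf("%02x", der[i]);
    putchar('\n');
    return 0;
}
```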
Merged #2723 into master.
--
Okay, this has hung around long enough now.
--
That would be great, it's not that I have a clue about OpenSSL either. I just
banged it with a hammer until it seemed to work.
--
@pmatilai: I'm not an expert on OpenSSL. [We were recently contacted by the
RedHat Crypto Team](https://gitlab.com/sequoia-pgp/sequoia/-/issues/1054) (cc:
@simo5, @sahanaprasad07) about a similar change, and they offered to help with
the porting and review. I suspect they'll be willing to take
Ack, thought so. I don't see the version requirement as a problem (being
non-default etc), just that the docs + build require needs updating, which is
done now :+1:
This looks fine to me but then I haven't got the slightest about the openssl
API, would be nice to have someone more familiar wit
OK, turns out this is code based on OpenSSL 3.0 which is from 2021. So it is a
bit new. Otoh it no longer is the default variant to be built and the next
release shouldn't be backported to some ancient enterprise distribution.
--
@ffesti pushed 1 commit.
32b12aec2d81690f271cd1cde8b8bf72c358229a Move OpenSSL code to newer API from
version 3.0
--
Doesn't this bump the required OpenSSL version to something newer than 1.0.2
which is the oldest currently supported version?
--
I'm getting this on a local build (this code isn't getting built at all in the
CI):
```
/home/pmatilai/repos/rpm/rpmio/rpmpgp_legacy/digest_openssl.c: In function
‘constructRSASigningKey’:
/home/pmatilai/repos/rpm/rpmio/rpmpgp_legacy/digest_openssl.c:223:5: error:
‘param_bld’ may be used uninit
```
@ffesti commented on this pull request.
> if (!constructDSASigningKey(key))
goto done;
if (!constructDSASignature(sig))
goto done;
-if (DSA_do_verify(hash, hashlen, sig->dsa_sig, key->dsa_key) == 1)
+pkey_ctx = EVP_PKEY_CTX_new(key->evp_pkey, NULL);
+i
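Review bot: The removed test compared the result with `== 1`, and whatever verify call follows `EVP_PKEY_CTX_new` should keep that exact comparison rather than a truthiness check, because the EVP verify functions return negative values on error as well as 0 for a bad signature. Suggest writing the new condition so that only a return value of 1 counts as a valid signature and every other value takes the failure path.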
@ffesti pushed 1 commit.
009daa3ab584b0e271f08d717c19daaa18de3eed Move OpenSSL code to newer API
--
@pmatilai commented on this pull request.
> if (!constructDSASigningKey(key))
goto done;
if (!constructDSASignature(sig))
goto done;
-if (DSA_do_verify(hash, hashlen, sig->dsa_sig, key->dsa_key) == 1)
+pkey_ctx = EVP_PKEY_CTX_new(key->evp_pkey, NULL);
+
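Review bot: `pkey_ctx` is assigned only after the two `goto done` exits above it, so if the code under `done` frees it, the variable has to be initialised to NULL at its declaration or the early jumps will hand an uninitialised pointer to the free call. Suggest declaring it as `EVP_PKEY_CTX *pkey_ctx = NULL;` and checking the result of `EVP_PKEY_CTX_new` for NULL before it is used.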
You'll need to rebase this first.
--
Avoid the now deprecated RSA and DSA data types and use the generic EVP_PKEY
Resolves: #2294
You can view, comment on, or merge this pull request online at:
https://github.com/rpm-software-management/rpm/pull/2723
-- Commit Summary --
* Move OpenSSL code to newer API
-- File Changes --