A recent commit 6839e67 requires EVP_PKEY_new_raw_private_key unconditionally, but that interface is only available with very recent OpenSSL releases.
While I know that the intent behind the code change is good, I think we should have a conditional build or some compatible interface because not all distributions can be expected to have this new version of OpenSSL.
I caught this while testing SSSD on one of my VMs which was still F-28 based by the way.
CC @sbose @atikhonov
Metadata Update from @atikhonov: - Issue assigned to atikhonov
Right, this is OpenSSL 1.1.1 API.
Unfortunately, this is not as straightforward as other "compatibility wrappers" in util/crypto/libcrypto/sss_openssl.h
The easiest way would be to give up using the EVP_DigestSign* API and to use the openssl/hmac.h :: HMAC API instead. This is available and is the same in all currently supported OpenSSL branches:
* https://www.openssl.org/docs/man1.1.1/man3/HMAC.html
* https://www.openssl.org/docs/man1.1.0/man3/HMAC.html
* https://www.openssl.org/docs/man1.0.2/man3/HMAC.html
Please do not use HMAC() directly, use EVP_DigestSign().
HMAC() may be OK to use in a "fallback" function, enabled conditionally at build time if EVP_DigestSign() is not available.
I do not see many reasons not to use the HMAC() calls from openssl/hmac.h and they are not particularly low-level as they still call the EVP functions for the hash operations.
There is one caveat though. These functions should be considered as deprecated in the current master (that will be 3.0.0 version) and replaced with EVP_MAC functions.
I'd recommend using the HMAC() functions for now though. There is no point in using the EVP_DigestSign interface for MAC operations as the preferred API for MACs will be changed to the EVP_MAC API in 3.0.0 anyway.
Yes, the main issue I wanted to avoid is using functions that are going to be deprecated. In the 3.0 plans there will be a new crypto backend in OpenSSL that will not be hooked up to the legacy functions, and eventually those legacy functions will go away.
However I guess we can stick to HMAC() for a little while longer while we wait for the new API in 3.0, and then just move directly there skipping the EVP_DigestSign API.
PR: https://github.com/SSSD/sssd/pull/833
Metadata Update from @atikhonov: - Issue tagged with: PR
Commit ee23b8e fixes this issue
Metadata Update from @jhrozek: - Issue set to the milestone: SSSD 2.3
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4996
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.