#4026 EVP_PKEY_new_raw_private_key() was only added in OpenSSL 1.1.1
Closed: Fixed 2 years ago by jhrozek. Opened 2 years ago by jhrozek.

A recent commit 6839e67 requires EVP_PKEY_new_raw_private_key unconditionally, but that interface is only available with very recent OpenSSL releases.

While I know that the intent behind the code change is good, I think we should have a conditional build or some compatible interface because not all distributions can be expected to have this new version of OpenSSL.

I caught this while testing SSSD on one of my VMs which was still F-28 based by the way.


Metadata Update from @atikhonov:
- Issue assigned to atikhonov

2 years ago

A recent commit 6839e67 requires EVP_PKEY_new_raw_private_key unconditionally, but that interface is only available with very recent OpenSSL releases.

Right, this is OpenSSL 1.1.1 API.

While I know that the intent behind the code change is good, I think we should have a conditional build or some compatible interface because not all distributions can be expected to have this new version of OpenSSL.

Unfortunately, this is not as straightforward as other "compatibility wrappers" in util/crypto/libcrypto/sss_openssl.h

The easiest way would be to give up using EVP_DigestSign* API and to use openssl/hmac.h :: HMAC API instead. This is available and is the same in all currently supported OpenSSL branches:
* https://www.openssl.org/docs/man1.1.1/man3/HMAC.html
* https://www.openssl.org/docs/man1.1.0/man3/HMAC.html
* https://www.openssl.org/docs/man1.0.2/man3/HMAC.html

Please do not use HMAC() directly, use EVP_DigestSign()

HMAC() may be OK to use in a "fallback" function to be enabled conditionally at build time if EVP_DigestSign() is not available.

I do not see many reasons not to use the HMAC() calls from
openssl/hmac.h and they are not particularly low-level as they still
call the EVP functions for the hash operations.

There is one caveat though. These functions should be considered as
deprecated in the current master (that will be 3.0.0 version) and
replaced with EVP_MAC functions.

I'd recommend using the HMAC() functions for now though. There is no
point in using the EVP_DigestSign interface for MAC operations as the
preferred API for MACs will be changed to the EVP_MAC API in 3.0.0
anyway.

Yes, the main issue I wanted to avoid is to use functions that are going to be deprecated.
In 3.0 plans there will be new crypto backend in OpenSSL that will not be hooked up to the legacy function, and eventually those legacy functions will go away.

However I guess we can stick to HMAC() for a little while longer while we wait for the new API in 3.0, and then just move directly there skipping the EVP_DigestSign API.

Metadata Update from @atikhonov:
- Issue tagged with: PR

2 years ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.3

2 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4996

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
