Upgrade to OpenSSL 3 #162
Conversation
I notice new include files. What happens if this is built on a system that doesn't yet support openssl 3?

The new include files already existed in OpenSSL < 3, but there needs to be the appropriate feature detection in

See also #135.

Rebased, and added a tiny commit which restores compatibility with OpenSSL version 1.1.1. The pull request as now proposed simply moves to the non-deprecated APIs in OpenSSL 3, but all APIs were already present in OpenSSL 1.1.1.
I'm likely to merge this, but which OpenSSL 3 system did you test it on?

@thegushi I used Ubuntu 22.04 LTS with the packaged OpenSSL 3.0.2. It's good that for once a pull request is not received with total radio

I'm using this patchset (with openssl-3.1.0). RSA and Ed25519 signing as well as validation work as expected.
This code is setting crypto_keysize (key size in bits) as EVP_PKEY_size() * 8. That's not right. EVP_PKEY_size() returns a suggested buffer size, not the key size in bytes. https://docs.openssl.org/1.1.1/man3/EVP_PKEY_size It's strange that it seems to work out for RSA. For Ed25519 it doesn't. Ed25519 always has a 256-bit key and EVP_PKEY_size() returns 64. Instead use EVP_PKEY_bits() (same man page above) which returns the number of key bits directly. It works for both RSA and Ed25519. Careful with the search & replace though. EVP_PKEY_size() is also being used to set crypto_outlen, which seems right.
Depends-On: trusteddomainproject#162

This should be merged after PR trusteddomainproject#162, "Upgrade to OpenSSL 3".

1. opendkim-genkey: require openssl >= 1.1.1 for ed25519 instead of == 1.1.1.
2. opendkim-testkey: Add options 1, 2, and e to create an rsa-sha1, rsa-sha256, or ed25519 signature, respectively. Rsa-sha256 is the default. Previously the tool only created rsa-sha1 signatures.
3. opendkim-genzone: Debian's opendkim includes nsupdate_output.patch which was added long ago for Debian bug 849540: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=849540 The patch originally came from a bug reported against 2.10.3 in the opendkim sourceforge bug database: https://sourceforge.net/p/opendkim/feature-requests/200 Somehow that sourceforge bug and fix didn't make it to opendkim github. That patch fixes nsupdate output formatting and adds a key usage option. This patch does that and adds support for ed25519.
The proposed change upgrades OpenSSL to version 3.
The change is not too big, it looks sensible to me, it is backwards compatible, and the test suite passes. I have done successful manual testing using opendkim-testmsg for both signing and verifying, using the signature algorithms rsa-sha256 and ed25519-sha256. configure.ac hasn't been updated yet. Feedback welcome.