Closed jprjr closed 2 years ago
There's still some deprecation warnings around some low-level object functions (RSA_new, DSA_new) but IMO, that effort could be done in a separate update, it's a bit more involved than changing some function signatures.
So I've compiled on Ubuntu 22.04 (OpenSSL 3.0.0) and Arch Linux (OpenSSL 1.1.1), and successfully ran the 95-kdf.lua script in the regress directory. I also ran the other scripts in the regress directory, but I figure that 95-kdf.lua script covers what's being updated in this PR.
Hi @daurnimator, do you plan a new release on luarocks with this fix?
I've now tested this on debian jessie (OpenSSL 1.0.1t 3 May 2016) and confirmed it works there; I think that's as old as we need to go these days.
Could you do a new release? Thank you!
Would it also be possible to tag a new release on GH so that distros could start packaging the new version?
Thank you for providing a new release!
Hi there - I took a crack at updating this Lua module to work with OpenSSL 3.0.0 (issue #195), by trying to make the EVP_KDF-emulating functions more closely match the OpenSSL 3.0.0 signatures.
I'd very much welcome feedback on this, there's one area where I'm not sure if I'm doing the right thing or not -
Previously, when using EVP_KDF_ctrl with EVP_KDF_CTRL_SET_MD - that uses some opaque message digest type. It looks like in OpenSSL 3.0.0, if you set the digest, they expect a printable string. I'm unsure if mk_checkdigest is just taking a regular printable string and converting it to that custom type?
I'm also not super-stoked about OpenSSL adding this new OSSL_PARAM type and requiring its usage - this resulted in having a whole lot of #if directives in the kdf_derive function. The only other way I see getting around that would be actually defining the OSSL_PARAM type and writing those construct functions, then write a replacement EVP_KDF_CTX_set_params function that iterates through the params and calls EVP_KDF_ctrl with the appropriate arguments.
There's a good number of deprecation warnings, but as far as I can tell it works correctly. But could/should probably get more eyes on it and tested.
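The alternative raised in the PR description above, as an added example that is not code from the PR or from luaossl: a set_params-style replacement that walks a NULL-terminated parameter array and forwards each entry to a ctrl-style setter, rejecting anything it does not recognise. Every name here (compat_param, compat_ctx, compat_ctrl, compat_set_params, demo), the key strings and the toy context are assumptions made for illustration; a real shim would use the library's own types and resolve the digest name to a digest object.

```c
#include <stdarg.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for this example; not OpenSSL's or luaossl's definitions. */
enum { CTRL_SET_MD = 1, CTRL_SET_PASS, CTRL_SET_ITER };
enum { P_UTF8 = 1, P_OCTETS, P_UINT };
typedef struct { const char *key; int type; const void *data; size_t size; } compat_param;
typedef struct { const char *md; const unsigned char *pass; size_t passlen; unsigned iter; } compat_ctx;

/* Legacy ctrl-style setter: one command id plus variadic arguments. */
int compat_ctrl(compat_ctx *c, int cmd, ...) {
    va_list ap;
    int ok = 1;
    va_start(ap, cmd);
    switch (cmd) {
    case CTRL_SET_MD:   c->md = va_arg(ap, const char *); break;
    case CTRL_SET_PASS: c->pass = va_arg(ap, const unsigned char *);
                        c->passlen = va_arg(ap, size_t); break;
    case CTRL_SET_ITER: c->iter = va_arg(ap, unsigned); ok = c->iter > 0; break;
    default:            ok = 0;
    }
    va_end(ap);
    return ok;
}

/* set_params replacement: one ctrl call per entry; unknown keys or types fail closed. */
int compat_set_params(compat_ctx *c, const compat_param *p) {
    for (; p != NULL && p->key != NULL; p++) {
        int ok = 0;
        if (!strcmp(p->key, "digest") && p->type == P_UTF8)
            ok = compat_ctrl(c, CTRL_SET_MD, (const char *)p->data);
        else if (!strcmp(p->key, "pass") && p->type == P_OCTETS)
            ok = compat_ctrl(c, CTRL_SET_PASS, (const unsigned char *)p->data, p->size);
        else if (!strcmp(p->key, "iter") && p->type == P_UINT && p->size == sizeof(unsigned))
            ok = compat_ctrl(c, CTRL_SET_ITER, *(const unsigned *)p->data);
        if (!ok) return 0;
    }
    return 1;
}

/* Constructed input: returns the stored iteration count, or 0 if the shim rejected it. */
unsigned demo(const char *iter_key, unsigned iter) {
    compat_ctx c = {0};
    compat_param params[] = { { "digest", P_UTF8, "sha256", 6 },
                              { "pass", P_OCTETS, "constructed-password", 20 },
                              { iter_key, P_UINT, &iter, sizeof iter }, { NULL, 0, NULL, 0 } };
    return compat_set_params(&c, params) ? c.iter : 0;
}
int main(void) { return demo("iter", 4096) == 4096 ? 0 : 1; }
```

Rejecting unknown keys matters for a KDF shim: a misspelled parameter name that was silently skipped would leave the derivation running without the value the caller intended.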