New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using EVP_md_null results in crash in OpenSSL 3 #16660
Comments
I suspected a possible workaround might be to use
to allow the While this allows for |
I think things are more complicated. I don't think we should allocate the null algorithm it's own NID because this will likely cause all manner of issues. @levitte any ideas? |
Yeah, I'm not quite sure what is going on with all of that code. I stared at it for hours, and concluded that it would probably be best if OpenSSL upstream figured this one out. However, this is breaking a few real-world applications, like apk-tools, which sometimes uses the null algorithm. |
Using However there is clearly a discrepancy here. We have some "special" handling for Lines 172 to 176 in 8b6a7da
|
@kaniini I stumbled over your post on alpinelinux.org and I'm sorry to hear that the stalled state of this issue seems to create some frustration in the alpine Linux community. Mind telling us why you did not just ping us here and tell us about it? cc @openssl/otc |
This is necessary to keep compatibility with 1.1.1. Fixes openssl#16660
Fix in #17016 |
We already had a workaround for apk-tools, e.g. just not using On top of that, we were quite busy reverting back to OpenSSL 1.1 due to other regressions caused by the providers modularization (this bug, also programs expecting the legacy provider to be available but not loading it themselves) and lack of downstream preparedness. No amount of pinging OpenSSL developers would resolve the fact that MariaDB is not ready. As the Alpine OpenSSL 3 transition was something I owned responsibility for, I had to explain why it got aborted to the TSC regardless, as that is our policy whenever a contingency plan is triggered. As for the frustration, it is not just this issue, but all of the issues I outlined in my report. Given that the OpenSSL 3 migration had an outcome where our contingency plan came into effect, I believe it to be the most prudent course of action to evaluate all possible options before committing to trying the OpenSSL 3 migration again, such an evaluation would be required by the TSC anyway. |
I'm waiting to start the transition to 3.0 in Debian because I
know there are over a 100 packages that have an issue with it.
After such a large change, I expect things to break one way or an
other. But I do expect to start it soon.
|
This is necessary to keep compatibility with 1.1.1. Fixes openssl#16660 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from openssl#17016)
Consider the following code:
When run under OpenSSL 1.1, this code will finish successfully. Under OpenSSL 3, it crashes.
The reason why is because the null
EVP_MD
object has atypical behavior for a legacy module, soEVP_DigestInit_ex
exits and returns 0 at crypto/evp/digest.c:233, becauseEVP_MD_fetch
does not supportmd_null
.One option might be to make
EVP_MD_fetch
returnmd_null
, when theNID_undef
is passed in. Another option might be to updatemd_null
to the new API, making it no longer a "legacy" module.I'm willing to investigate doing either, but would like some guidance first.
The text was updated successfully, but these errors were encountered: