Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Load the legacy providers from OpenSSL 3 #9290

Open
wants to merge 3 commits into
base: master
Choose a base branch
from

Conversation

Atry
Copy link
Contributor

@Atry Atry commented Nov 2, 2022

Summary:
openssl_seal is by default using RC4. However RC4 is only available from the legacy providers in OpenSSL 3, which is not loaded by default.

This diff loads the legacy providers so that openssl_seal will not fail with default parameters.

See https://www.openssl.org/docs/man3.0/man7/crypto.html#:~:text=md_whirlpool)%3B%0AEVP_MD_free(md_sha256)%3B-,OPENSSL%20PROVIDERS,-OpenSSL%20comes%20with for providers in OpenSSL 3

Internal:

We should also consider removing the default value 'RC4' from openssl_seal like what PHP 8.0 did, because RC4 is vulnerable.

Differential Revision: D40942189

Atry and others added 3 commits November 2, 2022 10:46
Differential Revision: D40942193

fbshipit-source-id: 3b58a588ad34cda7831feed4d62321ce2411e66b
Summary:
This diff applies the approach similar to php/php-src@26a51e8 in order to fix behavior changes in OpenSSL 3

Pull Request resolved: facebook#9282

Test Plan:
The existing tests should still pass with OpenSSL 1.1
```
"$HHVM_BIN" hphp/test/run.php hphp/test/slow/ext_openssl/ext_openssl.php
```

Differential Revision: D40876120

Pulled By: Atry

fbshipit-source-id: a0d7d9932da78f06b986096f45a03d169331f38c
Summary:
`openssl_seal` is by default using RC4. However RC4 is only available from the legacy providers in OpenSSL 3, which is not loaded by default.

This diff loads the legacy providers so that `openssl_seal` will not fail with default parameters.

See https://www.openssl.org/docs/man3.0/man7/crypto.html#:~:text=md_whirlpool)%3B%0AEVP_MD_free(md_sha256)%3B-,OPENSSL%20PROVIDERS,-OpenSSL%20comes%20with for providers in OpenSSL 3

## Internal:
We should also consider removing the default value `'RC4'` from `openssl_seal` like [what PHP 8.0 did](https://www.php.net/manual/en/function.openssl-seal.php), because RC4 is vulnerable.

Differential Revision: D40942189

fbshipit-source-id: 5669e7ba2caf09b6e2c12b7de709141276308513
@facebook-github-bot
Copy link
Contributor

This pull request was exported from Phabricator. Differential Revision: D40942189

@facebook-github-bot
Copy link
Contributor

Hi @Atry!

Thank you for your pull request.

We require contributors to sign our Contributor License Agreement, and yours needs attention.

You currently have a record in our system, but the CLA is no longer valid, and will need to be resubmitted.

Process

In order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA.

Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with CLA signed. The tagging process may take up to 1 hour after signing. Please give it that time before contacting us about it.

If you have received this in error or have any questions, please contact us at cla@meta.com. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants