On 06/11/2016 02:30 PM, Kurt Roeckx wrote: > There is an upstream wiki page for this at: > https://wiki.openssl.org/index.php/1.1_API_Changes > > If things aren't clear, you have questions, are there are missing > access functions please contact us.
I'm currently packaging a piece of software (open-isns, [1]) that uses libcrypto functions internally. While trying to make sure that it will compile against OpenSSL 1.1 (and hence be binNMU-able), most of the things were straight-forward (opaque structures now requiring getters), but I have encountered the following issue that doesn't appear to be completely trivial to me: the software uses DSA+SHA1 as its signature algoritm [2], and effectively boils down to the following code to generate signatures: md_ctx = EVP_MD_CTX_new(); EVP_SignInit(md_ctx, EVP_dss1()); EVP_DigestUpdate(md_ctx, /* stuff */); EVP_SignFinal(md_ctx, signature, &sig_len, pkey); EVP_MD_CTX_free(md_ctx); (Verification is analogous with VerifyInit/VerifyFinal.) The problem is that EVP_dss1() doesn't exist anymore in OpenSSL 1.1. If I understand the man page correctly, EVP_dss1 is a hack in really old OpenSSL versions (how old btw.?) to support SHA1 signatures with DSA, because back then the hash algorithms were tied to the public key algorithms. So is it correct to simply replace EVP_dss1() with EVP_sha1() in the above code and it will still produce DSA signatures? Or do I have to do something else to achieve the same results? Regards, Christian [1] ITP: https://bugs.debian.org/799061 [2] This is demanded by the iSNS protocol, RFC 4171. I know that one would want to use other algorithms today.
