New crypto provider via OpenSSL library #5382
Open
This new `ossl` crypto provider encapsulates the ability to use log encryption in the `omfile` module. It provides the same functionality as `gcry`; additionally:

- […] `EVP_CIPHER_fetch()` call. The same applies to the mode parameter.
- […] `--enable-openssl`, the ossl crypto provider will also be included in both `omfile` and also `rscryutil`.

[…] https://lists.gnupg.org/pipermail/gcrypt-devel/2024-March/005607.html (see the whole thread)
Some might be worried about other side-channel vulnerabilities against it, like the Minerva Attack [1] and the Raccoon Attack [2], given the way they handled one of the oldest, well-known, and most straightforward side-channel attacks. They did downgrade their threat model as a result of Marvin too: https://gnupg.org/documentation/security.html. I don't see it as a proper way to deal with potential threats.

[1] https://minerva.crocs.fi.muni.cz/
[2] https://raccoon-attack.com/
Default behavior is preserved. I've tested a few different scenarios and the two crypto providers can work in tandem, but I don't suggest mixing them.

In order to put it into action, add `cry.provider="ossl"` to an omfile action. Generate some syslog messages, and finally use `rscryutil` with `--lib=ossl`. The only difference is that if you alter the algorithm/mode, you must do it in one step, e.g.:

`./tools/rscryutil -k keyfile -l ossl -a AES-256-CBC encryptedfile` for ossl
`./tools/rscryutil -k keyfile -l gcry -a AES256 -m CBC encryptedfile` for gcry

The documentation is currently missing; I will create it if the patch is accepted. Thanks.
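As an added illustration (not part of this PR, and not taken from rsyslog's own documentation), here is how the two providers would sit side by side in an rsyslog configuration, with the matching `rscryutil` decryption commands from the description. The gcry parameters `cry.keyfile`, `cry.algo` and `cry.mode` are the ones omfile already documents; that the ossl provider reuses `cry.keyfile` and `cry.algo` with an OpenSSL cipher name as its value is an assumption drawn from the description above, as are the file paths.

```rsyslog
# Added example, not part of the PR. Assumed: the ossl provider takes the same
# cry.keyfile/cry.algo parameters as gcry; paths are illustrative.

# Existing libgcrypt provider: cipher and mode are separate parameters.
action(type="omfile" file="/var/log/secure-gcry.log"
       cry.provider="gcry"
       cry.keyfile="/etc/rsyslog.d/keyfile"
       cry.algo="AES256"
       cry.mode="CBC")

# New OpenSSL provider: the algorithm string goes to EVP_CIPHER_fetch() as-is,
# so cipher and mode are named in one step (parameter name assumed).
action(type="omfile" file="/var/log/secure-ossl.log"
       cry.provider="ossl"
       cry.keyfile="/etc/rsyslog.d/keyfile"
       cry.algo="AES-256-CBC")

# Decrypt afterwards with the matching library, as in the PR description:
#   ./tools/rscryutil -k /etc/rsyslog.d/keyfile -l gcry -a AES256 -m CBC /var/log/secure-gcry.log
#   ./tools/rscryutil -k /etc/rsyslog.d/keyfile -l ossl -a AES-256-CBC /var/log/secure-ossl.log
```

Because the ossl string is handed to OpenSSL unchanged, the configuration accepts any cipher name the loaded OpenSSL providers recognize, so a typo or an unintended mode only surfaces when the fetch fails at runtime rather than at config parse time; check rsyslog's startup output after changing it. Keep the keyfile readable only by the rsyslog user, since whoever can read it can decrypt every file written with either provider.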