Load the legacy providers from OpenSSL 3 #9290
Conversation
Summary: This diff applies the approach similar to php/php-src@26a51e8 in order to fix behavior changes in OpenSSL 3 Pull Request resolved: facebook#9282 Test Plan: The existing tests should still pass with OpenSSL 1.1 ``` "$HHVM_BIN" hphp/test/run.php hphp/test/slow/ext_openssl/ext_openssl.php ``` Differential Revision: D40876120 Pulled By: Atry fbshipit-source-id: a0d7d9932da78f06b986096f45a03d169331f38c
Summary: `openssl_seal` is by default using RC4. However RC4 is only available from the legacy providers in OpenSSL 3, which is not loaded by default. This diff loads the legacy providers so that `openssl_seal` will not fail with default parameters. See https://www.openssl.org/docs/man3.0/man7/crypto.html#:~:text=md_whirlpool)%3B%0AEVP_MD_free(md_sha256)%3B-,OPENSSL%20PROVIDERS,-OpenSSL%20comes%20with for providers in OpenSSL 3 ## Internal: We should also consider removing the default value `'RC4'` from `openssl_seal` like [what PHP 8.0 did](https://www.php.net/manual/en/function.openssl-seal.php), because RC4 is vulnerable. Differential Revision: D40942189 fbshipit-source-id: 5669e7ba2caf09b6e2c12b7de709141276308513
|
This pull request was exported from Phabricator. Differential Revision: D40942189 |
|
Hi @Atry! Thank you for your pull request. We require contributors to sign our Contributor License Agreement, and yours needs attention. You currently have a record in our system, but the CLA is no longer valid, and will need to be resubmitted. ProcessIn order for us to review and merge your suggested changes, please sign at https://code.facebook.com/cla. If you are contributing on behalf of someone else (eg your employer), the individual CLA may not be sufficient and your employer may need to sign the corporate CLA. Once the CLA is signed, our tooling will perform checks and validations. Afterwards, the pull request will be tagged with If you have received this in error or have any questions, please contact us at cla@meta.com. Thanks! |
Summary:
openssl_sealis by default using RC4. However RC4 is only available from the legacy providers in OpenSSL 3, which is not loaded by default.This diff loads the legacy providers so that
openssl_sealwill not fail with default parameters.See https://www.openssl.org/docs/man3.0/man7/crypto.html#:~:text=md_whirlpool)%3B%0AEVP_MD_free(md_sha256)%3B-,OPENSSL%20PROVIDERS,-OpenSSL%20comes%20with for providers in OpenSSL 3
Internal:
We should also consider removing the default value
'RC4'fromopenssl_seallike what PHP 8.0 did, because RC4 is vulnerable.Differential Revision: D40942189