[PATCH] lib/rsa: Remove support for OpenSSL < 1.1.0 and libressl < 2.7.0

Peter Robinson pbrobinson at gmail.com
Thu Sep 2 19:43:58 CEST 2021


On Thu, Sep 2, 2021 at 3:38 PM Tom Rini <trini at konsulko.com> wrote:
>
> On Thu, Sep 02, 2021 at 03:36:43PM +0100, Peter Robinson wrote:
> > On Thu, Sep 2, 2021 at 2:28 PM Tom Rini <trini at konsulko.com> wrote:
> > >
> > > On Thu, Jul 29, 2021 at 01:31:21PM -0500, Alexandru Gagniuc wrote:
> > >
> > > > Older OpenSSL and libressl versions have a slightly different API.
> > > > This requires #ifdefs to support. However, we still can't support it
> > > > because the ECDSA path does not compile with these older versions.
> > > > These #ifdefs are truly a vestigial appendage.
> > > >
> > > > Alternatively, the ECDSA path could be updated for older libraries,
> > > > but this requires significant extra code, and #ifdefs. Those libraries
> > > > are over three years old, and there are concerns whether it makes sense to
> > > > build modern software for real world use against such old libraries.
> > > >
> > > > Thusly, remove #ifdefs and code for old OpenSSL and LibreSSL support.
> > > >
> > > > Signed-off-by: Alexandru Gagniuc <mr.nuke.me at gmail.com>
> > >
> > > Applied to u-boot/next, thanks!
> >
> > According to recent CVE announcements 1.1.0 is out of support [1],
> > does it make sense to just support 1.1.1x and later?
> >
> > [1] https://www.openssl.org/news/secadv/20210824.txt
>
> Good question.  Are there API changes between 1.1.0 and 1.1.1x?

So outside of the new TLS 1.3 feature the release says "What’s more is
that OpenSSL 1.1.1 is API and ABI compliant with OpenSSL 1.1.0" and
depending on how we use openssl it may even be API compatible with 3.0
when it comes out any time now.

https://www.openssl.org/blog/blog/2018/09/11/release111/

