
Stop using sha1 (for `dnf_sack_get_rpmdb_version`)

Open cgwalters opened this issue 4 years ago • 3 comments

Moving this from https://bugzilla.redhat.com/show_bug.cgi?id=1936664

Basically https://github.com/rpm-software-management/libdnf/blob/dnf-4-master/libdnf/utils/crypto/sha1.hpp is (AFAICS) only used by this code, but AFAICS we could switch to e.g. sha256 here, at just the cost of computing a different version.

(It seems like this code should really live in librpm)

cgwalters avatar Nov 02 '21 21:11 cgwalters

We have to change the approach to how we check the rpmdb version. In DNF5 we will use direct information from RPM on whether the rpmdb changed or not. Therefore I recommend skipping the move from sha1 to sha256 so that we don't use our own calculation at all.

j-mracek avatar Nov 08 '21 14:11 j-mracek

Note that with the latest OpenSSL 3 builds, the unconditional use of SHA-1 seems to cause a segfault: https://bugzilla.redhat.com/show_bug.cgi?id=2043476.

adelton avatar Jan 21 '22 11:01 adelton

In fact, the presence of any algorithm obtained from OpenSSL should be checked at run time.

beldmit avatar Jan 21 '22 11:01 beldmit
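The two points raised above, that a digest obtained from the crypto library must be checked for availability at run time rather than assumed, and that switching the rpmdb "version" from sha1 to sha256 only changes the computed value, are illustrated by the following added example. It is not libdnf code: the package-identifier input, the algorithm-prefixed cookie format and the fallback order are constructed for illustration; it uses Python's OpenSSL-backed `hashlib` for the availability check, where the C equivalent would be `EVP_MD_fetch()` returning NULL.

```python
import hashlib

# Digests to try, preferred first. sha1 is kept only as a last resort so a
# build whose OpenSSL provider lacks it degrades instead of crashing
# (constructed policy for this example).
PREFERRED_DIGESTS = ("sha256", "sha1")


def pick_digest(candidates=PREFERRED_DIGESTS):
    """Return the first digest name the runtime crypto library actually offers.

    hashlib.algorithms_available reflects what this process can construct now,
    so the presence check happens at run time, not at compile time.
    """
    available = hashlib.algorithms_available
    for name in candidates:
        if name in available:
            return name
    raise RuntimeError("none of %r is available at run time" % (candidates,))


def rpmdb_version(pkg_ids, digest=None):
    """Compute an rpmdb 'version' cookie over sorted package identifiers.

    The identifiers are a constructed stand-in for what libdnf hashed. The
    cookie is prefixed with the algorithm name so a reader can tell which
    digest produced it after the preferred digest changes.
    """
    algo = digest or pick_digest()
    h = hashlib.new(algo)
    for pid in sorted(pkg_ids):
        h.update(pid.encode("utf-8"))
        h.update(b"\0")  # separator so "ab"+"c" != "a"+"bc"
    return f"{algo}:{h.hexdigest()}"


def rpmdb_changed(old_cookie, pkg_ids):
    """Recompute with the same algorithm the old cookie names.

    A sha1 cookie written by an older build is compared against a sha1
    recomputation, so a preferred-digest change alone does not report a
    spurious rpmdb change. If that algorithm is no longer available, report a
    change so the caller rebuilds under a digest that is available.
    """
    algo, _, _ = old_cookie.partition(":")
    if algo not in hashlib.algorithms_available:
        return True
    return rpmdb_version(pkg_ids, digest=algo) != old_cookie
```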

I think this can be closed, as the "offending" code has already been removed and replaced (6fd718ba8dff16b93679028ddbc0a4aa87dfade3 and 94ab063a35b67b9940effdcd55936246b46ee0e4) and rpm itself has switched to SHA256 for the cookie value.

pmatilai avatar Oct 26 '22 07:10 pmatilai

Closing as resolved

j-mracek avatar Oct 25 '23 10:10 j-mracek