Bug 1939427

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | perl-Dancer-Session-Cookie-0.30-11.fc35 FTBFS: WARNING: The key derivation method "opensslv1" is deprecated. Using -pbkdf=>'pbkdf2' would be better. | | |
| Product | [Fedora] Fedora | Reporter | Petr Pisar <ppisar> |
| Component | perl-Session-Storage-Secure | Assignee | Petr Pisar <ppisar> |
| Status | CLOSED ERRATA | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 34 | CC | jplesnik, perl-devel, ppisar |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| URL | https://koschei.fedoraproject.org/package/perl-Dancer-Session-Cookie | | |
| Whiteboard | | | |
| Fixed In Version | perl-Session-Storage-Secure-0.011-11.fc35 perl-Session-Storage-Secure-0.011-11.fc34 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2021-03-23 00:15:40 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1927309 | | |
Description (Petr Pisar, 2021-03-16 11:57:08 UTC)

This is triggered by a change in Crypt-CBC-3.01:

> Revision history for Perl extension Crypt::CBC.
> 3.01 - Warn when the deprecated opensslv1 PBKDF (key derivation function) is used for encryption. Turn off with -nodeprecate=>1 or by choosing a different PBKDF, such as -pbkdf=>'pbkdf2'.

and caused by Session::Storage::Secure->encode() which does not override the default Crypt::CBC->new() -pbkdf argument:

```perl
my $cbc = Crypt::CBC->new( -key => $key, -cipher => 'Rijndael' );
my ( $ciphertext, $mac );
eval {
    $ciphertext = $self->transport_encoder->( $cbc->encrypt( $self->_freeze($data) ) );
    $mac = $self->transport_encoder->( hmac_sha256( "$expires$sep$ciphertext", $key ) );
};
```

Reproducer:

```
$ perl -MSession::Storage::Secure -e 'Session::Storage::Secure->new(secret_key=>1)->encode()'
WARNING: The key derivation method "opensslv1" is deprecated. Using -pbkdf=>'pbkdf2' would be better. Pass -nodeprecate=>1 to inhibit this message. at /usr/share/perl5/vendor_perl/Session/Storage/Secure.pm line 213.
```

The new CBC::Encrypt defaults to -pbkdf => 'opensslv1' to preserve compatibility and warns about that at the same time. Session::Storage::Secure can either pass -nodeprecate=>1 to silence the warning, or pass -pbkdf => 'pbkdf2' to use a stronger encryption key derivation, pbkdf2. Since changing -pbkdf makes the encrypted data nondecryptable, Session::Storage::Secure should come up with a transition plan for how to move to the stronger PBKDF (e.g. with an old_secrets-like argument).

Please note that -pbkdf => 'opensslv1' uses MD5 underneath and that could become unavailable in the future because of the system-wide crypto-policy enforced by Fedora or an OpenSSL upstream decision.

I know that Session::Storage::Secure uses Digest::SHA::hmac_sha256() to populate the -key argument. And that is currently strong enough. Thus I recommend patching Fedora with -nodeprecate=>1 until upstream resolves it.

FEDORA-2021-ed3306a0fe has been submitted as an update to Fedora 34.
https://bodhi.fedoraproject.org/updates/FEDORA-2021-ed3306a0fe

FEDORA-2021-ed3306a0fe has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-ed3306a0fe` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-ed3306a0fe See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2021-ed3306a0fe has been pushed to the Fedora 34 stable repository. If the problem still persists, please make note of it in this bug report.
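The transition plan the report asks for (write new sessions with pbkdf2 while still decoding sessions written with opensslv1) can be illustrated with a version tag that the HMAC covers. The Perl below is an added example written for this page, not Session::Storage::Secure's code: the `~`-separated "version~ciphertext~mac" layout, the `legacy_encode`, `encode_session` and `decode_session` names, and the sample secret are all constructed for the illustration. It assumes Crypt::CBC 3.01 or later (for `-pbkdf` and `-nodeprecate`), Crypt::Rijndael, Digest::SHA, and a MIME::Base64 that exports the url-safe encode/decode functions.

```perl
#!/usr/bin/perl
# Added illustration for this bug report, not Session::Storage::Secure's code.
# Assumes Crypt::CBC >= 3.01 (-pbkdf / -nodeprecate), Crypt::Rijndael, Digest::SHA
# and a MIME::Base64 that exports the url-safe encode/decode functions.
use strict;
use warnings;
use Crypt::CBC;
use Digest::SHA  qw(hmac_sha256);
use MIME::Base64 qw(encode_base64url decode_base64url);

# Constructed wire format: "<version>~<ciphertext>~<mac>", with url-safe base64
# fields so "~" never appears inside a field.  Version 2 means the ciphertext
# was produced with -pbkdf => 'pbkdf2'; the legacy shape "<ciphertext>~<mac>"
# (no tag) means Crypt::CBC's old default 'opensslv1'.
my %PBKDF_FOR_VERSION = ( 1 => 'opensslv1', 2 => 'pbkdf2' );

sub _cbc {
    my ( $key, $pbkdf ) = @_;
    return Crypt::CBC->new(
        -key         => $key,
        -cipher      => 'Rijndael',
        -pbkdf       => $pbkdf,
        -nodeprecate => 1,    # the legacy path must not warn on every request
    );
}

sub _mac {
    my ( $key, $data ) = @_;
    return encode_base64url( hmac_sha256( $data, $key ) );
}

# Constant-time comparison so the MAC check does not leak through timing.
sub _eq {
    my ( $x, $y ) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord( substr $x, $_, 1 ) ^ ord( substr $y, $_, 1 ) for 0 .. length($x) - 1;
    return $diff == 0;
}

# What a deployment running the old code wrote: opensslv1, no version tag.
sub legacy_encode {
    my ( $secret, $data ) = @_;
    my $ct = encode_base64url( _cbc( $secret, 'opensslv1' )->encrypt($data) );
    return "$ct~" . _mac( $secret, $ct );
}

# New writes always use pbkdf2.  The tag is part of the MACed data, so it
# cannot be rewritten to push the decoder onto the weaker KDF.
sub encode_session {
    my ( $secret, $data ) = @_;
    my $ct = encode_base64url( _cbc( $secret, 'pbkdf2' )->encrypt($data) );
    return "2~$ct~" . _mac( $secret, "2~$ct" );
}

# Accepts both shapes, verifies the MAC first, then decrypts with the KDF
# named by the tag.  Returns undef on any mismatch.
sub decode_session {
    my ( $secret, $string ) = @_;
    my @parts = split /~/, $string, -1;
    my ( $version, $ct, $mac );
    if    ( @parts == 3 ) { ( $version, $ct, $mac ) = @parts }
    elsif ( @parts == 2 ) { ( $version, $ct, $mac ) = ( 1, @parts ) }
    else                  { return }
    my $pbkdf = $PBKDF_FOR_VERSION{$version} or return;
    my $signed = $version == 1 ? $ct : "$version~$ct";
    return unless _eq( $mac, _mac( $secret, $signed ) );
    return _cbc( $secret, $pbkdf )->decrypt( decode_base64url($ct) );
}

# Constructed demonstration input.
my $secret = 'constructed-demo-secret';
my $legacy = legacy_encode( $secret, 'session written before the upgrade' );
my $new    = encode_session( $secret, 'session written after the upgrade' );

print decode_session( $secret, $legacy ), "\n";    # still readable via opensslv1
print decode_session( $secret, $new ),    "\n";    # readable via pbkdf2

# A tag downgraded without re-MACing fails the MAC check, as does a wrong secret.
( my $forged = $new ) =~ s/^2~/1~/;
print defined decode_session( $secret, $forged ) ? "accepted\n" : "rejected\n";
print defined decode_session( 'other', $new )    ? "accepted\n" : "rejected\n";
```

Simply trying pbkdf2 first and falling back to opensslv1 on error would not be a safe plan: CBC with standard padding does not reliably raise an error for a wrong key, so the decoder instead picks the KDF from a tag that the HMAC authenticates, and the opensslv1 path, the only place the deprecated KDF still runs, is where `-nodeprecate => 1` matters. Once no session older than the cookie lifetime can remain, the `1 => 'opensslv1'` entry can be dropped and the MD5-based derivation disappears from the code path entirely.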