Simo Sorce simo@redhat.com writes:
On Tue, 2023-12-05 at 13:17 +1300, Amos Jeffries wrote:
FWIW, In Squid with OpenSSLv3 we use this:
EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)
EVP_PKEY_CTX_new_from_name is the more proper way in OpenSSL 3.0
My current version uses EVP_RSA_gen and EVP_EC_gen, then I only need EVP_PKEY, no EVP_PKEY_CTX. As far as I can tell from the docs, those functions are recommended and not deprecated.
With that change, the valgrind warning disappeared as well.
I've also had to make some changes to nettle-benchmark, it seems blowfish, cast128 and des are no longer supported for the default provider, one would need to somehow enable the "legacy" provider, and crashed (assert failure in the glue code) with recent openssl. It seemed easier to just delete those benchmarks; comparative benchmarking of those algorithms doesn't seem that interesting.
Tangent: Not sure why openssl has demoted blowfish to "legacy", if it's just the shorter 64-bit blocksize that is considered a problem? (According to https://www.schneier.com/academic/blowfish/: "Blowfish was created in 1993. While there is still no practical attack against the cipher, it only has a 64-bit block length and was optimized for 32-bit CPUs. If you are thinking of using this algorithm, I recommend that you use Twofish instead").
Regards, /Niels