Fedora and EPEL updates for various AWS C lib packages

Among the Fedora and EPEL packages I maintain are 11 AWS C lib packages. I wrote some time ago about their function and the challenge of packaging them. Today 9 of those packages received updates to the latest available release. 2 are pending because of dependencies, but I should get them through the door within the next 2-3 weeks as well.

The majority went smoothly, no breaking changes, minor bug fixes, sometimes a patch that had to be updated. But aws-c-cal required a bit more work. Whenever tests are available, I run them as part of the package build. And they started to fail when I wanted to update the package:

98% tests passed, 3 tests failed out of 137
Total Test time (real) =   3.58 sec
The following tests FAILED:
    66 - rsa_signing_roundtrip_pkcs1_sha1_from_user (Failed)
    71 - rsa_verify_signing_pkcs1_sha1 (Failed)
    77 - rsa_signing_mismatch_pkcs1_sha1 (Failed)
Errors while running CTest

The sha1 in the test name led me pretty fast to the problem. In version 0.8.1 some SHA1-related code and tests were added:

I can only assume it's for backward compatibility reasons. The thing is, SHA1 is distrusted in Fedora 41 (Archive: [1], [2]) and RHEL 9 (Archive: [1], [2]).

The code provides additional functionality and will not be called on systems that don't use SHA1 anymore. So the fastest way forward was to patch out the three failing tests and call it a day.

diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 346e38a..e3966cb 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -77,18 +77,15 @@ add_test_case(rsa_encryption_roundtrip_oaep_sha256_from_user)
add_test_case(rsa_encryption_roundtrip_oaep_sha512_from_user)
add_test_case(rsa_signing_roundtrip_pkcs1_sha256_from_user)
add_test_case(rsa_signing_roundtrip_pss_sha256_from_user)
-add_test_case(rsa_signing_roundtrip_pkcs1_sha1_from_user)
add_test_case(rsa_getters)
add_test_case(rsa_private_pkcs1_der_parsing)
add_test_case(rsa_public_pkcs1_der_parsing)
add_test_case(rsa_verify_signing_pkcs1_sha256)
-add_test_case(rsa_verify_signing_pkcs1_sha1)
add_test_case(rsa_verify_signing_pss_sha256)
add_test_case(rsa_decrypt_pkcs1)
add_test_case(rsa_decrypt_oaep256)
add_test_case(rsa_decrypt_oaep512)
add_test_case(rsa_signing_mismatch_pkcs1_sha256)
-add_test_case(rsa_signing_mismatch_pkcs1_sha1)

add_test_case(aes_cbc_NIST_CBCGFSbox256_case_1)
add_test_case(aes_cbc_NIST_CBCVarKey256_case_254)
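Review bot: the three removed add_test_case() lines (rsa_signing_roundtrip_pkcs1_sha1_from_user, rsa_verify_signing_pkcs1_sha1, rsa_signing_mismatch_pkcs1_sha1) are deleted unconditionally, so the SHA-1 signing tests are no longer registered on any build target, including ones whose crypto policy still permits SHA-1. Consider guarding the three calls with a CMake condition or option instead of deleting them, and add a comment at that spot naming the SHA-1 distrust as the reason, so the patch explains itself when it has to be rebased on the next upstream change to this list.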

An overview of all updates today, available in Rawhide (F42) tomorrow at the latest. It will take around one week until they arrive in all stable Fedora and EPEL branches.

Pending are the updates for aws-c-io and aws-c-http. For Rawhide that's a matter of a couple of days. Stable Fedora and EPEL branches are going to take a bit longer, probably 2-3 weeks.
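An alternative to carrying a patch for the three SHA-1 failures discussed above, as an added example that is not from the original post or the aws-c-cal project: these shell functions turn the CTest failure summary into an anchored exclusion regex for `ctest -E` and list any failure that SHA-1 does not explain, so that one can still fail the build. The function names are hypothetical and the `aes_cbc_example` failure in the sample is constructed.

```shell
#!/bin/sh
# Constructed sample: the CTest summary quoted in the post, plus one
# made-up non-SHA-1 failure (aes_cbc_example) to show it is NOT excluded.
SAMPLE_CTEST_OUTPUT='98% tests passed, 4 tests failed out of 137
The following tests FAILED:
    66 - rsa_signing_roundtrip_pkcs1_sha1_from_user (Failed)
    71 - rsa_verify_signing_pkcs1_sha1 (Failed)
    77 - rsa_signing_mismatch_pkcs1_sha1 (Failed)
    90 - aes_cbc_example (Failed)
Errors while running CTest'

# failed_tests: read CTest output on stdin, print one failed test name per
# line. Only names made of [A-Za-z0-9_] are accepted, so the names can be
# placed in a regex without escaping.
failed_tests() {
    sed -n 's/^[[:space:]]*[0-9][0-9]* - \([A-Za-z0-9_]*\) (.*$/\1/p'
}

# sha1_exclude_regex: read CTest output on stdin and print an anchored regex
# matching exactly the failed tests with "sha1" in their name. Prints nothing
# when there is no such failure.
sha1_exclude_regex() {
    names=$(failed_tests | grep -i 'sha1' | sort -u | paste -sd '|' -)
    if [ -n "$names" ]; then
        printf '^(%s)$\n' "$names"
    fi
}

# unexplained_failures: failed tests the SHA-1 exclusion does not cover.
# A package build should stop if this prints anything.
unexplained_failures() {
    failed_tests | grep -iv 'sha1' || true
}

# Typical use in a build script (ctest.log is an assumed file name):
#   ctest -E "$(sha1_exclude_regex < ctest.log)"
```

Because the regex is anchored and built from full test names, the `sha256` and `pss` variants keep running, and a new unrelated failure is not hidden by the exclusion.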
