From: Kees Cook <keescook@chromium.org>
To: Lee Jones <lee.jones@linaro.org>
Cc: David Howells <dhowells@redhat.com>,
David Woodhouse <dwmw2@infradead.org>,
keyrings@vger.kernel.org, Adam Langley <agl@google.com>,
linux-kernel@vger.kernel.org, Eric Biggers <ebiggers@kernel.org>
Subject: Re: [PATCH v2 1/1] sign-file: Do not attempt to use the ENGINE_* API if it's not available
Date: Thu, 10 Mar 2022 08:51:56 -0800 [thread overview]
Message-ID: <202203100851.C00D9AB73@keescook> (raw)
In-Reply-To: <Yicwb+Ceiu8JjVIS@google.com>
On Tue, Mar 08, 2022 at 10:31:11AM +0000, Lee Jones wrote:
> OpenSSL's ENGINE API is deprecated in OpenSSL v3.0.
>
> Use OPENSSL_NO_ENGINE to ensure the ENGINE API is only used if it is
> present. This will safeguard against compile errors when using SSL
> implementations which lack support for this deprecated API.
On Fedora rawhide, I'm still seeing a bunch of warnings:
scripts/sign-file.c: In function 'display_openssl_errors':
scripts/sign-file.c:89:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecat
ed-declarations]
89 | while ((e = ERR_get_error_line(&file, &line))) {
| ^~~~~
In file included from scripts/sign-file.c:29:
/usr/include/openssl/err.h:411:15: note: declared here
411 | unsigned long ERR_get_error_line(const char **file, int *line);
| ^~~~~~~~~~~~~~~~~~
scripts/sign-file.c: In function 'drain_openssl_errors':
scripts/sign-file.c:102:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdepreca
ted-declarations]
102 | while (ERR_get_error_line(&file, &line)) {}
| ^~~~~
/usr/include/openssl/err.h:411:15: note: declared here
411 | unsigned long ERR_get_error_line(const char **file, int *line);
| ^~~~~~~~~~~~~~~~~~
...
>
> Cc: David Howells <dhowells@redhat.com>
> Cc: David Woodhouse <dwmw2@infradead.org>
> Cc: Eric Biggers <ebiggers@kernel.org>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: keyrings@vger.kernel.org
> Co-developed-by: Adam Langley <agl@google.com>
> Signed-off-by: Lee Jones <lee.jones@linaro.org>
> ---
> v2: Clear up subject and patch description to avoid confusion
>
> scripts/sign-file.c | 19 ++++++++++---------
> 1 file changed, 10 insertions(+), 9 deletions(-)
>
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index fbd34b8e8f578..fa3fa59db6669 100644
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -135,7 +135,9 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
> static EVP_PKEY *read_private_key(const char *private_key_name)
> {
> EVP_PKEY *private_key;
> + BIO *b;
>
> +#ifndef OPENSSL_NO_ENGINE
> if (!strncmp(private_key_name, "pkcs11:", 7)) {
> ENGINE *e;
>
> @@ -153,17 +155,16 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
> private_key = ENGINE_load_private_key(e, private_key_name,
> NULL, NULL);
> ERR(!private_key, "%s", private_key_name);
> - } else {
> - BIO *b;
> -
> - b = BIO_new_file(private_key_name, "rb");
> - ERR(!b, "%s", private_key_name);
> - private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
> - NULL);
> - ERR(!private_key, "%s", private_key_name);
> - BIO_free(b);
> + return private_key;
> }
> +#endif
>
> + b = BIO_new_file(private_key_name, "rb");
> + ERR(!b, "%s", private_key_name);
> + private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
> + NULL);
> + ERR(!private_key, "%s", private_key_name);
> + BIO_free(b);
> return private_key;
> }
--
Kees Cook
next prev parent reply other threads:[~2022-03-10 16:52 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-05 16:18 [PATCH 1/1] sign-file: Use OpenSSL provided define to compile out deprecated APIs Lee Jones
2021-10-05 17:01 ` Eric Biggers
2021-10-05 17:14 ` Adam Langley
2021-10-05 17:25 ` Eric Biggers
2021-10-05 17:33 ` Adam Langley
2021-10-05 18:11 ` Lee Jones
2022-03-02 20:52 ` Kees Cook
2022-03-03 9:26 ` Lee Jones
2022-03-03 18:05 ` Kees Cook
2022-03-08 10:31 ` [PATCH v2 1/1] sign-file: Do not attempt to use the ENGINE_* API if it's not available Lee Jones
2022-03-10 16:51 ` Kees Cook [this message]
2022-03-10 17:15 ` Adam Langley
2022-05-15 7:16 ` Salvatore Bonaccorso
2022-05-15 9:40 ` Lee Jones
2022-05-16 15:39 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202203100851.C00D9AB73@keescook \
--to=keescook@chromium.org \
--cc=agl@google.com \
--cc=dhowells@redhat.com \
--cc=dwmw2@infradead.org \
--cc=ebiggers@kernel.org \
--cc=keyrings@vger.kernel.org \
--cc=lee.jones@linaro.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).