All of lore.kernel.org
 help / color / mirror / Atom feed
From: Salvatore Bonaccorso <carnil@debian.org>
To: Kees Cook <keescook@chromium.org>
Cc: David Howells <dhowells@redhat.com>,
	David Woodhouse <dwmw2@infradead.org>,
	Eric Biggers <ebiggers@kernel.org>,
	Shuah Khan <skhan@linuxfoundation.org>,
	keyrings@vger.kernel.org, Adam Langley <agl@google.com>,
	Lee Jones <lee.jones@linaro.org>,
	linux-kernel@vger.kernel.org, linux-hardening@vger.kernel.org
Subject: Re: [PATCH v2] sign-file: Convert API usage to support OpenSSL v3
Date: Thu, 19 May 2022 08:45:36 +0200	[thread overview]
Message-ID: <YoXnkIke2xgSuN6F@eldamar.lan> (raw)
In-Reply-To: <20220518215129.264872-1-keescook@chromium.org>

Hi Kees,

On Wed, May 18, 2022 at 02:51:29PM -0700, Kees Cook wrote:
> OpenSSL's ENGINE API is deprecated in OpenSSL v3.0, along with some
> other functions. Remove the ENGINE use and a macro work-around for
> ERR_get_error_line().
> 
> Cc: David Howells <dhowells@redhat.com>
> Cc: David Woodhouse <dwmw2@infradead.org>
> Cc: Eric Biggers <ebiggers@kernel.org>
> Cc: Shuah Khan <skhan@linuxfoundation.org>
> Cc: Salvatore Bonaccorso <carnil@debian.org>
> Cc: keyrings@vger.kernel.org
> Suggested-by: Adam Langley <agl@google.com>
> Co-developed-by: Lee Jones <lee.jones@linaro.org>
> Signed-off-by: Lee Jones <lee.jones@linaro.org>
> Signed-off-by: Kees Cook <keescook@chromium.org>
> ---
> v1: https://lore.kernel.org/lkml/20211005161833.1522737-1-lee.jones@linaro.org/
> v2: https://lore.kernel.org/lkml/Yicwb+Ceiu8JjVIS@google.com/
> v3:
>  - Eliminate all the build warnings with OpenSSL 3
>  - Fully remove ENGINE usage, if it can be optional, just drop it.
> ---
>  scripts/sign-file.c | 49 ++++++++++-----------------------------------
>  1 file changed, 11 insertions(+), 38 deletions(-)
> 
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index fbd34b8e8f57..2d633c5f57c3 100644
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -52,6 +52,10 @@
>  #include <openssl/pkcs7.h>
>  #endif
>  
> +#if OPENSSL_VERSION_MAJOR >= 3
> +#define ERR_get_error_line(f, l)	ERR_get_error_all(f, l, NULL, NULL, NULL)
> +#endif
> +
>  struct module_signature {
>  	uint8_t		algo;		/* Public-key crypto algorithm [0] */
>  	uint8_t		hash;		/* Digest algorithm [0] */
> @@ -92,16 +96,6 @@ static void display_openssl_errors(int l)
>  	}
>  }
>  
> -static void drain_openssl_errors(void)
> -{
> -	const char *file;
> -	int line;
> -
> -	if (ERR_peek_error() == 0)
> -		return;
> -	while (ERR_get_error_line(&file, &line)) {}
> -}
> -
>  #define ERR(cond, fmt, ...)				\
>  	do {						\
>  		bool __cond = (cond);			\
> @@ -135,35 +129,14 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
>  static EVP_PKEY *read_private_key(const char *private_key_name)
>  {
>  	EVP_PKEY *private_key;
> +	BIO *b;
>  
> -	if (!strncmp(private_key_name, "pkcs11:", 7)) {
> -		ENGINE *e;
> -
> -		ENGINE_load_builtin_engines();
> -		drain_openssl_errors();
> -		e = ENGINE_by_id("pkcs11");
> -		ERR(!e, "Load PKCS#11 ENGINE");
> -		if (ENGINE_init(e))
> -			drain_openssl_errors();
> -		else
> -			ERR(1, "ENGINE_init");
> -		if (key_pass)
> -			ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0),
> -			    "Set PKCS#11 PIN");
> -		private_key = ENGINE_load_private_key(e, private_key_name,
> -						      NULL, NULL);
> -		ERR(!private_key, "%s", private_key_name);
> -	} else {
> -		BIO *b;
> -
> -		b = BIO_new_file(private_key_name, "rb");
> -		ERR(!b, "%s", private_key_name);
> -		private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
> -						      NULL);
> -		ERR(!private_key, "%s", private_key_name);
> -		BIO_free(b);
> -	}
> -
> +	b = BIO_new_file(private_key_name, "rb");
> +	ERR(!b, "%s", private_key_name);
> +	private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
> +					      NULL);
> +	ERR(!private_key, "%s", private_key_name);
> +	BIO_free(b);
>  	return private_key;
>  }

Fixes for us as well the build warnings for sign-file.c (as you noted
the other part is still in extract-cert.c).

Tested-by: Salvatore Bonaccorso <carnil@debian.org>

Regards,
Salvatore

  parent reply	other threads:[~2022-05-19  6:45 UTC|newest]

Thread overview: 5+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-05-18 21:51 [PATCH v2] sign-file: Convert API usage to support OpenSSL v3 Kees Cook
2022-05-18 21:58 ` Kees Cook
2022-05-18 22:59 ` Shuah Khan
2022-05-19  6:45 ` Salvatore Bonaccorso [this message]
2022-05-19 15:21 ` James Bottomley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YoXnkIke2xgSuN6F@eldamar.lan \
    --to=carnil@debian.org \
    --cc=agl@google.com \
    --cc=dhowells@redhat.com \
    --cc=dwmw2@infradead.org \
    --cc=ebiggers@kernel.org \
    --cc=keescook@chromium.org \
    --cc=keyrings@vger.kernel.org \
    --cc=lee.jones@linaro.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=skhan@linuxfoundation.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.