[PATCH 1/1] sign-file: Use OpenSSL provided define to compile out deprecated APIs

[PATCH 1/1] sign-file: Use OpenSSL provided define to compile out deprecated APIs

[Lee Jones]

OpenSSL's ENGINE API is deprecated in OpenSSL v3.0.

Use OPENSSL_NO_ENGINE to disallow its use and fall back on the BIO API.

Cc: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: keyrings@vger.kernel.org
Co-developed-by: Adam Langley <agl@google.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
---
 scripts/sign-file.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index fbd34b8e8f578..fa3fa59db6669 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -135,7 +135,9 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
 static EVP_PKEY *read_private_key(const char *private_key_name)
 {
 	EVP_PKEY *private_key;
+	BIO *b;
 
+#ifndef OPENSSL_NO_ENGINE
 	if (!strncmp(private_key_name, "pkcs11:", 7)) {
 		ENGINE *e;
 
@@ -153,17 +155,16 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
 		private_key = ENGINE_load_private_key(e, private_key_name,
 						      NULL, NULL);
 		ERR(!private_key, "%s", private_key_name);
-	} else {
-		BIO *b;
-
-		b = BIO_new_file(private_key_name, "rb");
-		ERR(!b, "%s", private_key_name);
-		private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
-						      NULL);
-		ERR(!private_key, "%s", private_key_name);
-		BIO_free(b);
+		return private_key;
 	}
+#endif
 
+	b = BIO_new_file(private_key_name, "rb");
+	ERR(!b, "%s", private_key_name);
+	private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
+					      NULL);
+	ERR(!private_key, "%s", private_key_name);
+	BIO_free(b);
 	return private_key;
 }
 
-- 
2.33.0.800.g4c38ced690-goog

Re: [PATCH 1/1] sign-file: Use OpenSSL provided define to compile out deprecated APIs

[Eric Biggers]

On Tue, Oct 05, 2021 at 05:18:33PM +0100, Lee Jones wrote:
> OpenSSL's ENGINE API is deprecated in OpenSSL v3.0.
> 
> Use OPENSSL_NO_ENGINE to disallow its use and fall back on the BIO API.
> 
> Cc: David Howells <dhowells@redhat.com>
> Cc: David Woodhouse <dwmw2@infradead.org>
> Cc: keyrings@vger.kernel.org
> Co-developed-by: Adam Langley <agl@google.com>
> Signed-off-by: Lee Jones <lee.jones@linaro.org>
> ---
>  scripts/sign-file.c | 19 ++++++++++---------
>  1 file changed, 10 insertions(+), 9 deletions(-)
> 
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index fbd34b8e8f578..fa3fa59db6669 100644
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -135,7 +135,9 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
>  static EVP_PKEY *read_private_key(const char *private_key_name)
>  {
>  	EVP_PKEY *private_key;
> +	BIO *b;
>  
> +#ifndef OPENSSL_NO_ENGINE
>  	if (!strncmp(private_key_name, "pkcs11:", 7)) {
>  		ENGINE *e;
>  
> @@ -153,17 +155,16 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
>  		private_key = ENGINE_load_private_key(e, private_key_name,
>  						      NULL, NULL);
>  		ERR(!private_key, "%s", private_key_name);
> -	} else {
> -		BIO *b;
> -
> -		b = BIO_new_file(private_key_name, "rb");
> -		ERR(!b, "%s", private_key_name);
> -		private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
> -						      NULL);
> -		ERR(!private_key, "%s", private_key_name);
> -		BIO_free(b);
> +		return private_key;
>  	}
> +#endif
>  
> +	b = BIO_new_file(private_key_name, "rb");
> +	ERR(!b, "%s", private_key_name);
> +	private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
> +					      NULL);
> +	ERR(!private_key, "%s", private_key_name);
> +	BIO_free(b);
>  	return private_key;
>  }

I ran into these same -Wdeprecated-declarations compiler warnings on another
project that uses the ENGINE API to access OpenSSL's support for PKCS#11 tokens.
The conclusion was that in OpenSSL 3.0, the new API for PKCS#11 support isn't
actually ready yet, so we had to keep using the ENGINE API and just add
-Wno-deprecated-declarations to the compiler flags.

Your patch just removes support for PKCS#11 in that case, which seems
undesirable.  (Unless no one is actually using it?)

- Eric

Re: [PATCH 1/1] sign-file: Use OpenSSL provided define to compile out deprecated APIs

[Adam Langley]

On Tue, Oct 5, 2021 at 10:01 AM Eric Biggers <ebiggers@kernel.org> wrote:
> I ran into these same -Wdeprecated-declarations compiler warnings on another
> project that uses the ENGINE API to access OpenSSL's support for PKCS#11 tokens.
> The conclusion was that in OpenSSL 3.0, the new API for PKCS#11 support isn't
> actually ready yet, so we had to keep using the ENGINE API and just add
> -Wno-deprecated-declarations to the compiler flags.
>
> Your patch just removes support for PKCS#11 in that case, which seems
> undesirable.  (Unless no one is actually using it?)

The patch removes support when OPENSSL_NO_ENGINE is defined, but
that's not defined by default in OpenSSL 3.0. (Unless something
changed recently.)

When OPENSSL_NO_ENGINE is defined, ENGINE support is not compiled into
OpenSSL and the headers don't include the functions:
https://github.com/openssl/openssl/blob/master/include/openssl/engine.h
.


Cheers

AGL

Re: [PATCH 1/1] sign-file: Use OpenSSL provided define to compile out deprecated APIs

[Eric Biggers]

On Tue, Oct 05, 2021 at 10:14:58AM -0700, Adam Langley wrote:
> On Tue, Oct 5, 2021 at 10:01 AM Eric Biggers <ebiggers@kernel.org> wrote:
> > I ran into these same -Wdeprecated-declarations compiler warnings on another
> > project that uses the ENGINE API to access OpenSSL's support for PKCS#11 tokens.
> > The conclusion was that in OpenSSL 3.0, the new API for PKCS#11 support isn't
> > actually ready yet, so we had to keep using the ENGINE API and just add
> > -Wno-deprecated-declarations to the compiler flags.
> >
> > Your patch just removes support for PKCS#11 in that case, which seems
> > undesirable.  (Unless no one is actually using it?)
> 
> The patch removes support when OPENSSL_NO_ENGINE is defined, but
> that's not defined by default in OpenSSL 3.0. (Unless something
> changed recently.)
> 
> When OPENSSL_NO_ENGINE is defined, ENGINE support is not compiled into
> OpenSSL and the headers don't include the functions:
> https://github.com/openssl/openssl/blob/master/include/openssl/engine.h
> .

Okay so this patch is actually a build fix for when OpenSSL doesn't include
ENGINE support?  Currently this patch claims that it's removing the use of a
"deprecated" API, which is something entirely different.

- Eric

Re: [PATCH 1/1] sign-file: Use OpenSSL provided define to compile out deprecated APIs

[Adam Langley]

On Tue, Oct 5, 2021 at 10:25 AM Eric Biggers <ebiggers@kernel.org> wrote:
> Okay so this patch is actually a build fix for when OpenSSL doesn't include
> ENGINE support?

Correct.

> Currently this patch claims that it's removing the use of a
> "deprecated" API, which is something entirely different.

The ENGINE API is deprecated in OpenSSL 3.0 but that change doesn't
remove support unless it has already been compiled out of OpenSSL
first.


Cheers

AGL

Re: [PATCH 1/1] sign-file: Use OpenSSL provided define to compile out deprecated APIs

[Lee Jones]

On Tue, 05 Oct 2021, Eric Biggers wrote:

> On Tue, Oct 05, 2021 at 10:14:58AM -0700, Adam Langley wrote:
> > On Tue, Oct 5, 2021 at 10:01 AM Eric Biggers <ebiggers@kernel.org> wrote:
> > > I ran into these same -Wdeprecated-declarations compiler warnings on another
> > > project that uses the ENGINE API to access OpenSSL's support for PKCS#11 tokens.
> > > The conclusion was that in OpenSSL 3.0, the new API for PKCS#11 support isn't
> > > actually ready yet, so we had to keep using the ENGINE API and just add
> > > -Wno-deprecated-declarations to the compiler flags.
> > >
> > > Your patch just removes support for PKCS#11 in that case, which seems
> > > undesirable.  (Unless no one is actually using it?)
> > 
> > The patch removes support when OPENSSL_NO_ENGINE is defined, but
> > that's not defined by default in OpenSSL 3.0. (Unless something
> > changed recently.)
> > 
> > When OPENSSL_NO_ENGINE is defined, ENGINE support is not compiled into
> > OpenSSL and the headers don't include the functions:
> > https://github.com/openssl/openssl/blob/master/include/openssl/engine.h
> > .
> 
> Okay so this patch is actually a build fix for when OpenSSL doesn't include
> ENGINE support?

Correct.

> Currently this patch claims that it's removing the use of a
> "deprecated" API, which is something entirely different.

I see your point.

Happy to rejig the commit message if that would help.

-- 
Lee Jones [李琼斯]
Senior Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog

Re: [PATCH 1/1] sign-file: Use OpenSSL provided define to compile out deprecated APIs

[Kees Cook]

On Tue, Oct 05, 2021 at 07:11:02PM +0100, Lee Jones wrote:
> On Tue, 05 Oct 2021, Eric Biggers wrote:
> 
> > On Tue, Oct 05, 2021 at 10:14:58AM -0700, Adam Langley wrote:
> > > On Tue, Oct 5, 2021 at 10:01 AM Eric Biggers <ebiggers@kernel.org> wrote:
> > > > I ran into these same -Wdeprecated-declarations compiler warnings on another
> > > > project that uses the ENGINE API to access OpenSSL's support for PKCS#11 tokens.
> > > > The conclusion was that in OpenSSL 3.0, the new API for PKCS#11 support isn't
> > > > actually ready yet, so we had to keep using the ENGINE API and just add
> > > > -Wno-deprecated-declarations to the compiler flags.
> > > >
> > > > Your patch just removes support for PKCS#11 in that case, which seems
> > > > undesirable.  (Unless no one is actually using it?)
> > > 
> > > The patch removes support when OPENSSL_NO_ENGINE is defined, but
> > > that's not defined by default in OpenSSL 3.0. (Unless something
> > > changed recently.)
> > > 
> > > When OPENSSL_NO_ENGINE is defined, ENGINE support is not compiled into
> > > OpenSSL and the headers don't include the functions:
> > > https://github.com/openssl/openssl/blob/master/include/openssl/engine.h
> > > .
> > 
> > Okay so this patch is actually a build fix for when OpenSSL doesn't include
> > ENGINE support?
> 
> Correct.
> 
> > Currently this patch claims that it's removing the use of a
> > "deprecated" API, which is something entirely different.
> 
> I see your point.
> 
> Happy to rejig the commit message if that would help.

*thread necromancy*

Hi,

These warnings are quite noisy on Fedora rawhide and other distros that
have moved to OpenSSL 3.0. It's not clear to me from this thread if this
patch is actually the correct fix?

-Kees

-- 
Kees Cook

Re: [PATCH 1/1] sign-file: Use OpenSSL provided define to compile out deprecated APIs

[Lee Jones]

On Wed, 02 Mar 2022, Kees Cook wrote:

> On Tue, Oct 05, 2021 at 07:11:02PM +0100, Lee Jones wrote:
> > On Tue, 05 Oct 2021, Eric Biggers wrote:
> > 
> > > On Tue, Oct 05, 2021 at 10:14:58AM -0700, Adam Langley wrote:
> > > > On Tue, Oct 5, 2021 at 10:01 AM Eric Biggers <ebiggers@kernel.org> wrote:
> > > > > I ran into these same -Wdeprecated-declarations compiler warnings on another
> > > > > project that uses the ENGINE API to access OpenSSL's support for PKCS#11 tokens.
> > > > > The conclusion was that in OpenSSL 3.0, the new API for PKCS#11 support isn't
> > > > > actually ready yet, so we had to keep using the ENGINE API and just add
> > > > > -Wno-deprecated-declarations to the compiler flags.
> > > > >
> > > > > Your patch just removes support for PKCS#11 in that case, which seems
> > > > > undesirable.  (Unless no one is actually using it?)
> > > > 
> > > > The patch removes support when OPENSSL_NO_ENGINE is defined, but
> > > > that's not defined by default in OpenSSL 3.0. (Unless something
> > > > changed recently.)
> > > > 
> > > > When OPENSSL_NO_ENGINE is defined, ENGINE support is not compiled into
> > > > OpenSSL and the headers don't include the functions:
> > > > https://github.com/openssl/openssl/blob/master/include/openssl/engine.h
> > > > .
> > > 
> > > Okay so this patch is actually a build fix for when OpenSSL doesn't include
> > > ENGINE support?
> > 
> > Correct.
> > 
> > > Currently this patch claims that it's removing the use of a
> > > "deprecated" API, which is something entirely different.
> > 
> > I see your point.
> > 
> > Happy to rejig the commit message if that would help.
> 
> *thread necromancy*
> 
> Hi,
> 
> These warnings are quite noisy on Fedora rawhide and other distros that
> have moved to OpenSSL 3.0. It's not clear to me from this thread if this
> patch is actually the correct fix?

I believe it is the correct fix.

However the commit message seemed to cause Eric some confusion.

Would you like me to resubmit?

It would be nice to get some input from the maintainers at one point.

-- 
Lee Jones [李琼斯]
Principal Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog

Re: [PATCH 1/1] sign-file: Use OpenSSL provided define to compile out deprecated APIs

[Kees Cook]

On Thu, Mar 03, 2022 at 09:26:16AM +0000, Lee Jones wrote:
> On Wed, 02 Mar 2022, Kees Cook wrote:
> 
> > On Tue, Oct 05, 2021 at 07:11:02PM +0100, Lee Jones wrote:
> > > On Tue, 05 Oct 2021, Eric Biggers wrote:
> > > 
> > > > On Tue, Oct 05, 2021 at 10:14:58AM -0700, Adam Langley wrote:
> > > > > On Tue, Oct 5, 2021 at 10:01 AM Eric Biggers <ebiggers@kernel.org> wrote:
> > > > > > I ran into these same -Wdeprecated-declarations compiler warnings on another
> > > > > > project that uses the ENGINE API to access OpenSSL's support for PKCS#11 tokens.
> > > > > > The conclusion was that in OpenSSL 3.0, the new API for PKCS#11 support isn't
> > > > > > actually ready yet, so we had to keep using the ENGINE API and just add
> > > > > > -Wno-deprecated-declarations to the compiler flags.
> > > > > >
> > > > > > Your patch just removes support for PKCS#11 in that case, which seems
> > > > > > undesirable.  (Unless no one is actually using it?)
> > > > > 
> > > > > The patch removes support when OPENSSL_NO_ENGINE is defined, but
> > > > > that's not defined by default in OpenSSL 3.0. (Unless something
> > > > > changed recently.)
> > > > > 
> > > > > When OPENSSL_NO_ENGINE is defined, ENGINE support is not compiled into
> > > > > OpenSSL and the headers don't include the functions:
> > > > > https://github.com/openssl/openssl/blob/master/include/openssl/engine.h
> > > > > .
> > > > 
> > > > Okay so this patch is actually a build fix for when OpenSSL doesn't include
> > > > ENGINE support?
> > > 
> > > Correct.
> > > 
> > > > Currently this patch claims that it's removing the use of a
> > > > "deprecated" API, which is something entirely different.
> > > 
> > > I see your point.
> > > 
> > > Happy to rejig the commit message if that would help.
> > 
> > *thread necromancy*
> > 
> > Hi,
> > 
> > These warnings are quite noisy on Fedora rawhide and other distros that
> > have moved to OpenSSL 3.0. It's not clear to me from this thread if this
> > patch is actually the correct fix?
> 
> I believe it is the correct fix.
> 
> However the commit message seemed to cause Eric some confusion.
> 
> Would you like me to resubmit?

Yes, please. :)

> It would be nice to get some input from the maintainers at one point.

David, do you have an opinion on this? I'd like to see this fixed so
that rawhide builds stop spewing warnings.

Thanks!

-Kees

-- 
Kees Cook

[PATCH v2 1/1] sign-file: Do not attempt to use the ENGINE_* API if it's not available

[Lee Jones]

OpenSSL's ENGINE API is deprecated in OpenSSL v3.0.

Use OPENSSL_NO_ENGINE to ensure the ENGINE API is only used if it is
present.  This will safeguard against compile errors when using SSL
implementations which lack support for this deprecated API.

Cc: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Eric Biggers <ebiggers@kernel.org>
Cc: Kees Cook <keescook@chromium.org>
Cc: keyrings@vger.kernel.org
Co-developed-by: Adam Langley <agl@google.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
---
v2: Clear up subject and patch description to avoid confusion

scripts/sign-file.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index fbd34b8e8f578..fa3fa59db6669 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -135,7 +135,9 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
 static EVP_PKEY *read_private_key(const char *private_key_name)
 {
 	EVP_PKEY *private_key;
+	BIO *b;
 
+#ifndef OPENSSL_NO_ENGINE
 	if (!strncmp(private_key_name, "pkcs11:", 7)) {
 		ENGINE *e;
 
@@ -153,17 +155,16 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
 		private_key = ENGINE_load_private_key(e, private_key_name,
 						      NULL, NULL);
 		ERR(!private_key, "%s", private_key_name);
-	} else {
-		BIO *b;
-
-		b = BIO_new_file(private_key_name, "rb");
-		ERR(!b, "%s", private_key_name);
-		private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
-						      NULL);
-		ERR(!private_key, "%s", private_key_name);
-		BIO_free(b);
+		return private_key;
 	}
+#endif
 
+	b = BIO_new_file(private_key_name, "rb");
+	ERR(!b, "%s", private_key_name);
+	private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
+					      NULL);
+	ERR(!private_key, "%s", private_key_name);
+	BIO_free(b);
 	return private_key;
 }

Re: [PATCH v2 1/1] sign-file: Do not attempt to use the ENGINE_* API if it's not available

[Kees Cook]

On Tue, Mar 08, 2022 at 10:31:11AM +0000, Lee Jones wrote:
> OpenSSL's ENGINE API is deprecated in OpenSSL v3.0.
>
> Use OPENSSL_NO_ENGINE to ensure the ENGINE API is only used if it is
> present.  This will safeguard against compile errors when using SSL
> implementations which lack support for this deprecated API.

On Fedora rawhide, I'm still seeing a bunch of warnings:

scripts/sign-file.c: In function 'display_openssl_errors':
scripts/sign-file.c:89:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecat
ed-declarations]
   89 |         while ((e = ERR_get_error_line(&file, &line))) {
      |         ^~~~~
In file included from scripts/sign-file.c:29:
/usr/include/openssl/err.h:411:15: note: declared here
  411 | unsigned long ERR_get_error_line(const char **file, int *line);
      |               ^~~~~~~~~~~~~~~~~~
scripts/sign-file.c: In function 'drain_openssl_errors':
scripts/sign-file.c:102:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdepreca
ted-declarations]
  102 |         while (ERR_get_error_line(&file, &line)) {}
      |         ^~~~~
/usr/include/openssl/err.h:411:15: note: declared here
  411 | unsigned long ERR_get_error_line(const char **file, int *line);
      |               ^~~~~~~~~~~~~~~~~~
...


>
> Cc: David Howells <dhowells@redhat.com>
> Cc: David Woodhouse <dwmw2@infradead.org>
> Cc: Eric Biggers <ebiggers@kernel.org>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: keyrings@vger.kernel.org
> Co-developed-by: Adam Langley <agl@google.com>
> Signed-off-by: Lee Jones <lee.jones@linaro.org>
> ---
> v2: Clear up subject and patch description to avoid confusion
>
> scripts/sign-file.c | 19 ++++++++++---------
>  1 file changed, 10 insertions(+), 9 deletions(-)
>
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index fbd34b8e8f578..fa3fa59db6669 100644
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -135,7 +135,9 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
>  static EVP_PKEY *read_private_key(const char *private_key_name)
>  {
>  	EVP_PKEY *private_key;
> +	BIO *b;
>
> +#ifndef OPENSSL_NO_ENGINE
>  	if (!strncmp(private_key_name, "pkcs11:", 7)) {
>  		ENGINE *e;
>
> @@ -153,17 +155,16 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
>  		private_key = ENGINE_load_private_key(e, private_key_name,
>  						      NULL, NULL);
>  		ERR(!private_key, "%s", private_key_name);
> -	} else {
> -		BIO *b;
> -
> -		b = BIO_new_file(private_key_name, "rb");
> -		ERR(!b, "%s", private_key_name);
> -		private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
> -						      NULL);
> -		ERR(!private_key, "%s", private_key_name);
> -		BIO_free(b);
> +		return private_key;
>  	}
> +#endif
>
> +	b = BIO_new_file(private_key_name, "rb");
> +	ERR(!b, "%s", private_key_name);
> +	private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
> +					      NULL);
> +	ERR(!private_key, "%s", private_key_name);
> +	BIO_free(b);
>  	return private_key;
>  }

--
Kees Cook

Re: [PATCH v2 1/1] sign-file: Do not attempt to use the ENGINE_* API if it's not available

[Adam Langley]

On Thu, Mar 10, 2022 at 8:52 AM Kees Cook <keescook@chromium.org> wrote:
>
> On Tue, Mar 08, 2022 at 10:31:11AM +0000, Lee Jones wrote:
> > OpenSSL's ENGINE API is deprecated in OpenSSL v3.0.
> >
> > Use OPENSSL_NO_ENGINE to ensure the ENGINE API is only used if it is
> > present.  This will safeguard against compile errors when using SSL
> > implementations which lack support for this deprecated API.
>
> On Fedora rawhide, I'm still seeing a bunch of warnings:
>
> scripts/sign-file.c: In function 'display_openssl_errors':
> scripts/sign-file.c:89:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecat
> ed-declarations]

The `display_openssl_errors` function should probably just call
ERR_print_errors_fp:
https://www.openssl.org/docs/man1.0.2/man3/ERR_print_errors_fp.html

The `drain_openssl_errors` function should probably just call
ERR_clear_error:
https://www.openssl.org/docs/man3.0/man3/ERR_clear_error.html


Cheers

AGL

Re: [PATCH v2 1/1] sign-file: Do not attempt to use the ENGINE_* API if it's not available

[Salvatore Bonaccorso]

Hi,

On Thu, Mar 10, 2022 at 08:51:56AM -0800, Kees Cook wrote:
> On Tue, Mar 08, 2022 at 10:31:11AM +0000, Lee Jones wrote:
> > OpenSSL's ENGINE API is deprecated in OpenSSL v3.0.
> >
> > Use OPENSSL_NO_ENGINE to ensure the ENGINE API is only used if it is
> > present.  This will safeguard against compile errors when using SSL
> > implementations which lack support for this deprecated API.
> 
> On Fedora rawhide, I'm still seeing a bunch of warnings:
> 
> scripts/sign-file.c: In function 'display_openssl_errors':
> scripts/sign-file.c:89:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecat
> ed-declarations]
>    89 |         while ((e = ERR_get_error_line(&file, &line))) {
>       |         ^~~~~
> In file included from scripts/sign-file.c:29:
> /usr/include/openssl/err.h:411:15: note: declared here
>   411 | unsigned long ERR_get_error_line(const char **file, int *line);
>       |               ^~~~~~~~~~~~~~~~~~
> scripts/sign-file.c: In function 'drain_openssl_errors':
> scripts/sign-file.c:102:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdepreca
> ted-declarations]
>   102 |         while (ERR_get_error_line(&file, &line)) {}
>       |         ^~~~~
> /usr/include/openssl/err.h:411:15: note: declared here
>   411 | unsigned long ERR_get_error_line(const char **file, int *line);
>       |               ^~~~~~~~~~~~~~~~~~

FWIW, we are seeing the same now on Debian as Debian unstable is
moving to OpenSSL 3.0.

https://lists.debian.org/debian-release/2022/05/msg00070.html

Regards,
Salvatore

Re: [PATCH v2 1/1] sign-file: Do not attempt to use the ENGINE_* API if it's not available

[Lee Jones]

On Sun, 15 May 2022, Salvatore Bonaccorso wrote:

> Hi,
> 
> On Thu, Mar 10, 2022 at 08:51:56AM -0800, Kees Cook wrote:
> > On Tue, Mar 08, 2022 at 10:31:11AM +0000, Lee Jones wrote:
> > > OpenSSL's ENGINE API is deprecated in OpenSSL v3.0.
> > >
> > > Use OPENSSL_NO_ENGINE to ensure the ENGINE API is only used if it is
> > > present.  This will safeguard against compile errors when using SSL
> > > implementations which lack support for this deprecated API.
> > 
> > On Fedora rawhide, I'm still seeing a bunch of warnings:
> > 
> > scripts/sign-file.c: In function 'display_openssl_errors':
> > scripts/sign-file.c:89:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecat
> > ed-declarations]
> >    89 |         while ((e = ERR_get_error_line(&file, &line))) {
> >       |         ^~~~~
> > In file included from scripts/sign-file.c:29:
> > /usr/include/openssl/err.h:411:15: note: declared here
> >   411 | unsigned long ERR_get_error_line(const char **file, int *line);
> >       |               ^~~~~~~~~~~~~~~~~~
> > scripts/sign-file.c: In function 'drain_openssl_errors':
> > scripts/sign-file.c:102:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdepreca
> > ted-declarations]
> >   102 |         while (ERR_get_error_line(&file, &line)) {}
> >       |         ^~~~~
> > /usr/include/openssl/err.h:411:15: note: declared here
> >   411 | unsigned long ERR_get_error_line(const char **file, int *line);
> >       |               ^~~~~~~~~~~~~~~~~~
> 
> FWIW, we are seeing the same now on Debian as Debian unstable is
> moving to OpenSSL 3.0.
> 
> https://lists.debian.org/debian-release/2022/05/msg00070.html

Did this patch help?

We've had a few confirmed reports now.

My guess is the maintainers are not currently monitoring.

With some more {Reviewed,Tested}-bys I'd be prepared to submit this
via other means.  Either via my own repository or via Greg's.

-- 
Lee Jones [李琼斯]
Principal Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog

Re: [PATCH v2 1/1] sign-file: Do not attempt to use the ENGINE_* API if it's not available

[Shuah Khan]

On 5/15/22 3:40 AM, Lee Jones wrote:
> On Sun, 15 May 2022, Salvatore Bonaccorso wrote:
> 
>> Hi,
>>
>> On Thu, Mar 10, 2022 at 08:51:56AM -0800, Kees Cook wrote:
>>> On Tue, Mar 08, 2022 at 10:31:11AM +0000, Lee Jones wrote:
>>>> OpenSSL's ENGINE API is deprecated in OpenSSL v3.0.
>>>>
>>>> Use OPENSSL_NO_ENGINE to ensure the ENGINE API is only used if it is
>>>> present.  This will safeguard against compile errors when using SSL
>>>> implementations which lack support for this deprecated API.
>>>
>>> On Fedora rawhide, I'm still seeing a bunch of warnings:
>>>
>>> scripts/sign-file.c: In function 'display_openssl_errors':
>>> scripts/sign-file.c:89:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecat
>>> ed-declarations]
>>>     89 |         while ((e = ERR_get_error_line(&file, &line))) {
>>>        |         ^~~~~
>>> In file included from scripts/sign-file.c:29:
>>> /usr/include/openssl/err.h:411:15: note: declared here
>>>    411 | unsigned long ERR_get_error_line(const char **file, int *line);
>>>        |               ^~~~~~~~~~~~~~~~~~
>>> scripts/sign-file.c: In function 'drain_openssl_errors':
>>> scripts/sign-file.c:102:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdepreca
>>> ted-declarations]
>>>    102 |         while (ERR_get_error_line(&file, &line)) {}
>>>        |         ^~~~~
>>> /usr/include/openssl/err.h:411:15: note: declared here
>>>    411 | unsigned long ERR_get_error_line(const char **file, int *line);
>>>        |               ^~~~~~~~~~~~~~~~~~
>>
>> FWIW, we are seeing the same now on Debian as Debian unstable is
>> moving to OpenSSL 3.0.
>>
>> https://lists.debian.org/debian-release/2022/05/msg00070.html
> 
> Did this patch help?
> 
> We've had a few confirmed reports now.
> 
> My guess is the maintainers are not currently monitoring.
> 
> With some more {Reviewed,Tested}-bys I'd be prepared to submit this
> via other means.  Either via my own repository or via Greg's.
> 
  
I am seeing the same issue on my test system after upgrading to
Ubuntu 22.04 LTS. This patch didn't fix the problem.

Please cc me on your future patches and I can test them.

thanks,
-- Shuah