lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 19 May 2022 08:45:36 +0200 From: Salvatore Bonaccorso <carnil@...ian.org> To: Kees Cook <keescook@...omium.org> Cc: David Howells <dhowells@...hat.com>, David Woodhouse <dwmw2@...radead.org>, Eric Biggers <ebiggers@...nel.org>, Shuah Khan <skhan@...uxfoundation.org>, keyrings@...r.kernel.org, Adam Langley <agl@...gle.com>, Lee Jones <lee.jones@...aro.org>, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org Subject: Re: [PATCH v2] sign-file: Convert API usage to support OpenSSL v3 Hi Kees, On Wed, May 18, 2022 at 02:51:29PM -0700, Kees Cook wrote: > OpenSSL's ENGINE API is deprecated in OpenSSL v3.0, along with some > other functions. Remove the ENGINE use and a macro work-around for > ERR_get_error_line(). > > Cc: David Howells <dhowells@...hat.com> > Cc: David Woodhouse <dwmw2@...radead.org> > Cc: Eric Biggers <ebiggers@...nel.org> > Cc: Shuah Khan <skhan@...uxfoundation.org> > Cc: Salvatore Bonaccorso <carnil@...ian.org> > Cc: keyrings@...r.kernel.org > Suggested-by: Adam Langley <agl@...gle.com> > Co-developed-by: Lee Jones <lee.jones@...aro.org> > Signed-off-by: Lee Jones <lee.jones@...aro.org> > Signed-off-by: Kees Cook <keescook@...omium.org> > --- > v1: https://lore.kernel.org/lkml/20211005161833.1522737-1-lee.jones@linaro.org/ > v2: https://lore.kernel.org/lkml/Yicwb+Ceiu8JjVIS@google.com/ > v3: > - Eliminate all the build warnings with OpenSSL 3 > - Fully remove ENGINE usage, if it can be optional, just drop it. > --- > scripts/sign-file.c | 49 ++++++++++----------------------------------- > 1 file changed, 11 insertions(+), 38 deletions(-) > > diff --git a/scripts/sign-file.c b/scripts/sign-file.c > index fbd34b8e8f57..2d633c5f57c3 100644 > --- a/scripts/sign-file.c > +++ b/scripts/sign-file.c > @@ -52,6 +52,10 @@ > #include <openssl/pkcs7.h> > #endif > > +#if OPENSSL_VERSION_MAJOR >= 3 > +#define ERR_get_error_line(f, l) ERR_get_error_all(f, l, NULL, NULL, NULL) > +#endif > + > struct module_signature { > uint8_t algo; /* Public-key crypto algorithm [0] */ > uint8_t hash; /* Digest algorithm [0] */ > @@ -92,16 +96,6 @@ static void display_openssl_errors(int l) > } > } > > -static void drain_openssl_errors(void) > -{ > - const char *file; > - int line; > - > - if (ERR_peek_error() == 0) > - return; > - while (ERR_get_error_line(&file, &line)) {} > -} > - > #define ERR(cond, fmt, ...) \ > do { \ > bool __cond = (cond); \ > @@ -135,35 +129,14 @@ static int pem_pw_cb(char *buf, int len, int w, void *v) > static EVP_PKEY *read_private_key(const char *private_key_name) > { > EVP_PKEY *private_key; > + BIO *b; > > - if (!strncmp(private_key_name, "pkcs11:", 7)) { > - ENGINE *e; > - > - ENGINE_load_builtin_engines(); > - drain_openssl_errors(); > - e = ENGINE_by_id("pkcs11"); > - ERR(!e, "Load PKCS#11 ENGINE"); > - if (ENGINE_init(e)) > - drain_openssl_errors(); > - else > - ERR(1, "ENGINE_init"); > - if (key_pass) > - ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), > - "Set PKCS#11 PIN"); > - private_key = ENGINE_load_private_key(e, private_key_name, > - NULL, NULL); > - ERR(!private_key, "%s", private_key_name); > - } else { > - BIO *b; > - > - b = BIO_new_file(private_key_name, "rb"); > - ERR(!b, "%s", private_key_name); > - private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, > - NULL); > - ERR(!private_key, "%s", private_key_name); > - BIO_free(b); > - } > - > + b = BIO_new_file(private_key_name, "rb"); > + ERR(!b, "%s", private_key_name); > + private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, > + NULL); > + ERR(!private_key, "%s", private_key_name); > + BIO_free(b); > return private_key; > } Fixes for us as well the build warnings for sign-file.c (as you noted the other part is still in extract-cert.c). Tested-by: Salvatore Bonaccorso <carnil@...ian.org> Regards, Salvatore
Powered by blists - more mailing lists