| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <953c45678dc4b59e9e5de0e5c228e2e8a8ac558a.camel@HansenPartnership.com>
Date: Thu, 19 May 2022 11:21:32 -0400
From: James Bottomley <James.Bottomley@...senPartnership.com>
To: Kees Cook <keescook@...omium.org>,
David Howells <dhowells@...hat.com>
Cc: David Woodhouse <dwmw2@...radead.org>,
Eric Biggers <ebiggers@...nel.org>,
Shuah Khan <skhan@...uxfoundation.org>,
Salvatore Bonaccorso <carnil@...ian.org>,
keyrings@...r.kernel.org, Adam Langley <agl@...gle.com>,
Lee Jones <lee.jones@...aro.org>, linux-kernel@...r.kernel.org,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH v2] sign-file: Convert API usage to support OpenSSL v3
On Wed, 2022-05-18 at 14:51 -0700, Kees Cook wrote:
> OpenSSL's ENGINE API is deprecated in OpenSSL v3.0, along with some
> other functions. Remove the ENGINE use and a macro work-around for
> ERR_get_error_line().
What answer was there to Eric Biggers' concern about token support in
sign-file?
https://lore.kernel.org/lkml/YVyKc51r2tfMmQuO@gmail.com/
If you're not doing ephemeral keys (as quite a few kernel builder's
aren't) you really need a token to protect the signing key.
The other point was that openssl3 hasn't converted most of its own
engine code to the provider API, so the deprecation is a bit premature
because it will be a while before provider based token libraries
appear. If the goal is simply to not see the warnings, the compile
flag you need is
-DOPENSSL_API_COMPAT=0x10100000L
James
Powered by blists - more mailing lists