Date: Thu, 19 May 2022 11:21:32 -0400
From: James Bottomley <James.Bottomley@...senPartnership.com>
To: Kees Cook <keescook@...omium.org>, David Howells <dhowells@...hat.com>
Cc: David Woodhouse <dwmw2@...radead.org>, Eric Biggers <ebiggers@...nel.org>, Shuah Khan <skhan@...uxfoundation.org>, Salvatore Bonaccorso <carnil@...ian.org>, keyrings@...r.kernel.org, Adam Langley <agl@...gle.com>, Lee Jones <lee.jones@...aro.org>, linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org
Subject: Re: [PATCH v2] sign-file: Convert API usage to support OpenSSL v3

On Wed, 2022-05-18 at 14:51 -0700, Kees Cook wrote:
> OpenSSL's ENGINE API is deprecated in OpenSSL v3.0, along with some
> other functions. Remove the ENGINE use and a macro work-around for
> ERR_get_error_line().

What answer was there to Eric Biggers' concern about token support in
sign-file?

https://lore.kernel.org/lkml/YVyKc51r2tfMmQuO@gmail.com/

If you're not doing ephemeral keys (as quite a few kernel builders
aren't) you really need a token to protect the signing key.

The other point was that openssl3 hasn't converted most of its own
engine code to the provider API, so the deprecation is a bit premature
because it will be a while before provider-based token libraries
appear.

If the goal is simply to not see the warnings, the compile flag you
need is -DOPENSSL_API_COMPAT=0x10100000L

James