lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Thu, 19 May 2022 11:21:32 -0400
From:   James Bottomley <James.Bottomley@...senPartnership.com>
To:     Kees Cook <keescook@...omium.org>,
        David Howells <dhowells@...hat.com>
Cc:     David Woodhouse <dwmw2@...radead.org>,
        Eric Biggers <ebiggers@...nel.org>,
        Shuah Khan <skhan@...uxfoundation.org>,
        Salvatore Bonaccorso <carnil@...ian.org>,
        keyrings@...r.kernel.org, Adam Langley <agl@...gle.com>,
        Lee Jones <lee.jones@...aro.org>, linux-kernel@...r.kernel.org,
        linux-hardening@...r.kernel.org
Subject: Re: [PATCH v2] sign-file: Convert API usage to support OpenSSL v3

On Wed, 2022-05-18 at 14:51 -0700, Kees Cook wrote:
> OpenSSL's ENGINE API is deprecated in OpenSSL v3.0, along with some
> other functions. Remove the ENGINE use and a macro work-around for
> ERR_get_error_line().

What answer was there to Eric Biggers' concern about token support in
sign-file?

https://lore.kernel.org/lkml/YVyKc51r2tfMmQuO@gmail.com/

If you're not doing ephemeral keys (as quite a few kernel builder's
aren't) you really need a token to protect the signing key.

The other point was that openssl3 hasn't converted most of its own
engine code to the provider API, so the deprecation is a bit premature
because it will be a while before provider based token libraries
appear.  If the goal is simply to not see the warnings, the compile
flag you need is

-DOPENSSL_API_COMPAT=0x10100000L

James


Powered by blists - more mailing lists