lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 5 Oct 2021 10:01:16 -0700
From:   Eric Biggers <ebiggers@...nel.org>
To:     Lee Jones <lee.jones@...aro.org>
Cc:     linux-kernel@...r.kernel.org, David Howells <dhowells@...hat.com>,
        David Woodhouse <dwmw2@...radead.org>,
        keyrings@...r.kernel.org, Adam Langley <agl@...gle.com>
Subject: Re: [PATCH 1/1] sign-file: Use OpenSSL provided define to compile
 out deprecated APIs

On Tue, Oct 05, 2021 at 05:18:33PM +0100, Lee Jones wrote:
> OpenSSL's ENGINE API is deprecated in OpenSSL v3.0.
> 
> Use OPENSSL_NO_ENGINE to disallow its use and fall back on the BIO API.
> 
> Cc: David Howells <dhowells@...hat.com>
> Cc: David Woodhouse <dwmw2@...radead.org>
> Cc: keyrings@...r.kernel.org
> Co-developed-by: Adam Langley <agl@...gle.com>
> Signed-off-by: Lee Jones <lee.jones@...aro.org>
> ---
>  scripts/sign-file.c | 19 ++++++++++---------
>  1 file changed, 10 insertions(+), 9 deletions(-)
> 
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index fbd34b8e8f578..fa3fa59db6669 100644
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -135,7 +135,9 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
>  static EVP_PKEY *read_private_key(const char *private_key_name)
>  {
>  	EVP_PKEY *private_key;
> +	BIO *b;
>  
> +#ifndef OPENSSL_NO_ENGINE
>  	if (!strncmp(private_key_name, "pkcs11:", 7)) {
>  		ENGINE *e;
>  
> @@ -153,17 +155,16 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
>  		private_key = ENGINE_load_private_key(e, private_key_name,
>  						      NULL, NULL);
>  		ERR(!private_key, "%s", private_key_name);
> -	} else {
> -		BIO *b;
> -
> -		b = BIO_new_file(private_key_name, "rb");
> -		ERR(!b, "%s", private_key_name);
> -		private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
> -						      NULL);
> -		ERR(!private_key, "%s", private_key_name);
> -		BIO_free(b);
> +		return private_key;
>  	}
> +#endif
>  
> +	b = BIO_new_file(private_key_name, "rb");
> +	ERR(!b, "%s", private_key_name);
> +	private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
> +					      NULL);
> +	ERR(!private_key, "%s", private_key_name);
> +	BIO_free(b);
>  	return private_key;
>  }

I ran into these same -Wdeprecated-declarations compiler warnings on another
project that uses the ENGINE API to access OpenSSL's support for PKCS#11 tokens.
The conclusion was that in OpenSSL 3.0, the new API for PKCS#11 support isn't
actually ready yet, so we had to keep using the ENGINE API and just add
-Wno-deprecated-declarations to the compiler flags.

Your patch just removes support for PKCS#11 in that case, which seems
undesirable.  (Unless no one is actually using it?)

- Eric

Powered by blists - more mailing lists