| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YoXnkIke2xgSuN6F@eldamar.lan>
Date: Thu, 19 May 2022 08:45:36 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: Kees Cook <keescook@...omium.org>
Cc: David Howells <dhowells@...hat.com>,
David Woodhouse <dwmw2@...radead.org>,
Eric Biggers <ebiggers@...nel.org>,
Shuah Khan <skhan@...uxfoundation.org>,
keyrings@...r.kernel.org, Adam Langley <agl@...gle.com>,
Lee Jones <lee.jones@...aro.org>, linux-kernel@...r.kernel.org,
linux-hardening@...r.kernel.org
Subject: Re: [PATCH v2] sign-file: Convert API usage to support OpenSSL v3
Hi Kees,
On Wed, May 18, 2022 at 02:51:29PM -0700, Kees Cook wrote:
> OpenSSL's ENGINE API is deprecated in OpenSSL v3.0, along with some
> other functions. Remove the ENGINE use and a macro work-around for
> ERR_get_error_line().
>
> Cc: David Howells <dhowells@...hat.com>
> Cc: David Woodhouse <dwmw2@...radead.org>
> Cc: Eric Biggers <ebiggers@...nel.org>
> Cc: Shuah Khan <skhan@...uxfoundation.org>
> Cc: Salvatore Bonaccorso <carnil@...ian.org>
> Cc: keyrings@...r.kernel.org
> Suggested-by: Adam Langley <agl@...gle.com>
> Co-developed-by: Lee Jones <lee.jones@...aro.org>
> Signed-off-by: Lee Jones <lee.jones@...aro.org>
> Signed-off-by: Kees Cook <keescook@...omium.org>
> ---
> v1: https://lore.kernel.org/lkml/20211005161833.1522737-1-lee.jones@linaro.org/
> v2: https://lore.kernel.org/lkml/Yicwb+Ceiu8JjVIS@google.com/
> v3:
> - Eliminate all the build warnings with OpenSSL 3
> - Fully remove ENGINE usage, if it can be optional, just drop it.
> ---
> scripts/sign-file.c | 49 ++++++++++-----------------------------------
> 1 file changed, 11 insertions(+), 38 deletions(-)
>
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index fbd34b8e8f57..2d633c5f57c3 100644
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -52,6 +52,10 @@
> #include <openssl/pkcs7.h>
> #endif
>
> +#if OPENSSL_VERSION_MAJOR >= 3
> +#define ERR_get_error_line(f, l) ERR_get_error_all(f, l, NULL, NULL, NULL)
> +#endif
> +
> struct module_signature {
> uint8_t algo; /* Public-key crypto algorithm [0] */
> uint8_t hash; /* Digest algorithm [0] */
> @@ -92,16 +96,6 @@ static void display_openssl_errors(int l)
> }
> }
>
> -static void drain_openssl_errors(void)
> -{
> - const char *file;
> - int line;
> -
> - if (ERR_peek_error() == 0)
> - return;
> - while (ERR_get_error_line(&file, &line)) {}
> -}
> -
> #define ERR(cond, fmt, ...) \
> do { \
> bool __cond = (cond); \
> @@ -135,35 +129,14 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
> static EVP_PKEY *read_private_key(const char *private_key_name)
> {
> EVP_PKEY *private_key;
> + BIO *b;
>
> - if (!strncmp(private_key_name, "pkcs11:", 7)) {
> - ENGINE *e;
> -
> - ENGINE_load_builtin_engines();
> - drain_openssl_errors();
> - e = ENGINE_by_id("pkcs11");
> - ERR(!e, "Load PKCS#11 ENGINE");
> - if (ENGINE_init(e))
> - drain_openssl_errors();
> - else
> - ERR(1, "ENGINE_init");
> - if (key_pass)
> - ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0),
> - "Set PKCS#11 PIN");
> - private_key = ENGINE_load_private_key(e, private_key_name,
> - NULL, NULL);
> - ERR(!private_key, "%s", private_key_name);
> - } else {
> - BIO *b;
> -
> - b = BIO_new_file(private_key_name, "rb");
> - ERR(!b, "%s", private_key_name);
> - private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
> - NULL);
> - ERR(!private_key, "%s", private_key_name);
> - BIO_free(b);
> - }
> -
> + b = BIO_new_file(private_key_name, "rb");
> + ERR(!b, "%s", private_key_name);
> + private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
> + NULL);
> + ERR(!private_key, "%s", private_key_name);
> + BIO_free(b);
> return private_key;
> }
Fixes for us as well the build warnings for sign-file.c (as you noted
the other part is still in extract-cert.c).
Tested-by: Salvatore Bonaccorso <carnil@...ian.org>
Regards,
Salvatore
Powered by blists - more mailing lists