lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <27899413.1r3eYUQgxm@skuld-framework>
Date: Tue, 06 Aug 2024 16:27:02 -0400
From: Neal Gompa <neal@...pa.dev>
To: David Howells <dhowells@...hat.com>, dwmw2@...radead.org, zxu@...hat.com,
 keyrings@...r.kernel.org, Jan Stancek <jstancek@...hat.com>
Cc: linux-kernel@...r.kernel.org, Jan Stancek <jstancek@...hat.com>,
 Asahi Linux <asahi@...ts.linux.dev>, Hector Martin <marcan@...can.st>,
 Janne Grunau <j@...nau.net>
Subject:
 Re: [PATCH 0/3] sign-file,extract-cert: switch to PROVIDER API for OpenSSL >=
 3.0

On Friday, July 12, 2024 3:11:13 AM EDT Jan Stancek wrote:
> The ENGINE interface has its limitations and it has been superseded
> by the PROVIDER API, it is deprecated in OpenSSL version 3.0.
> Some distros have started removing it from header files.
> 
> Update sign-file and extract-cert to use PROVIDER API for OpenSSL Major >=
> 3.
> 
> Tested on F39 with openssl-3.1.1, pkcs11-provider-0.5-2,
> openssl-pkcs11-0.4.12-4 and softhsm-2.6.1-5 by using same key/cert as PEM
> and PKCS11 and comparing that the result is identical.
> 
> Jan Stancek (3):
>   sign-file,extract-cert: move common SSL helper functions to a header
>   sign-file,extract-cert: avoid using deprecated ERR_get_error_line()
>   sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
> 
>  MAINTAINERS          |   1 +
>  certs/Makefile       |   2 +-
>  certs/extract-cert.c | 138 +++++++++++++++++++++++--------------------
>  scripts/sign-file.c  | 134 +++++++++++++++++++++--------------------
>  scripts/ssl-common.h |  32 ++++++++++
>  5 files changed, 178 insertions(+), 129 deletions(-)
>  create mode 100644 scripts/ssl-common.h

The code looks fairly reasonable to me and behaves as expected.

I have been actively using this patch set for several weeks now across 
linux-6.9.y and now linux-6.10.y with good success.

It is in use in production for Fedora Asahi Linux kernels with good success. 
Thanks for the fixes. :)

Reviewed-by: Neal Gompa <neal@...pa.dev>

-- 
真実はいつも一つ!/ Always, there's only one truth!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ