| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <D3EPBYVJ9NZ2.2OI3EQVYKRRZI@kernel.org>
Date: Tue, 13 Aug 2024 13:12:10 +0300
From: "Jarkko Sakkinen" <jarkko@...nel.org>
To: "Jan Stancek" <jstancek@...hat.com>, <dhowells@...hat.com>,
<dwmw2@...radead.org>, <zxu@...hat.com>, <keyrings@...r.kernel.org>
Cc: <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 2/3] sign-file,extract-cert: avoid using deprecated
ERR_get_error_line()
On Fri Jul 12, 2024 at 10:11 AM EEST, Jan Stancek wrote:
> ERR_get_error_line() is deprecated since OpenSSL 3.0.
>
> Use ERR_peek_error_line() instead, and combine display_openssl_errors()
> and drain_openssl_errors() to a single function where parameter decides
> if it should consume errors silently.
>
> Signed-off-by: Jan Stancek <jstancek@...hat.com>
> ---
> certs/extract-cert.c | 4 ++--
> scripts/sign-file.c | 6 +++---
> scripts/ssl-common.h | 23 ++++++++---------------
> 3 files changed, 13 insertions(+), 20 deletions(-)
>
> diff --git a/certs/extract-cert.c b/certs/extract-cert.c
> index 8e7ba9974a1f..61bbe0085671 100644
> --- a/certs/extract-cert.c
> +++ b/certs/extract-cert.c
> @@ -99,11 +99,11 @@ int main(int argc, char **argv)
> parms.cert = NULL;
>
> ENGINE_load_builtin_engines();
> - drain_openssl_errors();
> + drain_openssl_errors(__LINE__, 1);
> e = ENGINE_by_id("pkcs11");
> ERR(!e, "Load PKCS#11 ENGINE");
> if (ENGINE_init(e))
> - drain_openssl_errors();
> + drain_openssl_errors(__LINE__, 1);
> else
> ERR(1, "ENGINE_init");
> if (key_pass)
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index 39ba58db5d4e..bb3fdf1a617c 100644
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -114,11 +114,11 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
> ENGINE *e;
>
> ENGINE_load_builtin_engines();
> - drain_openssl_errors();
> + drain_openssl_errors(__LINE__, 1);
> e = ENGINE_by_id("pkcs11");
> ERR(!e, "Load PKCS#11 ENGINE");
> if (ENGINE_init(e))
> - drain_openssl_errors();
> + drain_openssl_errors(__LINE__, 1);
> else
> ERR(1, "ENGINE_init");
> if (key_pass)
> @@ -273,7 +273,7 @@ int main(int argc, char **argv)
>
> /* Digest the module data. */
> OpenSSL_add_all_digests();
> - display_openssl_errors(__LINE__);
> + drain_openssl_errors(__LINE__, 0);
> digest_algo = EVP_get_digestbyname(hash_algo);
> ERR(!digest_algo, "EVP_get_digestbyname");
>
> diff --git a/scripts/ssl-common.h b/scripts/ssl-common.h
> index e6711c75ed91..2db0e181143c 100644
> --- a/scripts/ssl-common.h
> +++ b/scripts/ssl-common.h
> @@ -3,7 +3,7 @@
> * SSL helper functions shared by sign-file and extract-cert.
> */
>
> -static void display_openssl_errors(int l)
> +static void drain_openssl_errors(int l, int silent)
> {
> const char *file;
> char buf[120];
> @@ -11,28 +11,21 @@ static void display_openssl_errors(int l)
>
> if (ERR_peek_error() == 0)
> return;
> - fprintf(stderr, "At main.c:%d:\n", l);
> + if (!silent)
> + fprintf(stderr, "At main.c:%d:\n", l);
>
> - while ((e = ERR_get_error_line(&file, &line))) {
> + while ((e = ERR_peek_error_line(&file, &line))) {
> ERR_error_string(e, buf);
> - fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
> + if (!silent)
> + fprintf(stderr, "- SSL %s: %s:%d\n", buf, file, line);
> + ERR_get_error();
> }
> }
>
> -static void drain_openssl_errors(void)
> -{
> - const char *file;
> - int line;
> -
> - if (ERR_peek_error() == 0)
> - return;
> - while (ERR_get_error_line(&file, &line)) {}
> -}
> -
> #define ERR(cond, fmt, ...) \
> do { \
> bool __cond = (cond); \
> - display_openssl_errors(__LINE__); \
> + drain_openssl_errors(__LINE__, 0); \
> if (__cond) { \
> errx(1, fmt, ## __VA_ARGS__); \
> } \
Reviewed-by: Jarkko Sakkinen <jarkko@...nel.org>
BR, Jarkko
Powered by blists - more mailing lists