lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAEg-Je_MXyP_PNj_QOu66SW_XYHy0zv0PnTTxX2qWELRG+xM_w@mail.gmail.com>
Date: Fri, 20 Sep 2024 07:42:09 -0400
From: Neal Gompa <neal@...pa.dev>
To: Jarkko Sakkinen <jarkko.sakkinen@....fi>, David Howells <dhowells@...hat.com>, dwmw2@...radead.org, 
	zxu@...hat.com, keyrings@...r.kernel.org, Jan Stancek <jstancek@...hat.com>
Cc: linux-kernel@...r.kernel.org, Asahi Linux <asahi@...ts.linux.dev>, 
	Hector Martin <marcan@...can.st>, Janne Grunau <j@...nau.net>, Jarkko Sakkinen <jarkko@...nel.org>
Subject: Re: [PATCH 0/3] sign-file,extract-cert: switch to PROVIDER API for
 OpenSSL >= 3.0

On Tue, Aug 6, 2024 at 4:27 PM Neal Gompa <neal@...pa.dev> wrote:
>
> On Friday, July 12, 2024 3:11:13 AM EDT Jan Stancek wrote:
> > The ENGINE interface has its limitations and it has been superseded
> > by the PROVIDER API, it is deprecated in OpenSSL version 3.0.
> > Some distros have started removing it from header files.
> >
> > Update sign-file and extract-cert to use PROVIDER API for OpenSSL Major >=
> > 3.
> >
> > Tested on F39 with openssl-3.1.1, pkcs11-provider-0.5-2,
> > openssl-pkcs11-0.4.12-4 and softhsm-2.6.1-5 by using same key/cert as PEM
> > and PKCS11 and comparing that the result is identical.
> >
> > Jan Stancek (3):
> >   sign-file,extract-cert: move common SSL helper functions to a header
> >   sign-file,extract-cert: avoid using deprecated ERR_get_error_line()
> >   sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3
> >
> >  MAINTAINERS          |   1 +
> >  certs/Makefile       |   2 +-
> >  certs/extract-cert.c | 138 +++++++++++++++++++++++--------------------
> >  scripts/sign-file.c  | 134 +++++++++++++++++++++--------------------
> >  scripts/ssl-common.h |  32 ++++++++++
> >  5 files changed, 178 insertions(+), 129 deletions(-)
> >  create mode 100644 scripts/ssl-common.h
>
> The code looks fairly reasonable to me and behaves as expected.
>
> I have been actively using this patch set for several weeks now across
> linux-6.9.y and now linux-6.10.y with good success.
>
> It is in use in production for Fedora Asahi Linux kernels with good success.
> Thanks for the fixes. :)
>
> Reviewed-by: Neal Gompa <neal@...pa.dev>
>

Jarkko, could you please consider submitting this for inclusion into
6.12? I've been carrying this for three Linux kernel rebases now
(6.9.y, 6.10.y, and now 6.11.y) and it seems to be just fine, and
without it, I cannot build kernels anymore with the OpenSSL engine API
disabled in Fedora and CentOS/RHEL. I also expect that the engine API
will disappear on other platforms in the near future given its
deprecated status and recently accelerated conversion of engine
backends to the newer provider API.

Thanks in advance! :)


-- 
真実はいつも一つ!/ Always, there's only one truth!

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ