From: Eric Biggers <ebiggers@kernel.org>
To: Lee Jones <lee.jones@linaro.org>
Cc: linux-kernel@vger.kernel.org, David Howells <dhowells@redhat.com>,
	David Woodhouse <dwmw2@infradead.org>,
	keyrings@vger.kernel.org, Adam Langley <agl@google.com>
Subject: Re: [PATCH 1/1] sign-file: Use OpenSSL provided define to compile out deprecated APIs
Date: Tue, 5 Oct 2021 10:01:16 -0700
Message-ID: <YVyE3Ax1PRtiBwf+@gmail.com>
In-Reply-To: <20211005161833.1522737-1-lee.jones@linaro.org>

On Tue, Oct 05, 2021 at 05:18:33PM +0100, Lee Jones wrote:
> OpenSSL's ENGINE API is deprecated in OpenSSL v3.0.
> 
> Use OPENSSL_NO_ENGINE to disallow its use and fall back on the BIO API.
> 
> Cc: David Howells <dhowells@redhat.com>
> Cc: David Woodhouse <dwmw2@infradead.org>
> Cc: keyrings@vger.kernel.org
> Co-developed-by: Adam Langley <agl@google.com>
> Signed-off-by: Lee Jones <lee.jones@linaro.org>
> ---
>  scripts/sign-file.c | 19 ++++++++++---------
>  1 file changed, 10 insertions(+), 9 deletions(-)
> 
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index fbd34b8e8f578..fa3fa59db6669 100644
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -135,7 +135,9 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
>  static EVP_PKEY *read_private_key(const char *private_key_name)
>  {
>  	EVP_PKEY *private_key;
> +	BIO *b;
>  
> +#ifndef OPENSSL_NO_ENGINE
>  	if (!strncmp(private_key_name, "pkcs11:", 7)) {
>  		ENGINE *e;
>  
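Review bot: OPENSSL_NO_ENGINE is the wrong knob for the goal stated in the subject. It is a configure-time macro that OpenSSL defines only when the library itself was built with engine support disabled; on a stock OpenSSL 3.0 build it is undefined, so the `#ifndef OPENSSL_NO_ENGINE` guard added here leaves the ENGINE_* calls compiled in and the deprecation warnings untouched. Building cleanly against 3.0 is governed by the OPENSSL_API_COMPAT / OPENSSL_NO_DEPRECATED_3_0 settings instead, and the commit message should state which condition the guard is actually meant to track. Hoisting `BIO *b;` to function scope is fine since the BIO path becomes unconditional in the next hunk.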
> @@ -153,17 +155,16 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
>  		private_key = ENGINE_load_private_key(e, private_key_name,
>  						      NULL, NULL);
>  		ERR(!private_key, "%s", private_key_name);
> -	} else {
> -		BIO *b;
> -
> -		b = BIO_new_file(private_key_name, "rb");
> -		ERR(!b, "%s", private_key_name);
> -		private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
> -						      NULL);
> -		ERR(!private_key, "%s", private_key_name);
> -		BIO_free(b);
> +		return private_key;
>  	}
> +#endif
>  
> +	b = BIO_new_file(private_key_name, "rb");
> +	ERR(!b, "%s", private_key_name);
> +	private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
> +					      NULL);
> +	ERR(!private_key, "%s", private_key_name);
> +	BIO_free(b);
>  	return private_key;
>  }
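Review bot: when OPENSSL_NO_ENGINE is defined, a private_key_name beginning with "pkcs11:" no longer reaches the ENGINE branch and falls straight into `BIO_new_file(private_key_name, "rb")`, so the user sees a file-open failure against the literal URI instead of a message saying PKCS#11 support is compiled out. Consider an `#else` arm that checks the "pkcs11:" prefix and fails with an explicit `ERR(...)` naming the missing engine support. The `return private_key;` hoisted into the ENGINE branch is behaviourally equivalent to the old fall-through, since both paths returned the same variable.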

I ran into these same -Wdeprecated-declarations compiler warnings on another
project that uses the ENGINE API to access OpenSSL's support for PKCS#11 tokens.
The conclusion was that in OpenSSL 3.0, the new API for PKCS#11 support isn't
actually ready yet, so we had to keep using the ENGINE API and just add
-Wno-deprecated-declarations to the compiler flags.

Your patch just removes support for PKCS#11 in that case, which seems
undesirable.  (Unless no one is actually using it?)

- Eric

Thread overview: 15+ messages
2021-10-05 16:18 [PATCH 1/1] sign-file: Use OpenSSL provided define to compile out deprecated APIs Lee Jones
2021-10-05 17:01 ` Eric Biggers [this message]
2021-10-05 17:14   ` Adam Langley
2021-10-05 17:25     ` Eric Biggers
2021-10-05 17:33       ` Adam Langley
2021-10-05 18:11       ` Lee Jones
2022-03-02 20:52         ` Kees Cook
2022-03-03  9:26           ` Lee Jones
2022-03-03 18:05             ` Kees Cook
2022-03-08 10:31 ` [PATCH v2 1/1] sign-file: Do not attempt to use the ENGINE_* API if it's not available Lee Jones
2022-03-10 16:51   ` Kees Cook
2022-03-10 17:15     ` Adam Langley
2022-05-15  7:16     ` Salvatore Bonaccorso
2022-05-15  9:40       ` Lee Jones
2022-05-16 15:39         ` Shuah Khan