* Re: [PATCH 0/3] sign-file,extract-cert: switch to PROVIDER API for OpenSSL >= 3.0 [not found] <cover.1720728319.git.jstancek@redhat.com> @ 2024-08-06 20:27 ` Neal Gompa 2024-09-20 11:42 ` Neal Gompa 0 siblings, 1 reply; 5+ messages in thread From: Neal Gompa @ 2024-08-06 20:27 UTC (permalink / raw) To: David Howells, dwmw2, zxu, keyrings, Jan Stancek Cc: linux-kernel, Jan Stancek, Asahi Linux, Hector Martin, Janne Grunau On Friday, July 12, 2024 3:11:13 AM EDT Jan Stancek wrote: > The ENGINE interface has its limitations and it has been superseded > by the PROVIDER API, it is deprecated in OpenSSL version 3.0. > Some distros have started removing it from header files. > > Update sign-file and extract-cert to use PROVIDER API for OpenSSL Major >= > 3. > > Tested on F39 with openssl-3.1.1, pkcs11-provider-0.5-2, > openssl-pkcs11-0.4.12-4 and softhsm-2.6.1-5 by using same key/cert as PEM > and PKCS11 and comparing that the result is identical. > > Jan Stancek (3): > sign-file,extract-cert: move common SSL helper functions to a header > sign-file,extract-cert: avoid using deprecated ERR_get_error_line() > sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3 > > MAINTAINERS | 1 + > certs/Makefile | 2 +- > certs/extract-cert.c | 138 +++++++++++++++++++++++-------------------- > scripts/sign-file.c | 134 +++++++++++++++++++++-------------------- > scripts/ssl-common.h | 32 ++++++++++ > 5 files changed, 178 insertions(+), 129 deletions(-) > create mode 100644 scripts/ssl-common.h The code looks fairly reasonable to me and behaves as expected. I have been actively using this patch set for several weeks now across linux-6.9.y and now linux-6.10.y with good success. It is in use in production for Fedora Asahi Linux kernels with good success. Thanks for the fixes. :) Reviewed-by: Neal Gompa <neal@gompa.dev> -- 真実はいつも一つ!/ Always, there's only one truth! ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 0/3] sign-file,extract-cert: switch to PROVIDER API for OpenSSL >= 3.0 2024-08-06 20:27 ` [PATCH 0/3] sign-file,extract-cert: switch to PROVIDER API for OpenSSL >= 3.0 Neal Gompa @ 2024-09-20 11:42 ` Neal Gompa 2024-09-20 15:34 ` Jarkko Sakkinen 0 siblings, 1 reply; 5+ messages in thread From: Neal Gompa @ 2024-09-20 11:42 UTC (permalink / raw) To: Jarkko Sakkinen, David Howells, dwmw2, zxu, keyrings, Jan Stancek Cc: linux-kernel, Asahi Linux, Hector Martin, Janne Grunau, Jarkko Sakkinen On Tue, Aug 6, 2024 at 4:27 PM Neal Gompa <neal@gompa.dev> wrote: > > On Friday, July 12, 2024 3:11:13 AM EDT Jan Stancek wrote: > > The ENGINE interface has its limitations and it has been superseded > > by the PROVIDER API, it is deprecated in OpenSSL version 3.0. > > Some distros have started removing it from header files. > > > > Update sign-file and extract-cert to use PROVIDER API for OpenSSL Major >= > > 3. > > > > Tested on F39 with openssl-3.1.1, pkcs11-provider-0.5-2, > > openssl-pkcs11-0.4.12-4 and softhsm-2.6.1-5 by using same key/cert as PEM > > and PKCS11 and comparing that the result is identical. > > > > Jan Stancek (3): > > sign-file,extract-cert: move common SSL helper functions to a header > > sign-file,extract-cert: avoid using deprecated ERR_get_error_line() > > sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3 > > > > MAINTAINERS | 1 + > > certs/Makefile | 2 +- > > certs/extract-cert.c | 138 +++++++++++++++++++++++-------------------- > > scripts/sign-file.c | 134 +++++++++++++++++++++-------------------- > > scripts/ssl-common.h | 32 ++++++++++ > > 5 files changed, 178 insertions(+), 129 deletions(-) > > create mode 100644 scripts/ssl-common.h > > The code looks fairly reasonable to me and behaves as expected. > > I have been actively using this patch set for several weeks now across > linux-6.9.y and now linux-6.10.y with good success. > > It is in use in production for Fedora Asahi Linux kernels with good success. > Thanks for the fixes. :) > > Reviewed-by: Neal Gompa <neal@gompa.dev> > Jarkko, could you please consider submitting this for inclusion into 6.12? I've been carrying this for three Linux kernel rebases now (6.9.y, 6.10.y, and now 6.11.y) and it seems to be just fine, and without it, I cannot build kernels anymore with the OpenSSL engine API disabled in Fedora and CentOS/RHEL. I also expect that the engine API will disappear on other platforms in the near future given its deprecated status and recently accelerated conversion of engine backends to the newer provider API. Thanks in advance! :) -- 真実はいつも一つ!/ Always, there's only one truth! ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 0/3] sign-file,extract-cert: switch to PROVIDER API for OpenSSL >= 3.0 2024-09-20 11:42 ` Neal Gompa @ 2024-09-20 15:34 ` Jarkko Sakkinen 2024-09-20 20:05 ` Jan Stancek 0 siblings, 1 reply; 5+ messages in thread From: Jarkko Sakkinen @ 2024-09-20 15:34 UTC (permalink / raw) To: Neal Gompa, David Howells, dwmw2, zxu, keyrings, Jan Stancek Cc: linux-kernel, Asahi Linux, Hector Martin, Janne Grunau, Jarkko Sakkinen On Fri Sep 20, 2024 at 2:42 PM EEST, Neal Gompa wrote: > On Tue, Aug 6, 2024 at 4:27 PM Neal Gompa <neal@gompa.dev> wrote: > > > > On Friday, July 12, 2024 3:11:13 AM EDT Jan Stancek wrote: > > > The ENGINE interface has its limitations and it has been superseded > > > by the PROVIDER API, it is deprecated in OpenSSL version 3.0. > > > Some distros have started removing it from header files. > > > > > > Update sign-file and extract-cert to use PROVIDER API for OpenSSL Major >= > > > 3. > > > > > > Tested on F39 with openssl-3.1.1, pkcs11-provider-0.5-2, > > > openssl-pkcs11-0.4.12-4 and softhsm-2.6.1-5 by using same key/cert as PEM > > > and PKCS11 and comparing that the result is identical. > > > > > > Jan Stancek (3): > > > sign-file,extract-cert: move common SSL helper functions to a header > > > sign-file,extract-cert: avoid using deprecated ERR_get_error_line() > > > sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3 > > > > > > MAINTAINERS | 1 + > > > certs/Makefile | 2 +- > > > certs/extract-cert.c | 138 +++++++++++++++++++++++-------------------- > > > scripts/sign-file.c | 134 +++++++++++++++++++++-------------------- > > > scripts/ssl-common.h | 32 ++++++++++ > > > 5 files changed, 178 insertions(+), 129 deletions(-) > > > create mode 100644 scripts/ssl-common.h > > > > The code looks fairly reasonable to me and behaves as expected. > > > > I have been actively using this patch set for several weeks now across > > linux-6.9.y and now linux-6.10.y with good success. > > > > It is in use in production for Fedora Asahi Linux kernels with good success. > > Thanks for the fixes. :) > > > > Reviewed-by: Neal Gompa <neal@gompa.dev> > > > > Jarkko, could you please consider submitting this for inclusion into > 6.12? I've been carrying this for three Linux kernel rebases now > (6.9.y, 6.10.y, and now 6.11.y) and it seems to be just fine, and > without it, I cannot build kernels anymore with the OpenSSL engine API > disabled in Fedora and CentOS/RHEL. I also expect that the engine API > will disappear on other platforms in the near future given its > deprecated status and recently accelerated conversion of engine > backends to the newer provider API. > > Thanks in advance! :) Yes, I think I can. And I've yet to do 6.12 PR because I've been busy sorting out perf regression in the TPM driver. ERROR: need consistent spacing around '*' (ctx:WxV) #66: FILE: certs/extract-cert.c:69: + OSSL_STORE_CTX *store; ^ ERROR: need consistent spacing around '*' (ctx:WxV) #93: FILE: certs/extract-cert.c:96: + ENGINE *e; ^ ERROR: need consistent spacing around '*' (ctx:WxV) #199: FILE: scripts/sign-file.c:114: + OSSL_STORE_CTX *store; ^ ERROR: need consistent spacing around '*' (ctx:WxV) #229: FILE: scripts/sign-file.c:141: + ENGINE *e; ^ Any ideas of these? My guess is that they are unfixable and related to non-kernel-standard code. BR, Jarkko ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 0/3] sign-file,extract-cert: switch to PROVIDER API for OpenSSL >= 3.0 2024-09-20 15:34 ` Jarkko Sakkinen @ 2024-09-20 20:05 ` Jan Stancek 2024-09-20 22:16 ` Jarkko Sakkinen 0 siblings, 1 reply; 5+ messages in thread From: Jan Stancek @ 2024-09-20 20:05 UTC (permalink / raw) To: Jarkko Sakkinen Cc: Neal Gompa, David Howells, dwmw2, zxu, keyrings, linux-kernel, Asahi Linux, Hector Martin, Janne Grunau, Jarkko Sakkinen On Fri, Sep 20, 2024 at 5:34 PM Jarkko Sakkinen <jarkko.sakkinen@iki.fi> wrote: > > On Fri Sep 20, 2024 at 2:42 PM EEST, Neal Gompa wrote: > > On Tue, Aug 6, 2024 at 4:27 PM Neal Gompa <neal@gompa.dev> wrote: > > > > > > On Friday, July 12, 2024 3:11:13 AM EDT Jan Stancek wrote: > > > > The ENGINE interface has its limitations and it has been superseded > > > > by the PROVIDER API, it is deprecated in OpenSSL version 3.0. > > > > Some distros have started removing it from header files. > > > > > > > > Update sign-file and extract-cert to use PROVIDER API for OpenSSL Major >= > > > > 3. > > > > > > > > Tested on F39 with openssl-3.1.1, pkcs11-provider-0.5-2, > > > > openssl-pkcs11-0.4.12-4 and softhsm-2.6.1-5 by using same key/cert as PEM > > > > and PKCS11 and comparing that the result is identical. > > > > > > > > Jan Stancek (3): > > > > sign-file,extract-cert: move common SSL helper functions to a header > > > > sign-file,extract-cert: avoid using deprecated ERR_get_error_line() > > > > sign-file,extract-cert: use pkcs11 provider for OPENSSL MAJOR >= 3 > > > > > > > > MAINTAINERS | 1 + > > > > certs/Makefile | 2 +- > > > > certs/extract-cert.c | 138 +++++++++++++++++++++++-------------------- > > > > scripts/sign-file.c | 134 +++++++++++++++++++++-------------------- > > > > scripts/ssl-common.h | 32 ++++++++++ > > > > 5 files changed, 178 insertions(+), 129 deletions(-) > > > > create mode 100644 scripts/ssl-common.h > > > > > > The code looks fairly reasonable to me and behaves as expected. > > > > > > I have been actively using this patch set for several weeks now across > > > linux-6.9.y and now linux-6.10.y with good success. > > > > > > It is in use in production for Fedora Asahi Linux kernels with good success. > > > Thanks for the fixes. :) > > > > > > Reviewed-by: Neal Gompa <neal@gompa.dev> > > > > > > > Jarkko, could you please consider submitting this for inclusion into > > 6.12? I've been carrying this for three Linux kernel rebases now > > (6.9.y, 6.10.y, and now 6.11.y) and it seems to be just fine, and > > without it, I cannot build kernels anymore with the OpenSSL engine API > > disabled in Fedora and CentOS/RHEL. I also expect that the engine API > > will disappear on other platforms in the near future given its > > deprecated status and recently accelerated conversion of engine > > backends to the newer provider API. > > > > Thanks in advance! :) > > Yes, I think I can. And I've yet to do 6.12 PR because I've been > busy sorting out perf regression in the TPM driver. > > ERROR: need consistent spacing around '*' (ctx:WxV) > #66: FILE: certs/extract-cert.c:69: > + OSSL_STORE_CTX *store; > ^ > > ERROR: need consistent spacing around '*' (ctx:WxV) > #93: FILE: certs/extract-cert.c:96: > + ENGINE *e; > ^ > > ERROR: need consistent spacing around '*' (ctx:WxV) > #199: FILE: scripts/sign-file.c:114: > + OSSL_STORE_CTX *store; > ^ > > ERROR: need consistent spacing around '*' (ctx:WxV) > #229: FILE: scripts/sign-file.c:141: > + ENGINE *e; > ^ > Any ideas of these? My guess is that they are unfixable and related > to non-kernel-standard code. This looks like false-positive. Following will produce same error: +#if TEST + ENGINE *e; +#endif + $ git diff > 1.patch; ./scripts/checkpatch.pl 1.patch ERROR: need consistent spacing around '*' (ctx:WxV) #10: FILE: scripts/sign-file.c:217: + ENGINE *e; ^ total: 1 errors, 0 warnings, 10 lines checked but if first type in #if block is something checkpatch recognizes, then it reports no issues: +#if TEST + int i; + ENGINE *e; +#endif + $ git diff > 1.patch; ./scripts/checkpatch.pl 1.patch total: 0 errors, 0 warnings, 11 lines checked Regards, Jan ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 0/3] sign-file,extract-cert: switch to PROVIDER API for OpenSSL >= 3.0 2024-09-20 20:05 ` Jan Stancek @ 2024-09-20 22:16 ` Jarkko Sakkinen 0 siblings, 0 replies; 5+ messages in thread From: Jarkko Sakkinen @ 2024-09-20 22:16 UTC (permalink / raw) To: Jan Stancek, Jarkko Sakkinen Cc: Neal Gompa, David Howells, dwmw2, zxu, keyrings, linux-kernel, Asahi Linux, Hector Martin, Janne Grunau On Fri Sep 20, 2024 at 11:05 PM EEST, Jan Stancek wrote: > This looks like false-positive. Following will produce same error: > +#if TEST > + ENGINE *e; > +#endif > + > $ git diff > 1.patch; ./scripts/checkpatch.pl 1.patch > ERROR: need consistent spacing around '*' (ctx:WxV) > #10: FILE: scripts/sign-file.c:217: > + ENGINE *e; > ^ > > total: 1 errors, 0 warnings, 10 lines checked > > but if first type in #if block is something checkpatch recognizes, > then it reports no issues: > +#if TEST > + int i; > + ENGINE *e; > +#endif > + > > $ git diff > 1.patch; ./scripts/checkpatch.pl 1.patch > total: 0 errors, 0 warnings, 11 lines checked I fixed a couple of alignment issues reported by "checkpatch.pl --strict" and sent a pull request: https://lore.kernel.org/keyrings/D4B9WXZC9B9U.34I6BHWMYXOS2@kernel.org/T/#u > Regards, > Jan BR, Jarkko ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2024-09-20 22:16 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <cover.1720728319.git.jstancek@redhat.com>
2024-08-06 20:27 ` [PATCH 0/3] sign-file,extract-cert: switch to PROVIDER API for OpenSSL >= 3.0 Neal Gompa
2024-09-20 11:42 ` Neal Gompa
2024-09-20 15:34 ` Jarkko Sakkinen
2024-09-20 20:05 ` Jan Stancek
2024-09-20 22:16 ` Jarkko Sakkinen
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox