fsverity.lists.linux.dev archive mirror
* OpenSSL engine removal and fsverity-utils compilation issue
@ 2025-01-23 10:32 Disha Goel
  2025-01-23 18:24 ` Eric Biggers
  0 siblings, 1 reply; 3+ messages in thread
From: Disha Goel @ 2025-01-23 10:32 UTC
  To: fsverity; +Cc: ebiggers

Hi,

Some distributions have started removing OpenSSL engine support, replacing
engine.h with an empty dummy header file. As a result, fsverity-utils fails
to compile with the following error.

Is there any plan to address this issue and support these distributions?

Please see https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine for more details.

# make
   CC       lib/compute_digest.o
   CC       lib/enable.o
   CC       lib/hash_algs.o
   CC       lib/sign_digest.o
lib/sign_digest.c: In function ‘load_pkcs11_private_key’:
lib/sign_digest.c:350:9: error: implicit declaration of function ‘ENGINE_load_dynamic’ [-Wimplicit-function-declaration]
   350 |         ENGINE_load_dynamic();
       |         ^~~~~~~~~~~~~~~~~~~
lib/sign_digest.c:351:18: error: implicit declaration of function ‘ENGINE_by_id’ [-Wimplicit-function-declaration]
   351 |         engine = ENGINE_by_id("dynamic");
       |                  ^~~~~~~~~~~~
lib/sign_digest.c:351:16: error: assignment to ‘ENGINE *’ {aka ‘struct engine_st *’} from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
   351 |         engine = ENGINE_by_id("dynamic");
       |                ^
lib/sign_digest.c:356:14: error: implicit declaration of function ‘ENGINE_ctrl_cmd_string’ [-Wimplicit-function-declaration]
   356 |         if (!ENGINE_ctrl_cmd_string(engine, "SO_PATH",
       |              ^~~~~~~~~~~~~~~~~~~~~~
lib/sign_digest.c:363:14: error: implicit declaration of function ‘ENGINE_init’ [-Wimplicit-function-declaration]
   363 |             !ENGINE_init(engine)) {
       |              ^~~~~~~~~~~
lib/sign_digest.c:365:17: error: implicit declaration of function ‘ENGINE_free’ [-Wimplicit-function-declaration]
   365 |                 ENGINE_free(engine);
       |                 ^~~~~~~~~~~
lib/sign_digest.c:368:21: error: implicit declaration of function ‘ENGINE_load_private_key’ [-Wimplicit-function-declaration]
   368 |         *pkey_ret = ENGINE_load_private_key(engine, sig_params->pkcs11_keyid,
       |                     ^~~~~~~~~~~~~~~~~~~~~~~
lib/sign_digest.c:368:19: error: assignment to ‘EVP_PKEY *’ {aka ‘struct evp_pkey_st *’} from ‘int’ makes pointer from integer without a cast [-Wint-conversion]
   368 |         *pkey_ret = ENGINE_load_private_key(engine, sig_params->pkcs11_keyid,
       |                   ^
lib/sign_digest.c:370:9: error: implicit declaration of function ‘ENGINE_finish’ [-Wimplicit-function-declaration]
   370 |         ENGINE_finish(engine);
       |         ^~~~~~~~~~~~~
make: *** [Makefile:134: lib/sign_digest.o] Error 1

------
Thanks
Disha


* Re: OpenSSL engine removal and fsverity-utils compilation issue
  2025-01-23 10:32 OpenSSL engine removal and fsverity-utils compilation issue Disha Goel
@ 2025-01-23 18:24 ` Eric Biggers
  2025-02-17 19:43   ` Eric Biggers
  0 siblings, 1 reply; 3+ messages in thread
From: Eric Biggers @ 2025-01-23 18:24 UTC
  To: Disha Goel; +Cc: fsverity, Aleksander Adamowski

On Thu, Jan 23, 2025 at 04:02:46PM +0530, Disha Goel wrote:
> Hi,
> 
> Some distributions have started removing OpenSSL engine support, replacing
> engine.h with an empty dummy header file. As a result, fsverity-utils fails
> to compile with the following error.
> 
> Is there any plan to address this issue and support these distributions?
> 
> Please see https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine for more details.
> 
> # make
>   CC       lib/compute_digest.o
>   CC       lib/enable.o
>   CC       lib/hash_algs.o
>   CC       lib/sign_digest.o
> lib/sign_digest.c: In function ‘load_pkcs11_private_key’:
> lib/sign_digest.c:350:9: error: implicit declaration of function ‘ENGINE_load_dynamic’ [-Wimplicit-function-declaration]
>   350 |         ENGINE_load_dynamic();
>       |         ^~~~~~~~~~~~~~~~~~~

This is my first time hearing about this, but yes this has to be fixed.  Thanks
for reporting it.

It's just the PKCS#11 token feature that is causing problems.  This feature was
contributed by Aleksander Adamowski <olo@fb.com> (Cc'ed) several years ago.  I
don't have much context on how/whether it is still being used.

I'm tempted to just make the PKCS#11 token support conditional on
!defined(OPENSSL_NO_ENGINE) for now.  If someone still cares about PKCS#11 token
support they can look into finding a way to keep it working with latest OpenSSL.

- Eric


* Re: OpenSSL engine removal and fsverity-utils compilation issue
  2025-01-23 18:24 ` Eric Biggers
@ 2025-02-17 19:43   ` Eric Biggers
  0 siblings, 0 replies; 3+ messages in thread
From: Eric Biggers @ 2025-02-17 19:43 UTC
  To: Disha Goel; +Cc: fsverity, Aleksander Adamowski

On Thu, Jan 23, 2025 at 06:24:36PM +0000, Eric Biggers wrote:
> On Thu, Jan 23, 2025 at 04:02:46PM +0530, Disha Goel wrote:
> > Hi,
> > 
> > Some distributions have started removing OpenSSL engine support, replacing
> > engine.h with an empty dummy header file. As a result, fsverity-utils fails
> > to compile with the following error.
> > 
> > Is there any plan to address this issue and support these distributions?
> > 
> > Please see https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine for more details.
> > 
> > # make
> >   CC       lib/compute_digest.o
> >   CC       lib/enable.o
> >   CC       lib/hash_algs.o
> >   CC       lib/sign_digest.o
> > lib/sign_digest.c: In function ‘load_pkcs11_private_key’:
> > lib/sign_digest.c:350:9: error: implicit declaration of function ‘ENGINE_load_dynamic’ [-Wimplicit-function-declaration]
> >   350 |         ENGINE_load_dynamic();
> >       |         ^~~~~~~~~~~~~~~~~~~
> 
> This is my first time hearing about this, but yes this has to be fixed.  Thanks
> for reporting it.
> 
> It's just the PKCS#11 token feature that is causing problems.  This feature was
> contributed by Aleksander Adamowski <olo@fb.com> (Cc'ed) several years ago.  I
> don't have much context on how/whether it is still being used.
> 
> I'm tempted to just make the PKCS#11 token support conditional on
> !defined(OPENSSL_NO_ENGINE) for now.  If someone still cares about PKCS#11 token
> support they can look into finding a way to keep it working with latest OpenSSL.
> 

Now fixed in the master branch of fsverity-utils.

- Eric
