2021-10-05 16:21:09

by Lee Jones

[permalink] [raw]
Subject: [PATCH 1/1] sign-file: Use OpenSSL provided define to compile out deprecated APIs

OpenSSL's ENGINE API is deprecated in OpenSSL v3.0.

Use OPENSSL_NO_ENGINE to disallow its use and fall back on the BIO API.

Cc: David Howells <[email protected]>
Cc: David Woodhouse <[email protected]>
Cc: [email protected]
Co-developed-by: Adam Langley <[email protected]>
Signed-off-by: Lee Jones <[email protected]>
---
scripts/sign-file.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index fbd34b8e8f578..fa3fa59db6669 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -135,7 +135,9 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
static EVP_PKEY *read_private_key(const char *private_key_name)
{
EVP_PKEY *private_key;
+ BIO *b;

+#ifndef OPENSSL_NO_ENGINE
if (!strncmp(private_key_name, "pkcs11:", 7)) {
ENGINE *e;

@@ -153,17 +155,16 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
private_key = ENGINE_load_private_key(e, private_key_name,
NULL, NULL);
ERR(!private_key, "%s", private_key_name);
- } else {
- BIO *b;
-
- b = BIO_new_file(private_key_name, "rb");
- ERR(!b, "%s", private_key_name);
- private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
- NULL);
- ERR(!private_key, "%s", private_key_name);
- BIO_free(b);
+ return private_key;
}
+#endif

+ b = BIO_new_file(private_key_name, "rb");
+ ERR(!b, "%s", private_key_name);
+ private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
+ NULL);
+ ERR(!private_key, "%s", private_key_name);
+ BIO_free(b);
return private_key;
}

--
2.33.0.800.g4c38ced690-goog


2021-10-05 17:06:30

by Eric Biggers

[permalink] [raw]
Subject: Re: [PATCH 1/1] sign-file: Use OpenSSL provided define to compile out deprecated APIs

On Tue, Oct 05, 2021 at 05:18:33PM +0100, Lee Jones wrote:
> OpenSSL's ENGINE API is deprecated in OpenSSL v3.0.
>
> Use OPENSSL_NO_ENGINE to disallow its use and fall back on the BIO API.
>
> Cc: David Howells <[email protected]>
> Cc: David Woodhouse <[email protected]>
> Cc: [email protected]
> Co-developed-by: Adam Langley <[email protected]>
> Signed-off-by: Lee Jones <[email protected]>
> ---
> scripts/sign-file.c | 19 ++++++++++---------
> 1 file changed, 10 insertions(+), 9 deletions(-)
>
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index fbd34b8e8f578..fa3fa59db6669 100644
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -135,7 +135,9 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
> static EVP_PKEY *read_private_key(const char *private_key_name)
> {
> EVP_PKEY *private_key;
> + BIO *b;
>
> +#ifndef OPENSSL_NO_ENGINE
> if (!strncmp(private_key_name, "pkcs11:", 7)) {
> ENGINE *e;
>
> @@ -153,17 +155,16 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
> private_key = ENGINE_load_private_key(e, private_key_name,
> NULL, NULL);
> ERR(!private_key, "%s", private_key_name);
> - } else {
> - BIO *b;
> -
> - b = BIO_new_file(private_key_name, "rb");
> - ERR(!b, "%s", private_key_name);
> - private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
> - NULL);
> - ERR(!private_key, "%s", private_key_name);
> - BIO_free(b);
> + return private_key;
> }
> +#endif
>
> + b = BIO_new_file(private_key_name, "rb");
> + ERR(!b, "%s", private_key_name);
> + private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
> + NULL);
> + ERR(!private_key, "%s", private_key_name);
> + BIO_free(b);
> return private_key;
> }

I ran into these same -Wdeprecated-declarations compiler warnings on another
project that uses the ENGINE API to access OpenSSL's support for PKCS#11 tokens.
The conclusion was that in OpenSSL 3.0, the new API for PKCS#11 support isn't
actually ready yet, so we had to keep using the ENGINE API and just add
-Wno-deprecated-declarations to the compiler flags.

Your patch just removes support for PKCS#11 in that case, which seems
undesirable. (Unless no one is actually using it?)

- Eric

2021-10-05 17:18:41

by Adam Langley

[permalink] [raw]
Subject: Re: [PATCH 1/1] sign-file: Use OpenSSL provided define to compile out deprecated APIs

On Tue, Oct 5, 2021 at 10:01 AM Eric Biggers <[email protected]> wrote:
> I ran into these same -Wdeprecated-declarations compiler warnings on another
> project that uses the ENGINE API to access OpenSSL's support for PKCS#11 tokens.
> The conclusion was that in OpenSSL 3.0, the new API for PKCS#11 support isn't
> actually ready yet, so we had to keep using the ENGINE API and just add
> -Wno-deprecated-declarations to the compiler flags.
>
> Your patch just removes support for PKCS#11 in that case, which seems
> undesirable. (Unless no one is actually using it?)

The patch removes support when OPENSSL_NO_ENGINE is defined, but
that's not defined by default in OpenSSL 3.0. (Unless something
changed recently.)

When OPENSSL_NO_ENGINE is defined, ENGINE support is not compiled into
OpenSSL and the headers don't include the functions:
https://github.com/openssl/openssl/blob/master/include/openssl/engine.h
.


Cheers

AGL

2021-10-05 17:26:30

by Eric Biggers

[permalink] [raw]
Subject: Re: [PATCH 1/1] sign-file: Use OpenSSL provided define to compile out deprecated APIs

On Tue, Oct 05, 2021 at 10:14:58AM -0700, Adam Langley wrote:
> On Tue, Oct 5, 2021 at 10:01 AM Eric Biggers <[email protected]> wrote:
> > I ran into these same -Wdeprecated-declarations compiler warnings on another
> > project that uses the ENGINE API to access OpenSSL's support for PKCS#11 tokens.
> > The conclusion was that in OpenSSL 3.0, the new API for PKCS#11 support isn't
> > actually ready yet, so we had to keep using the ENGINE API and just add
> > -Wno-deprecated-declarations to the compiler flags.
> >
> > Your patch just removes support for PKCS#11 in that case, which seems
> > undesirable. (Unless no one is actually using it?)
>
> The patch removes support when OPENSSL_NO_ENGINE is defined, but
> that's not defined by default in OpenSSL 3.0. (Unless something
> changed recently.)
>
> When OPENSSL_NO_ENGINE is defined, ENGINE support is not compiled into
> OpenSSL and the headers don't include the functions:
> https://github.com/openssl/openssl/blob/master/include/openssl/engine.h
> .

Okay so this patch is actually a build fix for when OpenSSL doesn't include
ENGINE support? Currently this patch claims that it's removing the use of a
"deprecated" API, which is something entirely different.

- Eric

2021-10-05 17:36:23

by Adam Langley

[permalink] [raw]
Subject: Re: [PATCH 1/1] sign-file: Use OpenSSL provided define to compile out deprecated APIs

On Tue, Oct 5, 2021 at 10:25 AM Eric Biggers <[email protected]> wrote:
> Okay so this patch is actually a build fix for when OpenSSL doesn't include
> ENGINE support?

Correct.

> Currently this patch claims that it's removing the use of a
> "deprecated" API, which is something entirely different.

The ENGINE API is deprecated in OpenSSL 3.0 but that change doesn't
remove support unless it has already been compiled out of OpenSSL
first.


Cheers

AGL

2021-10-05 18:13:06

by Lee Jones

[permalink] [raw]
Subject: Re: [PATCH 1/1] sign-file: Use OpenSSL provided define to compile out deprecated APIs

On Tue, 05 Oct 2021, Eric Biggers wrote:

> On Tue, Oct 05, 2021 at 10:14:58AM -0700, Adam Langley wrote:
> > On Tue, Oct 5, 2021 at 10:01 AM Eric Biggers <[email protected]> wrote:
> > > I ran into these same -Wdeprecated-declarations compiler warnings on another
> > > project that uses the ENGINE API to access OpenSSL's support for PKCS#11 tokens.
> > > The conclusion was that in OpenSSL 3.0, the new API for PKCS#11 support isn't
> > > actually ready yet, so we had to keep using the ENGINE API and just add
> > > -Wno-deprecated-declarations to the compiler flags.
> > >
> > > Your patch just removes support for PKCS#11 in that case, which seems
> > > undesirable. (Unless no one is actually using it?)
> >
> > The patch removes support when OPENSSL_NO_ENGINE is defined, but
> > that's not defined by default in OpenSSL 3.0. (Unless something
> > changed recently.)
> >
> > When OPENSSL_NO_ENGINE is defined, ENGINE support is not compiled into
> > OpenSSL and the headers don't include the functions:
> > https://github.com/openssl/openssl/blob/master/include/openssl/engine.h
> > .
>
> Okay so this patch is actually a build fix for when OpenSSL doesn't include
> ENGINE support?

Correct.

> Currently this patch claims that it's removing the use of a
> "deprecated" API, which is something entirely different.

I see your point.

Happy to rejig the commit message if that would help.

--
Lee Jones [李琼斯]
Senior Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog

2022-03-03 00:19:55

by Kees Cook

[permalink] [raw]
Subject: Re: [PATCH 1/1] sign-file: Use OpenSSL provided define to compile out deprecated APIs

On Tue, Oct 05, 2021 at 07:11:02PM +0100, Lee Jones wrote:
> On Tue, 05 Oct 2021, Eric Biggers wrote:
>
> > On Tue, Oct 05, 2021 at 10:14:58AM -0700, Adam Langley wrote:
> > > On Tue, Oct 5, 2021 at 10:01 AM Eric Biggers <[email protected]> wrote:
> > > > I ran into these same -Wdeprecated-declarations compiler warnings on another
> > > > project that uses the ENGINE API to access OpenSSL's support for PKCS#11 tokens.
> > > > The conclusion was that in OpenSSL 3.0, the new API for PKCS#11 support isn't
> > > > actually ready yet, so we had to keep using the ENGINE API and just add
> > > > -Wno-deprecated-declarations to the compiler flags.
> > > >
> > > > Your patch just removes support for PKCS#11 in that case, which seems
> > > > undesirable. (Unless no one is actually using it?)
> > >
> > > The patch removes support when OPENSSL_NO_ENGINE is defined, but
> > > that's not defined by default in OpenSSL 3.0. (Unless something
> > > changed recently.)
> > >
> > > When OPENSSL_NO_ENGINE is defined, ENGINE support is not compiled into
> > > OpenSSL and the headers don't include the functions:
> > > https://github.com/openssl/openssl/blob/master/include/openssl/engine.h
> > > .
> >
> > Okay so this patch is actually a build fix for when OpenSSL doesn't include
> > ENGINE support?
>
> Correct.
>
> > Currently this patch claims that it's removing the use of a
> > "deprecated" API, which is something entirely different.
>
> I see your point.
>
> Happy to rejig the commit message if that would help.

*thread necromancy*

Hi,

These warnings are quite noisy on Fedora rawhide and other distros that
have moved to OpenSSL 3.0. It's not clear to me from this thread if this
patch is actually the correct fix?

-Kees

--
Kees Cook

2022-03-03 11:08:36

by Lee Jones

[permalink] [raw]
Subject: Re: [PATCH 1/1] sign-file: Use OpenSSL provided define to compile out deprecated APIs

On Wed, 02 Mar 2022, Kees Cook wrote:

> On Tue, Oct 05, 2021 at 07:11:02PM +0100, Lee Jones wrote:
> > On Tue, 05 Oct 2021, Eric Biggers wrote:
> >
> > > On Tue, Oct 05, 2021 at 10:14:58AM -0700, Adam Langley wrote:
> > > > On Tue, Oct 5, 2021 at 10:01 AM Eric Biggers <[email protected]> wrote:
> > > > > I ran into these same -Wdeprecated-declarations compiler warnings on another
> > > > > project that uses the ENGINE API to access OpenSSL's support for PKCS#11 tokens.
> > > > > The conclusion was that in OpenSSL 3.0, the new API for PKCS#11 support isn't
> > > > > actually ready yet, so we had to keep using the ENGINE API and just add
> > > > > -Wno-deprecated-declarations to the compiler flags.
> > > > >
> > > > > Your patch just removes support for PKCS#11 in that case, which seems
> > > > > undesirable. (Unless no one is actually using it?)
> > > >
> > > > The patch removes support when OPENSSL_NO_ENGINE is defined, but
> > > > that's not defined by default in OpenSSL 3.0. (Unless something
> > > > changed recently.)
> > > >
> > > > When OPENSSL_NO_ENGINE is defined, ENGINE support is not compiled into
> > > > OpenSSL and the headers don't include the functions:
> > > > https://github.com/openssl/openssl/blob/master/include/openssl/engine.h
> > > > .
> > >
> > > Okay so this patch is actually a build fix for when OpenSSL doesn't include
> > > ENGINE support?
> >
> > Correct.
> >
> > > Currently this patch claims that it's removing the use of a
> > > "deprecated" API, which is something entirely different.
> >
> > I see your point.
> >
> > Happy to rejig the commit message if that would help.
>
> *thread necromancy*
>
> Hi,
>
> These warnings are quite noisy on Fedora rawhide and other distros that
> have moved to OpenSSL 3.0. It's not clear to me from this thread if this
> patch is actually the correct fix?

I believe it is the correct fix.

However the commit message seemed to cause Eric some confusion.

Would you like me to resubmit?

It would be nice to get some input from the maintainers at one point.

--
Lee Jones [李琼斯]
Principal Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog

2022-03-04 01:07:06

by Kees Cook

[permalink] [raw]
Subject: Re: [PATCH 1/1] sign-file: Use OpenSSL provided define to compile out deprecated APIs

On Thu, Mar 03, 2022 at 09:26:16AM +0000, Lee Jones wrote:
> On Wed, 02 Mar 2022, Kees Cook wrote:
>
> > On Tue, Oct 05, 2021 at 07:11:02PM +0100, Lee Jones wrote:
> > > On Tue, 05 Oct 2021, Eric Biggers wrote:
> > >
> > > > On Tue, Oct 05, 2021 at 10:14:58AM -0700, Adam Langley wrote:
> > > > > On Tue, Oct 5, 2021 at 10:01 AM Eric Biggers <[email protected]> wrote:
> > > > > > I ran into these same -Wdeprecated-declarations compiler warnings on another
> > > > > > project that uses the ENGINE API to access OpenSSL's support for PKCS#11 tokens.
> > > > > > The conclusion was that in OpenSSL 3.0, the new API for PKCS#11 support isn't
> > > > > > actually ready yet, so we had to keep using the ENGINE API and just add
> > > > > > -Wno-deprecated-declarations to the compiler flags.
> > > > > >
> > > > > > Your patch just removes support for PKCS#11 in that case, which seems
> > > > > > undesirable. (Unless no one is actually using it?)
> > > > >
> > > > > The patch removes support when OPENSSL_NO_ENGINE is defined, but
> > > > > that's not defined by default in OpenSSL 3.0. (Unless something
> > > > > changed recently.)
> > > > >
> > > > > When OPENSSL_NO_ENGINE is defined, ENGINE support is not compiled into
> > > > > OpenSSL and the headers don't include the functions:
> > > > > https://github.com/openssl/openssl/blob/master/include/openssl/engine.h
> > > > > .
> > > >
> > > > Okay so this patch is actually a build fix for when OpenSSL doesn't include
> > > > ENGINE support?
> > >
> > > Correct.
> > >
> > > > Currently this patch claims that it's removing the use of a
> > > > "deprecated" API, which is something entirely different.
> > >
> > > I see your point.
> > >
> > > Happy to rejig the commit message if that would help.
> >
> > *thread necromancy*
> >
> > Hi,
> >
> > These warnings are quite noisy on Fedora rawhide and other distros that
> > have moved to OpenSSL 3.0. It's not clear to me from this thread if this
> > patch is actually the correct fix?
>
> I believe it is the correct fix.
>
> However the commit message seemed to cause Eric some confusion.
>
> Would you like me to resubmit?

Yes, please. :)

> It would be nice to get some input from the maintainers at one point.

David, do you have an opinion on this? I'd like to see this fixed so
that rawhide builds stop spewing warnings.

Thanks!

-Kees

--
Kees Cook

2022-03-08 15:56:52

by Lee Jones

[permalink] [raw]
Subject: [PATCH v2 1/1] sign-file: Do not attempt to use the ENGINE_* API if it's not available

OpenSSL's ENGINE API is deprecated in OpenSSL v3.0.

Use OPENSSL_NO_ENGINE to ensure the ENGINE API is only used if it is
present. This will safeguard against compile errors when using SSL
implementations which lack support for this deprecated API.

Cc: David Howells <[email protected]>
Cc: David Woodhouse <[email protected]>
Cc: Eric Biggers <[email protected]>
Cc: Kees Cook <[email protected]>
Cc: [email protected]
Co-developed-by: Adam Langley <[email protected]>
Signed-off-by: Lee Jones <[email protected]>
---
v2: Clear up subject and patch description to avoid confusion

scripts/sign-file.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index fbd34b8e8f578..fa3fa59db6669 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -135,7 +135,9 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
static EVP_PKEY *read_private_key(const char *private_key_name)
{
EVP_PKEY *private_key;
+ BIO *b;

+#ifndef OPENSSL_NO_ENGINE
if (!strncmp(private_key_name, "pkcs11:", 7)) {
ENGINE *e;

@@ -153,17 +155,16 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
private_key = ENGINE_load_private_key(e, private_key_name,
NULL, NULL);
ERR(!private_key, "%s", private_key_name);
- } else {
- BIO *b;
-
- b = BIO_new_file(private_key_name, "rb");
- ERR(!b, "%s", private_key_name);
- private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
- NULL);
- ERR(!private_key, "%s", private_key_name);
- BIO_free(b);
+ return private_key;
}
+#endif

+ b = BIO_new_file(private_key_name, "rb");
+ ERR(!b, "%s", private_key_name);
+ private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
+ NULL);
+ ERR(!private_key, "%s", private_key_name);
+ BIO_free(b);
return private_key;
}

2022-03-10 19:26:49

by Kees Cook

[permalink] [raw]
Subject: Re: [PATCH v2 1/1] sign-file: Do not attempt to use the ENGINE_* API if it's not available

On Tue, Mar 08, 2022 at 10:31:11AM +0000, Lee Jones wrote:
> OpenSSL's ENGINE API is deprecated in OpenSSL v3.0.
>
> Use OPENSSL_NO_ENGINE to ensure the ENGINE API is only used if it is
> present. This will safeguard against compile errors when using SSL
> implementations which lack support for this deprecated API.

On Fedora rawhide, I'm still seeing a bunch of warnings:

scripts/sign-file.c: In function 'display_openssl_errors':
scripts/sign-file.c:89:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecat
ed-declarations]
89 | while ((e = ERR_get_error_line(&file, &line))) {
| ^~~~~
In file included from scripts/sign-file.c:29:
/usr/include/openssl/err.h:411:15: note: declared here
411 | unsigned long ERR_get_error_line(const char **file, int *line);
| ^~~~~~~~~~~~~~~~~~
scripts/sign-file.c: In function 'drain_openssl_errors':
scripts/sign-file.c:102:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdepreca
ted-declarations]
102 | while (ERR_get_error_line(&file, &line)) {}
| ^~~~~
/usr/include/openssl/err.h:411:15: note: declared here
411 | unsigned long ERR_get_error_line(const char **file, int *line);
| ^~~~~~~~~~~~~~~~~~
...


>
> Cc: David Howells <[email protected]>
> Cc: David Woodhouse <[email protected]>
> Cc: Eric Biggers <[email protected]>
> Cc: Kees Cook <[email protected]>
> Cc: [email protected]
> Co-developed-by: Adam Langley <[email protected]>
> Signed-off-by: Lee Jones <[email protected]>
> ---
> v2: Clear up subject and patch description to avoid confusion
>
> scripts/sign-file.c | 19 ++++++++++---------
> 1 file changed, 10 insertions(+), 9 deletions(-)
>
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index fbd34b8e8f578..fa3fa59db6669 100644
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -135,7 +135,9 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
> static EVP_PKEY *read_private_key(const char *private_key_name)
> {
> EVP_PKEY *private_key;
> + BIO *b;
>
> +#ifndef OPENSSL_NO_ENGINE
> if (!strncmp(private_key_name, "pkcs11:", 7)) {
> ENGINE *e;
>
> @@ -153,17 +155,16 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
> private_key = ENGINE_load_private_key(e, private_key_name,
> NULL, NULL);
> ERR(!private_key, "%s", private_key_name);
> - } else {
> - BIO *b;
> -
> - b = BIO_new_file(private_key_name, "rb");
> - ERR(!b, "%s", private_key_name);
> - private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
> - NULL);
> - ERR(!private_key, "%s", private_key_name);
> - BIO_free(b);
> + return private_key;
> }
> +#endif
>
> + b = BIO_new_file(private_key_name, "rb");
> + ERR(!b, "%s", private_key_name);
> + private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
> + NULL);
> + ERR(!private_key, "%s", private_key_name);
> + BIO_free(b);
> return private_key;
> }

--
Kees Cook

2022-03-10 23:58:22

by Adam Langley

[permalink] [raw]
Subject: Re: [PATCH v2 1/1] sign-file: Do not attempt to use the ENGINE_* API if it's not available

On Thu, Mar 10, 2022 at 8:52 AM Kees Cook <[email protected]> wrote:
>
> On Tue, Mar 08, 2022 at 10:31:11AM +0000, Lee Jones wrote:
> > OpenSSL's ENGINE API is deprecated in OpenSSL v3.0.
> >
> > Use OPENSSL_NO_ENGINE to ensure the ENGINE API is only used if it is
> > present. This will safeguard against compile errors when using SSL
> > implementations which lack support for this deprecated API.
>
> On Fedora rawhide, I'm still seeing a bunch of warnings:
>
> scripts/sign-file.c: In function 'display_openssl_errors':
> scripts/sign-file.c:89:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecat
> ed-declarations]

The `display_openssl_errors` function should probably just call
ERR_print_errors_fp:
https://www.openssl.org/docs/man1.0.2/man3/ERR_print_errors_fp.html

The `drain_openssl_errors` function should probably just call
ERR_clear_error:
https://www.openssl.org/docs/man3.0/man3/ERR_clear_error.html


Cheers

AGL

2022-05-15 13:52:07

by Lee Jones

[permalink] [raw]
Subject: Re: [PATCH v2 1/1] sign-file: Do not attempt to use the ENGINE_* API if it's not available

On Sun, 15 May 2022, Salvatore Bonaccorso wrote:

> Hi,
>
> On Thu, Mar 10, 2022 at 08:51:56AM -0800, Kees Cook wrote:
> > On Tue, Mar 08, 2022 at 10:31:11AM +0000, Lee Jones wrote:
> > > OpenSSL's ENGINE API is deprecated in OpenSSL v3.0.
> > >
> > > Use OPENSSL_NO_ENGINE to ensure the ENGINE API is only used if it is
> > > present. This will safeguard against compile errors when using SSL
> > > implementations which lack support for this deprecated API.
> >
> > On Fedora rawhide, I'm still seeing a bunch of warnings:
> >
> > scripts/sign-file.c: In function 'display_openssl_errors':
> > scripts/sign-file.c:89:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecat
> > ed-declarations]
> > 89 | while ((e = ERR_get_error_line(&file, &line))) {
> > | ^~~~~
> > In file included from scripts/sign-file.c:29:
> > /usr/include/openssl/err.h:411:15: note: declared here
> > 411 | unsigned long ERR_get_error_line(const char **file, int *line);
> > | ^~~~~~~~~~~~~~~~~~
> > scripts/sign-file.c: In function 'drain_openssl_errors':
> > scripts/sign-file.c:102:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdepreca
> > ted-declarations]
> > 102 | while (ERR_get_error_line(&file, &line)) {}
> > | ^~~~~
> > /usr/include/openssl/err.h:411:15: note: declared here
> > 411 | unsigned long ERR_get_error_line(const char **file, int *line);
> > | ^~~~~~~~~~~~~~~~~~
>
> FWIW, we are seeing the same now on Debian as Debian unstable is
> moving to OpenSSL 3.0.
>
> https://lists.debian.org/debian-release/2022/05/msg00070.html

Did this patch help?

We've had a few confirmed reports now.

My guess is the maintainers are not currently monitoring.

With some more {Reviewed,Tested}-bys I'd be prepared to submit this
via other means. Either via my own repository or via Greg's.

--
Lee Jones [李琼斯]
Principal Technical Lead - Developer Services
Linaro.org │ Open source software for Arm SoCs
Follow Linaro: Facebook | Twitter | Blog

2022-05-15 18:32:14

by Salvatore Bonaccorso

[permalink] [raw]
Subject: Re: [PATCH v2 1/1] sign-file: Do not attempt to use the ENGINE_* API if it's not available

Hi,

On Thu, Mar 10, 2022 at 08:51:56AM -0800, Kees Cook wrote:
> On Tue, Mar 08, 2022 at 10:31:11AM +0000, Lee Jones wrote:
> > OpenSSL's ENGINE API is deprecated in OpenSSL v3.0.
> >
> > Use OPENSSL_NO_ENGINE to ensure the ENGINE API is only used if it is
> > present. This will safeguard against compile errors when using SSL
> > implementations which lack support for this deprecated API.
>
> On Fedora rawhide, I'm still seeing a bunch of warnings:
>
> scripts/sign-file.c: In function 'display_openssl_errors':
> scripts/sign-file.c:89:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecat
> ed-declarations]
> 89 | while ((e = ERR_get_error_line(&file, &line))) {
> | ^~~~~
> In file included from scripts/sign-file.c:29:
> /usr/include/openssl/err.h:411:15: note: declared here
> 411 | unsigned long ERR_get_error_line(const char **file, int *line);
> | ^~~~~~~~~~~~~~~~~~
> scripts/sign-file.c: In function 'drain_openssl_errors':
> scripts/sign-file.c:102:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdepreca
> ted-declarations]
> 102 | while (ERR_get_error_line(&file, &line)) {}
> | ^~~~~
> /usr/include/openssl/err.h:411:15: note: declared here
> 411 | unsigned long ERR_get_error_line(const char **file, int *line);
> | ^~~~~~~~~~~~~~~~~~

FWIW, we are seeing the same now on Debian as Debian unstable is
moving to OpenSSL 3.0.

https://lists.debian.org/debian-release/2022/05/msg00070.html

Regards,
Salvatore

2022-05-17 02:14:28

by Shuah Khan

[permalink] [raw]
Subject: Re: [PATCH v2 1/1] sign-file: Do not attempt to use the ENGINE_* API if it's not available

On 5/15/22 3:40 AM, Lee Jones wrote:
> On Sun, 15 May 2022, Salvatore Bonaccorso wrote:
>
>> Hi,
>>
>> On Thu, Mar 10, 2022 at 08:51:56AM -0800, Kees Cook wrote:
>>> On Tue, Mar 08, 2022 at 10:31:11AM +0000, Lee Jones wrote:
>>>> OpenSSL's ENGINE API is deprecated in OpenSSL v3.0.
>>>>
>>>> Use OPENSSL_NO_ENGINE to ensure the ENGINE API is only used if it is
>>>> present. This will safeguard against compile errors when using SSL
>>>> implementations which lack support for this deprecated API.
>>>
>>> On Fedora rawhide, I'm still seeing a bunch of warnings:
>>>
>>> scripts/sign-file.c: In function 'display_openssl_errors':
>>> scripts/sign-file.c:89:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecat
>>> ed-declarations]
>>> 89 | while ((e = ERR_get_error_line(&file, &line))) {
>>> | ^~~~~
>>> In file included from scripts/sign-file.c:29:
>>> /usr/include/openssl/err.h:411:15: note: declared here
>>> 411 | unsigned long ERR_get_error_line(const char **file, int *line);
>>> | ^~~~~~~~~~~~~~~~~~
>>> scripts/sign-file.c: In function 'drain_openssl_errors':
>>> scripts/sign-file.c:102:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdepreca
>>> ted-declarations]
>>> 102 | while (ERR_get_error_line(&file, &line)) {}
>>> | ^~~~~
>>> /usr/include/openssl/err.h:411:15: note: declared here
>>> 411 | unsigned long ERR_get_error_line(const char **file, int *line);
>>> | ^~~~~~~~~~~~~~~~~~
>>
>> FWIW, we are seeing the same now on Debian as Debian unstable is
>> moving to OpenSSL 3.0.
>>
>> https://lists.debian.org/debian-release/2022/05/msg00070.html
>
> Did this patch help?
>
> We've had a few confirmed reports now.
>
> My guess is the maintainers are not currently monitoring.
>
> With some more {Reviewed,Tested}-bys I'd be prepared to submit this
> via other means. Either via my own repository or via Greg's.
>

I am seeing the same issue on my test system after upgrading to
Ubuntu 22.04 LTS. This patch didn't fix the problem.

Please cc me on your future patches and I can test them.

thanks,
-- Shuah