OpenSSL's ENGINE API is deprecated in OpenSSL v3.0, along with some
other functions. Remove the ENGINE use and a macro work-around for
ERR_get_error_line().
Cc: David Howells <[email protected]>
Cc: David Woodhouse <[email protected]>
Cc: Eric Biggers <[email protected]>
Cc: Shuah Khan <[email protected]>
Cc: Salvatore Bonaccorso <[email protected]>
Cc: [email protected]
Suggested-by: Adam Langley <[email protected]>
Co-developed-by: Lee Jones <[email protected]>
Signed-off-by: Lee Jones <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
---
v1: https://lore.kernel.org/lkml/[email protected]/
v2: https://lore.kernel.org/lkml/[email protected]/
v3:
- Eliminate all the build warnings with OpenSSL 3
- Fully remove ENGINE usage, if it can be optional, just drop it.
---
scripts/sign-file.c | 49 ++++++++++-----------------------------------
1 file changed, 11 insertions(+), 38 deletions(-)
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index fbd34b8e8f57..2d633c5f57c3 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -52,6 +52,10 @@
#include <openssl/pkcs7.h>
#endif
+#if OPENSSL_VERSION_MAJOR >= 3
+#define ERR_get_error_line(f, l) ERR_get_error_all(f, l, NULL, NULL, NULL)
+#endif
+
struct module_signature {
uint8_t algo; /* Public-key crypto algorithm [0] */
uint8_t hash; /* Digest algorithm [0] */
@@ -92,16 +96,6 @@ static void display_openssl_errors(int l)
}
}
-static void drain_openssl_errors(void)
-{
- const char *file;
- int line;
-
- if (ERR_peek_error() == 0)
- return;
- while (ERR_get_error_line(&file, &line)) {}
-}
-
#define ERR(cond, fmt, ...) \
do { \
bool __cond = (cond); \
@@ -135,35 +129,14 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
static EVP_PKEY *read_private_key(const char *private_key_name)
{
EVP_PKEY *private_key;
+ BIO *b;
- if (!strncmp(private_key_name, "pkcs11:", 7)) {
- ENGINE *e;
-
- ENGINE_load_builtin_engines();
- drain_openssl_errors();
- e = ENGINE_by_id("pkcs11");
- ERR(!e, "Load PKCS#11 ENGINE");
- if (ENGINE_init(e))
- drain_openssl_errors();
- else
- ERR(1, "ENGINE_init");
- if (key_pass)
- ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0),
- "Set PKCS#11 PIN");
- private_key = ENGINE_load_private_key(e, private_key_name,
- NULL, NULL);
- ERR(!private_key, "%s", private_key_name);
- } else {
- BIO *b;
-
- b = BIO_new_file(private_key_name, "rb");
- ERR(!b, "%s", private_key_name);
- private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
- NULL);
- ERR(!private_key, "%s", private_key_name);
- BIO_free(b);
- }
-
+ b = BIO_new_file(private_key_name, "rb");
+ ERR(!b, "%s", private_key_name);
+ private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
+ NULL);
+ ERR(!private_key, "%s", private_key_name);
+ BIO_free(b);
return private_key;
}
--
2.32.0
On Wed, May 18, 2022 at 02:51:29PM -0700, Kees Cook wrote:
> OpenSSL's ENGINE API is deprecated in OpenSSL v3.0, along with some
> other functions. Remove the ENGINE use and a macro work-around for
> ERR_get_error_line().
>
> Cc: David Howells <[email protected]>
> Cc: David Woodhouse <[email protected]>
> Cc: Eric Biggers <[email protected]>
> Cc: Shuah Khan <[email protected]>
> Cc: Salvatore Bonaccorso <[email protected]>
> Cc: [email protected]
> Suggested-by: Adam Langley <[email protected]>
> Co-developed-by: Lee Jones <[email protected]>
> Signed-off-by: Lee Jones <[email protected]>
> Signed-off-by: Kees Cook <[email protected]>
> ---
> v1: https://lore.kernel.org/lkml/[email protected]/
> v2: https://lore.kernel.org/lkml/[email protected]/
> v3:
> - Eliminate all the build warnings with OpenSSL 3
> - Fully remove ENGINE usage, if it can be optional, just drop it.
> ---
> scripts/sign-file.c | 49 ++++++++++-----------------------------------
> 1 file changed, 11 insertions(+), 38 deletions(-)
>
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
Eh, this only fixes sign-file.c. Fixes are still needed for
extract-cert.c...
--
Kees Cook
On 5/18/22 3:51 PM, Kees Cook wrote:
> OpenSSL's ENGINE API is deprecated in OpenSSL v3.0, along with some
> other functions. Remove the ENGINE use and a macro work-around for
> ERR_get_error_line().
>
> Cc: David Howells <[email protected]>
> Cc: David Woodhouse <[email protected]>
> Cc: Eric Biggers <[email protected]>
> Cc: Shuah Khan <[email protected]>
> Cc: Salvatore Bonaccorso <[email protected]>
> Cc: [email protected]
> Suggested-by: Adam Langley <[email protected]>
> Co-developed-by: Lee Jones <[email protected]>
> Signed-off-by: Lee Jones <[email protected]>
> Signed-off-by: Kees Cook <[email protected]>
> ---
> v1: https://lore.kernel.org/lkml/[email protected]/
> v2: https://lore.kernel.org/lkml/[email protected]/
> v3:
> - Eliminate all the build warnings with OpenSSL 3
> - Fully remove ENGINE usage, if it can be optional, just drop it.
> ---
> scripts/sign-file.c | 49 ++++++++++-----------------------------------
> 1 file changed, 11 insertions(+), 38 deletions(-)
Worked for me on OpenSSL v3 and older version .
Tested-by: Shuah Khan <[email protected]>
thanks,
-- Shuah
Hi Kees,
On Wed, May 18, 2022 at 02:51:29PM -0700, Kees Cook wrote:
> OpenSSL's ENGINE API is deprecated in OpenSSL v3.0, along with some
> other functions. Remove the ENGINE use and a macro work-around for
> ERR_get_error_line().
>
> Cc: David Howells <[email protected]>
> Cc: David Woodhouse <[email protected]>
> Cc: Eric Biggers <[email protected]>
> Cc: Shuah Khan <[email protected]>
> Cc: Salvatore Bonaccorso <[email protected]>
> Cc: [email protected]
> Suggested-by: Adam Langley <[email protected]>
> Co-developed-by: Lee Jones <[email protected]>
> Signed-off-by: Lee Jones <[email protected]>
> Signed-off-by: Kees Cook <[email protected]>
> ---
> v1: https://lore.kernel.org/lkml/[email protected]/
> v2: https://lore.kernel.org/lkml/[email protected]/
> v3:
> - Eliminate all the build warnings with OpenSSL 3
> - Fully remove ENGINE usage, if it can be optional, just drop it.
> ---
> scripts/sign-file.c | 49 ++++++++++-----------------------------------
> 1 file changed, 11 insertions(+), 38 deletions(-)
>
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index fbd34b8e8f57..2d633c5f57c3 100644
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -52,6 +52,10 @@
> #include <openssl/pkcs7.h>
> #endif
>
> +#if OPENSSL_VERSION_MAJOR >= 3
> +#define ERR_get_error_line(f, l) ERR_get_error_all(f, l, NULL, NULL, NULL)
> +#endif
> +
> struct module_signature {
> uint8_t algo; /* Public-key crypto algorithm [0] */
> uint8_t hash; /* Digest algorithm [0] */
> @@ -92,16 +96,6 @@ static void display_openssl_errors(int l)
> }
> }
>
> -static void drain_openssl_errors(void)
> -{
> - const char *file;
> - int line;
> -
> - if (ERR_peek_error() == 0)
> - return;
> - while (ERR_get_error_line(&file, &line)) {}
> -}
> -
> #define ERR(cond, fmt, ...) \
> do { \
> bool __cond = (cond); \
> @@ -135,35 +129,14 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
> static EVP_PKEY *read_private_key(const char *private_key_name)
> {
> EVP_PKEY *private_key;
> + BIO *b;
>
> - if (!strncmp(private_key_name, "pkcs11:", 7)) {
> - ENGINE *e;
> -
> - ENGINE_load_builtin_engines();
> - drain_openssl_errors();
> - e = ENGINE_by_id("pkcs11");
> - ERR(!e, "Load PKCS#11 ENGINE");
> - if (ENGINE_init(e))
> - drain_openssl_errors();
> - else
> - ERR(1, "ENGINE_init");
> - if (key_pass)
> - ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0),
> - "Set PKCS#11 PIN");
> - private_key = ENGINE_load_private_key(e, private_key_name,
> - NULL, NULL);
> - ERR(!private_key, "%s", private_key_name);
> - } else {
> - BIO *b;
> -
> - b = BIO_new_file(private_key_name, "rb");
> - ERR(!b, "%s", private_key_name);
> - private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
> - NULL);
> - ERR(!private_key, "%s", private_key_name);
> - BIO_free(b);
> - }
> -
> + b = BIO_new_file(private_key_name, "rb");
> + ERR(!b, "%s", private_key_name);
> + private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
> + NULL);
> + ERR(!private_key, "%s", private_key_name);
> + BIO_free(b);
> return private_key;
> }
Fixes for us as well the build warnings for sign-file.c (as you noted
the other part is still in extract-cert.c).
Tested-by: Salvatore Bonaccorso <[email protected]>
Regards,
Salvatore
On Wed, 2022-05-18 at 14:51 -0700, Kees Cook wrote:
> OpenSSL's ENGINE API is deprecated in OpenSSL v3.0, along with some
> other functions. Remove the ENGINE use and a macro work-around for
> ERR_get_error_line().
What answer was there to Eric Biggers' concern about token support in
sign-file?
https://lore.kernel.org/lkml/[email protected]/
If you're not doing ephemeral keys (as quite a few kernel builder's
aren't) you really need a token to protect the signing key.
The other point was that openssl3 hasn't converted most of its own
engine code to the provider API, so the deprecation is a bit premature
because it will be a while before provider based token libraries
appear. If the goal is simply to not see the warnings, the compile
flag you need is
-DOPENSSL_API_COMPAT=0x10100000L
James