| Message ID | 20211005161833.1522737-1-lee.jones@linaro.org (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | [1/1] sign-file: Use OpenSSL provided define to compile out deprecated APIs | expand |
On Tue, Oct 05, 2021 at 05:18:33PM +0100, Lee Jones wrote: > OpenSSL's ENGINE API is deprecated in OpenSSL v3.0. > > Use OPENSSL_NO_ENGINE to disallow its use and fall back on the BIO API. > > Cc: David Howells <dhowells@redhat.com> > Cc: David Woodhouse <dwmw2@infradead.org> > Cc: keyrings@vger.kernel.org > Co-developed-by: Adam Langley <agl@google.com> > Signed-off-by: Lee Jones <lee.jones@linaro.org> > --- > scripts/sign-file.c | 19 ++++++++++--------- > 1 file changed, 10 insertions(+), 9 deletions(-) > > diff --git a/scripts/sign-file.c b/scripts/sign-file.c > index fbd34b8e8f578..fa3fa59db6669 100644 > --- a/scripts/sign-file.c > +++ b/scripts/sign-file.c > @@ -135,7 +135,9 @@ static int pem_pw_cb(char *buf, int len, int w, void *v) > static EVP_PKEY *read_private_key(const char *private_key_name) > { > EVP_PKEY *private_key; > + BIO *b; > > +#ifndef OPENSSL_NO_ENGINE > if (!strncmp(private_key_name, "pkcs11:", 7)) { > ENGINE *e; > > @@ -153,17 +155,16 @@ static EVP_PKEY *read_private_key(const char *private_key_name) > private_key = ENGINE_load_private_key(e, private_key_name, > NULL, NULL); > ERR(!private_key, "%s", private_key_name); > - } else { > - BIO *b; > - > - b = BIO_new_file(private_key_name, "rb"); > - ERR(!b, "%s", private_key_name); > - private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, > - NULL); > - ERR(!private_key, "%s", private_key_name); > - BIO_free(b); > + return private_key; > } > +#endif > > + b = BIO_new_file(private_key_name, "rb"); > + ERR(!b, "%s", private_key_name); > + private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, > + NULL); > + ERR(!private_key, "%s", private_key_name); > + BIO_free(b); > return private_key; > } I ran into these same -Wdeprecated-declarations compiler warnings on another project that uses the ENGINE API to access OpenSSL's support for PKCS#11 tokens. The conclusion was that in OpenSSL 3.0, the new API for PKCS#11 support isn't actually ready yet, so we had to keep using the ENGINE API and just add -Wno-deprecated-declarations to the compiler flags. Your patch just removes support for PKCS#11 in that case, which seems undesirable. (Unless no one is actually using it?) - Eric
On Tue, Oct 5, 2021 at 10:01 AM Eric Biggers <ebiggers@kernel.org> wrote: > I ran into these same -Wdeprecated-declarations compiler warnings on another > project that uses the ENGINE API to access OpenSSL's support for PKCS#11 tokens. > The conclusion was that in OpenSSL 3.0, the new API for PKCS#11 support isn't > actually ready yet, so we had to keep using the ENGINE API and just add > -Wno-deprecated-declarations to the compiler flags. > > Your patch just removes support for PKCS#11 in that case, which seems > undesirable. (Unless no one is actually using it?) The patch removes support when OPENSSL_NO_ENGINE is defined, but that's not defined by default in OpenSSL 3.0. (Unless something changed recently.) When OPENSSL_NO_ENGINE is defined, ENGINE support is not compiled into OpenSSL and the headers don't include the functions: https://github.com/openssl/openssl/blob/master/include/openssl/engine.h . Cheers AGL
On Tue, Oct 05, 2021 at 10:14:58AM -0700, Adam Langley wrote: > On Tue, Oct 5, 2021 at 10:01 AM Eric Biggers <ebiggers@kernel.org> wrote: > > I ran into these same -Wdeprecated-declarations compiler warnings on another > > project that uses the ENGINE API to access OpenSSL's support for PKCS#11 tokens. > > The conclusion was that in OpenSSL 3.0, the new API for PKCS#11 support isn't > > actually ready yet, so we had to keep using the ENGINE API and just add > > -Wno-deprecated-declarations to the compiler flags. > > > > Your patch just removes support for PKCS#11 in that case, which seems > > undesirable. (Unless no one is actually using it?) > > The patch removes support when OPENSSL_NO_ENGINE is defined, but > that's not defined by default in OpenSSL 3.0. (Unless something > changed recently.) > > When OPENSSL_NO_ENGINE is defined, ENGINE support is not compiled into > OpenSSL and the headers don't include the functions: > https://github.com/openssl/openssl/blob/master/include/openssl/engine.h > . Okay so this patch is actually a build fix for when OpenSSL doesn't include ENGINE support? Currently this patch claims that it's removing the use of a "deprecated" API, which is something entirely different. - Eric
On Tue, Oct 5, 2021 at 10:25 AM Eric Biggers <ebiggers@kernel.org> wrote: > Okay so this patch is actually a build fix for when OpenSSL doesn't include > ENGINE support? Correct. > Currently this patch claims that it's removing the use of a > "deprecated" API, which is something entirely different. The ENGINE API is deprecated in OpenSSL 3.0 but that change doesn't remove support unless it has already been compiled out of OpenSSL first. Cheers AGL
On Tue, 05 Oct 2021, Eric Biggers wrote: > On Tue, Oct 05, 2021 at 10:14:58AM -0700, Adam Langley wrote: > > On Tue, Oct 5, 2021 at 10:01 AM Eric Biggers <ebiggers@kernel.org> wrote: > > > I ran into these same -Wdeprecated-declarations compiler warnings on another > > > project that uses the ENGINE API to access OpenSSL's support for PKCS#11 tokens. > > > The conclusion was that in OpenSSL 3.0, the new API for PKCS#11 support isn't > > > actually ready yet, so we had to keep using the ENGINE API and just add > > > -Wno-deprecated-declarations to the compiler flags. > > > > > > Your patch just removes support for PKCS#11 in that case, which seems > > > undesirable. (Unless no one is actually using it?) > > > > The patch removes support when OPENSSL_NO_ENGINE is defined, but > > that's not defined by default in OpenSSL 3.0. (Unless something > > changed recently.) > > > > When OPENSSL_NO_ENGINE is defined, ENGINE support is not compiled into > > OpenSSL and the headers don't include the functions: > > https://github.com/openssl/openssl/blob/master/include/openssl/engine.h > > . > > Okay so this patch is actually a build fix for when OpenSSL doesn't include > ENGINE support? Correct. > Currently this patch claims that it's removing the use of a > "deprecated" API, which is something entirely different. I see your point. Happy to rejig the commit message if that would help.
On Tue, Oct 05, 2021 at 07:11:02PM +0100, Lee Jones wrote: > On Tue, 05 Oct 2021, Eric Biggers wrote: > > > On Tue, Oct 05, 2021 at 10:14:58AM -0700, Adam Langley wrote: > > > On Tue, Oct 5, 2021 at 10:01 AM Eric Biggers <ebiggers@kernel.org> wrote: > > > > I ran into these same -Wdeprecated-declarations compiler warnings on another > > > > project that uses the ENGINE API to access OpenSSL's support for PKCS#11 tokens. > > > > The conclusion was that in OpenSSL 3.0, the new API for PKCS#11 support isn't > > > > actually ready yet, so we had to keep using the ENGINE API and just add > > > > -Wno-deprecated-declarations to the compiler flags. > > > > > > > > Your patch just removes support for PKCS#11 in that case, which seems > > > > undesirable. (Unless no one is actually using it?) > > > > > > The patch removes support when OPENSSL_NO_ENGINE is defined, but > > > that's not defined by default in OpenSSL 3.0. (Unless something > > > changed recently.) > > > > > > When OPENSSL_NO_ENGINE is defined, ENGINE support is not compiled into > > > OpenSSL and the headers don't include the functions: > > > https://github.com/openssl/openssl/blob/master/include/openssl/engine.h > > > . > > > > Okay so this patch is actually a build fix for when OpenSSL doesn't include > > ENGINE support? > > Correct. > > > Currently this patch claims that it's removing the use of a > > "deprecated" API, which is something entirely different. > > I see your point. > > Happy to rejig the commit message if that would help. *thread necromancy* Hi, These warnings are quite noisy on Fedora rawhide and other distros that have moved to OpenSSL 3.0. It's not clear to me from this thread if this patch is actually the correct fix? -Kees
On Wed, 02 Mar 2022, Kees Cook wrote: > On Tue, Oct 05, 2021 at 07:11:02PM +0100, Lee Jones wrote: > > On Tue, 05 Oct 2021, Eric Biggers wrote: > > > > > On Tue, Oct 05, 2021 at 10:14:58AM -0700, Adam Langley wrote: > > > > On Tue, Oct 5, 2021 at 10:01 AM Eric Biggers <ebiggers@kernel.org> wrote: > > > > > I ran into these same -Wdeprecated-declarations compiler warnings on another > > > > > project that uses the ENGINE API to access OpenSSL's support for PKCS#11 tokens. > > > > > The conclusion was that in OpenSSL 3.0, the new API for PKCS#11 support isn't > > > > > actually ready yet, so we had to keep using the ENGINE API and just add > > > > > -Wno-deprecated-declarations to the compiler flags. > > > > > > > > > > Your patch just removes support for PKCS#11 in that case, which seems > > > > > undesirable. (Unless no one is actually using it?) > > > > > > > > The patch removes support when OPENSSL_NO_ENGINE is defined, but > > > > that's not defined by default in OpenSSL 3.0. (Unless something > > > > changed recently.) > > > > > > > > When OPENSSL_NO_ENGINE is defined, ENGINE support is not compiled into > > > > OpenSSL and the headers don't include the functions: > > > > https://github.com/openssl/openssl/blob/master/include/openssl/engine.h > > > > . > > > > > > Okay so this patch is actually a build fix for when OpenSSL doesn't include > > > ENGINE support? > > > > Correct. > > > > > Currently this patch claims that it's removing the use of a > > > "deprecated" API, which is something entirely different. > > > > I see your point. > > > > Happy to rejig the commit message if that would help. > > *thread necromancy* > > Hi, > > These warnings are quite noisy on Fedora rawhide and other distros that > have moved to OpenSSL 3.0. It's not clear to me from this thread if this > patch is actually the correct fix? I believe it is the correct fix. However the commit message seemed to cause Eric some confusion. Would you like me to resubmit? It would be nice to get some input from the maintainers at one point.
On Thu, Mar 03, 2022 at 09:26:16AM +0000, Lee Jones wrote: > On Wed, 02 Mar 2022, Kees Cook wrote: > > > On Tue, Oct 05, 2021 at 07:11:02PM +0100, Lee Jones wrote: > > > On Tue, 05 Oct 2021, Eric Biggers wrote: > > > > > > > On Tue, Oct 05, 2021 at 10:14:58AM -0700, Adam Langley wrote: > > > > > On Tue, Oct 5, 2021 at 10:01 AM Eric Biggers <ebiggers@kernel.org> wrote: > > > > > > I ran into these same -Wdeprecated-declarations compiler warnings on another > > > > > > project that uses the ENGINE API to access OpenSSL's support for PKCS#11 tokens. > > > > > > The conclusion was that in OpenSSL 3.0, the new API for PKCS#11 support isn't > > > > > > actually ready yet, so we had to keep using the ENGINE API and just add > > > > > > -Wno-deprecated-declarations to the compiler flags. > > > > > > > > > > > > Your patch just removes support for PKCS#11 in that case, which seems > > > > > > undesirable. (Unless no one is actually using it?) > > > > > > > > > > The patch removes support when OPENSSL_NO_ENGINE is defined, but > > > > > that's not defined by default in OpenSSL 3.0. (Unless something > > > > > changed recently.) > > > > > > > > > > When OPENSSL_NO_ENGINE is defined, ENGINE support is not compiled into > > > > > OpenSSL and the headers don't include the functions: > > > > > https://github.com/openssl/openssl/blob/master/include/openssl/engine.h > > > > > . > > > > > > > > Okay so this patch is actually a build fix for when OpenSSL doesn't include > > > > ENGINE support? > > > > > > Correct. > > > > > > > Currently this patch claims that it's removing the use of a > > > > "deprecated" API, which is something entirely different. > > > > > > I see your point. > > > > > > Happy to rejig the commit message if that would help. > > > > *thread necromancy* > > > > Hi, > > > > These warnings are quite noisy on Fedora rawhide and other distros that > > have moved to OpenSSL 3.0. It's not clear to me from this thread if this > > patch is actually the correct fix? > > I believe it is the correct fix. > > However the commit message seemed to cause Eric some confusion. > > Would you like me to resubmit? Yes, please. :) > It would be nice to get some input from the maintainers at one point. David, do you have an opinion on this? I'd like to see this fixed so that rawhide builds stop spewing warnings. Thanks! -Kees
diff --git a/scripts/sign-file.c b/scripts/sign-file.c index fbd34b8e8f578..fa3fa59db6669 100644 --- a/scripts/sign-file.c +++ b/scripts/sign-file.c @@ -135,7 +135,9 @@ static int pem_pw_cb(char *buf, int len, int w, void *v) static EVP_PKEY *read_private_key(const char *private_key_name) { EVP_PKEY *private_key; + BIO *b; +#ifndef OPENSSL_NO_ENGINE if (!strncmp(private_key_name, "pkcs11:", 7)) { ENGINE *e; @@ -153,17 +155,16 @@ static EVP_PKEY *read_private_key(const char *private_key_name) private_key = ENGINE_load_private_key(e, private_key_name, NULL, NULL); ERR(!private_key, "%s", private_key_name); - } else { - BIO *b; - - b = BIO_new_file(private_key_name, "rb"); - ERR(!b, "%s", private_key_name); - private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, - NULL); - ERR(!private_key, "%s", private_key_name); - BIO_free(b); + return private_key; } +#endif + b = BIO_new_file(private_key_name, "rb"); + ERR(!b, "%s", private_key_name); + private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, + NULL); + ERR(!private_key, "%s", private_key_name); + BIO_free(b); return private_key; }
OpenSSL's ENGINE API is deprecated in OpenSSL v3.0. Use OPENSSL_NO_ENGINE to disallow its use and fall back on the BIO API. Cc: David Howells <dhowells@redhat.com> Cc: David Woodhouse <dwmw2@infradead.org> Cc: keyrings@vger.kernel.org Co-developed-by: Adam Langley <agl@google.com> Signed-off-by: Lee Jones <lee.jones@linaro.org> --- scripts/sign-file.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-)