Message ID | 20220518215129.264872-1-keescook@chromium.org (mailing list archive) |
---|---|
State | New |
Headers | show |
Series | [v2] sign-file: Convert API usage to support OpenSSL v3 | expand |
On Wed, May 18, 2022 at 02:51:29PM -0700, Kees Cook wrote: > OpenSSL's ENGINE API is deprecated in OpenSSL v3.0, along with some > other functions. Remove the ENGINE use and a macro work-around for > ERR_get_error_line(). > > Cc: David Howells <dhowells@redhat.com> > Cc: David Woodhouse <dwmw2@infradead.org> > Cc: Eric Biggers <ebiggers@kernel.org> > Cc: Shuah Khan <skhan@linuxfoundation.org> > Cc: Salvatore Bonaccorso <carnil@debian.org> > Cc: keyrings@vger.kernel.org > Suggested-by: Adam Langley <agl@google.com> > Co-developed-by: Lee Jones <lee.jones@linaro.org> > Signed-off-by: Lee Jones <lee.jones@linaro.org> > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > v1: https://lore.kernel.org/lkml/20211005161833.1522737-1-lee.jones@linaro.org/ > v2: https://lore.kernel.org/lkml/Yicwb+Ceiu8JjVIS@google.com/ > v3: > - Eliminate all the build warnings with OpenSSL 3 > - Fully remove ENGINE usage, if it can be optional, just drop it. > --- > scripts/sign-file.c | 49 ++++++++++----------------------------------- > 1 file changed, 11 insertions(+), 38 deletions(-) > > diff --git a/scripts/sign-file.c b/scripts/sign-file.c Eh, this only fixes sign-file.c. Fixes are still needed for extract-cert.c...
On 5/18/22 3:51 PM, Kees Cook wrote: > OpenSSL's ENGINE API is deprecated in OpenSSL v3.0, along with some > other functions. Remove the ENGINE use and a macro work-around for > ERR_get_error_line(). > > Cc: David Howells <dhowells@redhat.com> > Cc: David Woodhouse <dwmw2@infradead.org> > Cc: Eric Biggers <ebiggers@kernel.org> > Cc: Shuah Khan <skhan@linuxfoundation.org> > Cc: Salvatore Bonaccorso <carnil@debian.org> > Cc: keyrings@vger.kernel.org > Suggested-by: Adam Langley <agl@google.com> > Co-developed-by: Lee Jones <lee.jones@linaro.org> > Signed-off-by: Lee Jones <lee.jones@linaro.org> > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > v1: https://lore.kernel.org/lkml/20211005161833.1522737-1-lee.jones@linaro.org/ > v2: https://lore.kernel.org/lkml/Yicwb+Ceiu8JjVIS@google.com/ > v3: > - Eliminate all the build warnings with OpenSSL 3 > - Fully remove ENGINE usage, if it can be optional, just drop it. > --- > scripts/sign-file.c | 49 ++++++++++----------------------------------- > 1 file changed, 11 insertions(+), 38 deletions(-) Worked for me on OpenSSL v3 and older version . Tested-by: Shuah Khan <skhan@linuxfoundation.org> thanks, -- Shuah
Hi Kees, On Wed, May 18, 2022 at 02:51:29PM -0700, Kees Cook wrote: > OpenSSL's ENGINE API is deprecated in OpenSSL v3.0, along with some > other functions. Remove the ENGINE use and a macro work-around for > ERR_get_error_line(). > > Cc: David Howells <dhowells@redhat.com> > Cc: David Woodhouse <dwmw2@infradead.org> > Cc: Eric Biggers <ebiggers@kernel.org> > Cc: Shuah Khan <skhan@linuxfoundation.org> > Cc: Salvatore Bonaccorso <carnil@debian.org> > Cc: keyrings@vger.kernel.org > Suggested-by: Adam Langley <agl@google.com> > Co-developed-by: Lee Jones <lee.jones@linaro.org> > Signed-off-by: Lee Jones <lee.jones@linaro.org> > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > v1: https://lore.kernel.org/lkml/20211005161833.1522737-1-lee.jones@linaro.org/ > v2: https://lore.kernel.org/lkml/Yicwb+Ceiu8JjVIS@google.com/ > v3: > - Eliminate all the build warnings with OpenSSL 3 > - Fully remove ENGINE usage, if it can be optional, just drop it. > --- > scripts/sign-file.c | 49 ++++++++++----------------------------------- > 1 file changed, 11 insertions(+), 38 deletions(-) > > diff --git a/scripts/sign-file.c b/scripts/sign-file.c > index fbd34b8e8f57..2d633c5f57c3 100644 > --- a/scripts/sign-file.c > +++ b/scripts/sign-file.c > @@ -52,6 +52,10 @@ > #include <openssl/pkcs7.h> > #endif > > +#if OPENSSL_VERSION_MAJOR >= 3 > +#define ERR_get_error_line(f, l) ERR_get_error_all(f, l, NULL, NULL, NULL) > +#endif > + > struct module_signature { > uint8_t algo; /* Public-key crypto algorithm [0] */ > uint8_t hash; /* Digest algorithm [0] */ > @@ -92,16 +96,6 @@ static void display_openssl_errors(int l) > } > } > > -static void drain_openssl_errors(void) > -{ > - const char *file; > - int line; > - > - if (ERR_peek_error() == 0) > - return; > - while (ERR_get_error_line(&file, &line)) {} > -} > - > #define ERR(cond, fmt, ...) \ > do { \ > bool __cond = (cond); \ > @@ -135,35 +129,14 @@ static int pem_pw_cb(char *buf, int len, int w, void *v) > static EVP_PKEY *read_private_key(const char *private_key_name) > { > EVP_PKEY *private_key; > + BIO *b; > > - if (!strncmp(private_key_name, "pkcs11:", 7)) { > - ENGINE *e; > - > - ENGINE_load_builtin_engines(); > - drain_openssl_errors(); > - e = ENGINE_by_id("pkcs11"); > - ERR(!e, "Load PKCS#11 ENGINE"); > - if (ENGINE_init(e)) > - drain_openssl_errors(); > - else > - ERR(1, "ENGINE_init"); > - if (key_pass) > - ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), > - "Set PKCS#11 PIN"); > - private_key = ENGINE_load_private_key(e, private_key_name, > - NULL, NULL); > - ERR(!private_key, "%s", private_key_name); > - } else { > - BIO *b; > - > - b = BIO_new_file(private_key_name, "rb"); > - ERR(!b, "%s", private_key_name); > - private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, > - NULL); > - ERR(!private_key, "%s", private_key_name); > - BIO_free(b); > - } > - > + b = BIO_new_file(private_key_name, "rb"); > + ERR(!b, "%s", private_key_name); > + private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, > + NULL); > + ERR(!private_key, "%s", private_key_name); > + BIO_free(b); > return private_key; > } Fixes for us as well the build warnings for sign-file.c (as you noted the other part is still in extract-cert.c). Tested-by: Salvatore Bonaccorso <carnil@debian.org> Regards, Salvatore
On Wed, 2022-05-18 at 14:51 -0700, Kees Cook wrote: > OpenSSL's ENGINE API is deprecated in OpenSSL v3.0, along with some > other functions. Remove the ENGINE use and a macro work-around for > ERR_get_error_line(). What answer was there to Eric Biggers' concern about token support in sign-file? https://lore.kernel.org/lkml/YVyKc51r2tfMmQuO@gmail.com/ If you're not doing ephemeral keys (as quite a few kernel builder's aren't) you really need a token to protect the signing key. The other point was that openssl3 hasn't converted most of its own engine code to the provider API, so the deprecation is a bit premature because it will be a while before provider based token libraries appear. If the goal is simply to not see the warnings, the compile flag you need is -DOPENSSL_API_COMPAT=0x10100000L James
diff --git a/scripts/sign-file.c b/scripts/sign-file.c index fbd34b8e8f57..2d633c5f57c3 100644 --- a/scripts/sign-file.c +++ b/scripts/sign-file.c @@ -52,6 +52,10 @@ #include <openssl/pkcs7.h> #endif +#if OPENSSL_VERSION_MAJOR >= 3 +#define ERR_get_error_line(f, l) ERR_get_error_all(f, l, NULL, NULL, NULL) +#endif + struct module_signature { uint8_t algo; /* Public-key crypto algorithm [0] */ uint8_t hash; /* Digest algorithm [0] */ @@ -92,16 +96,6 @@ static void display_openssl_errors(int l) } } -static void drain_openssl_errors(void) -{ - const char *file; - int line; - - if (ERR_peek_error() == 0) - return; - while (ERR_get_error_line(&file, &line)) {} -} - #define ERR(cond, fmt, ...) \ do { \ bool __cond = (cond); \ @@ -135,35 +129,14 @@ static int pem_pw_cb(char *buf, int len, int w, void *v) static EVP_PKEY *read_private_key(const char *private_key_name) { EVP_PKEY *private_key; + BIO *b; - if (!strncmp(private_key_name, "pkcs11:", 7)) { - ENGINE *e; - - ENGINE_load_builtin_engines(); - drain_openssl_errors(); - e = ENGINE_by_id("pkcs11"); - ERR(!e, "Load PKCS#11 ENGINE"); - if (ENGINE_init(e)) - drain_openssl_errors(); - else - ERR(1, "ENGINE_init"); - if (key_pass) - ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), - "Set PKCS#11 PIN"); - private_key = ENGINE_load_private_key(e, private_key_name, - NULL, NULL); - ERR(!private_key, "%s", private_key_name); - } else { - BIO *b; - - b = BIO_new_file(private_key_name, "rb"); - ERR(!b, "%s", private_key_name); - private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, - NULL); - ERR(!private_key, "%s", private_key_name); - BIO_free(b); - } - + b = BIO_new_file(private_key_name, "rb"); + ERR(!b, "%s", private_key_name); + private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb, + NULL); + ERR(!private_key, "%s", private_key_name); + BIO_free(b); return private_key; }