Re: [PATCH v2 1/1] sign-file: Do not attempt to use the ENGINE_* API if it's not available
From: Kees Cook
Date: Thu Mar 10 2022 - 11:52:10 EST
On Tue, Mar 08, 2022 at 10:31:11AM +0000, Lee Jones wrote:
> OpenSSL's ENGINE API is deprecated in OpenSSL v3.0.
>
> Use OPENSSL_NO_ENGINE to ensure the ENGINE API is only used if it is
> present. This will safeguard against compile errors when using SSL
> implementations which lack support for this deprecated API.
On Fedora rawhide, I'm still seeing a bunch of warnings:
scripts/sign-file.c: In function 'display_openssl_errors':
scripts/sign-file.c:89:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdeprecat
ed-declarations]
89 | while ((e = ERR_get_error_line(&file, &line))) {
| ^~~~~
In file included from scripts/sign-file.c:29:
/usr/include/openssl/err.h:411:15: note: declared here
411 | unsigned long ERR_get_error_line(const char **file, int *line);
| ^~~~~~~~~~~~~~~~~~
scripts/sign-file.c: In function 'drain_openssl_errors':
scripts/sign-file.c:102:9: warning: 'ERR_get_error_line' is deprecated: Since OpenSSL 3.0 [-Wdepreca
ted-declarations]
102 | while (ERR_get_error_line(&file, &line)) {}
| ^~~~~
/usr/include/openssl/err.h:411:15: note: declared here
411 | unsigned long ERR_get_error_line(const char **file, int *line);
| ^~~~~~~~~~~~~~~~~~
...
>
> Cc: David Howells <dhowells@xxxxxxxxxx>
> Cc: David Woodhouse <dwmw2@xxxxxxxxxxxxx>
> Cc: Eric Biggers <ebiggers@xxxxxxxxxx>
> Cc: Kees Cook <keescook@xxxxxxxxxxxx>
> Cc: keyrings@xxxxxxxxxxxxxxx
> Co-developed-by: Adam Langley <agl@xxxxxxxxxx>
> Signed-off-by: Lee Jones <lee.jones@xxxxxxxxxx>
> ---
> v2: Clear up subject and patch description to avoid confusion
>
> scripts/sign-file.c | 19 ++++++++++---------
> 1 file changed, 10 insertions(+), 9 deletions(-)
>
> diff --git a/scripts/sign-file.c b/scripts/sign-file.c
> index fbd34b8e8f578..fa3fa59db6669 100644
> --- a/scripts/sign-file.c
> +++ b/scripts/sign-file.c
> @@ -135,7 +135,9 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
> static EVP_PKEY *read_private_key(const char *private_key_name)
> {
> EVP_PKEY *private_key;
> + BIO *b;
>
> +#ifndef OPENSSL_NO_ENGINE
> if (!strncmp(private_key_name, "pkcs11:", 7)) {
> ENGINE *e;
>
> @@ -153,17 +155,16 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
> private_key = ENGINE_load_private_key(e, private_key_name,
> NULL, NULL);
> ERR(!private_key, "%s", private_key_name);
> - } else {
> - BIO *b;
> -
> - b = BIO_new_file(private_key_name, "rb");
> - ERR(!b, "%s", private_key_name);
> - private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
> - NULL);
> - ERR(!private_key, "%s", private_key_name);
> - BIO_free(b);
> + return private_key;
> }
> +#endif
>
> + b = BIO_new_file(private_key_name, "rb");
> + ERR(!b, "%s", private_key_name);
> + private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
> + NULL);
> + ERR(!private_key, "%s", private_key_name);
> + BIO_free(b);
> return private_key;
> }
--
Kees Cook