Re: [PATCH v2] sign-file: Convert API usage to support OpenSSL v3

From: James Bottomley
Date: Thu May 19 2022 - 11:21:50 EST


On Wed, 2022-05-18 at 14:51 -0700, Kees Cook wrote:
> OpenSSL's ENGINE API is deprecated in OpenSSL v3.0, along with some
> other functions. Remove the ENGINE use and a macro work-around for
> ERR_get_error_line().

What answer was there to Eric Biggers' concern about token support in
sign-file?

https://lore.kernel.org/lkml/YVyKc51r2tfMmQuO@xxxxxxxxx/

If you're not doing ephemeral keys (as quite a few kernel builders
aren't) you really need a token to protect the signing key.

The other point was that openssl3 hasn't converted most of its own
engine code to the provider API, so the deprecation is a bit premature
because it will be a while before provider based token libraries
appear. If the goal is simply to not see the warnings, the compile
flag you need is

-DOPENSSL_API_COMPAT=0x10100000L

James