sign-file: Convert API usage to support OpenSSL v3

2 files changed, 103 insertions, 0 deletions

diff --git a/debian/patches/bugfix/all/sign-file-Convert-API-usage-to-support-OpenSSL-v3.patch b/debian/patches/bugfix/all/sign-file-Convert-API-usage-to-support-OpenSSL-v3.patch
new file mode 100644
index 000000000..21ef4b949
--- /dev/null
+++ b/debian/patches/bugfix/all/sign-file-Convert-API-usage-to-support-OpenSSL-v3.patch
@@ -0,0 +1,102 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 18 May 2022 14:51:29 -0700
+Subject: sign-file: Convert API usage to support OpenSSL v3
+Origin: https://lore.kernel.org/lkml/20220518215129.264872-1-keescook@chromium.org/
+
+OpenSSL's ENGINE API is deprecated in OpenSSL v3.0, along with some
+other functions. Remove the ENGINE use and a macro work-around for
+ERR_get_error_line().
+
+Cc: David Howells <dhowells@redhat.com>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Cc: Eric Biggers <ebiggers@kernel.org>
+Cc: Shuah Khan <skhan@linuxfoundation.org>
+Cc: Salvatore Bonaccorso <carnil@debian.org>
+Cc: keyrings@vger.kernel.org
+Suggested-by: Adam Langley <agl@google.com>
+Co-developed-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Tested-by: Shuah Khan <skhan@linuxfoundation.org>
+---
+ scripts/sign-file.c | 49 ++++++++++-----------------------------------
+ 1 file changed, 11 insertions(+), 38 deletions(-)
+
+diff --git a/scripts/sign-file.c b/scripts/sign-file.c
+index fbd34b8e8f57..2d633c5f57c3 100644
+--- a/scripts/sign-file.c
++++ b/scripts/sign-file.c
+@@ -52,6 +52,10 @@
+ #include <openssl/pkcs7.h>
+ #endif
+ 
++#if OPENSSL_VERSION_MAJOR >= 3
++#define ERR_get_error_line(f, l)	ERR_get_error_all(f, l, NULL, NULL, NULL)
++#endif
++
+ struct module_signature {
+ 	uint8_t		algo;		/* Public-key crypto algorithm [0] */
+ 	uint8_t		hash;		/* Digest algorithm [0] */
+@@ -92,16 +96,6 @@ static void display_openssl_errors(int l)
+ 	}
+ }
+ 
+-static void drain_openssl_errors(void)
+-{
+-	const char *file;
+-	int line;
+-
+-	if (ERR_peek_error() == 0)
+-		return;
+-	while (ERR_get_error_line(&file, &line)) {}
+-}
+-
+ #define ERR(cond, fmt, ...)				\
+ 	do {						\
+ 		bool __cond = (cond);			\
+@@ -135,35 +129,14 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
+ static EVP_PKEY *read_private_key(const char *private_key_name)
+ {
+ 	EVP_PKEY *private_key;
++	BIO *b;
+ 
+-	if (!strncmp(private_key_name, "pkcs11:", 7)) {
+-		ENGINE *e;
+-
+-		ENGINE_load_builtin_engines();
+-		drain_openssl_errors();
+-		e = ENGINE_by_id("pkcs11");
+-		ERR(!e, "Load PKCS#11 ENGINE");
+-		if (ENGINE_init(e))
+-			drain_openssl_errors();
+-		else
+-			ERR(1, "ENGINE_init");
+-		if (key_pass)
+-			ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0),
+-			    "Set PKCS#11 PIN");
+-		private_key = ENGINE_load_private_key(e, private_key_name,
+-						      NULL, NULL);
+-		ERR(!private_key, "%s", private_key_name);
+-	} else {
+-		BIO *b;
+-
+-		b = BIO_new_file(private_key_name, "rb");
+-		ERR(!b, "%s", private_key_name);
+-		private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
+-						      NULL);
+-		ERR(!private_key, "%s", private_key_name);
+-		BIO_free(b);
+-	}
+-
++	b = BIO_new_file(private_key_name, "rb");
++	ERR(!b, "%s", private_key_name);
++	private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
++					      NULL);
++	ERR(!private_key, "%s", private_key_name);
++	BIO_free(b);
+ 	return private_key;
+ }
+ 
+-- 
+2.36.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 8750a4c5e..f795671e9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -79,6 +79,7 @@ features/x86/x86-make-x32-syscall-support-conditional.patch
 # Miscellaneous bug fixes
 bugfix/all/disable-some-marvell-phys.patch
 bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
+bugfix/all/sign-file-Convert-API-usage-to-support-OpenSSL-v3.patch
 
 # Miscellaneous features