author | Salvatore Bonaccorso <carnil@debian.org> | 2022-05-19 07:34:14 +0200 |
---|---|---|
committer | Salvatore Bonaccorso <carnil@debian.org> | 2022-05-19 07:34:48 +0200 |
commit | 13e234d459c11946efba647c3daf15e03abb0d99 (patch) | |
tree | 395290f2fd05e97c4eba744df4739266c04564be /debian/patches | |
parent | 0b6b2adc4214e4153b64f0199f3f198c6b1f2c7d (diff) | |
sign-file: Convert API usage to support OpenSSL v3
Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/bugfix/all/sign-file-Convert-API-usage-to-support-OpenSSL-v3.patch | 102 | ||||
-rw-r--r-- | debian/patches/series | 1 |
2 files changed, 103 insertions, 0 deletions
diff --git a/debian/patches/bugfix/all/sign-file-Convert-API-usage-to-support-OpenSSL-v3.patch b/debian/patches/bugfix/all/sign-file-Convert-API-usage-to-support-OpenSSL-v3.patch
new file mode 100644
index 000000000..21ef4b949
--- /dev/null
+++ b/debian/patches/bugfix/all/sign-file-Convert-API-usage-to-support-OpenSSL-v3.patch
@@ -0,0 +1,102 @@
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 18 May 2022 14:51:29 -0700
+Subject: sign-file: Convert API usage to support OpenSSL v3
+Origin: https://lore.kernel.org/lkml/20220518215129.264872-1-keescook@chromium.org/
+
+OpenSSL's ENGINE API is deprecated in OpenSSL v3.0, along with some
+other functions. Remove the ENGINE use and a macro work-around for
+ERR_get_error_line().
+
+Cc: David Howells <dhowells@redhat.com>
+Cc: David Woodhouse <dwmw2@infradead.org>
+Cc: Eric Biggers <ebiggers@kernel.org>
+Cc: Shuah Khan <skhan@linuxfoundation.org>
+Cc: Salvatore Bonaccorso <carnil@debian.org>
+Cc: keyrings@vger.kernel.org
+Suggested-by: Adam Langley <agl@google.com>
+Co-developed-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Tested-by: Shuah Khan <skhan@linuxfoundation.org>
+---
+ scripts/sign-file.c | 49 ++++++++++-----------------------------------
+ 1 file changed, 11 insertions(+), 38 deletions(-)
+
+diff --git a/scripts/sign-file.c b/scripts/sign-file.c
+index fbd34b8e8f57..2d633c5f57c3 100644
+--- a/scripts/sign-file.c
++++ b/scripts/sign-file.c
+@@ -52,6 +52,10 @@
+ #include <openssl/pkcs7.h>
+ #endif
+
++#if OPENSSL_VERSION_MAJOR >= 3
++#define ERR_get_error_line(f, l) ERR_get_error_all(f, l, NULL, NULL, NULL)
++#endif
++
+ struct module_signature {
+ uint8_t algo; /* Public-key crypto algorithm [0] */
+ uint8_t hash; /* Digest algorithm [0] */
+@@ -92,16 +96,6 @@ static void display_openssl_errors(int l)
+ }
+ }
+
+-static void drain_openssl_errors(void)
+-{
+- const char *file;
+- int line;
+-
+- if (ERR_peek_error() == 0)
+- return;
+- while (ERR_get_error_line(&file, &line)) {}
+-}
+-
+ #define ERR(cond, fmt, ...) \
+ do { \
+ bool __cond = (cond); \
+@@ -135,35 +129,14 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
+ static EVP_PKEY *read_private_key(const char *private_key_name)
+ {
+ EVP_PKEY *private_key;
++ BIO *b;
+
+- if (!strncmp(private_key_name, "pkcs11:", 7)) {
+- ENGINE *e;
+-
+- ENGINE_load_builtin_engines();
+- drain_openssl_errors();
+- e = ENGINE_by_id("pkcs11");
+- ERR(!e, "Load PKCS#11 ENGINE");
+- if (ENGINE_init(e))
+- drain_openssl_errors();
+- else
+- ERR(1, "ENGINE_init");
+- if (key_pass)
+- ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0),
+- "Set PKCS#11 PIN");
+- private_key = ENGINE_load_private_key(e, private_key_name,
+- NULL, NULL);
+- ERR(!private_key, "%s", private_key_name);
+- } else {
+- BIO *b;
+-
+- b = BIO_new_file(private_key_name, "rb");
+- ERR(!b, "%s", private_key_name);
+- private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
+- NULL);
+- ERR(!private_key, "%s", private_key_name);
+- BIO_free(b);
+- }
+-
++ b = BIO_new_file(private_key_name, "rb");
++ ERR(!b, "%s", private_key_name);
++ private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
++ NULL);
++ ERR(!private_key, "%s", private_key_name);
++ BIO_free(b);
+ return private_key;
+ }
+
+--
+2.36.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 8750a4c5e..f795671e9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -79,6 +79,7 @@ features/x86/x86-make-x32-syscall-support-conditional.patch
 # Miscellaneous bug fixes
 bugfix/all/disable-some-marvell-phys.patch
 bugfix/all/fs-add-module_softdep-declarations-for-hard-coded-cr.patch
+bugfix/all/sign-file-Convert-API-usage-to-support-OpenSSL-v3.patch
 # Miscellaneous features |
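Review bot: The rewritten `read_private_key()` no longer recognises `pkcs11:` key names, so a URI that used to be routed to the PKCS#11 ENGINE is now handed to `BIO_new_file()` as a path and fails with a generic file error, leaving a PEM key readable on the build host as the only way to sign modules. The patch description mentions removing the ENGINE use but does not say that token- or HSM-backed signing keys stop working, which matters to anyone who deliberately keeps the module-signing key off the build machine. If dropping the feature is intended for this build, fail explicitly before the open, e.g. `ERR(!strncmp(private_key_name, "pkcs11:", 7), "PKCS#11 keys are not supported by this build");`, and state the regression in the patch header; otherwise keep the ENGINE branch for builds where `OPENSSL_VERSION_MAJOR` is below 3. The body of `read_private_key()` is fully visible in the inner hunk, but whether `<openssl/engine.h>` is still included lies outside it.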