From: Jan Stancek <jstancek@xxxxxxxxxx>
not upstream: drop openssl ENGINE API usage
openssl deprecated ENGINE API and by default no longer provides
engine.h header, which couple scripts depend on.
The only usage appears to be in code paths we don't really need
for Fedora/RHEL, so as temporary measure drop that code
while we wait for an upstream solution.
Signed-off-by: Jan Stancek <jstancek@xxxxxxxxxx>
diff --git a/certs/extract-cert.c b/certs/extract-cert.c
index blahblah..blahblah 100644
--- a/certs/extract-cert.c
+++ b/certs/extract-cert.c
@@ -21,7 +21,6 @@
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/err.h>
-#include <openssl/engine.h>
/*
* OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
@@ -122,28 +121,8 @@ int main(int argc, char **argv)
fclose(f);
exit(0);
} else if (!strncmp(cert_src, "pkcs11:", 7)) {
- ENGINE *e;
- struct {
- const char *cert_id;
- X509 *cert;
- } parms;
-
- parms.cert_id = cert_src;
- parms.cert = NULL;
-
- ENGINE_load_builtin_engines();
- drain_openssl_errors();
- e = ENGINE_by_id("pkcs11");
- ERR(!e, "Load PKCS#11 ENGINE");
- if (ENGINE_init(e))
- drain_openssl_errors();
- else
- ERR(1, "ENGINE_init");
- if (key_pass)
- ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0), "Set PKCS#11 PIN");
- ENGINE_ctrl_cmd(e, "LOAD_CERT_CTRL", 0, &parms, NULL, 1);
- ERR(!parms.cert, "Get X.509 from PKCS#11");
- write_cert(parms.cert);
+ fprintf(stderr, "Error: pkcs11 not implemented\n");
+ exit(1);
} else {
BIO *b;
X509 *x509;
diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index blahblah..blahblah 100644
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -27,7 +27,6 @@
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/err.h>
-#include <openssl/engine.h>
/*
* OpenSSL 3.0 deprecates the OpenSSL's ENGINE API.
@@ -99,16 +98,6 @@ static void display_openssl_errors(int l)
}
}
-static void drain_openssl_errors(void)
-{
- const char *file;
- int line;
-
- if (ERR_peek_error() == 0)
- return;
- while (ERR_get_error_line(&file, &line)) {}
-}
-
#define ERR(cond, fmt, ...) \
do { \
bool __cond = (cond); \
@@ -144,22 +133,8 @@ static EVP_PKEY *read_private_key(const char *private_key_name)
EVP_PKEY *private_key;
if (!strncmp(private_key_name, "pkcs11:", 7)) {
- ENGINE *e;
-
- ENGINE_load_builtin_engines();
- drain_openssl_errors();
- e = ENGINE_by_id("pkcs11");
- ERR(!e, "Load PKCS#11 ENGINE");
- if (ENGINE_init(e))
- drain_openssl_errors();
- else
- ERR(1, "ENGINE_init");
- if (key_pass)
- ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0),
- "Set PKCS#11 PIN");
- private_key = ENGINE_load_private_key(e, private_key_name,
- NULL, NULL);
- ERR(!private_key, "%s", private_key_name);
+ fprintf(stderr, "Error: pkcs11 not implemented\n");
+ exit(1);
} else {
BIO *b;
--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/3223
--
_______________________________________________
kernel mailing list -- kernel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to kernel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/kernel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
