On 11/23/23 20:05, James Bottomley wrote:
On Thu, 2023-11-23 at 18:42 -0500, Dennis Clarke wrote:
On 11/23/23 09:53, James Bottomley wrote:
On Fri, 2023-11-17 at 00:34 -0500, Dennis Clarke wrote:
On 11/16/23 18:41, Bagas Sanjaya wrote:
Hi,
I notice a bug report on Bugzilla [1]. Quoting from it:
<snip>
Not related to
https://bugzilla.kernel.org/show_bug.cgi?id=215750 but I
.
. <snip>
.
I am looking into this. The code will likely age into some deprecated
calls and I think that I may be way out on the edge here.
So you did build without engine support ...
Yep.
--prefix=/usr/local no-asm shared no-engine no-hw threads zlib
sctp enable-weak-ssl-ciphers -DPEDANTIC -D_REENTRANT
So there we see the "no-engine" option. That pretty much kicks the
sign-file.c code to the curb.
However the code will need a pile of ifndef stuff and then call the
correct future looking calls for OpenSSL 3.x etc etc etc ... the
usual stuff
Well, not really: openssl is highly configurable and if it gets
configured wrongly, stuff like this happens.
Well, not "wrongly". More like "not the usual off the shelf stuff".
That's why distros have a
fairly inclusive configuration and they stick to it. No-one can cope
with the combinatoric explosion of openssl configuration possibilities
(even though they have ifdefs for most of them) so the only way is
really to fix a standard configuration and assume you're building for
it.
Seems clear to me.
Openssl has been talking for ages about removing engine support, but
they've been unable to do so due to the rather slow pace of conversion
of their own engines. I anticipate this code can be removed in favour
of the pkcs11 provider long before openssl actually manages to remove
engines.
James
Well I thank you for the clarity here. I still feel that sign-file.c
needs a bit of a rewrite and I guess the old expression "patches are
welcome" works here.
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken