sign-file: Convert API usage to support OpenSSL v3

Origin: https://lore.kernel.org/lkml/20220518215129.264872-1-keescook@chromium.org/

OpenSSL's ENGINE API is deprecated in OpenSSL v3.0, along with some
other functions. Remove the ENGINE use and a macro work-around for
ERR_get_error_line().

Cc: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Eric Biggers <ebiggers@kernel.org>
Cc: Shuah Khan <skhan@linuxfoundation.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>
Cc: keyrings@vger.kernel.org
Suggested-by: Adam Langley <agl@google.com>
Co-developed-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name sign-file-Convert-API-usage-to-support-OpenSSL-v3.patch

diff --git a/scripts/sign-file.c b/scripts/sign-file.c
index fbd34b8e8f578aba003533348c907899779fb62c..2d633c5f57c3933311bc19eec9d4b9517b6e8146 100644 (file)
--- a/scripts/sign-file.c
+++ b/scripts/sign-file.c
@@ -52,6 +52,10 @@
 #include <openssl/pkcs7.h>
 #endif
 
+#if OPENSSL_VERSION_MAJOR >= 3
+#define ERR_get_error_line(f, l)       ERR_get_error_all(f, l, NULL, NULL, NULL)
+#endif
+
 struct module_signature {
        uint8_t         algo;           /* Public-key crypto algorithm [0] */
        uint8_t         hash;           /* Digest algorithm [0] */
@@ -92,16 +96,6 @@ static void display_openssl_errors(int l)
        }
 }
 
-static void drain_openssl_errors(void)
-{
-       const char *file;
-       int line;
-
-       if (ERR_peek_error() == 0)
-               return;
-       while (ERR_get_error_line(&file, &line)) {}
-}
-
 #define ERR(cond, fmt, ...)                            \
        do {                                            \
                bool __cond = (cond);                   \
@@ -135,35 +129,14 @@ static int pem_pw_cb(char *buf, int len, int w, void *v)
 static EVP_PKEY *read_private_key(const char *private_key_name)
 {
        EVP_PKEY *private_key;
+       BIO *b;
 
-       if (!strncmp(private_key_name, "pkcs11:", 7)) {
-               ENGINE *e;
-
-               ENGINE_load_builtin_engines();
-               drain_openssl_errors();
-               e = ENGINE_by_id("pkcs11");
-               ERR(!e, "Load PKCS#11 ENGINE");
-               if (ENGINE_init(e))
-                       drain_openssl_errors();
-               else
-                       ERR(1, "ENGINE_init");
-               if (key_pass)
-                       ERR(!ENGINE_ctrl_cmd_string(e, "PIN", key_pass, 0),
-                           "Set PKCS#11 PIN");
-               private_key = ENGINE_load_private_key(e, private_key_name,
-                                                     NULL, NULL);
-               ERR(!private_key, "%s", private_key_name);
-       } else {
-               BIO *b;
-
-               b = BIO_new_file(private_key_name, "rb");
-               ERR(!b, "%s", private_key_name);
-               private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
-                                                     NULL);
-               ERR(!private_key, "%s", private_key_name);
-               BIO_free(b);
-       }
-
+       b = BIO_new_file(private_key_name, "rb");
+       ERR(!b, "%s", private_key_name);
+       private_key = PEM_read_bio_PrivateKey(b, NULL, pem_pw_cb,
+                                             NULL);
+       ERR(!private_key, "%s", private_key_name);
+       BIO_free(b);
        return private_key;
 }