@@ -219,19 +219,10 @@ out:
OPENSSL_free(name_der);
OPENSSL_free(pkcs7_data);
return err;
}
-static int
-load_pkcs11_private_key(const struct libfsverity_signature_params *sig_params
- __attribute__((unused)),
- EVP_PKEY **pkey_ret __attribute__((unused)))
-{
- libfsverity_error_msg("BoringSSL doesn't support PKCS#11 tokens");
- return -EINVAL;
-}
-
#else /* OPENSSL_IS_BORINGSSL */
static BIO *new_mem_buf(const void *buf, size_t size)
{
BIO *bio;
@@ -331,10 +322,22 @@ out:
PKCS7_free(p7);
BIO_free(bio);
return err;
}
+#endif /* !OPENSSL_IS_BORINGSSL */
+
+#ifdef OPENSSL_NO_ENGINE
+static int
+load_pkcs11_private_key(const struct libfsverity_signature_params *sig_params
+ __attribute__((unused)),
+ EVP_PKEY **pkey_ret __attribute__((unused)))
+{
+ libfsverity_error_msg("libfsverity was linked to a version of OpenSSL that doesn't support PKCS#11 tokens.");
+ return -EINVAL;
+}
+#else
static int
load_pkcs11_private_key(const struct libfsverity_signature_params *sig_params,
EVP_PKEY **pkey_ret)
{
ENGINE *engine;
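Review bot: The new `#ifdef OPENSSL_NO_ENGINE` guard only tracks OpenSSL's `no-engine` build option, so the `#else` branch that declares `ENGINE *engine` is still compiled when the headers hide the ENGINE API for a different reason; with OpenSSL 3.x the `ENGINE_*` declarations are also removed under `OPENSSL_NO_DEPRECATED_3_0` (a `no-deprecated` build or `OPENSSL_API_COMPAT` at 3.0), which would make this file fail to build instead of falling back to the stub. Consider widening the check to `#if defined(OPENSSL_NO_ENGINE) || defined(OPENSSL_NO_DEPRECATED_3_0)` so the stub is selected whenever the ENGINE functions are unavailable. The removal of the explicit BoringSSL stub also appears to assume that BoringSSL defines `OPENSSL_NO_ENGINE`; if that assumption is wrong, the real ENGINE path would now be compiled against BoringSSL, which the old `OPENSSL_IS_BORINGSSL` stub prevented, so it is worth confirming against the BoringSSL headers targeted. The body of the non-stub load_pkcs11_private_key continues outside this hunk.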
@@ -373,12 +376,11 @@ load_pkcs11_private_key(const struct libfsverity_signature_params *sig_params,
error_msg_openssl("failed to load private key from PKCS#11 token");
return -EINVAL;
}
return 0;
}
-
-#endif /* !OPENSSL_IS_BORINGSSL */
+#endif
/* Get a private key, either from disk or from a PKCS#11 token. */
static int
get_private_key(const struct libfsverity_signature_params *sig_params,
EVP_PKEY **pkey_ret)
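Review bot: The bare `#endif` that replaces the annotated one closes the `#ifdef OPENSSL_NO_ENGINE` / `#else` pair opened some forty lines earlier, and the file otherwise labels its conditional ends (the new `#endif /* !OPENSSL_IS_BORINGSSL */` just above); for consistency and so a reader of the `return 0;` path can tell which build variant they are in, write it as `#endif /* !OPENSSL_NO_ENGINE */`. The start of load_pkcs11_private_key and the body of get_private_key lie outside this hunk, so the engine cleanup on the `failed to load private key` error path could not be checked here.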
@@ -207,12 +207,12 @@ The signature will be written to \f[I]OUT_SIGFILE\f[R] in PKCS#7 DER format.
The private key can be specified either by key file or by PKCS#11 token.
To use a key file, provide \f[B]--key\f[R] and optionally \f[B]--cert\f[R].
To use a PKCS#11 token, provide \f[B]--pkcs11-engine\f[R],
\f[B]--pkcs11-module\f[R], \f[B]--cert\f[R], and optionally
\f[B]--pkcs11-keyid\f[R].
-PKCS#11 token support is unavailable when fsverity-utils was built with
-BoringSSL rather than OpenSSL.
+PKCS#11 token support is unavailable if fsverity-utils was built with a version
+of OpenSSL that does not support PKCS#11 tokens.
.PP
\f[B]fsverity sign\f[R] should only be used if you need compatibility with
fs-verity built-in signatures.
It is not the only way to do signatures with fs-verity.
For more information, see the fsverity-utils README.