lib/sign_digest: disable PKCS#11 support when not available in OpenSSL

This is needed to fix the build on Fedora, due to
https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine.

There may be a new way to support PKCS#11 tokens, but I'll leave that to
someone who cares about that feature (if anyone still cares about it).

Closes: https://lore.kernel.org/r/d42c3dd4-47b4-4e98-9814-99cd9c1d112d@linux.ibm.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
diff --git a/lib/sign_digest.c b/lib/sign_digest.c
index d726772..c22ff90 100644
--- a/lib/sign_digest.c
+++ b/lib/sign_digest.c
@@ -221,15 +221,6 @@
 	return err;
 }
 
-static int
-load_pkcs11_private_key(const struct libfsverity_signature_params *sig_params
-			__attribute__((unused)),
-			EVP_PKEY **pkey_ret __attribute__((unused)))
-{
-	libfsverity_error_msg("BoringSSL doesn't support PKCS#11 tokens");
-	return -EINVAL;
-}
-
 #else /* OPENSSL_IS_BORINGSSL */
 
 static BIO *new_mem_buf(const void *buf, size_t size)
@@ -333,6 +324,18 @@
 	return err;
 }
 
+#endif /* !OPENSSL_IS_BORINGSSL */
+
+#ifdef OPENSSL_NO_ENGINE
+static int
+load_pkcs11_private_key(const struct libfsverity_signature_params *sig_params
+			__attribute__((unused)),
+			EVP_PKEY **pkey_ret __attribute__((unused)))
+{
+	libfsverity_error_msg("libfsverity was linked to a version of OpenSSL that doesn't support PKCS#11 tokens");
+	return -EINVAL;
+}
+#else
 static int
 load_pkcs11_private_key(const struct libfsverity_signature_params *sig_params,
 			EVP_PKEY **pkey_ret)
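Review bot: The `#ifdef OPENSSL_NO_ENGINE` guard is now the only thing that selects the stub, so BoringSSL builds, whose explicit stub this commit removes in the first hunk, get it only if the BoringSSL headers define `OPENSSL_NO_ENGINE` before this point; nothing visible here establishes that. Writing the condition as `#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_NO_ENGINE)` keeps the old guarantee and states the intent. The include of `<openssl/engine.h>` is outside the hunks shown and presumably needs the same condition, otherwise a build without the engine headers may still fail before reaching this code. The `#else` on the last added line and the bare `#endif` in the next hunk would read better labelled, e.g. `#else /* !OPENSSL_NO_ENGINE */`, matching the `#endif /* !OPENSSL_IS_BORINGSSL */` style used just above. The body of the engine-backed `load_pkcs11_private_key` continues outside this hunk.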
@@ -375,8 +378,7 @@
 	}
 	return 0;
 }
-
-#endif /* !OPENSSL_IS_BORINGSSL */
+#endif
 
 /* Get a private key, either from disk or from a PKCS#11 token. */
 static int
diff --git a/man/fsverity.1 b/man/fsverity.1
index 0bb9f01..1214b24 100644
--- a/man/fsverity.1
+++ b/man/fsverity.1
@@ -209,8 +209,8 @@
 To use a PKCS#11 token, provide \f[B]--pkcs11-engine\f[R],
 \f[B]--pkcs11-module\f[R], \f[B]--cert\f[R], and optionally
 \f[B]--pkcs11-keyid\f[R].
-PKCS#11 token support is unavailable when fsverity-utils was built with
-BoringSSL rather than OpenSSL.
+PKCS#11 token support is unavailable if fsverity-utils was built with a version
+of OpenSSL that does not support PKCS#11 tokens.
 .PP
 \f[B]fsverity sign\f[R] should only be used if you need compatibility with
 fs-verity built-in signatures.