* [PATCH master] scripts: rockchip: rkimage: reinstate OpenSSL 1.1 compatibility
@ 2025-09-30 13:46 Ahmad Fatoum
2025-09-30 14:12 ` Alexander Shiyan
2025-10-01 8:29 ` Sascha Hauer
0 siblings, 2 replies; 3+ messages in thread
From: Ahmad Fatoum @ 2025-09-30 13:46 UTC (permalink / raw)
To: barebox; +Cc: Alexander Shiyan, Michael Tretter, Ahmad Fatoum
The new signing support made the rkimage utility require OpenSSL 3.0.
We will keep that requirement for signing, but for usage without
signing, let's skip the signing bits optional and report an error on
attempting to sign.
Reported-by: Alexander Shiyan <eagle.alexander923@gmail.com>
Cc: Michael Tretter <m.tretter@pengutronix.de>
Fixes: 54da6347b273 ("scripts: rockchip: implement image signing")
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
scripts/rkimage.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/scripts/rkimage.c b/scripts/rkimage.c
index 9b3ae8bbfff7..e5b6d61c4a9d 100644
--- a/scripts/rkimage.c
+++ b/scripts/rkimage.c
@@ -13,7 +13,6 @@
#include <stdbool.h>
#include <openssl/bn.h>
-#include <openssl/core_names.h>
/*
* TODO Switch from the OpenSSL ENGINE API to the PKCS#11 provider and the
* PROVIDER API: https://github.com/latchset/pkcs11-provider
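Review bot: Removing the core_names.h include from the top-of-file include list means it has to reappear in the middle of the file, which splits the includes across two places. Consider keeping it here under the same version guard (after an explicit include of openssl/opensslv.h), so all OpenSSL headers stay together and the later block only guards code.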
@@ -64,7 +63,7 @@ static void idb_hash(struct newidb *idb)
sha512(idbu8, size, idbu8 + size);
}
-static EVP_PKEY *load_key_pkcs11(const char *path)
+static __attribute__((unused)) EVP_PKEY *load_key_pkcs11(const char *path)
{
const char *engine_id = "pkcs11";
ENGINE *e;
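Review bot: The __attribute__((unused)) on load_key_pkcs11() (and on load_key_file() in the next hunk) is applied unconditionally, so it also silences the warning on OpenSSL 3.0 builds, where a loader that really became unused would be worth hearing about. Since both loaders are only needed by the signing path, consider moving them inside the OPENSSL_VERSION_NUMBER >= 0x30000000L block, or at least add a short comment saying the attribute is there for the pre-3.0 build.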
@@ -95,7 +94,7 @@ static EVP_PKEY *load_key_pkcs11(const char *path)
return pkey;
}
-static EVP_PKEY *load_key_file(const char *path)
+static __attribute__((unused)) EVP_PKEY *load_key_file(const char *path)
{
BIO *key;
EVP_PKEY *pkey = NULL;
@@ -180,6 +179,9 @@ static int create_newidb(struct newidb *idb)
return 0;
}
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/core_names.h>
+
static int rsa_get_params(EVP_PKEY *key, BIGNUM *e, BIGNUM *n, BIGNUM *np)
{
BN_CTX *ctx = BN_CTX_new();
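Review bot: The #if on OPENSSL_VERSION_NUMBER depends on openssl/opensslv.h having been pulled in by some other header. If the macro is ever undefined at this point, the preprocessor evaluates it as 0 and the build silently takes the #else branch, so signing is compiled out with no diagnostic. An explicit #include <openssl/opensslv.h> near the top of the file would make the check robust.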
@@ -356,6 +358,13 @@ static int sign_newidb(struct newidb *idb, const char *path)
return ret;
}
+#else
+static int sign_newidb(struct newidb *idb, const char *path)
+{
+ fprintf(stderr, "Signing support requires at least OpenSSL 3.0\n");
+ return -ENOSYS;
+}
+#endif
struct option cbootcmd[] = {
{"help", 0, NULL, 'h'},
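Review bot: The stub sign_newidb() returns -ENOSYS, so it is worth confirming that errno.h is included and that the caller turns this return value into a non-zero exit status; otherwise a build pipeline on OpenSSL 1.1 could request signing and carry on with an unsigned image. The #if block closed here spans well over a hundred lines, so a trailing comment on the #endif naming the condition (OPENSSL_VERSION_NUMBER >= 0x30000000L) would help readers, and the --help text could mention that signing needs OpenSSL 3.0.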
--
2.47.3
* Re: [PATCH master] scripts: rockchip: rkimage: reinstate OpenSSL 1.1 compatibility
From: Alexander Shiyan @ 2025-09-30 14:12 UTC (permalink / raw)
To: Ahmad Fatoum; +Cc: barebox, Michael Tretter
Tested-by: Alexander Shiyan <eagle.alexander923@gmail.com>
Tue, 30 Sep 2025 at 16:46, Ahmad Fatoum <a.fatoum@pengutronix.de>:
>
> The new signing support made the rkimage utility require OpenSSL 3.0.
>
> We will keep that requirement for signing, but for usage without
> signing, let's skip the signing bits optional and report an error on
> attempting to sign.
>
> Reported-by: Alexander Shiyan <eagle.alexander923@gmail.com>
> Cc: Michael Tretter <m.tretter@pengutronix.de>
> Fixes: 54da6347b273 ("scripts: rockchip: implement image signing")
> Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
> ---
> scripts/rkimage.c | 15 ++++++++++++---
> 1 file changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/scripts/rkimage.c b/scripts/rkimage.c
> index 9b3ae8bbfff7..e5b6d61c4a9d 100644
> --- a/scripts/rkimage.c
> +++ b/scripts/rkimage.c
> @@ -13,7 +13,6 @@
> #include <stdbool.h>
>
> #include <openssl/bn.h>
> -#include <openssl/core_names.h>
> /*
> * TODO Switch from the OpenSSL ENGINE API to the PKCS#11 provider and the
> * PROVIDER API: https://github.com/latchset/pkcs11-provider
> @@ -64,7 +63,7 @@ static void idb_hash(struct newidb *idb)
> sha512(idbu8, size, idbu8 + size);
> }
>
> -static EVP_PKEY *load_key_pkcs11(const char *path)
> +static __attribute__((unused)) EVP_PKEY *load_key_pkcs11(const char *path)
> {
> const char *engine_id = "pkcs11";
> ENGINE *e;
> @@ -95,7 +94,7 @@ static EVP_PKEY *load_key_pkcs11(const char *path)
> return pkey;
> }
>
> -static EVP_PKEY *load_key_file(const char *path)
> +static __attribute__((unused)) EVP_PKEY *load_key_file(const char *path)
> {
> BIO *key;
> EVP_PKEY *pkey = NULL;
> @@ -180,6 +179,9 @@ static int create_newidb(struct newidb *idb)
> return 0;
> }
>
> +#if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +#include <openssl/core_names.h>
> +
> static int rsa_get_params(EVP_PKEY *key, BIGNUM *e, BIGNUM *n, BIGNUM *np)
> {
> BN_CTX *ctx = BN_CTX_new();
> @@ -356,6 +358,13 @@ static int sign_newidb(struct newidb *idb, const char *path)
>
> return ret;
> }
> +#else
> +static int sign_newidb(struct newidb *idb, const char *path)
> +{
> + fprintf(stderr, "Signing support requires at least OpenSSL 3.0\n");
> + return -ENOSYS;
> +}
> +#endif
>
> struct option cbootcmd[] = {
> {"help", 0, NULL, 'h'},
> --
> 2.47.3
>
* Re: [PATCH master] scripts: rockchip: rkimage: reinstate OpenSSL 1.1 compatibility
From: Sascha Hauer @ 2025-10-01 8:29 UTC (permalink / raw)
To: barebox, Ahmad Fatoum; +Cc: Alexander Shiyan, Michael Tretter
On Tue, 30 Sep 2025 15:46:43 +0200, Ahmad Fatoum wrote:
> The new signing support made the rkimage utility require OpenSSL 3.0.
>
> We will keep that requirement for signing, but for usage without
> signing, let's skip the signing bits optional and report an error on
> attempting to sign.
>
>
> [...]
Applied, thanks!
[1/1] scripts: rockchip: rkimage: reinstate OpenSSL 1.1 compatibility
https://git.pengutronix.de/cgit/barebox/commit/?id=fddbc93cb9fe (link may not be stable)
Best regards,
--
Sascha Hauer <s.hauer@pengutronix.de>