[PATCH master] scripts: rockchip: rkimage: reinstate OpenSSL 1.1 compatibility

mail archive of the barebox mailing list
 help / color / mirror / Atom feed

* [PATCH master] scripts: rockchip: rkimage: reinstate OpenSSL 1.1 compatibility
@ 2025-09-30 13:46 Ahmad Fatoum
  2025-09-30 14:12 ` Alexander Shiyan
  2025-10-01  8:29 ` Sascha Hauer
  0 siblings, 2 replies; 3+ messages in thread
From: Ahmad Fatoum @ 2025-09-30 13:46 UTC (permalink / raw)
  To: barebox; +Cc: Alexander Shiyan, Michael Tretter, Ahmad Fatoum

The new signing support made the rkimage utility require OpenSSL 3.0.

We will keep that requirement for signing, but for usage without
signing, let's skip the signing bits optional and report an error on
attempting to sign.

Reported-by: Alexander Shiyan <eagle.alexander923@gmail.com>
Cc: Michael Tretter <m.tretter@pengutronix.de>
Fixes: 54da6347b273 ("scripts: rockchip: implement image signing")
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
 scripts/rkimage.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/scripts/rkimage.c b/scripts/rkimage.c
index 9b3ae8bbfff7..e5b6d61c4a9d 100644
--- a/scripts/rkimage.c
+++ b/scripts/rkimage.c
@@ -13,7 +13,6 @@
 #include <stdbool.h>
 
 #include <openssl/bn.h>
-#include <openssl/core_names.h>
 /*
  * TODO Switch from the OpenSSL ENGINE API to the PKCS#11 provider and the
  * PROVIDER API: https://github.com/latchset/pkcs11-provider
@@ -64,7 +63,7 @@ static void idb_hash(struct newidb *idb)
 		sha512(idbu8, size, idbu8 + size);
 }
 
-static EVP_PKEY *load_key_pkcs11(const char *path)
+static __attribute__((unused)) EVP_PKEY *load_key_pkcs11(const char *path)
 {
 	const char *engine_id = "pkcs11";
 	ENGINE *e;
@@ -95,7 +94,7 @@ static EVP_PKEY *load_key_pkcs11(const char *path)
 	return pkey;
 }
 
-static EVP_PKEY *load_key_file(const char *path)
+static __attribute__((unused)) EVP_PKEY *load_key_file(const char *path)
 {
 	BIO *key;
 	EVP_PKEY *pkey = NULL;
@@ -180,6 +179,9 @@ static int create_newidb(struct newidb *idb)
 	return 0;
 }
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include <openssl/core_names.h>
+
 static int rsa_get_params(EVP_PKEY *key, BIGNUM *e, BIGNUM *n, BIGNUM *np)
 {
 	BN_CTX *ctx = BN_CTX_new();
@@ -356,6 +358,13 @@ static int sign_newidb(struct newidb *idb, const char *path)
 
 	return ret;
 }
+#else
+static int sign_newidb(struct newidb *idb, const char *path)
+{
+       fprintf(stderr, "Signing support requires at least OpenSSL 3.0\n");
+       return -ENOSYS;
+}
+#endif
 
 struct option cbootcmd[] = {
 	{"help", 0, NULL, 'h'},
-- 
2.47.3




^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH master] scripts: rockchip: rkimage: reinstate OpenSSL 1.1 compatibility
  2025-09-30 13:46 [PATCH master] scripts: rockchip: rkimage: reinstate OpenSSL 1.1 compatibility Ahmad Fatoum
@ 2025-09-30 14:12 ` Alexander Shiyan
  2025-10-01  8:29 ` Sascha Hauer
  1 sibling, 0 replies; 3+ messages in thread
From: Alexander Shiyan @ 2025-09-30 14:12 UTC (permalink / raw)
  To: Ahmad Fatoum; +Cc: barebox, Michael Tretter

Tested-by: Alexander Shiyan <eagle.alexander923@gmail.com>

вт, 30 сент. 2025 г. в 16:46, Ahmad Fatoum <a.fatoum@pengutronix.de>:
>
> The new signing support made the rkimage utility require OpenSSL 3.0.
>
> We will keep that requirement for signing, but for usage without
> signing, let's skip the signing bits optional and report an error on
> attempting to sign.
>
> Reported-by: Alexander Shiyan <eagle.alexander923@gmail.com>
> Cc: Michael Tretter <m.tretter@pengutronix.de>
> Fixes: 54da6347b273 ("scripts: rockchip: implement image signing")
> Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
> ---
>  scripts/rkimage.c | 15 ++++++++++++---
>  1 file changed, 12 insertions(+), 3 deletions(-)
>
> diff --git a/scripts/rkimage.c b/scripts/rkimage.c
> index 9b3ae8bbfff7..e5b6d61c4a9d 100644
> --- a/scripts/rkimage.c
> +++ b/scripts/rkimage.c
> @@ -13,7 +13,6 @@
>  #include <stdbool.h>
>
>  #include <openssl/bn.h>
> -#include <openssl/core_names.h>
>  /*
>   * TODO Switch from the OpenSSL ENGINE API to the PKCS#11 provider and the
>   * PROVIDER API: https://github.com/latchset/pkcs11-provider
> @@ -64,7 +63,7 @@ static void idb_hash(struct newidb *idb)
>                 sha512(idbu8, size, idbu8 + size);
>  }
>
> -static EVP_PKEY *load_key_pkcs11(const char *path)
> +static __attribute__((unused)) EVP_PKEY *load_key_pkcs11(const char *path)
>  {
>         const char *engine_id = "pkcs11";
>         ENGINE *e;
> @@ -95,7 +94,7 @@ static EVP_PKEY *load_key_pkcs11(const char *path)
>         return pkey;
>  }
>
> -static EVP_PKEY *load_key_file(const char *path)
> +static __attribute__((unused)) EVP_PKEY *load_key_file(const char *path)
>  {
>         BIO *key;
>         EVP_PKEY *pkey = NULL;
> @@ -180,6 +179,9 @@ static int create_newidb(struct newidb *idb)
>         return 0;
>  }
>
> +#if OPENSSL_VERSION_NUMBER >= 0x30000000L
> +#include <openssl/core_names.h>
> +
>  static int rsa_get_params(EVP_PKEY *key, BIGNUM *e, BIGNUM *n, BIGNUM *np)
>  {
>         BN_CTX *ctx = BN_CTX_new();
> @@ -356,6 +358,13 @@ static int sign_newidb(struct newidb *idb, const char *path)
>
>         return ret;
>  }
> +#else
> +static int sign_newidb(struct newidb *idb, const char *path)
> +{
> +       fprintf(stderr, "Signing support requires at least OpenSSL 3.0\n");
> +       return -ENOSYS;
> +}
> +#endif
>
>  struct option cbootcmd[] = {
>         {"help", 0, NULL, 'h'},
> --
> 2.47.3
>



^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH master] scripts: rockchip: rkimage: reinstate OpenSSL 1.1 compatibility
  2025-09-30 13:46 [PATCH master] scripts: rockchip: rkimage: reinstate OpenSSL 1.1 compatibility Ahmad Fatoum
  2025-09-30 14:12 ` Alexander Shiyan
@ 2025-10-01  8:29 ` Sascha Hauer
  1 sibling, 0 replies; 3+ messages in thread
From: Sascha Hauer @ 2025-10-01  8:29 UTC (permalink / raw)
  To: barebox, Ahmad Fatoum; +Cc: Alexander Shiyan, Michael Tretter


On Tue, 30 Sep 2025 15:46:43 +0200, Ahmad Fatoum wrote:
> The new signing support made the rkimage utility require OpenSSL 3.0.
> 
> We will keep that requirement for signing, but for usage without
> signing, let's skip the signing bits optional and report an error on
> attempting to sign.
> 
> 
> [...]

Applied, thanks!

[1/1] scripts: rockchip: rkimage: reinstate OpenSSL 1.1 compatibility
      https://git.pengutronix.de/cgit/barebox/commit/?id=fddbc93cb9fe (link may not be stable)

Best regards,
-- 
Sascha Hauer <s.hauer@pengutronix.de>




^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2025-10-01  8:30 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-09-30 13:46 [PATCH master] scripts: rockchip: rkimage: reinstate OpenSSL 1.1 compatibility Ahmad Fatoum
2025-09-30 14:12 ` Alexander Shiyan
2025-10-01  8:29 ` Sascha Hauer

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox