Mimi,
On Fri, Sep 02, 2022 at 12:28:33PM -0400, Mimi Zohar wrote:
> OpenSSL v3 "engine" support is deprecated and replaced with "providers".
> Engine support will continue to work for a while, but results in
> deprecated declaration and other messages. One option is simply to hide
> them ("-Wno-deprecated-declarations"). The other alternative is to
> conditionally build ima-evm-utils without OpenSSL v3 engine support and
> without disabling deprecated declarations.
>
> Based on "--disable-engine" or "--enable-engine=no" configuration
> option, disable OpenSSL v3 "engine" support.
>
> When ima-evm-utils engine support is disabled, don't execute the tests
> requiring it.
>
> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> ---
> configure.ac | 13 +++++++++++++
> src/Makefile.am | 8 ++++++++
> src/evmctl.c | 17 ++++++++++++++++-
> src/imaevm.h | 2 ++
> src/libimaevm.c | 5 +++++
> tests/functions.sh | 14 +++++++++++++-
> tests/ima_hash.test | 9 +++++++++
> tests/sign_verify.test | 10 ++++++++++
> 8 files changed, 76 insertions(+), 2 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index dc666f2bb1fa..1a7d7eb17370 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -54,6 +54,17 @@ AC_ARG_ENABLE(sigv1,
> AM_CONDITIONAL([CONFIG_SIGV1], [test "x$enable_sigv1" = "xyes"])
> AS_IF([test "$enable_sigv1" != "yes"], [enable_sigv1="no"])
>
> +AC_ARG_ENABLE(engine,
Thanks.
BTW, if we now have handling of disabled engine -- OpenSSL have defines
OPENSSL_NO_ENGINE and OPENSSL_NO_DYNAMIC_ENGINE -- I think if any of
them is defined we could disable engine support automatically.
(Just a thought: In general, I would prefer if we rely on what is
configured in OpenSSL (whatever is enabled or disabled), and not
complicate things for user with post-decision of what is allowed for us
from OpenSSL. But of course opinions are different.)
> + [AS_HELP_STRING([--disable-engine], [build ima-evm-utils without OpenSSL v3 engine support])])
I think "v3" could be removed since it exists in v1 too.
> diff --git a/src/libimaevm.c b/src/libimaevm.c
> index 4b37bf5bd62c..ba489402f6f1 100644
> --- a/src/libimaevm.c
> +++ b/src/libimaevm.c
> @@ -959,6 +959,7 @@ static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
> EVP_PKEY *pkey;
>
> if (!strncmp(keyfile, "pkcs11:", 7)) {
> +#ifdef CONFIG_ENGINE
> if (!imaevm_params.keyid) {
> log_err("When using a pkcs11 URI you must provide the keyid with an option\n");
> return NULL;
> @@ -975,6 +976,10 @@ static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
> log_err("Failed to load private key %s\n", keyfile);
> goto err_engine;
> }
> +#else
> + log_err("OpenSSL 3 \"engine\" support is deprecated\n");
And here too "3" could be removed. And perhaps "is disabled" since this is
not just a deprecation warning, but an error.
Thanks,
