Hi Vitaly,
On Sun, 2022-09-04 at 06:08 +0300, Vitaly Chikunov wrote:
> On Fri, Sep 02, 2022 at 12:28:33PM -0400, Mimi Zohar wrote:
> > OpenSSL v3 "engine" support is deprecated and replaced with "providers".
> > Engine support will continue to work for a while, but results in
> > deprecated declaration and other messages. One option is simply to hide
> > them ("-Wno-deprecated-declarations"). The other alternative is to
> > conditionally build ima-evm-utils without OpenSSL v3 engine support and
> > without disabling deprecated declarations.
> >
> > Based on "--disable-engine" or "--enable-engine=no" configuration
> > option, disable OpenSSL v3 "engine" support.
> >
> > When ima-evm-utils engine support is disabled, don't execute the tests
> > requiring it.
> >
> > Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> > ---
> > configure.ac | 13 +++++++++++++
> > src/Makefile.am | 8 ++++++++
> > src/evmctl.c | 17 ++++++++++++++++-
> > src/imaevm.h | 2 ++
> > src/libimaevm.c | 5 +++++
> > tests/functions.sh | 14 +++++++++++++-
> > tests/ima_hash.test | 9 +++++++++
> > tests/sign_verify.test | 10 ++++++++++
> > 8 files changed, 76 insertions(+), 2 deletions(-)
> >
> > diff --git a/configure.ac b/configure.ac
> > index dc666f2bb1fa..1a7d7eb17370 100644
> > --- a/configure.ac
> > +++ b/configure.ac
> > @@ -54,6 +54,17 @@ AC_ARG_ENABLE(sigv1,
> > AM_CONDITIONAL([CONFIG_SIGV1], [test "x$enable_sigv1" = "xyes"])
> > AS_IF([test "$enable_sigv1" != "yes"], [enable_sigv1="no"])
> >
> > +AC_ARG_ENABLE(engine,
>
> Thanks.
>
> BTW, if we now have handling of disabled engine -- OpenSSL have defines
> OPENSSL_NO_ENGINE and OPENSSL_NO_DYNAMIC_ENGINE -- I think if any of
> them is defined we could disable engine support automatically.
Ok
>
> (Just a thought: In general, I would prefer if we rely on what is
> configured in OpenSSL (whatever is enabled or disabled), and not
> complicate things for user with post-decision of what is allowed for us
> from OpenSSL. But of course opinions are different.)
Sorry, but at leat for my testing purposes, being able to disable ima-
evm-utils OpenSSL engine support without recompiling other packages is
a requirement.
> > + [AS_HELP_STRING([--disable-engine], [build ima-evm-utils without OpenSSL v3 engine support])])
>
> I think "v3" could be removed since it exists in v1 too.
configure.ac currently still limits disabling OpenSSL engine support to
v3, but that could be removed.
>
> > diff --git a/src/libimaevm.c b/src/libimaevm.c
> > index 4b37bf5bd62c..ba489402f6f1 100644
> > --- a/src/libimaevm.c
> > +++ b/src/libimaevm.c
> > @@ -959,6 +959,7 @@ static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
> > EVP_PKEY *pkey;
> >
> > if (!strncmp(keyfile, "pkcs11:", 7)) {
> > +#ifdef CONFIG_ENGINE
> > if (!imaevm_params.keyid) {
> > log_err("When using a pkcs11 URI you must provide the keyid with an option\n");
> > return NULL;
> > @@ -975,6 +976,10 @@ static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
> > log_err("Failed to load private key %s\n", keyfile);
> > goto err_engine;
> > }
> > +#else
> > + log_err("OpenSSL 3 \"engine\" support is deprecated\n");
>
> And here too "3" could be removed. And perhaps "is disabled" since this is
> not just a deprecation warning, but an error.
Sure.
