Re: [RFC PATCH ima-evm-utils v2 12/12] Limit configuring OpenSSL engine support


 



Mimi,

On Tue, Sep 06, 2022 at 03:50:21PM -0400, Mimi Zohar wrote:
> If either OPENSSL_NO_DYNAMIC_ENGINE or OPENSSL_NO_ENGINE is defined
> do not build ima-evm-utils with OpenSSL engine support.
> 
> Suggested-by: Vitaly Chikunov <vt@xxxxxxxxxxxx>
> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> ---
> Vitaly, unlike with "--disable-engine", the "Tests requiring engine support
> are skipped (not supported)" message is not displayed after building
> OpenSSL v3 configured with "no-engine".
> 
>  src/evmctl.c              | 14 ++++++++++++++
>  src/libimaevm.c           |  4 +++-
>  tests/install-openssl3.sh |  2 +-
>  3 files changed, 18 insertions(+), 2 deletions(-)
> 
> diff --git a/src/evmctl.c b/src/evmctl.c
> index e603449b7d9e..399a0d078a52 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -64,9 +64,11 @@
>  #include <openssl/hmac.h>
>  #include <openssl/err.h>
>  #include <openssl/rsa.h>
> +#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
>  #if CONFIG_ENGINE
>  #include <openssl/engine.h>
>  #endif
> +#endif
>  #include <openssl/x509v3.h>
>  #include "hash_info.h"
>  #include "pcr.h"
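Review bot: The new outer guard `#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)` ties every engine-dependent line to OPENSSL_NO_DYNAMIC_ENGINE, but as far as I know OpenSSL's `no-dynamic-engine` only removes loading of engines from shared objects; `<openssl/engine.h>` and the ENGINE API remain available for built-in engines, so the condition is stricter than the include itself needs. If the reasoning is that the engines this tool actually uses (gost, pkcs11) ship as shared objects and are therefore useless without dynamic loading, that deserves a comment on the guard, e.g. `/* gost/pkcs11 are dynamically loaded engines; ENGINE support is pointless without them */`, since the same two-macro test is repeated below and a reader will otherwise wonder why both are checked. Both macros come from OpenSSL's configuration header, which the preceding `<openssl/...>` includes should already have pulled in, so the ordering here looks fine.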
> @@ -2722,8 +2724,10 @@ static void usage(void)
>  		"      --selinux      use custom Selinux label for EVM\n"
>  		"      --caps         use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"
>  		"      --verify-sig   verify measurement list signatures\n"
> +#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
>  #if CONFIG_ENGINE

BTW, I would still undefine CONFIG_ENGINE (once, somewhere) if
OPENSSL_NO_ENGINE or OPENSSL_NO_DYNAMIC_ENGINE is defined by OpenSSL,
instead of having two such #if checks every time we want engine-dependent
code.

>  		"      --engine e     preload OpenSSL engine e (such as: gost) is deprecated\n"
> +#endif
>  #endif
>  		"      --ignore-violations ignore ToMToU measurement violations\n"
>  		"  -v                 increase verbosity level\n"
> @@ -2786,8 +2790,10 @@ static struct option opts[] = {
>  	{"selinux", 1, 0, 136},
>  	{"caps", 2, 0, 137},
>  	{"verify-sig", 0, 0, 138},
> +#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
>  #if CONFIG_ENGINE
>  	{"engine", 1, 0, 139},
> +#endif
>  #endif
>  	{"xattr-user", 0, 0, 140},
>  	{"ignore-violations", 0, 0, 141},
> @@ -2841,6 +2847,7 @@ static char *get_password(void)
>  	return password;
>  }
>  
> +#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
>  #if CONFIG_ENGINE
>  static ENGINE *setup_engine(const char *engine_id)
>  {
> @@ -2860,6 +2867,7 @@ static ENGINE *setup_engine(const char *engine_id)
>  	return eng;
>  }
>  #endif
> +#endif
>  
>  int main(int argc, char *argv[])
>  {
> @@ -2985,12 +2993,14 @@ int main(int argc, char *argv[])
>  		case 138:
>  			verify_list_sig = 1;
>  			break;
> +#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
>  #if CONFIG_ENGINE

A lot of times.

Thanks,

>  		case 139: /* --engine e */
>  			imaevm_params.eng = setup_engine(optarg);
>  			if (!imaevm_params.eng)
>  				goto error;
>  			break;
> +#endif
>  #endif
>  		case 140: /* --xattr-user */
>  			xattr_ima = "user.ima";
> @@ -3050,8 +3060,10 @@ int main(int argc, char *argv[])
>  	if (imaevm_params.keyfile != NULL &&
>  	    imaevm_params.eng == NULL &&
>  	    !strncmp(imaevm_params.keyfile, "pkcs11:", 7)) {
> +#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
>  #if CONFIG_ENGINE
>  		imaevm_params.eng = setup_engine("pkcs11");
> +#endif
>  #endif
>  		if (!imaevm_params.eng)
>  			goto error;
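Review bot: When engine support is compiled out, the `pkcs11:` branch now fails silently: `imaevm_params.eng` is never set, `if (!imaevm_params.eng) goto error;` fires, and the user gets no hint that a `pkcs11:` keyfile requires ENGINE support. libimaevm.c's read_priv_pkey reports the same situation with `log_err("OpenSSL \"engine\" support is disabled\n");`, and the matching `#else` branch belongs here as well, e.g. `#else` / `log_err("OpenSSL \"engine\" support is disabled, cannot use a pkcs11 URI\n");` before the inner `#endif`. The path was already silent under `--disable-engine`, but the patch extends it to `no-engine` OpenSSL builds, where users are more likely to hit it by surprise. main's body continues outside the hunk.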
> @@ -3078,6 +3090,7 @@ int main(int argc, char *argv[])
>  	}
>  
>  error:
> +#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
>  #if CONFIG_ENGINE
>  	if (imaevm_params.eng) {
>  		ENGINE_finish(imaevm_params.eng);
> @@ -3086,6 +3099,7 @@ error:
>  		ENGINE_cleanup();
>  #endif
>  	}
> +#endif
>  #endif
>  	ERR_free_strings();
>  	EVP_cleanup();
> diff --git a/src/libimaevm.c b/src/libimaevm.c
> index 037027c1d951..c41b63fb97b9 100644
> --- a/src/libimaevm.c
> +++ b/src/libimaevm.c
> @@ -959,7 +959,8 @@ static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
>  	EVP_PKEY *pkey;
>  
>  	if (!strncmp(keyfile, "pkcs11:", 7)) {
> -#ifdef CONFIG_ENGINE
> +#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)
> +#if CONFIG_ENGINE
>  		if (!imaevm_params.keyid) {
>  			log_err("When using a pkcs11 URI you must provide the keyid with an option\n");
>  			return NULL;
> @@ -979,6 +980,7 @@ static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
>  #else
>  		log_err("OpenSSL \"engine\" support is disabled\n");
>  		goto err_engine;
> +#endif
>  #endif
>  	} else {
>  		fp = fopen(keyfile, "r");
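Review bot: Wrapping the existing `#if CONFIG_ENGINE ... #else ... #endif` in the new outer `#if !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)` compiles the `#else` branch out too: with a `no-engine` OpenSSL the `log_err("OpenSSL \"engine\" support is disabled\n"); goto err_engine;` at old lines 980-981 disappears, so a `pkcs11:` keyfile now hits an empty `if` body and falls through past the `if/else` with `fp` never opened and `pkey` (declared uninitialized at the top of the hunk) never set — presumably into the PEM read that follows, which is outside the hunk. The disabled-engine diagnostic has to survive in both configurations; folding the conditions into one test keeps the existing `#else`: `#if CONFIG_ENGINE && !defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DYNAMIC_ENGINE)` in place of the two `#if` lines, with the added `#endif` dropped. The rest of read_priv_pkey is outside the hunk.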
> diff --git a/tests/install-openssl3.sh b/tests/install-openssl3.sh
> index 1b634681a760..cdda77980fea 100755
> --- a/tests/install-openssl3.sh
> +++ b/tests/install-openssl3.sh
> @@ -13,7 +13,7 @@ wget --no-check-certificate https://github.com/openssl/openssl/archive/refs/tags
>  tar --no-same-owner -xzf ${version}.tar.gz
>  cd openssl-${version}
>  
> -./Configure --prefix=/opt/openssl3 --openssldir=/opt/openssl3/ssl
> +./Configure no-engine no-dynamic-engine --prefix=/opt/openssl3 --openssldir=/opt/openssl3/ssl
>  make -j$(nproc)
>  # only install apps and library
>  sudo make install_sw
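Review bot: The OpenSSL tarball this script now configures with `no-engine no-dynamic-engine` is fetched on the context line with `wget --no-check-certificate` and never checksum- or signature-verified, so the library the test suite links against comes from an unauthenticated download; drop `--no-check-certificate` and verify the archive against a pinned digest, e.g. `echo "<sha256>  ${version}.tar.gz" | sha256sum -c -`. Separately, building the OpenSSL 3 test install with `no-engine` means the engine code paths are no longer exercised against OpenSSL 3 in CI at all, and per the cover note the "Tests requiring engine support are skipped" notice is not shown for such a build, so the harness apparently detects only `--disable-engine` rather than an engine-less OpenSSL. A comment on the `Configure` line stating the intent, e.g. `# no-engine: check that ima-evm-utils builds and tests pass without ENGINE support`, would make that trade-off explicit.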
> -- 
> 2.31.1



