Re: [PATCH ima-evm-utils v3 07/15] Disable use of OpenSSL "engine" support

Vitaly Chikunov <vt@xxxxxxxxxxxx> · Wed, 14 Sep 2022 19:38:03 +0300

On Tue, Sep 13, 2022 at 10:29:48PM -0400, Mimi Zohar wrote:
> OpenSSL v3 "engine" support is deprecated and replaced with "providers".
> Engine support will continue to work for a while, but results in
> deprecated declaration and other messages.  One option is simply to hide
> them ("-Wno-deprecated-declarations").  The other alternative is to
> conditionally build ima-evm-utils without OpenSSL engine support and
> without disabling deprecated declarations.
> 
> Based on "--disable-engine" or "--enable-engine=no" configuration
> option, disable OpenSSL "engine" support.
> 
> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx>
> ---
>  configure.ac           |  5 +++++
>  src/Makefile.am        |  8 ++++++++
>  src/evmctl.c           | 17 ++++++++++++++++-
>  src/imaevm.h           |  2 ++
>  src/libimaevm.c        |  7 ++++++-
>  tests/functions.sh     |  2 +-
>  tests/ima_hash.test    |  1 +
>  tests/sign_verify.test |  1 +
>  8 files changed, 40 insertions(+), 3 deletions(-)
> 
> diff --git a/configure.ac b/configure.ac
> index dc666f2bb1fa..49e9350ace07 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -54,6 +54,10 @@ AC_ARG_ENABLE(sigv1,
>  	AM_CONDITIONAL([CONFIG_SIGV1], [test "x$enable_sigv1" = "xyes"])
>  	AS_IF([test "$enable_sigv1"  != "yes"], [enable_sigv1="no"])
>  
> +AC_ARG_ENABLE(engine,
> +	      [AS_HELP_STRING([--disable-engine], [build ima-evm-utils without OpenSSL engine support])],,[enable_engine=yes])

I would insert here:

  AC_CHECK_LIB([crypto], [ENGINE_init],, [enable_engine=no])

So that if -lcrypto does not have ENGINE_init symbol, engine will be
automatically disabled.

> @@ -2972,11 +2981,13 @@ int main(int argc, char *argv[])
>  		case 138:
>  			verify_list_sig = 1;
>  			break;
> +#if CONFIG_ENGINE
>  		case 139: /* --engine e */
>  			imaevm_params.eng = setup_engine(optarg);
>  			if (!imaevm_params.eng)
>  				goto error;

Still it's a bit strange that this error will not cause exit(1).

Thanks,

>  			break;
> +#endif
>  		case 140: /* --xattr-user */
>  			xattr_ima = "user.ima";
>  			xattr_evm = "user.evm";
> @@ -3035,7 +3046,9 @@ int main(int argc, char *argv[])
>  	if (imaevm_params.keyfile != NULL &&
>  	    imaevm_params.eng == NULL &&
>  	    !strncmp(imaevm_params.keyfile, "pkcs11:", 7)) {
> +#if CONFIG_ENGINE
>  		imaevm_params.eng = setup_engine("pkcs11");
> +#endif
>  		if (!imaevm_params.eng)
>  			goto error;
>  	}
> @@ -3061,6 +3074,7 @@ int main(int argc, char *argv[])
>  	}
>  
>  error:
> +#if CONFIG_ENGINE
>  	if (imaevm_params.eng) {
>  		ENGINE_finish(imaevm_params.eng);
>  		ENGINE_free(imaevm_params.eng);
> @@ -3068,6 +3082,7 @@ error:
>  		ENGINE_cleanup();
>  #endif
>  	}
> +#endif
>  	ERR_free_strings();
>  	EVP_cleanup();
>  	BIO_free(NULL);