Between travis/ci and OpenSSL v3 a large number of deprecated warnings are being emitted when compiling ima-evm-utils. Start addressing these deprecated warnings by replacing the low level SHA1 and HMAC calls with the EVP_ functions. IMA signature version 1 also uses low level calls, but instead of fixing it, deprecate it as nobody should be using it anyway. OpenSSL v3 "engine" support is deprecated and replaced with "providers". Engine support will continue to work for a while, but results in deprecated declaration and other messages. Define a "--disable-engine" and the equivalent "--enable-engine=no" configuration option. Changelog v4: Based on Vitaly's comments: - instead of setting errno to zero, define a macro to log a message with the errno and reset errno. - verify ENGINE_init symbol is defined in libcrypto. - disable engine support if either OPENSSL_NO_DYNAMIC_ENGINE or OPENSSL_NO_ENGINE variables are defined. - Rename CONFIG_ENGINE to CONFIG_IMA_EVM_ENGINE Changelog v3: - Make the SM2/SM3 tests dependent on the OpenSSL v3, rather than compiling OpenSSL v3, based on Vitaly's suggestion. - Re-use the existing infrastructure for compiling OpenSSL to compile OpenSSL without engine support. ima-evm-utils compiles cleanly without any deprecated messages. - Instead of using the distro OpenSSL version on jammy, compile OpenSSL to test building ima-evm-utils without OpenSSL engine support. - Make sure the keyfile is a regular file before using it. - Based on Vitaly's suggestion: undefine CONFIG_ENGINE when OpenSSL engine support is not configured, run the tests normally without checking whether engine support is configured. - Add Stefan's Reviewed-by tags. Changelog v2: - Based on Vitaly's comments, base enabling engine support on OPENSSL_NO_ENGINE/OPENSSL_NO_DYNAMIC_ENGINE support. Also don't limit disabling ima-evm-utils engine support to v3, make it generic. - Added Stefan's Reviewed-by tags. Changelog v1: - Based on Stefan's comments, removed deprecated functions when not used and added missing word. Updated the usage and options accordingly. - Based on Vitaly's comments, explicitly require "--disable-engine" configuration to compile ima-evm-utils without OpenSSL v3 engine support and typo. - Based on Petr's comments, addressed the "return 77" by removing it, updated the travis patch description, and added his Reviewed-by tags. Mimi Zohar (17): Revert "Reset 'errno' after failure to open or access a file" log and reset 'errno' after failure to open non-critical files Log and reset 'errno' on lsetxattr failure travis: update dist=focal Update configure.ac to address a couple of obsolete warnings Deprecate IMA signature version 1 Replace the low level SHA1 calls when calculating the TPM 1.2 PCRs Replace the low level HMAC calls when calculating the EVM HMAC Add missing EVP_MD_CTX_free() call in calc_evm_hash() Disable use of OpenSSL "engine" support Fix potential use after free in read_tpm_banks() Limit the file hash algorithm name length Missing template data size lower bounds checking Base sm2/sm3 test on openssl version installed Compile a newer version of OpenSSL Build OpenSSL without engine support Fix d2i_x509_fp failure .github/workflows/ci.yml | 10 +- .travis.yml | 10 +- acinclude.m4 | 2 +- build.sh | 8 ++ configure.ac | 16 ++- m4/manpage-docbook-xsl.m4 | 2 +- src/Makefile.am | 18 +++ src/evmctl.c | 282 ++++++++++++++++++++++++++------------ src/imaevm.h | 6 + src/libimaevm.c | 44 ++++-- tests/install-openssl3.sh | 9 +- tests/sign_verify.test | 25 ++-- 12 files changed, 311 insertions(+), 121 deletions(-) -- 2.31.1
