This series deprecates the sign_hash function and introduces imaevm_signhash
that requires the necessary parameters to be passed rather than relying on the
global imaevm_params variable. This way we can remove the usage of
imaevm_params for the OpenSSL engine and the keyid.

Add support for an OpenSSL provider. The choice of engine versus provider is
implemented using a struct imaevm_ossl_access that wraps the engine or provider
parameters. It also provides a type field where the user can choose one or the
other. imaevm_signhash takes this structure as an optional parameter to support
engines and providers.

Also extend existing test cases with tests with a pkcs11 provider.

Regards,
   Stefan

v4:
 - Fixed subject line in 3/7
 - Have sign_hash call imaevm_signhash (3/7)

v3:
 - Added patch checking for engine support in evmctl before trying to
   run pkcs11 test (1/7)
 - Updated README with new --provider option (5/7)
 - Added 2 more skips to pkcs11 test in case softhsm is not installed (6/7)

v2:
 - Fixed some minor issues

Stefan Berger (7):
  tests: Skip pkcs11 test if no engine support in evmctl
  headers: Remove usage of CONFIG_IMA_EVM_ENGINE from public header
  Implement imaevm_signhash library function and deprecate sign_hash
  evmctl: Replace deprecated sign_hash with imaevm_signhash
  Add support for OpenSSL provider to the library and evmctl
  tests: Add pkcs11 test using provider
  ci: Install pkcs11-provider where available

 README                 |   5 +-
 ci/alt.sh              |   2 +
 ci/debian.sh           |   1 +
 ci/fedora.sh           |   1 +
 ci/tumbleweed.sh       |   2 +
 configure.ac           |   6 ++
 src/Makefile.am        |  21 +++-
 src/evmctl.c           | 124 +++++++++++++++++------
 src/imaevm.h           |  39 ++++++-
 src/libimaevm.c        | 225 +++++++++++++++++++++++++++++++++--------
 tests/functions.sh     |   1 -
 tests/sign_verify.test |  30 +++++-
 12 files changed, 369 insertions(+), 88 deletions(-)

--
2.43.2