From: Vitaly Chikunov <vt@altlinux.org>
To: Mimi Zohar <zohar@linux.ibm.com>
Cc: linux-integrity@vger.kernel.org, Petr Vorel <pvorel@suse.cz>,
Stefan Berger <stefanb@linux.ibm.com>
Subject: Re: [PATCH ima-evm-utils 08/11] Deprecate use of OpenSSL v3 "engine" support
Date: Sun, 4 Sep 2022 06:08:39 +0300 [thread overview]
Message-ID: <20220904030839.dighibhcyxz46utx@altlinux.org> (raw)
In-Reply-To: <20220902162836.554839-9-zohar@linux.ibm.com>
Mimi,
On Fri, Sep 02, 2022 at 12:28:33PM -0400, Mimi Zohar wrote:
> OpenSSL v3 "engine" support is deprecated and replaced with "providers".
> Engine support will continue to work for a while, but results in
> deprecated declaration and other messages. One option is simply to hide
> them ("-Wno-deprecated-declarations"). The other alternative is to
> conditionally build ima-evm-utils without OpenSSL v3 engine support and
> without disabling deprecated declarations.
>
> Based on "--disable-engine" or "--enable-engine=no" configuration
> option, disable OpenSSL v3 "engine" support.
>
> When ima-evm-utils engine support is disabled, don't execute the tests
> requiring it.
>
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> configure.ac | 13 +++++++++++++
> src/Makefile.am | 8 ++++++++
> src/evmctl.c | 17 ++++++++++++++++-
> src/imaevm.h | 2 ++
> src/libimaevm.c | 5 +++++
> tests/functions.sh | 14 +++++++++++++-
> tests/ima_hash.test | 9 +++++++++
> tests/sign_verify.test | 10 ++++++++++
> 8 files changed, 76 insertions(+), 2 deletions(-)
>
> diff --git a/configure.ac b/configure.ac
> index dc666f2bb1fa..1a7d7eb17370 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -54,6 +54,17 @@ AC_ARG_ENABLE(sigv1,
> AM_CONDITIONAL([CONFIG_SIGV1], [test "x$enable_sigv1" = "xyes"])
> AS_IF([test "$enable_sigv1" != "yes"], [enable_sigv1="no"])
>
> +AC_ARG_ENABLE(engine,
Thanks.
BTW, if we now have handling of disabled engine -- OpenSSL have defines
OPENSSL_NO_ENGINE and OPENSSL_NO_DYNAMIC_ENGINE -- I think if any of
them is defined we could disable engine support automatically.
(Just a thought: In general, I would prefer if we rely on what is
configured in OpenSSL (whatever is enabled or disabled), and not
complicate things for user with post-decision of what is allowed for us
from OpenSSL. But of course opinions are different.)
> + [AS_HELP_STRING([--disable-engine], [build ima-evm-utils without OpenSSL v3 engine support])])
I think "v3" could be removed since it exists in v1 too.
> diff --git a/src/libimaevm.c b/src/libimaevm.c
> index 4b37bf5bd62c..ba489402f6f1 100644
> --- a/src/libimaevm.c
> +++ b/src/libimaevm.c
> @@ -959,6 +959,7 @@ static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
> EVP_PKEY *pkey;
>
> if (!strncmp(keyfile, "pkcs11:", 7)) {
> +#ifdef CONFIG_ENGINE
> if (!imaevm_params.keyid) {
> log_err("When using a pkcs11 URI you must provide the keyid with an option\n");
> return NULL;
> @@ -975,6 +976,10 @@ static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
> log_err("Failed to load private key %s\n", keyfile);
> goto err_engine;
> }
> +#else
> + log_err("OpenSSL 3 \"engine\" support is deprecated\n");
And here too "3" could be removed. And perhaps "is disabled" since this is
not just a deprecation warning, but an error.
Thanks,
next prev parent reply other threads:[~2022-09-04 3:08 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-02 16:28 [PATCH ima-evm-utils 00/11] address deprecated warnings Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 01/11] travis: use the distro OpenSSL version on jammy Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 02/11] travis: update dist=focal Mimi Zohar
2022-09-02 20:24 ` Stefan Berger
2022-09-06 18:27 ` Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 03/11] Update configure.ac to address a couple of obsolete warnings Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 04/11] Deprecate IMA signature version 1 Mimi Zohar
2022-09-02 19:25 ` Stefan Berger
2022-09-02 16:28 ` [PATCH ima-evm-utils 05/11] Replace the low level SHA1 calls when calculating the TPM 1.2 PCRs Mimi Zohar
2022-09-02 20:18 ` Stefan Berger
2022-09-02 16:28 ` [PATCH ima-evm-utils 06/11] Replace the low level HMAC calls when calculating the EVM HMAC Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 07/11] Add missing EVP_MD_CTX_free() call in calc_evm_hash() Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 08/11] Deprecate use of OpenSSL v3 "engine" support Mimi Zohar
2022-09-04 3:08 ` Vitaly Chikunov [this message]
2022-09-04 16:26 ` Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 09/11] Fix potential use after free in read_tpm_banks() Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 10/11] Limit the file hash algorithm name length Mimi Zohar
2022-09-02 16:28 ` [PATCH ima-evm-utils 11/11] Missing template data size lower bounds checking Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220904030839.dighibhcyxz46utx@altlinux.org \
--to=vt@altlinux.org \
--cc=linux-integrity@vger.kernel.org \
--cc=pvorel@suse.cz \
--cc=stefanb@linux.ibm.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox