Re: [PATCH ima-evm-utils 08/11] Deprecate use of OpenSSL v3 "engine" support

[Mimi Zohar <zohar@linux.ibm.com>]

Hi Vitaly,

On Sun, 2022-09-04 at 06:08 +0300, Vitaly Chikunov wrote:
> On Fri, Sep 02, 2022 at 12:28:33PM -0400, Mimi Zohar wrote:
> > OpenSSL v3 "engine" support is deprecated and replaced with "providers".
> > Engine support will continue to work for a while, but results in
> > deprecated declaration and other messages.  One option is simply to hide
> > them ("-Wno-deprecated-declarations").  The other alternative is to
> > conditionally build ima-evm-utils without OpenSSL v3 engine support and
> > without disabling deprecated declarations.
> > 
> > Based on "--disable-engine" or "--enable-engine=no" configuration
> > option, disable OpenSSL v3 "engine" support.
> > 
> > When ima-evm-utils engine support is disabled, don't execute the tests
> > requiring it.
> > 
> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> > ---
> >  configure.ac           | 13 +++++++++++++
> >  src/Makefile.am        |  8 ++++++++
> >  src/evmctl.c           | 17 ++++++++++++++++-
> >  src/imaevm.h           |  2 ++
> >  src/libimaevm.c        |  5 +++++
> >  tests/functions.sh     | 14 +++++++++++++-
> >  tests/ima_hash.test    |  9 +++++++++
> >  tests/sign_verify.test | 10 ++++++++++
> >  8 files changed, 76 insertions(+), 2 deletions(-)
> > 
> > diff --git a/configure.ac b/configure.ac
> > index dc666f2bb1fa..1a7d7eb17370 100644
> > --- a/configure.ac
> > +++ b/configure.ac
> > @@ -54,6 +54,17 @@ AC_ARG_ENABLE(sigv1,
> >  	AM_CONDITIONAL([CONFIG_SIGV1], [test "x$enable_sigv1" = "xyes"])
> >  	AS_IF([test "$enable_sigv1"  != "yes"], [enable_sigv1="no"])
> >  
> > +AC_ARG_ENABLE(engine,
> 
> Thanks.
> 
> BTW, if we now have handling of disabled engine -- OpenSSL have defines
> OPENSSL_NO_ENGINE and OPENSSL_NO_DYNAMIC_ENGINE -- I think if any of
> them is defined we could disable engine support automatically.

Ok

> 
> (Just a thought: In general, I would prefer if we rely on what is
> configured in OpenSSL (whatever is enabled or disabled), and not
> complicate things for user with post-decision of what is allowed for us
> from OpenSSL. But of course opinions are different.)

Sorry, but at leat for my testing purposes, being able to disable ima-
evm-utils OpenSSL engine support without recompiling other packages is
a requirement.

> > +	      [AS_HELP_STRING([--disable-engine], [build ima-evm-utils without OpenSSL v3 engine support])])
> 
> I think "v3" could be removed since it exists in v1 too.

configure.ac currently still limits disabling OpenSSL engine support to
v3, but that could be removed.

> 
> > diff --git a/src/libimaevm.c b/src/libimaevm.c
> > index 4b37bf5bd62c..ba489402f6f1 100644
> > --- a/src/libimaevm.c
> > +++ b/src/libimaevm.c
> > @@ -959,6 +959,7 @@ static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
> >  	EVP_PKEY *pkey;
> >  
> >  	if (!strncmp(keyfile, "pkcs11:", 7)) {
> > +#ifdef CONFIG_ENGINE
> >  		if (!imaevm_params.keyid) {
> >  			log_err("When using a pkcs11 URI you must provide the keyid with an option\n");
> >  			return NULL;
> > @@ -975,6 +976,10 @@ static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
> >  			log_err("Failed to load private key %s\n", keyfile);
> >  			goto err_engine;
> >  		}
> > +#else
> > +		log_err("OpenSSL 3 \"engine\" support is deprecated\n");
> 
> And here too "3" could be removed. And perhaps "is disabled" since this is
> not just a deprecation warning, but an error.

Sure.