@@ -54,6 +54,10 @@ AC_ARG_ENABLE(sigv1,
AM_CONDITIONAL([CONFIG_SIGV1], [test "x$enable_sigv1" = "xyes"])
AS_IF([test "$enable_sigv1" != "yes"], [enable_sigv1="no"])
+AC_ARG_ENABLE(engine,
+ [AS_HELP_STRING([--disable-engine], [build ima-evm-utils without OpenSSL engine support])],,[enable_engine=yes])
+ AM_CONDITIONAL([CONFIG_ENGINE], [test "x$enable_engine" = "xyes"])
+
#debug support - yes for a while
PKG_ARG_ENABLE(debug, "yes", DEBUG, [Enable Debug support])
if test $pkg_cv_enable_debug = yes; then
@@ -89,5 +93,6 @@ echo " tss2-esys: $ac_cv_lib_tss2_esys_Esys_Free"
echo " tss2-rc-decode: $ac_cv_lib_tss2_rc_Tss2_RC_Decode"
echo " ibmtss: $ac_cv_header_ibmtss_tss_h"
echo " sigv1: $enable_sigv1"
+echo " engine: $enable_engine"
echo " doc: $have_doc"
echo
@@ -11,6 +11,10 @@ if CONFIG_SIGV1
libimaevm_la_CFLAGS = -DCONFIG_SIGV1
endif
+if CONFIG_ENGINE
+libimaevm_la_CFLAGS = -DCONFIG_ENGINE
+endif
+
include_HEADERS = imaevm.h
nodist_libimaevm_la_SOURCES = hash_info.h
@@ -31,6 +35,10 @@ if CONFIG_SIGV1
evmctl_CFLAGS = -DCONFIG_SIGV1
endif
+# Enable "--engine" support
+if CONFIG_ENGINE
+evmctl_CFLAGS = -DCONFIG_ENGINE
+endif
# USE_PCRTSS uses the Intel TSS
if USE_PCRTSS
@@ -64,7 +64,9 @@
#include <openssl/hmac.h>
#include <openssl/err.h>
#include <openssl/rsa.h>
+#if CONFIG_ENGINE
#include <openssl/engine.h>
+#endif
#include <openssl/x509v3.h>
#include "hash_info.h"
#include "pcr.h"
@@ -2715,7 +2717,9 @@ static void usage(void)
" --selinux use custom Selinux label for EVM\n"
" --caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"
" --verify-sig verify measurement list signatures\n"
- " --engine e preload OpenSSL engine e (such as: gost)\n"
+#if CONFIG_ENGINE
+ " --engine e preload OpenSSL engine e (such as: gost) is deprecated\n"
+#endif
" --ignore-violations ignore ToMToU measurement violations\n"
" -v increase verbosity level\n"
" -h, --help display this help and exit\n"
@@ -2777,7 +2781,9 @@ static struct option opts[] = {
{"selinux", 1, 0, 136},
{"caps", 2, 0, 137},
{"verify-sig", 0, 0, 138},
+#if CONFIG_ENGINE
{"engine", 1, 0, 139},
+#endif
{"xattr-user", 0, 0, 140},
{"ignore-violations", 0, 0, 141},
{"pcrs", 1, 0, 142},
@@ -2830,9 +2836,11 @@ static char *get_password(void)
return password;
}
+#if CONFIG_ENGINE
static ENGINE *setup_engine(const char *engine_id)
{
ENGINE *eng = ENGINE_by_id(engine_id);
+
if (!eng) {
log_err("engine %s isn't available\n", optarg);
ERR_print_errors_fp(stderr);
@@ -2846,6 +2854,7 @@ static ENGINE *setup_engine(const char *engine_id)
ENGINE_set_default(eng, ENGINE_METHOD_ALL);
return eng;
}
+#endif
int main(int argc, char *argv[])
{
@@ -2971,11 +2980,13 @@ int main(int argc, char *argv[])
case 138:
verify_list_sig = 1;
break;
+#if CONFIG_ENGINE
case 139: /* --engine e */
imaevm_params.eng = setup_engine(optarg);
if (!imaevm_params.eng)
goto error;
break;
+#endif
case 140: /* --xattr-user */
xattr_ima = "user.ima";
xattr_evm = "user.evm";
@@ -3034,7 +3045,9 @@ int main(int argc, char *argv[])
if (imaevm_params.keyfile != NULL &&
imaevm_params.eng == NULL &&
!strncmp(imaevm_params.keyfile, "pkcs11:", 7)) {
+#if CONFIG_ENGINE
imaevm_params.eng = setup_engine("pkcs11");
+#endif
if (!imaevm_params.eng)
goto error;
}
@@ -3060,6 +3073,7 @@ int main(int argc, char *argv[])
}
error:
+#if CONFIG_ENGINE
if (imaevm_params.eng) {
ENGINE_finish(imaevm_params.eng);
ENGINE_free(imaevm_params.eng);
@@ -3067,6 +3081,7 @@ error:
ENGINE_cleanup();
#endif
}
+#endif
ERR_free_strings();
EVP_cleanup();
BIO_free(NULL);
@@ -48,7 +48,9 @@
#include <errno.h>
#include <sys/types.h>
#include <openssl/rsa.h>
+#ifdef CONFIG_ENGINE
#include <openssl/engine.h>
+#endif
#ifdef USE_FPRINTF
#define do_log(level, fmt, args...) \
@@ -959,6 +959,7 @@ static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
EVP_PKEY *pkey;
if (!strncmp(keyfile, "pkcs11:", 7)) {
+#ifdef CONFIG_ENGINE
if (!imaevm_params.keyid) {
log_err("When using a pkcs11 URI you must provide the keyid with an option\n");
return NULL;
@@ -975,6 +976,10 @@ static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
log_err("Failed to load private key %s\n", keyfile);
goto err_engine;
}
+#else
+ log_err("OpenSSL \"engine\" support is disabled\n");
+ goto err_engine;
+#endif
} else {
fp = fopen(keyfile, "r");
if (!fp) {
@@ -312,4 +312,16 @@ _softhsm_teardown() {
rm -rf "${SOFTHSM_SETUP_CONFIGDIR}"
unset SOFTHSM_SETUP_CONFIGDIR SOFTHSM2_CONF PKCS11_KEYURI \
EVMCTL_ENGINE OPENSSL_ENGINE OPENSSL_KEYFORM
-}
\ No newline at end of file
+}
+
+# OpenSSL v3 engine support still works, but is deprecated. In preparation
+# for it being removed, a new ima-evm-utils configuration option
+# "--disable-engine" and the equivalent "--enable-engine=no" is defined.`
+_is_engine_supported() {
+ cmd="evmctl --engine pkcs11"
+ $cmd &>/dev/null
+ if [ $? -eq 1 ]; then
+ return 0
+ fi
+ return 1
+}
@@ -71,6 +71,15 @@ expect_pass check sha384 0x0405 38b060a751ac96384cd9327eb1b1e36a21fdb71114b
expect_pass check sha512 0x0406 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
expect_pass check rmd160 0x0403 9c1185a5c5e9fc54612808977ee8f548b2258d31
expect_pass check sm3 0x0411 1ab21d8355cfa17f8e61194831e81a8f22bec8c728fefb747ed035eb5082aa2b
+
+# Remaining tests require engine support
+_is_engine_supported
+if [ $? -eq 0 ]; then
+ __skip() { echo "Tests requiring engine support are skipped (not supported)"; return $SKIP; }
+ expect_pass __skip
+ exit 0
+fi
+
_enable_gost_engine
expect_pass check md_gost12_256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
expect_pass check streebog256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
@@ -18,6 +18,7 @@
cd "$(dirname "$0")" || exit 1
PATH=../src:$PATH
SIGV1=0
+
source ./functions.sh
_require cmp evmctl getfattr openssl xxd
@@ -418,6 +419,14 @@ if [ -x /opt/openssl3/bin/openssl ]; then
sign_verify sm2 sm3 0x030211:K:004[345678]
fi
+# Remaining tests require engine support
+_is_engine_supported
+if [ $? -eq 0 ]; then
+ __skip() { echo "Tests requiring engine support are skipped (not supported)"; return $SKIP; }
+ expect_pass __skip
+ exit 0
+fi
+
# Test v2 signatures with EC-RDSA
_enable_gost_engine
sign_verify gost2012_256-A md_gost12_256 0x030212:K:0040
OpenSSL v3 "engine" support is deprecated and replaced with "providers". Engine support will continue to work for a while, but results in deprecated declaration and other messages. One option is simply to hide them ("-Wno-deprecated-declarations"). The other alternative is to conditionally build ima-evm-utils without OpenSSL engine support and without disabling deprecated declarations. Based on "--disable-engine" or "--enable-engine=no" configuration option, disable OpenSSL "engine" support. When ima-evm-utils engine support is disabled, don't execute the tests requiring it. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> --- configure.ac | 5 +++++ src/Makefile.am | 8 ++++++++ src/evmctl.c | 17 ++++++++++++++++- src/imaevm.h | 2 ++ src/libimaevm.c | 5 +++++ tests/functions.sh | 14 +++++++++++++- tests/ima_hash.test | 9 +++++++++ tests/sign_verify.test | 9 +++++++++ 8 files changed, 67 insertions(+), 2 deletions(-)