From: Vitaly Chikunov <vt@altlinux.org>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org
Subject: [PATCH v2] ima-evm-utils: rework openssl init
Date: Sun, 3 Feb 2019 20:47:12 +0300 [thread overview]
Message-ID: <20190203174712.892-1-vt@altlinux.org> (raw)
Remove deprecated call to OpenSSL_add_all_algorithms().
Allow to disable openssl config loading via configure
`--disable-openssl-conf' option.
Finish engine initialization properly by calling ENGINE_set_default(),
as suggested by James Bottomley.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
- v1 is "ima-evm-utils: remove redundant call to OpenSSL_add_all_algorithms"
- everything is changed as suggested in mailing list, not just
redundant OpenSSL_add_all_algorithms() call is removed.
configure.ac | 6 ++++++
src/evmctl.c | 1 +
src/libimaevm.c | 8 ++++++--
3 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index 60f3684..ff8ac29 100644
--- a/configure.ac
+++ b/configure.ac
@@ -39,6 +39,12 @@ AC_ARG_WITH(kernel_headers, [AS_HELP_STRING([--with-kernel-headers=PATH],
[KERNEL_HEADERS="$withval"],
[KERNEL_HEADERS=/lib/modules/$(uname -r)/source])
+AC_ARG_ENABLE([openssl_conf],
+ [AS_HELP_STRING([--disable-openssl-conf], [disable loading of openssl config by libimaevm])],
+ if test "$enable_openssl_conf" = "no"; then
+ AC_DEFINE(DISABLE_OPENSSL_CONF, 1, [Define to disable loading of openssl config by libimaevm.])
+ fi)
+
#debug support - yes for a while
PKG_ARG_ENABLE(debug, "yes", DEBUG, [Enable Debug support])
if test $pkg_cv_enable_debug = yes; then
diff --git a/src/evmctl.c b/src/evmctl.c
index 2e4d551..fa074c4 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -1904,6 +1904,7 @@ int main(int argc, char *argv[])
ENGINE_free(eng);
eng = NULL;
}
+ ENGINE_set_default(eng, ENGINE_METHOD_ALL);
break;
case 140: /* --xattr-user */
xattr_ima = "user.ima";
diff --git a/src/libimaevm.c b/src/libimaevm.c
index 799eeec..db27c6f 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -976,7 +976,11 @@ int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const c
static void libinit()
{
- OpenSSL_add_all_algorithms();
- OPENSSL_add_all_algorithms_conf();
+ OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
+ OPENSSL_INIT_ADD_ALL_DIGESTS |
+#ifndef DISABLE_OPENSSL_CONF
+ OPENSSL_INIT_LOAD_CONFIG |
+#endif
+ OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
ERR_load_crypto_strings();
}
--
2.11.0
next reply other threads:[~2019-02-03 17:47 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-03 17:47 Vitaly Chikunov [this message]
2019-02-12 22:11 ` [PATCH v2] ima-evm-utils: rework openssl init Mimi Zohar
2019-03-10 22:32 ` Mimi Zohar
2019-03-10 23:15 ` Vitaly Chikunov
2019-03-23 1:25 ` Vitaly Chikunov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190203174712.892-1-vt@altlinux.org \
--to=vt@altlinux.org \
--cc=dmitry.kasatkin@gmail.com \
--cc=linux-integrity@vger.kernel.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).