From: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.ibm.com>, Petr Vorel <pvorel@suse.cz>,
Vitaly Chikunov <vt@altlinux.org>,
Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH ima-evm-utils v2 08/12] Disable use of OpenSSL "engine" support
Date: Tue, 6 Sep 2022 15:50:17 -0400 [thread overview]
Message-ID: <20220906195021.854090-9-zohar@linux.ibm.com> (raw)
In-Reply-To: <20220906195021.854090-1-zohar@linux.ibm.com>
OpenSSL v3 "engine" support is deprecated and replaced with "providers".
Engine support will continue to work for a while, but results in
deprecated declaration and other messages. One option is simply to hide
them ("-Wno-deprecated-declarations"). The other alternative is to
conditionally build ima-evm-utils without OpenSSL engine support and
without disabling deprecated declarations.
Based on "--disable-engine" or "--enable-engine=no" configuration
option, disable OpenSSL "engine" support.
When ima-evm-utils engine support is disabled, don't execute the tests
requiring it.
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
configure.ac | 5 +++++
src/Makefile.am | 8 ++++++++
src/evmctl.c | 17 ++++++++++++++++-
src/imaevm.h | 2 ++
src/libimaevm.c | 5 +++++
tests/functions.sh | 14 +++++++++++++-
tests/ima_hash.test | 9 +++++++++
tests/sign_verify.test | 9 +++++++++
8 files changed, 67 insertions(+), 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index dc666f2bb1fa..49e9350ace07 100644
--- a/configure.ac
+++ b/configure.ac
@@ -54,6 +54,10 @@ AC_ARG_ENABLE(sigv1,
AM_CONDITIONAL([CONFIG_SIGV1], [test "x$enable_sigv1" = "xyes"])
AS_IF([test "$enable_sigv1" != "yes"], [enable_sigv1="no"])
+AC_ARG_ENABLE(engine,
+ [AS_HELP_STRING([--disable-engine], [build ima-evm-utils without OpenSSL engine support])],,[enable_engine=yes])
+ AM_CONDITIONAL([CONFIG_ENGINE], [test "x$enable_engine" = "xyes"])
+
#debug support - yes for a while
PKG_ARG_ENABLE(debug, "yes", DEBUG, [Enable Debug support])
if test $pkg_cv_enable_debug = yes; then
@@ -89,5 +93,6 @@ echo " tss2-esys: $ac_cv_lib_tss2_esys_Esys_Free"
echo " tss2-rc-decode: $ac_cv_lib_tss2_rc_Tss2_RC_Decode"
echo " ibmtss: $ac_cv_header_ibmtss_tss_h"
echo " sigv1: $enable_sigv1"
+echo " engine: $enable_engine"
echo " doc: $have_doc"
echo
diff --git a/src/Makefile.am b/src/Makefile.am
index 90c7249020cf..a810d6e0acff 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -11,6 +11,10 @@ if CONFIG_SIGV1
libimaevm_la_CFLAGS = -DCONFIG_SIGV1
endif
+if CONFIG_ENGINE
+libimaevm_la_CFLAGS = -DCONFIG_ENGINE
+endif
+
include_HEADERS = imaevm.h
nodist_libimaevm_la_SOURCES = hash_info.h
@@ -31,6 +35,10 @@ if CONFIG_SIGV1
evmctl_CFLAGS = -DCONFIG_SIGV1
endif
+# Enable "--engine" support
+if CONFIG_ENGINE
+evmctl_CFLAGS = -DCONFIG_ENGINE
+endif
# USE_PCRTSS uses the Intel TSS
if USE_PCRTSS
diff --git a/src/evmctl.c b/src/evmctl.c
index b89e74e06c3d..fa588e0caba2 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -64,7 +64,9 @@
#include <openssl/hmac.h>
#include <openssl/err.h>
#include <openssl/rsa.h>
+#if CONFIG_ENGINE
#include <openssl/engine.h>
+#endif
#include <openssl/x509v3.h>
#include "hash_info.h"
#include "pcr.h"
@@ -2715,7 +2717,9 @@ static void usage(void)
" --selinux use custom Selinux label for EVM\n"
" --caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"
" --verify-sig verify measurement list signatures\n"
- " --engine e preload OpenSSL engine e (such as: gost)\n"
+#if CONFIG_ENGINE
+ " --engine e preload OpenSSL engine e (such as: gost) is deprecated\n"
+#endif
" --ignore-violations ignore ToMToU measurement violations\n"
" -v increase verbosity level\n"
" -h, --help display this help and exit\n"
@@ -2777,7 +2781,9 @@ static struct option opts[] = {
{"selinux", 1, 0, 136},
{"caps", 2, 0, 137},
{"verify-sig", 0, 0, 138},
+#if CONFIG_ENGINE
{"engine", 1, 0, 139},
+#endif
{"xattr-user", 0, 0, 140},
{"ignore-violations", 0, 0, 141},
{"pcrs", 1, 0, 142},
@@ -2830,9 +2836,11 @@ static char *get_password(void)
return password;
}
+#if CONFIG_ENGINE
static ENGINE *setup_engine(const char *engine_id)
{
ENGINE *eng = ENGINE_by_id(engine_id);
+
if (!eng) {
log_err("engine %s isn't available\n", optarg);
ERR_print_errors_fp(stderr);
@@ -2846,6 +2854,7 @@ static ENGINE *setup_engine(const char *engine_id)
ENGINE_set_default(eng, ENGINE_METHOD_ALL);
return eng;
}
+#endif
int main(int argc, char *argv[])
{
@@ -2971,11 +2980,13 @@ int main(int argc, char *argv[])
case 138:
verify_list_sig = 1;
break;
+#if CONFIG_ENGINE
case 139: /* --engine e */
imaevm_params.eng = setup_engine(optarg);
if (!imaevm_params.eng)
goto error;
break;
+#endif
case 140: /* --xattr-user */
xattr_ima = "user.ima";
xattr_evm = "user.evm";
@@ -3034,7 +3045,9 @@ int main(int argc, char *argv[])
if (imaevm_params.keyfile != NULL &&
imaevm_params.eng == NULL &&
!strncmp(imaevm_params.keyfile, "pkcs11:", 7)) {
+#if CONFIG_ENGINE
imaevm_params.eng = setup_engine("pkcs11");
+#endif
if (!imaevm_params.eng)
goto error;
}
@@ -3060,6 +3073,7 @@ int main(int argc, char *argv[])
}
error:
+#if CONFIG_ENGINE
if (imaevm_params.eng) {
ENGINE_finish(imaevm_params.eng);
ENGINE_free(imaevm_params.eng);
@@ -3067,6 +3081,7 @@ error:
ENGINE_cleanup();
#endif
}
+#endif
ERR_free_strings();
EVP_cleanup();
BIO_free(NULL);
diff --git a/src/imaevm.h b/src/imaevm.h
index afcf1e042014..ebe8c20d566a 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -48,7 +48,9 @@
#include <errno.h>
#include <sys/types.h>
#include <openssl/rsa.h>
+#ifdef CONFIG_ENGINE
#include <openssl/engine.h>
+#endif
#ifdef USE_FPRINTF
#define do_log(level, fmt, args...) \
diff --git a/src/libimaevm.c b/src/libimaevm.c
index 4b37bf5bd62c..037027c1d951 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -959,6 +959,7 @@ static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
EVP_PKEY *pkey;
if (!strncmp(keyfile, "pkcs11:", 7)) {
+#ifdef CONFIG_ENGINE
if (!imaevm_params.keyid) {
log_err("When using a pkcs11 URI you must provide the keyid with an option\n");
return NULL;
@@ -975,6 +976,10 @@ static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
log_err("Failed to load private key %s\n", keyfile);
goto err_engine;
}
+#else
+ log_err("OpenSSL \"engine\" support is disabled\n");
+ goto err_engine;
+#endif
} else {
fp = fopen(keyfile, "r");
if (!fp) {
diff --git a/tests/functions.sh b/tests/functions.sh
index 8f6f02dfcd95..9f7784584e91 100755
--- a/tests/functions.sh
+++ b/tests/functions.sh
@@ -312,4 +312,16 @@ _softhsm_teardown() {
rm -rf "${SOFTHSM_SETUP_CONFIGDIR}"
unset SOFTHSM_SETUP_CONFIGDIR SOFTHSM2_CONF PKCS11_KEYURI \
EVMCTL_ENGINE OPENSSL_ENGINE OPENSSL_KEYFORM
-}
\ No newline at end of file
+}
+
+# OpenSSL v3 engine support still works, but is deprecated. In preparation
+# for it being removed, a new ima-evm-utils configuration option
+# "--disable-engine" and the equivalent "--enable-engine=no" is defined.`
+_is_engine_supported() {
+ cmd="evmctl --engine pkcs11"
+ $cmd &>/dev/null
+ if [ $? -eq 1 ]; then
+ return 0
+ fi
+ return 1
+}
diff --git a/tests/ima_hash.test b/tests/ima_hash.test
index e88fd59cc359..33223e6c7a94 100755
--- a/tests/ima_hash.test
+++ b/tests/ima_hash.test
@@ -71,6 +71,15 @@ expect_pass check sha384 0x0405 38b060a751ac96384cd9327eb1b1e36a21fdb71114b
expect_pass check sha512 0x0406 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
expect_pass check rmd160 0x0403 9c1185a5c5e9fc54612808977ee8f548b2258d31
expect_pass check sm3 0x0411 1ab21d8355cfa17f8e61194831e81a8f22bec8c728fefb747ed035eb5082aa2b
+
+# Remaining tests require engine support
+_is_engine_supported
+if [ $? -eq 0 ]; then
+ __skip() { echo "Tests requiring engine support are skipped (not supported)"; return $SKIP; }
+ expect_pass __skip
+ exit 0
+fi
+
_enable_gost_engine
expect_pass check md_gost12_256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
expect_pass check streebog256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
diff --git a/tests/sign_verify.test b/tests/sign_verify.test
index 948892759424..1486447a8316 100755
--- a/tests/sign_verify.test
+++ b/tests/sign_verify.test
@@ -18,6 +18,7 @@
cd "$(dirname "$0")" || exit 1
PATH=../src:$PATH
SIGV1=0
+
source ./functions.sh
_require cmp evmctl getfattr openssl xxd
@@ -418,6 +419,14 @@ if [ -x /opt/openssl3/bin/openssl ]; then
sign_verify sm2 sm3 0x030211:K:004[345678]
fi
+# Remaining tests require engine support
+_is_engine_supported
+if [ $? -eq 0 ]; then
+ __skip() { echo "Tests requiring engine support are skipped (not supported)"; return $SKIP; }
+ expect_pass __skip
+ exit 0
+fi
+
# Test v2 signatures with EC-RDSA
_enable_gost_engine
sign_verify gost2012_256-A md_gost12_256 0x030212:K:0040
--
2.31.1
next prev parent reply other threads:[~2022-09-06 19:55 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-06 19:50 [PATCH ima-evm-utils v2 00/12] address deprecated warnings Mimi Zohar
2022-09-06 19:50 ` [PATCH ima-evm-utils v2 01/12] travis: use the distro OpenSSL version on jammy Mimi Zohar
2022-09-06 19:50 ` [PATCH ima-evm-utils v2 02/12] travis: update dist=focal Mimi Zohar
2022-09-13 16:39 ` Stefan Berger
2022-09-06 19:50 ` [PATCH ima-evm-utils v2 03/12] Update configure.ac to address a couple of obsolete warnings Mimi Zohar
2022-09-13 16:40 ` Stefan Berger
2022-09-06 19:50 ` [PATCH ima-evm-utils v2 04/12] Deprecate IMA signature version 1 Mimi Zohar
2022-09-06 19:50 ` [PATCH ima-evm-utils v2 05/12] Replace the low level SHA1 calls when calculating the TPM 1.2 PCRs Mimi Zohar
2022-09-06 19:50 ` [PATCH ima-evm-utils v2 06/12] Replace the low level HMAC calls when calculating the EVM HMAC Mimi Zohar
2022-09-06 20:31 ` Stefan Berger
2022-09-06 19:50 ` [PATCH ima-evm-utils v2 07/12] Add missing EVP_MD_CTX_free() call in calc_evm_hash() Mimi Zohar
2022-09-06 20:36 ` Stefan Berger
2022-09-06 19:50 ` Mimi Zohar [this message]
2022-09-06 19:50 ` [PATCH ima-evm-utils v2 09/12] Fix potential use after free in read_tpm_banks() Mimi Zohar
2022-09-13 16:38 ` Stefan Berger
2022-09-06 19:50 ` [PATCH ima-evm-utils v2 10/12] Limit the file hash algorithm name length Mimi Zohar
2022-09-13 16:35 ` Stefan Berger
2022-09-06 19:50 ` [PATCH ima-evm-utils v2 11/12] Missing template data size lower bounds checking Mimi Zohar
2022-09-13 16:34 ` Stefan Berger
2022-09-06 19:50 ` [RFC PATCH ima-evm-utils v2 12/12] Limit configuring OpenSSL engine support Mimi Zohar
2022-09-07 15:43 ` Vitaly Chikunov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220906195021.854090-9-zohar@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=pvorel@suse.cz \
--cc=stefanb@linux.ibm.com \
--cc=vt@altlinux.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.