diff --git a/add-save-command-to-support-digest-list-building.patch b/0001-add-save-command-to-support-digest-list-building.patch
similarity index 67%
rename from add-save-command-to-support-digest-list-building.patch
rename to 0001-add-save-command-to-support-digest-list-building.patch
index 13eec14a022644f3f4f4afa30f109577990b6797..d497b7a8802f1975d9a4478d2bcc956e0ec66bcf 100644
--- a/add-save-command-to-support-digest-list-building.patch
+++ b/0001-add-save-command-to-support-digest-list-building.patch
@@ -1,4 +1,4 @@
-From 6e607f4c5b3a608477bfc10405fb3c1f2ef93024 Mon Sep 17 00:00:00 2001
+From bf460c8e2001ec1227ce5a9ecf44d24782d43871 Mon Sep 17 00:00:00 2001
 From: Roberto Sassu
 Date: Thu, 21 Jan 2021 08:16:34 +0800
 Subject: [PATCH] add save command to support digest list building
@@ -6,15 +6,16 @@ Subject: [PATCH] add save command to support digest list building
 This patch adds save command to support IMA digest list.
 Signed-off-by: Tianxing Zhang
+Signed-off-by: zhoushuiqing
 ---
- src/evmctl.c | 67 ++++++++++++++++++++++++++++++++++++++++++++++------
- 1 file changed, 60 insertions(+), 7 deletions(-)
+ src/evmctl.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 59 insertions(+), 6 deletions(-)
 diff --git a/src/evmctl.c b/src/evmctl.c
-index 1815f55..439713d 100644
+index 6d2bb67..70d07a5 100644
 --- a/src/evmctl.c
 +++ b/src/evmctl.c
-@@ -115,6 +115,7 @@ static int sigdump;
+@@ -121,6 +121,7 @@ static int sigdump; static int digest; static int digsig; static int sigfile;
@@ -22,9 +23,9 @@ index 1815f55..439713d 100644 static char *uuid_str; static char *ino_str; static char *uid_str;
-@@ -165,7 +166,8 @@ struct tpm_bank_info {
- static char *pcrfile[MAX_PCRFILE];
- static unsigned npcrfile;
+@@ -173,7 +174,8 @@ static unsigned npcrfile;
+ #define log_errno_reset(level, fmt, args...) \
+ {do_log(level, fmt " (errno: %s)\n", ##args, strerror(errno)); errno = 0; }
 -static int bin2file(const char *file, const char *ext, const unsigned char *data, int len)
 +static int _bin2file(const char *file, const char *ext,
@@ -32,7 +33,7 @@ index 1815f55..439713d 100644 { FILE *fp; char name[strlen(file) + (ext ? strlen(ext) : 0) + 2];
-@@ -178,7 +180,7 @@ static int bin2file(const char *file, const char *ext, const unsigned char *data
+@@ -186,7 +188,7 @@ static int bin2file(const char *file, const char *ext, const unsigned char *data log_info("Writing to %s\n", name);
@@ -41,7 +42,7 @@ index 1815f55..439713d 100644 if (!fp) { log_err("Failed to open: %s\n", name); return -1;
-@@ -188,6 +190,18 @@ static int bin2file(const char *file, const char *ext, const unsigned char *data
+@@ -196,6 +198,18 @@ static int bin2file(const char *file, const char *ext, const unsigned char *data return err; }
@@ -60,7 +61,7 @@ index 1815f55..439713d 100644 static unsigned char *file2bin(const char *file, const char *ext, int *size) { FILE *fp;
-@@ -353,6 +367,9 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
+@@ -365,6 +379,9 @@ static int calc_evm_hash(const char *file, unsigned char *hash) return -1; }
@@ -70,18 +71,18 @@ index 1815f55..439713d 100644 if (generation_str) generation = strtoul(generation_str, NULL, 10); if (ino_str)
-@@ -364,7 +381,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
+@@ -376,7 +393,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) if (mode_str) st.st_mode = strtoul(mode_str, NULL, 10); - if (!evm_immutable) { + if (!evm_immutable && !evm_portable) {
- if ((S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)) && !generation_str) {
- /* we cannot at the momement to get generation of
- special files kernel API does not support it */
-@@ -444,7 +461,11 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
- /*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/
- log_info("name: %s, size: %d\n", *xattrname, err);
+ if (S_ISREG(st.st_mode) && !generation_str) {
+ int fd = open(file, 0);
+
+@@ -478,7 +495,11 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
+ log_info("name: %s, size: %d\n",
+ use_xattr_ima ? xattr_ima : *xattrname, err); log_debug_dump(xattr_value, err); - err = EVP_DigestUpdate(pctx, xattr_value, err); + if (datafile)
@@ -91,8 +92,8 @@ index 1815f55..439713d 100644 + err = EVP_DigestUpdate(pctx, xattr_value, err); if (!err) { log_err("EVP_DigestUpdate() failed\n");
- return 1;
-@@ -498,7 +519,11 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
+ goto out;
+@@ -532,7 +553,11 @@ static int calc_evm_hash(const char *file, unsigned char *hash) log_debug("hmac_misc (%d): ", hmac_size); log_debug_dump(&hmac_misc, hmac_size);
@@ -104,8 +105,8 @@ index 1815f55..439713d 100644 + err = EVP_DigestUpdate(pctx, &hmac_misc, hmac_size); if (!err) { log_err("EVP_DigestUpdate() failed\n");
- return 1;
-@@ -555,6 +580,9 @@ static int sign_evm(const char *file, const char *key)
+ goto out;
+@@ -593,6 +618,9 @@ static int sign_evm(const char *file, const char *key) if (sigdump || imaevm_params.verbose >= LOG_INFO) imaevm_hexdump(sig, len);
@@ -115,7 +116,7 @@ index 1815f55..439713d 100644 if (xattr) { err = lsetxattr(file, xattr_evm, sig, len, 0); if (err < 0) {
-@@ -566,6 +594,21 @@ static int sign_evm(const char *file, const char *key)
+@@ -605,6 +633,21 @@ static int sign_evm(const char *file, const char *key) return 0; }
@@ -137,7 +138,7 @@ index 1815f55..439713d 100644 static int hash_ima(const char *file) { unsigned char hash[MAX_DIGEST_SIZE + 2]; /* +2 byte xattr header */
-@@ -678,7 +721,7 @@ static int get_file_type(const char *path, const char *search_type)
+@@ -717,7 +760,7 @@ static int get_file_type(const char *path, const char *search_type) static int do_cmd(struct command *cmd, find_cb_t func) {
@@ -146,7 +147,7 @@ index 1815f55..439713d 100644 int err, dts = REG_MASK; /* only regular files by default */ if (!path) {
-@@ -687,6 +730,10 @@ static int do_cmd(struct command *cmd, find_cb_t func)
+@@ -726,6 +769,10 @@ static int do_cmd(struct command *cmd, find_cb_t func) return -1; }
@@ -157,7 +158,7 @@ index 1815f55..439713d 100644 if (recursive) { if (search_type) { dts = get_file_type(path, search_type);
-@@ -793,6 +840,11 @@ static int cmd_sign_evm(struct command *cmd)
+@@ -905,6 +952,11 @@ static int cmd_sign_evm(struct command *cmd) return do_cmd(cmd, sign_evm_path); }
@@ -169,23 +170,14 @@ index 1815f55..439713d 100644 static int verify_evm(const char *file) { unsigned char hash[MAX_DIGEST_SIZE];
-@@ -807,7 +859,7 @@ static int verify_evm(const char *file)
- return len;
- }
-
-- if (sig[0] != 0x03) {
-+ if (sig[0] != 0x03 && sig[0] != 0x05) {
- log_err("%s has no signature\n", xattr_evm);
- return -1;
- }
-@@ -2479,6 +2531,7 @@ struct command cmds[] = {
- {"import", cmd_import, 0, "[--rsa] pubkey keyring", "Import public key into the keyring.\n"},
- {"convert", cmd_convert, 0, "key", "convert public key into the keyring.\n"},
- {"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass [password] file", "Sign file metadata.\n"},
+@@ -2874,6 +2926,7 @@ struct command cmds[] = {
+ {"import", cmd_import, 0, "pubkey keyring", "Import public key into the keyring.\n"},
+ #endif
+ {"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass[=]] file", "Sign file metadata.\n"},
 + {"save", cmd_save_evm, 0, "[-r] [--imahash | --imasig ] file", "Save file metadata.\n"},
 {"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"},
 - {"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass [password] file", "Make file content signature.\n"},
 + {"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass[=]] file", "Make file content signature.\n"},
 {"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
 --
-2.25.1
+2.33.0
diff --git a/fix-caps-parameter-cannot-be-parsed.patch b/0002-fix-caps-parameter-cannot-be-parsed.patch
similarity index 78%
rename from fix-caps-parameter-cannot-be-parsed.patch
rename to 0002-fix-caps-parameter-cannot-be-parsed.patch
index 1881b90e09964688bf095ef86e442aea451ed63b..3ddcced02b91f35e1d13f653344041bef651b2ed 100644
--- a/fix-caps-parameter-cannot-be-parsed.patch
+++ b/0002-fix-caps-parameter-cannot-be-parsed.patch
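Review bot: The rebased patch no longer carries the verify_evm change that also accepted signature type 0x05 (the `-- if (sig[0] != 0x03) {` / `-+ if (sig[0] != 0x03 && sig[0] != 0x05) {` lines are dropped in this hunk, and the diffstat in the first hunk shrinking from 60/7 to 59/6 matches that), yet neither the patch description nor the spec changelog says why. If verify_evm in 1.5 already accepts that type the patch body should say so; if it does not, an EVM xattr whose first byte is 0x05 would again reach `log_err("%s has no signature\n", xattr_evm)` and fail verification, which is a behaviour change hidden inside a version bump. A one-line addition to the patch description along the lines of `Drop the verify_evm hunk for signature type 0x05: upstream 1.5 already accepts it (verified against src/evmctl.c)` — adjusted to whatever the actual reason is — would make the omission reviewable.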
@@ -1,18 +1,19 @@
-From 40602a7926ec13819a5926d4ac451becb44b7d98 Mon Sep 17 00:00:00 2001
+From 24c9623f563646695f6d219b2414b23f36378b42 Mon Sep 17 00:00:00 2001
 From: shenxiangwei
 Date: Fri, 19 Aug 2022 12:05:11 +0800
 Subject: [PATCH] fix caps parameter cannot be parsed
 Signed-off-by: shenxiangwei
+Signed-off-by: zhoushuiqing
 ---
 src/evmctl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/evmctl.c b/src/evmctl.c
-index 28f4b8d..6ef2f68 100644
+index 70d07a5..19175b8 100644
 --- a/src/evmctl.c
 +++ b/src/evmctl.c
-@@ -440,13 +440,13 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
+@@ -472,14 +472,14 @@ static int calc_evm_hash(const char *file, unsigned char *hash) } else if (!strcmp(*xattrname, XATTR_NAME_CAPS) && (hmac_flags & HMAC_FLAG_CAPS_SET)) { if (!caps_str) continue;
@@ -22,12 +23,13 @@ index 28f4b8d..6ef2f68 100644 if (err >= sizeof(xattr_value)) { log_err("caps[%u] value is too long to fit into xattr[%zu]\n", err + 1, sizeof(xattr_value));
- return -1;
+ err = -1;
+ goto out;
 } - strcpy(xattr_value, caps_str); } else { err = lgetxattr(file, *xattrname, xattr_value, sizeof(xattr_value)); if (err < 0) {
 --
-2.27.0
+2.33.0
diff --git a/add-sm3-option.patch b/0003-add-sm3-option.patch
similarity index 48%
rename from add-sm3-option.patch
rename to 0003-add-sm3-option.patch
index 3f3423a98eb31f2da1408cefafac54392f899d43..0921f217c761f8cf5fb7b2861ed846d701475efb 100644
--- a/add-sm3-option.patch
+++ b/0003-add-sm3-option.patch
@@ -1,26 +1,27 @@
-From 3fe53a713f32c28841e7f5efd4afb397b6d7e154 Mon Sep 17 00:00:00 2001
+From 41073a60e1857b1a7fe6ef455c72c6d4458f79cc Mon Sep 17 00:00:00 2001
 From: shenxiangwei
 Date: Wed, 24 Aug 2022 08:26:49 +0800
 Subject: [PATCH] add sm3 option
 Signed-off-by: shenxiangwei
+Signed-off-by: zhoushuiqing
 ---
 src/evmctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/src/evmctl.c b/src/evmctl.c
-index 28f4b8d..bce4b91 100644
+index 19175b8..fcfa2e4 100644
 --- a/src/evmctl.c
+++ b/src/evmctl.c
-@@ -2489,7 +2489,7 @@ static void usage(void)
+@@ -2870,7 +2870,7 @@ static void usage(void) printf( "\n"
-- " -a, --hashalgo sha1 (default), sha224, sha256, sha384, sha512, streebog256, streebog512\n"
-+ " -a, --hashalgo sha1 (default), sha224, sha256, sha384, sha512, streebog256, streebog512, sm3\n"
+- " -a, --hashalgo sha1, sha224, sha256, sha384, sha512, streebog256, streebog512 (default: %s)\n"
++ " -a, --hashalgo sha1, sha224, sha256, sha384, sha512, streebog256, streebog512, sm3 (default: %s)\n"
 " -s, --imasig make IMA signature\n"
+ " --veritysig sign an fs-verity file digest hash\n"
 " -d, --imahash make IMA hash\n"
- " -f, --sigfile store IMA signature in .sig file instead of xattr\n"
 --
-2.27.0
+2.33.0
diff --git a/skip-test-error-in-docker.patch b/0004-Skip-test-error-in-docker.patch
similarity index 78%
rename from skip-test-error-in-docker.patch
rename to 0004-Skip-test-error-in-docker.patch
index 28d3fe33622a745ad63c7d093945ded4728c9f30..b7579fe800d2e40a1cc1470cdc37ac9b181e811e 100644
--- a/skip-test-error-in-docker.patch
+++ b/0004-Skip-test-error-in-docker.patch
@@ -1,18 +1,19 @@
-From d3a4e24f6a2bac023f7e7c0eda403f0d8e25996d Mon Sep 17 00:00:00 2001
+From c152f534a661e9f2cb0ee125e1087df3c389dcd9 Mon Sep 17 00:00:00 2001
 From: shenxiangwei
 Date: Mon, 26 Sep 2022 19:36:25 +0800
 Subject: [PATCH] Skip test error in docker
+Signed-off-by: zhoushuiqing
 ---
 tests/ima_hash.test | 5 +++++
 tests/sign_verify.test | 10 ++++++++++
 2 files changed, 15 insertions(+)
 diff --git a/tests/ima_hash.test b/tests/ima_hash.test
-index 8d66e59..cd97e1d 100644
+index e88fd59..abf544a 100755
 --- a/tests/ima_hash.test
 +++ b/tests/ima_hash.test
-@@ -24,6 +24,11 @@ trap _report_exit EXIT
+@@ -24,6 +24,11 @@ trap _report_exit_and_cleanup EXIT set -f # disable globbing check() {
@@ -25,10 +26,10 @@ index 8d66e59..cd97e1d 100644 local file=$alg-hash.txt
diff --git a/tests/sign_verify.test b/tests/sign_verify.test
-index 288e133..e1899df 100644
+index 2bc365a..eeb75ef 100755
 --- a/tests/sign_verify.test
 +++ b/tests/sign_verify.test
-@@ -130,6 +130,11 @@ check_sign() {
+@@ -136,6 +136,11 @@ check_sign() { # PREFIX (signature header prefix in hex), # OPTS (additional options for evmctl), # FILE (working file to sign).
@@ -38,9 +39,9 @@ index 288e133..e1899df 100644 + fi + local "$@"
- local KEY=${KEY%.*}.key
+ local key verifykey
 local FILE=${FILE:-$ALG.txt}
-@@ -225,6 +230,11 @@ check_verify() {
+@@ -246,6 +251,11 @@ check_verify() { # ALG (hash algo), # OPTS (additional options for evmctl), # FILE (filename to verify).
@@ -53,5 +54,5 @@ index 288e133..e1899df 100644 # shellcheck disable=SC2086
 --
-2.37.3.windows.1
+2.33.0
diff --git a/ima-evm-utils-1.3.2.tar.gz b/ima-evm-utils-1.3.2.tar.gz
deleted file mode 100644
index 7d2335ef31e1dcd94c26861fb578d28adca49842..0000000000000000000000000000000000000000
Binary files a/ima-evm-utils-1.3.2.tar.gz and /dev/null differ
diff --git a/ima-evm-utils-1.5.tar.gz b/ima-evm-utils-1.5.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..6fe5ab547fd7a493ebd8bf41f68fe6f6ba33b6f1
Binary files /dev/null and b/ima-evm-utils-1.5.tar.gz differ
diff --git a/ima-evm-utils-Fix-incorrect-algorithm-name-in-hash_i.patch b/ima-evm-utils-Fix-incorrect-algorithm-name-in-hash_i.patch
deleted file mode 100644
index 328368a0508575defe45a2c7b1f6802e5b12d944..0000000000000000000000000000000000000000
--- a/ima-evm-utils-Fix-incorrect-algorithm-name-in-hash_i.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 455a399c1f1605d3a96fa8b89b48f4c203a48951 Mon Sep 17 00:00:00 2001
-From: Tianjia Zhang
-Date: Sat, 24 Jul 2021 17:56:47 +0800
-Subject: [PATCH 2/2] ima-evm-utils: Fix incorrect algorithm name in
- hash_info.gen
-
-There is no such an algorithm name as sm3-256. This is an ambiguity
-caused by the definition of the macro HASH_ALGO_SM3_256. The sed
-command is only a special case of sm3, so sm3 is used to replace
-the sm3-256 algorithm name.
-
-Signed-off-by: Tianjia Zhang
-Reviewed-by: Petr Vorel
-Signed-off-by: Mimi Zohar
-Signed-off-by: luhuaxin
----
- src/.gitignore | 1 +
- src/hash_info.gen | 7 ++++---
- 2 files changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/src/.gitignore b/src/.gitignore
-index 38e8e3c..69d2988 100644
---- a/src/.gitignore
-+++ b/src/.gitignore
-@@ -1 +1,2 @@
- hash_info.h
-+tmp_hash_info.h
-diff --git a/src/hash_info.gen b/src/hash_info.gen
-index 5f7a97f..08d4a94 100755
---- a/src/hash_info.gen
-+++ b/src/hash_info.gen
-@@ -84,9 +84,10 @@ echo "};"
- echo "const char *const hash_algo_name[HASH_ALGO__LAST] = {"
- sed -n 's/HASH_ALGO_\(.*\),/\1 \L\1\E/p' $HASH_INFO | \
- while read a b; do
-- # Normalize text hash name: if it contains underscore between
-- # digits replace it with a dash, other underscores are removed.
-- b=$(echo "$b" | sed "s/\([0-9]\)_\([0-9]\)/\1-\2/g;s/_//g")
-+ # Normalize text hash name: sm3 algorithm name is different from
-+ # the macro definition, which is also the only special case of an
-+ # underscore between digits. Remove all other underscores.
-+ b=$(echo "$b" | sed "s/sm3_256/sm3/g;s/_//g")
- printf '\t%-26s = "%s",\n' "[HASH_ALGO_$a]" "$b"
- done
- echo "};"
---
-1.8.3.1
-
diff --git a/ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch b/ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch
deleted file mode 100644
index 480aaf630057099fde35cdd525e58d4e103ec05e..0000000000000000000000000000000000000000
--- a/ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch
+++ /dev/null
@@ -1,209 +0,0 @@ -From 17b9fc3fdbc3545efe9be6482bd7cc0a9fe30791 Mon Sep 17 00:00:00 2001 -From: Tianjia Zhang -Date: Wed, 21 Jul 2021 11:16:59 +0800 -Subject: [PATCH 1/2] ima-evm-utils: Support SM2/3 algorithm for sign and - verify - -Keep in sync with the kernel IMA, IMA signature tool supports SM2/3 -algorithm combination. Because in the current version of OpenSSL 1.1.1, -the SM2 algorithm and the public key using the EC algorithm share the -same ID 'EVP_PKEY_EC', and the specific algorithm can only be -distinguished by the curve name used. This patch supports this feature. - -Secondly, the openssl 1.1.1 tool does not fully support the signature -of SM2/3 algorithm combination, so the openssl3 tool is used in the -test case, and there is no this problem with directly calling the -openssl 1.1.1 API in evmctl. - -Signed-off-by: Tianjia Zhang -[zohar@linux.ibm.com: "COMPILE_SSL: " -> "COMPILE_SSL=" in .travis.yml -Reviewed-by: Petr Vorel -Signed-off-by: Mimi Zohar - -Signed-off-by: luhuaxin ---- - .travis.yml | 6 +++--- - src/libimaevm.c | 20 ++++++++++++++++++++ - tests/gen-keys.sh | 25 +++++++++++++++++++++++++ - tests/ima_hash.test | 3 +-- - tests/install-openssl3.sh | 23 +++++++++++++++++++++++ - tests/sign_verify.test | 10 ++++++++++ - 6 files changed, 82 insertions(+), 5 deletions(-) - create mode 100755 tests/install-openssl3.sh - -diff --git a/.travis.yml b/.travis.yml -index 9bea5d1..9063b04 100644 ---- a/.travis.yml -+++ b/.travis.yml -@@ -7,7 +7,7 @@ matrix: - include: - # 32 bit build - - os: linux -- env: DISTRO=debian:stable VARIANT=i386 ARCH=i386 TSS=tpm2-tss -+ env: DISTRO=debian:stable VARIANT=i386 ARCH=i386 TSS=tpm2-tss COMPILE_SSL=openssl-3.0.0-beta1 - compiler: gcc - - # cross compilation builds -@@ -30,7 +30,7 @@ matrix: - - # glibc (gcc/clang) - - os: linux -- env: DISTRO=opensuse/tumbleweed TSS=ibmtss -+ env: DISTRO=opensuse/tumbleweed TSS=ibmtss COMPILE_SSL=openssl-3.0.0-beta1 - compiler: clang - - - os: linux -@@ -75,4 +75,4 @@ 
before_install: - script: - - INSTALL="${DISTRO%%:*}" - - INSTALL="${INSTALL%%/*}" -- - docker run -t ima-evm-utils /bin/sh -c "cd travis && if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./$INSTALL.sh && if [ ! \"$VARIANT\" ]; then which tpm_server || which swtpm || ../tests/install-swtpm.sh; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" ../build.sh" -+ - docker run -t ima-evm-utils /bin/sh -c "cd travis && if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./$INSTALL.sh && if [ "$COMPILE_SSL" ]; then COMPILE_SSL="$COMPILE_SSL" ./tests/install-openssl3.sh; fi && if [ ! \"$VARIANT\" ]; then which tpm_server || which swtpm || ../tests/install-swtpm.sh; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" ../build.sh" -diff --git a/src/libimaevm.c b/src/libimaevm.c -index fa6c278..423d9dc 100644 ---- a/src/libimaevm.c -+++ b/src/libimaevm.c -@@ -518,6 +518,16 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size, - return -1; - } - -+#if defined(EVP_PKEY_SM2) && OPENSSL_VERSION_NUMBER < 0x30000000 -+ /* If EC key are used, check whether it is SM2 key */ -+ if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) { -+ EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); -+ int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); -+ if (curve == NID_sm2) -+ EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2); -+ } -+#endif -+ - st = "EVP_PKEY_CTX_new"; - if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL))) - goto err; -@@ -932,6 +942,16 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash, - return -1; - } - -+#if defined(EVP_PKEY_SM2) && OPENSSL_VERSION_NUMBER < 0x30000000 -+ /* If EC key are used, check whether it is SM2 key */ -+ if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) { -+ EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); -+ int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); -+ if (curve == NID_sm2) -+ EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2); -+ } -+#endif -+ - 
calc_keyid_v2(&keyid, name, pkey);
- hdr->keyid = keyid;
-
-diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh
-index 407876b..ae72487 100755
---- a/tests/gen-keys.sh
-+++ b/tests/gen-keys.sh
-@@ -92,6 +92,31 @@ for m in \
- fi
- done
-
-+# SM2, If openssl 3.0 is installed, gen SM2 keys using
-+if [ -x /opt/openssl3/bin/openssl ]; then
-+ (PATH=/opt/openssl3/bin:$PATH LD_LIBRARY_PATH=/opt/openssl3/lib
-+ for curve in sm2; do
-+ if [ "$1" = clean ] || [ "$1" = force ]; then
-+ rm -f test-$curve.cer test-$curve.key test-$curve.pub
-+ fi
-+ if [ "$1" = clean ]; then
-+ continue
-+ fi
-+ if [ ! -e test-$curve.key ]; then
-+ log openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 \
-+ -sm3 -sigopt "distid:1234567812345678" \
-+ -config test-ca.conf \
-+ -copy_extensions copyall \
-+ -newkey $curve \
-+ -out test-$curve.cer -outform DER \
-+ -keyout test-$curve.key
-+ if [ -s test-$curve.key ]; then
-+ log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout
-+ fi
-+ fi
-+ done)
-+fi
-+
- # This script leaves test-ca.conf, *.cer, *.pub, *.key files for sing/verify tests.
- # They are never deleted except by `make distclean'.
-
-diff --git a/tests/ima_hash.test b/tests/ima_hash.test
-index 8d66e59..6e0e463 100755
---- a/tests/ima_hash.test
-+++ b/tests/ima_hash.test
-@@ -70,8 +70,7 @@ expect_pass check sha256 0x0404 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649
- expect_pass check sha384 0x0405 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b
- expect_pass check sha512 0x0406 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- expect_pass check rmd160 0x0403 9c1185a5c5e9fc54612808977ee8f548b2258d31
--expect_fail check sm3 0x01
--expect_fail check sm3-256 0x01
-+expect_pass check sm3 0x0411 1ab21d8355cfa17f8e61194831e81a8f22bec8c728fefb747ed035eb5082aa2b
- _enable_gost_engine
- expect_pass check md_gost12_256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
- expect_pass check streebog256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
-diff --git a/tests/install-openssl3.sh b/tests/install-openssl3.sh
-new file mode 100755
-index 0000000..1b63468
---- /dev/null
-+++ b/tests/install-openssl3.sh
-@@ -0,0 +1,23 @@
-+#!/bin/bash
-+
-+set -ex
-+
-+if [ -z "$COMPILE_SSL" ]; then
-+ echo "Missing \$COMPILE_SSL!" >&2
-+ exit 1
-+fi
-+
-+version=${COMPILE_SSL}
-+
-+wget --no-check-certificate https://github.com/openssl/openssl/archive/refs/tags/${version}.tar.gz
-+tar --no-same-owner -xzf ${version}.tar.gz
-+cd openssl-${version}
-+
-+./Configure --prefix=/opt/openssl3 --openssldir=/opt/openssl3/ssl
-+make -j$(nproc)
-+# only install apps and library
-+sudo make install_sw
-+
-+cd ..
-+rm -rf ${version}.tar.gz
-+rm -rf openssl-${version}
-diff --git a/tests/sign_verify.test b/tests/sign_verify.test
-index 288e133..f716319 100755
---- a/tests/sign_verify.test
-+++ b/tests/sign_verify.test
-@@ -198,6 +198,10 @@ check_sign() {
- # This is all we can do for evm.
- [[ "$TYPE" =~ evm ]] && return "$OK"
-
-+ # When using the SM2/3 algorithm, the openssl tool uses USERID for verify,
-+ # which is incompatible with calling API directly, so skip it.
-+ [[ "$ALG" == sm3 ]] && return "$OK"
-+
- # Extract signature to a file
- _extract_xattr "$FILE" "$(_xattr "$TYPE")" "$FILE.sig2" "$PREFIX"
-
-@@ -366,6 +370,12 @@ sign_verify rsa1024 sha384 0x030205:K:0080
- sign_verify rsa1024 sha512 0x030206:K:0080
- sign_verify rsa1024 rmd160 0x030203:K:0080
-
-+# If openssl 3.0 is installed, test the SM2/3 algorithm combination
-+if [ -x /opt/openssl3/bin/openssl ]; then
-+ PATH=/opt/openssl3/bin:$PATH LD_LIBRARY_PATH=/opt/openssl3/lib \
-+ sign_verify sm2 sm3 0x030211:K:004[345678]
-+fi
-+
- # Test v2 signatures with EC-RDSA
- _enable_gost_engine
- sign_verify gost2012_256-A md_gost12_256 0x030212:K:0040
---
-1.8.3.1
-
diff --git a/ima-evm-utils.spec b/ima-evm-utils.spec
index 9392cebf9f442dc92f840657330f17fed0417204..a2bbf0a9a95d497a9b20df387e68886e3bf4eed8 100644
--- a/ima-evm-utils.spec
+++ b/ima-evm-utils.spec
@@ -1,18 +1,15 @@
 Name: ima-evm-utils
-Version: 1.3.2
-Release: 10
+Version: 1.5
+Release: 1
 Summary: IMA/EVM control utilities
 License: GPLv2
 URL: http://linux-ima.sourceforge.net/
 Source0: https://github.com/mimizohar/ima-evm-utils/releases/download/v%{version}/%{name}-%{version}.tar.gz
-Patch6000: ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch
-Patch6001: ima-evm-utils-Fix-incorrect-algorithm-name-in-hash_i.patch
-
-Patch9000: add-save-command-to-support-digest-list-building.patch
-Patch9001: fix-caps-parameter-cannot-be-parsed.patch
-Patch9002: add-sm3-option.patch
-Patch9003: skip-test-error-in-docker.patch
+Patch9000: 0001-add-save-command-to-support-digest-list-building.patch
+Patch9001: 0002-fix-caps-parameter-cannot-be-parsed.patch
+Patch9002: 0003-add-sm3-option.patch
+Patch9003: 0004-Skip-test-error-in-docker.patch
 BuildRequires: autoconf automake libtool asciidoc vim-common
 BuildRequires: libxslt openssl openssl-devel keyutils-libs-devel tpm2-tss-devel
@@ -54,6 +51,9 @@ rm -rf %{buildroot}
 %make_install
 find %{buildroot} -type f -name "*.la" -delete -print
+cp -a %{_libdir}/libimaevm.so.2.0.0 %{buildroot}%{_libdir}/libimaevm.so.2.0.0
+ln -s -f %{buildroot}%{_libdir}/libimaevm.so.2.0.0 %{buildroot}%{_libdir}/libimaevm.so.2
+
 %check
 make check
@@ -80,6 +80,9 @@ make check
 %endif
 %changelog
+* Fri Jul 28 2023 zhoushuiqing - 1.5-1
+- Upgrade to 1.5 with compatibility
+
 * Thu Jul 27 2023 zhoushuiqing - 1.3.2-10
 - Revert "Upgrade to 1.5"
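Review bot: `cp -a %{_libdir}/libimaevm.so.2.0.0 %{buildroot}%{_libdir}/libimaevm.so.2.0.0` in the %install hunk copies the compatibility library from the build host's installed `%{_libdir}`, not from anything this spec unpacks or builds, so the shipped file is whatever happens to be installed on the builder (with no tie to Source0 or any Patch) and the build fails outright in a clean chroot where it is absent. A compatibility `.so.2` should come from an input the spec controls, such as a tracked source artifact or a build of the previous version, so its provenance matches the rest of the package. The following `ln -s -f %{buildroot}%{_libdir}/libimaevm.so.2.0.0 ...` also embeds the buildroot path as the link target, which leaves `libimaevm.so.2` dangling once installed; a relative link `ln -sf libimaevm.so.2.0.0 %{buildroot}%{_libdir}/libimaevm.so.2` resolves on the target system. The %files section is outside this diff, so I cannot tell whether the two new paths are listed there.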