From 58c2a040149f9da4843c1a71835ce40b61cf4b1e Mon Sep 17 00:00:00 2001
From: luhuaxin
Date: Thu, 30 Jun 2022 17:55:41 +0800
Subject: [PATCH] Support SM signature
---
 ...x-incorrect-algorithm-name-in-hash_i.patch | 48 ++++
 ...pport-SM2-3-algorithm-for-sign-and-v.patch | 209 ++++++++++++++++++
 ima-evm-utils.spec | 8 +-
 3 files changed, 264 insertions(+), 1 deletion(-)
 create mode 100644 ima-evm-utils-Fix-incorrect-algorithm-name-in-hash_i.patch
 create mode 100644 ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch
diff --git a/ima-evm-utils-Fix-incorrect-algorithm-name-in-hash_i.patch b/ima-evm-utils-Fix-incorrect-algorithm-name-in-hash_i.patch
new file mode 100644
index 0000000..328368a
--- /dev/null
+++ b/ima-evm-utils-Fix-incorrect-algorithm-name-in-hash_i.patch
@@ -0,0 +1,48 @@
+From 455a399c1f1605d3a96fa8b89b48f4c203a48951 Mon Sep 17 00:00:00 2001
+From: Tianjia Zhang
+Date: Sat, 24 Jul 2021 17:56:47 +0800
+Subject: [PATCH 2/2] ima-evm-utils: Fix incorrect algorithm name in
+ hash_info.gen
+
+There is no such an algorithm name as sm3-256. This is an ambiguity
+caused by the definition of the macro HASH_ALGO_SM3_256. The sed
+command is only a special case of sm3, so sm3 is used to replace
+the sm3-256 algorithm name.
+
+Signed-off-by: Tianjia Zhang
+Reviewed-by: Petr Vorel
+Signed-off-by: Mimi Zohar
+Signed-off-by: luhuaxin
+---
+ src/.gitignore | 1 +
+ src/hash_info.gen | 7 ++++---
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/.gitignore b/src/.gitignore
+index 38e8e3c..69d2988 100644
+--- a/src/.gitignore
++++ b/src/.gitignore
+@@ -1 +1,2 @@
+ hash_info.h
++tmp_hash_info.h
+diff --git a/src/hash_info.gen b/src/hash_info.gen
+index 5f7a97f..08d4a94 100755
+--- a/src/hash_info.gen
++++ b/src/hash_info.gen
+@@ -84,9 +84,10 @@ echo "};"
+ echo "const char *const hash_algo_name[HASH_ALGO__LAST] = {"
+ sed -n 's/HASH_ALGO_\(.*\),/\1 \L\1\E/p' $HASH_INFO | \
+ while read a b; do
+- # Normalize text hash name: if it contains underscore between
+- # digits replace it with a dash, other underscores are removed.
+- b=$(echo "$b" | sed "s/\([0-9]\)_\([0-9]\)/\1-\2/g;s/_//g")
++ # Normalize text hash name: sm3 algorithm name is different from
++ # the macro definition, which is also the only special case of an
++ # underscore between digits. Remove all other underscores.
++ b=$(echo "$b" | sed "s/sm3_256/sm3/g;s/_//g")
+ printf '\t%-26s = "%s",\n' "[HASH_ALGO_$a]" "$b"
+ done
+ echo "};"
+--
+1.8.3.1
+
diff --git a/ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch b/ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch
new file mode 100644
index 0000000..480aaf6
--- /dev/null
+++ b/ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch
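Review bot: The new sed expression `s/sm3_256/sm3/g;s/_//g` in src/hash_info.gen drops the general digit_underscore_digit → dash normalisation entirely, so any other HASH_ALGO_* macro of that shape in the header read as $HASH_INFO (should it gain entries such as sha3_256, for instance) would be emitted as `sha3256` rather than `sha3-256`, and the generated name table would silently disagree with the kernel's. Keeping the old rule after the sm3 special case preserves both behaviours in one line: `b=$(echo "$b" | sed "s/sm3_256/sm3/g;s/\([0-9]\)_\([0-9]\)/\1-\2/g;s/_//g")`. The comment above it should then describe sm3 as the one exception to the dash rule rather than as the only case of an underscore between digits. The enclosing while-loop starts and ends inside the hunk, but the script's other name-generation loops are outside it and are not covered by this remark.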
@@ -0,0 +1,209 @@
+From 17b9fc3fdbc3545efe9be6482bd7cc0a9fe30791 Mon Sep 17 00:00:00 2001
+From: Tianjia Zhang
+Date: Wed, 21 Jul 2021 11:16:59 +0800
+Subject: [PATCH 1/2] ima-evm-utils: Support SM2/3 algorithm for sign and
+ verify
+
+Keep in sync with the kernel IMA, IMA signature tool supports SM2/3
+algorithm combination. Because in the current version of OpenSSL 1.1.1,
+the SM2 algorithm and the public key using the EC algorithm share the
+same ID 'EVP_PKEY_EC', and the specific algorithm can only be
+distinguished by the curve name used. This patch supports this feature.
+
+Secondly, the openssl 1.1.1 tool does not fully support the signature
+of SM2/3 algorithm combination, so the openssl3 tool is used in the
+test case, and there is no this problem with directly calling the
+openssl 1.1.1 API in evmctl.
+
+Signed-off-by: Tianjia Zhang
+[zohar@linux.ibm.com: "COMPILE_SSL: " -> "COMPILE_SSL=" in .travis.yml
+Reviewed-by: Petr Vorel
+Signed-off-by: Mimi Zohar
+
+Signed-off-by: luhuaxin
+---
+ .travis.yml | 6 +++---
+ src/libimaevm.c | 20 ++++++++++++++++++++
+ tests/gen-keys.sh | 25 +++++++++++++++++++++++++
+ tests/ima_hash.test | 3 +--
+ tests/install-openssl3.sh | 23 +++++++++++++++++++++++
+ tests/sign_verify.test | 10 ++++++++++
+ 6 files changed, 82 insertions(+), 5 deletions(-)
+ create mode 100755 tests/install-openssl3.sh
+
+diff --git a/.travis.yml b/.travis.yml
+index 9bea5d1..9063b04 100644
+--- a/.travis.yml
++++ b/.travis.yml
+@@ -7,7 +7,7 @@ matrix:
+ include:
+ # 32 bit build
+ - os: linux
+- env: DISTRO=debian:stable VARIANT=i386 ARCH=i386 TSS=tpm2-tss
++ env: DISTRO=debian:stable VARIANT=i386 ARCH=i386 TSS=tpm2-tss COMPILE_SSL=openssl-3.0.0-beta1
+ compiler: gcc
+ 
+ # cross compilation builds
+@@ -30,7 +30,7 @@ matrix:
+ 
+ # glibc (gcc/clang)
+ - os: linux
+- env: DISTRO=opensuse/tumbleweed TSS=ibmtss
++ env: DISTRO=opensuse/tumbleweed TSS=ibmtss COMPILE_SSL=openssl-3.0.0-beta1
+ compiler: clang
+ 
+ - os: linux
+@@ -75,4 +75,4 @@ before_install:
+ script:
+ - INSTALL="${DISTRO%%:*}"
+ - INSTALL="${INSTALL%%/*}"
+- - docker run -t ima-evm-utils /bin/sh -c "cd travis && if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./$INSTALL.sh && if [ ! \"$VARIANT\" ]; then which tpm_server || which swtpm || ../tests/install-swtpm.sh; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" ../build.sh"
++ - docker run -t ima-evm-utils /bin/sh -c "cd travis && if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./$INSTALL.sh && if [ "$COMPILE_SSL" ]; then COMPILE_SSL="$COMPILE_SSL" ./tests/install-openssl3.sh; fi && if [ ! \"$VARIANT\" ]; then which tpm_server || which swtpm || ../tests/install-swtpm.sh; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" ../build.sh"
+diff --git a/src/libimaevm.c b/src/libimaevm.c
+index fa6c278..423d9dc 100644
+--- a/src/libimaevm.c
++++ b/src/libimaevm.c
+@@ -518,6 +518,16 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
+ return -1;
+ }
+ 
++#if defined(EVP_PKEY_SM2) && OPENSSL_VERSION_NUMBER < 0x30000000
++ /* If EC key are used, check whether it is SM2 key */
++ if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
++ EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
++ int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
++ if (curve == NID_sm2)
++ EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
++ }
++#endif
++
+ st = "EVP_PKEY_CTX_new";
+ if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL)))
+ goto err;
+@@ -932,6 +942,16 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
+ return -1;
+ }
+ 
++#if defined(EVP_PKEY_SM2) && OPENSSL_VERSION_NUMBER < 0x30000000
++ /* If EC key are used, check whether it is SM2 key */
++ if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
++ EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
++ int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
++ if (curve == NID_sm2)
++ EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
++ }
++#endif
++
+ calc_keyid_v2(&keyid, name, pkey);
+ hdr->keyid = keyid;
+ 
+diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh
+index 407876b..ae72487 100755
+--- a/tests/gen-keys.sh
++++ b/tests/gen-keys.sh
+@@ -92,6 +92,31 @@ for m in \
+ fi
+ done
+ 
++# SM2, If openssl 3.0 is installed, gen SM2 keys using
++if [ -x /opt/openssl3/bin/openssl ]; then
++ (PATH=/opt/openssl3/bin:$PATH LD_LIBRARY_PATH=/opt/openssl3/lib
++ for curve in sm2; do
++ if [ "$1" = clean ] || [ "$1" = force ]; then
++ rm -f test-$curve.cer test-$curve.key test-$curve.pub
++ fi
++ if [ "$1" = clean ]; then
++ continue
++ fi
++ if [ ! -e test-$curve.key ]; then
++ log openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 \
++ -sm3 -sigopt "distid:1234567812345678" \
++ -config test-ca.conf \
++ -copy_extensions copyall \
++ -newkey $curve \
++ -out test-$curve.cer -outform DER \
++ -keyout test-$curve.key
++ if [ -s test-$curve.key ]; then
++ log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout
++ fi
++ fi
++ done)
++fi
++
+ # This script leaves test-ca.conf, *.cer, *.pub, *.key files for sing/verify tests.
+ # They are never deleted except by `make distclean'.
+ 
+diff --git a/tests/ima_hash.test b/tests/ima_hash.test
+index 8d66e59..6e0e463 100755
+--- a/tests/ima_hash.test
++++ b/tests/ima_hash.test
+@@ -70,8 +70,7 @@ expect_pass check sha256 0x0404 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649
+ expect_pass check sha384 0x0405 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b
+ expect_pass check sha512 0x0406 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
+ expect_pass check rmd160 0x0403 9c1185a5c5e9fc54612808977ee8f548b2258d31
+-expect_fail check sm3 0x01
+-expect_fail check sm3-256 0x01
++expect_pass check sm3 0x0411 1ab21d8355cfa17f8e61194831e81a8f22bec8c728fefb747ed035eb5082aa2b
+ _enable_gost_engine
+ expect_pass check md_gost12_256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
+ expect_pass check streebog256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
+diff --git a/tests/install-openssl3.sh b/tests/install-openssl3.sh
+new file mode 100755
+index 0000000..1b63468
+--- /dev/null
++++ b/tests/install-openssl3.sh
+@@ -0,0 +1,23 @@
++#!/bin/bash
++
++set -ex
++
++if [ -z "$COMPILE_SSL" ]; then
++ echo "Missing \$COMPILE_SSL!" >&2
++ exit 1
++fi
++
++version=${COMPILE_SSL}
++
++wget --no-check-certificate https://github.com/openssl/openssl/archive/refs/tags/${version}.tar.gz
++tar --no-same-owner -xzf ${version}.tar.gz
++cd openssl-${version}
++
++./Configure --prefix=/opt/openssl3 --openssldir=/opt/openssl3/ssl
++make -j$(nproc)
++# only install apps and library
++sudo make install_sw
++
++cd ..
++rm -rf ${version}.tar.gz
++rm -rf openssl-${version}
+diff --git a/tests/sign_verify.test b/tests/sign_verify.test
+index 288e133..f716319 100755
+--- a/tests/sign_verify.test
++++ b/tests/sign_verify.test
+@@ -198,6 +198,10 @@ check_sign() {
+ # This is all we can do for evm.
+ [[ "$TYPE" =~ evm ]] && return "$OK"
+ 
++ # When using the SM2/3 algorithm, the openssl tool uses USERID for verify,
++ # which is incompatible with calling API directly, so skip it.
++ [[ "$ALG" == sm3 ]] && return "$OK"
++
+ # Extract signature to a file
+ _extract_xattr "$FILE" "$(_xattr "$TYPE")" "$FILE.sig2" "$PREFIX"
+ 
+@@ -366,6 +370,12 @@ sign_verify rsa1024 sha384 0x030205:K:0080
+ sign_verify rsa1024 sha512 0x030206:K:0080
+ sign_verify rsa1024 rmd160 0x030203:K:0080
+ 
++# If openssl 3.0 is installed, test the SM2/3 algorithm combination
++if [ -x /opt/openssl3/bin/openssl ]; then
++ PATH=/opt/openssl3/bin:$PATH LD_LIBRARY_PATH=/opt/openssl3/lib \
++ sign_verify sm2 sm3 0x030211:K:004[345678]
++fi
++
+ # Test v2 signatures with EC-RDSA
+ _enable_gost_engine
+ sign_verify gost2012_256-A md_gost12_256 0x030212:K:0040
+--
+1.8.3.1
+
diff --git a/ima-evm-utils.spec b/ima-evm-utils.spec
index ac932fc..37675b8 100644
--- a/ima-evm-utils.spec
+++ b/ima-evm-utils.spec
@@ -1,11 +1,14 @@
 Name: ima-evm-utils
 Version: 1.3.2
-Release: 3
+Release: 4
 Summary: IMA/EVM control utilities
 License: GPLv2
 URL: http://linux-ima.sourceforge.net/
 Source0: http://sourceforge.net/projects/linux-ima/files/ima-evm-utils/%{name}-%{version}.tar.gz
+Patch6000: ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch
+Patch6001: ima-evm-utils-Fix-incorrect-algorithm-name-in-hash_i.patch
+
 Patch9000: add-save-command-to-support-digest-list-building.patch
 BuildRequires: autoconf automake libtool asciidoc vim-common
@@ -72,6 +75,9 @@ make check
 %doc %{_mandir}/*/*
 %changelog
+* Thu Jun 30 2022 luhuaxin - 1.3.2-4
+- Support SM signature
+
 * Wed Nov 10 2021 xu_ping - 1.3.2-3
 - Fix tests failed due to lack of openssl command
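Review bot: tests/install-openssl3.sh fetches the OpenSSL source with `wget --no-check-certificate` and then installs the result system-wide with `sudo make install_sw`, so a tarball served over a spoofed or intercepted connection would be compiled and installed on the CI host with no integrity check at all. Drop the flag and pin the archive instead, e.g. `wget https://github.com/openssl/openssl/archive/refs/tags/${version}.tar.gz` followed by `echo "<expected-sha256>  ${version}.tar.gz" | sha256sum -c -` with the digest recorded next to the version; if the flag was added because a CI image ships a stale CA bundle, refreshing ca-certificates in that image is the right fix rather than disabling verification. Separately, the SM2 detection block added to verify_hash_v2 and sign_hash_v2 in src/libimaevm.c is copied verbatim into both functions and neither copy guards against EVP_PKEY_get0_EC_KEY() or EC_KEY_get0_group() returning NULL before EC_GROUP_get_curve_name() dereferences the result; a single static helper, as sketched below, keeps the two sites in step and adds the guard once. Both C functions begin and end outside the quoted hunks, and since no SM2 distinguishing ID is set on the EVP_PKEY_CTX afterwards, a short comment at the call sites noting that the sign/verify path relies on OpenSSL's default SM2 ID (which the test's `distid:1234567812345678` appears to match) would save the next reader from re-deriving why the tests pass.
```c
#if defined(EVP_PKEY_SM2) && OPENSSL_VERSION_NUMBER < 0x30000000
/*
 * OpenSSL 1.1.1 reports SM2 keys as EVP_PKEY_EC; retag the key by its
 * curve so the EVP sign/verify paths select the SM2 algorithm.  Non-EC
 * keys and EC keys without a group are left untouched.
 */
static void set_sm2_alias(EVP_PKEY *pkey)
{
	const EC_KEY *ec;
	const EC_GROUP *group;

	if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
		return;
	ec = EVP_PKEY_get0_EC_KEY(pkey);
	group = ec ? EC_KEY_get0_group(ec) : NULL;
	if (group && EC_GROUP_get_curve_name(group) == NID_sm2)
		EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
}
#else
static inline void set_sm2_alias(EVP_PKEY *pkey) { (void)pkey; }
#endif

/* … unchanged: verify_hash_v2 and sign_hash_v2, each calling set_sm2_alias(pkey) where the copied block was … */
```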