!33 Support SM signature

From: @HuaxinLuGitee 
Reviewed-by: @zhujianwei001 
Signed-off-by: @zhujianwei001

ima-evm-utils-Fix-incorrect-algorithm-name-in-hash_i.patch

@@ -0,0 +1,48 @@
+From 455a399c1f1605d3a96fa8b89b48f4c203a48951 Mon Sep 17 00:00:00 2001
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Date: Sat, 24 Jul 2021 17:56:47 +0800
+Subject: [PATCH 2/2] ima-evm-utils: Fix incorrect algorithm name in
+ hash_info.gen
+
+There is no such an algorithm name as sm3-256. This is an ambiguity
+caused by the definition of the macro HASH_ALGO_SM3_256. The sed
+command is only a special case of sm3, so sm3 is used to replace
+the sm3-256 algorithm name.
+
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Reviewed-by: Petr Vorel <pvorel@suse.cz>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+Signed-off-by: luhuaxin <luhuaxin1@huawei.com>
+---
+ src/.gitignore    | 1 +
+ src/hash_info.gen | 7 ++++---
+ 2 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/.gitignore b/src/.gitignore
+index 38e8e3c..69d2988 100644
+--- a/src/.gitignore
++++ b/src/.gitignore
+@@ -1 +1,2 @@
+ hash_info.h
++tmp_hash_info.h
+diff --git a/src/hash_info.gen b/src/hash_info.gen
+index 5f7a97f..08d4a94 100755
+--- a/src/hash_info.gen
++++ b/src/hash_info.gen
+@@ -84,9 +84,10 @@ echo "};"
+ echo "const char *const hash_algo_name[HASH_ALGO__LAST] = {"
+ sed -n 's/HASH_ALGO_\(.*\),/\1 \L\1\E/p' $HASH_INFO | \
+   while read a b; do
+-    # Normalize text hash name: if it contains underscore between
+-    # digits replace it with a dash, other underscores are removed.
+-    b=$(echo "$b" | sed "s/\([0-9]\)_\([0-9]\)/\1-\2/g;s/_//g")
++    # Normalize text hash name: sm3 algorithm name is different from
++    # the macro definition, which is also the only special case of an
++    # underscore between digits. Remove all other underscores.
++    b=$(echo "$b" | sed "s/sm3_256/sm3/g;s/_//g")
+     printf '\t%-26s = "%s",\n' "[HASH_ALGO_$a]" "$b"
+   done
+ echo "};"
+-- 
+1.8.3.1
+

ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch

@@ -0,0 +1,209 @@
+From 17b9fc3fdbc3545efe9be6482bd7cc0a9fe30791 Mon Sep 17 00:00:00 2001
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Date: Wed, 21 Jul 2021 11:16:59 +0800
+Subject: [PATCH 1/2] ima-evm-utils: Support SM2/3 algorithm for sign and
+ verify
+
+Keep in sync with the kernel IMA, IMA signature tool supports SM2/3
+algorithm combination. Because in the current version of OpenSSL 1.1.1,
+the SM2 algorithm and the public key using the EC algorithm share the
+same ID 'EVP_PKEY_EC', and the specific algorithm can only be
+distinguished by the curve name used. This patch supports this feature.
+
+Secondly, the openssl 1.1.1 tool does not fully support the signature
+of SM2/3 algorithm combination, so the openssl3 tool is used in the
+test case, and there is no this problem with directly calling the
+openssl 1.1.1 API in evmctl.
+
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+[zohar@linux.ibm.com: "COMPILE_SSL: " -> "COMPILE_SSL=" in .travis.yml
+Reviewed-by: Petr Vorel <pvorel@suse.cz>
+Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
+
+Signed-off-by: luhuaxin <luhuaxin1@huawei.com>
+---
+ .travis.yml               |  6 +++---
+ src/libimaevm.c           | 20 ++++++++++++++++++++
+ tests/gen-keys.sh         | 25 +++++++++++++++++++++++++
+ tests/ima_hash.test       |  3 +--
+ tests/install-openssl3.sh | 23 +++++++++++++++++++++++
+ tests/sign_verify.test    | 10 ++++++++++
+ 6 files changed, 82 insertions(+), 5 deletions(-)
+ create mode 100755 tests/install-openssl3.sh
+
+diff --git a/.travis.yml b/.travis.yml
+index 9bea5d1..9063b04 100644
+--- a/.travis.yml
++++ b/.travis.yml
+@@ -7,7 +7,7 @@ matrix:
+     include:
+         # 32 bit build
+         - os: linux
+-          env: DISTRO=debian:stable VARIANT=i386 ARCH=i386 TSS=tpm2-tss
++          env: DISTRO=debian:stable VARIANT=i386 ARCH=i386 TSS=tpm2-tss COMPILE_SSL=openssl-3.0.0-beta1
+           compiler: gcc
+ 
+         # cross compilation builds
+@@ -30,7 +30,7 @@ matrix:
+ 
+         # glibc (gcc/clang)
+         - os: linux
+-          env: DISTRO=opensuse/tumbleweed TSS=ibmtss
++          env: DISTRO=opensuse/tumbleweed TSS=ibmtss COMPILE_SSL=openssl-3.0.0-beta1
+           compiler: clang
+ 
+         - os: linux
+@@ -75,4 +75,4 @@ before_install:
+ script:
+     - INSTALL="${DISTRO%%:*}"
+     - INSTALL="${INSTALL%%/*}"
+-    - docker run -t ima-evm-utils /bin/sh -c "cd travis && if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./$INSTALL.sh && if [ ! \"$VARIANT\" ]; then which tpm_server || which swtpm || ../tests/install-swtpm.sh; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" ../build.sh"
++    - docker run -t ima-evm-utils /bin/sh -c "cd travis && if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./$INSTALL.sh && if [ "$COMPILE_SSL" ]; then COMPILE_SSL="$COMPILE_SSL" ./tests/install-openssl3.sh; fi  && if [ ! \"$VARIANT\" ]; then which tpm_server || which swtpm || ../tests/install-swtpm.sh; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" ../build.sh"
+diff --git a/src/libimaevm.c b/src/libimaevm.c
+index fa6c278..423d9dc 100644
+--- a/src/libimaevm.c
++++ b/src/libimaevm.c
+@@ -518,6 +518,16 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
+ 		return -1;
+ 	}
+ 
++#if defined(EVP_PKEY_SM2) && OPENSSL_VERSION_NUMBER < 0x30000000
++	/* If EC key are used, check whether it is SM2 key */
++	if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
++		EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
++		int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
++		if (curve == NID_sm2)
++			EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
++	}
++#endif
++
+ 	st = "EVP_PKEY_CTX_new";
+ 	if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL)))
+ 		goto err;
+@@ -932,6 +942,16 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
+ 		return -1;
+ 	}
+ 
++#if defined(EVP_PKEY_SM2) && OPENSSL_VERSION_NUMBER < 0x30000000
++	/* If EC key are used, check whether it is SM2 key */
++	if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
++		EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
++		int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
++		if (curve == NID_sm2)
++			EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
++	}
++#endif
++
+ 	calc_keyid_v2(&keyid, name, pkey);
+ 	hdr->keyid = keyid;
+ 
+diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh
+index 407876b..ae72487 100755
+--- a/tests/gen-keys.sh
++++ b/tests/gen-keys.sh
+@@ -92,6 +92,31 @@ for m in \
+     fi
+ done
+ 
++# SM2, If openssl 3.0 is installed, gen SM2 keys using
++if [ -x /opt/openssl3/bin/openssl ]; then
++  (PATH=/opt/openssl3/bin:$PATH LD_LIBRARY_PATH=/opt/openssl3/lib
++  for curve in sm2; do
++    if [ "$1" = clean ] || [ "$1" = force ]; then
++      rm -f test-$curve.cer test-$curve.key test-$curve.pub
++    fi
++    if [ "$1" = clean ]; then
++      continue
++    fi
++    if [ ! -e test-$curve.key ]; then
++      log openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 \
++        -sm3 -sigopt "distid:1234567812345678" \
++        -config test-ca.conf \
++        -copy_extensions copyall \
++        -newkey $curve \
++        -out test-$curve.cer -outform DER \
++        -keyout test-$curve.key
++      if [ -s test-$curve.key ]; then
++        log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout
++      fi
++    fi
++  done)
++fi
++
+ # This script leaves test-ca.conf, *.cer, *.pub, *.key files for sing/verify tests.
+ # They are never deleted except by `make distclean'.
+ 
+diff --git a/tests/ima_hash.test b/tests/ima_hash.test
+index 8d66e59..6e0e463 100755
+--- a/tests/ima_hash.test
++++ b/tests/ima_hash.test
+@@ -70,8 +70,7 @@ expect_pass check  sha256     0x0404 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649
+ expect_pass check  sha384     0x0405 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b
+ expect_pass check  sha512     0x0406 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
+ expect_pass check  rmd160     0x0403 9c1185a5c5e9fc54612808977ee8f548b2258d31
+-expect_fail check  sm3        0x01
+-expect_fail check  sm3-256    0x01
++expect_pass check  sm3        0x0411 1ab21d8355cfa17f8e61194831e81a8f22bec8c728fefb747ed035eb5082aa2b
+ _enable_gost_engine
+ expect_pass check  md_gost12_256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
+ expect_pass check  streebog256   0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
+diff --git a/tests/install-openssl3.sh b/tests/install-openssl3.sh
+new file mode 100755
+index 0000000..1b63468
+--- /dev/null
++++ b/tests/install-openssl3.sh
+@@ -0,0 +1,23 @@
++#!/bin/bash
++
++set -ex
++
++if [ -z "$COMPILE_SSL" ]; then
++    echo "Missing \$COMPILE_SSL!" >&2
++    exit 1
++fi
++
++version=${COMPILE_SSL}
++
++wget --no-check-certificate https://github.com/openssl/openssl/archive/refs/tags/${version}.tar.gz
++tar --no-same-owner -xzf ${version}.tar.gz
++cd openssl-${version}
++
++./Configure --prefix=/opt/openssl3 --openssldir=/opt/openssl3/ssl
++make -j$(nproc)
++# only install apps and library
++sudo make install_sw
++
++cd ..
++rm -rf ${version}.tar.gz
++rm -rf openssl-${version}
+diff --git a/tests/sign_verify.test b/tests/sign_verify.test
+index 288e133..f716319 100755
+--- a/tests/sign_verify.test
++++ b/tests/sign_verify.test
+@@ -198,6 +198,10 @@ check_sign() {
+   # This is all we can do for evm.
+   [[ "$TYPE" =~ evm ]] && return "$OK"
+ 
++  # When using the SM2/3 algorithm, the openssl tool uses USERID for verify,
++  # which is incompatible with calling API directly, so skip it.
++  [[ "$ALG" == sm3 ]] && return "$OK"
++
+   # Extract signature to a file
+   _extract_xattr "$FILE" "$(_xattr "$TYPE")" "$FILE.sig2" "$PREFIX"
+ 
+@@ -366,6 +370,12 @@ sign_verify  rsa1024  sha384  0x030205:K:0080
+ sign_verify  rsa1024  sha512  0x030206:K:0080
+ sign_verify  rsa1024  rmd160  0x030203:K:0080
+ 
++# If openssl 3.0 is installed, test the SM2/3 algorithm combination
++if [ -x /opt/openssl3/bin/openssl ]; then
++  PATH=/opt/openssl3/bin:$PATH LD_LIBRARY_PATH=/opt/openssl3/lib \
++    sign_verify  sm2    sm3    0x030211:K:004[345678]
++fi
++
+ # Test v2 signatures with EC-RDSA
+ _enable_gost_engine
+ sign_verify  gost2012_256-A md_gost12_256 0x030212:K:0040
+-- 
+1.8.3.1
+

ima-evm-utils.spec

@@ -1,11 +1,14 @@
 Name:         ima-evm-utils
 Version:      1.3.2
-Release:      3
+Release:      4
 Summary:      IMA/EVM control utilities
 License:      GPLv2
 URL:          http://linux-ima.sourceforge.net/
 Source0:      http://sourceforge.net/projects/linux-ima/files/ima-evm-utils/%{name}-%{version}.tar.gz
 
+Patch6000:    ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch
+Patch6001:    ima-evm-utils-Fix-incorrect-algorithm-name-in-hash_i.patch
+
 Patch9000:    add-save-command-to-support-digest-list-building.patch
 
 BuildRequires: autoconf automake libtool asciidoc vim-common
@@ -72,6 +75,9 @@ make check
 %doc %{_mandir}/*/*
 
 %changelog
+* Thu Jun 30 2022 luhuaxin <luhuaxin1@huawei.com> - 1.3.2-4
+- Support SM signature
+
 * Wed Nov 10 2021 xu_ping <xuping33@huawei.com> - 1.3.2-3
 - Fix tests failed due to lack of openssl command