diff --git a/0003-add-sm3-option.patch b/0003-add-sm3-option.patch deleted file mode 100644 index 0921f21..0000000 --- a/0003-add-sm3-option.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 41073a60e1857b1a7fe6ef455c72c6d4458f79cc Mon Sep 17 00:00:00 2001 -From: shenxiangwei -Date: Wed, 24 Aug 2022 08:26:49 +0800 -Subject: [PATCH] add sm3 option - -Signed-off-by: shenxiangwei -Signed-off-by: zhoushuiqing ---- - src/evmctl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/evmctl.c b/src/evmctl.c -index 19175b8..fcfa2e4 100644 ---- a/src/evmctl.c -+++ b/src/evmctl.c -@@ -2870,7 +2870,7 @@ static void usage(void) - - printf( - "\n" -- " -a, --hashalgo sha1, sha224, sha256, sha384, sha512, streebog256, streebog512 (default: %s)\n" -+ " -a, --hashalgo sha1, sha224, sha256, sha384, sha512, streebog256, streebog512, sm3 (default: %s)\n" - " -s, --imasig make IMA signature\n" - " --veritysig sign an fs-verity file digest hash\n" - " -d, --imahash make IMA hash\n" --- -2.33.0 - diff --git a/0001-add-save-command-to-support-digest-list-building.patch b/add-save-command-to-support-digest-list-building.patch similarity index 67% rename from 0001-add-save-command-to-support-digest-list-building.patch rename to add-save-command-to-support-digest-list-building.patch index d497b7a..13eec14 100644 --- a/0001-add-save-command-to-support-digest-list-building.patch +++ b/add-save-command-to-support-digest-list-building.patch @@ -1,4 +1,4 @@ -From bf460c8e2001ec1227ce5a9ecf44d24782d43871 Mon Sep 17 00:00:00 2001 +From 6e607f4c5b3a608477bfc10405fb3c1f2ef93024 Mon Sep 17 00:00:00 2001 From: Roberto Sassu Date: Thu, 21 Jan 2021 08:16:34 +0800 Subject: [PATCH] add save command to support digest list building @@ -6,16 +6,15 @@ Subject: [PATCH] add save command to support digest list building This patch adds save command to support IMA digest list. Signed-off-by: Tianxing Zhang -Signed-off-by: zhoushuiqing --- - src/evmctl.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++----- - 1 file changed, 59 insertions(+), 6 deletions(-) + src/evmctl.c | 67 ++++++++++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 60 insertions(+), 7 deletions(-) diff --git a/src/evmctl.c b/src/evmctl.c -index 6d2bb67..70d07a5 100644 +index 1815f55..439713d 100644 --- a/src/evmctl.c +++ b/src/evmctl.c -@@ -121,6 +121,7 @@ static int sigdump; +@@ -115,6 +115,7 @@ static int sigdump; static int digest; static int digsig; static int sigfile; @@ -23,9 +22,9 @@ index 6d2bb67..70d07a5 100644 static char *uuid_str; static char *ino_str; static char *uid_str; -@@ -173,7 +174,8 @@ static unsigned npcrfile; - #define log_errno_reset(level, fmt, args...) \ - {do_log(level, fmt " (errno: %s)\n", ##args, strerror(errno)); errno = 0; } +@@ -165,7 +166,8 @@ struct tpm_bank_info { + static char *pcrfile[MAX_PCRFILE]; + static unsigned npcrfile; -static int bin2file(const char *file, const char *ext, const unsigned char *data, int len) +static int _bin2file(const char *file, const char *ext, @@ -33,7 +32,7 @@ index 6d2bb67..70d07a5 100644 { FILE *fp; char name[strlen(file) + (ext ? strlen(ext) : 0) + 2]; -@@ -186,7 +188,7 @@ static int bin2file(const char *file, const char *ext, const unsigned char *data +@@ -178,7 +180,7 @@ static int bin2file(const char *file, const char *ext, const unsigned char *data log_info("Writing to %s\n", name); @@ -42,7 +41,7 @@ index 6d2bb67..70d07a5 100644 if (!fp) { log_err("Failed to open: %s\n", name); return -1; -@@ -196,6 +198,18 @@ static int bin2file(const char *file, const char *ext, const unsigned char *data +@@ -188,6 +190,18 @@ static int bin2file(const char *file, const char *ext, const unsigned char *data return err; } @@ -61,7 +60,7 @@ index 6d2bb67..70d07a5 100644 static unsigned char *file2bin(const char *file, const char *ext, int *size) { FILE *fp; -@@ -365,6 +379,9 @@ static int calc_evm_hash(const char *file, unsigned char *hash) +@@ -353,6 +367,9 @@ static int calc_evm_hash(const char *file, unsigned char *hash) return -1; } @@ -71,18 +70,18 @@ index 6d2bb67..70d07a5 100644 if (generation_str) generation = strtoul(generation_str, NULL, 10); if (ino_str) -@@ -376,7 +393,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) +@@ -364,7 +381,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) if (mode_str) st.st_mode = strtoul(mode_str, NULL, 10); - if (!evm_immutable) { + if (!evm_immutable && !evm_portable) { - if (S_ISREG(st.st_mode) && !generation_str) { - int fd = open(file, 0); - -@@ -478,7 +495,11 @@ static int calc_evm_hash(const char *file, unsigned char *hash) - log_info("name: %s, size: %d\n", - use_xattr_ima ? xattr_ima : *xattrname, err); + if ((S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)) && !generation_str) { + /* we cannot at the momement to get generation of + special files kernel API does not support it */ +@@ -444,7 +461,11 @@ static int calc_evm_hash(const char *file, unsigned char *hash) + /*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/ + log_info("name: %s, size: %d\n", *xattrname, err); log_debug_dump(xattr_value, err); - err = EVP_DigestUpdate(pctx, xattr_value, err); + if (datafile) @@ -92,8 +91,8 @@ index 6d2bb67..70d07a5 100644 + err = EVP_DigestUpdate(pctx, xattr_value, err); if (!err) { log_err("EVP_DigestUpdate() failed\n"); - goto out; -@@ -532,7 +553,11 @@ static int calc_evm_hash(const char *file, unsigned char *hash) + return 1; +@@ -498,7 +519,11 @@ static int calc_evm_hash(const char *file, unsigned char *hash) log_debug("hmac_misc (%d): ", hmac_size); log_debug_dump(&hmac_misc, hmac_size); @@ -105,8 +104,8 @@ index 6d2bb67..70d07a5 100644 + err = EVP_DigestUpdate(pctx, &hmac_misc, hmac_size); if (!err) { log_err("EVP_DigestUpdate() failed\n"); - goto out; -@@ -593,6 +618,9 @@ static int sign_evm(const char *file, const char *key) + return 1; +@@ -555,6 +580,9 @@ static int sign_evm(const char *file, const char *key) if (sigdump || imaevm_params.verbose >= LOG_INFO) imaevm_hexdump(sig, len); @@ -116,7 +115,7 @@ index 6d2bb67..70d07a5 100644 if (xattr) { err = lsetxattr(file, xattr_evm, sig, len, 0); if (err < 0) { -@@ -605,6 +633,21 @@ static int sign_evm(const char *file, const char *key) +@@ -566,6 +594,21 @@ static int sign_evm(const char *file, const char *key) return 0; } @@ -138,7 +137,7 @@ index 6d2bb67..70d07a5 100644 static int hash_ima(const char *file) { unsigned char hash[MAX_DIGEST_SIZE + 2]; /* +2 byte xattr header */ -@@ -717,7 +760,7 @@ static int get_file_type(const char *path, const char *search_type) +@@ -678,7 +721,7 @@ static int get_file_type(const char *path, const char *search_type) static int do_cmd(struct command *cmd, find_cb_t func) { @@ -147,7 +146,7 @@ index 6d2bb67..70d07a5 100644 int err, dts = REG_MASK; /* only regular files by default */ if (!path) { -@@ -726,6 +769,10 @@ static int do_cmd(struct command *cmd, find_cb_t func) +@@ -687,6 +730,10 @@ static int do_cmd(struct command *cmd, find_cb_t func) return -1; } @@ -158,7 +157,7 @@ index 6d2bb67..70d07a5 100644 if (recursive) { if (search_type) { dts = get_file_type(path, search_type); -@@ -905,6 +952,11 @@ static int cmd_sign_evm(struct command *cmd) +@@ -793,6 +840,11 @@ static int cmd_sign_evm(struct command *cmd) return do_cmd(cmd, sign_evm_path); } @@ -170,14 +169,23 @@ index 6d2bb67..70d07a5 100644 static int verify_evm(const char *file) { unsigned char hash[MAX_DIGEST_SIZE]; -@@ -2874,6 +2926,7 @@ struct command cmds[] = { - {"import", cmd_import, 0, "pubkey keyring", "Import public key into the keyring.\n"}, - #endif - {"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass[=]] file", "Sign file metadata.\n"}, +@@ -807,7 +859,7 @@ static int verify_evm(const char *file) + return len; + } + +- if (sig[0] != 0x03) { ++ if (sig[0] != 0x03 && sig[0] != 0x05) { + log_err("%s has no signature\n", xattr_evm); + return -1; + } +@@ -2479,6 +2531,7 @@ struct command cmds[] = { + {"import", cmd_import, 0, "[--rsa] pubkey keyring", "Import public key into the keyring.\n"}, + {"convert", cmd_convert, 0, "key", "convert public key into the keyring.\n"}, + {"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass [password] file", "Sign file metadata.\n"}, + {"save", cmd_save_evm, 0, "[-r] [--imahash | --imasig ] file", "Save file metadata.\n"}, {"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"}, - {"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass[=]] file", "Make file content signature.\n"}, + {"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass [password] file", "Make file content signature.\n"}, {"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"}, -- -2.33.0 +2.25.1 diff --git a/add-sm3-option.patch b/add-sm3-option.patch new file mode 100644 index 0000000..3f3423a --- /dev/null +++ b/add-sm3-option.patch @@ -0,0 +1,26 @@ +From 3fe53a713f32c28841e7f5efd4afb397b6d7e154 Mon Sep 17 00:00:00 2001 +From: shenxiangwei +Date: Wed, 24 Aug 2022 08:26:49 +0800 +Subject: [PATCH] add sm3 option + +Signed-off-by: shenxiangwei +--- + src/evmctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/evmctl.c b/src/evmctl.c +index 28f4b8d..bce4b91 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -2489,7 +2489,7 @@ static void usage(void) + + printf( + "\n" +- " -a, --hashalgo sha1 (default), sha224, sha256, sha384, sha512, streebog256, streebog512\n" ++ " -a, --hashalgo sha1 (default), sha224, sha256, sha384, sha512, streebog256, streebog512, sm3\n" + " -s, --imasig make IMA signature\n" + " -d, --imahash make IMA hash\n" + " -f, --sigfile store IMA signature in .sig file instead of xattr\n" +-- +2.27.0 + diff --git a/0002-fix-caps-parameter-cannot-be-parsed.patch b/fix-caps-parameter-cannot-be-parsed.patch similarity index 78% rename from 0002-fix-caps-parameter-cannot-be-parsed.patch rename to fix-caps-parameter-cannot-be-parsed.patch index 3ddcced..1881b90 100644 --- a/0002-fix-caps-parameter-cannot-be-parsed.patch +++ b/fix-caps-parameter-cannot-be-parsed.patch @@ -1,19 +1,18 @@ -From 24c9623f563646695f6d219b2414b23f36378b42 Mon Sep 17 00:00:00 2001 +From 40602a7926ec13819a5926d4ac451becb44b7d98 Mon Sep 17 00:00:00 2001 From: shenxiangwei Date: Fri, 19 Aug 2022 12:05:11 +0800 Subject: [PATCH] fix caps parameter cannot be parsed Signed-off-by: shenxiangwei -Signed-off-by: zhoushuiqing --- src/evmctl.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/evmctl.c b/src/evmctl.c -index 70d07a5..19175b8 100644 +index 28f4b8d..6ef2f68 100644 --- a/src/evmctl.c +++ b/src/evmctl.c -@@ -472,14 +472,14 @@ static int calc_evm_hash(const char *file, unsigned char *hash) +@@ -440,13 +440,13 @@ static int calc_evm_hash(const char *file, unsigned char *hash) } else if (!strcmp(*xattrname, XATTR_NAME_CAPS) && (hmac_flags & HMAC_FLAG_CAPS_SET)) { if (!caps_str) continue; @@ -23,13 +22,12 @@ index 70d07a5..19175b8 100644 if (err >= sizeof(xattr_value)) { log_err("caps[%u] value is too long to fit into xattr[%zu]\n", err + 1, sizeof(xattr_value)); - err = -1; - goto out; + return -1; } - strcpy(xattr_value, caps_str); } else { err = lgetxattr(file, *xattrname, xattr_value, sizeof(xattr_value)); if (err < 0) { -- -2.33.0 +2.27.0 diff --git a/ima-evm-utils-1.3.2.tar.gz b/ima-evm-utils-1.3.2.tar.gz new file mode 100644 index 0000000..7d2335e Binary files /dev/null and b/ima-evm-utils-1.3.2.tar.gz differ diff --git a/ima-evm-utils-1.5.tar.gz b/ima-evm-utils-1.5.tar.gz deleted file mode 100644 index 6fe5ab5..0000000 Binary files a/ima-evm-utils-1.5.tar.gz and /dev/null differ diff --git a/ima-evm-utils-Fix-incorrect-algorithm-name-in-hash_i.patch b/ima-evm-utils-Fix-incorrect-algorithm-name-in-hash_i.patch new file mode 100644 index 0000000..328368a --- /dev/null +++ b/ima-evm-utils-Fix-incorrect-algorithm-name-in-hash_i.patch @@ -0,0 +1,48 @@ +From 455a399c1f1605d3a96fa8b89b48f4c203a48951 Mon Sep 17 00:00:00 2001 +From: Tianjia Zhang +Date: Sat, 24 Jul 2021 17:56:47 +0800 +Subject: [PATCH 2/2] ima-evm-utils: Fix incorrect algorithm name in + hash_info.gen + +There is no such an algorithm name as sm3-256. This is an ambiguity +caused by the definition of the macro HASH_ALGO_SM3_256. The sed +command is only a special case of sm3, so sm3 is used to replace +the sm3-256 algorithm name. + +Signed-off-by: Tianjia Zhang +Reviewed-by: Petr Vorel +Signed-off-by: Mimi Zohar +Signed-off-by: luhuaxin +--- + src/.gitignore | 1 + + src/hash_info.gen | 7 ++++--- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/.gitignore b/src/.gitignore +index 38e8e3c..69d2988 100644 +--- a/src/.gitignore ++++ b/src/.gitignore +@@ -1 +1,2 @@ + hash_info.h ++tmp_hash_info.h +diff --git a/src/hash_info.gen b/src/hash_info.gen +index 5f7a97f..08d4a94 100755 +--- a/src/hash_info.gen ++++ b/src/hash_info.gen +@@ -84,9 +84,10 @@ echo "};" + echo "const char *const hash_algo_name[HASH_ALGO__LAST] = {" + sed -n 's/HASH_ALGO_\(.*\),/\1 \L\1\E/p' $HASH_INFO | \ + while read a b; do +- # Normalize text hash name: if it contains underscore between +- # digits replace it with a dash, other underscores are removed. +- b=$(echo "$b" | sed "s/\([0-9]\)_\([0-9]\)/\1-\2/g;s/_//g") ++ # Normalize text hash name: sm3 algorithm name is different from ++ # the macro definition, which is also the only special case of an ++ # underscore between digits. Remove all other underscores. ++ b=$(echo "$b" | sed "s/sm3_256/sm3/g;s/_//g") + printf '\t%-26s = "%s",\n' "[HASH_ALGO_$a]" "$b" + done + echo "};" +-- +1.8.3.1 + diff --git a/ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch b/ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch new file mode 100644 index 0000000..480aaf6 --- /dev/null +++ b/ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch @@ -0,0 +1,209 @@ +From 17b9fc3fdbc3545efe9be6482bd7cc0a9fe30791 Mon Sep 17 00:00:00 2001 +From: Tianjia Zhang +Date: Wed, 21 Jul 2021 11:16:59 +0800 +Subject: [PATCH 1/2] ima-evm-utils: Support SM2/3 algorithm for sign and + verify + +Keep in sync with the kernel IMA, IMA signature tool supports SM2/3 +algorithm combination. Because in the current version of OpenSSL 1.1.1, +the SM2 algorithm and the public key using the EC algorithm share the +same ID 'EVP_PKEY_EC', and the specific algorithm can only be +distinguished by the curve name used. This patch supports this feature. + +Secondly, the openssl 1.1.1 tool does not fully support the signature +of SM2/3 algorithm combination, so the openssl3 tool is used in the +test case, and there is no this problem with directly calling the +openssl 1.1.1 API in evmctl. + +Signed-off-by: Tianjia Zhang +[zohar@linux.ibm.com: "COMPILE_SSL: " -> "COMPILE_SSL=" in .travis.yml +Reviewed-by: Petr Vorel +Signed-off-by: Mimi Zohar + +Signed-off-by: luhuaxin +--- + .travis.yml | 6 +++--- + src/libimaevm.c | 20 ++++++++++++++++++++ + tests/gen-keys.sh | 25 +++++++++++++++++++++++++ + tests/ima_hash.test | 3 +-- + tests/install-openssl3.sh | 23 +++++++++++++++++++++++ + tests/sign_verify.test | 10 ++++++++++ + 6 files changed, 82 insertions(+), 5 deletions(-) + create mode 100755 tests/install-openssl3.sh + +diff --git a/.travis.yml b/.travis.yml +index 9bea5d1..9063b04 100644 +--- a/.travis.yml ++++ b/.travis.yml +@@ -7,7 +7,7 @@ matrix: + include: + # 32 bit build + - os: linux +- env: DISTRO=debian:stable VARIANT=i386 ARCH=i386 TSS=tpm2-tss ++ env: DISTRO=debian:stable VARIANT=i386 ARCH=i386 TSS=tpm2-tss COMPILE_SSL=openssl-3.0.0-beta1 + compiler: gcc + + # cross compilation builds +@@ -30,7 +30,7 @@ matrix: + + # glibc (gcc/clang) + - os: linux +- env: DISTRO=opensuse/tumbleweed TSS=ibmtss ++ env: DISTRO=opensuse/tumbleweed TSS=ibmtss COMPILE_SSL=openssl-3.0.0-beta1 + compiler: clang + + - os: linux +@@ -75,4 +75,4 @@ before_install: + script: + - INSTALL="${DISTRO%%:*}" + - INSTALL="${INSTALL%%/*}" +- - docker run -t ima-evm-utils /bin/sh -c "cd travis && if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./$INSTALL.sh && if [ ! \"$VARIANT\" ]; then which tpm_server || which swtpm || ../tests/install-swtpm.sh; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" ../build.sh" ++ - docker run -t ima-evm-utils /bin/sh -c "cd travis && if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./$INSTALL.sh && if [ "$COMPILE_SSL" ]; then COMPILE_SSL="$COMPILE_SSL" ./tests/install-openssl3.sh; fi && if [ ! \"$VARIANT\" ]; then which tpm_server || which swtpm || ../tests/install-swtpm.sh; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" ../build.sh" +diff --git a/src/libimaevm.c b/src/libimaevm.c +index fa6c278..423d9dc 100644 +--- a/src/libimaevm.c ++++ b/src/libimaevm.c +@@ -518,6 +518,16 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size, + return -1; + } + ++#if defined(EVP_PKEY_SM2) && OPENSSL_VERSION_NUMBER < 0x30000000 ++ /* If EC key are used, check whether it is SM2 key */ ++ if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) { ++ EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); ++ int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); ++ if (curve == NID_sm2) ++ EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2); ++ } ++#endif ++ + st = "EVP_PKEY_CTX_new"; + if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL))) + goto err; +@@ -932,6 +942,16 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash, + return -1; + } + ++#if defined(EVP_PKEY_SM2) && OPENSSL_VERSION_NUMBER < 0x30000000 ++ /* If EC key are used, check whether it is SM2 key */ ++ if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) { ++ EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey); ++ int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); ++ if (curve == NID_sm2) ++ EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2); ++ } ++#endif ++ + calc_keyid_v2(&keyid, name, pkey); + hdr->keyid = keyid; + +diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh +index 407876b..ae72487 100755 +--- a/tests/gen-keys.sh ++++ b/tests/gen-keys.sh +@@ -92,6 +92,31 @@ for m in \ + fi + done + ++# SM2, If openssl 3.0 is installed, gen SM2 keys using ++if [ -x /opt/openssl3/bin/openssl ]; then ++ (PATH=/opt/openssl3/bin:$PATH LD_LIBRARY_PATH=/opt/openssl3/lib ++ for curve in sm2; do ++ if [ "$1" = clean ] || [ "$1" = force ]; then ++ rm -f test-$curve.cer test-$curve.key test-$curve.pub ++ fi ++ if [ "$1" = clean ]; then ++ continue ++ fi ++ if [ ! -e test-$curve.key ]; then ++ log openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 \ ++ -sm3 -sigopt "distid:1234567812345678" \ ++ -config test-ca.conf \ ++ -copy_extensions copyall \ ++ -newkey $curve \ ++ -out test-$curve.cer -outform DER \ ++ -keyout test-$curve.key ++ if [ -s test-$curve.key ]; then ++ log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout ++ fi ++ fi ++ done) ++fi ++ + # This script leaves test-ca.conf, *.cer, *.pub, *.key files for sing/verify tests. + # They are never deleted except by `make distclean'. + +diff --git a/tests/ima_hash.test b/tests/ima_hash.test +index 8d66e59..6e0e463 100755 +--- a/tests/ima_hash.test ++++ b/tests/ima_hash.test +@@ -70,8 +70,7 @@ expect_pass check sha256 0x0404 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649 + expect_pass check sha384 0x0405 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b + expect_pass check sha512 0x0406 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e + expect_pass check rmd160 0x0403 9c1185a5c5e9fc54612808977ee8f548b2258d31 +-expect_fail check sm3 0x01 +-expect_fail check sm3-256 0x01 ++expect_pass check sm3 0x0411 1ab21d8355cfa17f8e61194831e81a8f22bec8c728fefb747ed035eb5082aa2b + _enable_gost_engine + expect_pass check md_gost12_256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb + expect_pass check streebog256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb +diff --git a/tests/install-openssl3.sh b/tests/install-openssl3.sh +new file mode 100755 +index 0000000..1b63468 +--- /dev/null ++++ b/tests/install-openssl3.sh +@@ -0,0 +1,23 @@ ++#!/bin/bash ++ ++set -ex ++ ++if [ -z "$COMPILE_SSL" ]; then ++ echo "Missing \$COMPILE_SSL!" >&2 ++ exit 1 ++fi ++ ++version=${COMPILE_SSL} ++ ++wget --no-check-certificate https://github.com/openssl/openssl/archive/refs/tags/${version}.tar.gz ++tar --no-same-owner -xzf ${version}.tar.gz ++cd openssl-${version} ++ ++./Configure --prefix=/opt/openssl3 --openssldir=/opt/openssl3/ssl ++make -j$(nproc) ++# only install apps and library ++sudo make install_sw ++ ++cd .. ++rm -rf ${version}.tar.gz ++rm -rf openssl-${version} +diff --git a/tests/sign_verify.test b/tests/sign_verify.test +index 288e133..f716319 100755 +--- a/tests/sign_verify.test ++++ b/tests/sign_verify.test +@@ -198,6 +198,10 @@ check_sign() { + # This is all we can do for evm. + [[ "$TYPE" =~ evm ]] && return "$OK" + ++ # When using the SM2/3 algorithm, the openssl tool uses USERID for verify, ++ # which is incompatible with calling API directly, so skip it. ++ [[ "$ALG" == sm3 ]] && return "$OK" ++ + # Extract signature to a file + _extract_xattr "$FILE" "$(_xattr "$TYPE")" "$FILE.sig2" "$PREFIX" + +@@ -366,6 +370,12 @@ sign_verify rsa1024 sha384 0x030205:K:0080 + sign_verify rsa1024 sha512 0x030206:K:0080 + sign_verify rsa1024 rmd160 0x030203:K:0080 + ++# If openssl 3.0 is installed, test the SM2/3 algorithm combination ++if [ -x /opt/openssl3/bin/openssl ]; then ++ PATH=/opt/openssl3/bin:$PATH LD_LIBRARY_PATH=/opt/openssl3/lib \ ++ sign_verify sm2 sm3 0x030211:K:004[345678] ++fi ++ + # Test v2 signatures with EC-RDSA + _enable_gost_engine + sign_verify gost2012_256-A md_gost12_256 0x030212:K:0040 +-- +1.8.3.1 + diff --git a/ima-evm-utils.spec b/ima-evm-utils.spec index 3920bc5..9392ceb 100644 --- a/ima-evm-utils.spec +++ b/ima-evm-utils.spec @@ -1,15 +1,18 @@ Name: ima-evm-utils -Version: 1.5 -Release: 1 +Version: 1.3.2 +Release: 10 Summary: IMA/EVM control utilities License: GPLv2 URL: http://linux-ima.sourceforge.net/ Source0: https://github.com/mimizohar/ima-evm-utils/releases/download/v%{version}/%{name}-%{version}.tar.gz -Patch9000: 0001-add-save-command-to-support-digest-list-building.patch -Patch9001: 0002-fix-caps-parameter-cannot-be-parsed.patch -Patch9002: 0003-add-sm3-option.patch -Patch9003: 0004-Skip-test-error-in-docker.patch +Patch6000: ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch +Patch6001: ima-evm-utils-Fix-incorrect-algorithm-name-in-hash_i.patch + +Patch9000: add-save-command-to-support-digest-list-building.patch +Patch9001: fix-caps-parameter-cannot-be-parsed.patch +Patch9002: add-sm3-option.patch +Patch9003: skip-test-error-in-docker.patch BuildRequires: autoconf automake libtool asciidoc vim-common BuildRequires: libxslt openssl openssl-devel keyutils-libs-devel tpm2-tss-devel @@ -77,6 +80,9 @@ make check %endif %changelog +* Thu Jul 27 2023 zhoushuiqing - 1.3.2-10 +- Revert "Upgrade to 1.5" + * Thu Jul 20 2023 zhoushuiqing - 1.5-1 - Upgrade to 1.5 diff --git a/0004-Skip-test-error-in-docker.patch b/skip-test-error-in-docker.patch similarity index 78% rename from 0004-Skip-test-error-in-docker.patch rename to skip-test-error-in-docker.patch index b7579fe..28d3fe3 100644 --- a/0004-Skip-test-error-in-docker.patch +++ b/skip-test-error-in-docker.patch @@ -1,19 +1,18 @@ -From c152f534a661e9f2cb0ee125e1087df3c389dcd9 Mon Sep 17 00:00:00 2001 +From d3a4e24f6a2bac023f7e7c0eda403f0d8e25996d Mon Sep 17 00:00:00 2001 From: shenxiangwei Date: Mon, 26 Sep 2022 19:36:25 +0800 Subject: [PATCH] Skip test error in docker -Signed-off-by: zhoushuiqing --- tests/ima_hash.test | 5 +++++ tests/sign_verify.test | 10 ++++++++++ 2 files changed, 15 insertions(+) diff --git a/tests/ima_hash.test b/tests/ima_hash.test -index e88fd59..abf544a 100755 +index 8d66e59..cd97e1d 100644 --- a/tests/ima_hash.test +++ b/tests/ima_hash.test -@@ -24,6 +24,11 @@ trap _report_exit_and_cleanup EXIT +@@ -24,6 +24,11 @@ trap _report_exit EXIT set -f # disable globbing check() { @@ -26,10 +25,10 @@ index e88fd59..abf544a 100755 local file=$alg-hash.txt diff --git a/tests/sign_verify.test b/tests/sign_verify.test -index 2bc365a..eeb75ef 100755 +index 288e133..e1899df 100644 --- a/tests/sign_verify.test +++ b/tests/sign_verify.test -@@ -136,6 +136,11 @@ check_sign() { +@@ -130,6 +130,11 @@ check_sign() { # PREFIX (signature header prefix in hex), # OPTS (additional options for evmctl), # FILE (working file to sign). @@ -39,9 +38,9 @@ index 2bc365a..eeb75ef 100755 + fi + local "$@" - local key verifykey + local KEY=${KEY%.*}.key local FILE=${FILE:-$ALG.txt} -@@ -246,6 +251,11 @@ check_verify() { +@@ -225,6 +230,11 @@ check_verify() { # ALG (hash algo), # OPTS (additional options for evmctl), # FILE (filename to verify). @@ -54,5 +53,5 @@ index 2bc365a..eeb75ef 100755 # shellcheck disable=SC2086 -- -2.33.0 +2.37.3.windows.1