packages/ima-evm-utils
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!64 Revert "Upgrade to 1.5"

Browse Source 
From: @ZhouShuiQing 
Reviewed-by: @HuaxinLuGitee 
Signed-off-by: @HuaxinLuGitee
This commit is contained in:
openeuler-ci-bot 2023-07-27 02:23:18 +00:00 committed by Gitee
commit f03e06dcfa
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
10 changed files with 349 additions and 82 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
0003-add-sm3-option.patch
View File

@ -1,27 +0,0 @@
From 41073a60e1857b1a7fe6ef455c72c6d4458f79cc Mon Sep 17 00:00:00 2001
From: shenxiangwei <shenxiangwei1@huawei.com>
Date: Wed, 24 Aug 2022 08:26:49 +0800
Subject: [PATCH] add sm3 option
Signed-off-by: shenxiangwei <shenxiangwei1@huawei.com>
Signed-off-by: zhoushuiqing <zhoushuiqing2@huawei.com>
---
src/evmctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index 19175b8..fcfa2e4 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -2870,7 +2870,7 @@ static void usage(void)
printf(
"\n"
- " -a, --hashalgo sha1, sha224, sha256, sha384, sha512, streebog256, streebog512 (default: %s)\n"
+ " -a, --hashalgo sha1, sha224, sha256, sha384, sha512, streebog256, streebog512, sm3 (default: %s)\n"
" -s, --imasig make IMA signature\n"
" --veritysig sign an fs-verity file digest hash\n"
" -d, --imahash make IMA hash\n"
--
2.33.0

74
0001-add-save-command-to-support-digest-list-building.patch → add-save-command-to-support-digest-list-building.patch
View File

@ -1,4 +1,4 @@
From bf460c8e2001ec1227ce5a9ecf44d24782d43871 Mon Sep 17 00:00:00 2001 From 6e607f4c5b3a608477bfc10405fb3c1f2ef93024 Mon Sep 17 00:00:00 2001
From: Roberto Sassu <roberto.sassu@huawei.com> From: Roberto Sassu <roberto.sassu@huawei.com>
Date: Thu, 21 Jan 2021 08:16:34 +0800 Date: Thu, 21 Jan 2021 08:16:34 +0800
Subject: [PATCH] add save command to support digest list building Subject: [PATCH] add save command to support digest list building
@ -6,16 +6,15 @@ Subject: [PATCH] add save command to support digest list building
This patch adds save command to support IMA digest list. This patch adds save command to support IMA digest list.
Signed-off-by: Tianxing Zhang <benjamin93@163.com> Signed-off-by: Tianxing Zhang <benjamin93@163.com>
Signed-off-by: zhoushuiqing <zhoushuiqing2@huawei.com>
--- ---
src/evmctl.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++----- src/evmctl.c | 67 ++++++++++++++++++++++++++++++++++++++++++++++------
1 file changed, 59 insertions(+), 6 deletions(-) 1 file changed, 60 insertions(+), 7 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c diff --git a/src/evmctl.c b/src/evmctl.c
index 6d2bb67..70d07a5 100644 index 1815f55..439713d 100644
--- a/src/evmctl.c --- a/src/evmctl.c
+++ b/src/evmctl.c +++ b/src/evmctl.c
@@ -121,6 +121,7 @@ static int sigdump; @@ -115,6 +115,7 @@ static int sigdump;
static int digest; static int digest;
static int digsig; static int digsig;
static int sigfile; static int sigfile;
@ -23,9 +22,9 @@ index 6d2bb67..70d07a5 100644
static char *uuid_str; static char *uuid_str;
static char *ino_str; static char *ino_str;
static char *uid_str; static char *uid_str;
@@ -173,7 +174,8 @@ static unsigned npcrfile; @@ -165,7 +166,8 @@ struct tpm_bank_info {
#define log_errno_reset(level, fmt, args...) \ static char *pcrfile[MAX_PCRFILE];
{do_log(level, fmt " (errno: %s)\n", ##args, strerror(errno)); errno = 0; } static unsigned npcrfile;
-static int bin2file(const char *file, const char *ext, const unsigned char *data, int len) -static int bin2file(const char *file, const char *ext, const unsigned char *data, int len)
+static int _bin2file(const char *file, const char *ext, +static int _bin2file(const char *file, const char *ext,
@ -33,7 +32,7 @@ index 6d2bb67..70d07a5 100644
{ {
FILE *fp; FILE *fp;
char name[strlen(file) + (ext ? strlen(ext) : 0) + 2]; char name[strlen(file) + (ext ? strlen(ext) : 0) + 2];
@@ -186,7 +188,7 @@ static int bin2file(const char *file, const char *ext, const unsigned char *data @@ -178,7 +180,7 @@ static int bin2file(const char *file, const char *ext, const unsigned char *data
log_info("Writing to %s\n", name); log_info("Writing to %s\n", name);
@ -42,7 +41,7 @@ index 6d2bb67..70d07a5 100644
if (!fp) { if (!fp) {
log_err("Failed to open: %s\n", name); log_err("Failed to open: %s\n", name);
return -1; return -1;
@@ -196,6 +198,18 @@ static int bin2file(const char *file, const char *ext, const unsigned char *data @@ -188,6 +190,18 @@ static int bin2file(const char *file, const char *ext, const unsigned char *data
return err; return err;
} }
@ -61,7 +60,7 @@ index 6d2bb67..70d07a5 100644
static unsigned char *file2bin(const char *file, const char *ext, int *size) static unsigned char *file2bin(const char *file, const char *ext, int *size)
{ {
FILE *fp; FILE *fp;
@@ -365,6 +379,9 @@ static int calc_evm_hash(const char *file, unsigned char *hash) @@ -353,6 +367,9 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
return -1; return -1;
} }
@ -71,18 +70,18 @@ index 6d2bb67..70d07a5 100644
if (generation_str) if (generation_str)
generation = strtoul(generation_str, NULL, 10); generation = strtoul(generation_str, NULL, 10);
if (ino_str) if (ino_str)
@@ -376,7 +393,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) @@ -364,7 +381,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
if (mode_str) if (mode_str)
st.st_mode = strtoul(mode_str, NULL, 10); st.st_mode = strtoul(mode_str, NULL, 10);
- if (!evm_immutable) { - if (!evm_immutable) {
+ if (!evm_immutable && !evm_portable) { + if (!evm_immutable && !evm_portable) {
if (S_ISREG(st.st_mode) && !generation_str) { if ((S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)) && !generation_str) {
int fd = open(file, 0); /* we cannot at the momement to get generation of
special files kernel API does not support it */
@@ -478,7 +495,11 @@ static int calc_evm_hash(const char *file, unsigned char *hash) @@ -444,7 +461,11 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
log_info("name: %s, size: %d\n", /*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/
use_xattr_ima ? xattr_ima : *xattrname, err); log_info("name: %s, size: %d\n", *xattrname, err);
log_debug_dump(xattr_value, err); log_debug_dump(xattr_value, err);
- err = EVP_DigestUpdate(pctx, xattr_value, err); - err = EVP_DigestUpdate(pctx, xattr_value, err);
+ if (datafile) + if (datafile)
@ -92,8 +91,8 @@ index 6d2bb67..70d07a5 100644
+ err = EVP_DigestUpdate(pctx, xattr_value, err); + err = EVP_DigestUpdate(pctx, xattr_value, err);
if (!err) { if (!err) {
log_err("EVP_DigestUpdate() failed\n"); log_err("EVP_DigestUpdate() failed\n");
goto out; return 1;
@@ -532,7 +553,11 @@ static int calc_evm_hash(const char *file, unsigned char *hash) @@ -498,7 +519,11 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
log_debug("hmac_misc (%d): ", hmac_size); log_debug("hmac_misc (%d): ", hmac_size);
log_debug_dump(&hmac_misc, hmac_size); log_debug_dump(&hmac_misc, hmac_size);
@ -105,8 +104,8 @@ index 6d2bb67..70d07a5 100644
+ err = EVP_DigestUpdate(pctx, &hmac_misc, hmac_size); + err = EVP_DigestUpdate(pctx, &hmac_misc, hmac_size);
if (!err) { if (!err) {
log_err("EVP_DigestUpdate() failed\n"); log_err("EVP_DigestUpdate() failed\n");
goto out; return 1;
@@ -593,6 +618,9 @@ static int sign_evm(const char *file, const char *key) @@ -555,6 +580,9 @@ static int sign_evm(const char *file, const char *key)
if (sigdump || imaevm_params.verbose >= LOG_INFO) if (sigdump || imaevm_params.verbose >= LOG_INFO)
imaevm_hexdump(sig, len); imaevm_hexdump(sig, len);
@ -116,7 +115,7 @@ index 6d2bb67..70d07a5 100644
if (xattr) { if (xattr) {
err = lsetxattr(file, xattr_evm, sig, len, 0); err = lsetxattr(file, xattr_evm, sig, len, 0);
if (err < 0) { if (err < 0) {
@@ -605,6 +633,21 @@ static int sign_evm(const char *file, const char *key) @@ -566,6 +594,21 @@ static int sign_evm(const char *file, const char *key)
return 0; return 0;
} }
@ -138,7 +137,7 @@ index 6d2bb67..70d07a5 100644
static int hash_ima(const char *file) static int hash_ima(const char *file)
{ {
unsigned char hash[MAX_DIGEST_SIZE + 2]; /* +2 byte xattr header */ unsigned char hash[MAX_DIGEST_SIZE + 2]; /* +2 byte xattr header */
@@ -717,7 +760,7 @@ static int get_file_type(const char *path, const char *search_type) @@ -678,7 +721,7 @@ static int get_file_type(const char *path, const char *search_type)
static int do_cmd(struct command *cmd, find_cb_t func) static int do_cmd(struct command *cmd, find_cb_t func)
{ {
@ -147,7 +146,7 @@ index 6d2bb67..70d07a5 100644
int err, dts = REG_MASK; /* only regular files by default */ int err, dts = REG_MASK; /* only regular files by default */
if (!path) { if (!path) {
@@ -726,6 +769,10 @@ static int do_cmd(struct command *cmd, find_cb_t func) @@ -687,6 +730,10 @@ static int do_cmd(struct command *cmd, find_cb_t func)
return -1; return -1;
} }
@ -158,7 +157,7 @@ index 6d2bb67..70d07a5 100644
if (recursive) { if (recursive) {
if (search_type) { if (search_type) {
dts = get_file_type(path, search_type); dts = get_file_type(path, search_type);
@@ -905,6 +952,11 @@ static int cmd_sign_evm(struct command *cmd) @@ -793,6 +840,11 @@ static int cmd_sign_evm(struct command *cmd)
return do_cmd(cmd, sign_evm_path); return do_cmd(cmd, sign_evm_path);
} }
@ -170,14 +169,23 @@ index 6d2bb67..70d07a5 100644
static int verify_evm(const char *file) static int verify_evm(const char *file)
{ {
unsigned char hash[MAX_DIGEST_SIZE]; unsigned char hash[MAX_DIGEST_SIZE];
@@ -2874,6 +2926,7 @@ struct command cmds[] = { @@ -807,7 +859,7 @@ static int verify_evm(const char *file)
{"import", cmd_import, 0, "pubkey keyring", "Import public key into the keyring.\n"}, return len;
#endif }
{"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass[=<password>]] file", "Sign file metadata.\n"},
- if (sig[0] != 0x03) {
+ if (sig[0] != 0x03 && sig[0] != 0x05) {
log_err("%s has no signature\n", xattr_evm);
return -1;
}
@@ -2479,6 +2531,7 @@ struct command cmds[] = {
{"import", cmd_import, 0, "[--rsa] pubkey keyring", "Import public key into the keyring.\n"},
{"convert", cmd_convert, 0, "key", "convert public key into the keyring.\n"},
{"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass [password] file", "Sign file metadata.\n"},
+ {"save", cmd_save_evm, 0, "[-r] [--imahash | --imasig ] file", "Save file metadata.\n"}, + {"save", cmd_save_evm, 0, "[-r] [--imahash | --imasig ] file", "Save file metadata.\n"},
{"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"}, {"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"},
{"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass[=<password>]] file", "Make file content signature.\n"}, {"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass [password] file", "Make file content signature.\n"},
{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"}, {"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
-- --
2.33.0 2.25.1

26
add-sm3-option.patch Normal file
View File

@ -0,0 +1,26 @@
From 3fe53a713f32c28841e7f5efd4afb397b6d7e154 Mon Sep 17 00:00:00 2001
From: shenxiangwei <shenxiangwei1@huawei.com>
Date: Wed, 24 Aug 2022 08:26:49 +0800
Subject: [PATCH] add sm3 option
Signed-off-by: shenxiangwei <shenxiangwei1@huawei.com>
---
src/evmctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index 28f4b8d..bce4b91 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -2489,7 +2489,7 @@ static void usage(void)
printf(
"\n"
- " -a, --hashalgo sha1 (default), sha224, sha256, sha384, sha512, streebog256, streebog512\n"
+ " -a, --hashalgo sha1 (default), sha224, sha256, sha384, sha512, streebog256, streebog512, sm3\n"
" -s, --imasig make IMA signature\n"
" -d, --imahash make IMA hash\n"
" -f, --sigfile store IMA signature in .sig file instead of xattr\n"
--
2.27.0

12
0002-fix-caps-parameter-cannot-be-parsed.patch → fix-caps-parameter-cannot-be-parsed.patch
View File

@ -1,19 +1,18 @@
From 24c9623f563646695f6d219b2414b23f36378b42 Mon Sep 17 00:00:00 2001 From 40602a7926ec13819a5926d4ac451becb44b7d98 Mon Sep 17 00:00:00 2001
From: shenxiangwei <shenxiangwei1@huawei.com> From: shenxiangwei <shenxiangwei1@huawei.com>
Date: Fri, 19 Aug 2022 12:05:11 +0800 Date: Fri, 19 Aug 2022 12:05:11 +0800
Subject: [PATCH] fix caps parameter cannot be parsed Subject: [PATCH] fix caps parameter cannot be parsed
Signed-off-by: shenxiangwei <shenxiangwei1@huawei.com> Signed-off-by: shenxiangwei <shenxiangwei1@huawei.com>
Signed-off-by: zhoushuiqing <zhoushuiqing2@huawei.com>
--- ---
src/evmctl.c | 4 ++-- src/evmctl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-) 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c diff --git a/src/evmctl.c b/src/evmctl.c
index 70d07a5..19175b8 100644 index 28f4b8d..6ef2f68 100644
--- a/src/evmctl.c --- a/src/evmctl.c
+++ b/src/evmctl.c +++ b/src/evmctl.c
@@ -472,14 +472,14 @@ static int calc_evm_hash(const char *file, unsigned char *hash) @@ -440,13 +440,13 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
} else if (!strcmp(*xattrname, XATTR_NAME_CAPS) && (hmac_flags & HMAC_FLAG_CAPS_SET)) { } else if (!strcmp(*xattrname, XATTR_NAME_CAPS) && (hmac_flags & HMAC_FLAG_CAPS_SET)) {
if (!caps_str) if (!caps_str)
continue; continue;
@ -23,13 +22,12 @@ index 70d07a5..19175b8 100644
if (err >= sizeof(xattr_value)) { if (err >= sizeof(xattr_value)) {
log_err("caps[%u] value is too long to fit into xattr[%zu]\n", log_err("caps[%u] value is too long to fit into xattr[%zu]\n",
err + 1, sizeof(xattr_value)); err + 1, sizeof(xattr_value));
err = -1; return -1;
goto out;
} }
- strcpy(xattr_value, caps_str); - strcpy(xattr_value, caps_str);
} else { } else {
err = lgetxattr(file, *xattrname, xattr_value, sizeof(xattr_value)); err = lgetxattr(file, *xattrname, xattr_value, sizeof(xattr_value));
if (err < 0) { if (err < 0) {
-- --
2.33.0 2.27.0

BIN
ima-evm-utils-1.3.2.tar.gz Normal file
View File

Binary file not shown.

BIN
ima-evm-utils-1.5.tar.gz
View File

Binary file not shown.

48
ima-evm-utils-Fix-incorrect-algorithm-name-in-hash_i.patch Normal file
View File

@ -0,0 +1,48 @@
From 455a399c1f1605d3a96fa8b89b48f4c203a48951 Mon Sep 17 00:00:00 2001
From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Date: Sat, 24 Jul 2021 17:56:47 +0800
Subject: [PATCH 2/2] ima-evm-utils: Fix incorrect algorithm name in
hash_info.gen
There is no such an algorithm name as sm3-256. This is an ambiguity
caused by the definition of the macro HASH_ALGO_SM3_256. The sed
command is only a special case of sm3, so sm3 is used to replace
the sm3-256 algorithm name.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: luhuaxin <luhuaxin1@huawei.com>
---
src/.gitignore | 1 +
src/hash_info.gen | 7 ++++---
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/.gitignore b/src/.gitignore
index 38e8e3c..69d2988 100644
--- a/src/.gitignore
+++ b/src/.gitignore
@@ -1 +1,2 @@
hash_info.h
+tmp_hash_info.h
diff --git a/src/hash_info.gen b/src/hash_info.gen
index 5f7a97f..08d4a94 100755
--- a/src/hash_info.gen
+++ b/src/hash_info.gen
@@ -84,9 +84,10 @@ echo "};"
echo "const char *const hash_algo_name[HASH_ALGO__LAST] = {"
sed -n 's/HASH_ALGO_\(.*\),/\1 \L\1\E/p' $HASH_INFO | \
while read a b; do
- # Normalize text hash name: if it contains underscore between
- # digits replace it with a dash, other underscores are removed.
- b=$(echo "$b" | sed "s/\([0-9]\)_\([0-9]\)/\1-\2/g;s/_//g")
+ # Normalize text hash name: sm3 algorithm name is different from
+ # the macro definition, which is also the only special case of an
+ # underscore between digits. Remove all other underscores.
+ b=$(echo "$b" | sed "s/sm3_256/sm3/g;s/_//g")
printf '\t%-26s = "%s",\n' "[HASH_ALGO_$a]" "$b"
done
echo "};"
--
1.8.3.1

209
ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch Normal file
View File

@ -0,0 +1,209 @@
From 17b9fc3fdbc3545efe9be6482bd7cc0a9fe30791 Mon Sep 17 00:00:00 2001
From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Date: Wed, 21 Jul 2021 11:16:59 +0800
Subject: [PATCH 1/2] ima-evm-utils: Support SM2/3 algorithm for sign and
verify
Keep in sync with the kernel IMA, IMA signature tool supports SM2/3
algorithm combination. Because in the current version of OpenSSL 1.1.1,
the SM2 algorithm and the public key using the EC algorithm share the
same ID 'EVP_PKEY_EC', and the specific algorithm can only be
distinguished by the curve name used. This patch supports this feature.
Secondly, the openssl 1.1.1 tool does not fully support the signature
of SM2/3 algorithm combination, so the openssl3 tool is used in the
test case, and there is no this problem with directly calling the
openssl 1.1.1 API in evmctl.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
[zohar@linux.ibm.com: "COMPILE_SSL: " -> "COMPILE_SSL=" in .travis.yml
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: luhuaxin <luhuaxin1@huawei.com>
---
.travis.yml | 6 +++---
src/libimaevm.c | 20 ++++++++++++++++++++
tests/gen-keys.sh | 25 +++++++++++++++++++++++++
tests/ima_hash.test | 3 +--
tests/install-openssl3.sh | 23 +++++++++++++++++++++++
tests/sign_verify.test | 10 ++++++++++
6 files changed, 82 insertions(+), 5 deletions(-)
create mode 100755 tests/install-openssl3.sh
diff --git a/.travis.yml b/.travis.yml
index 9bea5d1..9063b04 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -7,7 +7,7 @@ matrix:
include:
# 32 bit build
- os: linux
- env: DISTRO=debian:stable VARIANT=i386 ARCH=i386 TSS=tpm2-tss
+ env: DISTRO=debian:stable VARIANT=i386 ARCH=i386 TSS=tpm2-tss COMPILE_SSL=openssl-3.0.0-beta1
compiler: gcc
# cross compilation builds
@@ -30,7 +30,7 @@ matrix:
# glibc (gcc/clang)
- os: linux
- env: DISTRO=opensuse/tumbleweed TSS=ibmtss
+ env: DISTRO=opensuse/tumbleweed TSS=ibmtss COMPILE_SSL=openssl-3.0.0-beta1
compiler: clang
- os: linux
@@ -75,4 +75,4 @@ before_install:
script:
- INSTALL="${DISTRO%%:*}"
- INSTALL="${INSTALL%%/*}"
- - docker run -t ima-evm-utils /bin/sh -c "cd travis && if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./$INSTALL.sh && if [ ! \"$VARIANT\" ]; then which tpm_server || which swtpm || ../tests/install-swtpm.sh; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" ../build.sh"
+ - docker run -t ima-evm-utils /bin/sh -c "cd travis && if [ \"$VARIANT\" ]; then ARCH=\"$ARCH\" ./$INSTALL.$VARIANT.sh; fi && ARCH=\"$ARCH\" CC=\"$CC\" TSS=\"$TSS\" ./$INSTALL.sh && if [ "$COMPILE_SSL" ]; then COMPILE_SSL="$COMPILE_SSL" ./tests/install-openssl3.sh; fi && if [ ! \"$VARIANT\" ]; then which tpm_server || which swtpm || ../tests/install-swtpm.sh; fi && CC=\"$CC\" VARIANT=\"$VARIANT\" ../build.sh"
diff --git a/src/libimaevm.c b/src/libimaevm.c
index fa6c278..423d9dc 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -518,6 +518,16 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
return -1;
}
+#if defined(EVP_PKEY_SM2) && OPENSSL_VERSION_NUMBER < 0x30000000
+ /* If EC key are used, check whether it is SM2 key */
+ if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
+ EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
+ int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
+ if (curve == NID_sm2)
+ EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
+ }
+#endif
+
st = "EVP_PKEY_CTX_new";
if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL)))
goto err;
@@ -932,6 +942,16 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
return -1;
}
+#if defined(EVP_PKEY_SM2) && OPENSSL_VERSION_NUMBER < 0x30000000
+ /* If EC key are used, check whether it is SM2 key */
+ if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
+ EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
+ int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
+ if (curve == NID_sm2)
+ EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
+ }
+#endif
+
calc_keyid_v2(&keyid, name, pkey);
hdr->keyid = keyid;
diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh
index 407876b..ae72487 100755
--- a/tests/gen-keys.sh
+++ b/tests/gen-keys.sh
@@ -92,6 +92,31 @@ for m in \
fi
done
+# SM2, If openssl 3.0 is installed, gen SM2 keys using
+if [ -x /opt/openssl3/bin/openssl ]; then
+ (PATH=/opt/openssl3/bin:$PATH LD_LIBRARY_PATH=/opt/openssl3/lib
+ for curve in sm2; do
+ if [ "$1" = clean ] || [ "$1" = force ]; then
+ rm -f test-$curve.cer test-$curve.key test-$curve.pub
+ fi
+ if [ "$1" = clean ]; then
+ continue
+ fi
+ if [ ! -e test-$curve.key ]; then
+ log openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 \
+ -sm3 -sigopt "distid:1234567812345678" \
+ -config test-ca.conf \
+ -copy_extensions copyall \
+ -newkey $curve \
+ -out test-$curve.cer -outform DER \
+ -keyout test-$curve.key
+ if [ -s test-$curve.key ]; then
+ log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout
+ fi
+ fi
+ done)
+fi
+
# This script leaves test-ca.conf, *.cer, *.pub, *.key files for sing/verify tests.
# They are never deleted except by `make distclean'.
diff --git a/tests/ima_hash.test b/tests/ima_hash.test
index 8d66e59..6e0e463 100755
--- a/tests/ima_hash.test
+++ b/tests/ima_hash.test
@@ -70,8 +70,7 @@ expect_pass check sha256 0x0404 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649
expect_pass check sha384 0x0405 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b
expect_pass check sha512 0x0406 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
expect_pass check rmd160 0x0403 9c1185a5c5e9fc54612808977ee8f548b2258d31
-expect_fail check sm3 0x01
-expect_fail check sm3-256 0x01
+expect_pass check sm3 0x0411 1ab21d8355cfa17f8e61194831e81a8f22bec8c728fefb747ed035eb5082aa2b
_enable_gost_engine
expect_pass check md_gost12_256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
expect_pass check streebog256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
diff --git a/tests/install-openssl3.sh b/tests/install-openssl3.sh
new file mode 100755
index 0000000..1b63468
--- /dev/null
+++ b/tests/install-openssl3.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -ex
+
+if [ -z "$COMPILE_SSL" ]; then
+ echo "Missing \$COMPILE_SSL!" >&2
+ exit 1
+fi
+
+version=${COMPILE_SSL}
+
+wget --no-check-certificate https://github.com/openssl/openssl/archive/refs/tags/${version}.tar.gz
+tar --no-same-owner -xzf ${version}.tar.gz
+cd openssl-${version}
+
+./Configure --prefix=/opt/openssl3 --openssldir=/opt/openssl3/ssl
+make -j$(nproc)
+# only install apps and library
+sudo make install_sw
+
+cd ..
+rm -rf ${version}.tar.gz
+rm -rf openssl-${version}
diff --git a/tests/sign_verify.test b/tests/sign_verify.test
index 288e133..f716319 100755
--- a/tests/sign_verify.test
+++ b/tests/sign_verify.test
@@ -198,6 +198,10 @@ check_sign() {
# This is all we can do for evm.
[[ "$TYPE" =~ evm ]] && return "$OK"
+ # When using the SM2/3 algorithm, the openssl tool uses USERID for verify,
+ # which is incompatible with calling API directly, so skip it.
+ [[ "$ALG" == sm3 ]] && return "$OK"
+
# Extract signature to a file
_extract_xattr "$FILE" "$(_xattr "$TYPE")" "$FILE.sig2" "$PREFIX"
@@ -366,6 +370,12 @@ sign_verify rsa1024 sha384 0x030205:K:0080
sign_verify rsa1024 sha512 0x030206:K:0080
sign_verify rsa1024 rmd160 0x030203:K:0080
+# If openssl 3.0 is installed, test the SM2/3 algorithm combination
+if [ -x /opt/openssl3/bin/openssl ]; then
+ PATH=/opt/openssl3/bin:$PATH LD_LIBRARY_PATH=/opt/openssl3/lib \
+ sign_verify sm2 sm3 0x030211:K:004[345678]
+fi
+
# Test v2 signatures with EC-RDSA
_enable_gost_engine
sign_verify gost2012_256-A md_gost12_256 0x030212:K:0040
--
1.8.3.1

18
ima-evm-utils.spec
View File

@ -1,15 +1,18 @@
Name: ima-evm-utils Name: ima-evm-utils
Version: 1.5 Version: 1.3.2
Release: 1 Release: 10
Summary: IMA/EVM control utilities Summary: IMA/EVM control utilities
License: GPLv2 License: GPLv2
URL: http://linux-ima.sourceforge.net/ URL: http://linux-ima.sourceforge.net/
Source0: https://github.com/mimizohar/ima-evm-utils/releases/download/v%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/mimizohar/ima-evm-utils/releases/download/v%{version}/%{name}-%{version}.tar.gz
Patch9000: 0001-add-save-command-to-support-digest-list-building.patch Patch6000: ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch
Patch9001: 0002-fix-caps-parameter-cannot-be-parsed.patch Patch6001: ima-evm-utils-Fix-incorrect-algorithm-name-in-hash_i.patch
Patch9002: 0003-add-sm3-option.patch
Patch9003: 0004-Skip-test-error-in-docker.patch Patch9000: add-save-command-to-support-digest-list-building.patch
Patch9001: fix-caps-parameter-cannot-be-parsed.patch
Patch9002: add-sm3-option.patch
Patch9003: skip-test-error-in-docker.patch
BuildRequires: autoconf automake libtool asciidoc vim-common BuildRequires: autoconf automake libtool asciidoc vim-common
BuildRequires: libxslt openssl openssl-devel keyutils-libs-devel tpm2-tss-devel BuildRequires: libxslt openssl openssl-devel keyutils-libs-devel tpm2-tss-devel
@ -77,6 +80,9 @@ make check
%endif %endif
%changelog %changelog
* Thu Jul 27 2023 zhoushuiqing <zhoushuiqing2@huawei.com> - 1.3.2-10
- Revert "Upgrade to 1.5"
* Thu Jul 20 2023 zhoushuiqing <zhoushuiqing2@huawei.com> - 1.5-1 * Thu Jul 20 2023 zhoushuiqing <zhoushuiqing2@huawei.com> - 1.5-1
- Upgrade to 1.5 - Upgrade to 1.5

17
0004-Skip-test-error-in-docker.patch → skip-test-error-in-docker.patch
View File

@ -1,19 +1,18 @@
From c152f534a661e9f2cb0ee125e1087df3c389dcd9 Mon Sep 17 00:00:00 2001 From d3a4e24f6a2bac023f7e7c0eda403f0d8e25996d Mon Sep 17 00:00:00 2001
From: shenxiangwei <shenxiangwei1@huawei.com> From: shenxiangwei <shenxiangwei1@huawei.com>
Date: Mon, 26 Sep 2022 19:36:25 +0800 Date: Mon, 26 Sep 2022 19:36:25 +0800
Subject: [PATCH] Skip test error in docker Subject: [PATCH] Skip test error in docker
Signed-off-by: zhoushuiqing <zhoushuiqing2@huawei.com>
--- ---
tests/ima_hash.test | 5 +++++ tests/ima_hash.test | 5 +++++
tests/sign_verify.test | 10 ++++++++++ tests/sign_verify.test | 10 ++++++++++
2 files changed, 15 insertions(+) 2 files changed, 15 insertions(+)
diff --git a/tests/ima_hash.test b/tests/ima_hash.test diff --git a/tests/ima_hash.test b/tests/ima_hash.test
index e88fd59..abf544a 100755 index 8d66e59..cd97e1d 100644
--- a/tests/ima_hash.test --- a/tests/ima_hash.test
+++ b/tests/ima_hash.test +++ b/tests/ima_hash.test
@@ -24,6 +24,11 @@ trap _report_exit_and_cleanup EXIT @@ -24,6 +24,11 @@ trap _report_exit EXIT
set -f # disable globbing set -f # disable globbing
check() { check() {
@ -26,10 +25,10 @@ index e88fd59..abf544a 100755
local file=$alg-hash.txt local file=$alg-hash.txt
diff --git a/tests/sign_verify.test b/tests/sign_verify.test diff --git a/tests/sign_verify.test b/tests/sign_verify.test
index 2bc365a..eeb75ef 100755 index 288e133..e1899df 100644
--- a/tests/sign_verify.test --- a/tests/sign_verify.test
+++ b/tests/sign_verify.test +++ b/tests/sign_verify.test
@@ -136,6 +136,11 @@ check_sign() { @@ -130,6 +130,11 @@ check_sign() {
# PREFIX (signature header prefix in hex), # PREFIX (signature header prefix in hex),
# OPTS (additional options for evmctl), # OPTS (additional options for evmctl),
# FILE (working file to sign). # FILE (working file to sign).
@ -39,9 +38,9 @@ index 2bc365a..eeb75ef 100755
+ fi + fi
+ +
local "$@" local "$@"
local key verifykey local KEY=${KEY%.*}.key
local FILE=${FILE:-$ALG.txt} local FILE=${FILE:-$ALG.txt}
@@ -246,6 +251,11 @@ check_verify() { @@ -225,6 +230,11 @@ check_verify() {
# ALG (hash algo), # ALG (hash algo),
# OPTS (additional options for evmctl), # OPTS (additional options for evmctl),
# FILE (filename to verify). # FILE (filename to verify).
@ -54,5 +53,5 @@ index 2bc365a..eeb75ef 100755
# shellcheck disable=SC2086 # shellcheck disable=SC2086
-- --
2.33.0 2.37.3.windows.1