diff --git a/0001-ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch b/0001-ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4f82308c5255f4b573d02e796d4b8aefe050c542
--- /dev/null
+++ b/0001-ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch
@@ -0,0 +1,130 @@
+From a5f5dd7c8e128b226dc8dc5c49562e7ec6bb386b Mon Sep 17 00:00:00 2001
+From: Tianjia Zhang
+Date: Wed, 21 Jul 2021 11:16:59 +0800
+Subject: [PATCH] ima-evm-utils: Support SM2/3 algorithm for sign and verify
+
+Keep in sync with the kernel IMA, IMA signature tool supports SM2/3
+algorithm combination. Because in the current version of OpenSSL 1.1.1,
+the SM2 algorithm and the public key using the EC algorithm share the
+same ID 'EVP_PKEY_EC', and the specific algorithm can only be
+distinguished by the curve name used. This patch supports this feature.
+
+Secondly, the openssl 1.1.1 tool does not fully support the signature
+of SM2/3 algorithm combination, so the openssl3 tool is used in the
+test case, and there is no this problem with directly calling the
+openssl 1.1.1 API in evmctl.
+
+Signed-off-by: Tianjia Zhang
+[zohar@linux.ibm.com: "COMPILE_SSL: " -> "COMPILE_SSL=" in .travis.yml
+Reviewed-by: Petr Vorel
+Signed-off-by: Mimi Zohar
+
+[Yilin: drop yaml test files and rebase ima-evm-utils 1.3.2]
+Signed-off-by: Yilin Li
+---
+ src/libimaevm.c | 20 ++++++++++++++++++++
+ tests/gen-keys.sh | 22 ++++++++++++++++++++++
+ tests/ima_hash.test | 3 +--
+ tests/sign_verify.test | 2 ++
+ 4 files changed, 45 insertions(+), 2 deletions(-)
+diff --git a/src/libimaevm.c b/src/libimaevm.c
+index fa6c278..589dd09 100644
+--- a/src/libimaevm.c
++++ b/src/libimaevm.c
+@@ -518,6 +518,16 @@ static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
+ return -1;
+ }
+ 
++#ifdef EVP_PKEY_SM2
++ /* If EC key are used, check whether it is SM2 key */
++ if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
++ EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
++ int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
++ if (curve == NID_sm2)
++ EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
++ }
++#endif
++
+ st = "EVP_PKEY_CTX_new";
+ if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL)))
+ goto err;
+@@ -932,6 +942,16 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash,
+ return -1;
+ }
+ 
++#ifdef EVP_PKEY_SM2
++ /* If EC key are used, check whether it is SM2 key */
++ if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
++ EC_KEY *ec = EVP_PKEY_get0_EC_KEY(pkey);
++ int curve = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
++ if (curve == NID_sm2)
++ EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2);
++ }
++#endif
++
+ calc_keyid_v2(&keyid, name, pkey);
+ hdr->keyid = keyid;
+ 
+diff --git a/tests/gen-keys.sh b/tests/gen-keys.sh
+index 407876b..d609b54 100755
+--- a/tests/gen-keys.sh
++++ b/tests/gen-keys.sh
+@@ -92,6 +92,28 @@ for m in \
+ fi
+ done
+ 
++# SM2
++for curve in sm2; do
++ if [ "$1" = clean ] || [ "$1" = force ]; then
++ rm -f test-$curve.cer test-$curve.key test-$curve.pub
++ fi
++ if [ "$1" = clean ]; then
++ continue
++ fi
++ if [ ! -e test-$curve.key ]; then
++ log openssl req -verbose -new -nodes -utf8 -days 10000 -batch -x509 \
++ -sm3 -sigopt "distid:1234567812345678" \
++ -config test-ca.conf \
++ -copy_extensions copyall \
++ -newkey $curve \
++ -out test-$curve.cer -outform DER \
++ -keyout test-$curve.key
++ if [ -s test-$curve.key ]; then
++ log openssl pkey -in test-$curve.key -out test-$curve.pub -pubout
++ fi
++ fi
++done
++
+ # This script leaves test-ca.conf, *.cer, *.pub, *.key files for sing/verify tests.
+ # They are never deleted except by `make distclean'.
+ 
+diff --git a/tests/ima_hash.test b/tests/ima_hash.test
+index 8d66e59..46de4c9 100755
+--- a/tests/ima_hash.test
++++ b/tests/ima_hash.test
+@@ -70,8 +70,7 @@ expect_pass check sha256 0x0404 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649
+ expect_pass check sha384 0x0405 38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b
+ expect_pass check sha512 0x0406 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
+ expect_pass check rmd160 0x0403 9c1185a5c5e9fc54612808977ee8f548b2258d31
+-expect_fail check sm3 0x01
+-expect_fail check sm3-256 0x01
++expect_pass check sm3 0x01 1ab21d8355cfa17f8e61194831e81a8f22bec8c728fefb747ed035eb5082aa2b
+ _enable_gost_engine
+ expect_pass check md_gost12_256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
+ expect_pass check streebog256 0x0412 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
+diff --git a/tests/sign_verify.test b/tests/sign_verify.test
+index 288e133..8ee2487 100755
+--- a/tests/sign_verify.test
++++ b/tests/sign_verify.test
+@@ -366,6 +366,8 @@ sign_verify rsa1024 sha384 0x030205:K:0080
+ sign_verify rsa1024 sha512 0x030206:K:0080
+ sign_verify rsa1024 rmd160 0x030203:K:0080
+ 
++sign_verify sm2 sm3 0x030211:K:004[345678]
++
+ # Test v2 signatures with EC-RDSA
+ _enable_gost_engine
+ sign_verify gost2012_256-A md_gost12_256 0x030212:K:0040
+-- 
+1.8.3.1
+
diff --git a/ima-evm-utils.spec b/ima-evm-utils.spec
index af59d3bc2137e9ceff7fb103b14b650fd318313d..749c224c5cb686c04c34cdcb603052dc533f39e4 100644
--- a/ima-evm-utils.spec
+++ b/ima-evm-utils.spec
@@ -1,8 +1,9 @@
+%define anolis_release .0.1
 %global compat_soversion 0
 Name: ima-evm-utils
 Version: 1.3.2
-Release: 12%{?dist}
+Release: 12.%{?anolis_release}%{?dist}
 Summary: IMA/EVM support utilities
 License: GPLv2
 Url: http://linux-ima.sourceforge.net/
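Review bot: The SM2 detection block added to verify_hash_v2 and sign_hash_v2 dereferences the results of EVP_PKEY_get0_EC_KEY() and EC_KEY_get0_group() without a NULL check and discards the return value of EVP_PKEY_set_alias_type(), so if re-typing the key fails the call silently continues down the generic EC (ECDSA) sign/verify path with an SM2-curve key, which would presumably not agree with the kernel IMA code this is meant to stay in sync with. Both enclosing functions start and end outside their inner hunks and the block is duplicated verbatim in both, so I would lift it into one static helper that fails closed and replace each copy with `if (pkey_set_sm2_alias(pkey) < 0) return -1;` (both callers already `return -1` on the preceding error path; the helper below assumes log_err() is the file's usual error logger). Separately, the new line in tests/ima_hash.test expects prefix `0x01` for a 32-byte sm3 digest while the neighbouring 32-byte sha256 check expects `0x0404` and sign_verify.test encodes sm3 as `0x11` in `0x030211`, so `0x0411` looks like the intended prefix there and is worth confirming against real evmctl output before merging.
```c
#ifdef EVP_PKEY_SM2
/*
 * OpenSSL 1.1.1 reports SM2 keys as EVP_PKEY_EC; only the curve name tells
 * them apart.  Re-type such a key as SM2 so EVP_PKEY_sign()/EVP_PKEY_verify()
 * run SM2 rather than ECDSA.  Returns 0 for a non-EC/non-SM2 key or on
 * success, -1 if a key on the SM2 curve could not be re-typed.
 */
static int pkey_set_sm2_alias(EVP_PKEY *pkey)
{
	EC_KEY *ec;
	const EC_GROUP *group;

	if (EVP_PKEY_id(pkey) != EVP_PKEY_EC)
		return 0;

	ec = EVP_PKEY_get0_EC_KEY(pkey);
	group = ec ? EC_KEY_get0_group(ec) : NULL;
	if (!group || EC_GROUP_get_curve_name(group) != NID_sm2)
		return 0;

	if (!EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)) {
		log_err("Failed to mark EC key on the SM2 curve as SM2\n");
		return -1;
	}
	return 0;
}
#endif

/* … unchanged: verify_hash_v2() up to the key lookup … */
#ifdef EVP_PKEY_SM2
	if (pkey_set_sm2_alias(pkey) < 0)
		return -1;
#endif
	st = "EVP_PKEY_CTX_new";
/* … unchanged: rest of verify_hash_v2(); the same two-line call replaces the block in sign_hash_v2() … */
```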
@@ -16,6 +17,9 @@ Patch2: covscan-memory-leaks.patch
 Patch3: annocheck-opt-flag.patch
 Patch4: libimaevm-keydesc-import.patch
+# upstream patches
+Patch10001: 0001-ima-evm-utils-Support-SM2-3-algorithm-for-sign-and-v.patch
+
 BuildRequires: asciidoc
 BuildRequires: autoconf
 BuildRequires: automake
@@ -54,6 +58,9 @@ This package provides the libimaevm.so.%{compat_soversion} relative to %{name}-1
 %prep
 %setup -q
 %patch0 -p1
+# Upstream patch
+%patch10001 -p1
+
 mkdir compat/
 tar -zxf %{SOURCE10} --strip-components=1 -C compat/
 cd compat/
@@ -104,6 +111,10 @@ popd
 %{_libdir}/libimaevm.so.%{compat_soversion}.0.0
 %changelog
+* Sun Jul 11 2021 Yilin Li - 1.3.2-12.0.1
+- Support SM2 algorithm for sign and verify
+- Use upstream SM2 patch to replace anolis patch
+
 * Thu Feb 18 2021 Bruno Meneguele - 1.3.2-12
 - Add compat subpackage for keeping the API stability in userspace