diff options
| author | Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com> | 2019-09-04 10:25:09 +0300 |
|---|---|---|
| committer | Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com> | 2019-09-04 12:01:45 +0300 |
| commit | d139491c9ad4ca3f85ac01432c856ebcd41d706b (patch) | |
| tree | 1ecad52d8d7583cf97def94aff3fc3e420cff199 | |
| parent | 26ced755f525311d102e95adbc3a36072c62ce00 (diff) | |
| download | meta-secure-core-d139491c9ad4ca3f85ac01432c856ebcd41d706b.tar.gz | |
ima-evm-utils: update to release 1.2.1
Bump ima-evm-utils to latest release (1.2.1).
Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
3 files changed, 7 insertions, 307 deletions
diff --git a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-Install-evmctl-to-sbindir-rather-than-bindir.patch b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-Install-evmctl-to-sbindir-rather-than-bindir.patch index 545be42..2a63e80 100644 --- a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-Install-evmctl-to-sbindir-rather-than-bindir.patch +++ b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/0001-Install-evmctl-to-sbindir-rather-than-bindir.patch | |||
| @@ -14,15 +14,15 @@ diff --git a/src/Makefile.am b/src/Makefile.am | |||
| 14 | index deb18fb..aa8f666 100644 | 14 | index deb18fb..aa8f666 100644 |
| 15 | --- a/src/Makefile.am | 15 | --- a/src/Makefile.am |
| 16 | +++ b/src/Makefile.am | 16 | +++ b/src/Makefile.am |
| 17 | @@ -9,7 +9,7 @@ libimaevm_la_LIBADD = $(OPENSSL_LIBS) | 17 | @@ -15,7 +15,7 @@ EXTRA_DIST = hash_info.gen |
| 18 | 18 | hash_info.h: Makefile | |
| 19 | include_HEADERS = imaevm.h | 19 | $(srcdir)/hash_info.gen $(KERNEL_HEADERS) >$@ |
| 20 | 20 | ||
| 21 | -bin_PROGRAMS = evmctl | 21 | -bin_PROGRAMS = evmctl |
| 22 | +sbin_PROGRAMS = evmctl | 22 | +sbin_PROGRAMS = evmctl |
| 23 | 23 | ||
| 24 | evmctl_SOURCES = evmctl.c | 24 | evmctl_SOURCES = evmctl.c |
| 25 | evmctl_CPPFLAGS = $(OPENSSL_CFLAGS) | 25 | evmctl_CPPFLAGS = $(AM_CPPFLAGS) $(LIBCRYPTO_CFLAGS) |
| 26 | -- | 26 | -- |
| 27 | 2.7.4 | 27 | 2.7.4 |
| 28 | 28 | ||
diff --git a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/Fix-the-build-failure-with-openssl-1.1.x.patch b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/Fix-the-build-failure-with-openssl-1.1.x.patch deleted file mode 100644 index 5551678..0000000 --- a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/Fix-the-build-failure-with-openssl-1.1.x.patch +++ /dev/null | |||
| @@ -1,299 +0,0 @@ | |||
| 1 | From 61595d2d4eb9d6855680ea2f6d74492a4b7a553f Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Lans Zhang <jia.zhang@windriver.com> | ||
| 3 | Date: Wed, 16 Aug 2017 14:32:03 +0800 | ||
| 4 | Subject: [PATCH] Fix the build failure with openssl-1.1.x | ||
| 5 | |||
| 6 | - Clean up the opaqu EVP_MD_CTX and RSA. | ||
| 7 | - Similarly, HMAC_CTX is also opaqu. Note that there is no dynamic | ||
| 8 | allocation function like HMAC_CTX_create|new() available in 1.0.x. | ||
| 9 | - HMAC_CTX_cleanup() is replaced by HMAC_CTX_reset(). | ||
| 10 | |||
| 11 | Signed-off-by: Lans Zhang <jia.zhang@windriver.com> | ||
| 12 | --- | ||
| 13 | src/evmctl.c | 79 +++++++++++++++++++++++++++++++++++++++++---------------- | ||
| 14 | src/libimaevm.c | 54 +++++++++++++++++++++++++-------------- | ||
| 15 | 2 files changed, 92 insertions(+), 41 deletions(-) | ||
| 16 | |||
| 17 | diff --git a/src/evmctl.c b/src/evmctl.c | ||
| 18 | index c54efbb..9156bcb 100644 | ||
| 19 | --- a/src/evmctl.c | ||
| 20 | +++ b/src/evmctl.c | ||
| 21 | @@ -314,7 +314,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) | ||
| 22 | struct stat st; | ||
| 23 | int err; | ||
| 24 | uint32_t generation = 0; | ||
| 25 | - EVP_MD_CTX ctx; | ||
| 26 | + EVP_MD_CTX *ctx; | ||
| 27 | unsigned int mdlen; | ||
| 28 | char **xattrname; | ||
| 29 | char xattr_value[1024]; | ||
| 30 | @@ -366,10 +366,17 @@ static int calc_evm_hash(const char *file, unsigned char *hash) | ||
| 31 | return -1; | ||
| 32 | } | ||
| 33 | |||
| 34 | - err = EVP_DigestInit(&ctx, EVP_sha1()); | ||
| 35 | + ctx = EVP_MD_CTX_create(); | ||
| 36 | + if (!ctx) { | ||
| 37 | + log_err("EVP_MD_CTX_create() failed\n"); | ||
| 38 | + return -1; | ||
| 39 | + } | ||
| 40 | + | ||
| 41 | + err = EVP_DigestInit(ctx, EVP_sha1()); | ||
| 42 | if (!err) { | ||
| 43 | log_err("EVP_DigestInit() failed\n"); | ||
| 44 | - return 1; | ||
| 45 | + err = 1; | ||
| 46 | + goto out; | ||
| 47 | } | ||
| 48 | |||
| 49 | for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) { | ||
| 50 | @@ -398,10 +405,11 @@ static int calc_evm_hash(const char *file, unsigned char *hash) | ||
| 51 | /*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/ | ||
| 52 | log_info("name: %s, size: %d\n", *xattrname, err); | ||
| 53 | log_debug_dump(xattr_value, err); | ||
| 54 | - err = EVP_DigestUpdate(&ctx, xattr_value, err); | ||
| 55 | + err = EVP_DigestUpdate(ctx, xattr_value, err); | ||
| 56 | if (!err) { | ||
| 57 | log_err("EVP_DigestUpdate() failed\n"); | ||
| 58 | - return 1; | ||
| 59 | + err = 1; | ||
| 60 | + goto out; | ||
| 61 | } | ||
| 62 | } | ||
| 63 | |||
| 64 | @@ -446,31 +454,38 @@ static int calc_evm_hash(const char *file, unsigned char *hash) | ||
| 65 | log_debug("hmac_misc (%d): ", hmac_size); | ||
| 66 | log_debug_dump(&hmac_misc, hmac_size); | ||
| 67 | |||
| 68 | - err = EVP_DigestUpdate(&ctx, &hmac_misc, hmac_size); | ||
| 69 | + err = EVP_DigestUpdate(ctx, &hmac_misc, hmac_size); | ||
| 70 | if (!err) { | ||
| 71 | log_err("EVP_DigestUpdate() failed\n"); | ||
| 72 | - return 1; | ||
| 73 | + err = 1; | ||
| 74 | + goto out; | ||
| 75 | } | ||
| 76 | |||
| 77 | if (!evm_immutable && !(hmac_flags & HMAC_FLAG_NO_UUID)) { | ||
| 78 | err = get_uuid(&st, uuid); | ||
| 79 | - if (err) | ||
| 80 | - return -1; | ||
| 81 | + if (err) { | ||
| 82 | + err = -1; | ||
| 83 | + goto out; | ||
| 84 | + } | ||
| 85 | |||
| 86 | - err = EVP_DigestUpdate(&ctx, (const unsigned char *)uuid, sizeof(uuid)); | ||
| 87 | + err = EVP_DigestUpdate(ctx, (const unsigned char *)uuid, sizeof(uuid)); | ||
| 88 | if (!err) { | ||
| 89 | log_err("EVP_DigestUpdate() failed\n"); | ||
| 90 | - return 1; | ||
| 91 | + err = 1; | ||
| 92 | + goto out; | ||
| 93 | } | ||
| 94 | } | ||
| 95 | |||
| 96 | - err = EVP_DigestFinal(&ctx, hash, &mdlen); | ||
| 97 | - if (!err) { | ||
| 98 | + if (!EVP_DigestFinal(ctx, hash, &mdlen)) { | ||
| 99 | log_err("EVP_DigestFinal() failed\n"); | ||
| 100 | - return 1; | ||
| 101 | - } | ||
| 102 | + err = 1; | ||
| 103 | + } else | ||
| 104 | + err = 0; | ||
| 105 | + | ||
| 106 | +out: | ||
| 107 | + EVP_MD_CTX_destroy(ctx); | ||
| 108 | |||
| 109 | - return mdlen; | ||
| 110 | + return err ?: mdlen; | ||
| 111 | } | ||
| 112 | |||
| 113 | static int sign_evm(const char *file, const char *key) | ||
| 114 | @@ -908,7 +923,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h | ||
| 115 | struct stat st; | ||
| 116 | int err = -1; | ||
| 117 | uint32_t generation = 0; | ||
| 118 | - HMAC_CTX ctx; | ||
| 119 | + HMAC_CTX *ctx = NULL; | ||
| 120 | unsigned int mdlen; | ||
| 121 | char **xattrname; | ||
| 122 | unsigned char xattr_value[1024]; | ||
| 123 | @@ -965,7 +980,17 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h | ||
| 124 | goto out; | ||
| 125 | } | ||
| 126 | |||
| 127 | - err = !HMAC_Init(&ctx, evmkey, sizeof(evmkey), EVP_sha1()); | ||
| 128 | +#if OPENSSL_VERSION_NUMBER < 0x10100000L | ||
| 129 | + ctx = malloc(sizeof(*ctx)); | ||
| 130 | +#else | ||
| 131 | + ctx = HMAC_CTX_new(); | ||
| 132 | +#endif | ||
| 133 | + if (!ctx) { | ||
| 134 | + log_err("HMAC_CTX_new() failed\n"); | ||
| 135 | + goto out; | ||
| 136 | + } | ||
| 137 | + | ||
| 138 | + err = !HMAC_Init(ctx, evmkey, sizeof(evmkey), EVP_sha1()); | ||
| 139 | if (err) { | ||
| 140 | log_err("HMAC_Init() failed\n"); | ||
| 141 | goto out; | ||
| 142 | @@ -984,7 +1009,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h | ||
| 143 | /*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/ | ||
| 144 | log_info("name: %s, size: %d\n", *xattrname, err); | ||
| 145 | log_debug_dump(xattr_value, err); | ||
| 146 | - err = !HMAC_Update(&ctx, xattr_value, err); | ||
| 147 | + err = !HMAC_Update(ctx, xattr_value, err); | ||
| 148 | if (err) { | ||
| 149 | log_err("HMAC_Update() failed\n"); | ||
| 150 | goto out_ctx_cleanup; | ||
| 151 | @@ -1025,17 +1050,27 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h | ||
| 152 | log_debug("hmac_misc (%d): ", hmac_size); | ||
| 153 | log_debug_dump(&hmac_misc, hmac_size); | ||
| 154 | |||
| 155 | - err = !HMAC_Update(&ctx, (const unsigned char *)&hmac_misc, hmac_size); | ||
| 156 | + err = !HMAC_Update(ctx, (const unsigned char *)&hmac_misc, hmac_size); | ||
| 157 | if (err) { | ||
| 158 | log_err("HMAC_Update() failed\n"); | ||
| 159 | goto out_ctx_cleanup; | ||
| 160 | } | ||
| 161 | - err = !HMAC_Final(&ctx, hash, &mdlen); | ||
| 162 | + err = !HMAC_Final(ctx, hash, &mdlen); | ||
| 163 | if (err) | ||
| 164 | log_err("HMAC_Final() failed\n"); | ||
| 165 | out_ctx_cleanup: | ||
| 166 | - HMAC_CTX_cleanup(&ctx); | ||
| 167 | +#if OPENSSL_VERSION_NUMBER < 0x10100000L | ||
| 168 | + HMAC_CTX_cleanup(ctx); | ||
| 169 | +#else | ||
| 170 | + HMAC_CTX_reset(ctx); | ||
| 171 | +#endif | ||
| 172 | out: | ||
| 173 | + if (ctx) | ||
| 174 | +#if OPENSSL_VERSION_NUMBER < 0x10100000L | ||
| 175 | + free(ctx); | ||
| 176 | +#else | ||
| 177 | + HMAC_CTX_free(ctx); | ||
| 178 | +#endif | ||
| 179 | free(key); | ||
| 180 | return err ?: mdlen; | ||
| 181 | } | ||
| 182 | diff --git a/src/libimaevm.c b/src/libimaevm.c | ||
| 183 | index eedffb4..3f23cac 100644 | ||
| 184 | --- a/src/libimaevm.c | ||
| 185 | +++ b/src/libimaevm.c | ||
| 186 | @@ -271,7 +271,7 @@ int ima_calc_hash(const char *file, uint8_t *hash) | ||
| 187 | { | ||
| 188 | const EVP_MD *md; | ||
| 189 | struct stat st; | ||
| 190 | - EVP_MD_CTX ctx; | ||
| 191 | + EVP_MD_CTX *ctx; | ||
| 192 | unsigned int mdlen; | ||
| 193 | int err; | ||
| 194 | |||
| 195 | @@ -288,41 +288,50 @@ int ima_calc_hash(const char *file, uint8_t *hash) | ||
| 196 | return 1; | ||
| 197 | } | ||
| 198 | |||
| 199 | - err = EVP_DigestInit(&ctx, md); | ||
| 200 | + ctx = EVP_MD_CTX_create(); | ||
| 201 | + if (!ctx) { | ||
| 202 | + log_err("EVP_MD_CTX_create() failed\n"); | ||
| 203 | + return 1; | ||
| 204 | + } | ||
| 205 | + | ||
| 206 | + err = EVP_DigestInit(ctx, md); | ||
| 207 | if (!err) { | ||
| 208 | log_err("EVP_DigestInit() failed\n"); | ||
| 209 | - return 1; | ||
| 210 | + err = 1; | ||
| 211 | + goto out; | ||
| 212 | } | ||
| 213 | |||
| 214 | switch (st.st_mode & S_IFMT) { | ||
| 215 | case S_IFREG: | ||
| 216 | - err = add_file_hash(file, &ctx); | ||
| 217 | + err = add_file_hash(file, ctx); | ||
| 218 | break; | ||
| 219 | case S_IFDIR: | ||
| 220 | - err = add_dir_hash(file, &ctx); | ||
| 221 | + err = add_dir_hash(file, ctx); | ||
| 222 | break; | ||
| 223 | case S_IFLNK: | ||
| 224 | - err = add_link_hash(file, &ctx); | ||
| 225 | + err = add_link_hash(file, ctx); | ||
| 226 | break; | ||
| 227 | case S_IFIFO: case S_IFSOCK: | ||
| 228 | case S_IFCHR: case S_IFBLK: | ||
| 229 | - err = add_dev_hash(&st, &ctx); | ||
| 230 | + err = add_dev_hash(&st, ctx); | ||
| 231 | break; | ||
| 232 | default: | ||
| 233 | log_errno("Unsupported file type"); | ||
| 234 | - return -1; | ||
| 235 | + err = -1; | ||
| 236 | } | ||
| 237 | |||
| 238 | if (err) | ||
| 239 | - return err; | ||
| 240 | + goto out; | ||
| 241 | |||
| 242 | - err = EVP_DigestFinal(&ctx, hash, &mdlen); | ||
| 243 | - if (!err) { | ||
| 244 | + if (!EVP_DigestFinal(ctx, hash, &mdlen)) { | ||
| 245 | log_err("EVP_DigestFinal() failed\n"); | ||
| 246 | - return 1; | ||
| 247 | + err = 1; | ||
| 248 | } | ||
| 249 | |||
| 250 | - return mdlen; | ||
| 251 | +out: | ||
| 252 | + EVP_MD_CTX_destroy(ctx); | ||
| 253 | + | ||
| 254 | + return err ?: mdlen; | ||
| 255 | } | ||
| 256 | |||
| 257 | RSA *read_pub_key(const char *keyfile, int x509) | ||
| 258 | @@ -549,6 +558,7 @@ int key2bin(RSA *key, unsigned char *pub) | ||
| 259 | { | ||
| 260 | int len, b, offset = 0; | ||
| 261 | struct pubkey_hdr *pkh = (struct pubkey_hdr *)pub; | ||
| 262 | + BIGNUM *n, *e; | ||
| 263 | |||
| 264 | /* add key header */ | ||
| 265 | pkh->version = 1; | ||
| 266 | @@ -558,18 +568,24 @@ int key2bin(RSA *key, unsigned char *pub) | ||
| 267 | |||
| 268 | offset += sizeof(*pkh); | ||
| 269 | |||
| 270 | - len = BN_num_bytes(key->n); | ||
| 271 | - b = BN_num_bits(key->n); | ||
| 272 | +#if OPENSSL_VERSION_NUMBER < 0x10100000L | ||
| 273 | + n = key->n; | ||
| 274 | + e = key->e; | ||
| 275 | +#else | ||
| 276 | + RSA_get0_key(key, (const BIGNUM **)&n, (const BIGNUM **)&e, NULL); | ||
| 277 | +#endif | ||
| 278 | + len = BN_num_bytes(n); | ||
| 279 | + b = BN_num_bits(n); | ||
| 280 | pub[offset++] = b >> 8; | ||
| 281 | pub[offset++] = b & 0xff; | ||
| 282 | - BN_bn2bin(key->n, &pub[offset]); | ||
| 283 | + BN_bn2bin(n, &pub[offset]); | ||
| 284 | offset += len; | ||
| 285 | |||
| 286 | - len = BN_num_bytes(key->e); | ||
| 287 | - b = BN_num_bits(key->e); | ||
| 288 | + len = BN_num_bytes(e); | ||
| 289 | + b = BN_num_bits(e); | ||
| 290 | pub[offset++] = b >> 8; | ||
| 291 | pub[offset++] = b & 0xff; | ||
| 292 | - BN_bn2bin(key->e, &pub[offset]); | ||
| 293 | + BN_bn2bin(e, &pub[offset]); | ||
| 294 | offset += len; | ||
| 295 | |||
| 296 | return offset; | ||
| 297 | -- | ||
| 298 | 2.7.5 | ||
| 299 | |||
diff --git a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils_git.bb b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils_git.bb index 0d0d703..bc98ce6 100644 --- a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils_git.bb +++ b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils_git.bb | |||
| @@ -3,16 +3,15 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263" | |||
| 3 | 3 | ||
| 4 | DEPENDS += "openssl attr keyutils" | 4 | DEPENDS += "openssl attr keyutils" |
| 5 | 5 | ||
| 6 | PV = "1.0+git${SRCPV}" | 6 | PV = "1.2.1+git${SRCPV}" |
| 7 | 7 | ||
| 8 | SRC_URI = "\ | 8 | SRC_URI = "\ |
| 9 | git://git.code.sf.net/p/linux-ima/ima-evm-utils \ | 9 | git://git.code.sf.net/p/linux-ima/ima-evm-utils;branch=ima-evm-utils-1.2.y \ |
| 10 | file://0001-Don-t-build-man-pages.patch \ | 10 | file://0001-Don-t-build-man-pages.patch \ |
| 11 | file://0001-Install-evmctl-to-sbindir-rather-than-bindir.patch \ | 11 | file://0001-Install-evmctl-to-sbindir-rather-than-bindir.patch \ |
| 12 | file://Fix-the-build-failure-with-openssl-1.1.x.patch \ | ||
| 13 | file://0001-ima-evm-utils-include-sys-types.h-in-header-to-fix-b.patch \ | 12 | file://0001-ima-evm-utils-include-sys-types.h-in-header-to-fix-b.patch \ |
| 14 | " | 13 | " |
| 15 | SRCREV = "3e2a67bdb0673581a97506262e62db098efef6d7" | 14 | SRCREV = "3eab1f93b634249c1720f65fcb495b1996f0256e" |
| 16 | 15 | ||
| 17 | S = "${WORKDIR}/git" | 16 | S = "${WORKDIR}/git" |
| 18 | 17 | ||