From 8ff4d25a90d5d0c5ae011cd46a10fc1c4e238c32 Mon Sep 17 00:00:00 2001 From: Lans Zhang Date: Wed, 16 Aug 2017 14:56:23 +0800 Subject: ima-evm-utils: support to build with openssl-1.1.x Signed-off-by: Lans Zhang --- .../Fix-the-build-failure-with-openssl-1.1.x.patch | 299 +++++++++++++++++++++ .../ima-evm-utils/ima-evm-utils_git.bb | 1 + 2 files changed, 300 insertions(+) create mode 100644 meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/Fix-the-build-failure-with-openssl-1.1.x.patch diff --git a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/Fix-the-build-failure-with-openssl-1.1.x.patch b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/Fix-the-build-failure-with-openssl-1.1.x.patch new file mode 100644 index 0000000..5551678 --- /dev/null +++ b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils/Fix-the-build-failure-with-openssl-1.1.x.patch @@ -0,0 +1,299 @@ +From 61595d2d4eb9d6855680ea2f6d74492a4b7a553f Mon Sep 17 00:00:00 2001 +From: Lans Zhang +Date: Wed, 16 Aug 2017 14:32:03 +0800 +Subject: [PATCH] Fix the build failure with openssl-1.1.x + +- Clean up the opaqu EVP_MD_CTX and RSA. +- Similarly, HMAC_CTX is also opaqu. Note that there is no dynamic + allocation function like HMAC_CTX_create|new() available in 1.0.x. +- HMAC_CTX_cleanup() is replaced by HMAC_CTX_reset(). + +Signed-off-by: Lans Zhang +--- + src/evmctl.c | 79 +++++++++++++++++++++++++++++++++++++++++---------------- + src/libimaevm.c | 54 +++++++++++++++++++++++++-------------- + 2 files changed, 92 insertions(+), 41 deletions(-) + +diff --git a/src/evmctl.c b/src/evmctl.c +index c54efbb..9156bcb 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -314,7 +314,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) + struct stat st; + int err; + uint32_t generation = 0; +- EVP_MD_CTX ctx; ++ EVP_MD_CTX *ctx; + unsigned int mdlen; + char **xattrname; + char xattr_value[1024]; +@@ -366,10 +366,17 @@ static int calc_evm_hash(const char *file, unsigned char *hash) + return -1; + } + +- err = EVP_DigestInit(&ctx, EVP_sha1()); ++ ctx = EVP_MD_CTX_create(); ++ if (!ctx) { ++ log_err("EVP_MD_CTX_create() failed\n"); ++ return -1; ++ } ++ ++ err = EVP_DigestInit(ctx, EVP_sha1()); + if (!err) { + log_err("EVP_DigestInit() failed\n"); +- return 1; ++ err = 1; ++ goto out; + } + + for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) { +@@ -398,10 +405,11 @@ static int calc_evm_hash(const char *file, unsigned char *hash) + /*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/ + log_info("name: %s, size: %d\n", *xattrname, err); + log_debug_dump(xattr_value, err); +- err = EVP_DigestUpdate(&ctx, xattr_value, err); ++ err = EVP_DigestUpdate(ctx, xattr_value, err); + if (!err) { + log_err("EVP_DigestUpdate() failed\n"); +- return 1; ++ err = 1; ++ goto out; + } + } + +@@ -446,31 +454,38 @@ static int calc_evm_hash(const char *file, unsigned char *hash) + log_debug("hmac_misc (%d): ", hmac_size); + log_debug_dump(&hmac_misc, hmac_size); + +- err = EVP_DigestUpdate(&ctx, &hmac_misc, hmac_size); ++ err = EVP_DigestUpdate(ctx, &hmac_misc, hmac_size); + if (!err) { + log_err("EVP_DigestUpdate() failed\n"); +- return 1; ++ err = 1; ++ goto out; + } + + if (!evm_immutable && !(hmac_flags & HMAC_FLAG_NO_UUID)) { + err = get_uuid(&st, uuid); +- if (err) +- return -1; ++ if (err) { ++ err = -1; ++ goto out; ++ } + +- err = EVP_DigestUpdate(&ctx, (const unsigned char *)uuid, sizeof(uuid)); ++ err = EVP_DigestUpdate(ctx, (const unsigned char *)uuid, sizeof(uuid)); + if (!err) { + log_err("EVP_DigestUpdate() failed\n"); +- return 1; ++ err = 1; ++ goto out; + } + } + +- err = EVP_DigestFinal(&ctx, hash, &mdlen); +- if (!err) { ++ if (!EVP_DigestFinal(ctx, hash, &mdlen)) { + log_err("EVP_DigestFinal() failed\n"); +- return 1; +- } ++ err = 1; ++ } else ++ err = 0; ++ ++out: ++ EVP_MD_CTX_destroy(ctx); + +- return mdlen; ++ return err ?: mdlen; + } + + static int sign_evm(const char *file, const char *key) +@@ -908,7 +923,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h + struct stat st; + int err = -1; + uint32_t generation = 0; +- HMAC_CTX ctx; ++ HMAC_CTX *ctx = NULL; + unsigned int mdlen; + char **xattrname; + unsigned char xattr_value[1024]; +@@ -965,7 +980,17 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h + goto out; + } + +- err = !HMAC_Init(&ctx, evmkey, sizeof(evmkey), EVP_sha1()); ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ ctx = malloc(sizeof(*ctx)); ++#else ++ ctx = HMAC_CTX_new(); ++#endif ++ if (!ctx) { ++ log_err("HMAC_CTX_new() failed\n"); ++ goto out; ++ } ++ ++ err = !HMAC_Init(ctx, evmkey, sizeof(evmkey), EVP_sha1()); + if (err) { + log_err("HMAC_Init() failed\n"); + goto out; +@@ -984,7 +1009,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h + /*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/ + log_info("name: %s, size: %d\n", *xattrname, err); + log_debug_dump(xattr_value, err); +- err = !HMAC_Update(&ctx, xattr_value, err); ++ err = !HMAC_Update(ctx, xattr_value, err); + if (err) { + log_err("HMAC_Update() failed\n"); + goto out_ctx_cleanup; +@@ -1025,17 +1050,27 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h + log_debug("hmac_misc (%d): ", hmac_size); + log_debug_dump(&hmac_misc, hmac_size); + +- err = !HMAC_Update(&ctx, (const unsigned char *)&hmac_misc, hmac_size); ++ err = !HMAC_Update(ctx, (const unsigned char *)&hmac_misc, hmac_size); + if (err) { + log_err("HMAC_Update() failed\n"); + goto out_ctx_cleanup; + } +- err = !HMAC_Final(&ctx, hash, &mdlen); ++ err = !HMAC_Final(ctx, hash, &mdlen); + if (err) + log_err("HMAC_Final() failed\n"); + out_ctx_cleanup: +- HMAC_CTX_cleanup(&ctx); ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ HMAC_CTX_cleanup(ctx); ++#else ++ HMAC_CTX_reset(ctx); ++#endif + out: ++ if (ctx) ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ free(ctx); ++#else ++ HMAC_CTX_free(ctx); ++#endif + free(key); + return err ?: mdlen; + } +diff --git a/src/libimaevm.c b/src/libimaevm.c +index eedffb4..3f23cac 100644 +--- a/src/libimaevm.c ++++ b/src/libimaevm.c +@@ -271,7 +271,7 @@ int ima_calc_hash(const char *file, uint8_t *hash) + { + const EVP_MD *md; + struct stat st; +- EVP_MD_CTX ctx; ++ EVP_MD_CTX *ctx; + unsigned int mdlen; + int err; + +@@ -288,41 +288,50 @@ int ima_calc_hash(const char *file, uint8_t *hash) + return 1; + } + +- err = EVP_DigestInit(&ctx, md); ++ ctx = EVP_MD_CTX_create(); ++ if (!ctx) { ++ log_err("EVP_MD_CTX_create() failed\n"); ++ return 1; ++ } ++ ++ err = EVP_DigestInit(ctx, md); + if (!err) { + log_err("EVP_DigestInit() failed\n"); +- return 1; ++ err = 1; ++ goto out; + } + + switch (st.st_mode & S_IFMT) { + case S_IFREG: +- err = add_file_hash(file, &ctx); ++ err = add_file_hash(file, ctx); + break; + case S_IFDIR: +- err = add_dir_hash(file, &ctx); ++ err = add_dir_hash(file, ctx); + break; + case S_IFLNK: +- err = add_link_hash(file, &ctx); ++ err = add_link_hash(file, ctx); + break; + case S_IFIFO: case S_IFSOCK: + case S_IFCHR: case S_IFBLK: +- err = add_dev_hash(&st, &ctx); ++ err = add_dev_hash(&st, ctx); + break; + default: + log_errno("Unsupported file type"); +- return -1; ++ err = -1; + } + + if (err) +- return err; ++ goto out; + +- err = EVP_DigestFinal(&ctx, hash, &mdlen); +- if (!err) { ++ if (!EVP_DigestFinal(ctx, hash, &mdlen)) { + log_err("EVP_DigestFinal() failed\n"); +- return 1; ++ err = 1; + } + +- return mdlen; ++out: ++ EVP_MD_CTX_destroy(ctx); ++ ++ return err ?: mdlen; + } + + RSA *read_pub_key(const char *keyfile, int x509) +@@ -549,6 +558,7 @@ int key2bin(RSA *key, unsigned char *pub) + { + int len, b, offset = 0; + struct pubkey_hdr *pkh = (struct pubkey_hdr *)pub; ++ BIGNUM *n, *e; + + /* add key header */ + pkh->version = 1; +@@ -558,18 +568,24 @@ int key2bin(RSA *key, unsigned char *pub) + + offset += sizeof(*pkh); + +- len = BN_num_bytes(key->n); +- b = BN_num_bits(key->n); ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ n = key->n; ++ e = key->e; ++#else ++ RSA_get0_key(key, (const BIGNUM **)&n, (const BIGNUM **)&e, NULL); ++#endif ++ len = BN_num_bytes(n); ++ b = BN_num_bits(n); + pub[offset++] = b >> 8; + pub[offset++] = b & 0xff; +- BN_bn2bin(key->n, &pub[offset]); ++ BN_bn2bin(n, &pub[offset]); + offset += len; + +- len = BN_num_bytes(key->e); +- b = BN_num_bits(key->e); ++ len = BN_num_bytes(e); ++ b = BN_num_bits(e); + pub[offset++] = b >> 8; + pub[offset++] = b & 0xff; +- BN_bn2bin(key->e, &pub[offset]); ++ BN_bn2bin(e, &pub[offset]); + offset += len; + + return offset; +-- +2.7.5 + diff --git a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils_git.bb b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils_git.bb index 8ef322d..dbfd7c9 100644 --- a/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils_git.bb +++ b/meta-integrity/recipes-support/ima-evm-utils/ima-evm-utils_git.bb @@ -9,6 +9,7 @@ SRC_URI = "\ git://git.code.sf.net/p/linux-ima/ima-evm-utils \ file://0001-Don-t-build-man-pages.patch \ file://0001-Install-evmctl-to-sbindir-rather-than-bindir.patch \ + file://Fix-the-build-failure-with-openssl-1.1.x.patch \ " SRCREV = "3e2a67bdb0673581a97506262e62db098efef6d7" -- cgit v1.2.3-54-g00ecf