From b878aae4bd0c16e1d0dc37c66e5df27962b1bf14 Mon Sep 17 00:00:00 2001
From: James Antill
Date: Thu, 26 May 2022 09:49:12 -0400
Subject: [PATCH] Auto sync2gitlab import of ima-evm-utils-1.3.2-12.el8.src.rpm

---
 .gitignore | 2 +
 ...-not-observing-the-hashalgo-argument.patch | 38 ++++
 EMPTY | 1 -
 annocheck-opt-flag.patch | 19 ++
 covscan-memory-leaks.patch | 45 ++++
 docbook-xsl-path.patch | 12 +
 ima-evm-utils.spec | 208 ++++++++++++++++++
 libimaevm-keydesc-import.patch | 37 ++++
 sources | 2 +
 9 files changed, 363 insertions(+), 1 deletion(-)
 create mode 100644 .gitignore
 create mode 100644 0001-Fix-sign_hash-not-observing-the-hashalgo-argument.patch
 delete mode 100644 EMPTY
 create mode 100644 annocheck-opt-flag.patch
 create mode 100644 covscan-memory-leaks.patch
 create mode 100644 docbook-xsl-path.patch
 create mode 100644 ima-evm-utils.spec
 create mode 100644 libimaevm-keydesc-import.patch
 create mode 100644 sources

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..aa5d9e3
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+/ima-evm-utils-1.1.tar.gz
+/ima-evm-utils-1.3.2.tar.gz
diff --git a/0001-Fix-sign_hash-not-observing-the-hashalgo-argument.patch b/0001-Fix-sign_hash-not-observing-the-hashalgo-argument.patch
new file mode 100644
index 0000000..663ddc6
--- /dev/null
+++ b/0001-Fix-sign_hash-not-observing-the-hashalgo-argument.patch
@@ -0,0 +1,38 @@ +From ea10a33d26572eebde59565179f622b6fb240d04 Mon Sep 17 00:00:00 2001 +From: Patrick Uiterwijk +Date: Wed, 6 Jan 2021 10:43:34 +0100 +Subject: [PATCH] Fix sign_hash not observing the hashalgo argument + +This fixes sign_hash not using the correct algorithm for creating the +signature, by ensuring it uses the passed in variable value. + +Signed-off-by: Patrick Uiterwijk +--- + src/libimaevm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/libimaevm.c b/src/libimaevm.c +index fa6c27858d0f..72d5e67f6fdd 100644 +--- a/src/libimaevm.c ++++ b/src/libimaevm.c +@@ -916,7 +916,7 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash, + return -1; + } + +- log_info("hash(%s): ", imaevm_params.hash_algo); ++ log_info("hash(%s): ", algo); + log_dump(hash, size); + + pkey = read_priv_pkey(keyfile, imaevm_params.keypass); +@@ -942,7 +942,7 @@ static int sign_hash_v2(const char *algo, const unsigned char *hash, + if (!EVP_PKEY_sign_init(ctx)) + goto err; + st = "EVP_get_digestbyname"; +- if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo))) ++ if (!(md = EVP_get_digestbyname(algo))) + goto err; + st = "EVP_PKEY_CTX_set_signature_md"; + if (!EVP_PKEY_CTX_set_signature_md(ctx, md)) +-- +2.29.2 + diff --git a/EMPTY b/EMPTY deleted file mode 100644 index 0519ecb..0000000 --- a/EMPTY +++ /dev/null @@ -1 +0,0 @@ - \ No newline at end of file diff --git a/annocheck-opt-flag.patch b/annocheck-opt-flag.patch new file mode 100644 index 0000000..2ddf993 --- /dev/null +++ b/annocheck-opt-flag.patch 
@@ -0,0 +1,19 @@ +diff --git a/configure.ac b/configure.ac +index 6822f39..34e4a81 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -36,9 +36,9 @@ AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You n + #debug support - yes for a while + PKG_ARG_ENABLE(debug, "yes", DEBUG, [Enable Debug support]) + if test $pkg_cv_enable_debug = yes; then +- CFLAGS="$CFLAGS -g -O1 -Wall -Wstrict-prototypes -pipe" ++ CFLAGS="$CFLAGS -g -O2 -Wall -Wstrict-prototypes -pipe" + else +- CFLAGS="$CFLAGS -Wall -Wstrict-prototypes -pipe -fomit-frame-pointer" ++ CFLAGS="$CFLAGS -O2 -Wall -Wstrict-prototypes -pipe -fomit-frame-pointer" + fi + + # for gcov +-- +2.14.4 + diff --git a/covscan-memory-leaks.patch b/covscan-memory-leaks.patch new file mode 100644 index 0000000..25d6950 --- /dev/null +++ b/covscan-memory-leaks.patch @@ -0,0 +1,45 @@ +diff --git a/src/evmctl.c b/src/evmctl.c +index 2ffee78..b80a1c9 100644 +--- a/src/evmctl.c ++++ b/src/evmctl.c +@@ -1716,7 +1716,7 @@ static char *get_password(void) + + if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) { + perror("tcsetattr"); +- return NULL; ++ goto get_pwd_err; + } + + printf("PEM password: "); +@@ -1725,10 +1725,14 @@ static char *get_password(void) + /* restore terminal */ + if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) { + perror("tcsetattr"); +- return NULL; ++ goto get_pwd_err; + } + ++ free(password); + return pwd; ++get_pwd_err: ++ free(password); ++ return NULL; + } + + int main(int argc, char *argv[]) +diff --git a/src/libimaevm.c b/src/libimaevm.c +index 6fa0ed4..39582f2 100644 +--- a/src/libimaevm.c ++++ b/src/libimaevm.c +@@ -466,6 +466,8 @@ void init_public_keys(const char *keyfiles) + entry->next = public_keys; + public_keys = entry; + } ++ ++ free(tmp_keyfiles); + } + + int verify_hash_v2(const char *file, const unsigned char *hash, int size, +-- +2.14.4 + diff --git a/docbook-xsl-path.patch b/docbook-xsl-path.patch new file mode 100644 index 0000000..e4ee8e5 --- /dev/null 
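Review bot: In the get_password() hunk of covscan-memory-leaks.patch the success path now reads `free(password); return pwd;`, which returns a dangling pointer if `pwd` aliases `password` — the assignment to `pwd` is outside the hunk, but a `pwd = fgets(password, ...)` shape would make every caller read freed memory, so this needs confirming before the patch is carried. If the two are the same buffer, ownership should stay with the caller: keep `return pwd;` without the free and let the caller release it after use. On the new `get_pwd_err:` path the buffer may already hold the typed password once the prompt has been answered, so wipe it over its allocated length (memset, or explicit_bzero where available) before `free(password)` rather than freeing it as-is. The start of get_password() and the fgets call are outside the hunk.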
+++ b/docbook-xsl-path.patch @@ -0,0 +1,12 @@ +diff -urNp ima-evm-utils-1.0-orig/Makefile.am ima-evm-utils-1.0/Makefile.am +--- ima-evm-utils-1.0-orig/Makefile.am 2015-07-30 15:28:53.000000000 -0300 ++++ ima-evm-utils-1.0/Makefile.am 2017-11-20 16:20:04.245591165 -0200 +@@ -24,7 +24,7 @@ rpm: $(tarname) + rpmbuild -ba --nodeps $(SPEC) + + # requires asciidoc, xslproc, docbook-xsl +-MANPAGE_DOCBOOK_XSL = /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl ++MANPAGE_DOCBOOK_XSL = /usr/share/sgml/docbook/xsl-stylesheets/manpages/docbook.xsl + + evmctl.1.html: README + @asciidoc -o $@ $< diff --git a/ima-evm-utils.spec b/ima-evm-utils.spec new file mode 100644 index 0000000..af59d3b --- /dev/null +++ b/ima-evm-utils.spec 
@@ -0,0 +1,208 @@
+%global compat_soversion 0
+
+Name: ima-evm-utils
+Version: 1.3.2
+Release: 12%{?dist}
+Summary: IMA/EVM support utilities
+License: GPLv2
+Url: http://linux-ima.sourceforge.net/
+Source: http://sourceforge.net/projects/linux-ima/files/ima-evm-utils/%{name}-%{version}.tar.gz
+Source10: ima-evm-utils-1.1.tar.gz
+
+Patch0: 0001-Fix-sign_hash-not-observing-the-hashalgo-argument.patch
+# compat patches
+Patch1: docbook-xsl-path.patch
+Patch2: covscan-memory-leaks.patch
+Patch3: annocheck-opt-flag.patch
+Patch4: libimaevm-keydesc-import.patch
+
+BuildRequires: asciidoc
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: gcc
+BuildRequires: keyutils-libs-devel
+BuildRequires: libtool
+BuildRequires: libxslt
+BuildRequires: openssl-devel
+BuildRequires: tpm2-tss-devel
+# compat requirement
+BuildRequires: libattr-devel
+
+#Requires: tpm2-tss
+
+%description
+The Trusted Computing Group(TCG) run-time Integrity Measurement Architecture
+(IMA) maintains a list of hash values of executables and other sensitive
+system files, as they are read or executed. These are stored in the file
+systems extended attributes. The Extended Verification Module (EVM) prevents
+unauthorized changes to these extended attributes on the file system.
+ima-evm-utils is used to prepare the file system for these extended attributes.
+
+%package devel
+Summary: Development files for %{name}
+Requires: %{name} = %{version}-%{release}
+
+%description devel
+This package provides the header files for %{name}
+
+%package -n %{name}%{compat_soversion}
+Summary: Compatibility package of %{name}
+
+%description -n %{name}%{compat_soversion}
+This package provides the libimaevm.so.%{compat_soversion} relative to %{name}-1.1
+
+%prep
+%setup -q
+%patch0 -p1
+mkdir compat/
+tar -zxf %{SOURCE10} --strip-components=1 -C compat/
+cd compat/
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+
+%build
+# build compat version of the package
+pushd compat/
+autoreconf -vif
+%configure --disable-static
+%make_build
+popd
+
+autoreconf -vif
+%configure --disable-static
+%make_build
+
+%install
+%make_install
+find %{buildroot}%{_libdir} -type f -name "*.la" -print -delete
+# install compat libs
+pushd compat/src/.libs/
+install -p libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}.0.0
+ln -s -f %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}
+popd
+
+%ldconfig_scriptlets
+
+%files
+%license COPYING
+%doc NEWS README AUTHORS
+%{_bindir}/*
+# if you need to bump the soname version, coordinate with dependent packages
+%{_libdir}/libimaevm.so.2
+%{_libdir}/libimaevm.so.2.0.0
+%{_mandir}/man1/*
+
+%files devel
+%{_pkgdocdir}/*.sh
+%{_includedir}/*
+%{_libdir}/libimaevm.so
+
+%files -n %{name}%{compat_soversion}
+%{_libdir}/libimaevm.so.%{compat_soversion}
+%{_libdir}/libimaevm.so.%{compat_soversion}.0.0
+
+%changelog
+* Thu Feb 18 2021 Bruno Meneguele - 1.3.2-12
+- Add compat subpackage for keeping the API stability in userspace
+
+* Mon Jan 25 2021 Bruno Meneguele - 1.3.2-11
+- Bump release number for yet another rebuild
+
+* Mon Jan 25 2021 Bruno Meneguele - 1.3.2-10
+- Add patch for fixing hash algorithm used through libimaevm
+
+* Fri Jan 15 2021 Bruno Meneguele - 1.3.2-9
+- Add tpm2-tss as a runtime dependency
+
+* Sun Jan 10 2021 Michal Domonkos - 1.3.2-8
+- Bump release number for yet another couple of rebuilds
+
+* Wed Jan 06 2021 Bruno Meneguele - 1.3.2-4
+- Bump release number for yet another build for solving wrong target usage
+
+* Wed Jan 06 2021 Bruno Meneguele - 1.3.2-3
+- Bump release number for another build, handling build issues
+
+* Tue Dec 01 2020 Bruno Meneguele - 1.3.2-2
+- Bump release number for forcing a new build
+
+* Mon Nov 09 2020 Bruno Meneguele - 1.3.2-1
+- Rebase to upstream v1.3.2 version
+- Sync specfile with Fedora's version
+
+* Thu Mar 28 2019 Bruno E. O. Meneguele - 1.1-5
+- Add patch to correctly handle key description on keyring during importation
+
+* Mon Oct 29 2018 Bruno E. O. Meneguele - 1.1-4
+- Solve a single memory leak not handled by the last patch
+
+* Thu Oct 25 2018 Bruno E. O. Meneguele - 1.1-3
+- Solve memory leaks pointed by covscan tool
+- Add optimization flag O2 during compilation to satisfy annocheck tool
+
+* Fri Mar 02 2018 Bruno E. O. Meneguele - 1.1-2
+- Remove libtool files
+- Run ldconfig scriptlets after un/installing
+- Add -devel subpackage to handle include files and examples
+- Disable any static file in the package
+
+* Fri Feb 16 2018 Bruno E. O. Meneguele - 1.1-1
+- New upstream release
+- Support for OpenSSL 1.1 was added directly to the source code in upstream,
+ thus removing specific patch for it
+- Docbook xsl stylesheet updated to a local path
+
+* Wed Feb 07 2018 Fedora Release Engineering - 1.0-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Feb 02 2018 Igor Gnatenko - 1.0-4
+- Switch to %%ldconfig_scriptlets
+
+* Fri Dec 01 2017 Bruno E. O. Meneguele - 1.0-3
+- Add OpenSSL 1.1 API support for the package, avoiding the need of
+ compat-openssl10-devel package
+
+* Mon Nov 20 2017 Bruno E. O. Meneguele - 1.0-2
+- Adjusted docbook xsl path to match the correct stylesheet
+- Remove only *.la files, considering there aren't any *.a files
+
+* Tue Sep 05 2017 Bruno E. O. Meneguele - 1.0-1
+- New upstream release
+- Add OpenSSL 1.0 compatibility package, due to issues with OpenSSL 1.1
+- Remove libtool files
+- Run ldconfig after un/installation to update *.so files
+- Add -devel subpackage to handle include files and examples
+
+* Wed Aug 02 2017 Fedora Release Engineering - 0.9-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Wed Jul 26 2017 Fedora Release Engineering - 0.9-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Fri Feb 10 2017 Fedora Release Engineering - 0.9-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Thu Feb 04 2016 Fedora Release Engineering - 0.9-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+
+* Tue Jan 26 2016 Lubomir Rintel - 0.9-3
+- Fix FTBFS
+
+* Wed Jun 17 2015 Fedora Release Engineering - 0.9-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+
+* Fri Oct 31 2014 Avesh Agarwal - 0.9-1
+- New upstream release
+- Applied a patch to fix man page issues.
+- Updated spec file
+
+* Sat Aug 16 2014 Fedora Release Engineering - 0.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+
+* Sat Jun 07 2014 Fedora Release Engineering - 0.6-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
+
+* Tue Aug 27 2013 Vivek Goyal - 0.6-1
+- Initial package
diff --git a/libimaevm-keydesc-import.patch b/libimaevm-keydesc-import.patch
new file mode 100644
index 0000000..fb20ebc
--- /dev/null
+++ b/libimaevm-keydesc-import.patch
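Review bot: In %install the compat symlink is created with an absolute target that embeds the build root, `ln -s -f %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}`; on the installed system that target path does not exist, so libimaevm.so.%{compat_soversion} is a dangling link and the compat subpackage ships nothing the loader can resolve (brp check-buildroot is also likely to reject a payload containing the buildroot path). Use a relative target in the same directory: `ln -s -f libimaevm.so.%{compat_soversion}.0.0 %{buildroot}%{_libdir}/libimaevm.so.%{compat_soversion}`. Separately, `#Requires: tpm2-tss` is commented out while the 1.3.2-9 changelog entry records tpm2-tss as an added runtime dependency; either restore the Requires or add a comment explaining why it is disabled so the spec and its history agree. The Url/Source lines use plain http; the sources file pins SHA512 digests so download integrity is still verified, but https would also protect the fetch itself.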
@@ -0,0 +1,37 @@ +diff --git a/src/libimaevm.c b/src/libimaevm.c +index 6fa0ed4..b6f9b9f 100644 +--- a/src/libimaevm.c ++++ b/src/libimaevm.c +@@ -672,12 +672,11 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len + memcpy(keyid, sha1 + 12, 8); + log_debug("keyid: "); + log_debug_dump(keyid, 8); ++ id = __be64_to_cpup((__be64 *) keyid); ++ sprintf(str, "%llX", (unsigned long long)id); + +- if (params.verbose > LOG_INFO) { +- id = __be64_to_cpup((__be64 *) keyid); +- sprintf(str, "%llX", (unsigned long long)id); ++ if (params.verbose > LOG_INFO) + log_info("keyid-v1: %s\n", str); +- } + } + + void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key) +@@ -694,11 +693,10 @@ void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key) + memcpy(keyid, sha1 + 16, 4); + log_debug("keyid: "); + log_debug_dump(keyid, 4); ++ sprintf(str, "%x", __be32_to_cpup(keyid)); + +- if (params.verbose > LOG_INFO) { +- sprintf(str, "%x", __be32_to_cpup(keyid)); ++ if (params.verbose > LOG_INFO) + log_info("keyid: %s\n", str); +- } + + free(pkey); + } +-- +2.19.1 + diff --git a/sources b/sources new file mode 100644 index 0000000..ac3a7cc --- /dev/null +++ b/sources @@ -0,0 +1,2 @@ +SHA512 (ima-evm-utils-1.1.tar.gz) = fc7efc890812233db888eef210dc4357bee838b56fd95efd9a9e141d684b0b354670a3c053dd93a94a1402dd826074d4a83a4637c8e6c1d90ead3132354a5776 +SHA512 (ima-evm-utils-1.3.2.tar.gz) = af96935f953fbec8cdd40ba1a24001fae916633df03f9dee1e96775baec0ffea21a7a13798b3e3c3f375fd493a65fe65b5357887890b46cac0c4dcca5a5b79db
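Review bot: calc_keyid_v1() and calc_keyid_v2() now write `str` unconditionally through unbounded `sprintf`, whereas before the patch `str` was only touched when `params.verbose > LOG_INFO`; any existing caller that passes a NULL or undersized `str` in the non-verbose case turns into a NULL dereference or a stack/heap overflow. The visible formats do bound the output — `%llX` of a 64-bit value is at most 16 hex digits plus the terminator, `%x` of a 32-bit value at most 8 plus the terminator — so the minimum is a documented 17-byte (v1) and 9-byte (v2) buffer on both prototypes, or better a length parameter with `snprintf`. The callers are outside this hunk, so whether one of them relies on the old conditional write cannot be confirmed here and should be checked before the patch is carried into the compat build.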