We truncated the diff of some files because they were too big. If you want to see the full diff for every file,
click here
.
Changes of Revision 2
_service:tar_scm:rpm.spec
Changed
@@ -1,6 +1,6 @@ Name: rpm Version: 4.18.2 -Release: 17 +Release: 20 Summary: RPM Package Manager License: GPL-2.0-or-later URL: https://rpm.org/ @@ -17,6 +17,7 @@ Patch9: Add-loongarch-architecture-support.patch Patch10: rpm-Add-sw64-architecture.patch Patch11: add-default-machine-name-to-support-loongarch.patch +Patch12: rpm-selinux-plugin-check-context-file-exist.patch Patch6000: backport-revert-Permit-building-rpm-from-git-without-pandoc.patch Patch6001: backport-Check-inside-root-when-querying-for-files.patch @@ -47,9 +48,16 @@ Patch6026: backport-Fix-V-option-usage-in-our-tests.patch Patch6027: backport-Remove-libtool-la-symlinks.patch Patch6028: backport-Specify-the-private-key-in-rpm-addsign.patch +Patch6029: backport-Use-EVP_PKEY_verify-to-verify-DSA-signatures.patch +Patch6030: backport-No-longer-use-the-low-level-API-in-openssl-3.patch +Patch6031: backport-Add-ECDSA-support-to-digest_openssl.patch +Patch6032: backport-Support-NIST-P-521.patch +Patch6033: backport-Allow-signing-with-ECDSA-keys.patch +Patch6034: backport-Support-ECDSA-in-key-parsing.patch Patch9000: Add-digest-list-plugin.patch Patch9001: Add-IMA-digest-list-support.patch +Patch9002: Support-sm2p256v1-of-ECDSA-and-sm3-of-hash.patch BuildRequires: gcc autoconf automake libtool make gawk popt-devel openssl-devel readline-devel BuildRequires: zlib-devel zstd-devel >= 1.3.8 xz-devel bzip2-devel libarchive-devel ima-evm-utils-devel @@ -335,6 +343,15 @@ %exclude %{_mandir}/man8/rpmspec.8* %changelog +* Tue Oct 29 2024 xujing<xujing125@huawei.com> - 4.18.2-20 +- Support sm2p256v1 of ECDSA and sm3 of hash + +* Sat Oct 26 2024 Funda Wang <fundawang@yeah.net> - 4.18.2-19 +- fix RPM_LD_FLAGS not got exported + +* Fri Oct 25 2024 hugel<xuce10@h-partners.com> - 4.18.2-18 +- Separate the SELinux patch from the IMA digest list patch + * Sun Sep 29 2024 hugel<gengqihu2@h-partners.com> - 4.18.2-17 - Fix testcase failed of rpm addsign 
@@ -414,7 +431,7 @@ * Tue Jun 20 2023 renhongxun<renhongxun@h-partners.com> - 4.18.1-1 - upgrade version to 4.18.1 -* Wed Jun 21 2023 renhongxun<renhongxun@h-partners.com> - 4.18.0-11 +* Tue Jun 20 2023 renhongxun<renhongxun@h-partners.com> - 4.18.0-11 - Fix per-file plugin hook regression introduced in 4.18 * Mon Jun 19 2023 renhongxun<renhongxun@h-partners.com> - 4.18.0-10
_service:tar_scm:Add-IMA-digest-list-support.patch
Changed
@@ -1,20 +1,20 @@ -From 92ed69a1e2051f202a2532c28cb0b17facda1924 Mon Sep 17 00:00:00 2001 +From 773107eccfa7f0da8547b2c5efe8cce996a35a91 Mon Sep 17 00:00:00 2001 From: zhoushuiqing <zhoushuiqing2@huawei.com> Date: Fri, 16 Jun 2023 11:35:21 +0800 Subject: PATCH Add IMA digest list support +Signed-off-by: xuce <xuce10@h-partners.com> --- build/files.c | 305 ++++++++++++++++++++++++++++++++++++++-- build/parsePreamble.c | 3 +- macros.in | 1 + plugins/Makefile.am | 4 + - plugins/selinux.c | 3 +- rpmio/rpmpgp_internal.c | 32 +---- rpmio/rpmpgp_internal.h | 29 ++++ - 7 files changed, 336 insertions(+), 41 deletions(-) + 6 files changed, 334 insertions(+), 40 deletions(-) diff --git a/build/files.c b/build/files.c -index eb008ab..3fc3551 100644 +index 44ac155..53a26b2 100644 --- a/build/files.c +++ b/build/files.c @@ -50,6 +50,8 @@ @@ -46,7 +46,7 @@ static void nullAttrRec(AttrRec ar) { memset(ar, 0, sizeof(*ar)); -@@ -992,6 +1000,139 @@ static int seenHardLink(FileRecords files, FileListRec flp, rpm_ino_t *fileid) +@@ -993,6 +1001,139 @@ static int seenHardLink(FileRecords files, FileListRec flp, rpm_ino_t *fileid) * @param pkg (sub) package * @param isSrc pass 1 for source packages 0 otherwise */ @@ -186,7 +186,7 @@ static void genCpioListAndHeader(FileList fl, Package pkg, int isSrc) { FileListRec flp; -@@ -1003,6 +1144,11 @@ static void genCpioListAndHeader(FileList fl, Package pkg, int isSrc) +@@ -1005,6 +1146,11 @@ static void genCpioListAndHeader(FileList fl, Package pkg, int isSrc) int override_date = 0; time_t source_date_epoch = 0; char *srcdate = getenv("SOURCE_DATE_EPOCH"); @@ -198,7 +198,7 @@ /* Limit the maximum date to SOURCE_DATE_EPOCH if defined * similar to the tar --clamp-mtime option -@@ -1200,13 +1346,18 @@ static void genCpioListAndHeader(FileList fl, Package pkg, int isSrc) +@@ -1203,13 +1349,18 @@ static void genCpioListAndHeader(FileList fl, Package pkg, int isSrc) if (fl->haveCaps) { headerPutString(h, RPMTAG_FILECAPS, flp->caps); } 
@@ -223,7 +223,7 @@ buf0 = '\0'; if (S_ISLNK(flp->fl_mode)) { ssize_t llen = readlink(flp->diskPath, buf, BUFSIZ-1); -@@ -1247,6 +1398,7 @@ static void genCpioListAndHeader(FileList fl, Package pkg, int isSrc) +@@ -1250,6 +1401,7 @@ static void genCpioListAndHeader(FileList fl, Package pkg, int isSrc) headerPutUint32(h, RPMTAG_FILEFLAGS, &(flp->flags) ,1); } @@ -231,7 +231,7 @@ pkg->dpathsnpaths = NULL; if (totalFileSize < UINT32_MAX) { -@@ -1285,6 +1437,7 @@ static void genCpioListAndHeader(FileList fl, Package pkg, int isSrc) +@@ -1287,6 +1439,7 @@ static void genCpioListAndHeader(FileList fl, Package pkg, int isSrc) /* Binary packages with dirNames cannot be installed by legacy rpm. */ (void) rpmlibNeedsFeature(pkg, "CompressedFileNames", "3.0.4-1"); } @@ -239,7 +239,7 @@ } static FileRecords FileRecordsFree(FileRecords files) -@@ -1359,8 +1512,8 @@ static int validFilename(const char *fn) +@@ -1361,8 +1514,8 @@ static int validFilename(const char *fn) * @param statp file stat (possibly NULL) * @return RPMRC_OK on success */ @@ -250,7 +250,7 @@ { size_t plen = strlen(diskPath); char bufplen + 1; -@@ -1371,6 +1524,10 @@ static rpmRC addFile(FileList fl, const char * diskPath, +@@ -1373,6 +1526,10 @@ static rpmRC addFile(FileList fl, const char * diskPath, gid_t fileGid; const char *fileUname; const char *fileGname; @@ -261,7 +261,7 @@ rpmRC rc = RPMRC_FAIL; /* assume failure */ /* Strip trailing slash. The special case of '/' path is handled below. */ -@@ -1406,6 +1563,33 @@ static rpmRC addFile(FileList fl, const char * diskPath, +@@ -1408,6 +1565,33 @@ static rpmRC addFile(FileList fl, const char * diskPath, if (*cpioPath == '\0') cpioPath = "/"; 
@@ -295,7 +295,7 @@ /* * Unless recursing, we dont have stat() info at hand. Handle the * various cases, preserving historical behavior wrt %dev(): -@@ -1543,6 +1727,8 @@ static rpmRC addFile(FileList fl, const char * diskPath, +@@ -1545,6 +1729,8 @@ static rpmRC addFile(FileList fl, const char * diskPath, } flp->flags = fl->cur.attrFlags; @@ -304,7 +304,7 @@ flp->specdFlags = fl->cur.specdFlags; flp->verifyFlags = fl->cur.verifyFlags; -@@ -1563,6 +1749,32 @@ exit: +@@ -1565,6 +1751,32 @@ exit: return rc; } @@ -337,7 +337,7 @@ /** * Add directory (and all of its files) to the package manifest. * @param fl package file tree walk data -@@ -2584,6 +2796,61 @@ static void addPackageFileList (struct FileList_s *fl, Package pkg, +@@ -2586,6 +2798,61 @@ static void addPackageFileList (struct FileList_s *fl, Package pkg, argvFree(fileNames); } @@ -399,7 +399,7 @@ static rpmRC processPackageFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags, Package pkg, int didInstall, int test) { -@@ -2597,6 +2861,10 @@ static rpmRC processPackageFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags, +@@ -2599,6 +2866,10 @@ static rpmRC processPackageFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags, if (readFilesManifest(spec, pkg, *fp)) return RPMRC_FAIL; } @@ -410,7 +410,7 @@ /* Init the file list structure */ memset(&fl, 0, sizeof(fl)); -@@ -2652,12 +2920,17 @@ static rpmRC processPackageFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags, +@@ -2654,12 +2925,17 @@ static rpmRC processPackageFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags, if (checkHardLinks(&fl.files)) (void) rpmlibNeedsFeature(pkg, "PartialHardlinkSets", "4.0.4-1"); @@ -428,7 +428,7 @@ return fl.processingFailed ? RPMRC_FAIL : RPMRC_OK; } -@@ -3126,6 +3399,7 @@ static void addPackageDeps(Package from, Package to, enum rpmTag_e tag) +@@ -3128,6 +3404,7 @@ static void addPackageDeps(Package from, Package to, enum rpmTag_e tag) rpmRC processBinaryFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags, int didInstall, int test) { 
@@ -436,7 +436,7 @@ Package pkg; rpmRC rc = RPMRC_OK; char *buildroot; -@@ -3142,7 +3416,14 @@ rpmRC processBinaryFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags, +@@ -3144,7 +3421,14 @@ rpmRC processBinaryFiles(rpmSpec spec, rpmBuildPkgFlags pkgFlags, check_fileList = newStringBuf(); genSourceRpmName(spec); buildroot = rpmGenPath(spec->rootDir, spec->buildRoot, NULL); @@ -452,7 +452,7 @@ if (rpmExpandNumeric("%{?_debuginfo_subpackages}")) { maindbg = findDebuginfoPackage(spec); if (maindbg) { -@@ -3248,6 +3529,7 @@ exit: +@@ -3250,6 +3534,7 @@ exit: check_fileList = freeStringBuf(check_fileList); _free(buildroot); _free(uniquearch); @@ -476,10 +476,10 @@ } if (rpmCharCheck(spec, field, ALLOWED_CHARS_VERREL, NULL)) diff --git a/macros.in b/macros.in -index 949fd7d..c00d270 100644 +index 4c7073c..6093898 100644 --- a/macros.in +++ b/macros.in -@@ -1135,6 +1135,7 @@ package or when debugging this package.\ +@@ -1155,6 +1155,7 @@ package or when debugging this package.\ %__transaction_prioreset %{__plugindir}/prioreset.so %__transaction_audit %{__plugindir}/audit.so %__transaction_dbus_announce %{__plugindir}/dbus_announce.so @@ -499,22 +499,8 @@ +digest_list_la_sources = digest_list.c +digest_list_la_LIBADD = $(top_builddir)/lib/librpm.la $(top_builddir)/rpmio/librpmio.la +plugins_LTLIBRARIES += digest_list.la -diff --git a/plugins/selinux.c b/plugins/selinux.c -index 316ff88..ac1e354 100644 ---- a/plugins/selinux.c -+++ b/plugins/selinux.c -@@ -64,7 +64,8 @@ static rpmRC selinux_tsm_pre(rpmPlugin plugin, rpmts ts) - rpmRC rc = RPMRC_OK; - - /* If SELinux isn't enabled on the system, dont mess with it */ -- if (!is_selinux_enabled()) { -+ if (!is_selinux_enabled() || selinux_file_context_path() == NULL || -+ access(selinux_file_context_path(), F_OK)) { - rpmtsSetFlags(ts, (rpmtsFlags(ts) | RPMTRANS_FLAG_NOCONTEXTS)); - } -
_service:tar_scm:Support-sm2p256v1-of-ECDSA-and-sm3-of-hash.patch
Added
@@ -0,0 +1,251 @@ +From 32ab7eb58556d41df302af8166a77f2f2bf38754 Mon Sep 17 00:00:00 2001 +From: xujing <xujing125@huawei.com> +Date: Wed, 18 Sep 2024 15:57:34 +0800 +Subject: PATCH Support sm2p256v1 of ECDSA and sm3 of hash + +--- + include/rpm/rpmcrypto.h | 1 + + include/rpm/rpmpgp.h | 2 ++ + macros.in | 4 +++ + rpmio/digest_libgcrypt.c | 6 ++++ + rpmio/digest_openssl.c | 69 +++++++++++++++++++++++++++++++++++++++- + rpmio/rpmpgp_internal.c | 1 + + rpmio/rpmpgpval.h | 1 + + sign/rpmsignfiles.c | 4 +++ + 8 files changed, 87 insertions(+), 1 deletion(-) + +diff --git a/include/rpm/rpmcrypto.h b/include/rpm/rpmcrypto.h +index 69d329f..ef36e7a 100644 +--- a/include/rpm/rpmcrypto.h ++++ b/include/rpm/rpmcrypto.h +@@ -27,6 +27,7 @@ typedef enum rpmHashAlgo_e { + RPM_HASH_SHA384 = 9, /*!< SHA384 */ + RPM_HASH_SHA512 = 10, /*!< SHA512 */ + RPM_HASH_SHA224 = 11, /*!< SHA224 */ ++ RPM_HASH_SM3 = 109, /*!< SM3, the definition is the same as that of libgcrypt */ + } rpmHashAlgo; + + /** \ingroup rpmcrypto +diff --git a/include/rpm/rpmpgp.h b/include/rpm/rpmpgp.h +index a3238a6..0d46941 100644 +--- a/include/rpm/rpmpgp.h ++++ b/include/rpm/rpmpgp.h +@@ -274,6 +274,7 @@ typedef enum pgpHashAlgo_e { + PGPHASHALGO_SHA384 = 9, /*!< SHA384 */ + PGPHASHALGO_SHA512 = 10, /*!< SHA512 */ + PGPHASHALGO_SHA224 = 11, /*!< SHA224 */ ++ PGPHASHALGO_SM3 = 109, /*!< SM3, the definition is the same as that of libgcrypt */ + } pgpHashAlgo; + + /** \ingroup rpmpgp +@@ -290,6 +291,7 @@ typedef enum pgpCurveId_e { + PGPCURVE_BRAINPOOL_P512R1 = 5, /*!< brainpoolP512r1 */ + PGPCURVE_ED25519 = 6, /*!< Ed25519 */ + PGPCURVE_CURVE25519 = 7, /*!< Curve25519 */ ++ PGPCURVE_SM2P256V1 = 8, /*!< sm2p256v1 */ + } pgpCurveId; + + /** \ingroup rpmpgp +diff --git a/macros.in b/macros.in +index 11c70be..1b05672 100644 +--- a/macros.in ++++ b/macros.in +@@ -597,6 +597,10 @@ package or when debugging this package.\ + -sbo %{shescape:%{?__signature_filename}} \ + %{?__plaintext_filename:-- 
%{shescape:%{__plaintext_filename}}} + ++# The sm3 hash algorithm and sm2p256v1 encryption and decryption algorithm ++# in ECDSA are disabled by default. ++%_enable_sm2p256v1_sm3_algo 0 ++ + #============================================================================== + # ---- Transaction macros. + # Macro(s) used to parameterize transactions. +diff --git a/rpmio/digest_libgcrypt.c b/rpmio/digest_libgcrypt.c +index 7a75d2d..d14cc52 100644 +--- a/rpmio/digest_libgcrypt.c ++++ b/rpmio/digest_libgcrypt.c +@@ -42,6 +42,9 @@ size_t rpmDigestLength(int hashalgo) + return 28; + case RPM_HASH_SHA256: + return 32; ++ case RPM_HASH_SM3: ++ if (rpmExpandNumeric("%{?_enable_sm2p256v1_sm3_algo}")) ++ return 32; + case RPM_HASH_SHA384: + return 48; + case RPM_HASH_SHA512: +@@ -66,6 +69,9 @@ static int hashalgo2gcryalgo(int hashalgo) + return GCRY_MD_SHA384; + case RPM_HASH_SHA512: + return GCRY_MD_SHA512; ++ case RPM_HASH_SM3: ++ if (rpmExpandNumeric("%{?_enable_sm2p256v1_sm3_algo}")) ++ return GCRY_MD_SM3; + default: + return 0; + } +diff --git a/rpmio/digest_openssl.c b/rpmio/digest_openssl.c +index eb9fbaa..92b8113 100644 +--- a/rpmio/digest_openssl.c ++++ b/rpmio/digest_openssl.c +@@ -9,6 +9,7 @@ + #include <openssl/ec.h> + + #include <rpm/rpmcrypto.h> ++#include <rpm/rpmmacro.h> + #include "rpmio/rpmpgp_internal.h" + + +@@ -188,6 +189,10 @@ static const EVP_MD *getEVPMD(int hashalgo) + case RPM_HASH_SHA224: + return EVP_sha224(); + ++ case RPM_HASH_SM3: ++ if (rpmExpandNumeric("%{?_enable_sm2p256v1_sm3_algo}")) ++ return EVP_sm3(); ++ + default: + return EVP_md_null(); + } +@@ -837,6 +842,14 @@ static int constructECDSASigningKey(struct pgpDigKeyECDSA_s *key, int curve) + OSSL_PARAM_END + }; + key->evp_pkey = construct_pkey_from_param(EVP_PKEY_EC, params); ++ } else if (curve == PGPCURVE_SM2P256V1 && ++ rpmExpandNumeric("%{?_enable_sm2p256v1_sm3_algo}")) { ++ OSSL_PARAM params = { ++ OSSL_PARAM_utf8_string("group", "SM2", 3), ++ OSSL_PARAM_octet_string("pub", key->q, 
key->qlen), ++ OSSL_PARAM_END ++ }; ++ key->evp_pkey = construct_pkey_from_param(EVP_PKEY_SM2, params); + } + return key->evp_pkey ? 1 : 0; + #else +@@ -950,6 +963,46 @@ static void pgpFreeSigECDSA(pgpDigAlg pgpsig) + free(pgpsig->data); + } + ++/* Source of zin information refer to https://datatracker.ietf.org/doc/html/draft-shen-sm2-ecdsa-02.html#appendix-D */ ++const unsigned char zin_default = { ++ 0x00, 0x80, /* id length */ ++ 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x31, 0x32, 0x33, 0x34, ++ 0x35, 0x36, 0x37, 0x38, /* default id: 1234567812345678 */ ++ 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfc, /* sm2 a */ ++ 0x28, 0xe9, 0xfa, 0x9e, 0x9d, 0x9f, 0x5e, 0x34, 0x4d, 0x5a, 0x9e, 0x4b, ++ 0xcf, 0x65, 0x09, 0xa7, 0xf3, 0x97, 0x89, 0xf5, 0x15, 0xab, 0x8f, 0x92, ++ 0xdd, 0xbc, 0xbd, 0x41, 0x4d, 0x94, 0x0e, 0x93, /* sm2 b */ ++ 0x32, 0xc4, 0xae, 0x2c, 0x1f, 0x19, 0x81, 0x19, 0x5f, 0x99, 0x04, 0x46, ++ 0x6a, 0x39, 0xc9, 0x94, 0x8f, 0xe3, 0x0b, 0xbf, 0xf2, 0x66, 0x0b, 0xe1, ++ 0x71, 0x5a, 0x45, 0x89, 0x33, 0x4c, 0x74, 0xc7, /* sm2 x */ ++ 0xbc, 0x37, 0x36, 0xa2, 0xf4, 0xf6, 0x77, 0x9c, 0x59, 0xbd, 0xce, 0xe3, ++ 0x6b, 0x69, 0x21, 0x53, 0xd0, 0xa9, 0x87, 0x7c, 0xc6, 0x2a, 0x47, 0x40, ++ 0x02, 0xdf, 0x32, 0xe5, 0x21, 0x39, 0xf0, 0xa0 /* sm2 y */ ++}; ++ ++static int calculate_sm2_hash(struct pgpDigKeyECDSA_s *key, uint8_t *msg, size_t msglen, uint8_t *hash) ++{ ++ unsigned char z32; ++ ++ EVP_MD_CTX *ctx = EVP_MD_CTX_new(); ++ ++ EVP_DigestInit(ctx, EVP_sm3()); ++ EVP_DigestUpdate(ctx, zin_default, sizeof(zin_default)); ++ EVP_DigestUpdate(ctx, key->q + 1, key->qlen - 1); ++ EVP_DigestFinal_ex(ctx, z, NULL); ++ ++ EVP_DigestInit(ctx, EVP_sm3()); ++ EVP_DigestUpdate(ctx, z, sizeof(z)); ++ EVP_DigestUpdate(ctx, msg, msglen); ++ EVP_DigestFinal_ex(ctx, hash, NULL); ++ ++ EVP_MD_CTX_free(ctx); ++ ++ return 0; ++} ++ 
+ static int pgpVerifySigECDSA(pgpDigAlg pgpkey, pgpDigAlg pgpsig, + uint8_t *hash, size_t hashlen, int hash_algo) + { +@@ -959,6 +1012,8 @@ static int pgpVerifySigECDSA(pgpDigAlg pgpkey, pgpDigAlg pgpsig, + unsigned char *xsig = NULL; /* signature encoded for X509 */ + size_t xsig_len = 0; + EVP_PKEY_CTX *pkey_ctx = NULL; ++ uint8_t *hash_to_use = hash; ++ uint8_t sm2_hash32 = { 0 }; + + if (!constructECDSASigningKey(key, pgpkey->curve)) + goto done; +@@ -974,7 +1029,16 @@ static int pgpVerifySigECDSA(pgpDigAlg pgpkey, pgpDigAlg pgpsig, + if (EVP_PKEY_verify_init(pkey_ctx) != 1) + goto done; + +- if (EVP_PKEY_verify(pkey_ctx, xsig, xsig_len, hash, hashlen) == 1) ++ if (pgpkey->curve == PGPCURVE_SM2P256V1) { ++ if (rpmExpandNumeric("%{?_enable_sm2p256v1_sm3_algo}")) { ++ calculate_sm2_hash(key, hash, hashlen, sm2_hash); ++ hash_to_use = sm2_hash; ++ } else { ++ goto done; ++ } ++ } ++ ++ if (EVP_PKEY_verify(pkey_ctx, xsig, xsig_len, hash_to_use, hashlen) == 1) + { + /* Success */ + rc = 0;
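Review bot: In the `pgpVerifySigECDSA` change, the SM2 branch swaps in the local `sm2_hash` buffer but still passes the caller's `hashlen` to `EVP_PKEY_verify`, so a signature whose digest is longer than that buffer would make OpenSSL read past it on the stack (the 32-byte size is inferred; the page prints `sm2_hash32`, which looks like a stripped `[32]`). Carry the length with the pointer, e.g. `size_t hash_to_use_len = hashlen;`, set `hash_to_use_len = sizeof(sm2_hash);` in the SM2 branch, and pass `hash_to_use_len` to `EVP_PKEY_verify`. `calculate_sm2_hash` also ignores a NULL from `EVP_MD_CTX_new()` and every `EVP_Digest*` return value and always returns 0, and the caller discards that result; it should return non-zero on any failure and the caller should `goto done`. Separately, in `rpmDigestLength` (digest_libgcrypt.c) the new `case RPM_HASH_SM3:` falls through to `case RPM_HASH_SHA384: return 48;` when the macro is off, so a `return 0;` after the `if` is needed there. The patch text is cut short on this page, so the changes to the remaining files could not be checked.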
_service:tar_scm:Unbundle-config-site-and-add-RPM-LD-FLAGS-macro.patch
Changed
@@ -20,7 +20,7 @@
 RPM_OS=\"%{_os}\"\
 RPM_BUILD_NCPUS=\"%{_smp_build_ncpus}\"\
 - export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS RPM_BUILD_NCPUS\
-+ export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS RPM_BUILD_NCPUS RPM_OPT_FLAGS\
++ export RPM_SOURCE_DIR RPM_BUILD_DIR RPM_OPT_FLAGS RPM_ARCH RPM_OS RPM_BUILD_NCPUS RPM_LD_FLAGS\
 RPM_DOC_DIR=\"%{_docdir}\"\
 export RPM_DOC_DIR\
 RPM_PACKAGE_NAME=\"%{NAME}\"\
_service:tar_scm:backport-Add-ECDSA-support-to-digest_openssl.patch
Added
@@ -0,0 +1,263 @@ +From d2d35d1acb89d4113647a9aad2d049808112b935 Mon Sep 17 00:00:00 2001 +From: Michael Schroeder <mls@suse.de> +Date: Wed, 17 Apr 2024 14:07:53 +0200 +Subject: PATCH Add ECDSA support to digest_openssl + +Conflict:modify digest_openssl.c in rpmio; adapt context +Reference:https://github.com/rpm-software-management/rpmpgp_legacy/commit/783a5ea3851b8509eb11a4998d6e4ea41cc7ba38 +--- + rpmio/digest_openssl.c | 208 ++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 207 insertions(+), 1 deletion(-) + +diff --git a/rpmio/digest_openssl.c b/rpmio/digest_openssl.c +index 4d930c9..c8eb15f 100644 +--- a/rpmio/digest_openssl.c ++++ b/rpmio/digest_openssl.c +@@ -6,6 +6,7 @@ + #endif + #include <openssl/rsa.h> + #include <openssl/dsa.h> ++#include <openssl/ec.h> + + #include <rpm/rpmcrypto.h> + #include "rpmio/rpmpgp_internal.h" +@@ -801,6 +802,181 @@ done: + return rc; + } + ++/****************************** ECDSA ***************************************/ ++ ++struct pgpDigKeyECDSA_s { ++ EVP_PKEY *evp_pkey; /* Fully constructed key */ ++ unsigned char *q; /* compressed point */ ++ int qlen; ++}; ++ ++static int constructECDSASigningKey(struct pgpDigKeyECDSA_s *key, int curve) ++{ ++ if (key->evp_pkey) ++ return 1; /* We've already constructed it, so just reuse it */ ++ ++#if OPENSSL_VERSION_MAJOR >= 3 ++ if (curve == PGPCURVE_NIST_P_256) { ++ OSSL_PARAM params = { ++ OSSL_PARAM_utf8_string("group", "P-256", 5), ++ OSSL_PARAM_octet_string("pub", key->q, key->qlen), ++ OSSL_PARAM_END ++ }; ++ key->evp_pkey = construct_pkey_from_param(EVP_PKEY_EC, params); ++ } else if (curve == PGPCURVE_NIST_P_384) { ++ OSSL_PARAM params = { ++ OSSL_PARAM_utf8_string("group", "P-384", 5), ++ OSSL_PARAM_octet_string("pub", key->q, key->qlen), ++ OSSL_PARAM_END ++ }; ++ key->evp_pkey = construct_pkey_from_param(EVP_PKEY_EC, params); ++ } ++ return key->evp_pkey ? 
1 : 0; ++#else ++ /* Create the EC key */ ++ EC_KEY *ec = NULL; ++ if (curve == PGPCURVE_NIST_P_256) ++ ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); ++ else if (curve == PGPCURVE_NIST_P_384) ++ ec = EC_KEY_new_by_curve_name(NID_secp384r1); ++ if (!ec) ++ return 0; ++ ++ if (!EC_KEY_oct2key(ec, key->q, key->qlen, NULL)) ++ goto exit; ++ ++ /* Create an EVP_PKEY container to abstract the key-type. */ ++ if (!(key->evp_pkey = EVP_PKEY_new())) ++ goto exit; ++ ++ /* Assign the EC key to the EVP_PKEY structure. ++ This will take over memory management of the RSA key */ ++ if (!EVP_PKEY_assign_EC_KEY(key->evp_pkey, ec)) { ++ EVP_PKEY_free(key->evp_pkey); ++ key->evp_pkey = NULL; ++ goto exit; ++ } ++ return 1; ++ ++exit: ++ EC_KEY_free(ec); ++ return 0; ++#endif ++} ++ ++static int pgpSetKeyMpiECDSA(pgpDigAlg pgpkey, int num, const uint8_t *p) ++{ ++ size_t mlen = pgpMpiLen(p) - 2; ++ struct pgpDigKeyECDSA_s *key = pgpkey->data; ++ int rc = 1; ++ ++ if (!key) ++ key = pgpkey->data = xcalloc(1, sizeof(*key)); ++ if (num == 0 && !key->q && mlen > 1 && p2 == 0x04) { ++ key->qlen = mlen; ++ key->q = xmalloc(key->qlen); ++ memcpy(key->q, p + 2, key->qlen), ++ rc = 0; ++ } ++ return rc; ++} ++ ++static void pgpFreeKeyECDSA(pgpDigAlg pgpkey) ++{ ++ struct pgpDigKeyECDSA_s *key = pgpkey->data; ++ if (key) { ++ if (key->q) ++ free(key->q); ++ if (key->evp_pkey) ++ EVP_PKEY_free(key->evp_pkey); ++ free(key); ++ } ++} ++ ++struct pgpDigSigECDSA_s { ++ unsigned char *r; ++ int rlen; ++ unsigned char *s; ++ int slen; ++}; ++ ++static int pgpSetSigMpiECDSA(pgpDigAlg pgpsig, int num, const uint8_t *p) ++{ ++ int mlen = pgpMpiLen(p) - 2; ++ int rc = 1; ++ ++ struct pgpDigSigECDSA_s *sig = pgpsig->data; ++ if (!sig) { ++ sig = xcalloc(1, sizeof(*sig)); ++ pgpsig->data = sig; ++ } ++ ++ switch (num) { ++ case 0: ++ if (sig->r) ++ return 1; /* This should only ever happen once per signature */ ++ sig->rlen = mlen; ++ sig->r = memcpy(xmalloc(mlen), p + 2, mlen); ++ rc = 0; ++ break; 
++ case 1: ++ if (sig->s) ++ return 1; /* This should only ever happen once per signature */ ++ sig->slen = mlen; ++ sig->s = memcpy(xmalloc(mlen), p + 2, mlen); ++ rc = 0; ++ break; ++ } ++ ++ return rc; ++} ++ ++static void pgpFreeSigECDSA(pgpDigAlg pgpsig) ++{ ++ struct pgpDigSigECDSA_s *sig = pgpsig->data; ++ if (sig) { ++ free(sig->r); ++ free(sig->s); ++ } ++ free(pgpsig->data); ++} ++ ++static int pgpVerifySigECDSA(pgpDigAlg pgpkey, pgpDigAlg pgpsig, ++ uint8_t *hash, size_t hashlen, int hash_algo) ++{ ++ int rc = 1; /* assume failure */ ++ struct pgpDigSigECDSA_s *sig = pgpsig->data; ++ struct pgpDigKeyECDSA_s *key = pgpkey->data; ++ unsigned char *xsig = NULL; /* signature encoded for X509 */ ++ size_t xsig_len = 0; ++ EVP_PKEY_CTX *pkey_ctx = NULL; ++ ++ if (!constructECDSASigningKey(key, pgpkey->curve)) ++ goto done; ++ ++ xsig = constructDSASignature(sig->r, sig->rlen, sig->s, sig->slen, &xsig_len); ++ if (!xsig) ++ goto done; ++ ++ pkey_ctx = EVP_PKEY_CTX_new(key->evp_pkey, NULL); ++ if (!pkey_ctx) ++ goto done; ++ ++ if (EVP_PKEY_verify_init(pkey_ctx) != 1) ++ goto done; ++ ++ if (EVP_PKEY_verify(pkey_ctx, xsig, xsig_len, hash, hashlen) == 1) ++ { ++ /* Success */ ++ rc = 0; ++ } ++ ++done: ++ if (pkey_ctx) ++ EVP_PKEY_CTX_free(pkey_ctx);
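Review bot: `pgpSetKeyMpiECDSA` and `pgpSetSigMpiECDSA` copy `pgpMpiLen(p) - 2` bytes from `p + 2` without knowing where the packet ends, so they are only safe if the caller has already checked that the whole MPI lies inside the buffer; that check is not visible in this patch. A comment on both functions such as `/* caller must ensure the MPI at p fits within the packet */` would document the dependency. In `pgpSetKeyMpiECDSA` the statement `memcpy(key->q, p + 2, key->qlen), rc = 0;` ends in a comma operator and should be two statements, and the comment "This will take over memory management of the RSA key" in `constructECDSASigningKey` should say EC key. The patch is cut off on this page after the `done:` label of `pgpVerifySigECDSA`.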
_service:tar_scm:backport-Allow-signing-with-ECDSA-keys.patch
Added
@@ -0,0 +1,29 @@
+From ef0afa856a609bea765dbccaebb75ceeddd202f3 Mon Sep 17 00:00:00 2001
+From: Michael Schroeder <mls@suse.de>
+Date: Fri, 12 Apr 2024 14:40:29 +0200
+Subject: PATCH Allow signing with ECDSA keys
+
+Conflict:NA
+Reference:https://github.com/rpm-software-management/rpm/commit/ef0afa856a609bea765dbccaebb75ceeddd202f3
+
+Key import and verification already works, it's just that rpm
+does not know where to put the signature.
+---
+ sign/rpmgensig.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sign/rpmgensig.c b/sign/rpmgensig.c
+index d7d08a2a3..4d2bbc31f 100644
+--- a/sign/rpmgensig.c
++++ b/sign/rpmgensig.c
+@@ -158,6 +158,7 @@ static rpmtd makeSigTag(Header sigh, int ishdr, uint8_t *pkt, size_t pktlen)
+ pubkey_algo = pgpDigParamsAlgo(sigp, PGPVAL_PUBKEYALGO);
+ switch (pubkey_algo) {
+ case PGPPUBKEYALGO_DSA:
++ case PGPPUBKEYALGO_ECDSA:
+ case PGPPUBKEYALGO_EDDSA:
+ sigtag = ishdr ? RPMSIGTAG_DSA : RPMSIGTAG_GPG;
+ break;
+--
+2.23.0
+
_service:tar_scm:backport-No-longer-use-the-low-level-API-in-openssl-3.patch
Added
@@ -0,0 +1,138 @@ +From 408f2053da61fa80c5a306b8f87cdd70a7c57a62 Mon Sep 17 00:00:00 2001 +From: Michael Schroeder <mls@suse.de> +Date: Wed, 17 Apr 2024 13:05:28 +0200 +Subject: PATCH No longer use the low level API in openssl-3 + +Conflict:modify digest_openssl.c in rpmio; adapt context +Reference:https://github.com/rpm-software-management/rpmpgp_legacy/commit/de96811994b28d8fb43dfb101a9cbca263eb1ce5 + +Instead, construct the key with EVP_PKEY_fromdata() +--- + rpmio/digest_openssl.c | 73 +++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 72 insertions(+), 1 deletion(-) + +diff --git a/rpmio/digest_openssl.c b/rpmio/digest_openssl.c +index 41d77d0..4d930c9 100644 +--- a/rpmio/digest_openssl.c ++++ b/rpmio/digest_openssl.c +@@ -1,10 +1,13 @@ + #include "system.h" + + #include <openssl/evp.h> ++#if OPENSSL_VERSION_MAJOR >= 3 ++# include <openssl/params.h> ++#endif + #include <openssl/rsa.h> + #include <openssl/dsa.h> +-#include <rpm/rpmcrypto.h> + ++#include <rpm/rpmcrypto.h> + #include "rpmio/rpmpgp_internal.h" + + +@@ -283,6 +286,46 @@ done: + } + + ++/*********************** pkey construction *******************************/ ++ ++#if OPENSSL_VERSION_MAJOR >= 3 ++ ++static EVP_PKEY * ++construct_pkey_from_param(int id, OSSL_PARAM *params) ++{ ++ EVP_PKEY *pkey = NULL; ++ EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(id, NULL); ++ if (!ctx || EVP_PKEY_fromdata_init(ctx) <= 0 || EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_PUBLIC_KEY, params) <= 0) ++ pkey = NULL; ++ if (ctx) ++ EVP_PKEY_CTX_free(ctx); ++ return pkey; ++} ++ ++static OSSL_PARAM ++create_bn_param(char *key, BIGNUM *bn) ++{ ++ int sz = bn ? 
BN_num_bytes(bn) : -1; ++ if (sz < 0 || BN_is_negative(bn)) { ++ OSSL_PARAM param = OSSL_PARAM_END; ++ return param; ++ } ++ if (sz == 0) ++ sz = 1; ++ unsigned char *buf = xmalloc(sz); ++ BN_bn2nativepad(bn, buf, sz); ++ OSSL_PARAM param = OSSL_PARAM_BN(key, buf, sz); ++ return param; ++} ++ ++static void ++free_bn_param(OSSL_PARAM *param) ++{ ++ free(param->data); ++} ++ ++#endif ++ + /****************************** RSA **************************************/ + + /* Key */ +@@ -300,6 +343,17 @@ static int constructRSASigningKey(struct pgpDigKeyRSA_s *key) + if (key->evp_pkey) + return 1; /* We've already constructed it, so just reuse it */ + ++#if OPENSSL_VERSION_MAJOR >= 3 ++ OSSL_PARAM params = { ++ create_bn_param("n", key->n), ++ create_bn_param("e", key->e), ++ OSSL_PARAM_END ++ }; ++ key->evp_pkey = construct_pkey_from_param(EVP_PKEY_RSA, params); ++ free_bn_param(params + 0); ++ free_bn_param(params + 1); ++ return key->evp_pkey ? 1 : 0; ++#else + /* Create the RSA key */ + RSA *rsa = RSA_new(); + if (!rsa) return 0; +@@ -324,6 +378,7 @@ static int constructRSASigningKey(struct pgpDigKeyRSA_s *key) + exit: + RSA_free(rsa); + return 0; ++#endif + } + + static int pgpSetKeyMpiRSA(pgpDigAlg pgpkey, int num, const uint8_t *p) +@@ -506,6 +561,21 @@ static int constructDSASigningKey(struct pgpDigKeyDSA_s *key) + if (key->evp_pkey) + return 1; /* We've already constructed it, so just reuse it */ + ++#if OPENSSL_VERSION_MAJOR >= 3 ++ OSSL_PARAM params = { ++ create_bn_param("p", key->p), ++ create_bn_param("q", key->q), ++ create_bn_param("g", key->g), ++ create_bn_param("pub", key->y), ++ OSSL_PARAM_END ++ }; ++ key->evp_pkey = construct_pkey_from_param(EVP_PKEY_DSA, params); ++ free_bn_param(params + 0); ++ free_bn_param(params + 1); ++ free_bn_param(params + 2); ++ free_bn_param(params + 3); ++ return key->evp_pkey ? 
1 : 0; ++#else + /* Create the DSA key */ + DSA *dsa = DSA_new(); + if (!dsa) return 0; +@@ -533,6 +603,7 @@ static int constructDSASigningKey(struct pgpDigKeyDSA_s *key) + exit: + DSA_free(dsa); + return 0; ++#endif + } + + +-- +2.23.0 +
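Review bot: `create_bn_param` returns `OSSL_PARAM_END` when a component is NULL or negative, which silently ends the `params` array early in `constructRSASigningKey` and `constructDSASigningKey` instead of failing; whether the resulting incomplete key is rejected is then left to `EVP_PKEY_fromdata`. An explicit guard before the array is built, e.g. `if (!key->n || !key->e) return 0;` for RSA and `if (!key->p || !key->q || !key->g || !key->y) return 0;` for DSA, would make that failure explicit. `create_bn_param` also declares `char *key` although it is only called with string literals, so `const char *key` is the accurate type, and the return value of `BN_bn2nativepad` is not checked.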
_service:tar_scm:backport-Support-ECDSA-in-key-parsing.patch
Added
@@ -0,0 +1,78 @@ +From 8bc74f9ec48386beadf396ba5830aacf6672df4c Mon Sep 17 00:00:00 2001 +From: Michael Schroeder <mls@suse.de> +Date: Thu, 11 Apr 2024 14:13:22 +0200 +Subject: PATCH Support ECDSA in key parsing + +Conflict:modify rpmpgp_internal.c in rpmio; adapt context because 296f2256b90 +and b5b9600834 is not mearged +Reference:https://github.com/rpm-software-management/rpmpgp_legacy/commit/ca6c204cfa95f016ba03a73d5e6e4451cf8d4d6d +--- + rpmio/rpmpgp_internal.c | 17 +++++++---------- + 1 file changed, 7 insertions(+), 10 deletions(-) + +diff --git a/rpmio/rpmpgp_internal.c b/rpmio/rpmpgp_internal.c +index 0fcd220..610a9b2 100644 +--- a/rpmio/rpmpgp_internal.c ++++ b/rpmio/rpmpgp_internal.c +@@ -576,11 +576,6 @@ static int pgpCurveByOid(const uint8_t *p, int l) + return 0; + } + +-static int isKey(pgpDigParams keyp) +-{ +- return keyp->tag == PGPTAG_PUBLIC_KEY || keyp->tag == PGPTAG_PUBLIC_SUBKEY; +-} +- + static int pgpPrtPubkeyParams(uint8_t pubkey_algo, + const uint8_t *p, const uint8_t *h, size_t hlen, + pgpDigParams keyp) +@@ -588,12 +583,12 @@ static int pgpPrtPubkeyParams(uint8_t pubkey_algo, + int rc = 1; /* assume failure */ + const uint8_t *pend = h + hlen; + int curve = 0; +- if (!isKey(keyp)) ++ if (keyp->tag != PGPTAG_PUBLIC_KEY && keyp->tag != PGPTAG_PUBLIC_SUBKEY) + return rc; + /* We can't handle more than one key at a time */ + if (keyp->alg) + return rc; +- if (pubkey_algo == PGPPUBKEYALGO_EDDSA) { ++ if (pubkey_algo == PGPPUBKEYALGO_EDDSA || pubkey_algo == PGPPUBKEYALGO_ECDSA) { + int len = (hlen > 1) ? 
p0 : 0; + if (len == 0 || len == 0xff || len >= hlen) + return rc; +@@ -686,8 +681,9 @@ static int getPubkeyFingerprint(const uint8_t *h, size_t hlen, + return rc; + se = (uint8_t *)(v + 1); + switch (v->pubkey_algo) { ++ case PGPPUBKEYALGO_ECDSA: + case PGPPUBKEYALGO_EDDSA: +- /* EdDSA has a curve id before the MPIs */ ++ /* ECC has a curve id before the MPIs */ + if (se0 == 0x00 || se0 == 0xff || pend - se < 1 + se0) + return rc; + se += 1 + se0; +@@ -1206,8 +1202,11 @@ rpmRC pgpVerifySignature(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx) + if (sig == NULL || ctx == NULL) + goto exit; + ++ /* make sure the dig param types are correct */ + if (sig->tag != PGPTAG_SIGNATURE) + goto exit; ++ if (key && key->tag != PGPTAG_PUBLIC_KEY && key->tag != PGPTAG_PUBLIC_SUBKEY) ++ goto exit; + + if (sig->hash != NULL) + rpmDigestUpdate(ctx, sig->hash, sig->hashlen); +@@ -1235,8 +1234,6 @@ rpmRC pgpVerifySignature(pgpDigParams key, pgpDigParams sig, DIGEST_CTX hashctx) + * done all we can, return NOKEY to indicate "looks okay but dunno." + */ + if (key && key->alg) { +- if (!isKey(key)) +- goto exit; + pgpDigAlg sa = sig->alg; + pgpDigAlg ka = key->alg; + if (sa && sa->verify && sig->pubkey_algo == key->pubkey_algo) { +-- +2.23.0 +
_service:tar_scm:backport-Support-NIST-P-521.patch
Added
@@ -0,0 +1,52 @@
+From 6344fec232cdd0e9d821a0b17e480494f4dcfd4b Mon Sep 17 00:00:00 2001
+From: Michael Schroeder <mls@suse.de>
+Date: Mon, 22 Apr 2024 12:54:32 +0200
+Subject: PATCH Support NIST P-521
+
+Conflict:don't modify digest_libgcrypt.c;modify digest_openssl.c in rpmio;
+Reference:https://github.com/rpm-software-management/rpmpgp_legacy/commit/6344fec232cdd0e9d821a0b17e480494f4dcfd4b
+
+Because the standard says we SHOULD.
+---
+ rpmio/digest_openssl.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/rpmio/digest_openssl.c b/rpmio/digest_openssl.c
+index 662b469..42eec66 100644
+--- a/rpmio/digest_openssl.c
++++ b/rpmio/digest_openssl.c
+@@ -556,6 +556,13 @@ static int constructECDSASigningKey(struct pgpDigKeyECDSA_s *key, int curve)
+ OSSL_PARAM_END
+ };
+ key->evp_pkey = construct_pkey_from_param(EVP_PKEY_EC, params);
++ } else if (curve == PGPCURVE_NIST_P_521) {
++ OSSL_PARAM params = {
++ OSSL_PARAM_utf8_string("group", "P-521", 5),
++ OSSL_PARAM_octet_string("pub", key->q, key->qlen),
++ OSSL_PARAM_END
++ };
++ key->evp_pkey = construct_pkey_from_param(EVP_PKEY_EC, params);
+ }
+ return key->evp_pkey ? 1 : 0;
+ #else
+@@ -565,6 +572,8 @@ static int constructECDSASigningKey(struct pgpDigKeyECDSA_s *key, int curve)
+ ec = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+ else if (curve == PGPCURVE_NIST_P_384)
+ ec = EC_KEY_new_by_curve_name(NID_secp384r1);
++ else if (curve == PGPCURVE_NIST_P_521)
++ ec = EC_KEY_new_by_curve_name(NID_secp521r1);
+ if (!ec)
+ return 0;
+
+@@ -817,6 +826,8 @@ static int pgpSupportedCurve(int algo, int curve)
+ return 1;
+ if (algo == PGPPUBKEYALGO_ECDSA && curve == PGPCURVE_NIST_P_384)
+ return 1;
++ if (algo == PGPPUBKEYALGO_ECDSA && curve == PGPCURVE_NIST_P_521)
++ return 1;
+ return 0;
+ }
+
+--
+2.23.0
+
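Review bot: The set of accepted ECDSA curves is now maintained in three places that have to agree, and nothing in the code says so: the `OSSL_PARAM` branch and the `EC_KEY_new_by_curve_name` branch of `constructECDSASigningKey`, and the allow-list in `pgpSupportedCurve`. From the lines shown, a curve added to only one of them fails closed (`key->evp_pkey` or `ec` stays NULL and the function returns 0), but the mismatch would only surface at verification time. A comment on both functions, `/* curve list must match pgpSupportedCurve() / constructECDSASigningKey() */`, would make the coupling explicit. The hard-coded length `5` next to `"P-521"` also deserves a short comment saying it is the group name's length. Both functions begin outside the hunks shown.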
_service:tar_scm:backport-Use-EVP_PKEY_verify-to-verify-DSA-signatures.patch
Added
@@ -0,0 +1,316 @@
+From 8bf5c6b094e4f703d9fa1422a463654b512b25ae Mon Sep 17 00:00:00 2001
+From: Michael Schroeder <mls@suse.de>
+Date: Wed, 17 Apr 2024 11:05:17 +0200
+Subject: PATCH Use EVP_PKEY_verify to verify DSA signatures
+
+Conflict:modify digest_openssl.c in rpmio
+Reference:https://github.com/rpm-software-management/rpmpgp_legacy/commit/8bf5c6b094e4f703d9fa1422a463654b512b25ae
+
+The low level API will be deprecated in openssl-3
+---
+ rpmio/digest_openssl.c | 179 +++++++++++++++++++++++------------------------
+ 1 file changed, 86 insertions(+), 93 deletions(-)
+
+diff --git a/rpmio/digest_openssl.c b/rpmio/digest_openssl.c
+index 8dd7abe..2a39115 100644
+--- a/rpmio/digest_openssl.c
++++ b/rpmio/digest_openssl.c
+@@ -43,17 +43,12 @@ struct pgpDigKeyRSA_s {
+ BIGNUM *n; /* Common Modulus */
+ BIGNUM *e; /* Public Exponent */
+ EVP_PKEY *evp_pkey; /* Fully constructed key */
+- unsigned char immutable; /* if set, this key cannot be mutated */
+ };
+
+ static int constructRSASigningKey(struct pgpDigKeyRSA_s *key)
+ {
+- if (key->evp_pkey) {
+- /* We've already constructed it, so just reuse it */
+- return 1;
+- } else if (key->immutable)
+- return 0;
+- key->immutable = 1;
++ if (key->evp_pkey)
++ return 1; /* We've already constructed it, so just reuse it */
+
+ /* Create the RSA key */
+ RSA *rsa = RSA_new();
+@@ -88,7 +83,7 @@ static int pgpSetKeyMpiRSA(pgpDigAlg pgpkey, int num, const uint8_t *p)
+
+ if (!key)
+ key = pgpkey->data = xcalloc(1, sizeof(*key));
+- else if (key->immutable)
++ else if (key->evp_pkey)
+ return 1;
+
+ switch (num) {
+@@ -238,7 +233,8 @@ static int pgpVerifySigRSA(pgpDigAlg pgpkey, pgpDigAlg pgpsig,
+ }
+
+ done:
+- EVP_PKEY_CTX_free(pkey_ctx);
++ if (pkey_ctx)
++ EVP_PKEY_CTX_free(pkey_ctx);
+ free(padded_sig);
+ return rc;
+ }
+@@ -252,40 +248,41 @@ struct pgpDigKeyDSA_s {
+ BIGNUM *g; /* Base */
+ BIGNUM *y; /* Public Key */
+
+- DSA *dsa_key; /* Fully constructed key */
++ EVP_PKEY *evp_pkey; /* Fully constructed key */
+ };
+
+ static int constructDSASigningKey(struct pgpDigKeyDSA_s *key)
+ {
+- int rc;
+-
+- if (key->dsa_key) {
+- /* We've already constructed it, so just reuse it */
+- return 1;
+- }
++ if (key->evp_pkey)
++ return 1; /* We've already constructed it, so just reuse it */
+
+ /* Create the DSA key */
+ DSA *dsa = DSA_new();
+ if (!dsa) return 0;
+
+ if (!DSA_set0_pqg(dsa, key->p, key->q, key->g)) {
+- rc = 0;
+- goto done;
++ goto exit;
+ }
+-
+ if (!DSA_set0_key(dsa, key->y, NULL)) {
+- rc = 0;
+- goto done;
++ goto exit;
+ }
+
+- key->dsa_key = dsa;
++ /* Create an EVP_PKEY container to abstract the key-type. */
++ if (!(key->evp_pkey = EVP_PKEY_new()))
++ goto exit;
+
+- rc = 1;
+-done:
+- if (rc == 0) {
+- DSA_free(dsa);
++ /* Assign the DSA key to the EVP_PKEY structure.
++ This will take over memory management of the RSA key */
++ if (!EVP_PKEY_assign_DSA(key->evp_pkey, dsa)) {
++ EVP_PKEY_free(key->evp_pkey);
++ key->evp_pkey = NULL;
++ goto exit;
+ }
+- return rc;
++ return 1;
++
++exit:
++ DSA_free(dsa);
++ return 0;
+ }
+
+
+@@ -349,10 +346,10 @@ static void pgpFreeKeyDSA(pgpDigAlg pgpkey)
+ {
+ struct pgpDigKeyDSA_s *key = pgpkey->data;
+ if (key) {
+- if (key->dsa_key) {
+- DSA_free(key->dsa_key);
++ if (key->evp_pkey) {
++ EVP_PKEY_free(key->evp_pkey);
+ } else {
+- /* If sig->dsa_key was constructed,
++ /* If key->evp_pkey was constructed,
+ * the memory management of these BNs
+ * are freed with it. */
+ BN_clear_free(key->p);
+@@ -367,82 +364,72 @@ static void pgpFreeKeyDSA(pgpDigAlg pgpkey)
+ /* Signature */
+
+ struct pgpDigSigDSA_s {
+- BIGNUM *r;
+- BIGNUM *s;
+-
+- DSA_SIG *dsa_sig;
++ unsigned char *r;
++ int rlen;
++ unsigned char *s;
++ int slen;
+ };
+
+-static int constructDSASignature(struct pgpDigSigDSA_s *sig)
++static void add_asn1_tag(unsigned char *p, int tag, int len)
+ {
+- int rc;
+-
+- if (sig->dsa_sig) {
+- /* We've already constructed it, so just reuse it */
+- return 1;
+- }
+-
+- /* Create the DSA signature */
+- DSA_SIG *dsa_sig = DSA_SIG_new();
+- if (!dsa_sig) return 0;
+-
+- if (!DSA_SIG_set0(dsa_sig, sig->r, sig->s)) {
+- rc = 0;
+- goto done;
++ *p++ = tag;
++ if (len >= 256) {
++ *p++ = 130;
++ *p++ = len >> 8;
++ } else if (len > 128) {
++ *p++ = 129;
+ }
++ *p++ = len;
++}
+
+- sig->dsa_sig = dsa_sig;
+-
+- rc = 1;
+-done:
+- if (rc == 0) {
+- DSA_SIG_free(sig->dsa_sig);
+- }
+- return rc;
++static unsigned char *constructDSASignature(unsigned char *r, int rlen, unsigned char *s, int slen, size_t *siglenp)
++{
++ int len1 = rlen + (!rlen || (*r & 0x80) != 0 ? 1 : 0), hlen1 = len1 < 128 ? 2 : len1 < 256 ? 3 : 4;
++ int len2 = slen + (!slen || (*s & 0x80) != 0 ? 1 : 0), hlen2 = len2 < 128 ? 2 : len2 < 256 ? 3 : 4;
++ int len3 = hlen1 + len1 + hlen2 + len2, hlen3 = len3 < 128 ? 2 : len3 < 256 ? 3 : 4;
++ unsigned char *buf;
++ if (rlen < 0 || rlen >= 65534 || slen < 0 || slen >= 65534 || len3 > 65535)
++ return 0; /* should never happen as pgp's MPIs have a length < 8192 */
++ buf = xmalloc(hlen3 + len3);
++ add_asn1_tag(buf, 0x30, len3);
++ add_asn1_tag(buf + hlen3, 0x02, len1);
++ bufhlen3 + hlen1 = 0; /* zero first byte of the integer */
++ memcpy(buf + hlen3 + hlen1 + len1 - rlen, r, rlen);
++ add_asn1_tag(buf + hlen3 + hlen1 + len1, 0x02, len2);
++ bufhlen3 + len3 - len2 = 0; /* zero first byte of the integer */
++ memcpy(buf + hlen3 + len3 - slen, s, slen);
++ *siglenp = hlen3 + len3;
++ return buf;
+ }
+
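Review bot: `add_asn1_tag` writes the wrong length form when `len` is exactly 128: the branch `else if (len > 128)` skips the `129` prefix, so the only length byte written is 0x80, while `constructDSASignature` sizes the same header as three bytes (`len1 < 128 ? 2 : len1 < 256 ? 3 : 4`). Two header bytes then land in a three-byte slot, one byte of the `xmalloc` buffer is left unset and the DER length is malformed; the condition should read `} else if (len >= 128) {`. DSA integers are normally far shorter than that, but if the ECDSA patches of this series reuse the encoder (not visible here), P-521 signatures put a total length of 128 within reach, presumably ending in a valid signature being rejected rather than a bad one accepted. The page truncates this patch after `constructDSASignature`, so its callers are not shown.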
_service:tar_scm:rpm-selinux-plugin-check-context-file-exist.patch
Added
@@ -0,0 +1,26 @@
+From 55708fd5822a3e4bf5537002a648f32cb0a6e07e Mon Sep 17 00:00:00 2001
+From: luhuaxin <1539327763@qq.com>
+Date: Tue, 26 Oct 2021 18:39:46 +0800
+Subject: PATCH rpm selinux plugin check context file exist
+
+---
+ plugins/selinux.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/plugins/selinux.c b/plugins/selinux.c
+index 1254517..fb8b7a2 100644
+--- a/plugins/selinux.c
++++ b/plugins/selinux.c
+@@ -63,7 +63,8 @@ static rpmRC selinux_tsm_pre(rpmPlugin plugin, rpmts ts)
+ rpmRC rc = RPMRC_OK;
+
+ /* If SELinux isn't enabled on the system, dont mess with it */
+- if (!is_selinux_enabled()) {
++ if (!is_selinux_enabled() || selinux_file_context_path() == NULL ||
++ access(selinux_file_context_path(), F_OK)) {
+ rpmtsSetFlags(ts, (rpmtsFlags(ts) | RPMTRANS_FLAG_NOCONTEXTS));
+ }
+
+--
+2.23.0
+
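Review bot: When SELinux is enabled but the file-contexts file is absent, the widened condition in `selinux_tsm_pre` sets `RPMTRANS_FLAG_NOCONTEXTS` without saying so, so the transaction installs unlabeled files on an enforcing-capable system and leaves no trace of why. That case should be reported separately from "SELinux disabled", for instance with `rpmlog(RPMLOG_WARNING, "SELinux enabled but file contexts not found, files will not be labeled\n");` before the flag is set, assuming `rpmlog` is in scope in this file. The comment above the `if` still describes only the disabled case and should mention the missing-file case too. `access(..., F_OK)` proves existence at that instant only, not that the file is readable when labeling later loads it, and `selinux_file_context_path()` is evaluated twice where one local `const char *` would do. The function continues outside the hunk.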
_service
Changed
@@ -2,7 +2,7 @@
 <service name="tar_scm">
 <param name="scm">git</param>
 <param name="url">git@gitee.com:src-openeuler/rpm.git</param>
- <param name="revision">openEuler-24.03-LTS-Next</param>
+ <param name="revision">openEuler-24.03-LTS-SP1</param>
 <param name="exclude">*</param>
 <param name="extract">*</param>
 </service>