[v4] ima_evm_utils: erroneous "verification failed: 0 (invalid padding)" message
diff mbox series

Message ID 1563492600-23396-1-git-send-email-zohar@linux.ibm.com
State New
Headers show
Series
  • [v4] ima_evm_utils: erroneous "verification failed: 0 (invalid padding)" message
Related show

Commit Message

Mimi Zohar July 18, 2019, 11:30 p.m. UTC
When public keys are specified on the boot command line (--key <public
key file>, [<public key file>, ...]), the appropriate public key is used
to verify EVM or file signatures.  If no keys are specified, the default
x509_evm.der or x509_evm.pem file is used to verify the DIGSIG_VERSION_2
or DIGSIG_VERSION_1 signatures respectively, without first checking the
keyids.  Instead of emitting a "verification failed: 0 (invalid
padding)" message, an "unknown keyid" message would be clearer.

To address this problem, when no public keys are specified, this patch
loads the x509_evm.der default public key onto the "public_keys" list,
while the x509_evm.pem continues to be passed to verify_hash_v1()

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
Changelog:
- reverted most of the v3 changes, but kept the patch description and the
cmd_verify_evm() change, in order to pick up Vitaly's patches.


 src/evmctl.c    | 14 +++++++++++---
 src/libimaevm.c | 17 +++++++----------
 2 files changed, 18 insertions(+), 13 deletions(-)

Comments

Vitaly Chikunov July 18, 2019, 11:44 p.m. UTC | #1
Mimi,

Ah. Excuse me basing my patches on v2. I never received v3 with your
changes, don't know why.

On Thu, Jul 18, 2019 at 07:30:00PM -0400, Mimi Zohar wrote:
> When public keys are specified on the boot command line (--key <public
> key file>, [<public key file>, ...]), the appropriate public key is used

Probably spaces should be removed in specification of `--key'.

> to verify EVM or file signatures.  If no keys are specified, the default
> x509_evm.der or x509_evm.pem file is used to verify the DIGSIG_VERSION_2

s/x509_evm.pem/pubkey_evm.pem/

> or DIGSIG_VERSION_1 signatures respectively, without first checking the
> keyids.  Instead of emitting a "verification failed: 0 (invalid
> padding)" message, an "unknown keyid" message would be clearer.
> 
> To address this problem, when no public keys are specified, this patch
> loads the x509_evm.der default public key onto the "public_keys" list,
> while the x509_evm.pem continues to be passed to verify_hash_v1()

And here.

Thanks,

> 
> Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> Changelog:
> - reverted most of the v3 changes, but kept the patch description and the
> cmd_verify_evm() change, in order to pick up Vitaly's patches.
> 
> 
>  src/evmctl.c    | 14 +++++++++++---
>  src/libimaevm.c | 17 +++++++----------
>  2 files changed, 18 insertions(+), 13 deletions(-)
> 
> diff --git a/src/evmctl.c b/src/evmctl.c
> index 61808d276419..9e0926f10404 100644
> --- a/src/evmctl.c
> +++ b/src/evmctl.c
> @@ -838,6 +838,11 @@ static int cmd_verify_evm(struct command *cmd)
>  		return -1;
>  	}
>  
> +	if (params.keyfile)	/* Support multiple public keys */
> +		init_public_keys(params.keyfile);
> +	else			/* assume read pubkey from x509 cert */
> +		init_public_keys("/etc/keys/x509_evm.der");
> +
>  	err = verify_evm(file);
>  	if (!err && params.verbose >= LOG_INFO)
>  		log_info("%s: verification is OK\n", file);
> @@ -879,8 +884,10 @@ static int cmd_verify_ima(struct command *cmd)
>  	char *file = g_argv[optind++];
>  	int err;
>  
> -	if (params.keyfile)
> +	if (params.keyfile)	/* Support multiple public keys */
>  		init_public_keys(params.keyfile);
> +	else			/* assume read pubkey from x509 cert */
> +		init_public_keys("/etc/keys/x509_evm.der");
>  
>  	errno = 0;
>  	if (!file) {
> @@ -1602,9 +1609,10 @@ static int ima_measurement(const char *file)
>  		return -1;
>  	}
>  
> -	/* Support multiple public keys */
> -	if (params.keyfile)
> +	if (params.keyfile)	/* Support multiple public keys */
>  		init_public_keys(params.keyfile);
> +	else			/* assume read pubkey from x509 cert */
> +		init_public_keys("/etc/keys/x509_evm.der");
>  
>  	while (fread(&entry.header, sizeof(entry.header), 1, fp)) {
>  		ima_extend_pcr(pcr[entry.header.pcr], entry.header.digest,
> diff --git a/src/libimaevm.c b/src/libimaevm.c
> index ae487f9fe36c..afd21051b09a 100644
> --- a/src/libimaevm.c
> +++ b/src/libimaevm.c
> @@ -302,6 +302,9 @@ EVP_PKEY *read_pub_pkey(const char *keyfile, int x509)
>  	X509 *crt = NULL;
>  	EVP_PKEY *pkey = NULL;
>  
> +	if (!keyfile)
> +		return NULL;
> +
>  	fp = fopen(keyfile, "r");
>  	if (!fp) {
>  		log_err("Failed to open keyfile: %s\n", keyfile);
> @@ -569,27 +572,21 @@ static int get_hash_algo_from_sig(unsigned char *sig)
>  int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig,
>  		int siglen)
>  {
> -	const char *key;
> -	int x509;
> +	const char *key = NULL;
>  	verify_hash_fn_t verify_hash;
>  
>  	/* Get signature type from sig header */
>  	if (sig[0] == DIGSIG_VERSION_1) {
>  		verify_hash = verify_hash_v1;
> +
>  		/* Read pubkey from RSA key */
> -		x509 = 0;
> +		if (!params.keyfile)
> +			key = "/etc/keys/pubkey_evm.pem";
>  	} else if (sig[0] == DIGSIG_VERSION_2) {
>  		verify_hash = verify_hash_v2;
> -		/* Read pubkey from x509 cert */
> -		x509 = 1;
>  	} else
>  		return -1;
>  
> -	/* Determine what key to use for verification*/
> -	key = params.keyfile ? : x509 ?
> -			"/etc/keys/x509_evm.der" :
> -			"/etc/keys/pubkey_evm.pem";
> -
>  	return verify_hash(file, hash, size, sig, siglen, key);
>  }
>  
> -- 
> 2.7.5

Patch
diff mbox series

diff --git a/src/evmctl.c b/src/evmctl.c
index 61808d276419..9e0926f10404 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -838,6 +838,11 @@  static int cmd_verify_evm(struct command *cmd)
 		return -1;
 	}
 
+	if (params.keyfile)	/* Support multiple public keys */
+		init_public_keys(params.keyfile);
+	else			/* assume read pubkey from x509 cert */
+		init_public_keys("/etc/keys/x509_evm.der");
+
 	err = verify_evm(file);
 	if (!err && params.verbose >= LOG_INFO)
 		log_info("%s: verification is OK\n", file);
@@ -879,8 +884,10 @@  static int cmd_verify_ima(struct command *cmd)
 	char *file = g_argv[optind++];
 	int err;
 
-	if (params.keyfile)
+	if (params.keyfile)	/* Support multiple public keys */
 		init_public_keys(params.keyfile);
+	else			/* assume read pubkey from x509 cert */
+		init_public_keys("/etc/keys/x509_evm.der");
 
 	errno = 0;
 	if (!file) {
@@ -1602,9 +1609,10 @@  static int ima_measurement(const char *file)
 		return -1;
 	}
 
-	/* Support multiple public keys */
-	if (params.keyfile)
+	if (params.keyfile)	/* Support multiple public keys */
 		init_public_keys(params.keyfile);
+	else			/* assume read pubkey from x509 cert */
+		init_public_keys("/etc/keys/x509_evm.der");
 
 	while (fread(&entry.header, sizeof(entry.header), 1, fp)) {
 		ima_extend_pcr(pcr[entry.header.pcr], entry.header.digest,
diff --git a/src/libimaevm.c b/src/libimaevm.c
index ae487f9fe36c..afd21051b09a 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -302,6 +302,9 @@  EVP_PKEY *read_pub_pkey(const char *keyfile, int x509)
 	X509 *crt = NULL;
 	EVP_PKEY *pkey = NULL;
 
+	if (!keyfile)
+		return NULL;
+
 	fp = fopen(keyfile, "r");
 	if (!fp) {
 		log_err("Failed to open keyfile: %s\n", keyfile);
@@ -569,27 +572,21 @@  static int get_hash_algo_from_sig(unsigned char *sig)
 int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig,
 		int siglen)
 {
-	const char *key;
-	int x509;
+	const char *key = NULL;
 	verify_hash_fn_t verify_hash;
 
 	/* Get signature type from sig header */
 	if (sig[0] == DIGSIG_VERSION_1) {
 		verify_hash = verify_hash_v1;
+
 		/* Read pubkey from RSA key */
-		x509 = 0;
+		if (!params.keyfile)
+			key = "/etc/keys/pubkey_evm.pem";
 	} else if (sig[0] == DIGSIG_VERSION_2) {
 		verify_hash = verify_hash_v2;
-		/* Read pubkey from x509 cert */
-		x509 = 1;
 	} else
 		return -1;
 
-	/* Determine what key to use for verification*/
-	key = params.keyfile ? : x509 ?
-			"/etc/keys/x509_evm.der" :
-			"/etc/keys/pubkey_evm.pem";
-
 	return verify_hash(file, hash, size, sig, siglen, key);
 }