From patchwork Wed Jul 3 15:50:07 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vitaly Chikunov X-Patchwork-Id: 11029749 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DE00B1398 for ; Wed, 3 Jul 2019 15:50:40 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CF4672866D for ; Wed, 3 Jul 2019 15:50:40 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id C3239289B6; Wed, 3 Jul 2019 15:50:40 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 628132866D for ; Wed, 3 Jul 2019 15:50:40 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726473AbfGCPuk (ORCPT ); Wed, 3 Jul 2019 11:50:40 -0400 Received: from vmicros1.altlinux.org ([194.107.17.57]:41330 "EHLO vmicros1.altlinux.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725847AbfGCPuk (ORCPT ); Wed, 3 Jul 2019 11:50:40 -0400 Received: from imap.altlinux.org (imap.altlinux.org [194.107.17.38]) by vmicros1.altlinux.org (Postfix) with ESMTP id 0070D72CC6C; Wed, 3 Jul 2019 18:50:37 +0300 (MSK) Received: from beacon.altlinux.org (unknown [185.6.174.98]) by imap.altlinux.org (Postfix) with ESMTPSA id D79874A4A29; Wed, 3 Jul 2019 18:50:36 +0300 (MSK) From: Vitaly Chikunov To: Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org Subject: [PATCH v8 1/9] ima-evm-utils: Convert read_pub_key to EVP_PKEY API Date: Wed, 3 Jul 2019 18:50:07 +0300 Message-Id: <20190703155015.14262-2-vt@altlinux.org> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190703155015.14262-1-vt@altlinux.org> References: <20190703155015.14262-1-vt@altlinux.org> MIME-Version: 1.0 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Introduce read_pub_pkey() to read keys using EVP_PKEY, and change read_pub_key() to be wrapper for it. Signed-off-by: Vitaly Chikunov --- src/imaevm.h | 1 + src/libimaevm.c | 33 ++++++++++++++++++++++----------- 2 files changed, 23 insertions(+), 11 deletions(-) diff --git a/src/imaevm.h b/src/imaevm.h index c81bf21..6d5eabd 100644 --- a/src/imaevm.h +++ b/src/imaevm.h @@ -216,6 +216,7 @@ int get_filesize(const char *filename); int ima_calc_hash(const char *file, uint8_t *hash); int get_hash_algo(const char *algo); RSA *read_pub_key(const char *keyfile, int x509); +EVP_PKEY *read_pub_pkey(const char *keyfile, int x509); void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len); void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key); diff --git a/src/libimaevm.c b/src/libimaevm.c index 3a9ab63..da0f422 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -355,10 +355,9 @@ int ima_calc_hash(const char *file, uint8_t *hash) return mdlen; } -RSA *read_pub_key(const char *keyfile, int x509) +EVP_PKEY *read_pub_pkey(const char *keyfile, int x509) { FILE *fp; - RSA *key = NULL; X509 *crt = NULL; EVP_PKEY *pkey = NULL; @@ -375,24 +374,36 @@ RSA *read_pub_key(const char *keyfile, int x509) goto out; } pkey = X509_extract_key(crt); + X509_free(crt); if (!pkey) { log_err("X509_extract_key() failed\n"); goto out; } - key = EVP_PKEY_get1_RSA(pkey); } else { - key = PEM_read_RSA_PUBKEY(fp, NULL, NULL, NULL); + pkey = PEM_read_PUBKEY(fp, NULL, NULL, NULL); + if (!pkey) + log_err("PEM_read_PUBKEY() failed\n"); } - if (!key) - log_err("PEM_read_RSA_PUBKEY() failed\n"); - out: - if (pkey) - EVP_PKEY_free(pkey); - if (crt) - X509_free(crt); fclose(fp); + return pkey; +} + +RSA *read_pub_key(const char *keyfile, int x509) +{ + EVP_PKEY *pkey; + RSA *key; + + pkey = read_pub_pkey(keyfile, x509); + if (!pkey) + return NULL; + key = EVP_PKEY_get1_RSA(pkey); + EVP_PKEY_free(pkey); + if (!key) { + log_err("read_pub_key: unsupported key type\n"); + return NULL; + } return key; } From patchwork Wed Jul 3 15:50:08 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vitaly Chikunov X-Patchwork-Id: 11029751 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 60C5613A4 for ; Wed, 3 Jul 2019 15:50:45 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 520D82879E for ; Wed, 3 Jul 2019 15:50:45 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 46D7328846; Wed, 3 Jul 2019 15:50:45 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E2D6B2879E for ; Wed, 3 Jul 2019 15:50:44 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726490AbfGCPuo (ORCPT ); Wed, 3 Jul 2019 11:50:44 -0400 Received: from vmicros1.altlinux.org ([194.107.17.57]:41490 "EHLO vmicros1.altlinux.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725847AbfGCPuo (ORCPT ); Wed, 3 Jul 2019 11:50:44 -0400 Received: from imap.altlinux.org (imap.altlinux.org [194.107.17.38]) by vmicros1.altlinux.org (Postfix) with ESMTP id B010572CC6C; Wed, 3 Jul 2019 18:50:42 +0300 (MSK) Received: from beacon.altlinux.org (unknown [185.6.174.98]) by imap.altlinux.org (Postfix) with ESMTPSA id 9506D4A4A29; Wed, 3 Jul 2019 18:50:42 +0300 (MSK) From: Vitaly Chikunov To: Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org Subject: [PATCH v8 2/9] ima-evm-utils: Convert read_priv_key to EVP_PKEY API Date: Wed, 3 Jul 2019 18:50:08 +0300 Message-Id: <20190703155015.14262-3-vt@altlinux.org> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190703155015.14262-1-vt@altlinux.org> References: <20190703155015.14262-1-vt@altlinux.org> MIME-Version: 1.0 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Introduce read_priv_pkey() to read keys using EVP_PKEY, and change read_priv_key() to be wrapper for it. Signed-off-by: Vitaly Chikunov --- src/libimaevm.c | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/src/libimaevm.c b/src/libimaevm.c index da0f422..23fa804 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -753,10 +753,10 @@ void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key) free(pkey); } -static RSA *read_priv_key(const char *keyfile, const char *keypass) +static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass) { FILE *fp; - RSA *key; + EVP_PKEY *pkey; fp = fopen(keyfile, "r"); if (!fp) { @@ -764,15 +764,32 @@ static RSA *read_priv_key(const char *keyfile, const char *keypass) return NULL; } ERR_load_crypto_strings(); - key = PEM_read_RSAPrivateKey(fp, NULL, NULL, (void *)keypass); - if (!key) { + pkey = PEM_read_PrivateKey(fp, NULL, NULL, (void *)keypass); + if (!pkey) { char str[256]; ERR_error_string(ERR_get_error(), str); - log_err("PEM_read_RSAPrivateKey() failed: %s\n", str); + log_err("PEM_read_PrivateKey() failed: %s\n", str); } fclose(fp); + return pkey; +} + +static RSA *read_priv_key(const char *keyfile, const char *keypass) +{ + EVP_PKEY *pkey; + RSA *key; + + pkey = read_priv_pkey(keyfile, keypass); + if (!pkey) + return NULL; + key = EVP_PKEY_get1_RSA(pkey); + EVP_PKEY_free(pkey); + if (!key) { + log_err("read_priv_key: unsupported key type\n"); + return NULL; + } return key; } From patchwork Wed Jul 3 15:50:09 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vitaly Chikunov X-Patchwork-Id: 11029753 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1CF9B13A4 for ; Wed, 3 Jul 2019 15:50:53 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0EB572866D for ; Wed, 3 Jul 2019 15:50:53 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 03554287F5; Wed, 3 Jul 2019 15:50:53 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 94E942866D for ; Wed, 3 Jul 2019 15:50:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725847AbfGCPuw (ORCPT ); Wed, 3 Jul 2019 11:50:52 -0400 Received: from vmicros1.altlinux.org ([194.107.17.57]:41608 "EHLO vmicros1.altlinux.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726430AbfGCPuw (ORCPT ); Wed, 3 Jul 2019 11:50:52 -0400 Received: from imap.altlinux.org (imap.altlinux.org [194.107.17.38]) by vmicros1.altlinux.org (Postfix) with ESMTP id F07E772CC6C; Wed, 3 Jul 2019 18:50:49 +0300 (MSK) Received: from beacon.altlinux.org (unknown [185.6.174.98]) by imap.altlinux.org (Postfix) with ESMTPSA id CDDA94A4A29; Wed, 3 Jul 2019 18:50:49 +0300 (MSK) From: Vitaly Chikunov To: Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org Subject: [PATCH v8 3/9] ima-evm-utils: Convert cmd_import and calc keyid v2 to EVP_PKEY API Date: Wed, 3 Jul 2019 18:50:09 +0300 Message-Id: <20190703155015.14262-4-vt@altlinux.org> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190703155015.14262-1-vt@altlinux.org> References: <20190703155015.14262-1-vt@altlinux.org> MIME-Version: 1.0 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Introduce calc_pkeyid_v2() (which accepts EVP_PKEY) to replace calc_keyid_v2() (which accepts RSA) in the future and use it in cmd_import(). Signed-off-by: Vitaly Chikunov --- src/evmctl.c | 25 +++++++++++++++---------- src/imaevm.h | 1 + src/libimaevm.c | 30 ++++++++++++++++++++++++++++++ 3 files changed, 46 insertions(+), 10 deletions(-) diff --git a/src/evmctl.c b/src/evmctl.c index 15a7226..eed8f9a 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -891,7 +891,6 @@ static int cmd_import(struct command *cmd) int id, len, err = 0; char name[20]; uint8_t keyid[8]; - RSA *key; inkey = g_argv[optind++]; if (!inkey) { @@ -925,18 +924,26 @@ static int cmd_import(struct command *cmd) } } - key = read_pub_key(inkey, params.x509); - if (!key) - return 1; - if (params.x509) { + EVP_PKEY *pkey = read_pub_pkey(inkey, params.x509); + + if (!pkey) + return 1; pub = file2bin(inkey, NULL, &len); - if (!pub) - goto out; - calc_keyid_v2((uint32_t *)keyid, name, key); + if (!pub) { + EVP_PKEY_free(pkey); + return 1; + } + calc_pkeyid_v2((uint32_t *)keyid, name, pkey); + EVP_PKEY_free(pkey); } else { + RSA *key = read_pub_key(inkey, params.x509); + + if (!key) + return 1; len = key2bin(key, pub); calc_keyid_v1(keyid, name, pub, len); + RSA_free(key); } log_info("Importing public key %s from file %s into keyring %d\n", name, inkey, id); @@ -951,8 +958,6 @@ static int cmd_import(struct command *cmd) } if (params.x509) free(pub); -out: - RSA_free(key); return err; } diff --git a/src/imaevm.h b/src/imaevm.h index 6d5eabd..48d2663 100644 --- a/src/imaevm.h +++ b/src/imaevm.h @@ -220,6 +220,7 @@ EVP_PKEY *read_pub_pkey(const char *keyfile, int x509); void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len); void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key); +void calc_pkeyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey); int key2bin(RSA *key, unsigned char *pub); int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig); diff --git a/src/libimaevm.c b/src/libimaevm.c index 23fa804..707b2e9 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -753,6 +753,36 @@ void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key) free(pkey); } +/* + * Calculate keyid of the public_key part of EVP_PKEY + */ +void calc_pkeyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey) +{ + X509_PUBKEY *pk = NULL; + const unsigned char *public_key = NULL; + int len; + + /* This is more generic than i2d_PublicKey() */ + if (X509_PUBKEY_set(&pk, pkey) && + X509_PUBKEY_get0_param(NULL, &public_key, &len, NULL, pk)) { + uint8_t sha1[SHA_DIGEST_LENGTH]; + + SHA1(public_key, len, sha1); + /* sha1[12 - 19] is exactly keyid from gpg file */ + memcpy(keyid, sha1 + 16, 4); + } else + *keyid = 0; + + log_debug("keyid: "); + log_debug_dump(keyid, 4); + sprintf(str, "%x", __be32_to_cpup(keyid)); + + if (params.verbose > LOG_INFO) + log_info("keyid: %s\n", str); + + X509_PUBKEY_free(pk); +} + static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass) { FILE *fp; From patchwork Wed Jul 3 15:50:10 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vitaly Chikunov X-Patchwork-Id: 11029755 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id BD1D31398 for ; Wed, 3 Jul 2019 15:50:58 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AE8EA287F5 for ; Wed, 3 Jul 2019 15:50:58 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id A2E5528846; Wed, 3 Jul 2019 15:50:58 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3B9F2287F5 for ; Wed, 3 Jul 2019 15:50:58 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726430AbfGCPu6 (ORCPT ); Wed, 3 Jul 2019 11:50:58 -0400 Received: from vmicros1.altlinux.org ([194.107.17.57]:41670 "EHLO vmicros1.altlinux.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726550AbfGCPu5 (ORCPT ); Wed, 3 Jul 2019 11:50:57 -0400 Received: from imap.altlinux.org (imap.altlinux.org [194.107.17.38]) by vmicros1.altlinux.org (Postfix) with ESMTP id 7F28872CC6C; Wed, 3 Jul 2019 18:50:55 +0300 (MSK) Received: from beacon.altlinux.org (unknown [185.6.174.98]) by imap.altlinux.org (Postfix) with ESMTPSA id 54C744A4A29; Wed, 3 Jul 2019 18:50:55 +0300 (MSK) From: Vitaly Chikunov To: Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org Subject: [PATCH v8 4/9] ima-evm-utils: Convert verify_hash_v2 and find_keyid to EVP_PKEY API Date: Wed, 3 Jul 2019 18:50:10 +0300 Message-Id: <20190703155015.14262-5-vt@altlinux.org> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190703155015.14262-1-vt@altlinux.org> References: <20190703155015.14262-1-vt@altlinux.org> MIME-Version: 1.0 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Rely on OpenSSL API to verify v2 signatures instead of manual PKCS1 decoding. Also, convert find_keyid() to return EVP_PKEY because verify_hash_v2() is sole user of it. Signed-off-by: Vitaly Chikunov --- src/libimaevm.c | 94 +++++++++++++++++++++++++++++++-------------------------- 1 file changed, 52 insertions(+), 42 deletions(-) diff --git a/src/libimaevm.c b/src/libimaevm.c index 707b2e9..4c98cb0 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -452,11 +452,11 @@ struct public_key_entry { struct public_key_entry *next; uint32_t keyid; char name[9]; - RSA *key; + EVP_PKEY *key; }; static struct public_key_entry *public_keys = NULL; -static RSA *find_keyid(uint32_t keyid) +static EVP_PKEY *find_keyid(uint32_t keyid) { struct public_key_entry *entry; @@ -489,13 +489,13 @@ void init_public_keys(const char *keyfiles) break; } - entry->key = read_pub_key(keyfile, 1); + entry->key = read_pub_pkey(keyfile, 1); if (!entry->key) { free(entry); continue; } - calc_keyid_v2(&entry->keyid, entry->name, entry->key); + calc_pkeyid_v2(&entry->keyid, entry->name, entry->key); sprintf(entry->name, "%x", __be32_to_cpup(&entry->keyid)); log_info("key %d: %s %s\n", i++, entry->name, keyfile); entry->next = public_keys; @@ -503,14 +503,18 @@ void init_public_keys(const char *keyfiles) } } +/* + * Return: 0 verification good, 1 verification bad, -1 error. + */ int verify_hash_v2(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile) { - int err, len; - unsigned char out[1024]; - RSA *key; + int ret = -1; + EVP_PKEY *pkey, *pkey_free = NULL; struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig; - const struct RSA_ASN1_template *asn1; + EVP_PKEY_CTX *ctx; + const EVP_MD *md; + const char *st; if (params.verbose > LOG_INFO) { log_info("hash: "); @@ -518,45 +522,51 @@ int verify_hash_v2(const char *file, const unsigned char *hash, int size, } if (public_keys) { - key = find_keyid(hdr->keyid); - if (!key) { + pkey = find_keyid(hdr->keyid); + if (!pkey) { log_err("%s: unknown keyid: %x\n", file, __be32_to_cpup(&hdr->keyid)); return -1; } } else { - key = read_pub_key(keyfile, 1); - if (!key) - return 1; - } - - - err = RSA_public_decrypt(siglen - sizeof(*hdr), sig + sizeof(*hdr), - out, key, RSA_PKCS1_PADDING); - if (err < 0) { - log_err("%s: RSA_public_decrypt() failed: %d\n", file, err); - return 1; - } - - len = err; - - asn1 = &RSA_ASN1_templates[hdr->hash_algo]; - - if (len < asn1->size || memcmp(out, asn1->data, asn1->size)) { - log_err("%s: verification failed: %d (asn1 mismatch)\n", - file, err); - return -1; - } - - len -= asn1->size; - - if (len != size || memcmp(out + asn1->size, hash, len)) { - log_err("%s: verification failed: %d (digest mismatch)\n", - file, err); - return -1; - } - - return 0; + pkey = read_pub_pkey(keyfile, 1); + if (!pkey) + return -1; + pkey_free = pkey; + } + + st = "EVP_PKEY_CTX_new"; + if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL))) + goto err; + st = "EVP_PKEY_verify_init"; + if (!EVP_PKEY_verify_init(ctx)) + goto err; + st = "EVP_get_digestbyname"; + if (!(md = EVP_get_digestbyname(params.hash_algo))) + goto err; + st = "EVP_PKEY_CTX_set_signature_md"; + if (!EVP_PKEY_CTX_set_signature_md(ctx, md)) + goto err; + st = "EVP_PKEY_verify"; + ret = EVP_PKEY_verify(ctx, sig + sizeof(*hdr), + siglen - sizeof(*hdr), hash, size); + if (ret == 1) + ret = 0; + else if (ret == 0) { + log_err("%s: verification failed: %d (%s)\n", + file, ret, ERR_reason_error_string(ERR_get_error())); + ret = 1; + } +err: + if (ret < 0 || ret > 1) { + log_err("%s: verification failed: %d (%s) in %s\n", + file, ret, ERR_reason_error_string(ERR_peek_error()), + st); + ret = -1; + } + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey_free); + return ret; } int get_hash_algo(const char *algo) From patchwork Wed Jul 3 15:50:11 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vitaly Chikunov X-Patchwork-Id: 11029757 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 6B98C13A4 for ; Wed, 3 Jul 2019 15:51:05 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5CA60285C7 for ; Wed, 3 Jul 2019 15:51:05 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 51676289EB; Wed, 3 Jul 2019 15:51:05 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9FE02285C7 for ; Wed, 3 Jul 2019 15:51:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726550AbfGCPvD (ORCPT ); Wed, 3 Jul 2019 11:51:03 -0400 Received: from vmicros1.altlinux.org ([194.107.17.57]:41770 "EHLO vmicros1.altlinux.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726473AbfGCPvD (ORCPT ); Wed, 3 Jul 2019 11:51:03 -0400 Received: from imap.altlinux.org (imap.altlinux.org [194.107.17.38]) by vmicros1.altlinux.org (Postfix) with ESMTP id 3580372CC6C; Wed, 3 Jul 2019 18:51:01 +0300 (MSK) Received: from beacon.altlinux.org (unknown [185.6.174.98]) by imap.altlinux.org (Postfix) with ESMTPSA id 128064A4A29; Wed, 3 Jul 2019 18:51:01 +0300 (MSK) From: Vitaly Chikunov To: Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org Subject: [PATCH v8 5/9] ima-evm-utils: Convert sign_hash_v2 to EVP_PKEY API Date: Wed, 3 Jul 2019 18:50:11 +0300 Message-Id: <20190703155015.14262-6-vt@altlinux.org> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190703155015.14262-1-vt@altlinux.org> References: <20190703155015.14262-1-vt@altlinux.org> MIME-Version: 1.0 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Convert sign_hash_v2() to use more generic EVP_PKEY API instead of RSA API. This enables generation of more signatures out of the box, such as EC-RDSA (GOST) and any other that OpenSSL supports. This conversion also fixes generation of MD4 signatures, because it didn't have proper RSA_ASN1_template. Signed-off-by: Vitaly Chikunov --- src/libimaevm.c | 60 ++++++++++++++++++++++++++++++++++----------------------- 1 file changed, 36 insertions(+), 24 deletions(-) diff --git a/src/libimaevm.c b/src/libimaevm.c index 4c98cb0..213855c 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -924,14 +924,20 @@ out: return len; } +/* + * @sig is assumed to be of (MAX_SIGNATURE_SIZE - 1) size + * Return: -1 signing error, >0 length of signature + */ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig) { struct signature_v2_hdr *hdr; int len = -1; - RSA *key; + EVP_PKEY *pkey; char name[20]; - unsigned char *buf; - const struct RSA_ASN1_template *asn1; + EVP_PKEY_CTX *ctx = NULL; + const EVP_MD *md; + size_t sigsize; + const char *st; if (!hash) { log_err("sign_hash_v2: hash is null\n"); @@ -956,8 +962,8 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch log_info("hash: "); log_dump(hash, size); - key = read_priv_key(keyfile, params.keypass); - if (!key) + pkey = read_priv_pkey(keyfile, params.keypass); + if (!pkey) return -1; hdr = (struct signature_v2_hdr *)sig; @@ -965,31 +971,37 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch hdr->hash_algo = get_hash_algo(algo); - calc_keyid_v2(&hdr->keyid, name, key); + calc_pkeyid_v2(&hdr->keyid, name, pkey); - asn1 = &RSA_ASN1_templates[hdr->hash_algo]; - - buf = malloc(size + asn1->size); - if (!buf) - goto out; - - memcpy(buf, asn1->data, asn1->size); - memcpy(buf + asn1->size, hash, size); - len = RSA_private_encrypt(size + asn1->size, buf, hdr->sig, - key, RSA_PKCS1_PADDING); - if (len < 0) { - log_err("RSA_private_encrypt() failed: %d\n", len); - goto out; - } + st = "EVP_PKEY_CTX_new"; + if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL))) + goto err; + st = "EVP_PKEY_sign_init"; + if (!EVP_PKEY_sign_init(ctx)) + goto err; + st = "EVP_get_digestbyname"; + if (!(md = EVP_get_digestbyname(params.hash_algo))) + goto err; + st = "EVP_PKEY_CTX_set_signature_md"; + if (!EVP_PKEY_CTX_set_signature_md(ctx, md)) + goto err; + st = "EVP_PKEY_sign"; + sigsize = MAX_SIGNATURE_SIZE - sizeof(struct signature_v2_hdr) - 1; + if (!EVP_PKEY_sign(ctx, hdr->sig, &sigsize, hash, size)) + goto err; + len = (int)sigsize; /* we add bit length of the signature to make it gnupg compatible */ hdr->sig_size = __cpu_to_be16(len); len += sizeof(*hdr); log_info("evm/ima signature: %d bytes\n", len); -out: - if (buf) - free(buf); - RSA_free(key); + +err: + if (len == -1) + log_err("sign_hash_v2: signing failed: (%s) in %s\n", + ERR_reason_error_string(ERR_peek_error()), st); + EVP_PKEY_CTX_free(ctx); + EVP_PKEY_free(pkey); return len; } From patchwork Wed Jul 3 15:50:12 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vitaly Chikunov X-Patchwork-Id: 11029759 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B73CC13A4 for ; Wed, 3 Jul 2019 15:51:13 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A877227E01 for ; Wed, 3 Jul 2019 15:51:13 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 9C941289ED; Wed, 3 Jul 2019 15:51:13 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2966C27E01 for ; Wed, 3 Jul 2019 15:51:13 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726430AbfGCPvM (ORCPT ); Wed, 3 Jul 2019 11:51:12 -0400 Received: from vmicros1.altlinux.org ([194.107.17.57]:41870 "EHLO vmicros1.altlinux.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726473AbfGCPvM (ORCPT ); Wed, 3 Jul 2019 11:51:12 -0400 Received: from imap.altlinux.org (imap.altlinux.org [194.107.17.38]) by vmicros1.altlinux.org (Postfix) with ESMTP id 3ED9E72CC6C; Wed, 3 Jul 2019 18:51:09 +0300 (MSK) Received: from beacon.altlinux.org (unknown [185.6.174.98]) by imap.altlinux.org (Postfix) with ESMTPSA id 19CC94A4A29; Wed, 3 Jul 2019 18:51:09 +0300 (MSK) From: Vitaly Chikunov To: Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org Subject: [PATCH v8 6/9] ima-evm-utils: Replace calc_keyid_v2 with calc_pkeyid_v2 Date: Wed, 3 Jul 2019 18:50:12 +0300 Message-Id: <20190703155015.14262-7-vt@altlinux.org> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190703155015.14262-1-vt@altlinux.org> References: <20190703155015.14262-1-vt@altlinux.org> MIME-Version: 1.0 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Finish conversion of calc keyid v2 to EVP_PKEY API. After sign_hash_v2() is switched to EVP_PKEY API (in previous commit), older RSA-specific calc_keyid_v2() does not needed anymore and can be replaced with calc_pkeyid_v2(). Signed-off-by: Vitaly Chikunov --- src/evmctl.c | 2 +- src/imaevm.h | 3 +-- src/libimaevm.c | 28 +++------------------------- 3 files changed, 5 insertions(+), 28 deletions(-) diff --git a/src/evmctl.c b/src/evmctl.c index eed8f9a..354d731 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -934,7 +934,7 @@ static int cmd_import(struct command *cmd) EVP_PKEY_free(pkey); return 1; } - calc_pkeyid_v2((uint32_t *)keyid, name, pkey); + calc_keyid_v2((uint32_t *)keyid, name, pkey); EVP_PKEY_free(pkey); } else { RSA *key = read_pub_key(inkey, params.x509); diff --git a/src/imaevm.h b/src/imaevm.h index 48d2663..9af43a2 100644 --- a/src/imaevm.h +++ b/src/imaevm.h @@ -219,8 +219,7 @@ RSA *read_pub_key(const char *keyfile, int x509); EVP_PKEY *read_pub_pkey(const char *keyfile, int x509); void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len); -void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key); -void calc_pkeyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey); +void calc_keyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey); int key2bin(RSA *key, unsigned char *pub); int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig); diff --git a/src/libimaevm.c b/src/libimaevm.c index 213855c..25d5a00 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -495,7 +495,7 @@ void init_public_keys(const char *keyfiles) continue; } - calc_pkeyid_v2(&entry->keyid, entry->name, entry->key); + calc_keyid_v2(&entry->keyid, entry->name, entry->key); sprintf(entry->name, "%x", __be32_to_cpup(&entry->keyid)); log_info("key %d: %s %s\n", i++, entry->name, keyfile); entry->next = public_keys; @@ -741,32 +741,10 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len log_info("keyid-v1: %s\n", str); } -void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key) -{ - uint8_t sha1[SHA_DIGEST_LENGTH]; - unsigned char *pkey = NULL; - int len; - - len = i2d_RSAPublicKey(key, &pkey); - - SHA1(pkey, len, sha1); - - /* sha1[12 - 19] is exactly keyid from gpg file */ - memcpy(keyid, sha1 + 16, 4); - log_debug("keyid: "); - log_debug_dump(keyid, 4); - sprintf(str, "%x", __be32_to_cpup(keyid)); - - if (params.verbose > LOG_INFO) - log_info("keyid: %s\n", str); - - free(pkey); -} - /* * Calculate keyid of the public_key part of EVP_PKEY */ -void calc_pkeyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey) +void calc_keyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey) { X509_PUBKEY *pk = NULL; const unsigned char *public_key = NULL; @@ -971,7 +949,7 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch hdr->hash_algo = get_hash_algo(algo); - calc_pkeyid_v2(&hdr->keyid, name, pkey); + calc_keyid_v2(&hdr->keyid, name, pkey); st = "EVP_PKEY_CTX_new"; if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL))) From patchwork Wed Jul 3 15:50:13 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vitaly Chikunov X-Patchwork-Id: 11029761 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id B84BA1398 for ; Wed, 3 Jul 2019 15:51:19 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A93E5285C7 for ; Wed, 3 Jul 2019 15:51:19 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 9E195289ED; Wed, 3 Jul 2019 15:51:19 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3B8E3289EE for ; Wed, 3 Jul 2019 15:51:19 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726473AbfGCPvT (ORCPT ); Wed, 3 Jul 2019 11:51:19 -0400 Received: from vmicros1.altlinux.org ([194.107.17.57]:41946 "EHLO vmicros1.altlinux.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725847AbfGCPvS (ORCPT ); Wed, 3 Jul 2019 11:51:18 -0400 Received: from imap.altlinux.org (imap.altlinux.org [194.107.17.38]) by vmicros1.altlinux.org (Postfix) with ESMTP id D9D3A72CC6C; Wed, 3 Jul 2019 18:51:15 +0300 (MSK) Received: from beacon.altlinux.org (unknown [185.6.174.98]) by imap.altlinux.org (Postfix) with ESMTPSA id B60BB4A4A29; Wed, 3 Jul 2019 18:51:15 +0300 (MSK) From: Vitaly Chikunov To: Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org Subject: [PATCH v8 7/9] ima-evm-utils: Remove RSA_ASN1_templates Date: Wed, 3 Jul 2019 18:50:13 +0300 Message-Id: <20190703155015.14262-8-vt@altlinux.org> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190703155015.14262-1-vt@altlinux.org> References: <20190703155015.14262-1-vt@altlinux.org> MIME-Version: 1.0 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP RSA_ASN1_templates[] are not needed anymore, because we switched to the generic EVP_PKEY OpenSSL API to generate v2 signatures instead of constructing PKCS1 ourselves. Signed-off-by: Vitaly Chikunov --- src/imaevm.h | 1 - src/libimaevm.c | 57 --------------------------------------------------------- 2 files changed, 58 deletions(-) diff --git a/src/imaevm.h b/src/imaevm.h index 9af43a2..dc81a3a 100644 --- a/src/imaevm.h +++ b/src/imaevm.h @@ -207,7 +207,6 @@ struct RSA_ASN1_template { #define NUM_PCRS 20 #define DEFAULT_PCR 10 -extern const struct RSA_ASN1_template RSA_ASN1_templates[PKEY_HASH__LAST]; extern struct libevm_params params; void do_dump(FILE *fp, const void *ptr, int len, bool cr); diff --git a/src/libimaevm.c b/src/libimaevm.c index 25d5a00..d8e23a3 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -81,63 +81,6 @@ const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = { [PKEY_HASH_STREEBOG_512] = "streebog512", }; -/* - * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2]. - */ -static const uint8_t RSA_digest_info_MD5[] = { - 0x30, 0x20, 0x30, 0x0C, 0x06, 0x08, - 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* OID */ - 0x05, 0x00, 0x04, 0x10 -}; - -static const uint8_t RSA_digest_info_SHA1[] = { - 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, - 0x2B, 0x0E, 0x03, 0x02, 0x1A, - 0x05, 0x00, 0x04, 0x14 -}; - -static const uint8_t RSA_digest_info_RIPE_MD_160[] = { - 0x30, 0x21, 0x30, 0x09, 0x06, 0x05, - 0x2B, 0x24, 0x03, 0x02, 0x01, - 0x05, 0x00, 0x04, 0x14 -}; - -static const uint8_t RSA_digest_info_SHA224[] = { - 0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09, - 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04, - 0x05, 0x00, 0x04, 0x1C -}; - -static const uint8_t RSA_digest_info_SHA256[] = { - 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, - 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, - 0x05, 0x00, 0x04, 0x20 -}; - -static const uint8_t RSA_digest_info_SHA384[] = { - 0x30, 0x41, 0x30, 0x0d, 0x06, 0x09, - 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02, - 0x05, 0x00, 0x04, 0x30 -}; - -static const uint8_t RSA_digest_info_SHA512[] = { - 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, - 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, - 0x05, 0x00, 0x04, 0x40 -}; - -const struct RSA_ASN1_template RSA_ASN1_templates[PKEY_HASH__LAST] = { -#define _(X) { RSA_digest_info_##X, sizeof(RSA_digest_info_##X) } - [PKEY_HASH_MD5] = _(MD5), - [PKEY_HASH_SHA1] = _(SHA1), - [PKEY_HASH_RIPE_MD_160] = _(RIPE_MD_160), - [PKEY_HASH_SHA256] = _(SHA256), - [PKEY_HASH_SHA384] = _(SHA384), - [PKEY_HASH_SHA512] = _(SHA512), - [PKEY_HASH_SHA224] = _(SHA224), -#undef _ -}; - struct libevm_params params = { .verbose = LOG_INFO - 1, .x509 = 1, From patchwork Wed Jul 3 15:50:14 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vitaly Chikunov X-Patchwork-Id: 11029763 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id A74CF1398 for ; Wed, 3 Jul 2019 15:51:25 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9762C2879E for ; Wed, 3 Jul 2019 15:51:25 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 8C15B28A09; Wed, 3 Jul 2019 15:51:25 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2B54428A0B for ; Wed, 3 Jul 2019 15:51:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726490AbfGCPvZ (ORCPT ); Wed, 3 Jul 2019 11:51:25 -0400 Received: from vmicros1.altlinux.org ([194.107.17.57]:42048 "EHLO vmicros1.altlinux.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725847AbfGCPvY (ORCPT ); Wed, 3 Jul 2019 11:51:24 -0400 Received: from imap.altlinux.org (imap.altlinux.org [194.107.17.38]) by vmicros1.altlinux.org (Postfix) with ESMTP id 9CAB572CC6C; Wed, 3 Jul 2019 18:51:21 +0300 (MSK) Received: from beacon.altlinux.org (unknown [185.6.174.98]) by imap.altlinux.org (Postfix) with ESMTPSA id 7E08E4A4AF1; Wed, 3 Jul 2019 18:51:21 +0300 (MSK) From: Vitaly Chikunov To: Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org Subject: [PATCH v8 8/9] ima-evm-utils: Pass status codes from sign and hash functions to the callers Date: Wed, 3 Jul 2019 18:50:14 +0300 Message-Id: <20190703155015.14262-9-vt@altlinux.org> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190703155015.14262-1-vt@altlinux.org> References: <20190703155015.14262-1-vt@altlinux.org> MIME-Version: 1.0 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Move sign_hash()/ima_calc_hash()/calc_evm_hmac()/calc_evm_hash() status checking before assert()'ing of their return values, so it can be passed to the upper level callers. Especially useful for showing errors. Fixes: 1d9c279279 ("Define hash and sig buffer sizes and add asserts") Fixes: 9643544701 ("Fix hash buffer overflow in verify_evm and hmac_evm") Signed-off-by: Vitaly Chikunov ima-evm-utils: Fix assert after ima_calc_hash --- src/evmctl.c | 16 ++++++++-------- src/libimaevm.c | 2 +- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/src/evmctl.c b/src/evmctl.c index 354d731..4e0a831 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -514,14 +514,14 @@ static int sign_evm(const char *file, const char *key) int len, err; len = calc_evm_hash(file, hash); - assert(len <= sizeof(hash)); if (len <= 1) return len; + assert(len <= sizeof(hash)); len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1); - assert(len < sizeof(sig)); if (len <= 1) return len; + assert(len < sizeof(sig)); /* add header */ len++; @@ -563,9 +563,9 @@ static int hash_ima(const char *file) } len = ima_calc_hash(file, hash + offset); - assert(len + offset <= sizeof(hash)); if (len <= 1) return len; + assert(len + offset <= sizeof(hash)); len += offset; @@ -593,14 +593,14 @@ static int sign_ima(const char *file, const char *key) int len, err; len = ima_calc_hash(file, hash); - assert(len <= sizeof(hash)); if (len <= 1) return len; + assert(len <= sizeof(hash)); len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1); - assert(len < sizeof(sig)); if (len <= 1) return len; + assert(len < sizeof(sig)); /* add header */ len++; @@ -724,9 +724,9 @@ static int cmd_sign_hash(struct command *cmd) hex2bin(hash, line, hashlen / 2); siglen = sign_hash(params.hash_algo, hash, hashlen/2, key, NULL, sig + 1); - assert(siglen < sizeof(sig)); if (siglen <= 1) return siglen; + assert(siglen < sizeof(sig)); fwrite(line, len, 1, stdout); fprintf(stdout, " "); @@ -778,9 +778,9 @@ static int verify_evm(const char *file) int len; mdlen = calc_evm_hash(file, hash); - assert(mdlen <= sizeof(hash)); if (mdlen <= 1) return mdlen; + assert(mdlen <= sizeof(hash)); len = lgetxattr(file, xattr_evm, sig, sizeof(sig)); if (len < 0) { @@ -1160,9 +1160,9 @@ static int hmac_evm(const char *file, const char *key) int len, err; len = calc_evm_hmac(file, key, hash); - assert(len <= sizeof(hash)); if (len <= 1) return len; + assert(len <= sizeof(hash)); log_info("hmac: "); log_dump(hash, len); diff --git a/src/libimaevm.c b/src/libimaevm.c index d8e23a3..caf1237 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -618,9 +618,9 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen, return verify_hash(file, digest, digestlen, sig + 1, siglen - 1); hashlen = ima_calc_hash(file, hash); - assert(hashlen <= sizeof(hash)); if (hashlen <= 1) return hashlen; + assert(hashlen <= sizeof(hash)); return verify_hash(file, hash, hashlen, sig + 1, siglen - 1); } From patchwork Wed Jul 3 15:50:15 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vitaly Chikunov X-Patchwork-Id: 11029765 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 1BE9513A4 for ; Wed, 3 Jul 2019 15:51:34 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0C0F328477 for ; Wed, 3 Jul 2019 15:51:34 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 0084E289ED; Wed, 3 Jul 2019 15:51:33 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E811228477 for ; Wed, 3 Jul 2019 15:51:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725933AbfGCPvc (ORCPT ); Wed, 3 Jul 2019 11:51:32 -0400 Received: from vmicros1.altlinux.org ([194.107.17.57]:42152 "EHLO vmicros1.altlinux.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725847AbfGCPvc (ORCPT ); Wed, 3 Jul 2019 11:51:32 -0400 Received: from imap.altlinux.org (imap.altlinux.org [194.107.17.38]) by vmicros1.altlinux.org (Postfix) with ESMTP id DB7AC72CC6C; Wed, 3 Jul 2019 18:51:29 +0300 (MSK) Received: from beacon.altlinux.org (unknown [185.6.174.98]) by imap.altlinux.org (Postfix) with ESMTPSA id E95654A4A29; Wed, 3 Jul 2019 18:51:28 +0300 (MSK) From: Vitaly Chikunov To: Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org Subject: [PATCH v8 9/9] ima-evm-utils: Log hash_algo with hash value in verbose mode Date: Wed, 3 Jul 2019 18:50:15 +0300 Message-Id: <20190703155015.14262-10-vt@altlinux.org> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190703155015.14262-1-vt@altlinux.org> References: <20190703155015.14262-1-vt@altlinux.org> MIME-Version: 1.0 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP It's useful to know not just a hash value but also which algorithm is used. Signed-off-by: Vitaly Chikunov --- src/libimaevm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/libimaevm.c b/src/libimaevm.c index caf1237..51d6c33 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -460,7 +460,7 @@ int verify_hash_v2(const char *file, const unsigned char *hash, int size, const char *st; if (params.verbose > LOG_INFO) { - log_info("hash: "); + log_info("hash(%s): ", params.hash_algo); log_dump(hash, size); } @@ -880,7 +880,7 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch return -1; } - log_info("hash: "); + log_info("hash(%s): ", params.hash_algo); log_dump(hash, size); pkey = read_priv_pkey(keyfile, params.keypass);