From patchwork Sun Jul 7 23:48:33 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vitaly Chikunov X-Patchwork-Id: 11034467 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 33E4C1510 for ; Sun, 7 Jul 2019 23:49:03 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 246EF28113 for ; Sun, 7 Jul 2019 23:49:03 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 1629028173; Sun, 7 Jul 2019 23:49:03 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9E72528113 for ; Sun, 7 Jul 2019 23:49:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727606AbfGGXtC (ORCPT ); Sun, 7 Jul 2019 19:49:02 -0400 Received: from vmicros1.altlinux.org ([194.107.17.57]:43070 "EHLO vmicros1.altlinux.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727590AbfGGXtC (ORCPT ); Sun, 7 Jul 2019 19:49:02 -0400 Received: from imap.altlinux.org (imap.altlinux.org [194.107.17.38]) by vmicros1.altlinux.org (Postfix) with ESMTP id 5A94372CC6C; Mon, 8 Jul 2019 02:49:00 +0300 (MSK) Received: from beacon.altlinux.org (unknown [185.6.174.98]) by imap.altlinux.org (Postfix) with ESMTPSA id 368574A4AE8; Mon, 8 Jul 2019 02:49:00 +0300 (MSK) From: Vitaly Chikunov To: Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org Subject: [PATCH v1 1/5] ima-evm-utils: Fix EVP_MD_CTX leak in ima_calc_hash Date: Mon, 8 Jul 2019 02:48:33 +0300 Message-Id: <20190707234837.4866-2-vt@altlinux.org> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190707234837.4866-1-vt@altlinux.org> References: <20190707234837.4866-1-vt@altlinux.org> MIME-Version: 1.0 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP When pctx is allocated using EVP_MD_CTX_new() it should be freed. Found with ASan. Fixes: 81010f0 ("ima-evm-utils: Add backward compatible support for openssl 1.1") Signed-off-by: Vitaly Chikunov --- src/libimaevm.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/src/libimaevm.c b/src/libimaevm.c index 51d6c33..fe1962b 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -252,19 +252,21 @@ int ima_calc_hash(const char *file, uint8_t *hash) err = lstat(file, &st); if (err < 0) { log_err("Failed to stat: %s\n", file); - return err; + goto err; } md = EVP_get_digestbyname(params.hash_algo); if (!md) { log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo); - return 1; + err = 1; + goto err; } err = EVP_DigestInit(pctx, md); if (!err) { log_err("EVP_DigestInit() failed\n"); - return 1; + err = 1; + goto err; } switch (st.st_mode & S_IFMT) { @@ -283,19 +285,25 @@ int ima_calc_hash(const char *file, uint8_t *hash) break; default: log_errno("Unsupported file type"); - return -1; + err = -1; + goto err; } if (err) - return err; + goto err; err = EVP_DigestFinal(pctx, hash, &mdlen); if (!err) { log_err("EVP_DigestFinal() failed\n"); - return 1; + err = 1; + goto err; } - - return mdlen; + err = mdlen; +err: +#if OPENSSL_VERSION_NUMBER >= 0x10100000 + EVP_MD_CTX_free(pctx); +#endif + return err; } EVP_PKEY *read_pub_pkey(const char *keyfile, int x509) From patchwork Sun Jul 7 23:48:34 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vitaly Chikunov X-Patchwork-Id: 11034469 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 48D02112C for ; Sun, 7 Jul 2019 23:49:08 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3607E27FAE for ; Sun, 7 Jul 2019 23:49:08 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 276BE28173; Sun, 7 Jul 2019 23:49:08 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A4E3028113 for ; Sun, 7 Jul 2019 23:49:07 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727616AbfGGXtH (ORCPT ); Sun, 7 Jul 2019 19:49:07 -0400 Received: from vmicros1.altlinux.org ([194.107.17.57]:43116 "EHLO vmicros1.altlinux.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727590AbfGGXtH (ORCPT ); Sun, 7 Jul 2019 19:49:07 -0400 Received: from imap.altlinux.org (imap.altlinux.org [194.107.17.38]) by vmicros1.altlinux.org (Postfix) with ESMTP id 5708972CC6C; Mon, 8 Jul 2019 02:49:05 +0300 (MSK) Received: from beacon.altlinux.org (unknown [185.6.174.98]) by imap.altlinux.org (Postfix) with ESMTPSA id 169AE4A4AE8; Mon, 8 Jul 2019 02:49:05 +0300 (MSK) From: Vitaly Chikunov To: Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org Subject: [PATCH v1 2/5] ima-evm-utils: Fix memory leak in init_public_keys Date: Mon, 8 Jul 2019 02:48:34 +0300 Message-Id: <20190707234837.4866-3-vt@altlinux.org> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190707234837.4866-1-vt@altlinux.org> References: <20190707234837.4866-1-vt@altlinux.org> MIME-Version: 1.0 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP strdup'ed string should be freed. Found with ASan. Signed-off-by: Vitaly Chikunov --- src/libimaevm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/libimaevm.c b/src/libimaevm.c index fe1962b..b556276 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -421,11 +421,12 @@ static EVP_PKEY *find_keyid(uint32_t keyid) void init_public_keys(const char *keyfiles) { struct public_key_entry *entry; - char *tmp_keyfiles; + char *tmp_keyfiles, *keyfiles_free; char *keyfile; int i = 1; tmp_keyfiles = strdup(keyfiles); + keyfiles_free = tmp_keyfiles; while ((keyfile = strsep(&tmp_keyfiles, ", \t")) != NULL) { if (!keyfile) @@ -452,6 +453,7 @@ void init_public_keys(const char *keyfiles) entry->next = public_keys; public_keys = entry; } + free(keyfiles_free); } /* From patchwork Sun Jul 7 23:48:35 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vitaly Chikunov X-Patchwork-Id: 11034471 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 859B91510 for ; Sun, 7 Jul 2019 23:49:12 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7635A27FAE for ; Sun, 7 Jul 2019 23:49:12 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 6ABA728173; Sun, 7 Jul 2019 23:49:12 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0CA8427FAE for ; Sun, 7 Jul 2019 23:49:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727618AbfGGXtL (ORCPT ); Sun, 7 Jul 2019 19:49:11 -0400 Received: from vmicros1.altlinux.org ([194.107.17.57]:43172 "EHLO vmicros1.altlinux.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727590AbfGGXtL (ORCPT ); Sun, 7 Jul 2019 19:49:11 -0400 Received: from imap.altlinux.org (imap.altlinux.org [194.107.17.38]) by vmicros1.altlinux.org (Postfix) with ESMTP id C56F372CC6C; Mon, 8 Jul 2019 02:49:09 +0300 (MSK) Received: from beacon.altlinux.org (unknown [185.6.174.98]) by imap.altlinux.org (Postfix) with ESMTPSA id 8215C4A4AE8; Mon, 8 Jul 2019 02:49:09 +0300 (MSK) From: Vitaly Chikunov To: Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org Subject: [PATCH v1 3/5] ima-evm-utils: Preload public keys for ima_verify Date: Mon, 8 Jul 2019 02:48:35 +0300 Message-Id: <20190707234837.4866-4-vt@altlinux.org> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190707234837.4866-1-vt@altlinux.org> References: <20190707234837.4866-1-vt@altlinux.org> MIME-Version: 1.0 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This allows testing verify_hash_v2() with multiple public keys. Signed-off-by: Vitaly Chikunov --- src/evmctl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/evmctl.c b/src/evmctl.c index 4e0a831..fac593a 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -840,6 +840,9 @@ static int cmd_verify_ima(struct command *cmd) char *file = g_argv[optind++]; int err; + if (params.keyfile) + init_public_keys(params.keyfile); + errno = 0; if (!file) { log_err("Parameters missing\n"); From patchwork Sun Jul 7 23:48:36 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vitaly Chikunov X-Patchwork-Id: 11034473 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DDB511510 for ; Sun, 7 Jul 2019 23:49:16 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id CD1A127FAE for ; Sun, 7 Jul 2019 23:49:16 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id BFFA028173; Sun, 7 Jul 2019 23:49:16 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 67CB027FAE for ; Sun, 7 Jul 2019 23:49:16 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727639AbfGGXtQ (ORCPT ); Sun, 7 Jul 2019 19:49:16 -0400 Received: from vmicros1.altlinux.org ([194.107.17.57]:43248 "EHLO vmicros1.altlinux.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727590AbfGGXtQ (ORCPT ); Sun, 7 Jul 2019 19:49:16 -0400 Received: from imap.altlinux.org (imap.altlinux.org [194.107.17.38]) by vmicros1.altlinux.org (Postfix) with ESMTP id 1DE0572CC6C; Mon, 8 Jul 2019 02:49:14 +0300 (MSK) Received: from beacon.altlinux.org (unknown [185.6.174.98]) by imap.altlinux.org (Postfix) with ESMTPSA id 8C1EF4A4AE8; Mon, 8 Jul 2019 02:49:13 +0300 (MSK) From: Vitaly Chikunov To: Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org Subject: [PATCH v1 4/5] ima-evm-utils: Allow multiple files in ima_verify Date: Mon, 8 Jul 2019 02:48:36 +0300 Message-Id: <20190707234837.4866-5-vt@altlinux.org> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190707234837.4866-1-vt@altlinux.org> References: <20190707234837.4866-1-vt@altlinux.org> MIME-Version: 1.0 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP This allows testing multiple verify in a row, similar to ima_measurement. Signed-off-by: Vitaly Chikunov --- src/evmctl.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/evmctl.c b/src/evmctl.c index fac593a..7ce2022 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -850,9 +850,11 @@ static int cmd_verify_ima(struct command *cmd) return -1; } - err = verify_ima(file); - if (!err && params.verbose >= LOG_INFO) - log_info("%s: verification is OK\n", file); + do { + err = verify_ima(file); + if (!err && params.verbose >= LOG_INFO) + log_info("%s: verification is OK\n", file); + } while ((file = g_argv[optind++])); return err; } From patchwork Sun Jul 7 23:48:37 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vitaly Chikunov X-Patchwork-Id: 11034475 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 7EFF8112C for ; Sun, 7 Jul 2019 23:49:22 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6E92627FAE for ; Sun, 7 Jul 2019 23:49:22 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 62B7628173; Sun, 7 Jul 2019 23:49:22 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0450127FAE for ; Sun, 7 Jul 2019 23:49:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727692AbfGGXtV (ORCPT ); Sun, 7 Jul 2019 19:49:21 -0400 Received: from vmicros1.altlinux.org ([194.107.17.57]:43292 "EHLO vmicros1.altlinux.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727590AbfGGXtV (ORCPT ); Sun, 7 Jul 2019 19:49:21 -0400 Received: from imap.altlinux.org (imap.altlinux.org [194.107.17.38]) by vmicros1.altlinux.org (Postfix) with ESMTP id AE52D72CC6C; Mon, 8 Jul 2019 02:49:18 +0300 (MSK) Received: from beacon.altlinux.org (unknown [185.6.174.98]) by imap.altlinux.org (Postfix) with ESMTPSA id 938664A4AF6; Mon, 8 Jul 2019 02:49:18 +0300 (MSK) From: Vitaly Chikunov To: Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org Subject: [PATCH v1 5/5] ima-evm-utils: Fix clang warning about possible unaligned pointer for hdr->keyid Date: Mon, 8 Jul 2019 02:48:37 +0300 Message-Id: <20190707234837.4866-6-vt@altlinux.org> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190707234837.4866-1-vt@altlinux.org> References: <20190707234837.4866-1-vt@altlinux.org> MIME-Version: 1.0 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Struct signature_v2_hdr is packed so clang complains that taking address of packed member may result in an unaligned pointer value: libimaevm.c:481:21: warning: taking address of packed member 'keyid' of class or structure 'signature_v2_hdr' may result in an unaligned pointer value [-Waddress-of-packed-member] __be32_to_cpup(&hdr->keyid)); ^~~~~~~~~~ libimaevm.c:905:17: warning: taking address of packed member 'keyid' of class or structure 'signature_v2_hdr' may result in an unaligned pointer value [-Waddress-of-packed-member] calc_keyid_v2(&hdr->keyid, name, pkey); ^~~~~~~~~~ Signed-off-by: Vitaly Chikunov --- src/libimaevm.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/libimaevm.c b/src/libimaevm.c index b556276..f8ab812 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -475,10 +475,12 @@ int verify_hash_v2(const char *file, const unsigned char *hash, int size, } if (public_keys) { - pkey = find_keyid(hdr->keyid); + uint32_t keyid = hdr->keyid; + + pkey = find_keyid(keyid); if (!pkey) { log_err("%s: unknown keyid: %x\n", file, - __be32_to_cpup(&hdr->keyid)); + __be32_to_cpup(&keyid)); return -1; } } else { @@ -869,6 +871,7 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch const EVP_MD *md; size_t sigsize; const char *st; + uint32_t keyid; if (!hash) { log_err("sign_hash_v2: hash is null\n"); @@ -902,7 +905,8 @@ int sign_hash_v2(const char *algo, const unsigned char *hash, int size, const ch hdr->hash_algo = get_hash_algo(algo); - calc_keyid_v2(&hdr->keyid, name, pkey); + calc_keyid_v2(&keyid, name, pkey); + hdr->keyid = keyid; st = "EVP_PKEY_CTX_new"; if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL)))