From patchwork Sat Mar 23 01:41:51 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vitaly Chikunov X-Patchwork-Id: 10866693 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id CED68139A for ; Sat, 23 Mar 2019 01:42:13 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B95A52A908 for ; Sat, 23 Mar 2019 01:42:13 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id AD3B22A970; Sat, 23 Mar 2019 01:42:13 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 703042A908 for ; Sat, 23 Mar 2019 01:42:12 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727918AbfCWBmM (ORCPT ); Fri, 22 Mar 2019 21:42:12 -0400 Received: from vmicros1.altlinux.org ([194.107.17.57]:58166 "EHLO vmicros1.altlinux.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727554AbfCWBmM (ORCPT ); Fri, 22 Mar 2019 21:42:12 -0400 Received: from imap.altlinux.org (imap.altlinux.org [194.107.17.38]) by vmicros1.altlinux.org (Postfix) with ESMTP id 5025672CCAC; Sat, 23 Mar 2019 04:42:08 +0300 (MSK) Received: from beacon.altlinux.org (unknown [185.6.174.98]) by imap.altlinux.org (Postfix) with ESMTPSA id 094FC4A4A16; Sat, 23 Mar 2019 04:42:08 +0300 (MSK) From: Vitaly Chikunov To: Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org Cc: Mimi Zohar Subject: [PATCH 1/2] ima-evm-utils: Extract digest algorithms from hash_info.h Date: Sat, 23 Mar 2019 04:41:51 +0300 Message-Id: <20190323014152.14701-2-vt@altlinux.org> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190323014152.14701-1-vt@altlinux.org> References: <20190323014152.14701-1-vt@altlinux.org> MIME-Version: 1.0 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP If configured with "--with-kernel-headers=PATH" try to extract hash algorithms from "hash_info.h" from the kernel source tree or kernel-headers package located in the specified path. (Otherwise, it will be tried to get from the installed kernel.) This also introduces two algorithm lists, one is built-in and another is from the kernel source. (They should never contain conflicting algorithm IDs by their append-only nature.) If the digest is not found in the built-in list it will be searched in the list from kernel's "hash_info.h". This patch will allow evmctl to be just recompiled to work with digest algorithms introduced in the newer kernels. Suggested-by: Mimi Zohar Signed-off-by: Vitaly Chikunov --- configure.ac | 6 ++++++ src/Makefile.am | 6 ++++++ src/hash_info.gen | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ src/libimaevm.c | 23 ++++++++++++++++++++++- 4 files changed, 83 insertions(+), 1 deletion(-) create mode 100755 src/hash_info.gen diff --git a/configure.ac b/configure.ac index a5b4288..60f3684 100644 --- a/configure.ac +++ b/configure.ac @@ -27,12 +27,18 @@ AC_HEADER_STDC PKG_CHECK_MODULES(OPENSSL, [ openssl >= 0.9.8 ]) AC_SUBST(OPENSSL_CFLAGS) AC_SUBST(OPENSSL_LIBS) +AC_SUBST(KERNEL_HEADERS) AC_CHECK_HEADER(unistd.h) AC_CHECK_HEADERS(openssl/conf.h) AC_CHECK_HEADERS(sys/xattr.h, , [AC_MSG_ERROR([sys/xattr.h header not found. You need the c-library development package.])]) AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You need the libkeyutils development package.])]) +AC_ARG_WITH(kernel_headers, [AS_HELP_STRING([--with-kernel-headers=PATH], + [specifies the Linux kernel-headers package location or kernel root directory you want to use])], + [KERNEL_HEADERS="$withval"], + [KERNEL_HEADERS=/lib/modules/$(uname -r)/source]) + #debug support - yes for a while PKG_ARG_ENABLE(debug, "yes", DEBUG, [Enable Debug support]) if test $pkg_cv_enable_debug = yes; then diff --git a/src/Makefile.am b/src/Makefile.am index deb18fb..d74fc6f 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -9,6 +9,11 @@ libimaevm_la_LIBADD = $(OPENSSL_LIBS) include_HEADERS = imaevm.h +nodist_libimaevm_la_SOURCES = hash_info.h +BUILT_SOURCES = hash_info.h +hash_info.h: Makefile + ./hash_info.gen $(KERNEL_HEADERS) >$@ + bin_PROGRAMS = evmctl evmctl_SOURCES = evmctl.c @@ -18,5 +23,6 @@ evmctl_LDADD = $(OPENSSL_LIBS) -lkeyutils libimaevm.la INCLUDES = -I$(top_srcdir) -include config.h +CLEANFILES = hash_info.h DISTCLEANFILES = @DISTCLEANFILES@ diff --git a/src/hash_info.gen b/src/hash_info.gen new file mode 100755 index 0000000..54532ca --- /dev/null +++ b/src/hash_info.gen @@ -0,0 +1,49 @@ +#!/bin/sh +# +# Generate hash_info.h from kernel headers +# +# Copyright (C) 2018 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. + +KERNEL_HEADERS=$1 +HASH_INFO_H=uapi/linux/hash_info.h +HASH_INFO=$KERNEL_HEADERS/include/$HASH_INFO_H + +# Allow to specify kernel-headers past include/ +if [ ! -e $HASH_INFO ]; then + HASH_INFO2=$KERNEL_HEADERS/$HASH_INFO_H + if [ -e $HASH_INFO2 ]; then + HASH_INFO=$HASH_INFO2 + fi +fi + +if [ ! -e $HASH_INFO ]; then + echo "/* $HASH_INFO is not found */" + HASH_INFO=/dev/null +else + echo "/* $HASH_INFO is found */" +fi + +echo "enum hash_algo {" +grep HASH_ALGO_.*, $HASH_INFO +printf "\tHASH_ALGO__LAST\n" +echo "};" + +echo "const char *const hash_algo_name[HASH_ALGO__LAST] = {" +sed -n 's/HASH_ALGO_\(.*\),/\1 \L\1\E/p' $HASH_INFO | \ + while read a b; do + # Normalize text hash name: if it contains underscore between + # digits replace it with a dash, other underscores are removed. + b=$(echo "$b" | sed "s/\([0-9]\)_\([0-9]\)/\1-\2/g;s/_//g") + printf '\t%-26s = "%s",\n' "[HASH_ALGO_$a]" "$b" + done +echo "};" diff --git a/src/libimaevm.c b/src/libimaevm.c index ca77532..bc7be1e 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -50,6 +50,7 @@ #include #include #include +#include #include #include @@ -58,6 +59,7 @@ #include #include "imaevm.h" +#include "hash_info.h" const char *const pkey_hash_algo[PKEY_HASH__LAST] = { [PKEY_HASH_MD4] = "md4", @@ -153,6 +155,17 @@ void dump(const void *ptr, int len) do_dump(stdout, ptr, len, true); } +const char *get_hash_algo_by_id(int algo) +{ + if (algo < PKEY_HASH__LAST) + return pkey_hash_algo[algo]; + if (algo < HASH_ALGO__LAST) + return hash_algo_name[algo]; + + log_err("digest %d not found\n", algo); + return "unknown"; +} + int get_filesize(const char *filename) { struct stat stats; @@ -532,11 +545,19 @@ int get_hash_algo(const char *algo) { int i; + /* first iterate over builtin algorithms */ for (i = 0; i < PKEY_HASH__LAST; i++) if (pkey_hash_algo[i] && !strcmp(algo, pkey_hash_algo[i])) return i; + /* iterate over algorithms provided by kernel-headers */ + for (i = 0; i < HASH_ALGO__LAST; i++) + if (hash_algo_name[i] && + !strcmp(algo, hash_algo_name[i])) + return i; + + log_info("digest %s not found, fall back to sha1\n", algo); return PKEY_HASH_SHA1; } @@ -611,7 +632,7 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen, return -1; } /* Use hash algorithm as retrieved from signature */ - params.hash_algo = pkey_hash_algo[sig_hash_algo]; + params.hash_algo = get_hash_algo_by_id(sig_hash_algo); /* * Validate the signature based on the digest included in the From patchwork Sat Mar 23 01:41:52 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Vitaly Chikunov X-Patchwork-Id: 10866695 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 411E8925 for ; Sat, 23 Mar 2019 01:42:16 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2B7E42A908 for ; Sat, 23 Mar 2019 01:42:16 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 1D25E2A970; Sat, 23 Mar 2019 01:42:16 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id AA0FB2A908 for ; Sat, 23 Mar 2019 01:42:15 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727554AbfCWBmP (ORCPT ); Fri, 22 Mar 2019 21:42:15 -0400 Received: from vmicros1.altlinux.org ([194.107.17.57]:58248 "EHLO vmicros1.altlinux.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727982AbfCWBmP (ORCPT ); Fri, 22 Mar 2019 21:42:15 -0400 Received: from imap.altlinux.org (imap.altlinux.org [194.107.17.38]) by vmicros1.altlinux.org (Postfix) with ESMTP id 4A19D72CCAC; Sat, 23 Mar 2019 04:42:13 +0300 (MSK) Received: from beacon.altlinux.org (unknown [185.6.174.98]) by imap.altlinux.org (Postfix) with ESMTPSA id 0E9C84A4A16; Sat, 23 Mar 2019 04:42:12 +0300 (MSK) From: Vitaly Chikunov To: Mimi Zohar , Dmitry Kasatkin , linux-integrity@vger.kernel.org Subject: [PATCH 2/2] ima-evm-utils: try to load digest by its alias Date: Sat, 23 Mar 2019 04:41:52 +0300 Message-Id: <20190323014152.14701-3-vt@altlinux.org> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20190323014152.14701-1-vt@altlinux.org> References: <20190323014152.14701-1-vt@altlinux.org> MIME-Version: 1.0 Sender: linux-integrity-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-integrity@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Primary names of the algorithms are different for OpenSSL and Kernel. Allow to use both of them. Signed-off-by: Vitaly Chikunov Reviewed-by:  Mimi Zohar --- src/libimaevm.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/libimaevm.c b/src/libimaevm.c index bc7be1e..6783110 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -61,6 +61,7 @@ #include "imaevm.h" #include "hash_info.h" +/* Names that are primary for OpenSSL. */ const char *const pkey_hash_algo[PKEY_HASH__LAST] = { [PKEY_HASH_MD4] = "md4", [PKEY_HASH_MD5] = "md5", @@ -70,6 +71,12 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = { [PKEY_HASH_SHA384] = "sha384", [PKEY_HASH_SHA512] = "sha512", [PKEY_HASH_SHA224] = "sha224", + [PKEY_HASH_STREEBOG_256] = "md_gost12_256", + [PKEY_HASH_STREEBOG_512] = "md_gost12_512", +}; + +/* Names that are primary for the kernel. */ +const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = { [PKEY_HASH_STREEBOG_256] = "streebog256", [PKEY_HASH_STREEBOG_512] = "streebog512", }; @@ -551,6 +558,11 @@ int get_hash_algo(const char *algo) !strcmp(algo, pkey_hash_algo[i])) return i; + for (i = 0; i < PKEY_HASH__LAST; i++) + if (pkey_hash_algo_kern[i] && + !strcmp(algo, pkey_hash_algo_kern[i])) + return i; + /* iterate over algorithms provided by kernel-headers */ for (i = 0; i < HASH_ALGO__LAST; i++) if (hash_algo_name[i] &&