From: Vitaly Chikunov <vt@altlinux.org>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>,
	Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
	linux-integrity@vger.kernel.org
Subject: [PATCH v3 4/7] ima-evm-utils: Allow using Streebog hash function
Date: Mon,  3 Dec 2018 06:35:22 +0300	[thread overview]
Message-ID: <20181203033525.20431-4-vt@altlinux.org> (raw)
In-Reply-To: <20181203033525.20431-1-vt@altlinux.org>

This patch will allow using GOST algorithms from OpenSSL's
gost-engine[1] via config extension (which is the usual way).

[1] https://github.com/gost-engine/engine

Full usage example:

1. Install the gost-engine package for your distro, this could be
libengine-gost-openssl1.1, openssl-gost-engine, or openssl-engines.

2. Edit openssl.cnf appropriately. Reference INSTALL.md of gost-engine
for the detailed instructions.

3. Then GOST algorithms should work:

  $ cp /dev/null a
  $ openssl dgst -streebog256 a
  md_gost12_256(a)= 3f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
  $ evmctl -v ima_hash -a streebog256 --xattr-user a
  hash: 04123f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
  $ getfattr -d -m. -ehex a
  # file: a
  user.ima=0x04123f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
Changes since v1:
- "--engine" option is moved into a separate patch.
Changes since v2:
- Add usage example to description.

 src/evmctl.c    |  6 +++---
 src/imaevm.h    | 13 +++++++++++++
 src/libimaevm.c | 15 +++++++++++----
 3 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index f4df027..1f6dad5 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -388,7 +388,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 
 	md = EVP_get_digestbyname(params.hash_algo);
 	if (!md) {
-		log_err("EVP_get_digestbyname() failed\n");
+		log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo);
 		return 1;
 	}
 
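Review bot: The new `%s` argument assumes params.hash_algo is never NULL; passing a NULL pointer for `%s` is undefined behaviour in printf-style formatting (glibc happens to print "(null)", other C libraries may crash). calc_evm_hash's body starts and ends outside the hunk, so I cannot see where params.hash_algo is initialised — if it always defaults to a string literal this is fine, otherwise a cheap guard keeps the message useful: `log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo ? params.hash_algo : "(unset)");`. The same pattern is introduced in the calc_evm_hmac hunk in this file and the ima_calc_hash hunk in libimaevm.c.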
@@ -1064,7 +1064,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
 
 	md = EVP_get_digestbyname(params.hash_algo);
 	if (!md) {
-		log_err("EVP_get_digestbyname() failed\n");
+		log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo);
 		goto out;
 	}
 
@@ -1653,7 +1653,7 @@ static void usage(void)
 
 	printf(
 		"\n"
-		"  -a, --hashalgo     sha1 (default), sha224, sha256, sha384, sha512\n"
+		"  -a, --hashalgo     sha1 (default), sha224, sha256, sha384, sha512, streebog256, streebog512\n"
 		"  -s, --imasig       make IMA signature\n"
 		"  -d, --imahash      make IMA hash\n"
 		"  -f, --sigfile      store IMA signature in .sig file instead of xattr\n"
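Review bot: The usage line now advertises streebog256/streebog512 as ordinary choices, but per the commit description they only work when the gost engine is configured in openssl.cnf; on a system without the engine the user only sees `EVP_get_digestbyname(streebog256) failed` with no hint why. Suggest qualifying the help text, e.g. `"  -a, --hashalgo     sha1 (default), sha224, sha256, sha384, sha512,\n"` followed by `"                     streebog256, streebog512 (need the OpenSSL gost engine)\n"`. usage() continues outside the hunk.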
diff --git a/src/imaevm.h b/src/imaevm.h
index 2ebe7e7..c81bf21 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -152,6 +152,7 @@ struct signature_hdr {
 	char mpi[0];
 } __packed;
 
+/* reflect enum hash_algo from include/uapi/linux/hash_info.h */
 enum pkey_hash_algo {
 	PKEY_HASH_MD4,
 	PKEY_HASH_MD5,
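Review bot: The added comment says the enum mirrors hash_info.h but not why its order is load-bearing: the enumerator's numeric value is written into the xattr/signature header and read back as `hdr->hash_algo` in verify_hash_v2. The example xattr in the description starts with `0412`, where 0x12 = 18 is exactly the position PKEY_HASH_STREEBOG_256 gets after this patch (assuming the entries hidden between the two hunks follow the kernel's order), so inserting or reordering an entry would silently change what existing signatures mean. Suggest making that explicit: `/* reflect enum hash_algo from include/uapi/linux/hash_info.h; the numeric values are part of the on-disk xattr/signature format, so only append, in the kernel's order */`.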
@@ -161,6 +162,18 @@ enum pkey_hash_algo {
 	PKEY_HASH_SHA384,
 	PKEY_HASH_SHA512,
 	PKEY_HASH_SHA224,
+	PKEY_HASH_RIPE_MD_128,
+	PKEY_HASH_RIPE_MD_256,
+	PKEY_HASH_RIPE_MD_320,
+	PKEY_HASH_WP_256,
+	PKEY_HASH_WP_384,
+	PKEY_HASH_WP_512,
+	PKEY_HASH_TGR_128,
+	PKEY_HASH_TGR_160,
+	PKEY_HASH_TGR_192,
+	PKEY_HASH_SM3_256,
+	PKEY_HASH_STREEBOG_256,
+	PKEY_HASH_STREEBOG_512,
 	PKEY_HASH__LAST
 };
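Review bot: Adding twelve enumerators before PKEY_HASH__LAST grows every table sized by it — `pkey_hash_algo[PKEY_HASH__LAST]` in libimaevm.c, and presumably RSA_ASN1_templates indexed by `hdr->hash_algo` in verify_hash_v2 — so those tables now hold NULL/zero entries for the ten algorithms that receive no name or template. get_hash_algo is patched to skip NULL names, but any other code that indexes pkey_hash_algo[] by an algorithm id (for example to print its name) would dereference NULL for RIPEMD-128 through SM3; I cannot see such readers from the hunks. Suggest a comment above the new enumerators, `/* only streebog gets a name in pkey_hash_algo[]; the others are placeholders to keep ids aligned with the kernel */`, and an audit of pkey_hash_algo[] users in the pkey_hash_algo table hunk of libimaevm.c.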
 
diff --git a/src/libimaevm.c b/src/libimaevm.c
index 34501ca..7b2b62c 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -51,6 +51,7 @@
 #include <stdio.h>
 #include <assert.h>
 
+#include <openssl/crypto.h>
 #include <openssl/pem.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
@@ -67,6 +68,8 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
 	[PKEY_HASH_SHA384]	= "sha384",
 	[PKEY_HASH_SHA512]	= "sha512",
 	[PKEY_HASH_SHA224]	= "sha224",
+	[PKEY_HASH_STREEBOG_256] = "streebog256",
+	[PKEY_HASH_STREEBOG_512] = "streebog512",
 };
 
 /*
@@ -291,7 +294,7 @@ int ima_calc_hash(const char *file, uint8_t *hash)
 
 	md = EVP_get_digestbyname(params.hash_algo);
 	if (!md) {
-		log_err("EVP_get_digestbyname() failed\n");
+		log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo);
 		return 1;
 	}
 
@@ -509,14 +512,16 @@ int verify_hash_v2(const char *file, const unsigned char *hash, int size,
 	asn1 = &RSA_ASN1_templates[hdr->hash_algo];
 
 	if (len < asn1->size || memcmp(out, asn1->data, asn1->size)) {
-		log_err("%s: verification failed: %d\n", file, err);
+		log_err("%s: verification failed: %d (asn1 mismatch)\n",
+			file, err);
 		return -1;
 	}
 
 	len -= asn1->size;
 
 	if (len != size || memcmp(out + asn1->size, hash, len)) {
-		log_err("%s: verification failed: %d\n", file, err);
+		log_err("%s: verification failed: %d (digest mismatch)\n",
+			file, err);
 		return -1;
 	}
 
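Review bot: `hdr->hash_algo` comes from the signature blob being verified and is used directly as an index into RSA_ASN1_templates on the first context line of this hunk; with PKEY_HASH__LAST now larger, whether that index is bounds-checked earlier in verify_hash_v2 is not visible here, and the function's start is outside the hunk. Separately, if RSA_ASN1_templates is sized by PKEY_HASH__LAST and has no template for the new ids, their entries have size 0, so `len < asn1->size` can never fire and the DigestInfo prefix check degenerates to a zero-length memcmp (with a NULL data pointer) — the signature would then be accepted on the raw digest comparison alone. Suggest rejecting ids without a template before the lookup: `if (hdr->hash_algo >= PKEY_HASH__LAST || !RSA_ASN1_templates[hdr->hash_algo].size) { log_err("%s: unsupported hash algorithm %d\n", file, hdr->hash_algo); return -1; }`.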
@@ -528,7 +533,8 @@ int get_hash_algo(const char *algo)
 	int i;
 
 	for (i = 0; i < PKEY_HASH__LAST; i++)
-		if (!strcmp(algo, pkey_hash_algo[i]))
+		if (pkey_hash_algo[i] &&
+		    !strcmp(algo, pkey_hash_algo[i]))
 			return i;
 
 	return PKEY_HASH_SHA1;
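Review bot: The NULL guard is right, but the fallback `return PKEY_HASH_SHA1;` still maps any unrecognised name — including a misspelled streebog variant, or streebog on a build whose table lacks it — silently onto SHA1, so the caller signs or hashes with a different algorithm than requested and no message is printed. Suggest at least logging before the fallback, `log_err("unknown hash algorithm '%s', using sha1\n", algo);`, or returning -1 if the callers (outside this hunk) can be taught to handle it. `algo` itself is also passed to strcmp without a NULL check. The function's closing brace is outside the hunk.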
@@ -901,5 +907,6 @@ int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const c
 static void libinit()
 {
 	OpenSSL_add_all_algorithms();
+	OPENSSL_add_all_algorithms_conf();
 	ERR_load_crypto_strings();
 }
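Review bot: `OPENSSL_add_all_algorithms_conf()` registers all algorithms and additionally loads the OpenSSL config file, so the preceding `OpenSSL_add_all_algorithms()` call is now redundant, and — more importantly for a signing/verification library — the set of available digests and their implementations now depends on an external file whose location can be overridden via the OPENSSL_CONF environment variable. That dependency deserves a comment where it is introduced: `/* also load openssl.cnf so engines configured there (e.g. gost for streebog) are registered; which digests exist now depends on that config */`. libinit is fully within the hunk.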
-- 
2.11.0

