Re: [PATCH ima-evm-utils v2 2/2] Add test for using sign_hash API

[Mimi Zohar <zohar@linux.ibm.com>]

Hi Patrick,

On Mon, 2021-07-05 at 17:49 +0200, Patrick Uiterwijk wrote:
> This adds a test with a small program that calls the sign_hash API, to
> ensure that that codepath works.
> 
> Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

Somehow I missed that running the test without this patch the summary
"SKIP" info matches the "skipped" messages, but running with the patch
there's a discrepancy.

$ ./sign_verify.test &> /tmp/sign_verify.log
$ tail -5  /tmp/sign_verify.log
evmctl ima_sign failed properly with (1) 
  EVP_get_digestbyname(md_gost12_512) failed
  errno: No such file or directory (2)
PASS: 127 SKIP: 20 FAIL: 0

$ grep "skipped" /tmp/sign_verify.log | wc -l
20

$ tail -5  /tmp/sign_verify.log-api
evmctl ima_sign: no detached signature md_gost12_512.txt~.sig

rm: cannot remove 'md_gost12_512.txt~': No such file or directory
PASS: 175 SKIP: 32 FAIL: 0

$ grep "skipped" /tmp/sign_verify.log-api | wc -l
30

> diff --git a/tests/sign_verify.apitest.c b/tests/sign_verify.apitest.c
> new file mode 100644
> index 0000000..3fcd043
> --- /dev/null
> +++ b/tests/sign_verify.apitest.c
> @@ -0,0 +1,55 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * sign_verify.apitest: Test program for verifying sign_hash
> + *
> + * Copyright (C) 2021 Patrick Uiterwijk <patrick@puiterwijk.org>
> + * Copyright (C) 2013,2014 Samsung Electronics
> + * Copyright (C) 2011,2012,2013 Intel Corporation
> + * Copyright (C) 2011 Nokia Corporation
> + */

As this is a new file and test, the copyrights other than your own are
unnecessary.

> +
> +#include <assert.h>
> +#include <stdio.h>
> +#include <string.h>
> +#include <sys/types.h>
> +#include <sys/xattr.h>
> +
> +#include "../src/imaevm.h"
> +#include "../src/utils.h"
> +
> +int main(int argc, char **argv)
> +{
> +	unsigned char hash[MAX_DIGEST_SIZE];
> +	unsigned char sig[MAX_SIGNATURE_SIZE];
> +	int len, err;
> +	char *file = argv[1];
> +	char *key = argv[2];
> +	char *algo = argv[3];
> +	char *digest = argv[4];
> +

How about testing 'argc' before continuing?

> +	len = strlen(digest) / 2;
> +	if (hex2bin(hash, digest, len) != 0) {
> +		fprintf(stderr, "Error during hex2bin\n");
> +		return 1;
> +	}
> +
> +	len = sign_hash(algo, hash, len, key, NULL, sig + 1);
> +	if (len <= 1) {
> +		fprintf(stderr, "Error signing\n");
> +		return 1;
> +	}
> +
> +	/* add header */
> +	len++;
> +	sig[0] = EVM_IMA_XATTR_DIGSIG;
> +
> +	bin2file(file, "sig", sig, len);
> +
> +	err = lsetxattr(file, "user.ima", sig, len, 0);
> +	if (err < 0) {
> +		log_err("setxattr failed: %s\n", file);
> +		return 1;
> +	}
> +
> +	return 0;
> +}


> diff --git a/tests/sign_verify.test b/tests/sign_verify.test
> index 3d7aa51..6f92801 100755
> --- a/tests/sign_verify.test
> +++ b/tests/sign_verify.test

> @@ -125,12 +127,14 @@ _evmctl_sign() {
>  # Run and test {ima_,}sign operation
>  check_sign() {
>    # Arguments are passed via global vars:
> -  # TYPE (ima or evm),
> +  # TYPE (ima, ima_api or evm),

Similarly TYPE should be updated in verify_sign as well.

thanks,

Mimi

>    # KEY,
>    # ALG (hash algo),
>    # PREFIX (signature header prefix in hex),
>    # OPTS (additional options for evmctl),
>    # FILE (working file to sign).
> +  [ "$TYPE" = ima_api ] && [[ "$OPTS" =~ --rsa ]] && return "$SKIP"
> +
>    local "$@"
>    local KEY=${KEY%.*}.key
>    local FILE=${FILE:-$ALG.txt}
> @@ -268,6 +272,20 @@ sign_verify() {
>      # Multiple files and some don't verify
>      expect_fail check_verify FILE="/dev/null $file"
>  
> +    setfattr -x user.ima "$FILE"
> +    rm "$FILE.sig"
> +  fi
> +
> +  TYPE=ima_api
> +  if expect_pass check_sign; then
> +
> +    # Normal verify with proper key should pass
> +    expect_pass check_verify
> +    expect_pass check_verify OPTS="--sigfile"
> +
> +    # Multiple files and some don't verify
> +    expect_fail check_verify FILE="/dev/null $file"
> +
>      rm "$FILE.sig"
>    fi
>