Linux-Integrity Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] ima-evm-utils: Allow EVM verify to determine hash algo
@ 2019-07-29  6:18 Vitaly Chikunov
  2019-07-30 14:20 ` Mimi Zohar
  0 siblings, 1 reply; 2+ messages in thread
From: Vitaly Chikunov @ 2019-07-29  6:18 UTC (permalink / raw)
  To: Mimi Zohar, Dmitry Kasatkin, linux-integrity

Previously for EVM verify you should specify `--hashalgo' option while
for IMA ima_verify you didn't.

Allow EVM verify to determine hash algo from signature.

Also, this makes two previously static functions to become exportable
and renamed:

  get_hash_algo_from_sig -> imaevm_hash_algo_from_sig
  get_hash_algo_by_id    -> imaevm_hash_algo_by_id

This is needed because EVM hash is calculated (in calc_evm_hash) outside
of library.

imaevm_hash_algo_by_id() will now return NULL if algo is not found.

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
 src/evmctl.c    | 18 +++++++++++++-----
 src/imaevm.h    |  2 ++
 src/libimaevm.c | 10 +++++-----
 3 files changed, 20 insertions(+), 10 deletions(-)

diff --git a/src/evmctl.c b/src/evmctl.c
index 0f821e4..e7e5fbf 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -810,14 +810,10 @@ static int verify_evm(const char *file)
 {
 	unsigned char hash[MAX_DIGEST_SIZE];
 	unsigned char sig[MAX_SIGNATURE_SIZE];
+	int sig_hash_algo;
 	int mdlen;
 	int len;
 
-	mdlen = calc_evm_hash(file, hash);
-	if (mdlen <= 1)
-		return mdlen;
-	assert(mdlen <= sizeof(hash));
-
 	len = lgetxattr(file, xattr_evm, sig, sizeof(sig));
 	if (len < 0) {
 		log_err("getxattr failed: %s\n", file);
@@ -829,6 +825,18 @@ static int verify_evm(const char *file)
 		return -1;
 	}
 
+	sig_hash_algo = imaevm_hash_algo_from_sig(sig + 1);
+	if (sig_hash_algo < 0) {
+		log_err("unknown hash algo: %s\n", file);
+		return -1;
+	}
+	imaevm_params.hash_algo = imaevm_hash_algo_by_id(sig_hash_algo);
+
+	mdlen = calc_evm_hash(file, hash);
+	if (mdlen <= 1)
+		return mdlen;
+	assert(mdlen <= sizeof(hash));
+
 	return verify_hash(file, hash, mdlen, sig + 1, len - 1);
 }
 
diff --git a/src/imaevm.h b/src/imaevm.h
index b881d92..30e9730 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -223,5 +223,7 @@ int sign_hash(const char *algo, const unsigned char *hash, int size, const char
 int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen);
 int ima_verify_signature(const char *file, unsigned char *sig, int siglen, unsigned char *digest, int digestlen);
 void init_public_keys(const char *keyfiles);
+int imaevm_hash_algo_from_sig(unsigned char *sig);
+const char *imaevm_hash_algo_by_id(int algo);
 
 #endif
diff --git a/src/libimaevm.c b/src/libimaevm.c
index 4f4b207..c35a47d 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -105,7 +105,7 @@ void imaevm_hexdump(const void *ptr, int len)
 	imaevm_do_hexdump(stdout, ptr, len, true);
 }
 
-static const char *get_hash_algo_by_id(int algo)
+const char *imaevm_hash_algo_by_id(int algo)
 {
 	if (algo < PKEY_HASH__LAST)
 		return pkey_hash_algo[algo];
@@ -113,7 +113,7 @@ static const char *get_hash_algo_by_id(int algo)
 		return hash_algo_name[algo];
 
 	log_err("digest %d not found\n", algo);
-	return "unknown";
+	return NULL;
 }
 
 /* Output all remaining openssl error messages. */
@@ -575,7 +575,7 @@ int imaevm_get_hash_algo(const char *algo)
 	return -1;
 }
 
-static int get_hash_algo_from_sig(unsigned char *sig)
+int imaevm_hash_algo_from_sig(unsigned char *sig)
 {
 	uint8_t hashalgo;
 
@@ -632,13 +632,13 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
 		return -1;
 	}
 
-	sig_hash_algo = get_hash_algo_from_sig(sig + 1);
+	sig_hash_algo = imaevm_hash_algo_from_sig(sig + 1);
 	if (sig_hash_algo < 0) {
 		log_err("Invalid signature\n");
 		return -1;
 	}
 	/* Use hash algorithm as retrieved from signature */
-	imaevm_params.hash_algo = get_hash_algo_by_id(sig_hash_algo);
+	imaevm_params.hash_algo = imaevm_hash_algo_by_id(sig_hash_algo);
 
 	/*
 	 * Validate the signature based on the digest included in the
-- 
2.11.0


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH] ima-evm-utils: Allow EVM verify to determine hash algo
  2019-07-29  6:18 [PATCH] ima-evm-utils: Allow EVM verify to determine hash algo Vitaly Chikunov
@ 2019-07-30 14:20 ` Mimi Zohar
  0 siblings, 0 replies; 2+ messages in thread
From: Mimi Zohar @ 2019-07-30 14:20 UTC (permalink / raw)
  To: Vitaly Chikunov, Dmitry Kasatkin, linux-integrity

On Mon, 2019-07-29 at 09:18 +0300, Vitaly Chikunov wrote:
> Previously for EVM verify you should specify `--hashalgo' option while
> for IMA ima_verify you didn't.
> 
> Allow EVM verify to determine hash algo from signature.

Vitaly, EVM signatures were originally included with an image, but on
first use were replaced with an EVM hmac.  Only once the EVM portable
and immutable signature support was upstreamed, which is relatively
recently, there was a need to support other hash algorithms.

Thank you for taking the time to really clean up ima-evm-utils.  It's
needed some attention for a while now.

> Also, this makes two previously static functions to become exportable
> and renamed:
> 
>   get_hash_algo_from_sig -> imaevm_hash_algo_from_sig
>   get_hash_algo_by_id    -> imaevm_hash_algo_by_id
> 
> This is needed because EVM hash is calculated (in calc_evm_hash) outside
> of library.
> 
> imaevm_hash_algo_by_id() will now return NULL if algo is not found.
> 
> Signed-off-by: Vitaly Chikunov <vt@altlinux.org>

Thanks!

Mimi

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-29  6:18 [PATCH] ima-evm-utils: Allow EVM verify to determine hash algo Vitaly Chikunov
2019-07-30 14:20 ` Mimi Zohar

Linux-Integrity Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-integrity/0 linux-integrity/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-integrity linux-integrity/ https://lore.kernel.org/linux-integrity \
		linux-integrity@vger.kernel.org linux-integrity@archiver.kernel.org
	public-inbox-index linux-integrity


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-integrity


AGPL code for this site: git clone https://public-inbox.org/ public-inbox