* [PATCH] ima-evm-utils: Allow EVM verify to determine hash algo
@ 2019-07-29 6:18 Vitaly Chikunov
2019-07-30 14:20 ` Mimi Zohar
0 siblings, 1 reply; 2+ messages in thread
From: Vitaly Chikunov @ 2019-07-29 6:18 UTC (permalink / raw)
To: Mimi Zohar, Dmitry Kasatkin, linux-integrity
Previously for EVM verify you should specify `--hashalgo' option while
for IMA ima_verify you didn't.
Allow EVM verify to determine hash algo from signature.
Also, this makes two previously static functions to become exportable
and renamed:
get_hash_algo_from_sig -> imaevm_hash_algo_from_sig
get_hash_algo_by_id -> imaevm_hash_algo_by_id
This is needed because EVM hash is calculated (in calc_evm_hash) outside
of library.
imaevm_hash_algo_by_id() will now return NULL if algo is not found.
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
src/evmctl.c | 18 +++++++++++++-----
src/imaevm.h | 2 ++
src/libimaevm.c | 10 +++++-----
3 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index 0f821e4..e7e5fbf 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -810,14 +810,10 @@ static int verify_evm(const char *file)
{
unsigned char hash[MAX_DIGEST_SIZE];
unsigned char sig[MAX_SIGNATURE_SIZE];
+ int sig_hash_algo;
int mdlen;
int len;
- mdlen = calc_evm_hash(file, hash);
- if (mdlen <= 1)
- return mdlen;
- assert(mdlen <= sizeof(hash));
-
len = lgetxattr(file, xattr_evm, sig, sizeof(sig));
if (len < 0) {
log_err("getxattr failed: %s\n", file);
@@ -829,6 +825,18 @@ static int verify_evm(const char *file)
return -1;
}
+ sig_hash_algo = imaevm_hash_algo_from_sig(sig + 1);
+ if (sig_hash_algo < 0) {
+ log_err("unknown hash algo: %s\n", file);
+ return -1;
+ }
+ imaevm_params.hash_algo = imaevm_hash_algo_by_id(sig_hash_algo);
+
+ mdlen = calc_evm_hash(file, hash);
+ if (mdlen <= 1)
+ return mdlen;
+ assert(mdlen <= sizeof(hash));
+
return verify_hash(file, hash, mdlen, sig + 1, len - 1);
}
diff --git a/src/imaevm.h b/src/imaevm.h
index b881d92..30e9730 100644
--- a/src/imaevm.h
+++ b/src/imaevm.h
@@ -223,5 +223,7 @@ int sign_hash(const char *algo, const unsigned char *hash, int size, const char
int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen);
int ima_verify_signature(const char *file, unsigned char *sig, int siglen, unsigned char *digest, int digestlen);
void init_public_keys(const char *keyfiles);
+int imaevm_hash_algo_from_sig(unsigned char *sig);
+const char *imaevm_hash_algo_by_id(int algo);
#endif
diff --git a/src/libimaevm.c b/src/libimaevm.c
index 4f4b207..c35a47d 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -105,7 +105,7 @@ void imaevm_hexdump(const void *ptr, int len)
imaevm_do_hexdump(stdout, ptr, len, true);
}
-static const char *get_hash_algo_by_id(int algo)
+const char *imaevm_hash_algo_by_id(int algo)
{
if (algo < PKEY_HASH__LAST)
return pkey_hash_algo[algo];
@@ -113,7 +113,7 @@ static const char *get_hash_algo_by_id(int algo)
return hash_algo_name[algo];
log_err("digest %d not found\n", algo);
- return "unknown";
+ return NULL;
}
/* Output all remaining openssl error messages. */
@@ -575,7 +575,7 @@ int imaevm_get_hash_algo(const char *algo)
return -1;
}
-static int get_hash_algo_from_sig(unsigned char *sig)
+int imaevm_hash_algo_from_sig(unsigned char *sig)
{
uint8_t hashalgo;
@@ -632,13 +632,13 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
return -1;
}
- sig_hash_algo = get_hash_algo_from_sig(sig + 1);
+ sig_hash_algo = imaevm_hash_algo_from_sig(sig + 1);
if (sig_hash_algo < 0) {
log_err("Invalid signature\n");
return -1;
}
/* Use hash algorithm as retrieved from signature */
- imaevm_params.hash_algo = get_hash_algo_by_id(sig_hash_algo);
+ imaevm_params.hash_algo = imaevm_hash_algo_by_id(sig_hash_algo);
/*
* Validate the signature based on the digest included in the
--
2.11.0
^ permalink raw reply related [flat|nested] 2+ messages in thread* Re: [PATCH] ima-evm-utils: Allow EVM verify to determine hash algo
2019-07-29 6:18 [PATCH] ima-evm-utils: Allow EVM verify to determine hash algo Vitaly Chikunov
@ 2019-07-30 14:20 ` Mimi Zohar
0 siblings, 0 replies; 2+ messages in thread
From: Mimi Zohar @ 2019-07-30 14:20 UTC (permalink / raw)
To: Vitaly Chikunov, Dmitry Kasatkin, linux-integrity
On Mon, 2019-07-29 at 09:18 +0300, Vitaly Chikunov wrote:
> Previously for EVM verify you should specify `--hashalgo' option while
> for IMA ima_verify you didn't.
>
> Allow EVM verify to determine hash algo from signature.
Vitaly, EVM signatures were originally included with an image, but on
first use were replaced with an EVM hmac. Only once the EVM portable
and immutable signature support was upstreamed, which is relatively
recently, there was a need to support other hash algorithms.
Thank you for taking the time to really clean up ima-evm-utils. It's
needed some attention for a while now.
> Also, this makes two previously static functions to become exportable
> and renamed:
>
> get_hash_algo_from_sig -> imaevm_hash_algo_from_sig
> get_hash_algo_by_id -> imaevm_hash_algo_by_id
>
> This is needed because EVM hash is calculated (in calc_evm_hash) outside
> of library.
>
> imaevm_hash_algo_by_id() will now return NULL if algo is not found.
>
> Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Thanks!
Mimi
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-07-30 14:20 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-07-29 6:18 [PATCH] ima-evm-utils: Allow EVM verify to determine hash algo Vitaly Chikunov
2019-07-30 14:20 ` Mimi Zohar
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).