linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Mimi Zohar <zohar@linux.ibm.com>
To: Patrick Uiterwijk <patrick@puiterwijk.org>,
	linux-integrity@vger.kernel.org
Cc: pbrobinson@redhat.com, Vitaly Chikunov <vt@altlinux.org>
Subject: Re: [PATCH ima-evm-utils v2 2/2] Add test for using sign_hash API
Date: Tue, 06 Jul 2021 11:53:09 -0400	[thread overview]
Message-ID: <2c6df7edf61d2e694a2bbba964c5a2ae81b2b3be.camel@linux.ibm.com> (raw)
In-Reply-To: <20210705154950.497359-3-patrick@puiterwijk.org>

Hi Patrick,

On Mon, 2021-07-05 at 17:49 +0200, Patrick Uiterwijk wrote:
> This adds a test with a small program that calls the sign_hash API, to
> ensure that that codepath works.
> 
> Signed-off-by: Patrick Uiterwijk <patrick@puiterwijk.org>
> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

Somehow I missed that running the test without this patch the summary
"SKIP" info matches the "skipped" messages, but running with the patch
there's a discrepancy.

$ ./sign_verify.test &> /tmp/sign_verify.log
$ tail -5  /tmp/sign_verify.log
evmctl ima_sign failed properly with (1) 
  EVP_get_digestbyname(md_gost12_512) failed
  errno: No such file or directory (2)
PASS: 127 SKIP: 20 FAIL: 0

$ grep "skipped" /tmp/sign_verify.log | wc -l
20

$ tail -5  /tmp/sign_verify.log-api
evmctl ima_sign: no detached signature md_gost12_512.txt~.sig

rm: cannot remove 'md_gost12_512.txt~': No such file or directory
PASS: 175 SKIP: 32 FAIL: 0

$ grep "skipped" /tmp/sign_verify.log-api | wc -l
30

> diff --git a/tests/sign_verify.apitest.c b/tests/sign_verify.apitest.c
> new file mode 100644
> index 0000000..3fcd043
> --- /dev/null
> +++ b/tests/sign_verify.apitest.c
> @@ -0,0 +1,55 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * sign_verify.apitest: Test program for verifying sign_hash
> + *
> + * Copyright (C) 2021 Patrick Uiterwijk <patrick@puiterwijk.org>
> + * Copyright (C) 2013,2014 Samsung Electronics
> + * Copyright (C) 2011,2012,2013 Intel Corporation
> + * Copyright (C) 2011 Nokia Corporation
> + */

As this is a new file and test, the copyrights other than your own are
unnecessary.

> +
> +#include <assert.h>
> +#include <stdio.h>
> +#include <string.h>
> +#include <sys/types.h>
> +#include <sys/xattr.h>
> +
> +#include "../src/imaevm.h"
> +#include "../src/utils.h"
> +
> +int main(int argc, char **argv)
> +{
> +	unsigned char hash[MAX_DIGEST_SIZE];
> +	unsigned char sig[MAX_SIGNATURE_SIZE];
> +	int len, err;
> +	char *file = argv[1];
> +	char *key = argv[2];
> +	char *algo = argv[3];
> +	char *digest = argv[4];
> +

How about testing 'argc' before continuing?

> +	len = strlen(digest) / 2;
> +	if (hex2bin(hash, digest, len) != 0) {
> +		fprintf(stderr, "Error during hex2bin\n");
> +		return 1;
> +	}
> +
> +	len = sign_hash(algo, hash, len, key, NULL, sig + 1);
> +	if (len <= 1) {
> +		fprintf(stderr, "Error signing\n");
> +		return 1;
> +	}
> +
> +	/* add header */
> +	len++;
> +	sig[0] = EVM_IMA_XATTR_DIGSIG;
> +
> +	bin2file(file, "sig", sig, len);
> +
> +	err = lsetxattr(file, "user.ima", sig, len, 0);
> +	if (err < 0) {
> +		log_err("setxattr failed: %s\n", file);
> +		return 1;
> +	}
> +
> +	return 0;
> +}


> diff --git a/tests/sign_verify.test b/tests/sign_verify.test
> index 3d7aa51..6f92801 100755
> --- a/tests/sign_verify.test
> +++ b/tests/sign_verify.test

> @@ -125,12 +127,14 @@ _evmctl_sign() {
>  # Run and test {ima_,}sign operation
>  check_sign() {
>    # Arguments are passed via global vars:
> -  # TYPE (ima or evm),
> +  # TYPE (ima, ima_api or evm),

Similarly TYPE should be updated in verify_sign as well.

thanks,

Mimi

>    # KEY,
>    # ALG (hash algo),
>    # PREFIX (signature header prefix in hex),
>    # OPTS (additional options for evmctl),
>    # FILE (working file to sign).
> +  [ "$TYPE" = ima_api ] && [[ "$OPTS" =~ --rsa ]] && return "$SKIP"
> +
>    local "$@"
>    local KEY=${KEY%.*}.key
>    local FILE=${FILE:-$ALG.txt}
> @@ -268,6 +272,20 @@ sign_verify() {
>      # Multiple files and some don't verify
>      expect_fail check_verify FILE="/dev/null $file"
>  
> +    setfattr -x user.ima "$FILE"
> +    rm "$FILE.sig"
> +  fi
> +
> +  TYPE=ima_api
> +  if expect_pass check_sign; then
> +
> +    # Normal verify with proper key should pass
> +    expect_pass check_verify
> +    expect_pass check_verify OPTS="--sigfile"
> +
> +    # Multiple files and some don't verify
> +    expect_fail check_verify FILE="/dev/null $file"
> +
>      rm "$FILE.sig"
>    fi
>  


      reply	other threads:[~2021-07-06 15:53 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-01-06  9:43 [PATCH 0/2] ima-evm-utils: Fix use of sign_hash via API Patrick Uiterwijk
2021-01-06  9:43 ` [PATCH 1/2] Fix sign_hash not observing the hashalgo argument Patrick Uiterwijk
2021-01-07 12:24   ` Mimi Zohar
2021-01-07 13:08     ` Vitaly Chikunov
2021-01-07 13:15       ` Vitaly Chikunov
2021-01-07 14:55         ` Mimi Zohar
2021-01-07 15:13         ` Patrick Uiterwijk
2021-01-06  9:43 ` [PATCH 2/2] Add test for using sign_hash API Patrick Uiterwijk
2021-01-07 12:25   ` Mimi Zohar
2021-01-07 12:53     ` Vitaly Chikunov
2021-01-07 15:08       ` Patrick Uiterwijk
2021-07-05 15:49 ` [PATCH ima-evm-utils v2 0/2] Fix use of sign_hash via API Patrick Uiterwijk
2021-07-05 15:49   ` [PATCH ima-evm-utils v2 1/2] Fix sign_hash not observing the hashalgo argument Patrick Uiterwijk
2021-07-05 15:49   ` [PATCH ima-evm-utils v2 2/2] Add test for using sign_hash API Patrick Uiterwijk
2021-07-06 15:53     ` Mimi Zohar [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=2c6df7edf61d2e694a2bbba964c5a2ae81b2b3be.camel@linux.ibm.com \
    --to=zohar@linux.ibm.com \
    --cc=linux-integrity@vger.kernel.org \
    --cc=patrick@puiterwijk.org \
    --cc=pbrobinson@redhat.com \
    --cc=vt@altlinux.org \
    --subject='Re: [PATCH ima-evm-utils v2 2/2] Add test for using sign_hash API' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).