From: Mimi Zohar <zohar@linux.ibm.com>
To: Vitaly Chikunov <vt@altlinux.org>,
Mimi Zohar <zohar@linux.vnet.ibm.com>,
Dmitry Kasatkin <dmitry.kasatkin@gmail.com>,
linux-integrity@vger.kernel.org
Subject: Re: [PATCH v3 7/7] ima-evm-utils: Try to load digest by its alias
Date: Mon, 11 Feb 2019 12:38:58 -0500 [thread overview]
Message-ID: <1549906738.12743.167.camel@linux.ibm.com> (raw)
In-Reply-To: <20181203033525.20431-7-vt@altlinux.org>
Hi Vitaly,
On Mon, 2018-12-03 at 06:35 +0300, Vitaly Chikunov wrote:
> For compatibility with older OpenSSL try to load digest by its alias if
> load by its proper name is failed.
>
> This is configured in pkey_hash_algo by mentioning loadable alias first in the
> comma separated list of algo names.
After this patch, I can not verify the signature. It's failing to
find the hash algorithm.
evmctl ima_sign -k <private key> -p -a streebog256 ./foo.txt --xattr-user
evmctl ima_verify -k <public key> ./foo.txt --xattr-user
Mimi
>
> Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
> ---
> Changes since v1:
> - New patch.
> Changes since v2:
> - No changes.
>
> src/imaevm.h | 1 +
> src/libimaevm.c | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++----
> 2 files changed, 52 insertions(+), 4 deletions(-)
>
> diff --git a/src/imaevm.h b/src/imaevm.h
> index c81bf21..795966a 100644
> --- a/src/imaevm.h
> +++ b/src/imaevm.h
> @@ -75,6 +75,7 @@
> #define DATA_SIZE 4096
> #define SHA1_HASH_LEN 20
>
> +#define MAX_DIGEST_NAME 32
> #define MAX_DIGEST_SIZE 64
> #define MAX_SIGNATURE_SIZE 1024
>
> diff --git a/src/libimaevm.c b/src/libimaevm.c
> index cb4721b..7501303 100644
> --- a/src/libimaevm.c
> +++ b/src/libimaevm.c
> @@ -41,6 +41,7 @@
> /* should we use logger instead for library? */
> #define USE_FPRINTF
>
> +#define _GNU_SOURCE
> #include <sys/types.h>
> #include <sys/param.h>
> #include <sys/stat.h>
> @@ -56,6 +57,7 @@
> #include <openssl/pem.h>
> #include <openssl/evp.h>
> #include <openssl/x509.h>
> +#include <openssl/engine.h>
> #include <openssl/err.h>
>
> #include "imaevm.h"
> @@ -70,8 +72,8 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
> [PKEY_HASH_SHA384] = "sha384",
> [PKEY_HASH_SHA512] = "sha512",
> [PKEY_HASH_SHA224] = "sha224",
> - [PKEY_HASH_STREEBOG_256] = "streebog256",
> - [PKEY_HASH_STREEBOG_512] = "streebog512",
> + [PKEY_HASH_STREEBOG_256] = "md_gost12_256,streebog256",
> + [PKEY_HASH_STREEBOG_512] = "md_gost12_512,streebog512",
> };
>
> /*
> @@ -284,6 +286,35 @@ static int add_dev_hash(struct stat *st, EVP_MD_CTX *ctx)
> return !EVP_DigestUpdate(ctx, &dev, sizeof(dev));
> }
>
> +/* Call EVP_get_digestbyname with provided name and with alias,
> + * which is first name in the comma separated list of names
> + * in pkey_hash_algo.
> + */
> +static const EVP_MD *get_digestbyname(const char *name)
> +{
> + const EVP_MD *md;
> +
> + md = EVP_get_digestbyname(params.hash_algo);
> + if (!md) {
> + char alias[MAX_DIGEST_NAME];
> + int len;
> + int algo_id;
> + const char *algo_alias;
> +
> + /* try to get algo by its alias */
> + algo_id = get_hash_algo(params.hash_algo);
> + algo_alias = get_hash_algo_by_id(algo_id);
> + len = strchrnul(algo_alias, ',') - algo_alias;
> + if (len < sizeof(alias)) {
> + memcpy(alias, algo_alias, len);
> + alias[len] = '\0';
> + if (strcmp(params.hash_algo, alias))
> + md = EVP_get_digestbyname(alias);
> + }
> + }
> + return md;
> +}
> +
> int ima_calc_hash(const char *file, uint8_t *hash)
> {
> const EVP_MD *md;
> @@ -305,7 +336,7 @@ int ima_calc_hash(const char *file, uint8_t *hash)
> return err;
> }
>
> - md = EVP_get_digestbyname(params.hash_algo);
> + md = get_digestbyname(params.hash_algo);
> if (!md) {
> log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo);
> return 1;
> @@ -561,6 +592,22 @@ static int algocmp(const char *a, const char *b)
> return *a || *b;
> }
>
> +static int strmatch(const char *needle, const char *haystack)
> +{
> + int len = strlen(needle);
> + const char *p = haystack;
> + const char *t;
> +
> + for (t = strchrnul(p, ','); *p; p = t, t = strchrnul(p, ',')) {
> + if (t - p == len &&
> + !strncmp(needle, p, len))
> + return 0;
> + if (!*t++)
> + break;
> + }
> + return 1;
> +}
> +
> int get_hash_algo(const char *algo)
> {
> int i;
> @@ -568,7 +615,7 @@ int get_hash_algo(const char *algo)
> /* first iterate over builtin algorithms */
> for (i = 0; i < PKEY_HASH__LAST; i++)
> if (pkey_hash_algo[i] &&
> - !strcmp(algo, pkey_hash_algo[i]))
> + !strmatch(algo, pkey_hash_algo[i]))
> return i;
>
> /* iterate over algorithms provided by kernel-headers */
next prev parent reply other threads:[~2019-02-11 17:39 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-03 3:35 [PATCH v3 1/7] ima-evm-utils: Fix hash buffer overflow in verify_evm and hmac_evm Vitaly Chikunov
2018-12-03 3:35 ` [PATCH v3 2/7] ima-evm-utils: Define hash and sig buffer sizes and add asserts Vitaly Chikunov
2018-12-03 3:35 ` [PATCH v3 3/7] ima-evm-utils: Define the '--xattr-user' option for testing Vitaly Chikunov
2018-12-03 3:35 ` [PATCH v3 4/7] ima-evm-utils: Allow using Streebog hash function Vitaly Chikunov
2018-12-03 3:35 ` [PATCH v3 5/7] ima-evm-utils: Preload OpenSSL engine via '--engine' option Vitaly Chikunov
2018-12-03 3:35 ` [PATCH v3 6/7] ima-evm-utils: Extract digest algorithms from hash_info.h Vitaly Chikunov
2018-12-03 3:35 ` [PATCH v3 7/7] ima-evm-utils: Try to load digest by its alias Vitaly Chikunov
2019-02-11 17:38 ` Mimi Zohar [this message]
2019-02-11 17:52 ` Vitaly Chikunov
2019-02-11 17:59 ` Mimi Zohar
2019-02-11 18:13 ` Vitaly Chikunov
2019-02-11 18:21 ` Vitaly Chikunov
2019-02-11 19:26 ` Vitaly Chikunov
2019-02-11 20:21 ` Mimi Zohar
2019-02-11 20:37 ` Vitaly Chikunov
2019-02-12 15:41 ` Mimi Zohar
2019-02-12 17:07 ` Vitaly Chikunov
2018-12-03 13:03 ` [PATCH v3 1/7] ima-evm-utils: Fix hash buffer overflow in verify_evm and hmac_evm Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1549906738.12743.167.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=dmitry.kasatkin@gmail.com \
--cc=linux-integrity@vger.kernel.org \
--cc=vt@altlinux.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).