* [PATCH 1/2] ima_evm_utils: erroneous "verification failed: 0 (invalid padding)" message @ 2019-07-16 14:30 Mimi Zohar 2019-07-16 14:30 ` [PATCH 2/2] ima_evm_utils: limit duplicate "Failed to open keyfile" messages Mimi Zohar 2019-07-16 21:37 ` [PATCH 1/2] ima_evm_utils: erroneous "verification failed: 0 (invalid padding)" message Vitaly Chikunov 0 siblings, 2 replies; 7+ messages in thread From: Mimi Zohar @ 2019-07-16 14:30 UTC (permalink / raw) To: linux-integrity; +Cc: Mimi Zohar When keys are not provided, the default key is used to verify the file signature, resulting in this erroneous message. Before using the default key to verify the file signature, verify the keyid is correct. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> --- src/libimaevm.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/src/libimaevm.c b/src/libimaevm.c index ae487f9fe36c..472ab53c7b42 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -302,6 +302,9 @@ EVP_PKEY *read_pub_pkey(const char *keyfile, int x509) X509 *crt = NULL; EVP_PKEY *pkey = NULL; + if (!keyfile) + return NULL; + fp = fopen(keyfile, "r"); if (!fp) { log_err("Failed to open keyfile: %s\n", keyfile); @@ -569,27 +572,25 @@ static int get_hash_algo_from_sig(unsigned char *sig) int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig, int siglen) { - const char *key; - int x509; + const char *key = NULL; verify_hash_fn_t verify_hash; /* Get signature type from sig header */ if (sig[0] == DIGSIG_VERSION_1) { verify_hash = verify_hash_v1; + /* Read pubkey from RSA key */ - x509 = 0; + if (!params.keyfile) + key = "/etc/keys/pubkey_evm.pem"; } else if (sig[0] == DIGSIG_VERSION_2) { verify_hash = verify_hash_v2; + /* Read pubkey from x509 cert */ - x509 = 1; + if (!params.keyfile) + init_public_keys("/etc/keys/x509_evm.der"); } else return -1; - /* Determine what key to use for verification*/ - key = params.keyfile ? : x509 ? - "/etc/keys/x509_evm.der" : - "/etc/keys/pubkey_evm.pem"; - return verify_hash(file, hash, size, sig, siglen, key); } -- 2.7.5 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH 2/2] ima_evm_utils: limit duplicate "Failed to open keyfile" messages 2019-07-16 14:30 [PATCH 1/2] ima_evm_utils: erroneous "verification failed: 0 (invalid padding)" message Mimi Zohar @ 2019-07-16 14:30 ` Mimi Zohar 2019-07-16 21:49 ` Vitaly Chikunov 2019-07-16 21:37 ` [PATCH 1/2] ima_evm_utils: erroneous "verification failed: 0 (invalid padding)" message Vitaly Chikunov 1 sibling, 1 reply; 7+ messages in thread From: Mimi Zohar @ 2019-07-16 14:30 UTC (permalink / raw) To: linux-integrity; +Cc: Mimi Zohar Unlike the user provided list of public keys, we don't know which default public key file to use until verify_hash(). As a result, the "Failed to open keyfile" message may be repeated multiple times. Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> --- src/libimaevm.c | 33 ++++++++++++++++++++++++++++++++- 1 file changed, 32 insertions(+), 1 deletion(-) diff --git a/src/libimaevm.c b/src/libimaevm.c index 472ab53c7b42..793643331f4b 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -296,18 +296,49 @@ err: return err; } +/* + * Keep track of missing keyfile names. + * + * Return 1 for found, return 0 for not found. + */ +static int lookup_keyfile_name(const char *keyfile_name) +{ + struct keyfile_name_entry { + struct keyfile_name_entry *next; + char name[]; + } *entry; + static struct keyfile_name_entry *keyfile_names = NULL; + + for (entry = keyfile_names; entry != NULL; entry = entry->next) { + if (strcmp(entry->name, keyfile_name) == 0) + return 1; + } + + entry = malloc(sizeof(struct keyfile_name_entry) + + strlen(keyfile_name) + 1); + if (entry) { + strcpy(entry->name, keyfile_name); + entry->next = keyfile_names; + keyfile_names = entry; + } + return 0; +} + EVP_PKEY *read_pub_pkey(const char *keyfile, int x509) { FILE *fp; X509 *crt = NULL; EVP_PKEY *pkey = NULL; + int found; if (!keyfile) return NULL; fp = fopen(keyfile, "r"); if (!fp) { - log_err("Failed to open keyfile: %s\n", keyfile); + found = lookup_keyfile_name(keyfile); + if (!found) + log_err("Failed to open keyfile: %s\n", keyfile); return NULL; } -- 2.7.5 ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH 2/2] ima_evm_utils: limit duplicate "Failed to open keyfile" messages 2019-07-16 14:30 ` [PATCH 2/2] ima_evm_utils: limit duplicate "Failed to open keyfile" messages Mimi Zohar @ 2019-07-16 21:49 ` Vitaly Chikunov 2019-07-16 22:13 ` Mimi Zohar 2019-07-17 13:23 ` Mimi Zohar 0 siblings, 2 replies; 7+ messages in thread From: Vitaly Chikunov @ 2019-07-16 21:49 UTC (permalink / raw) To: Mimi Zohar; +Cc: linux-integrity Mimi, On Tue, Jul 16, 2019 at 10:30:17AM -0400, Mimi Zohar wrote: > Unlike the user provided list of public keys, we don't know which > default public key file to use until verify_hash(). As a result, the > "Failed to open keyfile" message may be repeated multiple times. > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > --- > src/libimaevm.c | 33 ++++++++++++++++++++++++++++++++- > 1 file changed, 32 insertions(+), 1 deletion(-) > > diff --git a/src/libimaevm.c b/src/libimaevm.c > index 472ab53c7b42..793643331f4b 100644 > --- a/src/libimaevm.c > +++ b/src/libimaevm.c > @@ -296,18 +296,49 @@ err: > return err; > } > > +/* > + * Keep track of missing keyfile names. > + * > + * Return 1 for found, return 0 for not found. > + */ > +static int lookup_keyfile_name(const char *keyfile_name) > +{ > + struct keyfile_name_entry { > + struct keyfile_name_entry *next; > + char name[]; > + } *entry; > + static struct keyfile_name_entry *keyfile_names = NULL; > + > + for (entry = keyfile_names; entry != NULL; entry = entry->next) { > + if (strcmp(entry->name, keyfile_name) == 0) > + return 1; > + } > + > + entry = malloc(sizeof(struct keyfile_name_entry) + > + strlen(keyfile_name) + 1); > + if (entry) { > + strcpy(entry->name, keyfile_name); > + entry->next = keyfile_names; > + keyfile_names = entry; > + } > + return 0; > +} > + > EVP_PKEY *read_pub_pkey(const char *keyfile, int x509) > { > FILE *fp; > X509 *crt = NULL; > EVP_PKEY *pkey = NULL; > + int found; > > if (!keyfile) > return NULL; > > fp = fopen(keyfile, "r"); > if (!fp) { > - log_err("Failed to open keyfile: %s\n", keyfile); > + found = lookup_keyfile_name(keyfile); > + if (!found) > + log_err("Failed to open keyfile: %s\n", keyfile); > return NULL; Now filename list is decoupled from keys themselves. Also we have key list creation in init_public_keys(). Maybe we should just always call init_public_keys for verify operations? Thanks, > } > > -- > 2.7.5 ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 2/2] ima_evm_utils: limit duplicate "Failed to open keyfile" messages 2019-07-16 21:49 ` Vitaly Chikunov @ 2019-07-16 22:13 ` Mimi Zohar 2019-07-17 13:23 ` Mimi Zohar 1 sibling, 0 replies; 7+ messages in thread From: Mimi Zohar @ 2019-07-16 22:13 UTC (permalink / raw) To: Vitaly Chikunov; +Cc: linux-integrity On Wed, 2019-07-17 at 00:49 +0300, Vitaly Chikunov wrote: > Mimi, > > On Tue, Jul 16, 2019 at 10:30:17AM -0400, Mimi Zohar wrote: > > Unlike the user provided list of public keys, we don't know which > > default public key file to use until verify_hash(). As a result, the > > "Failed to open keyfile" message may be repeated multiple times. > > > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > > --- > > src/libimaevm.c | 33 ++++++++++++++++++++++++++++++++- > > 1 file changed, 32 insertions(+), 1 deletion(-) > > > > diff --git a/src/libimaevm.c b/src/libimaevm.c > > index 472ab53c7b42..793643331f4b 100644 > > --- a/src/libimaevm.c > > +++ b/src/libimaevm.c > > @@ -296,18 +296,49 @@ err: > > return err; > > } > > > > +/* > > + * Keep track of missing keyfile names. > > + * > > + * Return 1 for found, return 0 for not found. > > + */ > > +static int lookup_keyfile_name(const char *keyfile_name) > > +{ > > + struct keyfile_name_entry { > > + struct keyfile_name_entry *next; > > + char name[]; > > + } *entry; > > + static struct keyfile_name_entry *keyfile_names = NULL; > > + > > + for (entry = keyfile_names; entry != NULL; entry = entry->next) { > > + if (strcmp(entry->name, keyfile_name) == 0) > > + return 1; > > + } > > + > > + entry = malloc(sizeof(struct keyfile_name_entry) + > > + strlen(keyfile_name) + 1); > > + if (entry) { > > + strcpy(entry->name, keyfile_name); > > + entry->next = keyfile_names; > > + keyfile_names = entry; > > + } > > + return 0; > > +} > > + > > EVP_PKEY *read_pub_pkey(const char *keyfile, int x509) > > { > > FILE *fp; > > X509 *crt = NULL; > > EVP_PKEY *pkey = NULL; > > + int found; > > > > if (!keyfile) > > return NULL; > > > > fp = fopen(keyfile, "r"); > > if (!fp) { > > - log_err("Failed to open keyfile: %s\n", keyfile); > > + found = lookup_keyfile_name(keyfile); > > + if (!found) > > + log_err("Failed to open keyfile: %s\n", keyfile); > > return NULL; > > > Now filename list is decoupled from keys themselves. Also we have key > list creation in init_public_keys(). Maybe we should just always call > init_public_keys for verify operations? Initially, I tried that. The code snippet, below, would be called once. The problem is that only during verify_hash() do we know which default public key file to use. if (params.keyfile) params.keyfile = <default key file> init_public_keys(params.keyfile); Mimi > > Thanks, > > > } > > > > -- > > 2.7.5 > ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 2/2] ima_evm_utils: limit duplicate "Failed to open keyfile" messages 2019-07-16 21:49 ` Vitaly Chikunov 2019-07-16 22:13 ` Mimi Zohar @ 2019-07-17 13:23 ` Mimi Zohar 1 sibling, 0 replies; 7+ messages in thread From: Mimi Zohar @ 2019-07-17 13:23 UTC (permalink / raw) To: Vitaly Chikunov; +Cc: linux-integrity Vitaly, On Wed, 2019-07-17 at 00:49 +0300, Vitaly Chikunov wrote: > > EVP_PKEY *read_pub_pkey(const char *keyfile, int x509) > > { > > FILE *fp; > > X509 *crt = NULL; > > EVP_PKEY *pkey = NULL; > > + int found; > > > > if (!keyfile) > > return NULL; > > > > fp = fopen(keyfile, "r"); > > if (!fp) { > > - log_err("Failed to open keyfile: %s\n", keyfile); > > + found = lookup_keyfile_name(keyfile); > > + if (!found) > > + log_err("Failed to open keyfile: %s\n", keyfile); > > return NULL; > > > Now filename list is decoupled from keys themselves. Also we have key > list creation in init_public_keys(). Maybe we should just always call > init_public_keys for verify operations? With v2 of "ima_evm_utils: erroneous "verification failed: 0 (invalid padding)" message", I was able to drop this patch. Mimi ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/2] ima_evm_utils: erroneous "verification failed: 0 (invalid padding)" message 2019-07-16 14:30 [PATCH 1/2] ima_evm_utils: erroneous "verification failed: 0 (invalid padding)" message Mimi Zohar 2019-07-16 14:30 ` [PATCH 2/2] ima_evm_utils: limit duplicate "Failed to open keyfile" messages Mimi Zohar @ 2019-07-16 21:37 ` Vitaly Chikunov 2019-07-16 21:55 ` Mimi Zohar 1 sibling, 1 reply; 7+ messages in thread From: Vitaly Chikunov @ 2019-07-16 21:37 UTC (permalink / raw) To: Mimi Zohar; +Cc: linux-integrity Mimi, On Tue, Jul 16, 2019 at 10:30:16AM -0400, Mimi Zohar wrote: > When keys are not provided, the default key is used to verify the file > signature, resulting in this erroneous message. Before using the default > key to verify the file signature, verify the keyid is correct. 1. What is default key when keys are not provided? 2. I don't see keyid verification in the patch. 3. Now we have so complicated keyfile handling. > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > --- > src/libimaevm.c | 19 ++++++++++--------- > 1 file changed, 10 insertions(+), 9 deletions(-) > > diff --git a/src/libimaevm.c b/src/libimaevm.c > index ae487f9fe36c..472ab53c7b42 100644 > --- a/src/libimaevm.c > +++ b/src/libimaevm.c > @@ -302,6 +302,9 @@ EVP_PKEY *read_pub_pkey(const char *keyfile, int x509) > X509 *crt = NULL; > EVP_PKEY *pkey = NULL; > > + if (!keyfile) > + return NULL; > + > fp = fopen(keyfile, "r"); > if (!fp) { > log_err("Failed to open keyfile: %s\n", keyfile); > @@ -569,27 +572,25 @@ static int get_hash_algo_from_sig(unsigned char *sig) > int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig, > int siglen) > { > - const char *key; > - int x509; > + const char *key = NULL; > verify_hash_fn_t verify_hash; > > /* Get signature type from sig header */ > if (sig[0] == DIGSIG_VERSION_1) { > verify_hash = verify_hash_v1; > + > /* Read pubkey from RSA key */ > - x509 = 0; > + if (!params.keyfile) > + key = "/etc/keys/pubkey_evm.pem"; > } else if (sig[0] == DIGSIG_VERSION_2) { > verify_hash = verify_hash_v2; > + > /* Read pubkey from x509 cert */ > - x509 = 1; > + if (!params.keyfile) > + init_public_keys("/etc/keys/x509_evm.der"); Also, in "ima-evm-utils: Preload public keys for ima_verify" I call init_public_keys in cmd_verify_ima() which calls this verify_hash(). So there will be double calling of init_public_keys(). ps. Btw, I think we should remove this verify_hash_fn_t indirect call trick and replace it with two normal calls in each if branch. verify_hash() calling verify_hash() obscures cscope, and with direct calls it will be easier to parse. I may send patch for this. Thanks, > } else > return -1; > > - /* Determine what key to use for verification*/ > - key = params.keyfile ? : x509 ? > - "/etc/keys/x509_evm.der" : > - "/etc/keys/pubkey_evm.pem"; > - > return verify_hash(file, hash, size, sig, siglen, key); > } > > -- > 2.7.5 ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH 1/2] ima_evm_utils: erroneous "verification failed: 0 (invalid padding)" message 2019-07-16 21:37 ` [PATCH 1/2] ima_evm_utils: erroneous "verification failed: 0 (invalid padding)" message Vitaly Chikunov @ 2019-07-16 21:55 ` Mimi Zohar 0 siblings, 0 replies; 7+ messages in thread From: Mimi Zohar @ 2019-07-16 21:55 UTC (permalink / raw) To: Vitaly Chikunov; +Cc: linux-integrity On Wed, 2019-07-17 at 00:37 +0300, Vitaly Chikunov wrote: > Mimi, > > On Tue, Jul 16, 2019 at 10:30:16AM -0400, Mimi Zohar wrote: > > When keys are not provided, the default key is used to verify the file > > signature, resulting in this erroneous message. Before using the default > > key to verify the file signature, verify the keyid is correct. > > 1. What is default key when keys are not provided? The defaults was either "/etc/keys/x509_evm.der" for DIGSIG_VERSION_1 or "/etc/keys/pubkey_evm.pem" for DIGSIG_VERSION_2. > 2. I don't see keyid verification in the patch. Since no keys were provided, this patch loads the default key onto the list of public_keys. The normal find_keyid() is then called. > 3. Now we have so complicated keyfile handling. It would definitely be simpler to remove support for these default keys, but I'm hesitant to remove it. > > > > > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > > --- > > src/libimaevm.c | 19 ++++++++++--------- > > 1 file changed, 10 insertions(+), 9 deletions(-) > > > > diff --git a/src/libimaevm.c b/src/libimaevm.c > > index ae487f9fe36c..472ab53c7b42 100644 > > --- a/src/libimaevm.c > > +++ b/src/libimaevm.c > > @@ -302,6 +302,9 @@ EVP_PKEY *read_pub_pkey(const char *keyfile, int x509) > > X509 *crt = NULL; > > EVP_PKEY *pkey = NULL; > > > > + if (!keyfile) > > + return NULL; > > + > > fp = fopen(keyfile, "r"); > > if (!fp) { > > log_err("Failed to open keyfile: %s\n", keyfile); > > @@ -569,27 +572,25 @@ static int get_hash_algo_from_sig(unsigned char *sig) > > int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig, > > int siglen) > > { > > - const char *key; > > - int x509; > > + const char *key = NULL; > > verify_hash_fn_t verify_hash; > > > > /* Get signature type from sig header */ > > if (sig[0] == DIGSIG_VERSION_1) { > > verify_hash = verify_hash_v1; > > + > > /* Read pubkey from RSA key */ > > - x509 = 0; > > + if (!params.keyfile) > > + key = "/etc/keys/pubkey_evm.pem"; > > } else if (sig[0] == DIGSIG_VERSION_2) { > > verify_hash = verify_hash_v2; > > + > > /* Read pubkey from x509 cert */ > > - x509 = 1; > > + if (!params.keyfile) > > + init_public_keys("/etc/keys/x509_evm.der"); > > Also, in "ima-evm-utils: Preload public keys for ima_verify" I call > init_public_keys in cmd_verify_ima() which calls this verify_hash(). > > So there will be double calling of init_public_keys(). init_public_keys() will only be called once, either there or here. It depends on whether params.keyfile is defined or not. > > ps. Btw, I think we should remove this verify_hash_fn_t indirect call > trick and replace it with two normal calls in each if branch. > > verify_hash() calling verify_hash() obscures cscope, and with direct > calls it will be easier to parse. I may send patch for this. > > Thanks, Agreed, every time I come back to this code it takes me a few minutes to remember. Mimi > > > > } else > > return -1; > > > > - /* Determine what key to use for verification*/ > > - key = params.keyfile ? : x509 ? > > - "/etc/keys/x509_evm.der" : > > - "/etc/keys/pubkey_evm.pem"; > > - > > return verify_hash(file, hash, size, sig, siglen, key); > > } > > > > -- > > 2.7.5 ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2019-07-17 13:23 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2019-07-16 14:30 [PATCH 1/2] ima_evm_utils: erroneous "verification failed: 0 (invalid padding)" message Mimi Zohar 2019-07-16 14:30 ` [PATCH 2/2] ima_evm_utils: limit duplicate "Failed to open keyfile" messages Mimi Zohar 2019-07-16 21:49 ` Vitaly Chikunov 2019-07-16 22:13 ` Mimi Zohar 2019-07-17 13:23 ` Mimi Zohar 2019-07-16 21:37 ` [PATCH 1/2] ima_evm_utils: erroneous "verification failed: 0 (invalid padding)" message Vitaly Chikunov 2019-07-16 21:55 ` Mimi Zohar
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).