From: Mimi Zohar <zohar@linux.ibm.com>
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar <zohar@linux.ibm.com>, Petr Vorel <pvorel@suse.cz>,
Vitaly Chikunov <vt@altlinux.org>,
Stefan Berger <stefanb@linux.ibm.com>
Subject: [PATCH ima-evm-utils v3 05/15] Replace the low level HMAC calls when calculating the EVM HMAC
Date: Tue, 13 Sep 2022 22:29:46 -0400 [thread overview]
Message-ID: <20220914022956.1359218-6-zohar@linux.ibm.com> (raw)
In-Reply-To: <20220914022956.1359218-1-zohar@linux.ibm.com>
Calculating the EVM HMAC and labeling the filesystem was originally
included in ima-evm-utils for debugging purposes only. For now,
instead of removing EVM HMAC support just replace the low level
HMAC_ calls with EVP_ calls.
The '-a, --hashalgo' specifies the IMA hash or signature algorithm.
The kernel EVM HMAC is limited to SHA1. Fix ima-evm-utils by hard
coding the EVM HMAC algorithm to SHA1.
Reviewed-by: Petr Vorel <pvorel@suse.cz>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
---
src/evmctl.c | 58 ++++++++++++++++++++++++++++++----------------------
1 file changed, 33 insertions(+), 25 deletions(-)
diff --git a/src/evmctl.c b/src/evmctl.c
index 641504047a36..27d2061f23be 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -61,6 +61,7 @@
#include <openssl/asn1.h>
#include <openssl/sha.h>
#include <openssl/pem.h>
+#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/err.h>
#include <openssl/rsa.h>
@@ -1159,12 +1160,12 @@ static int cmd_setxattr_ima(struct command *cmd)
static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *hash)
{
- const EVP_MD *md;
+ size_t mdlen;
+ EVP_MD_CTX *pctx;
+ EVP_PKEY *pkey = NULL;
struct stat st;
int err = -1;
uint32_t generation = 0;
- HMAC_CTX *pctx;
- unsigned int mdlen;
char **xattrname;
unsigned char xattr_value[1024];
unsigned char *key;
@@ -1175,10 +1176,8 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
struct h_misc_64 hmac_misc;
int hmac_size;
#if OPENSSL_VERSION_NUMBER < 0x10100000
- HMAC_CTX ctx;
+ EVP_MD_CTX ctx;
pctx = &ctx;
-#else
- pctx = HMAC_CTX_new();
#endif
key = file2bin(keyfile, NULL, &keylen);
@@ -1226,19 +1225,26 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
goto out;
}
- md = EVP_get_digestbyname(imaevm_params.hash_algo);
- if (!md) {
- log_err("EVP_get_digestbyname(%s) failed\n",
- imaevm_params.hash_algo);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+ pctx = EVP_MD_CTX_new();
+ if (!pctx) {
+ log_err("EVP_MD_CTX_new failed\n");
goto out;
}
+#endif
- err = !HMAC_Init_ex(pctx, evmkey, sizeof(evmkey), md, NULL);
- if (err) {
+ pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, evmkey, sizeof(evmkey));
+ if (!pkey) {
log_err("HMAC_Init() failed\n");
goto out;
}
+ err = EVP_DigestSignInit(pctx, NULL, EVP_sha1(), NULL, pkey);
+ if (err != 1) {
+ log_err("EVP_DigestSignInit() failed\n");
+ goto out;
+ }
+
for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
err = lgetxattr(file, *xattrname, xattr_value, sizeof(xattr_value));
if (err < 0) {
@@ -1249,12 +1255,12 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
log_info("skipping xattr: %s\n", *xattrname);
continue;
}
- /*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/
log_info("name: %s, size: %d\n", *xattrname, err);
log_debug_dump(xattr_value, err);
- err = !HMAC_Update(pctx, xattr_value, err);
- if (err) {
- log_err("HMAC_Update() failed\n");
+
+ err = EVP_DigestSignUpdate(pctx, xattr_value, err);
+ if (err != 1) {
+ log_err("EVP_DigestSignUpdate() failed\n");
goto out_ctx_cleanup;
}
}
@@ -1293,23 +1299,24 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
log_debug("hmac_misc (%d): ", hmac_size);
log_debug_dump(&hmac_misc, hmac_size);
- err = !HMAC_Update(pctx, (const unsigned char *)&hmac_misc, hmac_size);
- if (err) {
+ err = EVP_DigestSignUpdate(pctx, &hmac_misc, hmac_size);
+ if (err != 1) {
log_err("HMAC_Update() failed\n");
goto out_ctx_cleanup;
}
- err = !HMAC_Final(pctx, hash, &mdlen);
- if (err)
+ err = EVP_DigestSignFinal(pctx, hash, &mdlen);
+ if (err != 1)
log_err("HMAC_Final() failed\n");
out_ctx_cleanup:
-#if OPENSSL_VERSION_NUMBER < 0x10100000
- HMAC_CTX_cleanup(pctx);
-#else
- HMAC_CTX_free(pctx);
+ EVP_PKEY_free(pkey);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+ EVP_MD_CTX_free(pctx);
#endif
out:
free(key);
- return err ?: mdlen;
+ if (err == 1)
+ return mdlen;
+ return err;
}
static int hmac_evm(const char *file, const char *key)
@@ -1333,6 +1340,7 @@ static int hmac_evm(const char *file, const char *key)
err = lsetxattr(file, xattr_evm, sig, len + 1, 0);
if (err < 0) {
log_err("setxattr failed: %s\n", file);
+ errno = 0;
return err;
}
}
--
2.31.1
next prev parent reply other threads:[~2022-09-14 2:30 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-14 2:29 [PATCH ima-evm-utils v3 00/15] address deprecated warnings Mimi Zohar
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 01/15] travis: update dist=focal Mimi Zohar
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 02/15] Update configure.ac to address a couple of obsolete warnings Mimi Zohar
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 03/15] Deprecate IMA signature version 1 Mimi Zohar
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 04/15] Replace the low level SHA1 calls when calculating the TPM 1.2 PCRs Mimi Zohar
2022-09-14 2:29 ` Mimi Zohar [this message]
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 06/15] Add missing EVP_MD_CTX_free() call in calc_evm_hash() Mimi Zohar
2022-09-14 14:51 ` Vitaly Chikunov
2022-09-15 11:58 ` Mimi Zohar
2022-09-15 15:36 ` Vitaly Chikunov
2022-09-16 13:07 ` Mimi Zohar
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 07/15] Disable use of OpenSSL "engine" support Mimi Zohar
2022-09-14 16:38 ` Vitaly Chikunov
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 08/15] Fix potential use after free in read_tpm_banks() Mimi Zohar
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 09/15] Limit the file hash algorithm name length Mimi Zohar
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 10/15] Missing template data size lower bounds checking Mimi Zohar
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 11/15] Limit configuring OpenSSL engine support Mimi Zohar
2022-09-14 14:59 ` Vitaly Chikunov
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 12/15] Base sm2/sm3 test on openssl version installed Mimi Zohar
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 13/15] Compile a newer version of OpenSSL Mimi Zohar
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 14/15] Build OpenSSL without engine support Mimi Zohar
2022-09-14 2:29 ` [PATCH ima-evm-utils v3 15/15] Fix d2i_x509_fp failure Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220914022956.1359218-6-zohar@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=linux-integrity@vger.kernel.org \
--cc=pvorel@suse.cz \
--cc=stefanb@linux.ibm.com \
--cc=vt@altlinux.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox