* [PATCH 1/2] ima_boot_aggregate: Fix openssl 3.0 deprecation warnings
@ 2024-11-01 14:37 Petr Vorel
2024-11-01 14:37 ` [PATCH 2/2] ima_boot_aggregate: TBROK on fread() failure Petr Vorel
2024-11-15 5:10 ` [PATCH 1/2] ima_boot_aggregate: Fix openssl 3.0 deprecation warnings Mimi Zohar
0 siblings, 2 replies; 4+ messages in thread
From: Petr Vorel @ 2024-11-01 14:37 UTC (permalink / raw)
To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity
From the docs:
https://docs.openssl.org/3.0/man7/migration_guide/#deprecated-low-level-digest-functions
Use of low-level digest functions such as SHA1_Init(3) have been
informally discouraged from use for a long time. Applications should
instead use the high level EVP APIs EVP_DigestInit_ex(3),
EVP_DigestUpdate(3) and EVP_DigestFinal_ex(3), or the quick one-shot
EVP_Q_digest(3).
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
.../integrity/ima/src/ima_boot_aggregate.c | 32 +++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
index 62468e0d19..68d12fc3c2 100644
--- a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
+++ b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
@@ -24,6 +24,7 @@
#if HAVE_LIBCRYPTO
#include <openssl/sha.h>
+#include <openssl/evp.h>
#define MAX_EVENT_SIZE (1024*1024)
#define EVENT_HEADER_SIZE 32
@@ -61,7 +62,11 @@ static void display_sha1_digest(unsigned char *pcr)
static void do_test(void)
{
FILE *fp;
+#if OPENSSL_VERSION_NUMBER > 0x030000000L
+ EVP_MD_CTX *c = NULL;
+#else
SHA_CTX c;
+#endif
int i;
if (!file)
@@ -85,12 +90,24 @@ static void do_test(void)
}
if (event.header.pcr < NUM_PCRS) {
+#if OPENSSL_VERSION_NUMBER > 0x030000000L
+ if ((c = EVP_MD_CTX_new()) == NULL)
+ tst_brk(TBROK, "can't get new context");
+
+ EVP_DigestInit_ex(c, EVP_sha1(), NULL);
+ EVP_DigestUpdate(c, pcr[event.header.pcr].digest,
+ SHA_DIGEST_LENGTH);
+ EVP_DigestUpdate(c, event.header.digest, SHA_DIGEST_LENGTH);
+ EVP_DigestFinal_ex(c, pcr[event.header.pcr].digest, NULL);
+ EVP_MD_CTX_free(c);
+#else
SHA1_Init(&c);
SHA1_Update(&c, pcr[event.header.pcr].digest,
SHA_DIGEST_LENGTH);
SHA1_Update(&c, event.header.digest,
SHA_DIGEST_LENGTH);
SHA1_Final(pcr[event.header.pcr].digest, &c);
+#endif
}
#if MAX_EVENT_DATA_SIZE < USHRT_MAX
@@ -107,15 +124,30 @@ static void do_test(void)
/* Extend the boot aggregate with the pseudo PCR digest values */
memset(&boot_aggregate, 0, SHA_DIGEST_LENGTH);
+
+#if OPENSSL_VERSION_NUMBER > 0x030000000L
+ EVP_DigestInit_ex(c, EVP_sha1(), NULL);
+#else
SHA1_Init(&c);
+#endif
+
for (i = 0; i < NUM_PCRS; i++) {
if (debug) {
printf("PCR-%2.2x: ", i);
display_sha1_digest(pcr[i].digest);
}
+#if OPENSSL_VERSION_NUMBER > 0x030000000L
+ EVP_DigestUpdate(c, pcr[i].digest, SHA_DIGEST_LENGTH);
+#else
SHA1_Update(&c, pcr[i].digest, SHA_DIGEST_LENGTH);
+#endif
}
+
+#if OPENSSL_VERSION_NUMBER > 0x030000000L
+ EVP_MD_CTX_free(c);
+#else
SHA1_Final(boot_aggregate, &c);
+#endif
printf("sha1:");
display_sha1_digest(boot_aggregate);
--
2.45.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 2/2] ima_boot_aggregate: TBROK on fread() failure
2024-11-01 14:37 [PATCH 1/2] ima_boot_aggregate: Fix openssl 3.0 deprecation warnings Petr Vorel
@ 2024-11-01 14:37 ` Petr Vorel
2024-11-14 21:48 ` Petr Vorel
2024-11-15 5:10 ` [PATCH 1/2] ima_boot_aggregate: Fix openssl 3.0 deprecation warnings Mimi Zohar
1 sibling, 1 reply; 4+ messages in thread
From: Petr Vorel @ 2024-11-01 14:37 UTC (permalink / raw)
To: ltp; +Cc: Petr Vorel, Mimi Zohar, linux-integrity
fread() should read 1 byte, quit when it fails it.
This fixes warning: ignoring return value of ‘fread’ declared with
attribute ‘warn_unused_result’ [-Wunused-result].
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
.../kernel/security/integrity/ima/src/ima_boot_aggregate.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
index 68d12fc3c2..420b0c736d 100644
--- a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
+++ b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
@@ -116,7 +116,8 @@ static void do_test(void)
break;
}
#endif
- fread(event.data, event.header.len, 1, fp);
+ if (fread(event.data, event.header.len, 1, fp) != 1)
+ tst_brk(TBROK, "failed to read 1 byte");
}
SAFE_FCLOSE(fp);
--
2.45.2
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 2/2] ima_boot_aggregate: TBROK on fread() failure
2024-11-01 14:37 ` [PATCH 2/2] ima_boot_aggregate: TBROK on fread() failure Petr Vorel
@ 2024-11-14 21:48 ` Petr Vorel
0 siblings, 0 replies; 4+ messages in thread
From: Petr Vorel @ 2024-11-14 21:48 UTC (permalink / raw)
To: ltp; +Cc: Mimi Zohar, linux-integrity
Hi all,
both patches merged.
Kind regards,
Petr
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH 1/2] ima_boot_aggregate: Fix openssl 3.0 deprecation warnings
2024-11-01 14:37 [PATCH 1/2] ima_boot_aggregate: Fix openssl 3.0 deprecation warnings Petr Vorel
2024-11-01 14:37 ` [PATCH 2/2] ima_boot_aggregate: TBROK on fread() failure Petr Vorel
@ 2024-11-15 5:10 ` Mimi Zohar
1 sibling, 0 replies; 4+ messages in thread
From: Mimi Zohar @ 2024-11-15 5:10 UTC (permalink / raw)
To: Petr Vorel, ltp; +Cc: linux-integrity
On Fri, 2024-11-01 at 15:37 +0100, Petr Vorel wrote:
> From the docs:
> https://docs.openssl.org/3.0/man7/migration_guide/#deprecated-low-level-digest-functions
>
> Use of low-level digest functions such as SHA1_Init(3) have been
> informally discouraged from use for a long time. Applications should
> instead use the high level EVP APIs EVP_DigestInit_ex(3),
> EVP_DigestUpdate(3) and EVP_DigestFinal_ex(3), or the quick one-shot
> EVP_Q_digest(3).
>
> Signed-off-by: Petr Vorel <pvorel@suse.cz>
Sorry for the long delay in responding. The patch nicely cleans up all the
warnings.
thanks,
Mimi
> ---
> .../integrity/ima/src/ima_boot_aggregate.c | 32 +++++++++++++++++++
> 1 file changed, 32 insertions(+)
>
> diff --git a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
> index 62468e0d19..68d12fc3c2 100644
> --- a/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
> +++ b/testcases/kernel/security/integrity/ima/src/ima_boot_aggregate.c
> @@ -24,6 +24,7 @@
>
> #if HAVE_LIBCRYPTO
> #include <openssl/sha.h>
> +#include <openssl/evp.h>
>
> #define MAX_EVENT_SIZE (1024*1024)
> #define EVENT_HEADER_SIZE 32
> @@ -61,7 +62,11 @@ static void display_sha1_digest(unsigned char *pcr)
> static void do_test(void)
> {
> FILE *fp;
> +#if OPENSSL_VERSION_NUMBER > 0x030000000L
> + EVP_MD_CTX *c = NULL;
> +#else
> SHA_CTX c;
> +#endif
> int i;
>
> if (!file)
> @@ -85,12 +90,24 @@ static void do_test(void)
> }
>
> if (event.header.pcr < NUM_PCRS) {
> +#if OPENSSL_VERSION_NUMBER > 0x030000000L
> + if ((c = EVP_MD_CTX_new()) == NULL)
> + tst_brk(TBROK, "can't get new context");
> +
> + EVP_DigestInit_ex(c, EVP_sha1(), NULL);
> + EVP_DigestUpdate(c, pcr[event.header.pcr].digest,
> + SHA_DIGEST_LENGTH);
> + EVP_DigestUpdate(c, event.header.digest, SHA_DIGEST_LENGTH);
> + EVP_DigestFinal_ex(c, pcr[event.header.pcr].digest, NULL);
> + EVP_MD_CTX_free(c);
> +#else
> SHA1_Init(&c);
> SHA1_Update(&c, pcr[event.header.pcr].digest,
> SHA_DIGEST_LENGTH);
> SHA1_Update(&c, event.header.digest,
> SHA_DIGEST_LENGTH);
> SHA1_Final(pcr[event.header.pcr].digest, &c);
> +#endif
> }
>
> #if MAX_EVENT_DATA_SIZE < USHRT_MAX
> @@ -107,15 +124,30 @@ static void do_test(void)
>
> /* Extend the boot aggregate with the pseudo PCR digest values */
> memset(&boot_aggregate, 0, SHA_DIGEST_LENGTH);
> +
> +#if OPENSSL_VERSION_NUMBER > 0x030000000L
> + EVP_DigestInit_ex(c, EVP_sha1(), NULL);
> +#else
> SHA1_Init(&c);
> +#endif
> +
> for (i = 0; i < NUM_PCRS; i++) {
> if (debug) {
> printf("PCR-%2.2x: ", i);
> display_sha1_digest(pcr[i].digest);
> }
> +#if OPENSSL_VERSION_NUMBER > 0x030000000L
> + EVP_DigestUpdate(c, pcr[i].digest, SHA_DIGEST_LENGTH);
> +#else
> SHA1_Update(&c, pcr[i].digest, SHA_DIGEST_LENGTH);
> +#endif
> }
> +
> +#if OPENSSL_VERSION_NUMBER > 0x030000000L
> + EVP_MD_CTX_free(c);
> +#else
> SHA1_Final(boot_aggregate, &c);
> +#endif
>
> printf("sha1:");
> display_sha1_digest(boot_aggregate);
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-11-15 5:10 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-11-01 14:37 [PATCH 1/2] ima_boot_aggregate: Fix openssl 3.0 deprecation warnings Petr Vorel
2024-11-01 14:37 ` [PATCH 2/2] ima_boot_aggregate: TBROK on fread() failure Petr Vorel
2024-11-14 21:48 ` Petr Vorel
2024-11-15 5:10 ` [PATCH 1/2] ima_boot_aggregate: Fix openssl 3.0 deprecation warnings Mimi Zohar
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).