|
Packit Service |
087331 |
/*
|
|
Packit Service |
087331 |
* ima-evm-utils - IMA/EVM support utilities
|
|
Packit Service |
087331 |
*
|
|
Packit Service |
087331 |
* Copyright (C) 2011 Nokia Corporation
|
|
Packit Service |
087331 |
* Copyright (C) 2011,2012,2013 Intel Corporation
|
|
Packit Service |
087331 |
* Copyright (C) 2013,2014 Samsung Electronics
|
|
Packit Service |
087331 |
*
|
|
Packit Service |
087331 |
* Authors:
|
|
Packit Service |
087331 |
* Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
|
|
Packit Service |
087331 |
* <dmitry.kasatkin@intel.com>
|
|
Packit Service |
087331 |
* <d.kasatkin@samsung.com>
|
|
Packit Service |
087331 |
*
|
|
Packit Service |
087331 |
* This program is free software; you can redistribute it and/or
|
|
Packit Service |
087331 |
* modify it under the terms of the GNU General Public License
|
|
Packit Service |
087331 |
* version 2 as published by the Free Software Foundation.
|
|
Packit Service |
087331 |
*
|
|
Packit Service |
087331 |
* This program is distributed in the hope that it will be useful,
|
|
Packit Service |
087331 |
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Packit Service |
087331 |
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
Packit Service |
087331 |
* GNU General Public License for more details.
|
|
Packit Service |
087331 |
*
|
|
Packit Service |
087331 |
* You should have received a copy of the GNU General Public License
|
|
Packit Service |
087331 |
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
Packit Service |
087331 |
*
|
|
Packit Service |
087331 |
* As a special exception, the copyright holders give permission to link the
|
|
Packit Service |
087331 |
* code of portions of this program with the OpenSSL library under certain
|
|
Packit Service |
087331 |
* conditions as described in each individual source file and distribute
|
|
Packit Service |
087331 |
* linked combinations including the program with the OpenSSL library. You
|
|
Packit Service |
087331 |
* must comply with the GNU General Public License in all respects
|
|
Packit Service |
087331 |
* for all of the code used other than as permitted herein. If you modify
|
|
Packit Service |
087331 |
* file(s) with this exception, you may extend this exception to your
|
|
Packit Service |
087331 |
* version of the file(s), but you are not obligated to do so. If you do not
|
|
Packit Service |
087331 |
* wish to do so, delete this exception statement from your version. If you
|
|
Packit Service |
087331 |
* delete this exception statement from all source files in the program,
|
|
Packit Service |
087331 |
* then also delete it in the license file.
|
|
Packit Service |
087331 |
*
|
|
Packit Service |
087331 |
* File: libimaevm.c
|
|
Packit Service |
087331 |
* IMA/EVM library
|
|
Packit Service |
087331 |
*/
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
/* should we use logger instead for library? */
|
|
Packit Service |
087331 |
#define USE_FPRINTF
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
#include <sys/types.h>
|
|
Packit Service |
087331 |
#include <sys/param.h>
|
|
Packit Service |
087331 |
#include <sys/stat.h>
|
|
Packit Service |
087331 |
#include <asm/byteorder.h>
|
|
Packit Service |
087331 |
#include <unistd.h>
|
|
Packit Service |
087331 |
#include <dirent.h>
|
|
Packit Service |
087331 |
#include <string.h>
|
|
Packit Service |
087331 |
#include <stdio.h>
|
|
Packit Service |
087331 |
#include <assert.h>
|
|
Packit Service |
087331 |
#include <ctype.h>
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
#include <openssl/crypto.h>
|
|
Packit Service |
087331 |
#include <openssl/pem.h>
|
|
Packit Service |
087331 |
#include <openssl/evp.h>
|
|
Packit Service |
087331 |
#include <openssl/x509.h>
|
|
Packit Service |
087331 |
#include <openssl/err.h>
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
#include "imaevm.h"
|
|
Packit Service |
087331 |
#include "hash_info.h"
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
/* Names that are primary for OpenSSL. */
|
|
Packit Service |
087331 |
static const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
|
|
Packit Service |
087331 |
[PKEY_HASH_MD4] = "md4",
|
|
Packit Service |
087331 |
[PKEY_HASH_MD5] = "md5",
|
|
Packit Service |
087331 |
[PKEY_HASH_SHA1] = "sha1",
|
|
Packit Service |
087331 |
[PKEY_HASH_RIPE_MD_160] = "rmd160",
|
|
Packit Service |
087331 |
[PKEY_HASH_SHA256] = "sha256",
|
|
Packit Service |
087331 |
[PKEY_HASH_SHA384] = "sha384",
|
|
Packit Service |
087331 |
[PKEY_HASH_SHA512] = "sha512",
|
|
Packit Service |
087331 |
[PKEY_HASH_SHA224] = "sha224",
|
|
Packit Service |
087331 |
[PKEY_HASH_SM3_256] = "sm3",
|
|
Packit Service |
087331 |
[PKEY_HASH_STREEBOG_256] = "md_gost12_256",
|
|
Packit Service |
087331 |
[PKEY_HASH_STREEBOG_512] = "md_gost12_512",
|
|
Packit Service |
087331 |
};
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
/* Names that are primary for the kernel. */
|
|
Packit Service |
087331 |
static const char *const pkey_hash_algo_kern[PKEY_HASH__LAST] = {
|
|
Packit Service |
087331 |
[PKEY_HASH_STREEBOG_256] = "streebog256",
|
|
Packit Service |
087331 |
[PKEY_HASH_STREEBOG_512] = "streebog512",
|
|
Packit Service |
087331 |
};
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
struct libimaevm_params imaevm_params = {
|
|
Packit Service |
087331 |
.verbose = LOG_INFO,
|
|
Packit Service |
087331 |
.x509 = 1,
|
|
Packit Service |
087331 |
.hash_algo = "sha1",
|
|
Packit Service |
087331 |
};
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
static void __attribute__ ((constructor)) libinit(void);
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
void imaevm_do_hexdump(FILE *fp, const void *ptr, int len, bool cr)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
int i;
|
|
Packit Service |
087331 |
uint8_t *data = (uint8_t *) ptr;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
for (i = 0; i < len; i++)
|
|
Packit Service |
087331 |
fprintf(fp, "%02x", data[i]);
|
|
Packit Service |
087331 |
if (cr)
|
|
Packit Service |
087331 |
fprintf(fp, "\n");
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
void imaevm_hexdump(const void *ptr, int len)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
imaevm_do_hexdump(stdout, ptr, len, true);
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
const char *imaevm_hash_algo_by_id(int algo)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
if (algo < PKEY_HASH__LAST)
|
|
Packit Service |
087331 |
return pkey_hash_algo[algo];
|
|
Packit Service |
087331 |
if (algo < HASH_ALGO__LAST)
|
|
Packit Service |
087331 |
return hash_algo_name[algo];
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
log_err("digest %d not found\n", algo);
|
|
Packit Service |
087331 |
return NULL;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
/* Output all remaining openssl error messages. */
|
|
Packit Service |
087331 |
static void output_openssl_errors(void)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
while (ERR_peek_error()) {
|
|
Packit Service |
087331 |
char buf[256];
|
|
Packit Service |
087331 |
/* buf must be at least 256 bytes long according to man */
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
ERR_error_string(ERR_get_error(), buf);
|
|
Packit Service |
087331 |
log_err("openssl: %s\n", buf);
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
static int add_file_hash(const char *file, EVP_MD_CTX *ctx)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
uint8_t *data;
|
|
Packit Service |
087331 |
int err = -1, bs = DATA_SIZE;
|
|
Packit Service |
087331 |
off_t size, len;
|
|
Packit Service |
087331 |
FILE *fp;
|
|
Packit Service |
087331 |
struct stat stats;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
fp = fopen(file, "r");
|
|
Packit Service |
087331 |
if (!fp) {
|
|
Packit Service |
087331 |
log_err("Failed to open: %s\n", file);
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
data = malloc(bs);
|
|
Packit Service |
087331 |
if (!data) {
|
|
Packit Service |
087331 |
log_err("malloc failed\n");
|
|
Packit Service |
087331 |
goto out;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if (fstat(fileno(fp), &stats) == -1) {
|
|
Packit Service |
087331 |
log_err("Failed to fstat: %s (%s)\n", file, strerror(errno));
|
|
Packit Service |
087331 |
goto out;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
for (size = stats.st_size; size; size -= len) {
|
|
Packit Service |
087331 |
len = MIN(size, bs);
|
|
Packit Service |
087331 |
if (!fread(data, len, 1, fp)) {
|
|
Packit Service |
087331 |
if (ferror(fp)) {
|
|
Packit Service |
087331 |
log_err("fread() failed\n\n");
|
|
Packit Service |
087331 |
goto out;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
break;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
if (!EVP_DigestUpdate(ctx, data, len)) {
|
|
Packit Service |
087331 |
log_err("EVP_DigestUpdate() failed\n");
|
|
Packit Service |
087331 |
err = 1;
|
|
Packit Service |
087331 |
goto out;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
err = 0;
|
|
Packit Service |
087331 |
out:
|
|
Packit Service |
087331 |
fclose(fp);
|
|
Packit Service |
087331 |
free(data);
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
return err;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
static int add_dir_hash(const char *file, EVP_MD_CTX *ctx)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
int err;
|
|
Packit Service |
087331 |
struct dirent *de;
|
|
Packit Service |
087331 |
DIR *dir;
|
|
Packit Service |
087331 |
unsigned long long ino, off;
|
|
Packit Service |
087331 |
unsigned int type;
|
|
Packit Service |
087331 |
int result = 0;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
dir = opendir(file);
|
|
Packit Service |
087331 |
if (!dir) {
|
|
Packit Service |
087331 |
log_err("Failed to open: %s\n", file);
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
while ((de = readdir(dir))) {
|
|
Packit Service |
087331 |
ino = de->d_ino;
|
|
Packit Service |
087331 |
off = de->d_off;
|
|
Packit Service |
087331 |
type = de->d_type;
|
|
Packit Service |
087331 |
log_debug("entry: %s, ino: %llu, type: %u, off: %llu, reclen: %hu\n",
|
|
Packit Service |
087331 |
de->d_name, ino, type, off, de->d_reclen);
|
|
Packit Service |
087331 |
err = EVP_DigestUpdate(ctx, de->d_name, strlen(de->d_name));
|
|
Packit Service |
087331 |
/*err |= EVP_DigestUpdate(ctx, &off, sizeof(off));*/
|
|
Packit Service |
087331 |
err |= EVP_DigestUpdate(ctx, &ino, sizeof(ino));
|
|
Packit Service |
087331 |
err |= EVP_DigestUpdate(ctx, &type, sizeof(type));
|
|
Packit Service |
087331 |
if (!err) {
|
|
Packit Service |
087331 |
log_err("EVP_DigestUpdate() failed\n");
|
|
Packit Service |
087331 |
output_openssl_errors();
|
|
Packit Service |
087331 |
result = 1;
|
|
Packit Service |
087331 |
break;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
closedir(dir);
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
return result;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
static int add_link_hash(const char *path, EVP_MD_CTX *ctx)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
int err;
|
|
Packit Service |
087331 |
char buf[1024];
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
err = readlink(path, buf, sizeof(buf));
|
|
Packit Service |
087331 |
if (err <= 0)
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
log_info("link: %s -> %.*s\n", path, err, buf);
|
|
Packit Service |
087331 |
return !EVP_DigestUpdate(ctx, buf, err);
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
static int add_dev_hash(struct stat *st, EVP_MD_CTX *ctx)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
uint32_t dev = st->st_rdev;
|
|
Packit Service |
087331 |
unsigned major = (dev & 0xfff00) >> 8;
|
|
Packit Service |
087331 |
unsigned minor = (dev & 0xff) | ((dev >> 12) & 0xfff00);
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
log_info("device: %u:%u\n", major, minor);
|
|
Packit Service |
087331 |
return !EVP_DigestUpdate(ctx, &dev, sizeof(dev));
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
int ima_calc_hash(const char *file, uint8_t *hash)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
const EVP_MD *md;
|
|
Packit Service |
087331 |
struct stat st;
|
|
Packit Service |
087331 |
EVP_MD_CTX *pctx;
|
|
Packit Service |
087331 |
unsigned int mdlen;
|
|
Packit Service |
087331 |
int err;
|
|
Packit Service |
087331 |
#if OPENSSL_VERSION_NUMBER < 0x10100000
|
|
Packit Service |
087331 |
EVP_MD_CTX ctx;
|
|
Packit Service |
087331 |
pctx = &ctx;
|
|
Packit Service |
087331 |
#else
|
|
Packit Service |
087331 |
pctx = EVP_MD_CTX_new();
|
|
Packit Service |
087331 |
#endif
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
/* Need to know the file length */
|
|
Packit Service |
087331 |
err = lstat(file, &st);
|
|
Packit Service |
087331 |
if (err < 0) {
|
|
Packit Service |
087331 |
log_err("Failed to stat: %s\n", file);
|
|
Packit Service |
087331 |
goto err;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
md = EVP_get_digestbyname(imaevm_params.hash_algo);
|
|
Packit Service |
087331 |
if (!md) {
|
|
Packit Service |
087331 |
log_err("EVP_get_digestbyname(%s) failed\n",
|
|
Packit Service |
087331 |
imaevm_params.hash_algo);
|
|
Packit Service |
087331 |
err = 1;
|
|
Packit Service |
087331 |
goto err;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
err = EVP_DigestInit(pctx, md);
|
|
Packit Service |
087331 |
if (!err) {
|
|
Packit Service |
087331 |
log_err("EVP_DigestInit() failed\n");
|
|
Packit Service |
087331 |
err = 1;
|
|
Packit Service |
087331 |
goto err;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
switch (st.st_mode & S_IFMT) {
|
|
Packit Service |
087331 |
case S_IFREG:
|
|
Packit Service |
087331 |
err = add_file_hash(file, pctx);
|
|
Packit Service |
087331 |
break;
|
|
Packit Service |
087331 |
case S_IFDIR:
|
|
Packit Service |
087331 |
err = add_dir_hash(file, pctx);
|
|
Packit Service |
087331 |
break;
|
|
Packit Service |
087331 |
case S_IFLNK:
|
|
Packit Service |
087331 |
err = add_link_hash(file, pctx);
|
|
Packit Service |
087331 |
break;
|
|
Packit Service |
087331 |
case S_IFIFO: case S_IFSOCK:
|
|
Packit Service |
087331 |
case S_IFCHR: case S_IFBLK:
|
|
Packit Service |
087331 |
err = add_dev_hash(&st, pctx);
|
|
Packit Service |
087331 |
break;
|
|
Packit Service |
087331 |
default:
|
|
Packit Service |
087331 |
log_errno("Unsupported file type");
|
|
Packit Service |
087331 |
err = -1;
|
|
Packit Service |
087331 |
goto err;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if (err)
|
|
Packit Service |
087331 |
goto err;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
err = EVP_DigestFinal(pctx, hash, &mdlen);
|
|
Packit Service |
087331 |
if (!err) {
|
|
Packit Service |
087331 |
log_err("EVP_DigestFinal() failed\n");
|
|
Packit Service |
087331 |
err = 1;
|
|
Packit Service |
087331 |
goto err;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
err = mdlen;
|
|
Packit Service |
087331 |
err:
|
|
Packit Service |
087331 |
if (err == 1)
|
|
Packit Service |
087331 |
output_openssl_errors();
|
|
Packit Service |
087331 |
#if OPENSSL_VERSION_NUMBER >= 0x10100000
|
|
Packit Service |
087331 |
EVP_MD_CTX_free(pctx);
|
|
Packit Service |
087331 |
#endif
|
|
Packit Service |
087331 |
return err;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
EVP_PKEY *read_pub_pkey(const char *keyfile, int x509)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
FILE *fp;
|
|
Packit Service |
087331 |
EVP_PKEY *pkey = NULL;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if (!keyfile)
|
|
Packit Service |
087331 |
return NULL;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
fp = fopen(keyfile, "r");
|
|
Packit Service |
087331 |
if (!fp) {
|
|
Packit Service |
087331 |
if (imaevm_params.verbose > LOG_INFO)
|
|
Packit Service |
087331 |
log_info("Failed to open keyfile: %s\n", keyfile);
|
|
Packit Service |
087331 |
return NULL;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if (x509) {
|
|
Packit Service |
087331 |
X509 *crt = d2i_X509_fp(fp, NULL);
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if (!crt) {
|
|
Packit Service |
087331 |
log_err("Failed to d2i_X509_fp key file: %s\n",
|
|
Packit Service |
087331 |
keyfile);
|
|
Packit Service |
087331 |
goto out;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
pkey = X509_extract_key(crt);
|
|
Packit Service |
087331 |
X509_free(crt);
|
|
Packit Service |
087331 |
if (!pkey) {
|
|
Packit Service |
087331 |
log_err("Failed to X509_extract_key key file: %s\n",
|
|
Packit Service |
087331 |
keyfile);
|
|
Packit Service |
087331 |
goto out;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
} else {
|
|
Packit Service |
087331 |
pkey = PEM_read_PUBKEY(fp, NULL, NULL, NULL);
|
|
Packit Service |
087331 |
if (!pkey)
|
|
Packit Service |
087331 |
log_err("Failed to PEM_read_PUBKEY key file: %s\n",
|
|
Packit Service |
087331 |
keyfile);
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
out:
|
|
Packit Service |
087331 |
if (!pkey)
|
|
Packit Service |
087331 |
output_openssl_errors();
|
|
Packit Service |
087331 |
fclose(fp);
|
|
Packit Service |
087331 |
return pkey;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
RSA *read_pub_key(const char *keyfile, int x509)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
EVP_PKEY *pkey;
|
|
Packit Service |
087331 |
RSA *key;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
pkey = read_pub_pkey(keyfile, x509);
|
|
Packit Service |
087331 |
if (!pkey)
|
|
Packit Service |
087331 |
return NULL;
|
|
Packit Service |
087331 |
key = EVP_PKEY_get1_RSA(pkey);
|
|
Packit Service |
087331 |
EVP_PKEY_free(pkey);
|
|
Packit Service |
087331 |
if (!key) {
|
|
Packit Service |
087331 |
log_err("read_pub_key: unsupported key type\n");
|
|
Packit Service |
087331 |
output_openssl_errors();
|
|
Packit Service |
087331 |
return NULL;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
return key;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
static int verify_hash_v1(const char *file, const unsigned char *hash, int size,
|
|
Packit Service |
087331 |
unsigned char *sig, int siglen, const char *keyfile)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
int err, len;
|
|
Packit Service |
087331 |
SHA_CTX ctx;
|
|
Packit Service |
087331 |
unsigned char out[1024];
|
|
Packit Service |
087331 |
RSA *key;
|
|
Packit Service |
087331 |
unsigned char sighash[20];
|
|
Packit Service |
087331 |
struct signature_hdr *hdr = (struct signature_hdr *)sig;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
log_info("hash-v1: ");
|
|
Packit Service |
087331 |
log_dump(hash, size);
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
key = read_pub_key(keyfile, 0);
|
|
Packit Service |
087331 |
if (!key)
|
|
Packit Service |
087331 |
return 1;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
SHA1_Init(&ctx;;
|
|
Packit Service |
087331 |
SHA1_Update(&ctx, hash, size);
|
|
Packit Service |
087331 |
SHA1_Update(&ctx, hdr, sizeof(*hdr));
|
|
Packit Service |
087331 |
SHA1_Final(sighash, &ctx;;
|
|
Packit Service |
087331 |
log_info("sighash: ");
|
|
Packit Service |
087331 |
log_dump(sighash, sizeof(sighash));
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
err = RSA_public_decrypt(siglen - sizeof(*hdr) - 2, sig + sizeof(*hdr) + 2, out, key, RSA_PKCS1_PADDING);
|
|
Packit Service |
087331 |
RSA_free(key);
|
|
Packit Service |
087331 |
if (err < 0) {
|
|
Packit Service |
087331 |
log_err("%s: RSA_public_decrypt() failed: %d\n", file, err);
|
|
Packit Service |
087331 |
output_openssl_errors();
|
|
Packit Service |
087331 |
return 1;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
len = err;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if (len != sizeof(sighash) || memcmp(out, sighash, len) != 0) {
|
|
Packit Service |
087331 |
log_err("%s: verification failed: %d\n", file, err);
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
return 0;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
struct public_key_entry {
|
|
Packit Service |
087331 |
struct public_key_entry *next;
|
|
Packit Service |
087331 |
uint32_t keyid;
|
|
Packit Service |
087331 |
char name[9];
|
|
Packit Service |
087331 |
EVP_PKEY *key;
|
|
Packit Service |
087331 |
};
|
|
Packit Service |
087331 |
static struct public_key_entry *public_keys = NULL;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
static EVP_PKEY *find_keyid(uint32_t keyid)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
struct public_key_entry *entry, *tail = public_keys;
|
|
Packit Service |
087331 |
int i = 1;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
for (entry = public_keys; entry != NULL; entry = entry->next) {
|
|
Packit Service |
087331 |
if (entry->keyid == keyid)
|
|
Packit Service |
087331 |
return entry->key;
|
|
Packit Service |
087331 |
i++;
|
|
Packit Service |
087331 |
tail = entry;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
/* add unknown keys to list */
|
|
Packit Service |
087331 |
entry = calloc(1, sizeof(struct public_key_entry));
|
|
Packit Service |
087331 |
if (!entry) {
|
|
Packit Service |
087331 |
perror("calloc");
|
|
Packit Service |
087331 |
return 0;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
entry->keyid = keyid;
|
|
Packit Service |
087331 |
if (tail)
|
|
Packit Service |
087331 |
tail->next = entry;
|
|
Packit Service |
087331 |
else
|
|
Packit Service |
087331 |
public_keys = entry;
|
|
Packit Service |
087331 |
log_err("key %d: %x (unknown keyid)\n", i, __be32_to_cpup(&keyid));
|
|
Packit Service |
087331 |
return 0;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
void init_public_keys(const char *keyfiles)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
struct public_key_entry *entry;
|
|
Packit Service |
087331 |
char *tmp_keyfiles, *keyfiles_free;
|
|
Packit Service |
087331 |
char *keyfile;
|
|
Packit Service |
087331 |
int i = 1;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
tmp_keyfiles = strdup(keyfiles);
|
|
Packit Service |
087331 |
keyfiles_free = tmp_keyfiles;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
while ((keyfile = strsep(&tmp_keyfiles, ", \t")) != NULL) {
|
|
Packit Service |
087331 |
if (!keyfile)
|
|
Packit Service |
087331 |
break;
|
|
Packit Service |
087331 |
if ((*keyfile == '\0') || (*keyfile == ' ') ||
|
|
Packit Service |
087331 |
(*keyfile == '\t'))
|
|
Packit Service |
087331 |
continue;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
entry = malloc(sizeof(struct public_key_entry));
|
|
Packit Service |
087331 |
if (!entry) {
|
|
Packit Service |
087331 |
perror("malloc");
|
|
Packit Service |
087331 |
break;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
entry->key = read_pub_pkey(keyfile, 1);
|
|
Packit Service |
087331 |
if (!entry->key) {
|
|
Packit Service |
087331 |
free(entry);
|
|
Packit Service |
087331 |
continue;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
calc_keyid_v2(&entry->keyid, entry->name, entry->key);
|
|
Packit Service |
087331 |
sprintf(entry->name, "%x", __be32_to_cpup(&entry->keyid));
|
|
Packit Service |
087331 |
log_info("key %d: %s %s\n", i++, entry->name, keyfile);
|
|
Packit Service |
087331 |
entry->next = public_keys;
|
|
Packit Service |
087331 |
public_keys = entry;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
free(keyfiles_free);
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
/*
|
|
Packit Service |
087331 |
* Return: 0 verification good, 1 verification bad, -1 error.
|
|
Packit Service |
087331 |
*/
|
|
Packit Service |
087331 |
static int verify_hash_v2(const char *file, const unsigned char *hash, int size,
|
|
Packit Service |
087331 |
unsigned char *sig, int siglen)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
int ret = -1;
|
|
Packit Service |
087331 |
EVP_PKEY *pkey, *pkey_free = NULL;
|
|
Packit Service |
087331 |
struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
|
|
Packit Service |
087331 |
EVP_PKEY_CTX *ctx;
|
|
Packit Service |
087331 |
const EVP_MD *md;
|
|
Packit Service |
087331 |
const char *st;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if (imaevm_params.verbose > LOG_INFO) {
|
|
Packit Service |
087331 |
log_info("hash(%s): ", imaevm_params.hash_algo);
|
|
Packit Service |
087331 |
log_dump(hash, size);
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
pkey = find_keyid(hdr->keyid);
|
|
Packit Service |
087331 |
if (!pkey) {
|
|
Packit Service |
087331 |
uint32_t keyid = hdr->keyid;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if (imaevm_params.verbose > LOG_INFO)
|
|
Packit Service |
087331 |
log_info("%s: verification failed: unknown keyid %x\n",
|
|
Packit Service |
087331 |
file, __be32_to_cpup(&keyid));
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
st = "EVP_PKEY_CTX_new";
|
|
Packit Service |
087331 |
if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL)))
|
|
Packit Service |
087331 |
goto err;
|
|
Packit Service |
087331 |
st = "EVP_PKEY_verify_init";
|
|
Packit Service |
087331 |
if (!EVP_PKEY_verify_init(ctx))
|
|
Packit Service |
087331 |
goto err;
|
|
Packit Service |
087331 |
st = "EVP_get_digestbyname";
|
|
Packit Service |
087331 |
if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo)))
|
|
Packit Service |
087331 |
goto err;
|
|
Packit Service |
087331 |
st = "EVP_PKEY_CTX_set_signature_md";
|
|
Packit Service |
087331 |
if (!EVP_PKEY_CTX_set_signature_md(ctx, md))
|
|
Packit Service |
087331 |
goto err;
|
|
Packit Service |
087331 |
st = "EVP_PKEY_verify";
|
|
Packit Service |
087331 |
ret = EVP_PKEY_verify(ctx, sig + sizeof(*hdr),
|
|
Packit Service |
087331 |
siglen - sizeof(*hdr), hash, size);
|
|
Packit Service |
087331 |
if (ret == 1)
|
|
Packit Service |
087331 |
ret = 0;
|
|
Packit Service |
087331 |
else if (ret == 0) {
|
|
Packit Service |
087331 |
log_err("%s: verification failed: %d (%s)\n",
|
|
Packit Service |
087331 |
file, ret, ERR_reason_error_string(ERR_get_error()));
|
|
Packit Service |
087331 |
output_openssl_errors();
|
|
Packit Service |
087331 |
ret = 1;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
err:
|
|
Packit Service |
087331 |
if (ret < 0 || ret > 1) {
|
|
Packit Service |
087331 |
log_err("%s: verification failed: %d (%s) in %s\n",
|
|
Packit Service |
087331 |
file, ret, ERR_reason_error_string(ERR_peek_error()),
|
|
Packit Service |
087331 |
st);
|
|
Packit Service |
087331 |
output_openssl_errors();
|
|
Packit Service |
087331 |
ret = -1;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
EVP_PKEY_CTX_free(ctx);
|
|
Packit Service |
087331 |
EVP_PKEY_free(pkey_free);
|
|
Packit Service |
087331 |
return ret;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
int imaevm_get_hash_algo(const char *algo)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
int i;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
/* first iterate over builtin algorithms */
|
|
Packit Service |
087331 |
for (i = 0; i < PKEY_HASH__LAST; i++)
|
|
Packit Service |
087331 |
if (pkey_hash_algo[i] &&
|
|
Packit Service |
087331 |
!strcmp(algo, pkey_hash_algo[i]))
|
|
Packit Service |
087331 |
return i;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
for (i = 0; i < PKEY_HASH__LAST; i++)
|
|
Packit Service |
087331 |
if (pkey_hash_algo_kern[i] &&
|
|
Packit Service |
087331 |
!strcmp(algo, pkey_hash_algo_kern[i]))
|
|
Packit Service |
087331 |
return i;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
/* iterate over algorithms provided by kernel-headers */
|
|
Packit Service |
087331 |
for (i = 0; i < HASH_ALGO__LAST; i++)
|
|
Packit Service |
087331 |
if (hash_algo_name[i] &&
|
|
Packit Service |
087331 |
!strcmp(algo, hash_algo_name[i]))
|
|
Packit Service |
087331 |
return i;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
int imaevm_hash_algo_from_sig(unsigned char *sig)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
uint8_t hashalgo;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if (sig[0] == DIGSIG_VERSION_1) {
|
|
Packit Service |
087331 |
hashalgo = ((struct signature_hdr *)sig)->hash;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if (hashalgo >= DIGEST_ALGO_MAX)
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
switch (hashalgo) {
|
|
Packit Service |
087331 |
case DIGEST_ALGO_SHA1:
|
|
Packit Service |
087331 |
return PKEY_HASH_SHA1;
|
|
Packit Service |
087331 |
case DIGEST_ALGO_SHA256:
|
|
Packit Service |
087331 |
return PKEY_HASH_SHA256;
|
|
Packit Service |
087331 |
default:
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
} else if (sig[0] == DIGSIG_VERSION_2) {
|
|
Packit Service |
087331 |
hashalgo = ((struct signature_v2_hdr *)sig)->hash_algo;
|
|
Packit Service |
087331 |
if (hashalgo >= PKEY_HASH__LAST)
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
return hashalgo;
|
|
Packit Service |
087331 |
} else
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
int verify_hash(const char *file, const unsigned char *hash, int size, unsigned char *sig,
|
|
Packit Service |
087331 |
int siglen)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
/* Get signature type from sig header */
|
|
Packit Service |
087331 |
if (sig[0] == DIGSIG_VERSION_1) {
|
|
Packit Service |
087331 |
const char *key = NULL;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
/* Read pubkey from RSA key */
|
|
Packit Service |
087331 |
if (!imaevm_params.keyfile)
|
|
Packit Service |
087331 |
key = "/etc/keys/pubkey_evm.pem";
|
|
Packit Service |
087331 |
else
|
|
Packit Service |
087331 |
key = imaevm_params.keyfile;
|
|
Packit Service |
087331 |
return verify_hash_v1(file, hash, size, sig, siglen, key);
|
|
Packit Service |
087331 |
} else if (sig[0] == DIGSIG_VERSION_2) {
|
|
Packit Service |
087331 |
return verify_hash_v2(file, hash, size, sig, siglen);
|
|
Packit Service |
087331 |
} else
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
|
|
Packit Service |
087331 |
unsigned char *digest, int digestlen)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
unsigned char hash[MAX_DIGEST_SIZE];
|
|
Packit Service |
087331 |
int hashlen, sig_hash_algo;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if (sig[0] != EVM_IMA_XATTR_DIGSIG) {
|
|
Packit Service |
087331 |
log_err("%s: xattr ima has no signature\n", file);
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
sig_hash_algo = imaevm_hash_algo_from_sig(sig + 1);
|
|
Packit Service |
087331 |
if (sig_hash_algo < 0) {
|
|
Packit Service |
087331 |
log_err("%s: Invalid signature\n", file);
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
/* Use hash algorithm as retrieved from signature */
|
|
Packit Service |
087331 |
imaevm_params.hash_algo = imaevm_hash_algo_by_id(sig_hash_algo);
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
/*
|
|
Packit Service |
087331 |
* Validate the signature based on the digest included in the
|
|
Packit Service |
087331 |
* measurement list, not by calculating the local file digest.
|
|
Packit Service |
087331 |
*/
|
|
Packit Service |
087331 |
if (digestlen > 0)
|
|
Packit Service |
087331 |
return verify_hash(file, digest, digestlen, sig + 1, siglen - 1);
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
hashlen = ima_calc_hash(file, hash);
|
|
Packit Service |
087331 |
if (hashlen <= 1)
|
|
Packit Service |
087331 |
return hashlen;
|
|
Packit Service |
087331 |
assert(hashlen <= sizeof(hash));
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
return verify_hash(file, hash, hashlen, sig + 1, siglen - 1);
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
/*
|
|
Packit Service |
087331 |
* Create binary key representation suitable for kernel
|
|
Packit Service |
087331 |
*/
|
|
Packit Service |
087331 |
int key2bin(RSA *key, unsigned char *pub)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
int len, b, offset = 0;
|
|
Packit Service |
087331 |
struct pubkey_hdr *pkh = (struct pubkey_hdr *)pub;
|
|
Packit Service |
087331 |
const BIGNUM *n, *e;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
#if OPENSSL_VERSION_NUMBER < 0x10100000
|
|
Packit Service |
087331 |
n = key->n;
|
|
Packit Service |
087331 |
e = key->e;
|
|
Packit Service |
087331 |
#else
|
|
Packit Service |
087331 |
RSA_get0_key(key, &n, &e, NULL);
|
|
Packit Service |
087331 |
#endif
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
/* add key header */
|
|
Packit Service |
087331 |
pkh->version = 1;
|
|
Packit Service |
087331 |
pkh->timestamp = 0; /* PEM has no timestamp?? */
|
|
Packit Service |
087331 |
pkh->algo = PUBKEY_ALGO_RSA;
|
|
Packit Service |
087331 |
pkh->nmpi = 2;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
offset += sizeof(*pkh);
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
len = BN_num_bytes(n);
|
|
Packit Service |
087331 |
b = BN_num_bits(n);
|
|
Packit Service |
087331 |
pub[offset++] = b >> 8;
|
|
Packit Service |
087331 |
pub[offset++] = b & 0xff;
|
|
Packit Service |
087331 |
BN_bn2bin(n, &pub[offset]);
|
|
Packit Service |
087331 |
offset += len;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
len = BN_num_bytes(e);
|
|
Packit Service |
087331 |
b = BN_num_bits(e);
|
|
Packit Service |
087331 |
pub[offset++] = b >> 8;
|
|
Packit Service |
087331 |
pub[offset++] = b & 0xff;
|
|
Packit Service |
087331 |
BN_bn2bin(e, &pub[offset]);
|
|
Packit Service |
087331 |
offset += len;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
return offset;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
uint8_t sha1[SHA_DIGEST_LENGTH];
|
|
Packit Service |
087331 |
uint64_t id;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
SHA1(pkey, len, sha1);
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
/* sha1[12 - 19] is exactly keyid from gpg file */
|
|
Packit Service |
087331 |
memcpy(keyid, sha1 + 12, 8);
|
|
Packit Service |
087331 |
log_debug("keyid: ");
|
|
Packit Service |
087331 |
log_debug_dump(keyid, 8);
|
|
Packit Service |
087331 |
id = __be64_to_cpup((__be64 *) keyid);
|
|
Packit Service |
087331 |
sprintf(str, "%llX", (unsigned long long)id);
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if (imaevm_params.verbose > LOG_INFO)
|
|
Packit Service |
087331 |
log_info("keyid-v1: %s\n", str);
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
/*
|
|
Packit Service |
087331 |
* Calculate keyid of the public_key part of EVP_PKEY
|
|
Packit Service |
087331 |
*/
|
|
Packit Service |
087331 |
void calc_keyid_v2(uint32_t *keyid, char *str, EVP_PKEY *pkey)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
X509_PUBKEY *pk = NULL;
|
|
Packit Service |
087331 |
const unsigned char *public_key = NULL;
|
|
Packit Service |
087331 |
int len;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
/* This is more generic than i2d_PublicKey() */
|
|
Packit Service |
087331 |
if (X509_PUBKEY_set(&pk, pkey) &&
|
|
Packit Service |
087331 |
X509_PUBKEY_get0_param(NULL, &public_key, &len, NULL, pk)) {
|
|
Packit Service |
087331 |
uint8_t sha1[SHA_DIGEST_LENGTH];
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
SHA1(public_key, len, sha1);
|
|
Packit Service |
087331 |
/* sha1[12 - 19] is exactly keyid from gpg file */
|
|
Packit Service |
087331 |
memcpy(keyid, sha1 + 16, 4);
|
|
Packit Service |
087331 |
} else
|
|
Packit Service |
087331 |
*keyid = 0;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
log_debug("keyid: ");
|
|
Packit Service |
087331 |
log_debug_dump(keyid, 4);
|
|
Packit Service |
087331 |
sprintf(str, "%x", __be32_to_cpup(keyid));
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if (imaevm_params.verbose > LOG_INFO)
|
|
Packit Service |
087331 |
log_info("keyid: %s\n", str);
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
X509_PUBKEY_free(pk);
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
static EVP_PKEY *read_priv_pkey(const char *keyfile, const char *keypass)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
FILE *fp;
|
|
Packit Service |
087331 |
EVP_PKEY *pkey;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
fp = fopen(keyfile, "r");
|
|
Packit Service |
087331 |
if (!fp) {
|
|
Packit Service |
087331 |
log_err("Failed to open keyfile: %s\n", keyfile);
|
|
Packit Service |
087331 |
return NULL;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
pkey = PEM_read_PrivateKey(fp, NULL, NULL, (void *)keypass);
|
|
Packit Service |
087331 |
if (!pkey) {
|
|
Packit Service |
087331 |
log_err("Failed to PEM_read_PrivateKey key file: %s\n",
|
|
Packit Service |
087331 |
keyfile);
|
|
Packit Service |
087331 |
output_openssl_errors();
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
fclose(fp);
|
|
Packit Service |
087331 |
return pkey;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
static RSA *read_priv_key(const char *keyfile, const char *keypass)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
EVP_PKEY *pkey;
|
|
Packit Service |
087331 |
RSA *key;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
pkey = read_priv_pkey(keyfile, keypass);
|
|
Packit Service |
087331 |
if (!pkey)
|
|
Packit Service |
087331 |
return NULL;
|
|
Packit Service |
087331 |
key = EVP_PKEY_get1_RSA(pkey);
|
|
Packit Service |
087331 |
EVP_PKEY_free(pkey);
|
|
Packit Service |
087331 |
if (!key) {
|
|
Packit Service |
087331 |
log_err("read_priv_key: unsupported key type\n");
|
|
Packit Service |
087331 |
output_openssl_errors();
|
|
Packit Service |
087331 |
return NULL;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
return key;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
static int get_hash_algo_v1(const char *algo)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if (!strcmp(algo, "sha1"))
|
|
Packit Service |
087331 |
return DIGEST_ALGO_SHA1;
|
|
Packit Service |
087331 |
else if (!strcmp(algo, "sha256"))
|
|
Packit Service |
087331 |
return DIGEST_ALGO_SHA256;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
static int sign_hash_v1(const char *hashalgo, const unsigned char *hash,
|
|
Packit Service |
087331 |
int size, const char *keyfile, unsigned char *sig)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
int len = -1, hashalgo_idx;
|
|
Packit Service |
087331 |
SHA_CTX ctx;
|
|
Packit Service |
087331 |
unsigned char pub[1024];
|
|
Packit Service |
087331 |
RSA *key;
|
|
Packit Service |
087331 |
char name[20];
|
|
Packit Service |
087331 |
unsigned char sighash[20];
|
|
Packit Service |
087331 |
struct signature_hdr *hdr;
|
|
Packit Service |
087331 |
uint16_t *blen;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if (!hash) {
|
|
Packit Service |
087331 |
log_err("sign_hash_v1: hash is null\n");
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if (size < 0) {
|
|
Packit Service |
087331 |
log_err("sign_hash_v1: size is negative: %d\n", size);
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if (!hashalgo) {
|
|
Packit Service |
087331 |
log_err("sign_hash_v1: hashalgo is null\n");
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if (!sig) {
|
|
Packit Service |
087331 |
log_err("sign_hash_v1: sig is null\n");
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
log_info("hash(%s): ", hashalgo);
|
|
Packit Service |
087331 |
log_dump(hash, size);
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
key = read_priv_key(keyfile, imaevm_params.keypass);
|
|
Packit Service |
087331 |
if (!key)
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
hdr = (struct signature_hdr *)sig;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
/* now create a new hash */
|
|
Packit Service |
087331 |
hdr->version = (uint8_t) DIGSIG_VERSION_1;
|
|
Packit Service |
087331 |
hdr->timestamp = time(NULL);
|
|
Packit Service |
087331 |
hdr->algo = PUBKEY_ALGO_RSA;
|
|
Packit Service |
087331 |
hashalgo_idx = get_hash_algo_v1(hashalgo);
|
|
Packit Service |
087331 |
if (hashalgo_idx < 0) {
|
|
Packit Service |
087331 |
log_err("Signature version 1 does not support hash algo %s\n",
|
|
Packit Service |
087331 |
hashalgo);
|
|
Packit Service |
087331 |
goto out;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
hdr->hash = (uint8_t) hashalgo_idx;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
len = key2bin(key, pub);
|
|
Packit Service |
087331 |
calc_keyid_v1(hdr->keyid, name, pub, len);
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
hdr->nmpi = 1;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
SHA1_Init(&ctx;;
|
|
Packit Service |
087331 |
SHA1_Update(&ctx, hash, size);
|
|
Packit Service |
087331 |
SHA1_Update(&ctx, hdr, sizeof(*hdr));
|
|
Packit Service |
087331 |
SHA1_Final(sighash, &ctx;;
|
|
Packit Service |
087331 |
log_info("sighash: ");
|
|
Packit Service |
087331 |
log_dump(sighash, sizeof(sighash));
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
len = RSA_private_encrypt(sizeof(sighash), sighash, sig + sizeof(*hdr) + 2, key, RSA_PKCS1_PADDING);
|
|
Packit Service |
087331 |
if (len < 0) {
|
|
Packit Service |
087331 |
log_err("RSA_private_encrypt() failed: %d\n", len);
|
|
Packit Service |
087331 |
output_openssl_errors();
|
|
Packit Service |
087331 |
goto out;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
/* we add bit length of the signature to make it gnupg compatible */
|
|
Packit Service |
087331 |
blen = (uint16_t *) (sig + sizeof(*hdr));
|
|
Packit Service |
087331 |
*blen = __cpu_to_be16(len << 3);
|
|
Packit Service |
087331 |
len += sizeof(*hdr) + 2;
|
|
Packit Service |
087331 |
log_info("evm/ima signature-v1: %d bytes\n", len);
|
|
Packit Service |
087331 |
out:
|
|
Packit Service |
087331 |
RSA_free(key);
|
|
Packit Service |
087331 |
return len;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
/*
|
|
Packit Service |
087331 |
* @sig is assumed to be of (MAX_SIGNATURE_SIZE - 1) size
|
|
Packit Service |
087331 |
* Return: -1 signing error, >0 length of signature
|
|
Packit Service |
087331 |
*/
|
|
Packit Service |
087331 |
static int sign_hash_v2(const char *algo, const unsigned char *hash,
|
|
Packit Service |
087331 |
int size, const char *keyfile, unsigned char *sig)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
struct signature_v2_hdr *hdr;
|
|
Packit Service |
087331 |
int len = -1;
|
|
Packit Service |
087331 |
EVP_PKEY *pkey;
|
|
Packit Service |
087331 |
char name[20];
|
|
Packit Service |
087331 |
EVP_PKEY_CTX *ctx = NULL;
|
|
Packit Service |
087331 |
const EVP_MD *md;
|
|
Packit Service |
087331 |
size_t sigsize;
|
|
Packit Service |
087331 |
const char *st;
|
|
Packit Service |
087331 |
uint32_t keyid;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if (!hash) {
|
|
Packit Service |
087331 |
log_err("sign_hash_v2: hash is null\n");
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if (size < 0) {
|
|
Packit Service |
087331 |
log_err("sign_hash_v2: size is negative: %d\n", size);
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if (!sig) {
|
|
Packit Service |
087331 |
log_err("sign_hash_v2: sig is null\n");
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
if (!algo) {
|
|
Packit Service |
087331 |
log_err("sign_hash_v2: algo is null\n");
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
a14ff8 |
log_info("hash(%s): ", imaevm_params.hash_algo);
|
|
Packit Service |
087331 |
log_dump(hash, size);
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
pkey = read_priv_pkey(keyfile, imaevm_params.keypass);
|
|
Packit Service |
087331 |
if (!pkey)
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
hdr = (struct signature_v2_hdr *)sig;
|
|
Packit Service |
087331 |
hdr->version = (uint8_t) DIGSIG_VERSION_2;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
hdr->hash_algo = imaevm_get_hash_algo(algo);
|
|
Packit Service |
087331 |
if (hdr->hash_algo == (uint8_t)-1) {
|
|
Packit Service |
087331 |
log_err("sign_hash_v2: hash algo is unknown: %s\n", algo);
|
|
Packit Service |
087331 |
return -1;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
calc_keyid_v2(&keyid, name, pkey);
|
|
Packit Service |
087331 |
hdr->keyid = keyid;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
st = "EVP_PKEY_CTX_new";
|
|
Packit Service |
087331 |
if (!(ctx = EVP_PKEY_CTX_new(pkey, NULL)))
|
|
Packit Service |
087331 |
goto err;
|
|
Packit Service |
087331 |
st = "EVP_PKEY_sign_init";
|
|
Packit Service |
087331 |
if (!EVP_PKEY_sign_init(ctx))
|
|
Packit Service |
087331 |
goto err;
|
|
Packit Service |
087331 |
st = "EVP_get_digestbyname";
|
|
Packit Service |
a14ff8 |
if (!(md = EVP_get_digestbyname(imaevm_params.hash_algo)))
|
|
Packit Service |
087331 |
goto err;
|
|
Packit Service |
087331 |
st = "EVP_PKEY_CTX_set_signature_md";
|
|
Packit Service |
087331 |
if (!EVP_PKEY_CTX_set_signature_md(ctx, md))
|
|
Packit Service |
087331 |
goto err;
|
|
Packit Service |
087331 |
st = "EVP_PKEY_sign";
|
|
Packit Service |
087331 |
sigsize = MAX_SIGNATURE_SIZE - sizeof(struct signature_v2_hdr) - 1;
|
|
Packit Service |
087331 |
if (!EVP_PKEY_sign(ctx, hdr->sig, &sigsize, hash, size))
|
|
Packit Service |
087331 |
goto err;
|
|
Packit Service |
087331 |
len = (int)sigsize;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
/* we add bit length of the signature to make it gnupg compatible */
|
|
Packit Service |
087331 |
hdr->sig_size = __cpu_to_be16(len);
|
|
Packit Service |
087331 |
len += sizeof(*hdr);
|
|
Packit Service |
087331 |
log_info("evm/ima signature: %d bytes\n", len);
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
err:
|
|
Packit Service |
087331 |
if (len == -1) {
|
|
Packit Service |
087331 |
log_err("sign_hash_v2: signing failed: (%s) in %s\n",
|
|
Packit Service |
087331 |
ERR_reason_error_string(ERR_peek_error()), st);
|
|
Packit Service |
087331 |
output_openssl_errors();
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
EVP_PKEY_CTX_free(ctx);
|
|
Packit Service |
087331 |
EVP_PKEY_free(pkey);
|
|
Packit Service |
087331 |
return len;
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig)
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
if (keypass)
|
|
Packit Service |
087331 |
imaevm_params.keypass = keypass;
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
return imaevm_params.x509 ?
|
|
Packit Service |
087331 |
sign_hash_v2(hashalgo, hash, size, keyfile, sig) :
|
|
Packit Service |
087331 |
sign_hash_v1(hashalgo, hash, size, keyfile, sig);
|
|
Packit Service |
087331 |
}
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
static void libinit()
|
|
Packit Service |
087331 |
{
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
#if OPENSSL_VERSION_NUMBER < 0x10100000
|
|
Packit Service |
087331 |
OpenSSL_add_all_algorithms();
|
|
Packit Service |
087331 |
OPENSSL_add_all_algorithms_conf();
|
|
Packit Service |
087331 |
#else
|
|
Packit Service |
087331 |
|
|
Packit Service |
087331 |
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
|
|
Packit Service |
087331 |
OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
|
|
Packit Service |
087331 |
ERR_load_crypto_strings();
|
|
Packit Service |
087331 |
#endif
|
|
Packit Service |
087331 |
}
|