Release version 1.0

Signed-off-by: Dmitry Kasatkin <dmitry.kasatkin@huawei.com>

ChangeLog

@@ -1,3 +1,12 @@
+2014-07-30  Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
+
+	version 1.0
+	* Recursive hashing
+	* Immutable EVM signatures (experimental)
+	* Command 'ima_clear' to remove xattrs
+	* Support for passing password to the library
+	* Support for asking password safely from the user
+
 2014-09-23  Dmitry Kasatkin <d.kasatkin@samsung.com>
 
 	version 0.9

README

@@ -403,7 +403,7 @@ When using plain RSA public keys in PEM format, use 'evmctl import --rsa' for im
 
 Latest version of keyctl allows to import X509 public key certificates:
 
-    cat /etc/keys/x509_ima.der | keyctl padd asymmetric '' @ima_id
+    cat /etc/keys/x509_ima.der | keyctl padd asymmetric '' $ima_id
 
 
 FILES

configure.ac

@@ -1,7 +1,7 @@
 # autoconf script
 
 AC_PREREQ([2.65])
-AC_INIT(ima-evm-utils, 0.9, d.kasatkin@samsung.com)
+AC_INIT(ima-evm-utils, 1.0, dmitry.kasatkin@huawei.com)
 AM_INIT_AUTOMAKE
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])

packaging/ima-evm-utils.spec

@@ -1,5 +1,5 @@
 Name:		ima-evm-utils
-Version:	0.9
+Version:	1.0
 Release:	1%{?dist}
 Summary:	ima-evm-utils - IMA/EVM control utility
 Group:		System/Libraries

src/evmctl.c

@@ -54,6 +54,7 @@
 #include <getopt.h>
 #include <keyutils.h>
 #include <ctype.h>
+#include <termios.h>
 
 #include <openssl/sha.h>
 #include <openssl/pem.h>
@@ -107,6 +108,7 @@ static char *search_type;
 static int recursive;
 static int msize;
 static dev_t fs_dev;
+static bool evm_immutable;
 
 #define HMAC_FLAG_UUID			0x0001
 #define HMAC_FLAG_UUID_SET		0x0002
@@ -318,6 +320,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 		return -1;
 	}
 
+	if (!evm_immutable) {
 		if (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)) {
 			/* we cannot at the momement to get generation of special files..
 			 * kernel API does not support it */
@@ -333,8 +336,8 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 			}
 			close(fd);
 		}
-
 		log_info("generation: %u\n", generation);
+	}
 
 	list_size = llistxattr(file, list, sizeof(list));
 	if (list_size < 0) {
@@ -370,7 +373,14 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 
 	memset(&hmac_misc, 0, sizeof(hmac_misc));
 
-	if (msize == 0) {
+	if (evm_immutable) {
+		struct h_misc_digsig *hmac = (struct h_misc_digsig *)&hmac_misc;
+
+		hmac_size = sizeof(*hmac);
+		hmac->uid = st.st_uid;
+		hmac->gid = st.st_gid;
+		hmac->mode = st.st_mode;
+	} else if (msize == 0) {
 		struct h_misc *hmac = (struct h_misc *)&hmac_misc;
 
 		hmac_size = sizeof(*hmac);
@@ -408,7 +418,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
 		return 1;
 	}
 
-	if (hmac_flags & HMAC_FLAG_UUID) {
+	if (!evm_immutable && (hmac_flags & HMAC_FLAG_UUID)) {
 		err = get_uuid(&st, uuid);
 		if (err)
 			return -1;
@@ -439,7 +449,7 @@ static int sign_evm(const char *file, const char *key)
 	if (len <= 1)
 		return len;
 
-	len = sign_hash("sha1", hash, len, key, sig + 1);
+	len = sign_hash("sha1", hash, len, key, NULL, sig + 1);
 	if (len <= 1)
 		return len;
 
@@ -447,6 +457,9 @@ static int sign_evm(const char *file, const char *key)
 	len++;
 	sig[0] = EVM_IMA_XATTR_DIGSIG;
 
+	if (evm_immutable)
+		sig[1] = 3; /* immutable signature version */
+
 	if (sigdump || params.verbose >= LOG_INFO)
 		dump(sig, len);
 
@@ -499,19 +512,6 @@ static int hash_ima(const char *file)
 	return 0;
 }
 
-static int cmd_hash_ima(struct command *cmd)
-{
-	char *file = g_argv[optind++];
-
-	if (!file) {
-		log_err("Parameters missing\n");
-		print_usage(cmd);
-		return -1;
-	}
-
-	return hash_ima(file);
-}
-
 static int sign_ima(const char *file, const char *key)
 {
 	unsigned char hash[64];
@@ -522,7 +522,7 @@ static int sign_ima(const char *file, const char *key)
 	if (len <= 1)
 		return len;
 
-	len = sign_hash(params.hash_algo, hash, len, key, sig + 1);
+	len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1);
 	if (len <= 1)
 		return len;
 
@@ -577,9 +577,39 @@ static int get_file_type(const char *path, const char *search_type)
 	return dts;
 }
 
+static int do_cmd(struct command *cmd, find_cb_t func)
+{
+	char *path = g_argv[optind++];
+	int err, dts = REG_MASK; /* only regular files by default */
+
+	if (!path) {
+		log_err("Parameters missing\n");
+		print_usage(cmd);
+		return -1;
+	}
+
+	if (recursive) {
+		if (search_type) {
+			dts = get_file_type(path, search_type);
+			if (dts < 0)
+				return dts;
+		}
+		err = find(path, dts, func);
+	} else {
+		err = func(path);
+	}
+
+	return err;
+}
+
+static int cmd_hash_ima(struct command *cmd)
+{
+	return do_cmd(cmd, hash_ima);
+}
+
 static int sign_ima_file(const char *file)
 {
-	char *key;
+	const char *key;
 
 	key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
 
@@ -588,32 +618,13 @@ static int sign_ima_file(const char *file)
 
 static int cmd_sign_ima(struct command *cmd)
 {
-	char *file = g_argv[optind++];
+	return do_cmd(cmd, sign_ima_file);
-	int err, dts = REG_MASK; /* only regular files by default */
-
-	if (!file) {
-		log_err("Parameters missing\n");
-		print_usage(cmd);
-		return -1;
-	}
-
-	if (recursive) {
-		if (search_type) {
-			dts = get_file_type(file, search_type);
-			if (dts < 0)
-				return dts;
-		}
-		err = find(file, dts, sign_ima_file);
-	} else {
-		err = sign_ima_file(file);
-	}
-
-	return err;
 }
 
 static int cmd_sign_hash(struct command *cmd)
 {
-	char *key, *token, *line = NULL;
+	const char *key;
+	char *token, *line = NULL;
 	int hashlen = 0;
 	size_t line_len;
 	ssize_t len;
@@ -635,7 +646,7 @@ static int cmd_sign_hash(struct command *cmd)
 
 		hex2bin(hash, line, hashlen);
 		siglen = sign_hash(params.hash_algo, hash, hashlen/2,
-				 key, sig + 1);
+				 key, NULL, sig + 1);
 		if (siglen <= 1)
 			return siglen;
 
@@ -656,7 +667,7 @@ static int cmd_sign_hash(struct command *cmd)
 
 static int sign_evm_path(const char *file)
 {
-	char *key;
+	const char *key;
 	int err;
 
 	key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
@@ -678,27 +689,7 @@ static int sign_evm_path(const char *file)
 
 static int cmd_sign_evm(struct command *cmd)
 {
-	char *path = g_argv[optind++];
+	return do_cmd(cmd, sign_evm_path);
-	int err, dts = REG_MASK; /* only regular files by default */
-
-	if (!path) {
-		log_err("Parameters missing\n");
-		print_usage(cmd);
-		return -1;
-	}
-
-	if (recursive) {
-		if (search_type) {
-			dts = get_file_type(path, search_type);
-			if (dts < 0)
-				return dts;
-		}
-		err = find(path, dts, sign_evm_path);
-	} else {
-		err = sign_evm_path(path);
-	}
-
-	return err;
 }
 
 static int verify_evm(const char *file)
@@ -1012,7 +1003,7 @@ static int hmac_evm(const char *file, const char *key)
 
 static int cmd_hmac_evm(struct command *cmd)
 {
-	char *key, *file = g_argv[optind++];
+	const char *key, *file = g_argv[optind++];
 	int err;
 
 	if (!file) {
@@ -1129,29 +1120,22 @@ static int find(const char *path, int dts, find_cb_t func)
 
 static int cmd_ima_fix(struct command *cmd)
 {
-	char *path = g_argv[optind++];
+	return do_cmd(cmd, ima_fix);
-	int err, dts = REG_MASK; /* only regular files by default */
-
-	if (!path) {
-		log_err("Parameters missing\n");
-		print_usage(cmd);
-		return -1;
-	}
-
-	if (recursive) {
-		if (search_type) {
-			dts = get_file_type(path, search_type);
-			if (dts < 0)
-				return dts;
-		}
-		err = find(path, dts, ima_fix);
-	} else {
-		err = ima_fix(path);
-	}
-
-	return err;
 }
 
+static int ima_clear(const char *path)
+{
+	log_info("%s\n", path);
+	lremovexattr(path, "security.ima");
+	lremovexattr(path, "security.evm");
+
+	return 0;
+}
+
+static int cmd_ima_clear(struct command *cmd)
+{
+	return do_cmd(cmd, ima_clear);
+}
 
 static char *pcrs = "/sys/class/misc/tpm0/device/pcrs";
 
@@ -1485,14 +1469,15 @@ struct command cmds[] = {
 	{"--version", NULL, 0, ""},
 	{"help", cmd_help, 0, "<command>"},
 	{"import", cmd_import, 0, "[--rsa] pubkey keyring", "Import public key into the keyring.\n"},
-	{"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass password] file", "Sign file metadata.\n"},
+	{"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass [password] file", "Sign file metadata.\n"},
 	{"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"},
-	{"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass password] file", "Make file content signature.\n"},
+	{"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass [password] file", "Make file content signature.\n"},
 	{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
 	{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
 	{"ima_measurement", cmd_ima_measurement, 0, "file", "Verify measurement list (experimental).\n"},
 	{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
-	{"sign_hash", cmd_sign_hash, 0, "[--key key] [--pass password]", "Sign hashes from shaXsum output.\n"},
+	{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
+	{"sign_hash", cmd_sign_hash, 0, "[--key key] [--pass [password]", "Sign hashes from shaXsum output.\n"},
 #ifdef DEBUG
 	{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
 #endif
@@ -1504,7 +1489,7 @@ static struct option opts[] = {
 	{"imasig", 0, 0, 's'},
 	{"imahash", 0, 0, 'd'},
 	{"hashalgo", 1, 0, 'a'},
-	{"pass", 1, 0, 'p'},
+	{"pass", 2, 0, 'p'},
 	{"sigfile", 0, 0, 'f'},
 	{"uuid", 2, 0, 'u'},
 	{"rsa", 0, 0, '1'},
@@ -1519,6 +1504,40 @@ static struct option opts[] = {
 
 };
 
+static char *get_password(void)
+{
+	struct termios flags, tmp_flags;
+	char *password, *pwd;
+	int passlen = 64;
+
+	password = malloc(passlen);
+	if (!password) {
+		perror("malloc");
+		return NULL;
+	}
+
+	tcgetattr(fileno(stdin), &flags);
+	tmp_flags = flags;
+	tmp_flags.c_lflag &= ~ECHO;
+	tmp_flags.c_lflag |= ECHONL;
+
+	if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) {
+		perror("tcsetattr");
+		return NULL;
+	}
+
+	printf("PEM password: ");
+	pwd = fgets(password, passlen, stdin);
+
+	/* restore terminal */
+	if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) {
+		perror("tcsetattr");
+		return NULL;
+	}
+
+	return pwd;
+}
+
 int main(int argc, char *argv[])
 {
 	int err = 0, c, lind;
@@ -1527,7 +1546,7 @@ int main(int argc, char *argv[])
 	g_argc = argc;
 
 	while (1) {
-		c = getopt_long(argc, argv, "hvnsda:p:fu::k:t:r", opts, &lind);
+		c = getopt_long(argc, argv, "hvnsda:p::fu::k:t:ri", opts, &lind);
 		if (c == -1)
 			break;
 
@@ -1554,7 +1573,10 @@ int main(int argc, char *argv[])
 			params.hash_algo = optarg;
 			break;
 		case 'p':
+			if (optarg)
 				params.keypass = optarg;
+			else
+				params.keypass = get_password();
 			break;
 		case 'f':
 			sigfile = 1;
@@ -1573,6 +1595,9 @@ int main(int argc, char *argv[])
 		case 'k':
 			params.keyfile = optarg;
 			break;
+		case 'i':
+			evm_immutable = true;
+			break;
 		case 't':
 			search_type = optarg;
 			break;
@@ -1600,9 +1625,6 @@ int main(int argc, char *argv[])
 		}
 	}
 
-	OpenSSL_add_all_algorithms();
-	ERR_load_crypto_strings();
-
 	if (argv[optind] == NULL)
 		usage();
 	else
@@ -1623,6 +1645,6 @@ int main(int argc, char *argv[])
 
 	ERR_free_strings();
 	EVP_cleanup();
-
+	BIO_free(NULL);
 	return err;
 }

src/imaevm.h

@@ -108,6 +108,12 @@ struct h_misc_64 {
 	unsigned short mode;
 };
 
+struct h_misc_digsig {
+	uid_t uid;
+	gid_t gid;
+	unsigned short mode;
+};
+
 enum pubkey_algo {
 	PUBKEY_ALGO_RSA,
 	PUBKEY_ALGO_MAX,
@@ -172,8 +178,8 @@ struct libevm_params {
 	int verbose;
 	int x509;
 	const char *hash_algo;
-	char *keyfile;
+	const char *keyfile;
-	char *keypass;
+	const char *keypass;
 };
 
 struct RSA_ASN1_template {
@@ -195,7 +201,7 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
 void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key);
 int key2bin(RSA *key, unsigned char *pub);
 
-int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig);
+int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig);
 int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen);
 int ima_verify_signature(const char *file, unsigned char *sig, int siglen);
 

src/libimaevm.c

@@ -53,6 +53,7 @@
 #include <openssl/pem.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
+#include <openssl/err.h>
 
 #include "imaevm.h"
 
@@ -130,6 +131,8 @@ struct libevm_params params = {
 	.hash_algo = "sha1",
 };
 
+static void __attribute__ ((constructor)) libinit(void);
+
 void do_dump(FILE *fp, const void *ptr, int len, bool cr)
 {
 	int i;
@@ -488,7 +491,7 @@ static int get_hash_algo_from_sig(unsigned char *sig)
 
 int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen)
 {
-	char *key;
+	const char *key;
 	int x509;
 	verify_hash_fn_t verify_hash;
 
@@ -608,7 +611,7 @@ void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
 	free(pkey);
 }
 
-static RSA *read_priv_key(const char *keyfile, char *keypass)
+static RSA *read_priv_key(const char *keyfile, const char *keypass)
 {
 	FILE *fp;
 	RSA *key;
@@ -618,9 +621,14 @@ static RSA *read_priv_key(const char *keyfile, char *keypass)
 		log_err("Failed to open keyfile: %s\n", keyfile);
 		return NULL;
 	}
-	key = PEM_read_RSAPrivateKey(fp, NULL, NULL, keypass);
+	ERR_load_crypto_strings();
-	if (!key)
+	key = PEM_read_RSAPrivateKey(fp, NULL, NULL, (void *)keypass);
-		log_err("PEM_read_RSAPrivateKey() failed\n");
+	if (!key) {
+		char str[256];
+
+		ERR_error_string(ERR_get_error(), str);
+		log_err("PEM_read_RSAPrivateKey() failed: %s\n", str);
+	}
 
 	fclose(fp);
 	return key;
@@ -786,8 +794,18 @@ out:
 	return len;
 }
 
-int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig)
+
+int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig)
 {
+	if (keypass)
+		params.keypass = keypass;
+
 	return params.x509 ? sign_hash_v2(hashalgo, hash, size, keyfile, sig) :
 			     sign_hash_v1(hashalgo, hash, size, keyfile, sig);
 }
+
+static void libinit()
+{
+	OpenSSL_add_all_algorithms();
+	ERR_load_crypto_strings();
+}