dh/ima-evm-utils-mirror
1
0
Fork 0
mirror of https://git.code.sf.net/p/linux-ima/ima-evm-utils synced 2025-07-04 06:25:15 +02:00
Code Releases Activity

Compare commits

base: dh:v1.2
Branches Tags
dh:master dh:next dh:next-testing dh:ima-evm-utils-1.3.1-y dh:ima-evm-utils-1.2.y
dh:v1.5 dh:v1.4 dh:v1.3.2 dh:v1.3.1 dh:v1.3 dh:v1.2.1 dh:v1.2 dh:v1.1 dh:v1.0 dh:v0.9 dh:v0.8 dh:v0.7 dh:v0.6 dh:v0.5 dh:v0.4 dh:v0.1.0 dh:v0.2 dh:v0.3 dh:v0.1.1
...
compare: dh:ima-evm-utils-1.2.y
Branches Tags
dh:next dh:next-testing dh:master dh:ima-evm-utils-1.3.1-y dh:ima-evm-utils-1.2.y
dh:v1.5 dh:v1.4 dh:v1.3.2 dh:v1.3.1 dh:v1.3 dh:v1.2.1 dh:v1.2 dh:v1.1 dh:v1.0 dh:v0.9 dh:v0.8 dh:v0.7 dh:v0.6 dh:v0.5 dh:v0.4 dh:v0.1.0 dh:v0.2 dh:v0.3 dh:v0.1.1

6 Commits
v1.2 ... ima-evm-ut

Author SHA1 Message Date
Mimi Zohar
3eab1f93b6 ima-evm-utils: Release version 1.2.1 
This release contains a few bug fixes:
autoconf, keys for v1 signature verification, return code error, and
openssl version.

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
 2019-07-30 15:19:00 -04:00
Vitaly Chikunov
90176e835a ima-evm-utils: Do not load keys from x509 certs if user pass --rsa 
If user wants to verify v1 signature and specify RSA public key in `-k'
option, this key will be attempted to be loaded as x509 certificate and
this process will output errors.

Do not load a key as a x509 cert if user pass `--rsa'.

This is not perfect solution. As now it's possible to specify `-k' and
`--rsa' and v2 signatures will not verify, because of no keys.

This improvement is not added into ima_measurement().

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
 2019-07-30 13:32:28 -04:00
Vitaly Chikunov
2b491be5e2 ima-evm-utils: Fix ima_verify return value on multiple files 
If any tested file results in failure produce failure exit code.
Previously exit code affected only by the last file tested.

Fixes: "Allow multiple files in ima_verify"
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
 2019-07-30 07:33:56 -04:00
Mimi Zohar
bd8b503206 ima-evm-utils: limit OPENSSL_init_crypto calls 
OPENSSL_init_crypto() was introduced in version 1.1.  When using an
older version of openssl, don't call OPENSSL_init_crypto.  Partially
revert commit 782224f33c ("ima-evm-utils: Rework openssl init").

Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
 2019-07-30 07:15:18 -04:00
Vitaly Chikunov
d8e7d63feb ima-evm-utils: Fix ima_verify for v1 signatures 
Use user supplied key in verify_hash for DIGSIG_VERSION_1.
Otherwise v1 signatures don't pass verification.

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
 2019-07-30 07:15:10 -04:00
Bruno E. O. Meneguele
e1bd9c9887 ima-evm-utils: fix trailing chars from configure script 
Two chars were left in a AC_DEFINE() in configure.ac, leading to an error
message during ./configure call:

checking for tsspcrread... yes
./configure: line 9894: ],: command not found

Signed-off-by: Bruno E. O. Meneguele <bmeneg@redhat.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
 2019-07-30 07:14:18 -04:00
4 changed files with 30 additions and 13 deletions
Expand all files Collapse all files

4
configure.ac
View File

@ -1,7 +1,7 @@
# autoconf script # autoconf script
AC_PREREQ([2.65]) AC_PREREQ([2.65])
AC_INIT(ima-evm-utils, 1.2, zohar@linux.ibm.com) AC_INIT(ima-evm-utils, 1.2.1, zohar@linux.ibm.com)
AM_INIT_AUTOMAKE AM_INIT_AUTOMAKE
AC_CONFIG_HEADERS([config.h]) AC_CONFIG_HEADERS([config.h])
AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_MACRO_DIR([m4])
@ -32,7 +32,7 @@ AC_CHECK_HEADERS(openssl/conf.h)
AC_CHECK_PROG(TSSPCRREAD, [tsspcrread], yes, no) AC_CHECK_PROG(TSSPCRREAD, [tsspcrread], yes, no)
if test "x$TSSPCRREAD" = "xyes"; then if test "x$TSSPCRREAD" = "xyes"; then
AC_DEFINE(HAVE_TSSPCRREAD, 1, [Define to 1 if you have tsspcrread binary installed])], AC_DEFINE(HAVE_TSSPCRREAD, 1, [Define to 1 if you have tsspcrread binary installed])
fi fi
AC_CHECK_HEADERS(sys/xattr.h, , [AC_MSG_ERROR([sys/xattr.h header not found. You need the c-library development package.])]) AC_CHECK_HEADERS(sys/xattr.h, , [AC_MSG_ERROR([sys/xattr.h header not found. You need the c-library development package.])])

2
packaging/ima-evm-utils.spec
View File

@ -1,5 +1,5 @@
Name: ima-evm-utils Name: ima-evm-utils
Version: 1.2 Version: 1.2.1
Release: 1%{?dist} Release: 1%{?dist}
Summary: ima-evm-utils - IMA/EVM control utility Summary: ima-evm-utils - IMA/EVM control utility
Group: System/Libraries Group: System/Libraries

12
src/evmctl.c
View File

@ -843,10 +843,12 @@ static int cmd_verify_evm(struct command *cmd)
return -1; return -1;
} }
if (imaevm_params.x509) {
if (imaevm_params.keyfile) /* Support multiple public keys */ if (imaevm_params.keyfile) /* Support multiple public keys */
init_public_keys(imaevm_params.keyfile); init_public_keys(imaevm_params.keyfile);
else /* assume read pubkey from x509 cert */ else /* assume read pubkey from x509 cert */
init_public_keys("/etc/keys/x509_evm.der"); init_public_keys("/etc/keys/x509_evm.der");
}
err = verify_evm(file); err = verify_evm(file);
if (!err && imaevm_params.verbose >= LOG_INFO) if (!err && imaevm_params.verbose >= LOG_INFO)
@ -887,12 +889,14 @@ static int verify_ima(const char *file)
static int cmd_verify_ima(struct command *cmd) static int cmd_verify_ima(struct command *cmd)
{ {
char *file = g_argv[optind++]; char *file = g_argv[optind++];
int err; int err, fails = 0;
if (imaevm_params.x509) {
if (imaevm_params.keyfile) /* Support multiple public keys */ if (imaevm_params.keyfile) /* Support multiple public keys */
init_public_keys(imaevm_params.keyfile); init_public_keys(imaevm_params.keyfile);
else /* assume read pubkey from x509 cert */ else /* assume read pubkey from x509 cert */
init_public_keys("/etc/keys/x509_evm.der"); init_public_keys("/etc/keys/x509_evm.der");
}
errno = 0; errno = 0;
if (!file) { if (!file) {
@ -903,10 +907,12 @@ static int cmd_verify_ima(struct command *cmd)
do { do {
err = verify_ima(file); err = verify_ima(file);
if (err)
fails++;
if (!err && imaevm_params.verbose >= LOG_INFO) if (!err && imaevm_params.verbose >= LOG_INFO)
log_info("%s: verification is OK\n", file); log_info("%s: verification is OK\n", file);
} while ((file = g_argv[optind++])); } while ((file = g_argv[optind++]));
return err; return fails > 0;
} }
static int cmd_convert(struct command *cmd) static int cmd_convert(struct command *cmd)
@ -1943,11 +1949,13 @@ int main(int argc, char *argv[])
int err = 0, c, lind; int err = 0, c, lind;
ENGINE *eng = NULL; ENGINE *eng = NULL;
#if !(OPENSSL_VERSION_NUMBER < 0x10100000)
OPENSSL_init_crypto( OPENSSL_init_crypto(
#ifndef DISABLE_OPENSSL_CONF #ifndef DISABLE_OPENSSL_CONF
OPENSSL_INIT_LOAD_CONFIG | OPENSSL_INIT_LOAD_CONFIG |
#endif #endif
OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL); OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
#endif
g_argv = argv; g_argv = argv;
g_argc = argc; g_argc = argc;

9
src/libimaevm.c
View File

@ -612,6 +612,8 @@ int verify_hash(const char *file, const unsigned char *hash, int size, unsigned
/* Read pubkey from RSA key */ /* Read pubkey from RSA key */
if (!imaevm_params.keyfile) if (!imaevm_params.keyfile)
key = "/etc/keys/pubkey_evm.pem"; key = "/etc/keys/pubkey_evm.pem";
else
key = imaevm_params.keyfile;
return verify_hash_v1(file, hash, size, sig, siglen, key); return verify_hash_v1(file, hash, size, sig, siglen, key);
} else if (sig[0] == DIGSIG_VERSION_2) { } else if (sig[0] == DIGSIG_VERSION_2) {
return verify_hash_v2(file, hash, size, sig, siglen); return verify_hash_v2(file, hash, size, sig, siglen);
@ -977,7 +979,14 @@ int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const c
static void libinit() static void libinit()
{ {
#if OPENSSL_VERSION_NUMBER < 0x10100000
OpenSSL_add_all_algorithms();
OPENSSL_add_all_algorithms_conf();
#else
OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
OPENSSL_INIT_ADD_ALL_DIGESTS, NULL); OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
ERR_load_crypto_strings(); ERR_load_crypto_strings();
#endif
} }