dh/ima-evm-utils
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Compare commits

base: dh:master
Branches Tags
dh:master
dh:openssl1.1
dh:next
dh:v1.0
dh:v0.9
dh:v0.8
dh:v0.7
dh:v0.6
dh:v0.5
dh:v0.4
dh:v0.3
dh:v0.1.1
dh:v0.2
dh:v0.1.0
..
compare: dh:v0.9
Branches Tags
dh:openssl1.1
dh:next
dh:master
dh:v1.0
dh:v0.9
dh:v0.8
dh:v0.7
dh:v0.6
dh:v0.5
dh:v0.4
dh:v0.3
dh:v0.1.1
dh:v0.2
dh:v0.1.0

No commits in common. "master" and "v0.9" have entirely different histories.
master ... v0.9

8 changed files with 160 additions and 327 deletions
Show Stats Expand all files Collapse all files

9
ChangeLog
View File

@ -1,12 +1,3 @@
2014-07-30 Dmitry Kasatkin <dmitry.kasatkin@huawei.com>
version 1.0
* Recursive hashing
* Immutable EVM signatures (experimental)
* Command 'ima_clear' to remove xattrs
* Support for passing password to the library
* Support for asking password safely from the user
2014-09-23 Dmitry Kasatkin <d.kasatkin@samsung.com>
version 0.9

4
README
View File

@ -142,7 +142,7 @@ EVM encrypted key is used for EVM HMAC calculation:
keyctl pipe `keyctl search @u user kmk` > /etc/keys/kmk
# create the EVM encrypted key
keyctl add encrypted evm-key "new user:kmk 64" @u
keyctl add encrypted evm-key "new user:kmk 32" @u
keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-key
@ -403,7 +403,7 @@ When using plain RSA public keys in PEM format, use 'evmctl import --rsa' for im
Latest version of keyctl allows to import X509 public key certificates:
cat /etc/keys/x509_ima.der | keyctl padd asymmetric '' $ima_id
cat /etc/keys/x509_ima.der | keyctl padd asymmetric '' @ima_id
FILES

4
build-static.sh
View File

@ -1,4 +0,0 @@
#!/bin/sh
gcc -static -o evmctl.static -include config.h src/evmctl.c src/libimaevm.c -lcrypto -lkeyutils -ldl

2
configure.ac
View File

@ -1,7 +1,7 @@
# autoconf script
AC_PREREQ([2.65])
AC_INIT(ima-evm-utils, 1.0, dmitry.kasatkin@huawei.com)
AC_INIT(ima-evm-utils, 0.9, d.kasatkin@samsung.com)
AM_INIT_AUTOMAKE
AC_CONFIG_HEADERS([config.h])
AC_CONFIG_MACRO_DIR([m4])

2
packaging/ima-evm-utils.spec
View File

@ -1,5 +1,5 @@
Name: ima-evm-utils
Version: 1.0
Version: 0.9
Release: 1%{?dist}
Summary: ima-evm-utils - IMA/EVM control utility
Group: System/Libraries

368
src/evmctl.c
View File

@ -54,7 +54,6 @@
#include <getopt.h>
#include <keyutils.h>
#include <ctype.h>
#include <termios.h>
#include <openssl/sha.h>
#include <openssl/pem.h>
@ -104,24 +103,14 @@ static int digest;
static int digsig;
static int sigfile;
static char *uuid_str;
static char *ino_str;
static char *uid_str;
static char *gid_str;
static char *mode_str;
static char *generation_str;
static char *caps_str;
static char *ima_str;
static char *selinux_str;
static char *search_type;
static int recursive;
static int msize;
static dev_t fs_dev;
static bool evm_immutable;
#define HMAC_FLAG_NO_UUID 0x0001
#define HMAC_FLAG_CAPS_SET 0x0002
static unsigned long hmac_flags;
#define HMAC_FLAG_UUID 0x0001
#define HMAC_FLAG_UUID_SET 0x0002
static unsigned long hmac_flags = HMAC_FLAG_UUID;
typedef int (*find_cb_t)(const char *path);
static int find(const char *path, int dts, find_cb_t func);
@ -209,7 +198,7 @@ static int hex_to_bin(char ch)
return -1;
}
static int hex2bin(void *dst, const char *src, size_t count)
static int hex2bin(uint8_t *dst, const char *src, size_t count)
{
int hi, lo;
@ -223,7 +212,7 @@ static int hex2bin(void *dst, const char *src, size_t count)
if ((hi < 0) || (lo < 0))
return -1;
*(uint8_t *)dst++ = (hi << 4) | lo;
*dst++ = (hi << 4) | lo;
}
return 0;
}
@ -284,7 +273,7 @@ static int get_uuid(struct stat *st, char *uuid)
FILE *fp;
size_t len;
if (uuid_str)
if (hmac_flags & HMAC_FLAG_UUID_SET)
return pack_uuid(uuid_str, uuid);
dev = st->st_dev;
@ -329,21 +318,9 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
return -1;
}
if (generation_str)
generation = strtoul(generation_str, NULL, 10);
if (ino_str)
st.st_ino = strtoul(ino_str, NULL, 10);
if (uid_str)
st.st_uid = strtoul(uid_str, NULL, 10);
if (gid_str)
st.st_gid = strtoul(gid_str, NULL, 10);
if (mode_str)
st.st_mode = strtoul(mode_str, NULL, 10);
if (!evm_immutable) {
if ((S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)) && !generation_str) {
/* we cannot at the momement to get generation of
special files kernel API does not support it */
if (S_ISREG(st.st_mode) || S_ISDIR(st.st_mode)) {
/* we cannot at the momement to get generation of special files..
* kernel API does not support it */
int fd = open(file, 0);
if (fd < 0) {
@ -352,13 +329,12 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
}
if (ioctl(fd, FS_IOC_GETVERSION, &generation)) {
log_err("ioctl() failed\n");
close(fd);
return -1;
}
close(fd);
}
log_info("generation: %u\n", generation);
}
list_size = llistxattr(file, list, sizeof(list));
if (list_size < 0) {
@ -373,18 +349,6 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
}
for (xattrname = evm_config_xattrnames; *xattrname != NULL; xattrname++) {
if (!strcmp(*xattrname, XATTR_NAME_SELINUX) && selinux_str) {
strcpy(xattr_value, selinux_str);
err = strlen(selinux_str) + 1;
} else if (!strcmp(*xattrname, XATTR_NAME_IMA) && ima_str) {
hex2bin(xattr_value, ima_str, strlen(ima_str) / 2);
err = strlen(ima_str) / 2;
} else if (!strcmp(*xattrname, XATTR_NAME_CAPS) && (hmac_flags & HMAC_FLAG_CAPS_SET)) {
if (!caps_str)
continue;
strcpy(xattr_value, caps_str);
err = strlen(caps_str);
} else {
err = lgetxattr(file, *xattrname, xattr_value, sizeof(xattr_value));
if (err < 0) {
log_info("no xattr: %s\n", *xattrname);
@ -394,7 +358,6 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
log_info("skipping xattr: %s\n", *xattrname);
continue;
}
}
/*log_debug("name: %s, value: %s, size: %d\n", *xattrname, xattr_value, err);*/
log_info("name: %s, size: %d\n", *xattrname, err);
log_debug_dump(xattr_value, err);
@ -407,14 +370,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
memset(&hmac_misc, 0, sizeof(hmac_misc));
if (evm_immutable) {
struct h_misc_digsig *hmac = (struct h_misc_digsig *)&hmac_misc;
hmac_size = sizeof(*hmac);
hmac->uid = st.st_uid;
hmac->gid = st.st_gid;
hmac->mode = st.st_mode;
} else if (msize == 0) {
if (msize == 0) {
struct h_misc *hmac = (struct h_misc *)&hmac_misc;
hmac_size = sizeof(*hmac);
@ -452,7 +408,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash)
return 1;
}
if (!evm_immutable && !(hmac_flags & HMAC_FLAG_NO_UUID)) {
if (hmac_flags & HMAC_FLAG_UUID) {
err = get_uuid(&st, uuid);
if (err)
return -1;
@ -483,7 +439,7 @@ static int sign_evm(const char *file, const char *key)
if (len <= 1)
return len;
len = sign_hash("sha1", hash, len, key, NULL, sig + 1);
len = sign_hash("sha1", hash, len, key, sig + 1);
if (len <= 1)
return len;
@ -491,9 +447,6 @@ static int sign_evm(const char *file, const char *key)
len++;
sig[0] = EVM_IMA_XATTR_DIGSIG;
if (evm_immutable)
sig[1] = 3; /* immutable signature version */
if (sigdump || params.verbose >= LOG_INFO)
dump(sig, len);
@ -546,6 +499,19 @@ static int hash_ima(const char *file)
return 0;
}
static int cmd_hash_ima(struct command *cmd)
{
char *file = g_argv[optind++];
if (!file) {
log_err("Parameters missing\n");
print_usage(cmd);
return -1;
}
return hash_ima(file);
}
static int sign_ima(const char *file, const char *key)
{
unsigned char hash[64];
@ -556,7 +522,7 @@ static int sign_ima(const char *file, const char *key)
if (len <= 1)
return len;
len = sign_hash(params.hash_algo, hash, len, key, NULL, sig + 1);
len = sign_hash(params.hash_algo, hash, len, key, sig + 1);
if (len <= 1)
return len;
@ -611,39 +577,9 @@ static int get_file_type(const char *path, const char *search_type)
return dts;
}
static int do_cmd(struct command *cmd, find_cb_t func)
{
char *path = g_argv[optind++];
int err, dts = REG_MASK; /* only regular files by default */
if (!path) {
log_err("Parameters missing\n");
print_usage(cmd);
return -1;
}
if (recursive) {
if (search_type) {
dts = get_file_type(path, search_type);
if (dts < 0)
return dts;
}
err = find(path, dts, func);
} else {
err = func(path);
}
return err;
}
static int cmd_hash_ima(struct command *cmd)
{
return do_cmd(cmd, hash_ima);
}
static int sign_ima_file(const char *file)
{
const char *key;
char *key;
key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
@ -652,13 +588,32 @@ static int sign_ima_file(const char *file)
static int cmd_sign_ima(struct command *cmd)
{
return do_cmd(cmd, sign_ima_file);
char *file = g_argv[optind++];
int err, dts = REG_MASK; /* only regular files by default */
if (!file) {
log_err("Parameters missing\n");
print_usage(cmd);
return -1;
}
if (recursive) {
if (search_type) {
dts = get_file_type(file, search_type);
if (dts < 0)
return dts;
}
err = find(file, dts, sign_ima_file);
} else {
err = sign_ima_file(file);
}
return err;
}
static int cmd_sign_hash(struct command *cmd)
{
const char *key;
char *token, *line = NULL;
char *key, *token, *line = NULL;
int hashlen = 0;
size_t line_len;
ssize_t len;
@ -680,7 +635,7 @@ static int cmd_sign_hash(struct command *cmd)
hex2bin(hash, line, hashlen);
siglen = sign_hash(params.hash_algo, hash, hashlen/2,
key, NULL, sig + 1);
key, sig + 1);
if (siglen <= 1)
return siglen;
@ -701,7 +656,7 @@ static int cmd_sign_hash(struct command *cmd)
static int sign_evm_path(const char *file)
{
const char *key;
char *key;
int err;
key = params.keyfile ? : "/etc/keys/privkey_evm.pem";
@ -723,7 +678,27 @@ static int sign_evm_path(const char *file)
static int cmd_sign_evm(struct command *cmd)
{
return do_cmd(cmd, sign_evm_path);
char *path = g_argv[optind++];
int err, dts = REG_MASK; /* only regular files by default */
if (!path) {
log_err("Parameters missing\n");
print_usage(cmd);
return -1;
}
if (recursive) {
if (search_type) {
dts = get_file_type(path, search_type);
if (dts < 0)
return dts;
}
err = find(path, dts, sign_evm_path);
} else {
err = sign_evm_path(path);
}
return err;
}
static int verify_evm(const char *file)
@ -768,12 +743,7 @@ static int verify_ima(const char *file)
unsigned char sig[1024];
int len;
if (sigfile) {
void *tmp = file2bin(file, "sig", &len);
memcpy(sig, tmp, len);
free(tmp);
} else {
if (xattr) {
len = lgetxattr(file, "security.ima", sig, sizeof(sig));
if (len < 0) {
log_err("getxattr failed: %s\n", file);
@ -781,6 +751,13 @@ static int verify_ima(const char *file)
}
}
if (sigfile) {
void *tmp = file2bin(file, "sig", &len);
memcpy(sig, tmp, len);
free(tmp);
}
return ima_verify_signature(file, sig, len);
}
@ -797,38 +774,6 @@ static int cmd_verify_ima(struct command *cmd)
return verify_ima(file);
}
static int cmd_convert(struct command *cmd)
{
char *inkey;
unsigned char _pub[1024], *pub = _pub;
int len, err = 0;
char name[20];
uint8_t keyid[8];
RSA *key;
params.x509 = 0;
inkey = g_argv[optind++];
if (!inkey) {
inkey = params.x509 ? "/etc/keys/x509_evm.der" :
"/etc/keys/pubkey_evm.pem";
}
key = read_pub_key(inkey, params.x509);
if (!key)
return 1;
len = key2bin(key, pub);
calc_keyid_v1(keyid, name, pub, len);
bin2file(inkey, "bin", pub, len);
bin2file(inkey, "keyid", (const unsigned char *)name, strlen(name));
RSA_free(key);
return err;
}
static int cmd_import(struct command *cmd)
{
char *inkey, *ring = NULL;
@ -951,7 +896,6 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h
}
if (ioctl(fd, FS_IOC_GETVERSION, &generation)) {
log_err("ioctl() failed\n");
close(fd);
goto out;
}
close(fd);
@ -1068,7 +1012,7 @@ static int hmac_evm(const char *file, const char *key)
static int cmd_hmac_evm(struct command *cmd)
{
const char *key, *file = g_argv[optind++];
char *key, *file = g_argv[optind++];
int err;
if (!file) {
@ -1185,30 +1129,36 @@ static int find(const char *path, int dts, find_cb_t func)
static int cmd_ima_fix(struct command *cmd)
{
return do_cmd(cmd, ima_fix);
char *path = g_argv[optind++];
int err, dts = REG_MASK; /* only regular files by default */
if (!path) {
log_err("Parameters missing\n");
print_usage(cmd);
return -1;
}
static int ima_clear(const char *path)
{
log_info("%s\n", path);
lremovexattr(path, "security.ima");
lremovexattr(path, "security.evm");
return 0;
if (recursive) {
if (search_type) {
dts = get_file_type(path, search_type);
if (dts < 0)
return dts;
}
err = find(path, dts, ima_fix);
} else {
err = ima_fix(path);
}
static int cmd_ima_clear(struct command *cmd)
{
return do_cmd(cmd, ima_clear);
return err;
}
static char *pcrs = "/sys/class/misc/tpm0/device/pcrs";
static int tpm_pcr_read(int idx, uint8_t *pcr, int len)
{
FILE *fp;
char *p, pcr_str[7], buf[70]; /* length of the TPM string */
int result = -1;
sprintf(pcr_str, "PCR-%d", idx);
@ -1224,12 +1174,11 @@ static int tpm_pcr_read(int idx, uint8_t *pcr, int len)
break;
if (!strncmp(p, pcr_str, 6)) {
hex2bin(pcr, p + 7, len);
result = 0;
break;
return 0;
}
}
fclose(fp);
return result;
return -1;
}
#define TCG_EVENT_NAME_LEN_MAX 255
@ -1527,14 +1476,6 @@ static void usage(void)
" --smack use extra SMACK xattrs for EVM\n"
" --m32 force EVM hmac/signature for 32 bit target system\n"
" --m64 force EVM hmac/signature for 64 bit target system\n"
" --ino use custom inode for EVM\n"
" --uid use custom UID for EVM\n"
" --gid use custom GID for EVM\n"
" --mode use custom Mode for EVM\n"
" --generation use custom Generation for EVM(unspecified: from FS, empty: use 0)\n"
" --ima use custom IMA signature for EVM\n"
" --selinux use custom Selinux label for EVM\n"
" --caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"
" -v increase verbosity level\n"
" -h, --help display this help and exit\n"
"\n");
@ -1544,16 +1485,14 @@ struct command cmds[] = {
{"--version", NULL, 0, ""},
{"help", cmd_help, 0, "<command>"},
{"import", cmd_import, 0, "[--rsa] pubkey keyring", "Import public key into the keyring.\n"},
{"convert", cmd_convert, 0, "key", "convert public key into the keyring.\n"},
{"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass [password] file", "Sign file metadata.\n"},
{"sign", cmd_sign_evm, 0, "[-r] [--imahash | --imasig ] [--key key] [--pass password] file", "Sign file metadata.\n"},
{"verify", cmd_verify_evm, 0, "file", "Verify EVM signature (for debugging).\n"},
{"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass [password] file", "Make file content signature.\n"},
{"ima_sign", cmd_sign_ima, 0, "[--sigfile] [--key key] [--pass password] file", "Make file content signature.\n"},
{"ima_verify", cmd_verify_ima, 0, "file", "Verify IMA signature (for debugging).\n"},
{"ima_hash", cmd_hash_ima, 0, "file", "Make file content hash.\n"},
{"ima_measurement", cmd_ima_measurement, 0, "file", "Verify measurement list (experimental).\n"},
{"ima_fix", cmd_ima_fix, 0, "[-t fdsxm] path", "Recursively fix IMA/EVM xattrs in fix mode.\n"},
{"ima_clear", cmd_ima_clear, 0, "[-t fdsxm] path", "Recursively remove IMA/EVM xattrs.\n"},
{"sign_hash", cmd_sign_hash, 0, "[--key key] [--pass [password]", "Sign hashes from shaXsum output.\n"},
{"sign_hash", cmd_sign_hash, 0, "[--key key] [--pass password]", "Sign hashes from shaXsum output.\n"},
#ifdef DEBUG
{"hmac", cmd_hmac_evm, 0, "[--imahash | --imasig ] file", "Sign file metadata with HMAC using symmetric key (for testing purpose).\n"},
#endif
@ -1565,7 +1504,7 @@ static struct option opts[] = {
{"imasig", 0, 0, 's'},
{"imahash", 0, 0, 'd'},
{"hashalgo", 1, 0, 'a'},
{"pass", 2, 0, 'p'},
{"pass", 1, 0, 'p'},
{"sigfile", 0, 0, 'f'},
{"uuid", 2, 0, 'u'},
{"rsa", 0, 0, '1'},
@ -1574,54 +1513,12 @@ static struct option opts[] = {
{"recursive", 0, 0, 'r'},
{"m32", 0, 0, '3'},
{"m64", 0, 0, '6'},
{"smack", 0, 0, 128},
{"version", 0, 0, 129},
{"inode", 1, 0, 130},
{"uid", 1, 0, 131},
{"gid", 1, 0, 132},
{"mode", 1, 0, 133},
{"generation", 1, 0, 134},
{"ima", 1, 0, 135},
{"selinux", 1, 0, 136},
{"caps", 2, 0, 137},
{"smack", 0, 0, 256},
{"version", 0, 0, 257},
{}
};
static char *get_password(void)
{
struct termios flags, tmp_flags;
char *password, *pwd;
int passlen = 64;
password = malloc(passlen);
if (!password) {
perror("malloc");
return NULL;
}
tcgetattr(fileno(stdin), &flags);
tmp_flags = flags;
tmp_flags.c_lflag &= ~ECHO;
tmp_flags.c_lflag |= ECHONL;
if (tcsetattr(fileno(stdin), TCSANOW, &tmp_flags) != 0) {
perror("tcsetattr");
return NULL;
}
printf("PEM password: ");
pwd = fgets(password, passlen, stdin);
/* restore terminal */
if (tcsetattr(fileno(stdin), TCSANOW, &flags) != 0) {
perror("tcsetattr");
return NULL;
}
return pwd;
}
int main(int argc, char *argv[])
{
int err = 0, c, lind;
@ -1630,7 +1527,7 @@ int main(int argc, char *argv[])
g_argc = argc;
while (1) {
c = getopt_long(argc, argv, "hvnsda:p::fu::k:t:ri", opts, &lind);
c = getopt_long(argc, argv, "hvnsda:p:fu::k:t:r", opts, &lind);
if (c == -1)
break;
@ -1657,18 +1554,18 @@ int main(int argc, char *argv[])
params.hash_algo = optarg;
break;
case 'p':
if (optarg)
params.keypass = optarg;
else
params.keypass = get_password();
break;
case 'f':
sigfile = 1;
xattr = 0;
break;
case 'u':
uuid_str = optarg;
if (!uuid_str)
hmac_flags |= HMAC_FLAG_NO_UUID;
if (uuid_str)
hmac_flags |= HMAC_FLAG_UUID_SET;
else
hmac_flags &= ~HMAC_FLAG_UUID;
break;
case '1':
params.x509 = 0;
@ -1676,9 +1573,6 @@ int main(int argc, char *argv[])
case 'k':
params.keyfile = optarg;
break;
case 'i':
evm_immutable = true;
break;
case 't':
search_type = optarg;
break;
@ -1691,38 +1585,13 @@ int main(int argc, char *argv[])
case '6':
msize = 64;
break;
case 128:
case 256:
evm_config_xattrnames = evm_extra_smack_xattrs;
break;
case 129:
case 257:
printf("evmctl %s\n", VERSION);
exit(0);
break;
case 130:
ino_str = optarg;
break;
case 131:
uid_str = optarg;
break;
case 132:
gid_str = optarg;
break;
case 133:
mode_str = optarg;
break;
case 134:
generation_str = optarg;
break;
case 135:
ima_str = optarg;
break;
case 136:
selinux_str = optarg;
break;
case 137:
caps_str = optarg;
hmac_flags |= HMAC_FLAG_CAPS_SET;
break;
case '?':
exit(1);
break;
@ -1731,6 +1600,9 @@ int main(int argc, char *argv[])
}
}
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
if (argv[optind] == NULL)
usage();
else
@ -1751,6 +1623,6 @@ int main(int argc, char *argv[])
ERR_free_strings();
EVP_cleanup();
BIO_free(NULL);
return err;
}

12
src/imaevm.h
View File

@ -108,12 +108,6 @@ struct h_misc_64 {
unsigned short mode;
};
struct h_misc_digsig {
uid_t uid;
gid_t gid;
unsigned short mode;
};
enum pubkey_algo {
PUBKEY_ALGO_RSA,
PUBKEY_ALGO_MAX,
@ -178,8 +172,8 @@ struct libevm_params {
int verbose;
int x509;
const char *hash_algo;
const char *keyfile;
const char *keypass;
char *keyfile;
char *keypass;
};
struct RSA_ASN1_template {
@ -201,7 +195,7 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key);
int key2bin(RSA *key, unsigned char *pub);
int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig);
int sign_hash(const char *algo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig);
int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen);
int ima_verify_signature(const char *file, unsigned char *sig, int siglen);

42
src/libimaevm.c
View File

@ -53,7 +53,6 @@
#include <openssl/pem.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/err.h>
#include "imaevm.h"
@ -131,8 +130,6 @@ struct libevm_params params = {
.hash_algo = "sha1",
};
static void __attribute__ ((constructor)) libinit(void);
void do_dump(FILE *fp, const void *ptr, int len, bool cr)
{
int i;
@ -214,7 +211,6 @@ static int add_dir_hash(const char *file, EVP_MD_CTX *ctx)
DIR *dir;
unsigned long long ino, off;
unsigned int type;
int result = 0;
dir = opendir(file);
if (!dir) {
@ -234,14 +230,13 @@ static int add_dir_hash(const char *file, EVP_MD_CTX *ctx)
err |= EVP_DigestUpdate(ctx, &type, sizeof(type));
if (!err) {
log_err("EVP_DigestUpdate() failed\n");
result = 1;
break;
return 1;
}
}
closedir(dir);
return result;
return 0;
}
static int add_link_hash(const char *path, EVP_MD_CTX *ctx)
@ -375,7 +370,7 @@ int verify_hash_v1(const unsigned char *hash, int size, unsigned char *sig, int
unsigned char sighash[20];
struct signature_hdr *hdr = (struct signature_hdr *)sig;
log_info("hash-v1: ");
log_info("hash: ");
log_dump(hash, size);
key = read_pub_key(keyfile, 0);
@ -493,7 +488,7 @@ static int get_hash_algo_from_sig(unsigned char *sig)
int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen)
{
const char *key;
char *key;
int x509;
verify_hash_fn_t verify_hash;
@ -589,7 +584,7 @@ void calc_keyid_v1(uint8_t *keyid, char *str, const unsigned char *pkey, int len
id = __be64_to_cpup((__be64 *) keyid);
sprintf(str, "%llX", (unsigned long long)id);
log_info("keyid-v1: %s\n", str);
log_info("keyid: %s\n", str);
}
void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
@ -613,7 +608,7 @@ void calc_keyid_v2(uint32_t *keyid, char *str, RSA *key)
free(pkey);
}
static RSA *read_priv_key(const char *keyfile, const char *keypass)
static RSA *read_priv_key(const char *keyfile, char *keypass)
{
FILE *fp;
RSA *key;
@ -623,14 +618,9 @@ static RSA *read_priv_key(const char *keyfile, const char *keypass)
log_err("Failed to open keyfile: %s\n", keyfile);
return NULL;
}
ERR_load_crypto_strings();
key = PEM_read_RSAPrivateKey(fp, NULL, NULL, (void *)keypass);
if (!key) {
char str[256];
ERR_error_string(ERR_get_error(), str);
log_err("PEM_read_RSAPrivateKey() failed: %s\n", str);
}
key = PEM_read_RSAPrivateKey(fp, NULL, NULL, keypass);
if (!key)
log_err("PEM_read_RSAPrivateKey() failed\n");
fclose(fp);
return key;
@ -721,7 +711,7 @@ int sign_hash_v1(const char *hashalgo, const unsigned char *hash, int size, cons
blen = (uint16_t *) (sig + sizeof(*hdr));
*blen = __cpu_to_be16(len << 3);
len += sizeof(*hdr) + 2;
log_info("evm/ima signature-v1: %d bytes\n", len);
log_info("evm/ima signature: %d bytes\n", len);
out:
RSA_free(key);
return len;
@ -796,18 +786,8 @@ out:
return len;
}
int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, const char *keypass, unsigned char *sig)
int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const char *keyfile, unsigned char *sig)
{
if (keypass)
params.keypass = keypass;
return params.x509 ? sign_hash_v2(hashalgo, hash, size, keyfile, sig) :
sign_hash_v1(hashalgo, hash, size, keyfile, sig);
}
static void libinit()
{
OpenSSL_add_all_algorithms();
ERR_load_crypto_strings();
}