Release new version v0.7

Signed-off-by: Dmitry Kasatkin <d.kasatkin@samsung.com>

AUTHORS

@@ -1,2 +1,5 @@
-Dmitry Kasatkin <dmitry.kasatkin@intel.com>
+Dmitry Kasatkin <d.kasatkin@samsung.com>
+
+CONTRIBUTORS:
+Vivek Goyal <vgoyal@redhat.com>
 

ChangeLog

@@ -1,3 +1,24 @@
+2014-02-17  Dmitry Kasatkin <d.kasatkin@samsung.com>
+
+	version 0.7
+	* Fix symbolic links related bugs
+	* Provide recursive fixing
+	* Provide recursive signing
+	* Move IMA verification to the library (first for LTP use)
+	* Support for target architecture data size
+	* Remove obsolete module signing code
+	* Code cleanup
+
+2013-08-28  Dmitry Kasatkin <d.kasatkin@samsung.com>
+
+	version 0.6
+	* support for asymmetric crypto keys and new signature format (v2)
+	* fixes to set correct hash algo for digital signature v1
+	* uuid support for EVM
+	* signature verification support
+	* test scripts removed
+	* README updates
+
 2012-05-18  Dmitry Kasatkin  <dmitry.kasatkin@intel.com>
 
 	version 0.3

INSTALL

@@ -1,7 +1,7 @@
 Installation Instructions
 *************************
 
-Copyright (C) 1994-1996, 1999-2002, 2004-2011 Free Software Foundation,
+Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation,
 Inc.
 
    Copying and distribution of this file, with or without modification,
@@ -309,9 +309,10 @@ causes the specified `gcc' to be used as the C compiler (unless it is
 overridden in the site shell script).
 
 Unfortunately, this technique does not work for `CONFIG_SHELL' due to
-an Autoconf bug.  Until the bug is fixed you can use this workaround:
+an Autoconf limitation.  Until the limitation is lifted, you can use
+this workaround:
 
-     CONFIG_SHELL=/bin/bash /bin/bash ./configure CONFIG_SHELL=/bin/bash
+     CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash
 
 `configure' Invocation
 ======================
@@ -367,4 +368,3 @@ operates.
 
 `configure' also accepts some other, not widely useful, options.  Run
 `configure --help' for more details.
-

Makefile.am

@@ -1,6 +1,6 @@
-SUBDIRS = src tests
+SUBDIRS = src
 
-#EXTRA_DIST = LEGAL acinclude.m4 include
+EXTRA_DIST = autogen.sh
 
 ACLOCAL_AMFLAGS = -I m4
 
@@ -11,7 +11,6 @@ pkgname = $(PACKAGE_NAME)-$(PACKAGE_VERSION)
 tarname = $(pkgname).tar.gz
 
 $(tarname):
-	git tag v$(PACKAGE_VERSION)
 	git archive --format=tar --prefix=$(pkgname)/ v$(PACKAGE_VERSION) $(FILES) | gzip >$@
 
 tar: $(tarname)

README

@@ -1,52 +1,155 @@
+ima-evm-utils - IMA/EVM signing utility
+=========================================
 
-1. Generate private key
+Contents:
 
-# plain key
-openssl genrsa -out privkey_evm.pem 1024
+   1. Key and signature formats
+   2. Key generation
+   3. Initialization
+   4. Signing
 
-# encrypted key
-openssl genrsa -des3 -out privkey_evm.pem 1024
 
-# set password for the key
-openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3
+Key and signature formats
+-------------------------
+
+EVM support (v2) in latest version of the kernel adds the file system UUID to
+the HMAC calculation. It is controlled by the CONFIG_EVM_HMAC_VERSION and
+version 2 is enabled by default. In this version default UUID is included by
+default. Custom value can be supplied via '--uuid=UUID' or '-uUUID' parameter
+to the 'sign' command. To use old format HMAC format use '-' as a parameter.
+
+Latest kernel got IMA/EVM support for using X509 certificates and asymmetric key
+support for verifying digital signatures. This version uses x509 format by default.
+Use '--rsa' or '-1' parameter to use old signature format and API.
+
+
+Key generation
+--------------
+
+Generate private key in plain text format
+
+    $ openssl genrsa -out privkey_evm.pem 1024
+
+Generate encrypted private key
+
+    $ openssl genrsa -des3 -out privkey_evm.pem 1024
+
+Make encrypted private key from unencrypted
+
+    $ openssl rsa -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem -des3
+
+Generate self-signed X509 certificate and private key for using kernel asymmetric
+keys support
+
+	$ openssl req -new -nodes -utf8 -sha1 -days 36500 -batch \
+	      -x509 -config x509_evm.genkey \
+	      -outform DER -out x509_evm.der -keyout privkey_evm.pem
+
+Configuration file x509_evm.genkey:
+
+	# Begining of the file
+	[ req ]
+	default_bits = 1024
+	distinguished_name = req_distinguished_name
+	prompt = no
+	string_mask = utf8only
+	x509_extensions = myexts
+
+	[ req_distinguished_name ]
+	O = Magrathea
+	CN = Glacier signing key
+	emailAddress = slartibartfast@magrathea.h2g2
+
+	[ myexts ]
+	basicConstraints=critical,CA:FALSE
+	keyUsage=digitalSignature
+	subjectKeyIdentifier=hash
+	authorityKeyIdentifier=keyid
+	# EOF
+
+
+Get public key
+
+    $ openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
+
+Copy keys to /etc/keys
+
+    $ cp pubkey_evm.pem /etc/keys
+    $ scp pubkey_evm.pem target:/etc/keys
+
 or
-openssl pkcs8 -topk8 -in /etc/keys/privkey_evm.pem -out privkey_evm_enc.pem
+    $ cp x509_evm.pem /etc/keys
+    $ scp x509_evm.pem target:/etc/keys
 
-2. Generate public key
 
-openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
+Generation of EVM keys
 
-3. Copy public (+private if to sign on device) key to the device/qemu /etc/keys
+    $ # create and save the kernel master key (user type)
+    $ keyctl add user kmk "`dd if=/dev/urandom bs=1 count=32 2>/dev/null`" @u
+    $ keyctl pipe `keyctl search @u user kmk` > /etc/keys/kmk
+    $ # create the EVM encrypted key
+    $ keyctl add encrypted evm-key "new user:kmk 32" @u
+    $ keyctl pipe `keyctl search @u encrypted evm-key` >/etc/keys/evm-key
 
-scp pubkey_evm.pem mad:/etc/keys
 
-4. Load keys and enable EVM
+Initialization
+--------------
 
-evm_enable.sh
+IMA/EVM initialization should be normally done from initial RAM file system
+before mounting root filesystem.
 
-This should be done at early phase, before mounting root filesystem.
+Here is an example script /etc/initramfs-tools/scripts/local-top/ima.sh
 
-5. Sign EVM and use hash value for IMA - common case
+    # import EVM HMAC key
+    keyctl clear @u
+    cat /etc/keys/kmk | keyctl padd user kmk @u
+    keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
 
-evmctl sign --imahash test.txt
+    # import IMA public key
+    ima_id=`keyctl newring _ima @u`
+    evmctl --rsa import /etc/keys/pubkey_evm.pem $ima_id
 
-6. Sign IMA and EVM - for immutable files and modules
+    # import EVM public key
+    evm_id=`keyctl newring _evm @u`
+    evmctl --rsa import /etc/keys/pubkey_evm.pem $evm_id
 
-evmctl sign --imasig test.txt
+    # enable EVM
+    echo "1" > /sys/kernel/security/evm
 
-7. Sign whole filesystem
 
-evm_sign_all.sh
-or
-find / \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) ! -path "/lib/modules/*" -type f -uid 0 -exec evmctl sign --imahash '{}' \;
-find /lib/modules ! -name "*.ko" -type f -uid 0 -exec evmctl sign --imahash '{}' \;
-# security.ima needs to have signature for modules
-find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl sign --imasig '{}' \;
+Import X509 certificate into the kernel keyring (since kernel 3.9?)
 
-# generate signatures in .sig files
-find /lib/modules -name "*.ko" -type f -uid 0 -exec evmctl -n --sigfile ima_sign '{}' \;
+    $ evmctl import /etc/keys/x509_evm.der `keyctl search @u keyring _ima`
+    $ evmctl import /etc/keys/x509_evm.der `keyctl search @u keyring _evm`
 
-8. Label filesystem in fix mode...
 
-ima_fix_dir.sh <dir>
+Signing
+-------
+
+Default public key: /etc/keys/pubkey_evm.pem
+Default private key: /etc/keys/privkey_evm.pem
+Default X509 certificate: /etc/keys/x509_evm.der
+
+Signing for using old RSA format is done using '-1' or '--rsa' parameter.
+Signing for using old EVM HMAC format is done using '-u-' or '--uuid=-' parameter.
+
+Sign file with EVM signature and use hash value for IMA - common case
+
+    $ evmctl sign [-u] [-1] --imahash test.txt
+
+Sign file with both IMA and EVM signatures - for immutable files
+
+    $ evmctl sign [-u] [-1] --imasig test.txt
+
+Sign file with IMA signature - for immutable files
+
+    $ evmctl ima_sign [-1] test.txt
+
+Label whole filesystem with EVM signatures
+
+    $ find / \( -fstype rootfs -o -fstype ext4 \) -exec evmctl sign [-u] [-1] --imahash '{}' \;
+
+Label filesystem in fix mode - kernel sets correct values to IMA and EVM xattrs
+
+    $ find / \( -fstype rootfs -o -fstype ext4 \) -exec sh -c "< '{}'" \;
 

configure.ac

@@ -1,8 +1,8 @@
 # autoconf script
 
 AC_PREREQ([2.65])
-AC_INIT(ima-evm-utils, 0.3, dmitry.kasatkin@intel.com)
-AM_INIT_AUTOMAKE(AC_PACKAGE_NAME, AC_PACKAGE_VERSION)
+AC_INIT(ima-evm-utils, 0.7, d.kasatkin@samsung.com)
+AM_INIT_AUTOMAKE
 AC_CONFIG_HEADERS([config.h])
 AC_CONFIG_MACRO_DIR([m4])
  
@@ -30,6 +30,9 @@ AC_SUBST(OPENSSL_LIBS)
 AC_CHECK_HEADER(unistd.h)
 AC_CHECK_HEADERS(openssl/conf.h)
 
+AC_CHECK_HEADERS(attr/xattr.h, , [AC_MSG_ERROR([attr/xattr.h header not found. You need the libattr development package.])])
+AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You need the libkeyutils development package.])])
+
 #debug support - yes for a while
 PKG_ARG_ENABLE(debug, "yes", DEBUG, [Enable Debug support])
 if test $pkg_cv_enable_debug = yes; then
@@ -46,8 +49,7 @@ fi
 
 AC_CONFIG_FILES([Makefile
 		src/Makefile
-		tests/Makefile
-		ima-evm-utils.spec
+		packaging/ima-evm-utils.spec
 		])
 AC_OUTPUT
 

examples/ima-gen-local-ca.sh

@@ -0,0 +1,29 @@
+#!/bin/sh
+
+GENKEY=ima-local-ca.genkey
+
+cat << __EOF__ >$GENKEY
+[ req ]
+default_bits = 2048
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = v3_ca
+
+[ req_distinguished_name ]
+O = IMA-CA
+CN = IMA/EVM certificate signing key
+emailAddress = ca@ima-ca
+
+[ v3_ca ]
+basicConstraints=CA:TRUE
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer
+# keyUsage = cRLSign, keyCertSign
+__EOF__
+
+openssl req -new -x509 -utf8 -sha1 -days 3650 -batch -config $GENKEY \
+		-outform DER -out ima-local-ca.x509 -keyout ima-local-ca.priv
+
+openssl x509 -inform DER -in ima-local-ca.x509 -out ima-local-ca.pem
+

examples/ima-genkey-self.sh

@@ -0,0 +1,29 @@
+#!/bin/sh
+
+GENKEY=x509_evm.genkey
+
+cat << __EOF__ >$GENKEY
+[ req ]
+default_bits = 1024
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = myexts
+
+[ req_distinguished_name ]
+O = `hostname`
+CN = `whoami` signing key
+emailAddress = `whoami`@`hostname`
+
+[ myexts ]
+basicConstraints=critical,CA:FALSE
+keyUsage=digitalSignature
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+__EOF__
+
+openssl req -x509 -new -nodes -utf8 -sha1 -days 3650 -batch -config $GENKEY \
+		-outform DER -out x509_evm.der -keyout privkey_evm.pem
+
+openssl rsa -pubout -in privkey_evm.pem -out pubkey_evm.pem
+

examples/ima-genkey.sh

@@ -0,0 +1,33 @@
+#!/bin/sh
+
+GENKEY=ima.genkey
+
+cat << __EOF__ >$GENKEY
+[ req ]
+default_bits = 1024
+distinguished_name = req_distinguished_name
+prompt = no
+string_mask = utf8only
+x509_extensions = v3_usr
+
+[ req_distinguished_name ]
+O = `hostname`
+CN = `whoami` signing key
+emailAddress = `whoami`@`hostname`
+
+[ v3_usr ]
+basicConstraints=critical,CA:FALSE
+#basicConstraints=CA:FALSE
+keyUsage=digitalSignature
+#keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid
+#authorityKeyIdentifier=keyid,issuer
+__EOF__
+
+openssl req -new -nodes -utf8 -sha1 -days 365 -batch -config $GENKEY \
+		-out csr_ima.pem -keyout privkey_ima.pem
+openssl x509 -req -in csr_ima.pem -days 365 -extfile $GENKEY -extensions v3_usr \
+		-CA ima-local-ca.pem -CAkey ima-local-ca.priv -CAcreateserial \
+		-outform DER -out x509_ima.der
+

packaging/ima-evm-utils.spec

@@ -0,0 +1,53 @@
+Name:		ima-evm-utils
+Version:	0.7
+Release:	1%{?dist}
+Summary:	ima-evm-utils - IMA/EVM control utility
+Group:		System/Libraries
+License:	GPLv2
+#URL:		
+Source0:	%{name}-%{version}.tar.gz
+BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root
+
+BuildRequires:    autoconf
+BuildRequires:    automake
+BuildRequires:    openssl-devel
+BuildRequires:    libattr-devel
+BuildRequires:    keyutils-libs-devel
+
+%description
+This package provide IMA/EVM control utility
+
+%prep
+%setup -q
+
+%build
+./autogen.sh
+%configure --prefix=/usr
+make
+
+%install
+rm -rf %{buildroot}
+make DESTDIR=%{buildroot} install
+
+%clean
+rm -rf %{buildroot}
+
+%post
+/sbin/ldconfig
+exit 0
+
+%preun -p /sbin/ldconfig
+
+%postun
+/sbin/ldconfig
+
+%files
+%defattr(-,root,root,-)
+%{_bindir}/*
+%{_libdir}/libimaevm.*
+%{_includedir}/*
+
+%changelog
+* Thu Apr 05 2012 Dmitry Kasatkin <dmitry.kasatkin@intel.com>
+- Initial RPM spec file
+

packaging/ima-evm-utils.spec.in

@@ -3,7 +3,7 @@ Version:	@PACKAGE_VERSION@
 Release:	1%{?dist}
 Summary:	@PACKAGE_NAME@ - IMA/EVM control utility
 Group:		System/Libraries
-License:	LGPLv2
+License:	GPLv2
 #URL:		
 Source0:	%{name}-%{version}.tar.gz
 BuildRoot:	%{_tmppath}/%{name}-%{version}-%{release}-root
@@ -44,7 +44,8 @@ exit 0
 %files
 %defattr(-,root,root,-)
 %{_bindir}/*
-%{_libdir}/*
+%{_libdir}/libimaevm.*
+%{_includedir}/*
 
 %changelog
 * Thu Apr 05 2012 Dmitry Kasatkin <dmitry.kasatkin@intel.com>

src/Makefile.am

@@ -1,10 +1,20 @@
+lib_LTLIBRARIES = libimaevm.la
+
+libimaevm_la_SOURCES = libimaevm.c
+libimaevm_la_CPPFLAGS = $(OPENSSL_CFLAGS)
+# current[:revision[:age]]
+# result: [current-age].age.revision
+libimaevm_la_LDFLAGS = -version-info 0:0:0
+libimaevm_la_LIBADD =  $(OPENSSL_LIBS)
+
+include_HEADERS = imaevm.h
 
 bin_PROGRAMS = evmctl
 
 evmctl_SOURCES = evmctl.c
 evmctl_CPPFLAGS = $(OPENSSL_CFLAGS)
 evmctl_LDFLAGS = $(LDFLAGS_READLINE)
-evmctl_LDADD =  $(OPENSSL_LIBS) -lkeyutils
+evmctl_LDADD =  $(OPENSSL_LIBS) -lkeyutils libimaevm.la
 
 INCLUDES = -I$(top_srcdir) -include config.h
 

src/imaevm.h

@@ -0,0 +1,155 @@
+#ifndef _LIBIMAEVM_H
+#define _LIBIMAEVM_H
+
+#include <stdint.h>
+#include <syslog.h>
+#include <stdbool.h>
+#include <errno.h>
+
+#include <openssl/rsa.h>
+
+#ifdef USE_FPRINTF
+#define do_log(level, fmt, args...)	({ if (level <= params.verbose) fprintf(stderr, fmt, ##args); })
+#define do_log_dump(level, p, len, cr)	({ if (level <= params.verbose) do_dump(stderr, p, len, cr); })
+#else
+#define do_log(level, fmt, args...)	syslog(level, fmt, ##args)
+#define do_log_dump(level, p, len, cr)
+#endif
+
+#ifdef DEBUG
+#define log_debug(fmt, args...)		do_log(LOG_DEBUG, "%s:%d " fmt, __func__ , __LINE__ , ##args)
+#define log_debug_dump(p, len)		do_log_dump(LOG_DEBUG, p, len, true)
+#define log_debug_dump_n(p, len)	do_log_dump(LOG_DEBUG, p, len, false)
+#else
+#define log_debug(fmt, args...)
+#define log_debug_dump(p, len)
+#endif
+
+#define log_dump(p, len)		do_log_dump(LOG_INFO, p, len, true)
+#define log_dump_n(p, len)		do_log_dump(LOG_INFO, p, len, false)
+#define log_info(fmt, args...)		do_log(LOG_INFO, fmt, ##args)
+#define log_err(fmt, args...)		do_log(LOG_ERR, fmt, ##args)
+#define log_errno(fmt, args...)		do_log(LOG_ERR, fmt ": errno: %s (%d)\n", ##args, strerror(errno), errno)
+
+#define	DATA_SIZE	4096
+#define SHA1_HASH_LEN   20
+
+#define	EXT2_IOC_GETVERSION	_IOR('v', 1, long)
+#define	EXT34_IOC_GETVERSION	_IOR('f', 3, long)
+
+#define	FS_IOC_GETFLAGS		_IOR('f', 1, long)
+#define	FS_IOC_SETFLAGS		_IOW('f', 2, long)
+#define FS_IOC32_GETFLAGS	_IOR('f', 1, int)
+#define FS_IOC32_SETFLAGS	_IOW('f', 2, int)
+
+#define __packed __attribute__((packed))
+
+struct h_misc {
+	unsigned long ino;
+	uint32_t generation;
+	uid_t uid;
+	gid_t gid;
+	unsigned short mode;
+};
+
+struct h_misc_32 {
+	uint32_t ino;
+	uint32_t generation;
+	uid_t uid;
+	gid_t gid;
+	unsigned short mode;
+};
+
+struct h_misc_64 {
+	uint64_t ino;
+	uint32_t generation;
+	uid_t uid;
+	gid_t gid;
+	unsigned short mode;
+};
+
+enum pubkey_algo {
+	PUBKEY_ALGO_RSA,
+	PUBKEY_ALGO_MAX,
+};
+
+enum digest_algo {
+	DIGEST_ALGO_SHA1,
+	DIGEST_ALGO_SHA256,
+	DIGEST_ALGO_MAX
+};
+
+enum digsig_version {
+	DIGSIG_VERSION_1 = 1,
+	DIGSIG_VERSION_2
+};
+
+struct pubkey_hdr {
+	uint8_t version;	/* key format version */
+	uint32_t timestamp;	/* key made, always 0 for now */
+	uint8_t algo;
+	uint8_t nmpi;
+	char mpi[0];
+} __packed;
+
+struct signature_hdr {
+	uint8_t version;	/* signature format version */
+	uint32_t timestamp;	/* signature made */
+	uint8_t algo;
+	uint8_t hash;
+	uint8_t keyid[8];
+	uint8_t nmpi;
+	char mpi[0];
+} __packed;
+
+enum pkey_hash_algo {
+	PKEY_HASH_MD4,
+	PKEY_HASH_MD5,
+	PKEY_HASH_SHA1,
+	PKEY_HASH_RIPE_MD_160,
+	PKEY_HASH_SHA256,
+	PKEY_HASH_SHA384,
+	PKEY_HASH_SHA512,
+	PKEY_HASH_SHA224,
+	PKEY_HASH__LAST
+};
+
+/*
+ * signature format v2 - for using with asymmetric keys
+ */
+struct signature_v2_hdr {
+	uint8_t version;	/* signature format version */
+	uint8_t	hash_algo;	/* Digest algorithm [enum pkey_hash_algo] */
+	uint32_t keyid;		/* IMA key identifier - not X509/PGP specific*/
+	uint16_t sig_size;	/* signature size */
+	uint8_t sig[0];		/* signature payload */
+} __packed;
+
+
+typedef int (*verify_hash_fn_t)(const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile);
+
+struct libevm_params {
+	int verbose;
+	const char *hash_algo;
+	char *keyfile;
+};
+
+struct RSA_ASN1_template {
+	const uint8_t *data;
+	size_t size;
+};
+
+extern const struct RSA_ASN1_template RSA_ASN1_templates[PKEY_HASH__LAST];
+extern struct libevm_params params;
+
+void do_dump(FILE *fp, const void *ptr, int len, bool cr);
+void dump(const void *ptr, int len);
+int get_filesize(const char *filename);
+int ima_calc_hash(const char *file, uint8_t *hash);
+int get_hash_algo(const char *algo);
+RSA *read_pub_key(const char *keyfile, int x509);
+
+int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen);
+int ima_verify_signature(const char *file, unsigned char *sig, int siglen);
+
+#endif

src/libimaevm.c

@@ -0,0 +1,520 @@
+/*
+ * ima-evm-utils - IMA/EVM support utilities
+ *
+ * Copyright (C) 2011 Nokia Corporation
+ * Copyright (C) 2011,2012,2013 Intel Corporation
+ * Copyright (C) 2013,2014 Samsung Electronics
+ *
+ * Authors:
+ * Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
+ *                 <dmitry.kasatkin@intel.com>
+ *                 <d.kasatkin@samsung.com>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * version 2 as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * File: libevm.c
+ *	 IMA/EVM library
+ */
+
+/* should we use logger instead for library? */
+#define USE_FPRINTF
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/stat.h>
+#include <unistd.h>
+#include <dirent.h>
+#include <string.h>
+#include <stdio.h>
+
+#include <openssl/pem.h>
+#include <openssl/evp.h>
+#include <openssl/x509.h>
+
+#include "imaevm.h"
+
+const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
+	[PKEY_HASH_MD4]		= "md4",
+	[PKEY_HASH_MD5]		= "md5",
+	[PKEY_HASH_SHA1]	= "sha1",
+	[PKEY_HASH_RIPE_MD_160]	= "rmd160",
+	[PKEY_HASH_SHA256]	= "sha256",
+	[PKEY_HASH_SHA384]	= "sha384",
+	[PKEY_HASH_SHA512]	= "sha512",
+	[PKEY_HASH_SHA224]	= "sha224",
+};
+
+/*
+ * Hash algorithm OIDs plus ASN.1 DER wrappings [RFC4880 sec 5.2.2].
+ */
+static const uint8_t RSA_digest_info_MD5[] = {
+	0x30, 0x20, 0x30, 0x0C, 0x06, 0x08,
+	0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x02, 0x05, /* OID */
+	0x05, 0x00, 0x04, 0x10
+};
+
+static const uint8_t RSA_digest_info_SHA1[] = {
+	0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
+	0x2B, 0x0E, 0x03, 0x02, 0x1A,
+	0x05, 0x00, 0x04, 0x14
+};
+
+static const uint8_t RSA_digest_info_RIPE_MD_160[] = {
+	0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
+	0x2B, 0x24, 0x03, 0x02, 0x01,
+	0x05, 0x00, 0x04, 0x14
+};
+
+static const uint8_t RSA_digest_info_SHA224[] = {
+	0x30, 0x2d, 0x30, 0x0d, 0x06, 0x09,
+	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x04,
+	0x05, 0x00, 0x04, 0x1C
+};
+
+static const uint8_t RSA_digest_info_SHA256[] = {
+	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09,
+	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
+	0x05, 0x00, 0x04, 0x20
+};
+
+static const uint8_t RSA_digest_info_SHA384[] = {
+	0x30, 0x41, 0x30, 0x0d, 0x06, 0x09,
+	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x02,
+	0x05, 0x00, 0x04, 0x30
+};
+
+static const uint8_t RSA_digest_info_SHA512[] = {
+	0x30, 0x51, 0x30, 0x0d, 0x06, 0x09,
+	0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
+	0x05, 0x00, 0x04, 0x40
+};
+
+const struct RSA_ASN1_template RSA_ASN1_templates[PKEY_HASH__LAST] = {
+#define _(X) { RSA_digest_info_##X, sizeof(RSA_digest_info_##X) }
+	[PKEY_HASH_MD5]		= _(MD5),
+	[PKEY_HASH_SHA1]	= _(SHA1),
+	[PKEY_HASH_RIPE_MD_160]	= _(RIPE_MD_160),
+	[PKEY_HASH_SHA256]	= _(SHA256),
+	[PKEY_HASH_SHA384]	= _(SHA384),
+	[PKEY_HASH_SHA512]	= _(SHA512),
+	[PKEY_HASH_SHA224]	= _(SHA224),
+#undef _
+};
+
+struct libevm_params params = {
+	.verbose = LOG_INFO - 1,
+	.hash_algo = "sha1",
+};
+
+void do_dump(FILE *fp, const void *ptr, int len, bool cr)
+{
+	int i;
+	uint8_t *data = (uint8_t *) ptr;
+
+	for (i = 0; i < len; i++)
+		fprintf(fp, "%02x", data[i]);
+	if (cr)
+		fprintf(fp, "\n");
+}
+
+void dump(const void *ptr, int len)
+{
+	do_dump(stdout, ptr, len, true);
+}
+
+int get_filesize(const char *filename)
+{
+	struct stat stats;
+	/*  Need to know the file length */
+	stat(filename, &stats);
+	return (int)stats.st_size;
+}
+
+static inline int get_fdsize(int fd)
+{
+	struct stat stats;
+	/*  Need to know the file length */
+	fstat(fd, &stats);
+	return (int)stats.st_size;
+}
+
+static int add_file_hash(const char *file, EVP_MD_CTX *ctx)
+{
+	uint8_t *data;
+	int err, size, bs = DATA_SIZE;
+	size_t len;
+	FILE *fp;
+
+	data = malloc(bs);
+	if (!data) {
+		log_err("malloc failed\n");
+		return -1;
+	}
+
+	fp = fopen(file, "r");
+	if (!fp) {
+		log_err("Unable to open %s\n", file);
+		return -1;
+	}
+
+	for (size = get_fdsize(fileno(fp)); size; size -= len) {
+		len = MIN(size, bs);
+		err = fread(data, len, 1, fp);
+		if (!err) {
+			if (ferror(fp)) {
+				log_err("fread() error\n\n");
+				return -1;
+			}
+			break;
+		}
+		err = EVP_DigestUpdate(ctx, data, len);
+		if (!err) {
+			log_err("EVP_DigestUpdate() failed\n");
+			return 1;
+		}
+	}
+
+	fclose(fp);
+	free(data);
+
+	return 0;
+}
+
+static int add_dir_hash(const char *file, EVP_MD_CTX *ctx)
+{
+	int err;
+	struct dirent *de;
+	DIR *dir;
+	unsigned long long ino, off;
+	unsigned int type;
+
+	dir = opendir(file);
+	if (!dir) {
+		log_err("Unable to open %s\n", file);
+		return -1;
+	}
+
+	while ((de = readdir(dir))) {
+		ino = de->d_ino;
+		off = de->d_off;
+		type = de->d_type;
+		log_debug("entry: %s, ino: %llu, type: %u, off: %llu, reclen: %hu\n",
+			  de->d_name, ino, type, off, de->d_reclen);
+		err = EVP_DigestUpdate(ctx, de->d_name, strlen(de->d_name));
+		/*err |= EVP_DigestUpdate(ctx, &off, sizeof(off));*/
+		err |= EVP_DigestUpdate(ctx, &ino, sizeof(ino));
+		err |= EVP_DigestUpdate(ctx, &type, sizeof(type));
+		if (!err) {
+			log_err("EVP_DigestUpdate() failed\n");
+			return 1;
+		}
+	}
+
+	closedir(dir);
+
+	return 0;
+}
+
+static int add_link_hash(const char *path, EVP_MD_CTX *ctx)
+{
+	int err;
+	char buf[1024];
+
+	err = readlink(path, buf, sizeof(buf));
+	if (err <= 0)
+		return -1;
+
+	log_info("link: %s -> %.*s\n", path, err, buf);
+	return !EVP_DigestUpdate(ctx, buf, err);
+}
+
+static int add_dev_hash(struct stat *st, EVP_MD_CTX *ctx)
+{
+	uint32_t dev = st->st_rdev;
+	unsigned major = (dev & 0xfff00) >> 8;
+	unsigned minor = (dev & 0xff) | ((dev >> 12) & 0xfff00);
+	log_info("device: %u:%u\n", major, minor);
+	return !EVP_DigestUpdate(ctx, &dev, sizeof(dev));
+}
+
+int ima_calc_hash(const char *file, uint8_t *hash)
+{
+	struct stat st;
+	EVP_MD_CTX ctx;
+	const EVP_MD *md;
+	unsigned int mdlen;
+	int err;
+
+	/*  Need to know the file length */
+	err = lstat(file, &st);
+	if (err < 0) {
+		log_err("stat() failed\n");
+		return err;
+	}
+
+	md = EVP_get_digestbyname(params.hash_algo);
+	if (!md) {
+		log_err("EVP_get_digestbyname() failed\n");
+		return 1;
+	}
+
+	err = EVP_DigestInit(&ctx, md);
+	if (!err) {
+		log_err("EVP_DigestInit() failed\n");
+		return 1;
+	}
+
+	switch (st.st_mode & S_IFMT) {
+	case S_IFREG:
+		err = add_file_hash(file, &ctx);
+		break;
+	case S_IFDIR:
+		err = add_dir_hash(file, &ctx);
+		break;
+	case S_IFLNK:
+		err = add_link_hash(file, &ctx);
+		break;
+	case S_IFIFO: case S_IFSOCK:
+	case S_IFCHR: case S_IFBLK:
+		err = add_dev_hash(&st, &ctx);
+		break;
+	default:
+		log_errno("Unsupported file type");
+		return -1;
+	}
+
+	if (err)
+		return err;
+
+	err = EVP_DigestFinal(&ctx, hash, &mdlen);
+	if (!err) {
+		log_err("EVP_DigestFinal() failed\n");
+		return 1;
+	}
+
+	return mdlen;
+}
+
+RSA *read_pub_key(const char *keyfile, int x509)
+{
+	FILE *fp;
+	RSA *key = NULL;
+	X509 *crt = NULL;
+	EVP_PKEY *pkey = NULL;
+
+	fp = fopen(keyfile, "r");
+	if (!fp) {
+		log_err("Unable to open keyfile %s\n", keyfile);
+		return NULL;
+	}
+
+	if (x509) {
+		crt = d2i_X509_fp(fp, NULL);
+		if (!crt) {
+			log_err("d2i_X509_fp() failed\n");
+			goto out;
+		}
+		pkey = X509_extract_key(crt);
+		if (!pkey) {
+			log_err("X509_extract_key() failed\n");
+			goto out;
+		}
+		key = EVP_PKEY_get1_RSA(pkey);
+	} else {
+		key = PEM_read_RSA_PUBKEY(fp, NULL, NULL, NULL);
+	}
+
+	if (!key)
+		log_err("PEM_read_RSA_PUBKEY() failed\n");
+
+out:
+	if (pkey)
+		EVP_PKEY_free(pkey);
+	if (crt)
+		X509_free(crt);
+	fclose(fp);
+	return key;
+}
+
+int verify_hash_v1(const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile)
+{
+	int err, len;
+	SHA_CTX ctx;
+	unsigned char out[1024];
+	RSA *key;
+	unsigned char sighash[20];
+	struct signature_hdr *hdr = (struct signature_hdr *)sig;
+
+	log_info("hash: ");
+	log_dump(hash, size);
+
+	key = read_pub_key(keyfile, 0);
+	if (!key)
+		return 1;
+
+	SHA1_Init(&ctx);
+	SHA1_Update(&ctx, hash, size);
+	SHA1_Update(&ctx, hdr, sizeof(*hdr));
+	SHA1_Final(sighash, &ctx);
+	log_info("sighash: ");
+	log_dump(sighash, sizeof(sighash));
+
+	err = RSA_public_decrypt(siglen - sizeof(*hdr) - 2, sig + sizeof(*hdr) + 2, out, key, RSA_PKCS1_PADDING);
+	RSA_free(key);
+	if (err < 0) {
+		log_err("RSA_public_decrypt() failed: %d\n", err);
+		return 1;
+	}
+
+	len = err;
+
+	if (len != sizeof(sighash) || memcmp(out, sighash, len) != 0) {
+		log_err("Verification failed: %d\n", err);
+		return -1;
+	} else {
+		/*log_info("Verification is OK\n");*/
+		printf("Verification is OK\n");
+	}
+
+	return 0;
+}
+
+int verify_hash_v2(const unsigned char *hash, int size, unsigned char *sig, int siglen, const char *keyfile)
+{
+	int err, len;
+	unsigned char out[1024];
+	RSA *key;
+	struct signature_v2_hdr *hdr = (struct signature_v2_hdr *)sig;
+	const struct RSA_ASN1_template *asn1;
+
+	log_info("hash: ");
+	log_dump(hash, size);
+
+	key = read_pub_key(keyfile, 1);
+	if (!key)
+		return 1;
+
+	err = RSA_public_decrypt(siglen - sizeof(*hdr), sig + sizeof(*hdr), out, key, RSA_PKCS1_PADDING);
+	RSA_free(key);
+	if (err < 0) {
+		log_err("RSA_public_decrypt() failed: %d\n", err);
+		return 1;
+	}
+
+	len = err;
+
+	asn1 = &RSA_ASN1_templates[hdr->hash_algo];
+
+	if (len < asn1->size || memcmp(out, asn1->data, asn1->size)) {
+		log_err("Verification failed: %d\n", err);
+		return -1;
+	}
+
+	len -= asn1->size;
+
+	if (len != size || memcmp(out + asn1->size, hash, len)) {
+		log_err("Verification failed: %d\n", err);
+		return -1;
+	}
+
+	/*log_info("Verification is OK\n");*/
+	printf("Verification is OK\n");
+
+	return 0;
+}
+
+int get_hash_algo(const char *algo)
+{
+	int i;
+
+	for (i = 0; i < PKEY_HASH__LAST; i++)
+		if (!strcmp(algo, pkey_hash_algo[i]))
+			return i;
+
+	return PKEY_HASH_SHA1;
+}
+
+static int get_hash_algo_from_sig(unsigned char *sig)
+{
+	uint8_t hashalgo;
+
+	if (sig[0] == 1) {
+		hashalgo = ((struct signature_hdr *)sig)->hash;
+
+		if (hashalgo >= DIGEST_ALGO_MAX)
+			return -1;
+
+		switch (hashalgo) {
+		case DIGEST_ALGO_SHA1:
+			return PKEY_HASH_SHA1;
+		case DIGEST_ALGO_SHA256:
+			return PKEY_HASH_SHA256;
+		default:
+			return -1;
+		}
+	} else if (sig[0] == 2) {
+		hashalgo = ((struct signature_v2_hdr *)sig)->hash_algo;
+		if (hashalgo >= PKEY_HASH__LAST)
+			return -1;
+		return hashalgo;
+	} else
+		return -1;
+}
+
+int verify_hash(const unsigned char *hash, int size, unsigned char *sig, int siglen)
+{
+	char *key;
+	int x509;
+	verify_hash_fn_t verify_hash;
+
+	/* Get signature type from sig header */
+	if (sig[0] == DIGSIG_VERSION_1) {
+		verify_hash = verify_hash_v1;
+		/* Read pubkey from RSA key */
+		x509 = 0;
+	} else if (sig[0] == DIGSIG_VERSION_2) {
+		verify_hash = verify_hash_v2;
+		/* Read pubkey from x509 cert */
+		x509 = 1;
+	} else
+		return -1;
+
+	/* Determine what key to use for verification*/
+	key = params.keyfile ? : x509 ?
+			"/etc/keys/x509_evm.der" :
+			"/etc/keys/pubkey_evm.pem";
+
+	return verify_hash(hash, size, sig, siglen, key);
+}
+
+int ima_verify_signature(const char *file, unsigned char *sig, int siglen)
+{
+	unsigned char hash[64];
+	int hashlen, sig_hash_algo;
+
+	if (sig[0] != 0x03) {
+		log_err("security.ima has no signature\n");
+		return -1;
+	}
+
+	sig_hash_algo = get_hash_algo_from_sig(sig + 1);
+	if (sig_hash_algo < 0) {
+		log_err("Invalid signature\n");
+		return -1;
+	}
+	/* Use hash algorithm as retrieved from signature */
+	params.hash_algo = pkey_hash_algo[sig_hash_algo];
+
+	hashlen = ima_calc_hash(file, hash);
+	if (hashlen <= 1)
+		return hashlen;
+
+	return verify_hash(hash, hashlen, sig + 1, siglen - 1);
+}

tests/Makefile.am

@@ -1,7 +0,0 @@
-pkglibexec_PROGRAMS = openclose
-
-openclose_SOURCES = openclose.c
-
-dist_pkglibexec_SCRIPTS = evm_enable.sh evm_genkey.sh evm_sign_all.sh evm_sign_modules.sh \
-			ima_fix_dir.sh evm_hmac_all.sh evm_hmac_modules.sh
-

tests/evm_enable.sh

@@ -1,25 +0,0 @@
-#!/bin/sh
-
-# import EVM HMAC key
-keyctl clear @u
-keyctl add user kmk "testing123" @u
-keyctl add encrypted evm-key "load `cat /etc/keys/evm-key`" @u
-
-# import Moule public key
-mod_id=`keyctl newring _module @u`
-evmctl import /etc/keys/pubkey_evm.pem $mod_id
-
-# import IMA public key
-ima_id=`keyctl newring _ima @u`
-evmctl import /etc/keys/pubkey_evm.pem $ima_id
-
-# import EVM public key
-evm_id=`keyctl newring _evm @u`
-evmctl import /etc/keys/pubkey_evm.pem $evm_id
-
-# enable EVM
-echo "1" > /sys/kernel/security/evm
-
-# enable module checking
-echo "1" > /sys/kernel/security/ima/module_check
-

tests/evm_genkey.sh

@@ -1,8 +0,0 @@
-#!/bin/sh
-
-keyctl add user kmk "testing123" @u
-key=`keyctl add encrypted evm-key "new user:kmk 32" @u`
-keyctl print $key >/etc/keys/evm-key
-
-keyctl list @u
-

tests/evm_hmac_all.sh

@@ -1,14 +0,0 @@
-#!/bin/sh
-
-verbose=""
-if [ "$1" = "-v" ] ; then
-	verbose="-v"
-	shift 1
-fi
-
-dir=${1:-/}
-
-echo "Label: $dir"
-
-find $dir \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) \( -type f -o -type d \) -exec evmctl hmac --imahash $verbose '{}' \;
-

tests/evm_hmac_modules.sh

@@ -1,14 +0,0 @@
-#!/bin/sh
-
-verbose=""
-if [ "$1" = "-v" ] ; then
-	verbose="-v"
-	shift 1
-fi
-
-dir=${1:-/lib/modules}
-
-echo "HMAC modules: $dir"
-
-find $dir -name "*.ko" -type f -exec evmctl hmac --imasig $verbose '{}' \;
-

tests/evm_sign_all.sh

@@ -1,14 +0,0 @@
-#!/bin/sh
-
-verbose=""
-if [ "$1" = "-v" ] ; then
-	verbose="-v"
-	shift 1
-fi
-
-dir=${1:-/}
-
-echo "Label: $dir"
-
-find $dir \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) -type f -exec evmctl sign --imahash $verbose '{}' \;
-

tests/evm_sign_modules.sh

@@ -1,14 +0,0 @@
-#!/bin/sh
-
-verbose=""
-if [ "$1" = "-v" ] ; then
-	verbose="-v"
-	shift 1
-fi
-
-dir=${1:-/lib/modules}
-
-echo "Signing modules: $dir"
-
-find $dir -name "*.ko" -type f -exec evmctl sign --imasig $verbose '{}' \;
-

tests/ima_fix_dir.sh

@@ -1,8 +0,0 @@
-#!/bin/sh
-
-dir=${1:-/}
-
-echo "Fixing dir: $dir"
-
-find $dir \( -fstype rootfs -o -fstype ext3 -o -fstype ext4 \) -type f -exec openclose '{}' \;
-

tests/openclose.c

@@ -1,20 +0,0 @@
-#include <unistd.h>
-#include <stdio.h>
-#include <fcntl.h>
-#include <stdlib.h>
-
-int main(int argc, char *argv[])
-{
-	int fd;
-
-	fd = open(argv[1], O_RDONLY);
-	if (fd < 0) {
-		perror("open()");
-		exit(1);
-	}
-
-	close(fd);
-
-	return 0;
-}
-