| Message ID | 20181128200610.21214-4-vt@altlinux.org (mailing list archive) |
|---|---|
| State | Changes Requested |
| Headers | show |
| Series | [v2,1/7] ima-evm-utils: Fix hash buffer overflow in verify_evm and hmac_evm | expand |
On Wed, 2018-11-28 at 23:06 +0300, Vitaly Chikunov wrote: > This patch will allow using GOST algorithms from OpenSSL's > gost-engine[1] via config extension (which is the usual way). > > [1] https://github.com/gost-engine/engine > > Signed-off-by: Vitaly Chikunov <vt@altlinux.org> > --- > Changes since v1: > - "--engine" option is removed into separate patch. Thanks! > > src/evmctl.c | 6 +++--- > src/imaevm.h | 13 +++++++++++++ > src/libimaevm.c | 15 +++++++++++---- > 3 files changed, 27 insertions(+), 7 deletions(-) > > diff --git a/src/evmctl.c b/src/evmctl.c > index 9cbc2cb..f4b2e7d 100644 > --- a/src/evmctl.c > +++ b/src/evmctl.c > @@ -388,7 +388,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) > > md = EVP_get_digestbyname(params.hash_algo); > if (!md) { > - log_err("EVP_get_digestbyname() failed\n"); > + log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo); > return 1; > } > > @@ -1064,7 +1064,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h > > md = EVP_get_digestbyname(params.hash_algo); > if (!md) { > - log_err("EVP_get_digestbyname() failed\n"); > + log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo); > goto out; > } > > @@ -1653,7 +1653,7 @@ static void usage(void) > > printf( > "\n" > - " -a, --hashalgo sha1 (default), sha224, sha256, sha384, sha512\n" > + " -a, --hashalgo sha1 (default), sha224, sha256, sha384, sha512, streebog256, streebog512\n" > " -s, --imasig make IMA signature\n" > " -d, --imahash make IMA hash\n" > " -f, --sigfile store IMA signature in .sig file instead of xattr\n" > diff --git a/src/imaevm.h b/src/imaevm.h > index 2ebe7e7..c81bf21 100644 > --- a/src/imaevm.h > +++ b/src/imaevm.h > @@ -152,6 +152,7 @@ struct signature_hdr { > char mpi[0]; > } __packed; > > +/* reflect enum hash_algo from include/uapi/linux/hash_info.h */ > enum pkey_hash_algo { > PKEY_HASH_MD4, > PKEY_HASH_MD5, > @@ -161,6 +162,18 @@ enum pkey_hash_algo { > PKEY_HASH_SHA384, > PKEY_HASH_SHA512, > PKEY_HASH_SHA224, > + PKEY_HASH_RIPE_MD_128, > + PKEY_HASH_RIPE_MD_256, > + PKEY_HASH_RIPE_MD_320, > + PKEY_HASH_WP_256, > + PKEY_HASH_WP_384, > + PKEY_HASH_WP_512, > + PKEY_HASH_TGR_128, > + PKEY_HASH_TGR_160, > + PKEY_HASH_TGR_192, > + PKEY_HASH_SM3_256, > + PKEY_HASH_STREEBOG_256, > + PKEY_HASH_STREEBOG_512, > PKEY_HASH__LAST > }; > > diff --git a/src/libimaevm.c b/src/libimaevm.c > index 34501ca..7b2b62c 100644 > --- a/src/libimaevm.c > +++ b/src/libimaevm.c > @@ -51,6 +51,7 @@ > #include <stdio.h> > #include <assert.h> > > +#include <openssl/crypto.h> > #include <openssl/pem.h> > #include <openssl/evp.h> > #include <openssl/x509.h> > @@ -67,6 +68,8 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = { > [PKEY_HASH_SHA384] = "sha384", > [PKEY_HASH_SHA512] = "sha512", > [PKEY_HASH_SHA224] = "sha224", > + [PKEY_HASH_STREEBOG_256] = "streebog256", > + [PKEY_HASH_STREEBOG_512] = "streebog512", > }; > > /* > @@ -291,7 +294,7 @@ int ima_calc_hash(const char *file, uint8_t *hash) > > md = EVP_get_digestbyname(params.hash_algo); > if (!md) { > - log_err("EVP_get_digestbyname() failed\n"); > + log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo); > return 1; > } > > @@ -509,14 +512,16 @@ int verify_hash_v2(const char *file, const unsigned char *hash, int size, > asn1 = &RSA_ASN1_templates[hdr->hash_algo]; > > if (len < asn1->size || memcmp(out, asn1->data, asn1->size)) { > - log_err("%s: verification failed: %d\n", file, err); > + log_err("%s: verification failed: %d (asn1 mismatch)\n", > + file, err); > return -1; > } > > len -= asn1->size; > > if (len != size || memcmp(out + asn1->size, hash, len)) { > - log_err("%s: verification failed: %d\n", file, err); > + log_err("%s: verification failed: %d (digest mismatch)\n", > + file, err); > return -1; > } > > @@ -528,7 +533,8 @@ int get_hash_algo(const char *algo) > int i; > > for (i = 0; i < PKEY_HASH__LAST; i++) > - if (!strcmp(algo, pkey_hash_algo[i])) > + if (pkey_hash_algo[i] && > + !strcmp(algo, pkey_hash_algo[i])) > return i; > > return PKEY_HASH_SHA1; > @@ -901,5 +907,6 @@ int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const c > static void libinit() > { > OpenSSL_add_all_algorithms(); > + OPENSSL_add_all_algorithms_conf(); > ERR_load_crypto_strings(); > }
diff --git a/src/evmctl.c b/src/evmctl.c index 9cbc2cb..f4b2e7d 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -388,7 +388,7 @@ static int calc_evm_hash(const char *file, unsigned char *hash) md = EVP_get_digestbyname(params.hash_algo); if (!md) { - log_err("EVP_get_digestbyname() failed\n"); + log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo); return 1; } @@ -1064,7 +1064,7 @@ static int calc_evm_hmac(const char *file, const char *keyfile, unsigned char *h md = EVP_get_digestbyname(params.hash_algo); if (!md) { - log_err("EVP_get_digestbyname() failed\n"); + log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo); goto out; } @@ -1653,7 +1653,7 @@ static void usage(void) printf( "\n" - " -a, --hashalgo sha1 (default), sha224, sha256, sha384, sha512\n" + " -a, --hashalgo sha1 (default), sha224, sha256, sha384, sha512, streebog256, streebog512\n" " -s, --imasig make IMA signature\n" " -d, --imahash make IMA hash\n" " -f, --sigfile store IMA signature in .sig file instead of xattr\n" diff --git a/src/imaevm.h b/src/imaevm.h index 2ebe7e7..c81bf21 100644 --- a/src/imaevm.h +++ b/src/imaevm.h @@ -152,6 +152,7 @@ struct signature_hdr { char mpi[0]; } __packed; +/* reflect enum hash_algo from include/uapi/linux/hash_info.h */ enum pkey_hash_algo { PKEY_HASH_MD4, PKEY_HASH_MD5, @@ -161,6 +162,18 @@ enum pkey_hash_algo { PKEY_HASH_SHA384, PKEY_HASH_SHA512, PKEY_HASH_SHA224, + PKEY_HASH_RIPE_MD_128, + PKEY_HASH_RIPE_MD_256, + PKEY_HASH_RIPE_MD_320, + PKEY_HASH_WP_256, + PKEY_HASH_WP_384, + PKEY_HASH_WP_512, + PKEY_HASH_TGR_128, + PKEY_HASH_TGR_160, + PKEY_HASH_TGR_192, + PKEY_HASH_SM3_256, + PKEY_HASH_STREEBOG_256, + PKEY_HASH_STREEBOG_512, PKEY_HASH__LAST }; diff --git a/src/libimaevm.c b/src/libimaevm.c index 34501ca..7b2b62c 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -51,6 +51,7 @@ #include <stdio.h> #include <assert.h> +#include <openssl/crypto.h> #include <openssl/pem.h> #include <openssl/evp.h> #include <openssl/x509.h> @@ -67,6 +68,8 @@ const char *const pkey_hash_algo[PKEY_HASH__LAST] = { [PKEY_HASH_SHA384] = "sha384", [PKEY_HASH_SHA512] = "sha512", [PKEY_HASH_SHA224] = "sha224", + [PKEY_HASH_STREEBOG_256] = "streebog256", + [PKEY_HASH_STREEBOG_512] = "streebog512", }; /* @@ -291,7 +294,7 @@ int ima_calc_hash(const char *file, uint8_t *hash) md = EVP_get_digestbyname(params.hash_algo); if (!md) { - log_err("EVP_get_digestbyname() failed\n"); + log_err("EVP_get_digestbyname(%s) failed\n", params.hash_algo); return 1; } @@ -509,14 +512,16 @@ int verify_hash_v2(const char *file, const unsigned char *hash, int size, asn1 = &RSA_ASN1_templates[hdr->hash_algo]; if (len < asn1->size || memcmp(out, asn1->data, asn1->size)) { - log_err("%s: verification failed: %d\n", file, err); + log_err("%s: verification failed: %d (asn1 mismatch)\n", + file, err); return -1; } len -= asn1->size; if (len != size || memcmp(out + asn1->size, hash, len)) { - log_err("%s: verification failed: %d\n", file, err); + log_err("%s: verification failed: %d (digest mismatch)\n", + file, err); return -1; } @@ -528,7 +533,8 @@ int get_hash_algo(const char *algo) int i; for (i = 0; i < PKEY_HASH__LAST; i++) - if (!strcmp(algo, pkey_hash_algo[i])) + if (pkey_hash_algo[i] && + !strcmp(algo, pkey_hash_algo[i])) return i; return PKEY_HASH_SHA1; @@ -901,5 +907,6 @@ int sign_hash(const char *hashalgo, const unsigned char *hash, int size, const c static void libinit() { OpenSSL_add_all_algorithms(); + OPENSSL_add_all_algorithms_conf(); ERR_load_crypto_strings(); }
This patch will allow using GOST algorithms from OpenSSL's gost-engine[1] via config extension (which is the usual way). [1] https://github.com/gost-engine/engine Signed-off-by: Vitaly Chikunov <vt@altlinux.org> --- Changes since v1: - "--engine" option is removed into separate patch. src/evmctl.c | 6 +++--- src/imaevm.h | 13 +++++++++++++ src/libimaevm.c | 15 +++++++++++---- 3 files changed, 27 insertions(+), 7 deletions(-)