@@ -27,12 +27,18 @@ AC_HEADER_STDC
PKG_CHECK_MODULES(OPENSSL, [ openssl >= 0.9.8 ])
AC_SUBST(OPENSSL_CFLAGS)
AC_SUBST(OPENSSL_LIBS)
+AC_SUBST(KERNEL_HEADERS)
AC_CHECK_HEADER(unistd.h)
AC_CHECK_HEADERS(openssl/conf.h)
AC_CHECK_HEADERS(sys/xattr.h, , [AC_MSG_ERROR([sys/xattr.h header not found. You need the c-library development package.])])
AC_CHECK_HEADERS(keyutils.h, , [AC_MSG_ERROR([keyutils.h header not found. You need the libkeyutils development package.])])
+AC_ARG_WITH(kernel_headers, [AS_HELP_STRING([--with-kernel-headers[[=ARG]]],
+ [specifies the Linux kernel-headers package location or kernel root directory you want to use])],
+ [KERNEL_HEADERS="$withval"],
+ [KERNEL_HEADERS=/lib/modules/$(uname -r)/source])
+
#debug support - yes for a while
PKG_ARG_ENABLE(debug, "yes", DEBUG, [Enable Debug support])
if test $pkg_cv_enable_debug = yes; then
@@ -9,6 +9,11 @@ libimaevm_la_LIBADD = $(OPENSSL_LIBS)
include_HEADERS = imaevm.h
+nodist_libimaevm_la_SOURCES = hash_info.h
+BUILT_SOURCES = hash_info.h
+hash_info.h: Makefile
+ ./hash_info.gen $(KERNEL_HEADERS) >$@
+
bin_PROGRAMS = evmctl
evmctl_SOURCES = evmctl.c
@@ -18,5 +23,6 @@ evmctl_LDADD = $(OPENSSL_LIBS) -lkeyutils libimaevm.la
INCLUDES = -I$(top_srcdir) -include config.h
+CLEANFILES = hash_info.h
DISTCLEANFILES = @DISTCLEANFILES@
new file mode 100755
@@ -0,0 +1,43 @@
+#!/bin/sh
+#
+# Generate hash_info.h from kernel headers
+#
+# Copyright (C) 2018 <vt@altlinux.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2, or (at your option)
+# any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+KERNEL_HEADERS=$1
+HASH_INFO_H=uapi/linux/hash_info.h
+HASH_INFO=$KERNEL_HEADERS/include/$HASH_INFO_H
+
+# Allow to specify kernel-headers past include/
+if [ ! -e $HASH_INFO ]; then
+ HASH_INFO2=$KERNEL_HEADERS/$HASH_INFO_H
+ if [ -e $HASH_INFO2 ]; then
+ HASH_INFO=$HASH_INFO2
+ fi
+fi
+
+if [ ! -e $HASH_INFO ]; then
+ echo "/* $HASH_INFO is not found */"
+ HASH_INFO=/dev/null
+else
+ echo "/* $HASH_INFO is found */"
+fi
+
+echo "enum hash_algo {"
+grep HASH_ALGO_.*, $HASH_INFO
+printf "\tHASH_ALGO__LAST\n"
+echo "};"
+
+echo "const char *const hash_algo_name[HASH_ALGO__LAST] = {"
+sed -n 's/HASH_ALGO_\(.*\),/[HASH_ALGO_\1] = "\L\1\E",/p' $HASH_INFO
+echo "};"
@@ -50,6 +50,7 @@
#include <string.h>
#include <stdio.h>
#include <assert.h>
+#include <ctype.h>
#include <openssl/crypto.h>
#include <openssl/pem.h>
@@ -58,6 +59,7 @@
#include <openssl/err.h>
#include "imaevm.h"
+#include "hash_info.h"
const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
[PKEY_HASH_MD4] = "md4",
@@ -153,6 +155,17 @@ void dump(const void *ptr, int len)
do_dump(stdout, ptr, len, true);
}
+const char *get_hash_algo_by_id(int algo)
+{
+ if (algo < PKEY_HASH__LAST)
+ return pkey_hash_algo[algo];
+ if (algo < HASH_ALGO__LAST)
+ return hash_algo_name[algo];
+
+ log_err("digest %d not found\n", algo);
+ return "unknown";
+}
+
int get_filesize(const char *filename)
{
struct stat stats;
@@ -528,15 +541,44 @@ int verify_hash_v2(const char *file, const unsigned char *hash, int size,
return 0;
}
+/* compare algo names case insensitively and ignoring separators */
+static int algocmp(const char *a, const char *b)
+{
+ while (*a && *b) {
+ int cha, chb;
+
+ cha = tolower((unsigned char)*a++);
+ if (!isalnum(cha))
+ continue;
+ chb = tolower((unsigned char)*b++);
+ if (!isalnum(chb)) {
+ a--;
+ continue;
+ }
+ if (cha != chb)
+ return -1;
+ }
+ return *a || *b;
+}
+
int get_hash_algo(const char *algo)
{
int i;
+ /* first iterate over builtin algorithms */
for (i = 0; i < PKEY_HASH__LAST; i++)
if (pkey_hash_algo[i] &&
!strcmp(algo, pkey_hash_algo[i]))
return i;
+ /* iterate over algorithms provided by kernel-headers */
+ for (i = 0; i < HASH_ALGO__LAST; i++) {
+ if (hash_algo_name[i] &&
+ !algocmp(algo, hash_algo_name[i]))
+ return i;
+ }
+
+ log_info("digest %s not found, fall back to sha1\n", algo);
return PKEY_HASH_SHA1;
}
@@ -611,7 +653,7 @@ int ima_verify_signature(const char *file, unsigned char *sig, int siglen,
return -1;
}
/* Use hash algorithm as retrieved from signature */
- params.hash_algo = pkey_hash_algo[sig_hash_algo];
+ params.hash_algo = get_hash_algo_by_id(sig_hash_algo);
/*
* Validate the signature based on the digest included in the
If configured with "--with-kernel-headers[=PATH]" try to extract hash algorithms from "hash_info.h" from the kernel source tree or kernel-headers package. (From the specified PATH or from the installed kernel.) This also introduces two algorithm lists, one is built-in and another is from the kernel source. (They should never contain conflicting algorithm IDs by their append-only nature.) If the digest is not found in the built-in list it will be searched in the list from kernel's "hash_info.h". This patch will allow evmctl to be just recompiled to work with digest algorithms introduced in the newer kernels. Suggested-by: Mimi Zohar <zohar@linux.ibm.com> Signed-off-by: Vitaly Chikunov <vt@altlinux.org> --- Changes since v1: - New patch. configure.ac | 6 ++++++ src/Makefile.am | 6 ++++++ src/hash_info.gen | 43 +++++++++++++++++++++++++++++++++++++++++++ src/libimaevm.c | 44 +++++++++++++++++++++++++++++++++++++++++++- 4 files changed, 98 insertions(+), 1 deletion(-) create mode 100755 src/hash_info.gen