| Message ID | 20220902162836.554839-6-zohar@linux.ibm.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | address deprecated warnings | expand |
On 9/2/22 12:28, Mimi Zohar wrote: > OpenSSL v3 emits deprecated warnings for SHA1 functions. Use the > EVP_ functions when walking the TPM 1.2 binary bios measurements > to calculate the TPM 1.2 PCRs. > > Reviewed-by: Petr Vorel <pvorel@suse.cz> > Signed-off-by: Mimi Zohar <zohar@linux.ibm.com> > --- > src/evmctl.c | 65 +++++++++++++++++++++++++++++++++++++++++++++++----- > 1 file changed, 59 insertions(+), 6 deletions(-) > > diff --git a/src/evmctl.c b/src/evmctl.c > index 13b0105af8c4..641504047a36 100644 > --- a/src/evmctl.c > +++ b/src/evmctl.c > @@ -2295,6 +2295,11 @@ static int cmd_ima_measurement(struct command *cmd) > return ima_measurement(file); > } > > +/* > + * read_binary_bios_measurements - read the TPM 1.2 event log > + * > + * Returns 0 on success, 1 on failure. > + */ > #define MAX_EVENT_DATA_SIZE 200000 > static int read_binary_bios_measurements(char *file, struct tpm_bank_info *bank) > { > @@ -2307,12 +2312,19 @@ static int read_binary_bios_measurements(char *file, struct tpm_bank_info *bank) > } header; > unsigned char data[MAX_EVENT_DATA_SIZE]; > } event; > + EVP_MD_CTX *mdctx; > + const EVP_MD *md; > + unsigned int mdlen; > + int evp_err = 1; /* success */ > struct stat s; > FILE *fp; > - SHA_CTX c; > int err = 0; > int len; > int i; > +#if OPENSSL_VERSION_NUMBER < 0x10100000 > + EVP_MD_CTX ctx; > + mdctx = &ctx; > +#endif > > if (stat(file, &s) == -1) { > errno = 0; > @@ -2334,6 +2346,23 @@ static int read_binary_bios_measurements(char *file, struct tpm_bank_info *bank) > if (imaevm_params.verbose > LOG_INFO) > log_info("Reading the TPM 1.2 event log %s.\n", file); > > + md = EVP_get_digestbyname(bank->algo_name); > + if (!md) { > + log_errno("Unknown message digest %s\n", bank->algo_name); > + errno = 0; > + fclose(fp); > + return 1; > + } > + > +#if OPENSSL_VERSION_NUMBER >= 0x10100000 > + mdctx = EVP_MD_CTX_new(); > + if (!mdctx) { > + log_err("EVP_MD_CTX_new failed\n"); > + fclose(fp); > + return 1; > + } > +#endif > + > /* Extend the pseudo TPM PCRs with the event digest */ > while (fread(&event, sizeof(event.header), 1, fp) == 1) { > if (imaevm_params.verbose > LOG_INFO) { > @@ -2342,13 +2371,30 @@ static int read_binary_bios_measurements(char *file, struct tpm_bank_info *bank) > } > if (event.header.pcr >= NUM_PCRS) { > log_err("Invalid PCR %d.\n", event.header.pcr); > - err = 1; > break; > } > - SHA1_Init(&c); > - SHA1_Update(&c, bank->pcr[event.header.pcr], 20); > - SHA1_Update(&c, event.header.digest, 20); > - SHA1_Final(bank->pcr[event.header.pcr], &c); > + > + evp_err = EVP_DigestInit(mdctx, md); > + if (evp_err == 0) { > + log_err("EVP_DigestInit() failed\n"); > + break; > + } > + > + evp_err = EVP_DigestUpdate(mdctx, bank->pcr[event.header.pcr], 20); > + if (evp_err == 0) { > + log_err("EVP_DigestUpdate() failed\n"); > + break; > + } > + evp_err = EVP_DigestUpdate(mdctx, event.header.digest, 20); > + if (evp_err == 0) { > + log_err("EVP_DigestUpdate() failed\n"); > + break; > + } > + evp_err = EVP_DigestFinal(mdctx, bank->pcr[event.header.pcr], &mdlen); > + if (evp_err == 0) { > + log_err("EVP_DigestFinal() failed\n"); > + break; > + } > if (event.header.len > MAX_EVENT_DATA_SIZE) { > log_err("Event data event too long.\n"); > err = 1; > @@ -2357,10 +2403,17 @@ static int read_binary_bios_measurements(char *file, struct tpm_bank_info *bank) > len = fread(event.data, event.header.len, 1, fp); > if (len != 1) { > log_errno("Failed reading event data (short read)\n"); > + err = 1; > break; > } > } > + > + if (evp_err == 0) /* EVP_ functions return 1 on success, 0 on failure */ > + err = 1; > fclose(fp); > +#if OPENSSL_VERSION_NUMBER >= 0x10100000 > + EVP_MD_CTX_free(mdctx); > +#endif > > if (imaevm_params.verbose <= LOG_INFO) > return err; Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
diff --git a/src/evmctl.c b/src/evmctl.c index 13b0105af8c4..641504047a36 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -2295,6 +2295,11 @@ static int cmd_ima_measurement(struct command *cmd) return ima_measurement(file); } +/* + * read_binary_bios_measurements - read the TPM 1.2 event log + * + * Returns 0 on success, 1 on failure. + */ #define MAX_EVENT_DATA_SIZE 200000 static int read_binary_bios_measurements(char *file, struct tpm_bank_info *bank) { @@ -2307,12 +2312,19 @@ static int read_binary_bios_measurements(char *file, struct tpm_bank_info *bank) } header; unsigned char data[MAX_EVENT_DATA_SIZE]; } event; + EVP_MD_CTX *mdctx; + const EVP_MD *md; + unsigned int mdlen; + int evp_err = 1; /* success */ struct stat s; FILE *fp; - SHA_CTX c; int err = 0; int len; int i; +#if OPENSSL_VERSION_NUMBER < 0x10100000 + EVP_MD_CTX ctx; + mdctx = &ctx; +#endif if (stat(file, &s) == -1) { errno = 0; @@ -2334,6 +2346,23 @@ static int read_binary_bios_measurements(char *file, struct tpm_bank_info *bank) if (imaevm_params.verbose > LOG_INFO) log_info("Reading the TPM 1.2 event log %s.\n", file); + md = EVP_get_digestbyname(bank->algo_name); + if (!md) { + log_errno("Unknown message digest %s\n", bank->algo_name); + errno = 0; + fclose(fp); + return 1; + } + +#if OPENSSL_VERSION_NUMBER >= 0x10100000 + mdctx = EVP_MD_CTX_new(); + if (!mdctx) { + log_err("EVP_MD_CTX_new failed\n"); + fclose(fp); + return 1; + } +#endif + /* Extend the pseudo TPM PCRs with the event digest */ while (fread(&event, sizeof(event.header), 1, fp) == 1) { if (imaevm_params.verbose > LOG_INFO) { @@ -2342,13 +2371,30 @@ static int read_binary_bios_measurements(char *file, struct tpm_bank_info *bank) } if (event.header.pcr >= NUM_PCRS) { log_err("Invalid PCR %d.\n", event.header.pcr); - err = 1; break; } - SHA1_Init(&c); - SHA1_Update(&c, bank->pcr[event.header.pcr], 20); - SHA1_Update(&c, event.header.digest, 20); - SHA1_Final(bank->pcr[event.header.pcr], &c); + + evp_err = EVP_DigestInit(mdctx, md); + if (evp_err == 0) { + log_err("EVP_DigestInit() failed\n"); + break; + } + + evp_err = EVP_DigestUpdate(mdctx, bank->pcr[event.header.pcr], 20); + if (evp_err == 0) { + log_err("EVP_DigestUpdate() failed\n"); + break; + } + evp_err = EVP_DigestUpdate(mdctx, event.header.digest, 20); + if (evp_err == 0) { + log_err("EVP_DigestUpdate() failed\n"); + break; + } + evp_err = EVP_DigestFinal(mdctx, bank->pcr[event.header.pcr], &mdlen); + if (evp_err == 0) { + log_err("EVP_DigestFinal() failed\n"); + break; + } if (event.header.len > MAX_EVENT_DATA_SIZE) { log_err("Event data event too long.\n"); err = 1; @@ -2357,10 +2403,17 @@ static int read_binary_bios_measurements(char *file, struct tpm_bank_info *bank) len = fread(event.data, event.header.len, 1, fp); if (len != 1) { log_errno("Failed reading event data (short read)\n"); + err = 1; break; } } + + if (evp_err == 0) /* EVP_ functions return 1 on success, 0 on failure */ + err = 1; fclose(fp); +#if OPENSSL_VERSION_NUMBER >= 0x10100000 + EVP_MD_CTX_free(mdctx); +#endif if (imaevm_params.verbose <= LOG_INFO) return err;