From patchwork Sun Feb 16 11:10:03 2020
X-Patchwork-Submitter: Mikhail Novosyolov
X-Patchwork-Id: 11384415
To: linux-integrity@vger.kernel.org
From: Mikhail Novosyolov
Subject: [PATCH] ima-evm-utils: Fix compatibility with LibreSSL
Message-ID: <63ba8482-0085-f2d3-dbb9-70bb81990f07@rosalinux.ru>
Date: Sun, 16 Feb 2020 14:10:03 +0300
X-Mailing-List: linux-integrity@vger.kernel.org

LibreSSL in most cases can be used as a drop-in replacement of OpenSSL.

Commit 07d799cb6c37 "ima-evm-utils: Preload OpenSSL engine via '--engine' option" added OpenSSL-specific functions: "engines" were removed from LibreSSL long ago. Instead of requiring GOST support to be attached via an external library ("engine"), LibreSSL has a built-in implementation of GOST.

Commit ebbfc41ad6ba "ima-evm-utils: try to load digest by its alias" is also not OK for LibreSSL because LibreSSL uses different digest names:

md_gost12_256 -> streebog256
md_gost12_512 -> streebog512

Example of how it works when linked with LibreSSL:

$ libressl dgst -streebog256 testfile
streebog256(a)= 04123f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
$ evmctl -v ima_hash -a streebog256 testfile
hash(streebog256): 04123f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
$ evmctl -v ima_hash -a md_gost12_256 testfile
EVP_get_digestbyname(md_gost12_256) failed

TODO: it would be nice to map
md_gost12_256 <-> streebog256
md_gost12_512 <-> streebog512
in evmctl CLI arguments to make the same commands work on systems both where evmctl is linked with LibreSSL and with OpenSSL.

Fixes: 07d799cb6c37 ("ima-evm-utils: Preload OpenSSL engine via '--engine' option")
Fixes: ebbfc41ad6ba ("ima-evm-utils: try to load digest by its alias")
Signed-off-by: Mikhail Novosyolov
---
 README          |  2 +-
 src/evmctl.c    | 15 ++++++++++++++-
 src/libimaevm.c |  2 ++
 3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/README b/README index 3603ae8..f843bbe 100644 --- a/README +++ b/README @@ -58,7 +58,7 @@ OPTIONS        --smack        use extra SMACK xattrs for EVM        --m32          force EVM hmac/signature for 32 bit target system        --m64          force EVM hmac/signature for 64 bit target system -      --engine e     preload OpenSSL engine e (such as: gost) +      --engine e     preload OpenSSL engine e (such as: gost) (not valid for LibreSSL)    -v                 increase verbosity level    -h, --help         display this help and exit   diff --git a/src/evmctl.c b/src/evmctl.c index 3d2a10b..f6507c1 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -62,7 +62,10 @@  #include  #include  #include +/* LibreSSL removed engines */ +#ifndef LIBRESSL_VERSION_NUMBER  #include +#endif    #ifndef XATTR_APPAARMOR_SUFFIX  #define XATTR_APPARMOR_SUFFIX "apparmor" @@ -1849,7 +1852,9 @@ static void usage(void)          "      --selinux      use custom Selinux label for EVM\n"          "      --caps         use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"          "      --list         measurement list verification\n" +#ifndef LIBRESSL_VERSION_NUMBER /* LibreSSL removed engines */          "      --engine e     preload OpenSSL engine e (such as: gost)\n" +#endif          "  -v                 increase verbosity level\n"          "  -h, --help         display this help and exit\n"          "\n"); @@ -1902,7 +1907,9 @@ static struct option opts[] = {      {"selinux", 1, 0, 136},      {"caps", 2, 0, 137},      {"list", 0, 0, 138}, +#ifndef LIBRESSL_VERSION_NUMBER      {"engine", 1, 0, 139}, +#endif      {"xattr-user", 0, 0, 140},      {}   @@ -1947,7 +1954,9 @@ static char *get_password(void)  int main(int argc, char *argv[])  {      int err = 0, c, lind; +#ifndef LIBRESSL_VERSION_NUMBER      ENGINE *eng = NULL; +#endif    #if !(OPENSSL_VERSION_NUMBER < 0x10100000)      OPENSSL_init_crypto( 
@@ -2065,7 +2074,8 @@ int main(int argc, char *argv[])          case 138:              measurement_list = 1;              break; -        case 139: /* --engine e */ +#ifndef LIBRESSL_VERSION_NUMBER +        case 139: /* --engine e, only in OpenSSL, not in LibreSSL */              eng = ENGINE_by_id(optarg);              if (!eng) {                  log_err("engine %s isn't available\n", optarg); @@ -2078,6 +2088,7 @@ int main(int argc, char *argv[])              }              ENGINE_set_default(eng, ENGINE_METHOD_ALL);              break; +#endif          case 140: /* --xattr-user */              xattr_ima = "user.ima";              xattr_evm = "user.evm"; @@ -2108,6 +2119,7 @@ int main(int argc, char *argv[])          }      }   +#ifndef LIBRESSL_VERSION_NUMBER      if (eng) {          ENGINE_finish(eng);          ENGINE_free(eng); @@ -2115,6 +2127,7 @@ int main(int argc, char *argv[])          ENGINE_cleanup();  #endif      } +#endif      ERR_free_strings();      EVP_cleanup();      BIO_free(NULL); diff --git a/src/libimaevm.c b/src/libimaevm.c index 7c17bf4..050ea78 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -71,8 +71,10 @@ static const char *const pkey_hash_algo[PKEY_HASH__LAST] = {      [PKEY_HASH_SHA384]    = "sha384",      [PKEY_HASH_SHA512]    = "sha512",      [PKEY_HASH_SHA224]    = "sha224", +#ifndef LIBRESSL_VERSION_NUMBER      [PKEY_HASH_STREEBOG_256] = "md_gost12_256",      [PKEY_HASH_STREEBOG_512] = "md_gost12_512", +#endif  };    /* Names that are primary for the kernel. */
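Review bot: the README hunk documents --engine as "(not valid for LibreSSL)", but the evmctl.c hunks remove the option from usage() and opts[] entirely under LIBRESSL_VERSION_NUMBER, so a LibreSSL build reports --engine as an unrecognized option rather than an invalid one; either word the README as "(OpenSSL only; not available when built against LibreSSL)" or keep the option and reject it with a clear message. The README also says nothing about the digest-name difference the description relies on (streebog256/streebog512 instead of md_gost12_256/md_gost12_512 when linked with LibreSSL); a sentence next to the -a option documentation would spare users the "EVP_get_digestbyname(md_gost12_256) failed" shown in the description.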
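Review bot: in the first evmctl.c hunk, LIBRESSL_VERSION_NUMBER is defined by LibreSSL's openssl/opensslv.h, so "#ifndef LIBRESSL_VERSION_NUMBER" only takes effect if an OpenSSL header that pulls in opensslv.h is included above this point; the context lines here have lost their include names, so please confirm the ordering, otherwise engine.h is still included on LibreSSL and the guard is a no-op. Consider also covering OpenSSL built with no-engine, which defines OPENSSL_NO_ENGINE and fails on the same include and ENGINE_* calls, e.g. "#if !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_NO_ENGINE)" defined once as a HAVE_ENGINE-style macro near the includes and reused below.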
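Review bot: the five separate #ifndef LIBRESSL_VERSION_NUMBER blocks in evmctl.c (the usage string, the {"engine", 1, 0, 139} entry in opts[], the ENGINE *eng declaration, case 139, and the ENGINE_finish/ENGINE_free cleanup block) all express one condition and must stay in sync: guarding the declaration without case 139 gives an unused-variable warning, while guarding opts[] without case 139 leaves dead code, and none of these is caught at build time on an OpenSSL host. Deriving them from a single macro keeps that to one place; the nesting in the cleanup hunk (outer #ifndef, inner "#if !(OPENSSL_VERSION_NUMBER < 0x10100000)" ... #endif, then the closing brace and outer #endif) is correct as posted.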
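Review bot: the libimaevm.c hunk leaves pkey_hash_algo[PKEY_HASH_STREEBOG_256] and pkey_hash_algo[PKEY_HASH_STREEBOG_512] as NULL in a LibreSSL build, because designated initializers zero-fill the omitted slots of an array sized by PKEY_HASH__LAST; any loop over pkey_hash_algo that hands an entry to strcmp() or EVP_get_digestbyname() without a NULL check will crash on those two indices. Since the description already gives the LibreSSL names, mapping them here avoids the NULL entries and closes the TODO at the same time: "#ifdef LIBRESSL_VERSION_NUMBER" / "[PKEY_HASH_STREEBOG_256] = "streebog256"," / "[PKEY_HASH_STREEBOG_512] = "streebog512"," with the existing md_gost12_* strings in the #else branch.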