Message ID | 85a96cad-dc04-a617-abfa-fb9427412e52@rosalinux.ru (mailing list archive) |
---|---|
State | New, archived |
Series | ima-evm-utils: Fix compatibility with LibreSSL |
Hi Mikhail,

On Wed, 2019-12-04 at 01:41 +0300, Mikhail Novosyolov wrote:
> P.S. Patch is against commit 3eab1f93 "ima-evm-utils: Release
> version 1.2.1", I did not find newer git.

This patch doesn't apply to my current working branch or to that tag.

Mimi
25.03.2020 00:05, Mimi Zohar wrote:
> Hi Mikhail,
>
> On Wed, 2019-12-04 at 01:41 +0300, Mikhail Novosyolov wrote:
>> P.S. Patch is against commit 3eab1f93 "ima-evm-utils: Release
>> version 1.2.1", I did not find newer git.
> This patch doesn't apply to my current working branch or to that tag.
>
> Mimi
>

Mimi, sorry for not replying for long, I was going to send a new version of the patch in the next few days. Please point me to your working branch, I failed to find it at sourceforge.

Thank you!
On Wed, 2020-03-25 at 01:17 +0300, Mikhail Novosyolov wrote:
> 25.03.2020 00:05, Mimi Zohar wrote:
> > Hi Mikhail,
> >
> > On Wed, 2019-12-04 at 01:41 +0300, Mikhail Novosyolov wrote:
> >> P.S. Patch is against commit 3eab1f93 "ima-evm-utils: Release
> >> version 1.2.1", I did not find newer git.
> > This patch doesn't apply to my current working branch or to that tag.
> >
> > Mimi
> >
> Mimi, sorry for not replying for long, I was going to send a new
> version of the patch in the next few days. Please point me to your
> working branch, I failed to find it at sourceforge.

The next branch is fine. Everything else is still being reviewed. Please remember to include in the patch description the hint on compiling ima-evm-utils with libressl.

Mimi
On Wed, 2020-03-25 at 01:17 +0300, Mikhail Novosyolov wrote:
> 25.03.2020 00:05, Mimi Zohar wrote:
> > Hi Mikhail,
> >
> > On Wed, 2019-12-04 at 01:41 +0300, Mikhail Novosyolov wrote:
> >> P.S. Patch is against commit 3eab1f93 "ima-evm-utils: Release
> >> version 1.2.1", I did not find newer git.
> > This patch doesn't apply to my current working branch or to that tag.
> >
> > Mimi
> >
> Mimi, sorry for not replying for long, I was going to send a new
> version of the patch in the next few days. Please point me to your
> working branch, I failed to find it at sourceforge.

I've just pushed out the "next-testing" topic branch[1]. Please base your changes on this branch. There might need to be some additional changes.

thanks,
Mimi

[1] https://git.code.sf.net/p/linux-ima/ima-evm-utils
Hi Mikhail,

On Wed, 2019-12-04 at 01:41 +0300, Mikhail Novosyolov wrote:
> From 4ae52f3cfb459c59e2e48f0d30c20c3763c8a0e7 Mon Sep 17 00:00:00 2001
> From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
> Date: Wed, 4 Dec 2019 01:07:50 +0300
> Subject: [PATCH] ima-evm-utils: Fix compatibility with LibreSSL
>
> LibreSSL in most cases can be used as a drop-in replacement of OpenSSL.
> Commit 07d799cb6c37 "ima-evm-utils: Preload OpenSSL engine via '--engine' option"
> added OpenSSL-specific functions: "engines" were removed from LibreSSL long ago.
> Instead of requiring to attach GOST support via an external library ("engine"),
> LibreSSL has a built-in implementation of GOST.
>
> Commit ebbfc41ad6ba "ima-evm-utils: try to load digest by its alias" is also not OK
> for LibreSSL because LibreSSL uses different digest names:
> md_gost12_256 -> streebog256
> md_gost12_512 -> streebog512
>
> Example of how it works when linked with LibreSSL:
> $ libressl dgst -streebog256 testfile
> streebog256(a)= 04123f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
> $ evmctl -v ima_hash -a streebog256 testfile
> hash(streebog256): 04123f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
> $ evmctl -v ima_hash -a md_gost12_256 testfile
> EVP_get_digestbyname(md_gost12_256) failed
>
> TODO: it would be nice to map
> md_gost12_256 <-> streebog256
> md_gost12_512 <-> streebog512
> in evmctl CLI arguments to make the same commands work on systems both
> where evmctl is linked with LibreSSL and with OpenSSL.
>
> Fixes: 07d799cb6c37 ("ima-evm-utils: Preload OpenSSL engine via '--engine' option")
> Fixes: ebbfc41ad6ba ("ima-evm-utils: try to load digest by its alias")
> Signed-off-by: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>

Since you posted this patch, I've added support for calculating the boot_aggregate. Could you verify that this patch still works?
As I mentioned in response to Patrick Uiterwijk's support for Intel's TSS2, "testing ima-evm-utils support for multiple crypto and TSS packages requires building a matrix. As I'm new to travis, the travis code is in the next-testing-travis branch, but will not be upstreamed at this point."

From .travis.yml:

matrix:
  include:
    - env: TSS=ibmtss SSL=openssl
    - env: TSS=ibmtss SSL=libressl;
    - env: TSS=tpm2-tss SSL=openssl

I might have set up libressl incorrectly. (Refer to tests/install-libressl.sh). Here's the report:

libtool: link: ranlib .libs/libimaevm.a
libtool: link: ( cd ".libs" && rm -f "libimaevm.la" && ln -s "../libimaevm.la" "libimaevm.la" )
/bin/bash ../libtool --tag=CC --mode=link gcc -g -O2 -g -O1 -Wall -Wstrict-prototypes -pipe -o evmctl evmctl-evmctl.o evmctl-utils.o evmctl-pcr_tsspcrread.o -lcrypto -lkeyutils libimaevm.la
libtool: link: gcc -g -O2 -g -O1 -Wall -Wstrict-prototypes -pipe -o .libs/evmctl evmctl-evmctl.o evmctl-utils.o evmctl-pcr_tsspcrread.o -lcrypto -lkeyutils ./.libs/libimaevm.so
evmctl-evmctl.o: In function `main':
/home/travis/build/linux-integrity/ima-evm-utils/src/evmctl.c:2353: undefined reference to `ERR_free_strings'
/home/travis/build/linux-integrity/ima-evm-utils/src/evmctl.c:2354: undefined reference to `EVP_cleanup'
./.libs/libimaevm.so: undefined reference to `ERR_load_crypto_strings'
collect2: error: ld returned 1 exit status
Makefile:500: recipe for target 'evmctl' failed
make[3]: Leaving directory '/home/travis/build/linux-integrity/ima-evm-utils/src'
Makefile:378: recipe for target 'all' failed
make[2]: Leaving directory '/home/travis/build/linux-integrity/ima-evm-utils/src'
make[3]: *** [evmctl] Error 1
make[2]: *** [all] Error 2
Makefile:515: recipe for target 'all-recursive' failed
make[1]: Leaving directory '/home/travis/build/linux-integrity/ima-evm-utils'
make[1]: *** [all-recursive] Error 1
Makefile:381: recipe for target 'all' failed
make: *** [all] Error 2
The command "autoreconf -i && ./configure && make -j$(nproc) && sudo make install && VERBOSE=1 make check;" exited with 2.

thanks,
Mimi
diff --git a/README b/README index 3603ae8..f843bbe 100644 --- a/README +++ b/README @@ -58,7 +58,7 @@ OPTIONS --smack use extra SMACK xattrs for EVM --m32 force EVM hmac/signature for 32 bit target system --m64 force EVM hmac/signature for 64 bit target system - --engine e preload OpenSSL engine e (such as: gost) + --engine e preload OpenSSL engine e (such as: gost) (not valid for LibreSSL) -v increase verbosity level -h, --help display this help and exit diff --git a/src/evmctl.c b/src/evmctl.c index 3d2a10b..f6507c1 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -62,7 +62,10 @@ #include <openssl/hmac.h> #include <openssl/err.h> #include <openssl/rsa.h> +/* LibreSSL removed engines */ +#ifndef LIBRESSL_VERSION_NUMBER #include <openssl/engine.h> +#endif #ifndef XATTR_APPAARMOR_SUFFIX #define XATTR_APPARMOR_SUFFIX "apparmor" @@ -1849,7 +1852,9 @@ static void usage(void) " --selinux use custom Selinux label for EVM\n" " --caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n" " --list measurement list verification\n" +#ifndef LIBRESSL_VERSION_NUMBER /* LibreSSL removed engines */ " --engine e preload OpenSSL engine e (such as: gost)\n" +#endif " -v increase verbosity level\n" " -h, --help display this help and exit\n" "\n"); @@ -1902,7 +1907,9 @@ static struct option opts[] = { {"selinux", 1, 0, 136}, {"caps", 2, 0, 137}, {"list", 0, 0, 138}, +#ifndef LIBRESSL_VERSION_NUMBER {"engine", 1, 0, 139}, +#endif {"xattr-user", 0, 0, 140}, {} @@ -1947,7 +1954,9 @@ static char *get_password(void) int main(int argc, char *argv[]) { int err = 0, c, lind; +#ifndef LIBRESSL_VERSION_NUMBER ENGINE *eng = NULL; +#endif #if !(OPENSSL_VERSION_NUMBER < 0x10100000) OPENSSL_init_crypto( 
@@ -2065,7 +2074,8 @@ int main(int argc, char *argv[]) case 138: measurement_list = 1; break; - case 139: /* --engine e */ +#ifndef LIBRESSL_VERSION_NUMBER + case 139: /* --engine e, only in OpenSSL, not in LibreSSL */ eng = ENGINE_by_id(optarg); if (!eng) { log_err("engine %s isn't available\n", optarg); @@ -2078,6 +2088,7 @@ int main(int argc, char *argv[]) } ENGINE_set_default(eng, ENGINE_METHOD_ALL); break; +#endif case 140: /* --xattr-user */ xattr_ima = "user.ima"; xattr_evm = "user.evm"; @@ -2108,6 +2119,7 @@ int main(int argc, char *argv[]) } } +#ifndef LIBRESSL_VERSION_NUMBER if (eng) { ENGINE_finish(eng); ENGINE_free(eng); @@ -2115,6 +2127,7 @@ int main(int argc, char *argv[]) ENGINE_cleanup(); #endif } +#endif ERR_free_strings(); EVP_cleanup(); BIO_free(NULL); diff --git a/src/libimaevm.c b/src/libimaevm.c index 7c17bf4..050ea78 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -71,8 +71,10 @@ static const char *const pkey_hash_algo[PKEY_HASH__LAST] = { [PKEY_HASH_SHA384] = "sha384", [PKEY_HASH_SHA512] = "sha512", [PKEY_HASH_SHA224] = "sha224", +#ifndef LIBRESSL_VERSION_NUMBER [PKEY_HASH_STREEBOG_256] = "md_gost12_256", [PKEY_HASH_STREEBOG_512] = "md_gost12_512", +#endif }; /* Names that are primary for the kernel. */
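Review bot: in the README hunk, the new wording "(not valid for LibreSSL)" does not match what the binary actually does, since the usage() hunk in evmctl.c compiles the --engine line out entirely under LIBRESSL_VERSION_NUMBER; phrase it as "(not available when built against LibreSSL)" so the README describes the same behaviour a user sees, namely that the option does not exist in such a build.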
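Review bot: the `#ifndef LIBRESSL_VERSION_NUMBER` guard around `#include <openssl/engine.h>` only works if LIBRESSL_VERSION_NUMBER has already been defined by one of the headers included above it; add an explicit `#include <openssl/opensslv.h>` before the guard so the check does not depend on include order, and consider extending the condition to `|| defined(OPENSSL_NO_ENGINE)`, because an OpenSSL configured with no-engine lacks the same header and the same ENGINE_* calls that every later hunk guards.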
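Review bot: dropping `{"engine", 1, 0, 139},` from opts[] under LibreSSL means `evmctl --engine gost` fails with getopt's generic unrecognised-option error rather than an explanation; keeping the table entry and having the guarded `case 139:` print a short message such as "engine support is not available in this build" would tell users why the option is missing and keeps the option set identical across both builds.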
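Review bot: the `#endif` that closes the engine cleanup block is immediately followed by `ERR_free_strings();` and `EVP_cleanup();`, and those are exactly the symbols the posted Travis link log reports as undefined for the LibreSSL build (evmctl.c:2353 and :2354, plus `ERR_load_crypto_strings` in libimaevm.so), yet this patch does not touch them; whether that failure comes from the Travis LibreSSL setup or from these calls needing their own version handling should be settled and, if needed, the fix folded into this series, since a LibreSSL build that does not link cannot be said to be compatible.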
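Review bot: in the libimaevm.c hunk, compiling out the PKEY_HASH_STREEBOG_256 and PKEY_HASH_STREEBOG_512 initializers leaves those two slots of pkey_hash_algo[] as NULL in a LibreSSL build (designated initializers zero-fill omitted entries), so any loop that strcmp()s table entries against a user-supplied `-a` name or passes them to EVP_get_digestbyname() would need a NULL check, and Streebog stops being selectable by name at all; since the commit message itself states that LibreSSL names these digests streebog256 and streebog512, an `#ifdef LIBRESSL_VERSION_NUMBER` branch setting the entries to "streebog256" and "streebog512", with the existing "md_gost12_256"/"md_gost12_512" in the `#else`, keeps the table complete and delivers the mapping the TODO in the description asks for.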