From patchwork Tue Dec 3 22:41:31 2019
X-Patchwork-Submitter: Mikhail Novosyolov
X-Patchwork-Id: 11271933
From: Mikhail Novosyolov
To: linux-integrity@vger.kernel.org
Cc: Mimi Zohar, Vitaly Chikunov, Mikhail Novosyolov
Subject: [PATCH] ima-evm-utils: Fix compatibility with LibreSSL
Message-ID: <85a96cad-dc04-a617-abfa-fb9427412e52@rosalinux.ru>
Date: Wed, 4 Dec 2019 01:41:31 +0300
X-Mailing-List: linux-integrity@vger.kernel.org

From 4ae52f3cfb459c59e2e48f0d30c20c3763c8a0e7 Mon Sep 17 00:00:00 2001
From: Mikhail Novosyolov
Date: Wed, 4 Dec 2019 01:07:50 +0300
Subject: [PATCH] ima-evm-utils: Fix compatibility with LibreSSL

LibreSSL in most cases can be used as a drop-in replacement of OpenSSL.

Commit 07d799cb6c37 "ima-evm-utils: Preload OpenSSL engine via '--engine' option" added OpenSSL-specific functions: "engines" were removed from LibreSSL long ago. Instead of requiring GOST support to be attached via an external library ("engine"), LibreSSL has a built-in implementation of GOST.

Commit ebbfc41ad6ba "ima-evm-utils: try to load digest by its alias" is also not OK for LibreSSL because LibreSSL uses different digest names:

md_gost12_256 -> streebog256
md_gost12_512 -> streebog512

Example of how it works when linked with LibreSSL:

$ libressl dgst -streebog256 testfile
streebog256(a)= 04123f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
$ evmctl -v ima_hash -a streebog256 testfile
hash(streebog256): 04123f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
$ evmctl -v ima_hash -a md_gost12_256 testfile
EVP_get_digestbyname(md_gost12_256) failed

TODO: it would be nice to map
md_gost12_256 <-> streebog256
md_gost12_512 <-> streebog512
in evmctl CLI arguments to make the same commands work on systems both where evmctl is linked with LibreSSL and with OpenSSL.

Fixes: 07d799cb6c37 ("ima-evm-utils: Preload OpenSSL engine via '--engine' option")
Fixes: ebbfc41ad6ba ("ima-evm-utils: try to load digest by its alias")
Signed-off-by: Mikhail Novosyolov
---
 README          |  2 +-
 src/evmctl.c    | 15 ++++++++++++++-
 src/libimaevm.c |  2 ++
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/README b/README index 3603ae8..f843bbe 100644 --- a/README +++ b/README
@@ -58,7 +58,7 @@ OPTIONS        --smack        use extra SMACK xattrs for EVM        --m32          force EVM hmac/signature for 32 bit target system        --m64          force EVM hmac/signature for 64 bit target system -      --engine e     preload OpenSSL engine e (such as: gost) +      --engine e     preload OpenSSL engine e (such as: gost) (not valid for LibreSSL)    -v                 increase verbosity level    -h, --help         display this help and exit   diff --git a/src/evmctl.c b/src/evmctl.c index 3d2a10b..f6507c1 100644 --- a/src/evmctl.c +++ b/src/evmctl.c @@ -62,7 +62,10 @@  #include  #include  #include +/* LibreSSL removed engines */ +#ifndef LIBRESSL_VERSION_NUMBER  #include +#endif    #ifndef XATTR_APPAARMOR_SUFFIX  #define XATTR_APPARMOR_SUFFIX "apparmor" @@ -1849,7 +1852,9 @@ static void usage(void)          "      --selinux      use custom Selinux label for EVM\n"          "      --caps         use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"          "      --list         measurement list verification\n" +#ifndef LIBRESSL_VERSION_NUMBER /* LibreSSL removed engines */          "      --engine e     preload OpenSSL engine e (such as: gost)\n" +#endif          "  -v                 increase verbosity level\n"          "  -h, --help         display this help and exit\n"          "\n"); @@ -1902,7 +1907,9 @@ static struct option opts[] = {      {"selinux", 1, 0, 136},      {"caps", 2, 0, 137},      {"list", 0, 0, 138}, +#ifndef LIBRESSL_VERSION_NUMBER      {"engine", 1, 0, 139}, +#endif      {"xattr-user", 0, 0, 140},      {}   @@ -1947,7 +1954,9 @@ static char *get_password(void)  int main(int argc, char *argv[])  {      int err = 0, c, lind; +#ifndef LIBRESSL_VERSION_NUMBER      ENGINE *eng = NULL; +#endif    #if !(OPENSSL_VERSION_NUMBER < 0x10100000)      OPENSSL_init_crypto( 
@@ -2065,7 +2074,8 @@ int main(int argc, char *argv[])          case 138:              measurement_list = 1;              break; -        case 139: /* --engine e */ +#ifndef LIBRESSL_VERSION_NUMBER +        case 139: /* --engine e, only in OpenSSL, not in LibreSSL */              eng = ENGINE_by_id(optarg);              if (!eng) {                  log_err("engine %s isn't available\n", optarg); @@ -2078,6 +2088,7 @@ int main(int argc, char *argv[])              }              ENGINE_set_default(eng, ENGINE_METHOD_ALL);              break; +#endif          case 140: /* --xattr-user */              xattr_ima = "user.ima";              xattr_evm = "user.evm"; @@ -2108,6 +2119,7 @@ int main(int argc, char *argv[])          }      }   +#ifndef LIBRESSL_VERSION_NUMBER      if (eng) {          ENGINE_finish(eng);          ENGINE_free(eng); @@ -2115,6 +2127,7 @@ int main(int argc, char *argv[])          ENGINE_cleanup();  #endif      } +#endif      ERR_free_strings();      EVP_cleanup();      BIO_free(NULL); diff --git a/src/libimaevm.c b/src/libimaevm.c index 7c17bf4..050ea78 100644 --- a/src/libimaevm.c +++ b/src/libimaevm.c @@ -71,8 +71,10 @@ static const char *const pkey_hash_algo[PKEY_HASH__LAST] = {      [PKEY_HASH_SHA384]    = "sha384",      [PKEY_HASH_SHA512]    = "sha512",      [PKEY_HASH_SHA224]    = "sha224", +#ifndef LIBRESSL_VERSION_NUMBER      [PKEY_HASH_STREEBOG_256] = "md_gost12_256",      [PKEY_HASH_STREEBOG_512] = "md_gost12_512", +#endif  };    /* Names that are primary for the kernel. */
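Review bot: the README hunk and the usage() hunk in src/evmctl.c now disagree about --engine under LibreSSL: README keeps the option listed with "(not valid for LibreSSL)", while usage() drops the line entirely under #ifndef LIBRESSL_VERSION_NUMBER and opts[] no longer contains {"engine", 1, 0, 139}, so a LibreSSL build will reject --engine as an unknown option rather than explain it. Pick one behaviour: either state in README that the option does not exist in LibreSSL builds, or keep the usage() line with the same "(not valid for LibreSSL)" note so the two help texts match.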
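Review bot: the #ifndef LIBRESSL_VERSION_NUMBER guard added around the engine header in the @@ -62,7 hunk is only meaningful if a header that defines that macro (<openssl/opensslv.h>, directly or through another openssl/ header) has already been included above it; the names of the preceding includes are not visible in this hunk, so please confirm the ordering, because if the macro is not yet defined at that point the guard silently admits the include on LibreSSL. Consider also guarding on OPENSSL_NO_ENGINE (OpenSSL defines it for builds configured without engine support), e.g. `#if !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_NO_ENGINE)`, and using the same condition for the usage(), opts[], `ENGINE *eng = NULL;`, case 139 and cleanup hunks so all of them toggle together.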
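Review bot: the #ifndef LIBRESSL_VERSION_NUMBER opened before `case 139:` in the @@ -2065,7 hunk is closed by the #endif after `break;` in the @@ -2078,6 hunk, and the cleanup change in @@ -2108,6 / @@ -2115,6 nests a new #ifndef/#endif pair around the existing `#endif` that follows ENGINE_cleanup(); with the pairs split across hunks and nested, please tag the new closing lines, e.g. `#endif /* !LIBRESSL_VERSION_NUMBER */`, so a reader can match them without counting.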
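Review bot: in the src/libimaevm.c hunk, dropping the two designated initializers under LibreSSL leaves pkey_hash_algo[PKEY_HASH_STREEBOG_256] and pkey_hash_algo[PKEY_HASH_STREEBOG_512] as NULL entries while the enum values still exist, so any code that indexes the table by algorithm id or walks it and hands the name to strcmp() or EVP_get_digestbyname() needs a NULL check, otherwise a streebog key or signature selects a NULL name. Since the commit message already gives the LibreSSL names, an #else branch setting the two slots to "streebog256" and "streebog512" would keep the table complete on both libraries and also implement the md_gost12_256 <-> streebog256 / md_gost12_512 <-> streebog512 mapping the commit message leaves as a TODO.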