From bd81576153cd9e3ebf45692d74858f4cb31661f5 Mon Sep 17 00:00:00 2001 From: Roberto Sassu Date: Tue, 8 Sep 2020 10:37:44 +0200 Subject: [PATCH 01/17] Initialize list_struct after determining modifiers --- generators/compact.c | 46 ++++++++++++++++++++++--------------------- generators/rpm.c | 38 +++++++++++++++++------------------ generators/unknown.c | 47 ++++++++++++++++++++++---------------------- 3 files changed, 67 insertions(+), 64 deletions(-) diff --git a/generators/compact.c b/generators/compact.c index 849d5b5..94fcc57 100644 --- a/generators/compact.c +++ b/generators/compact.c @@ -34,12 +34,12 @@ #define FORMAT_TLV "compact_tlv" static int add_file(int dirfd, int fd, char *path, u16 type, u16 modifiers, - struct stat *st, struct list_struct *list, - struct list_struct *list_file, enum hash_algo algo, - enum hash_algo ima_algo, bool tlv, bool gen_list, - bool include_lsm_label, bool root_cred, bool set_ima_xattr, - bool set_evm_xattr, char *alt_root, char *caps, - char *file_digest, char *label) + struct list_head *list_head, struct stat *st, + enum hash_algo algo, enum hash_algo ima_algo, bool tlv, + bool gen_list, bool include_lsm_label, + bool include_ima_digests, bool root_cred, + bool set_ima_xattr, bool set_evm_xattr, char *alt_root, + char *caps, char *file_digest, char *label) { cap_t c; u8 ima_xattr[2048]; @@ -52,6 +52,7 @@ static int add_file(int dirfd, int fd, char *path, u16 type, u16 modifiers, LIST_HEAD(items); struct stat s; int gen_ima_xattr = 1; + struct list_struct *list = NULL, *list_file = NULL; int ret, ima_xattr_len, obj_label_len = 0, caps_bin_len = 0; if (!S_ISREG(st->st_mode)) 
@@ -76,6 +77,18 @@ static int add_file(int dirfd, int fd, char *path, u16 type, u16 modifiers, st->st_size) modifiers |= (1 << COMPACT_MOD_IMMUTABLE); + list = compact_list_init(list_head, type, modifiers, algo, tlv); + if (!list) + return -ENOMEM; + + if (type == COMPACT_METADATA && include_ima_digests) { + list_file = compact_list_init(list_head, COMPACT_FILE, + modifiers, algo, tlv); + if (!list_file) + return -ENOMEM; + } + + if (!file_digest) { ret = calc_file_digest(digest, -1, path, algo); if (ret < 0) { @@ -201,7 +214,7 @@ static int add_file(int dirfd, int fd, char *path, u16 type, u16 modifiers, } if (!tlv) { - if (type == COMPACT_METADATA && list_file) { + if (type == COMPACT_METADATA && include_ima_digests) { ret = compact_list_add_digest(fd, list_file, ima_digest); if (ret < 0) @@ -260,7 +273,6 @@ int generator(int dirfd, int pos, struct list_head *head_in, char filename[NAME_MAX + 1], *basename = NULL, *link = NULL; char path[PATH_MAX], *path_list = NULL, *data_ptr, *line_ptr; char *path_ptr = NULL, *gen_list_path = NULL, *real_path; - struct list_struct *list = NULL, *list_file = NULL; struct path_struct *cur, *cur_i, *cur_e; LIST_HEAD(list_head); FTS *fts = NULL; @@ -390,17 +402,6 @@ int generator(int dirfd, int pos, struct list_head *head_in, goto out_selinux; } - list = compact_list_init(&list_head, type, modifiers, algo, tlv); - if (!list) - goto out_close; - - if (type == COMPACT_METADATA && include_ima_digests) { - list_file = compact_list_init(&list_head, COMPACT_FILE, - modifiers, algo, tlv); - if (!list_file) - goto out_close; - } - list_for_each_entry(cur, head_in, list) { if (cur->path[0] != 'I') continue; 
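Review bot: The compact_list_init() calls added at the top of this hunk now run once per file, so the generated output silently depends on compact_list_init() returning the already-created list for an identical (type, modifiers, algo, tlv) tuple rather than appending a fresh one to list_head; nothing in the patch shows which it does, and if it appends, every file ends up with its own list header. A one-line comment at the call site stating the expectation, `/* compact_list_init() must reuse an existing list with the same type/modifiers/algo */`, would make that contract explicit for the next reader. The early `return -ENOMEM` is safe here only because nothing has been allocated yet; add_file()'s body continues past the hunk, so later failures still have to go through out/out_free_items.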
@@ -501,10 +502,11 @@ int generator(int dirfd, int pos, struct list_head *head_in, continue; ret = add_file(dirfd, fd, ftsent->fts_path, - type, modifiers, statp, list, - list_file, algo, ima_algo, tlv, + type, modifiers, &list_head, + statp, algo, ima_algo, tlv, gen_list_path != NULL, - include_lsm_label, root_cred, + include_lsm_label, + include_ima_digests, root_cred, set_ima_xattr, set_evm_xattr, alt_root, cur->attrs[ATTR_CAPS], cur->attrs[ATTR_DIGEST], diff --git a/generators/rpm.c b/generators/rpm.c index 482a393..8cc2f87 100644 --- a/generators/rpm.c +++ b/generators/rpm.c @@ -61,9 +61,8 @@ static int add_file(int dirfd, char *filename, Header *hdr, u16 type, rpmtd filedigestalgo, filedigests, filemodes, filesizes, filecaps; rpmtd basenames, dirnames, dirindexes; struct path_struct *cur; - uint16_t mode; + uint16_t mode, cur_modifiers; uint32_t size, dirindex; - u16 file_modifiers; cap_t c; struct vfs_cap_data rawvfscap; int rawvfscap_len, fd; @@ -102,18 +101,9 @@ static int add_file(int dirfd, char *filename, Header *hdr, u16 type, } algo = pgp_algo_mapping[pgp_algo]; - list = compact_list_init(&list_head, type, modifiers, algo, tlv); - if (!list) - goto out_close; - - if (type == COMPACT_METADATA && include_ima_digests) { - list_file = compact_list_init(&list_head, COMPACT_FILE, - modifiers, algo, tlv); - if (!list_file) - goto out_close; - } while ((ima_digest_str = rpmtdNextString(filedigests))) { + cur_modifiers = modifiers; include_file = 0; ret = 0; 
@@ -161,15 +151,25 @@ static int add_file(int dirfd, char *filename, Header *hdr, u16 type, if (!include_file) continue; - if (type == COMPACT_METADATA) { - file_modifiers = modifiers; - if (((mode & S_IXUGO) || - !(mode & S_IWUGO)) && size) - file_modifiers |= (1 << COMPACT_MOD_IMMUTABLE); + if (((mode & S_IXUGO) || !(mode & S_IWUGO)) && size) + cur_modifiers |= (1 << COMPACT_MOD_IMMUTABLE); + + list = compact_list_init(&list_head, type, cur_modifiers, algo, + tlv); + if (!list) + goto out_close; + + if (type == COMPACT_METADATA && include_ima_digests) { + list_file = compact_list_init(&list_head, COMPACT_FILE, + modifiers, algo, tlv); + if (!list_file) + goto out_close; + } + if (type == COMPACT_METADATA) { ret = gen_write_ima_xattr(ima_xattr, &ima_xattr_len, file_path, algo, ima_digest, - (file_modifiers & (1 << COMPACT_MOD_IMMUTABLE)), + (modifiers & (1 << COMPACT_MOD_IMMUTABLE)), set_ima_xattr); if (ret < 0) goto out_close; @@ -177,7 +177,7 @@ static int add_file(int dirfd, char *filename, Header *hdr, u16 type, if (set_evm_xattr) { ret = write_evm_xattr(file_path, algo); if (ret < 0) - return ret; + goto out_close; } if (include_lsm_label) { diff --git a/generators/unknown.c b/generators/unknown.c index 8eaf97c..f182dd6 100644 --- a/generators/unknown.c +++ b/generators/unknown.c 
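Review bot: The gen_write_ima_xattr() call in this hunk now passes `(modifiers & (1 << COMPACT_MOD_IMMUTABLE))`, but the per-file immutable bit computed a few lines above goes into cur_modifiers, so the security.ima flag no longer reflects whether the file is executable/read-only — the removed code used file_modifiers, which did. The COMPACT_FILE list is likewise initialised with `modifiers` while the main list uses `cur_modifiers`, unlike compact.c in this same patch where both lists see the updated value. Unless that divergence is deliberate, both places should read `cur_modifiers`: `(cur_modifiers & (1 << COMPACT_MOD_IMMUTABLE))` and `compact_list_init(&list_head, COMPACT_FILE, cur_modifiers, algo, tlv)`. add_file() starts before this hunk.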
@@ -35,12 +35,12 @@ #define FORMAT_TLV "compact_tlv" static int add_file(int dirfd, int fd, char *path, u16 type, u16 modifiers, - struct stat *st, struct list_struct *list, - struct list_struct *list_file, enum hash_algo algo, - enum hash_algo ima_algo, bool tlv, bool gen_list, - bool include_lsm_label, bool root_cred, bool set_ima_xattr, - bool set_evm_xattr, char *alt_root, char *caps, - char *file_digest, char *label) + struct list_head *list_head, struct stat *st, + enum hash_algo algo, enum hash_algo ima_algo, bool tlv, + bool gen_list, bool include_lsm_label, + bool include_ima_digests, bool root_cred, + bool set_ima_xattr, bool set_evm_xattr, char *alt_root, + char *caps, char *file_digest, char *label) { cap_t c; struct ima_digest *found_digest; @@ -54,6 +54,7 @@ static int add_file(int dirfd, int fd, char *path, u16 type, u16 modifiers, struct stat s; LIST_HEAD(items); int gen_ima_xattr = 1; + struct list_struct *list = NULL, *list_file = NULL; int ret, ima_xattr_len, obj_label_len = 0, caps_bin_len = 0; if (!S_ISREG(st->st_mode)) @@ -70,6 +71,17 @@ static int add_file(int dirfd, int fd, char *path, u16 type, u16 modifiers, st->st_size) modifiers |= (1 << COMPACT_MOD_IMMUTABLE); + list = compact_list_init(list_head, type, modifiers, algo, tlv); + if (!list) + return -ENOMEM; + + if (type == COMPACT_METADATA && include_ima_digests) { + list_file = compact_list_init(list_head, COMPACT_FILE, + modifiers, algo, tlv); + if (!list_file) + return -ENOMEM; + } + if (!file_digest) { ret = calc_file_digest(digest, -1, path, algo); if (ret < 0) { @@ -209,7 +221,7 @@ static int add_file(int dirfd, int fd, char *path, u16 type, u16 modifiers, } if (!tlv) { - if (type == COMPACT_METADATA && list_file) { + if (type == COMPACT_METADATA && include_ima_digests) { ret = compact_list_add_digest(fd, list_file, ima_digest); if (ret < 0) 
@@ -256,7 +268,6 @@ int generator(int dirfd, int pos, struct list_head *head_in, FTS *fts = NULL; FTSENT *ftsent; char *paths[2] = { "/", NULL }; - struct list_struct *list = NULL, *list_file = NULL; char filename[NAME_MAX + 1]; char path[PATH_MAX]; char *digest_lists_dir = NULL, *path_list = NULL, *gen_list_path = NULL; @@ -397,17 +408,6 @@ int generator(int dirfd, int pos, struct list_head *head_in, goto out_selinux; } - list = compact_list_init(&list_head, type, modifiers, algo, tlv); - if (!list) - goto out_close; - - if (type == COMPACT_METADATA && include_ima_digests) { - list_file = compact_list_init(&list_head, COMPACT_FILE, - modifiers, algo, tlv); - if (!list_file) - goto out_close; - } - list_for_each_entry(cur, head_in, list) { if (cur->path[0] != 'I') continue; @@ -506,11 +506,12 @@ int generator(int dirfd, int pos, struct list_head *head_in, continue; ret = add_file(dirfd, fd, ftsent->fts_path, - type, modifiers, statp, - list, list_file, algo, ima_algo, tlv, + type, modifiers, &list_head, statp, + algo, ima_algo, tlv, gen_list_path != NULL, - include_lsm_label, root_cred, - set_ima_xattr, set_evm_xattr, alt_root, + include_lsm_label, include_ima_digests, + root_cred, set_ima_xattr, set_evm_xattr, + alt_root, cur->attrs[ATTR_CAPS], cur->attrs[ATTR_DIGEST], cur->attrs[ATTR_OBJ_LABEL]); -- Gitee From fece5bc446e2f85f245425939be917c0cd75698b Mon Sep 17 00:00:00 2001 From: Roberto Sassu Date: Mon, 28 Sep 2020 14:23:41 +0200 Subject: [PATCH 02/17] Fix DIGEST_LIST_PCR --- lib/ima_list.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/ima_list.c b/lib/ima_list.c index 2faf7fa..eea4a39 100644 --- a/lib/ima_list.c +++ b/lib/ima_list.c @@ -19,7 +19,7 @@ #include "ima_list.h" #define TCG_EVENT_NAME_LEN_MAX 255 -#define DIGEST_LIST_PCR 16 +#define DIGEST_LIST_PCR 11 #define IMA_SIG_TEMPLATE "ima-sig" #define IMA_DIGEST_ALGO HASH_ALGO_SHA256 #define IMA_PATH "/sys/kernel/security/ima/binary_runtime_measurements" -- Gitee 
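Review bot: Moving DIGEST_LIST_PCR from 16 to 11 is the right direction — PCR 16 is conventionally the TPM debug PCR and can be reset at runtime, so digest-list events extended there carry no attestation value — but the value is now duplicated by hand on the kernel command line in scripts/setup_grub2 (`ima_digest_list_pcr=11`) and nothing ties the two together. A comment on the define, `/* must match ima_digest_list_pcr= on the kernel command line (see scripts/setup_grub2) */`, would at least flag the coupling the next time either side changes.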
From 723eacef7c7a9a82cd6c4b56baf92c7d65958ac2 Mon Sep 17 00:00:00 2001 From: Roberto Sassu Date: Thu, 22 Oct 2020 11:24:12 +0200 Subject: [PATCH 03/17] Set EVM xattr for repair-meta parser op --- lib/parser_lib.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/parser_lib.c b/lib/parser_lib.c index c68cc98..e20bcff 100644 --- a/lib/parser_lib.c +++ b/lib/parser_lib.c @@ -211,6 +211,9 @@ int check_repair_xattr(char *path, char *xattr_name, void *xattr_value, } } + if (repair) + write_evm_xattr(path, ima_algo); + ret = 0; out: free(cur_xattr_value); -- Gitee From 7b863307b6d47e22edc2e5e5ae1e5c0c5a173d5c Mon Sep 17 00:00:00 2001 From: Roberto Sassu Date: Tue, 9 Feb 2021 12:31:16 +0100 Subject: [PATCH 04/17] Add support for PGP keys --- include/crypto.h | 2 + include/pgp.h | 27 +++ lib/crypto.c | 31 +++- lib/pgp.c | 451 +++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 510 insertions(+), 1 deletion(-) diff --git a/include/crypto.h b/include/crypto.h index 615f11e..7284c6b 100644 --- a/include/crypto.h +++ b/include/crypto.h @@ -46,6 +46,8 @@ struct key_struct { void free_keys(struct list_head *head); struct key_struct *new_key(struct list_head *head, int dirfd, char *key_path, char *keypass, bool private); +struct key_struct *new_key_pgp(struct list_head *head, int dirfd, + char *key_path); struct key_struct *lookup_key(struct list_head *head, int dirfd, char *key_path, u8 *keyid); int verify_file(struct list_head *head, int dirfd, char *filename); diff --git a/include/pgp.h b/include/pgp.h index 067ec37..36dd15b 100644 --- a/include/pgp.h +++ b/include/pgp.h @@ -19,6 +19,7 @@ #define _PGP_H #include +#include #include "kernel_lib.h" #include "lib.h" 
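Review bot: The added `write_evm_xattr(path, ima_algo)` discards its return value and the function then sets `ret = 0`, so a repair that fixed security.ima but failed to write security.evm (no permission, unsupported filesystem, missing key) is reported as success, leaving a file that will fail EVM appraisal with nothing in the logs. Propagate the error instead: `if (repair) { ret = write_evm_xattr(path, ima_algo); if (ret < 0) goto out; }`. check_repair_xattr() starts outside the hunk, so confirm that `out:` is the right cleanup label for that path.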
@@ -195,4 +196,30 @@ struct pgp_signature_v4_packet { int pgp_get_signature_data(const u8 *signature, size_t signature_len, u8 **data, size_t *data_len, u8 **sig, size_t *sig_len, u8 **issuer, u16 *algo); + +/* + * Key (tag 5, 6, 7 and 14) packet + */ +enum pgp_key_version { + PGP_KEY_VERSION_2 = 2, + PGP_KEY_VERSION_3 = 3, + PGP_KEY_VERSION_4 = 4, +}; + +struct pgp_key_v3_packet { + enum pgp_key_version version : 8; + struct pgp_time creation_time; + u8 expiry[2]; /* 0 or time in days till expiry */ + enum pgp_pubkey_algo pubkey_algo : 8; + u8 key_material[0]; +} __attribute__((packed)); + +struct pgp_key_v4_packet { + enum pgp_key_version version : 8; + struct pgp_time creation_time; + enum pgp_pubkey_algo pubkey_algo : 8; + u8 key_material[0]; +} __attribute__((packed)); + +RSA *pgp_key_parse(const u8 *data, size_t datalen, u8 *keyid); #endif /* _PGP_H */ diff --git a/lib/crypto.c b/lib/crypto.c index c3b72ae..585cc05 100644 --- a/lib/crypto.c +++ b/lib/crypto.c @@ -21,7 +21,7 @@ #include "crypto.h" #include "xattr.h" - +#include "pgp.h" int calc_digest(u8 *digest, void *data, u64 len, enum hash_algo algo) { @@ -226,6 +226,35 @@ out: return new; } +struct key_struct *new_key_pgp(struct list_head *head, int dirfd, + char *key_path) +{ + struct key_struct *new = NULL; + void *data; + loff_t size; + int ret; + + ret = read_file_from_path(-1, key_path, &data, &size); + if (ret < 0) + return NULL; + + new = calloc(1, sizeof(*new)); + if (!new) + goto out; + + new->key = pgp_key_parse(data, size, new->keyid); + if (!new->key) { + free(new); + new = NULL; + goto out; + } + + list_add_tail(&new->list, head); +out: + munmap(data, size); + return new; +} + struct key_struct *lookup_key(struct list_head *head, int dirfd, char *key_path, u8 *keyid) { diff --git a/lib/pgp.c b/lib/pgp.c index 8c33077..dd8d135 100644 --- a/lib/pgp.c +++ b/lib/pgp.c 
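Review bot: new_key_pgp() takes a dirfd but passes `-1` to read_file_from_path(), so a relative key path is resolved against the process CWD rather than the directory the caller handed in; if that mirrors what new_key() does it deserves a comment, otherwise pass `dirfd` through. pgp_key_parse() returns NULL for every failure, so callers cannot tell "file unreadable" from "not an RSA key"; a `printf("Cannot parse PGP key %s\n", key_path);` on the failure branch would help when a key silently fails to load. The function is complete within the hunk.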
@@ -1,4 +1,5 @@ /* + * Copyright (C) 1998, 1999 Free Software Foundation, Inc. * Copyright (C) 2011 Red Hat, Inc. All Rights Reserved. * Copyright (C) 2018 Huawei Technologies Duesseldorf GmbH * @@ -16,6 +17,8 @@ */ #include #include +#include +#include #include #include @@ -23,6 +26,9 @@ #define BIT_WORD(nr) ((nr) / __BITS_PER_LONG) #define BIT_MASK(nr) (1UL << ((nr) % __BITS_PER_LONG)) +#define MAX_MPI 5 +#define MAX_EXTERN_MPI_BITS 16384 +#define __KERNEL_DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d)) /** * test_bit - Determine whether a bit is set 
@@ -551,3 +557,448 @@ out: return ret; } + +struct pgp_parse_pubkey { + enum pgp_key_version version : 8; + enum pgp_pubkey_algo pubkey_algo : 8; + unsigned int creation_time; + unsigned int expires_at; +}; + +/** + * pgp_parse_public_key - Parse the common part of a PGP pubkey packet + * @_data: Content of packet (updated) + * @_datalen: Length of packet remaining (updated) + * @pk: Public key data + * + * Parse the common data struct for a PGP pubkey packet [RFC 4880: 5.5.2]. + */ +int pgp_parse_public_key(const u8 **_data, size_t *_datalen, + struct pgp_parse_pubkey *pk) +{ + const u8 *data = *_data; + size_t datalen = *_datalen; + unsigned int tmp; + + if (datalen < 12) { + pr_debug("Public key packet too short\n"); + return -EBADMSG; + } + + pk->version = *data++; + switch (pk->version) { + case PGP_KEY_VERSION_2: + case PGP_KEY_VERSION_3: + case PGP_KEY_VERSION_4: + break; + default: + pr_debug("Public key packet with unhandled version %d\n", + pk->version); + return -EBADMSG; + } + + tmp = *data++ << 24; + tmp |= *data++ << 16; + tmp |= *data++ << 8; + tmp |= *data++; + pk->creation_time = tmp; + if (pk->version == PGP_KEY_VERSION_4) { + pk->expires_at = 0; /* Have to get it from the selfsignature */ + } else { + unsigned short ndays; + + ndays = *data++ << 8; + ndays |= *data++; + if (ndays) + pk->expires_at = pk->creation_time + ndays * 86400UL; + else + pk->expires_at = 0; + datalen -= 2; + } + + pk->pubkey_algo = *data++; + datalen -= 6; + + *_data = data; + *_datalen = datalen; + return 0; +} + +const char *pgp_to_public_key_algo[PGP_PUBKEY__LAST] = { + [PGP_PUBKEY_RSA_ENC_OR_SIG] = "rsa", + [PGP_PUBKEY_RSA_ENC_ONLY] = "rsa", + [PGP_PUBKEY_RSA_SIG_ONLY] = "rsa", + [PGP_PUBKEY_ELGAMAL] = NULL, + [PGP_PUBKEY_DSA] = NULL, +}; + +/* + * PGP library packet parser + */ +struct pgp_parse_context { + u64 types_of_interest; + int (*process_packet)(struct pgp_parse_context *context, + enum pgp_packet_tag type, + u8 headerlen, + const u8 *data, + size_t datalen); 
+}; + +/** + * pgp_parse_packets - Parse a set of PGP packets + * @_data: Data to be parsed (updated) + * @_datalen: Amount of data (updated) + * @ctx: Parsing context + * + * Parse a set of PGP packets [RFC 4880: 4]. + */ +int pgp_parse_packets(const u8 *data, size_t datalen, + struct pgp_parse_context *ctx) +{ + enum pgp_packet_tag type; + ssize_t pktlen; + u8 headerlen; + int ret; + + while (datalen > 2) { + pktlen = pgp_parse_packet_header(&data, &datalen, &type, + &headerlen); + if (pktlen < 0) + return pktlen; + + if ((ctx->types_of_interest >> type) & 1) { + ret = ctx->process_packet(ctx, type, headerlen, + data, pktlen); + if (ret < 0) + return ret; + } + data += pktlen; + datalen -= pktlen; + } + + if (datalen != 0) { + pr_debug("Excess octets in packet stream\n"); + return -EBADMSG; + } + + return 0; +} + +static inline void digest_putc(EVP_MD_CTX *mdctx, uint8_t ch) +{ + EVP_DigestUpdate(mdctx, &ch, 1); +} + +struct pgp_key_data_parse_context { + struct pgp_parse_context pgp; + unsigned char *raw_fingerprint; + char *fingerprint; + const char *user_id; + size_t user_id_len; + size_t fingerprint_len; + u8 *key; + size_t key_len; +}; + +int mpi_key_length(const void *xbuffer, unsigned int ret_nread, + unsigned int *nbits_arg, unsigned int *nbytes_arg) +{ + const uint8_t *buffer = xbuffer; + unsigned int nbits; + + if (ret_nread < 2) + return -EINVAL; + nbits = buffer[0] << 8 | buffer[1]; + + if (nbits > MAX_EXTERN_MPI_BITS) { + pr_info("MPI: mpi too large (%u bits)\n", nbits); + return -EINVAL; + } + + if (nbits_arg) + *nbits_arg = nbits; + if (nbytes_arg) + *nbytes_arg = __KERNEL_DIV_ROUND_UP(nbits, 8); + + return 0; +} + +/* + * Calculate the public key ID (RFC4880 12.2) + */ +static int pgp_calc_pkey_keyid(EVP_MD_CTX *digest, + struct pgp_parse_pubkey *pgp, + u8 *key_ptr, size_t keylen) +{ + unsigned int nb[MAX_MPI]; + unsigned int nn[MAX_MPI]; + unsigned int n; + u8 *pp[MAX_MPI]; + u32 a32; + int npkey; + int i, ret; + + n = (pgp->version < 
PGP_KEY_VERSION_4) ? 8 : 6; + for (i = 0; i < MAX_MPI && keylen > 0; i++) { + ret = mpi_key_length(key_ptr, keylen, nb + i, nn + i); + if (ret < 0) + return ret; + + pp[i] = key_ptr + 2; + key_ptr += 2 + nn[i]; + keylen -= 2 + nn[i]; + n += 2 + nn[i]; + } + + if (keylen != 0) { + pr_debug("excess %zu\n", keylen); + return -EBADMSG; + } + + npkey = i; + + digest_putc(digest, 0x99); /* ctb */ + digest_putc(digest, n >> 8); /* 16-bit header length */ + digest_putc(digest, n); + digest_putc(digest, pgp->version); + + a32 = pgp->creation_time; + digest_putc(digest, a32 >> 24); + digest_putc(digest, a32 >> 16); + digest_putc(digest, a32 >> 8); + digest_putc(digest, a32 >> 0); + + if (pgp->version < PGP_KEY_VERSION_4) { + u16 a16; + + if (pgp->expires_at) + a16 = (pgp->expires_at - pgp->creation_time) / 86400UL; + else + a16 = 0; + digest_putc(digest, a16 >> 8); + digest_putc(digest, a16 >> 0); + } + + digest_putc(digest, pgp->pubkey_algo); + + for (i = 0; i < npkey; i++) { + digest_putc(digest, nb[i] >> 8); + digest_putc(digest, nb[i]); + EVP_DigestUpdate(digest, pp[i], nn[i]); + } + ret = 0; + + return ret; +} + +/* + * Calculate the public key ID fingerprint + */ +static int pgp_generate_fingerprint(struct pgp_key_data_parse_context *ctx, + struct pgp_parse_pubkey *pgp, + u8 *key_ptr, size_t key_len) +{ + EVP_MD_CTX *mdctx; + const EVP_MD *md; + char *fingerprint; + u8 *raw_fingerprint; + int digest_size, offset; + int ret, i; + + ret = -ENOMEM; + OpenSSL_add_all_algorithms(); + + md = EVP_get_digestbyname(pgp->version < PGP_KEY_VERSION_4 ? 
+ "md5" : "sha1"); + if (!md) { + ret = -ENOENT; + goto cleanup; + } + + mdctx = EVP_MD_CTX_create(); + if (!mdctx) { + ret = -ENOENT; + goto cleanup; + } + + if (EVP_DigestInit_ex(mdctx, md, NULL) != 1) { + ret = -EINVAL; + goto cleanup_tfm; + } + + ret = pgp_calc_pkey_keyid(mdctx, pgp, key_ptr, key_len); + if (ret < 0) + goto cleanup_tfm; + + digest_size = EVP_MD_size(md); + raw_fingerprint = malloc(digest_size); + if (!raw_fingerprint) + goto cleanup_tfm; + + if (EVP_DigestFinal_ex(mdctx, raw_fingerprint, NULL) != 1) { + ret = -EINVAL; + goto cleanup_raw_fingerprint; + } + + ctx->fingerprint_len = digest_size * 2; + fingerprint = malloc(digest_size * 2 + 1); + if (!fingerprint) + goto cleanup_raw_fingerprint; + + offset = digest_size - 8; + pr_debug("offset %u/%u\n", offset, digest_size); + + for (i = 0; i < digest_size; i++) + sprintf(fingerprint + i * 2, "%02x", raw_fingerprint[i]); + pr_debug("fingerprint %s\n", fingerprint); + + ctx->raw_fingerprint = raw_fingerprint; + ctx->fingerprint = fingerprint; + ret = 0; +cleanup_raw_fingerprint: + if (ret < 0) + free(raw_fingerprint); +cleanup_tfm: + EVP_MD_CTX_destroy(mdctx); +cleanup: + EVP_cleanup(); + return ret; +} + +/* + * Extract a public key or public subkey from the PGP stream. 
+ */ +static int pgp_process_public_key(struct pgp_parse_context *context, + enum pgp_packet_tag type, + u8 headerlen, + const u8 *data, + size_t datalen) +{ + struct pgp_key_data_parse_context *ctx = + container_of(context, struct pgp_key_data_parse_context, pgp); + struct pgp_parse_pubkey pgp; + int ret; + + if (type == PGP_PKT_USER_ID) { + ctx->user_id = (const char *)data; + ctx->user_id_len = datalen; + return 0; + } + + if (ctx->fingerprint) { + return -EBADMSG; + } + + ret = pgp_parse_public_key(&data, &datalen, &pgp); + if (ret < 0) + goto cleanup; + + if (pgp.pubkey_algo >= PGP_PUBKEY__LAST) + goto cleanup_unsupported_pkey_algo; + + ctx->key = malloc(datalen); + if (!ctx->key) + goto cleanup_nomem; + + memcpy(ctx->key, data, datalen); + ctx->key_len = datalen; + + ret = pgp_generate_fingerprint(ctx, &pgp, ctx->key, ctx->key_len); + if (ret < 0) + goto cleanup; + + return 0; + +cleanup_unsupported_pkey_algo: + pr_debug("Unsupported public key algorithm %u\n", + pgp.pubkey_algo); + ret = -ENOPKG; + goto cleanup; +cleanup_nomem: + ret = -ENOMEM; + goto cleanup; +cleanup: + pr_devel("cleanup"); + free(ctx->key); + return ret; +} + +static RSA *raw_to_openssl_public_rsa(u8 *key_ptr, size_t key_len) +{ + RSA *rsa = RSA_new(); + unsigned int mpi_bytes; + BIGNUM *n, *e; + int ret; + + if (!rsa) + return NULL; + + e = BN_new(); + if (!e) + goto err_free_rsa; + n = BN_new(); + if (!n) + goto err_free_e; + + ret = mpi_key_length(key_ptr, 2, NULL, &mpi_bytes); + if (ret < 0) + goto err_free; + + key_ptr += 2; + + if (!BN_bin2bn(key_ptr, mpi_bytes, n)) + goto err_free; + + key_ptr += mpi_bytes; + + ret = mpi_key_length(key_ptr, 2, NULL, &mpi_bytes); + if (ret < 0) + goto err_free; + + key_ptr += 2; + if (!BN_bin2bn(key_ptr, mpi_bytes, e)) + goto err_free; + +#if OPENSSL_VERSION_NUMBER < 0x10100000 + rsa->n = n; + rsa->e = e; +#else + RSA_set0_key(rsa, n, e, NULL); +#endif + + return rsa; + +err_free: + BN_free(n); +err_free_e: + BN_free(e); +err_free_rsa: + 
RSA_free(rsa); + + return NULL; +} + +RSA *pgp_key_parse(const u8 *data, size_t datalen, u8 *keyid) +{ + struct pgp_key_data_parse_context ctx; + RSA *rsa; + int ret; + + memset(&ctx, 0, sizeof(ctx)); + ctx.pgp.types_of_interest = (1 << PGP_PKT_PUBLIC_KEY) | + (1 << PGP_PKT_USER_ID); + ctx.pgp.process_packet = pgp_process_public_key; + + ret = pgp_parse_packets(data, datalen, &ctx.pgp); + if (ret < 0) + return NULL; + + memcpy(keyid, ctx.raw_fingerprint + (ctx.fingerprint_len / 2) - 4, 4); + + rsa = raw_to_openssl_public_rsa(ctx.key, ctx.key_len); + free(ctx.raw_fingerprint); + free(ctx.fingerprint); + free(ctx.key); + + return rsa; +} -- Gitee From 9fd55d52638f4f037f6971546dd5670f58d25949 Mon Sep 17 00:00:00 2001 From: Roberto Sassu Date: Tue, 9 Feb 2021 14:59:57 +0100 Subject: [PATCH 05/17] Introduce free_key() --- include/crypto.h | 1 + lib/crypto.c | 16 ++++++++++++---- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/include/crypto.h b/include/crypto.h index 7284c6b..00fec1b 100644 --- a/include/crypto.h +++ b/include/crypto.h @@ -43,6 +43,7 @@ struct key_struct { u8 keyid[4]; }; +void free_key(struct list_head *head, struct key_struct *key); void free_keys(struct list_head *head); struct key_struct *new_key(struct list_head *head, int dirfd, char *key_path, char *keypass, bool private); diff --git a/lib/crypto.c b/lib/crypto.c index 585cc05..7617d9f 100644 --- a/lib/crypto.c +++ b/lib/crypto.c 
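Review bot: pgp_calc_pkey_keyid() trusts the MPI bit count read from the key file: after mpi_key_length() fills nn[i], `keylen -= 2 + nn[i]` is done on a size_t with no check that the MPI fits in the remaining bytes, so a short packet declaring a large MPI wraps keylen, and the next iteration reads the "header" of a non-existent MPI past the buffer before the `keylen != 0` test ever runs. raw_to_openssl_public_rsa() has the same trust problem in a worse form — its key_len parameter is unused, it never verifies the algorithm is one of the RSA tags (the pgp_to_public_key_algo table is defined but never consulted) or that two MPIs are present, and BN_bin2bn() reads whatever nbits says. In pgp_generate_fingerprint() the initial `ret = -ENOMEM` is overwritten by the 0 returned from pgp_calc_pkey_keyid(), so a failed malloc() jumps to cleanup with ret == 0 and a NULL fingerprint is treated as success; pgp_key_parse() then dereferences ctx.raw_fingerprint, which is also NULL when the stream contains no public-key packet at all, and on any error it returns without freeing ctx.key/ctx.fingerprint. The bounds check and a NULL-safe tail are sketched below; note also that for V3 keys RFC 4880 §12.2 defines the key ID as the low 64 bits of the modulus, not of the MD5 fingerprint this code hashes.
```c
	/* … unchanged: pgp_calc_pkey_keyid() up to the MPI loop … */
	for (i = 0; i < MAX_MPI && keylen > 0; i++) {
		ret = mpi_key_length(key_ptr, keylen, nb + i, nn + i);
		if (ret < 0)
			return ret;

		/* nn[i] comes from the key file; keylen is size_t, so without
		 * this check the subtraction below wraps and the next
		 * iteration reads past the packet. */
		if (keylen < 2 + (size_t)nn[i]) {
			pr_debug("MPI %d overruns key packet\n", i);
			return -EBADMSG;
		}

		pp[i] = key_ptr + 2;
		key_ptr += 2 + nn[i];
		keylen -= 2 + nn[i];
		n += 2 + nn[i];
	}
	/* … unchanged: rest of pgp_calc_pkey_keyid() … */

	/* … unchanged: pgp_process_public_key() body … */
cleanup:
	pr_devel("cleanup");
	free(ctx->key);
	ctx->key = NULL;	/* pgp_key_parse() frees ctx.key on every path */
	return ret;
}

RSA *pgp_key_parse(const u8 *data, size_t datalen, u8 *keyid)
{
	struct pgp_key_data_parse_context ctx;
	RSA *rsa = NULL;
	int ret;

	/* … unchanged: ctx setup … */
	ret = pgp_parse_packets(data, datalen, &ctx.pgp);
	/* A stream with no public-key packet parses cleanly but leaves the
	 * fingerprint NULL; treat that as an error instead of dereferencing. */
	if (ret < 0 || !ctx.raw_fingerprint)
		goto out;

	memcpy(keyid, ctx.raw_fingerprint + (ctx.fingerprint_len / 2) - 4, 4);
	rsa = raw_to_openssl_public_rsa(ctx.key, ctx.key_len);
out:
	free(ctx.raw_fingerprint);
	free(ctx.fingerprint);
	free(ctx.key);
	return rsa;
}
```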
@@ -128,22 +128,30 @@ const struct RSA_ASN1_template RSA_ASN1_templates[HASH_ALGO__LAST] = { #undef _ }; -static void free_key(struct key_struct *k) +static void _free_key(struct key_struct *k) { RSA_free(k->key); free(k); } -void free_keys(struct list_head *head) +void free_key(struct list_head *head, struct key_struct *key) { struct key_struct *cur, *tmp; list_for_each_entry_safe(cur, tmp, head, list) { + if (key && cur != key) + continue; + list_del(&cur->list); - free_key(cur); + _free_key(cur); } } +void free_keys(struct list_head *head) +{ + return free_key(head, NULL); +} + struct key_struct *new_key(struct list_head *head, int dirfd, char *key_path, char *keypass, bool private) { @@ -212,7 +220,7 @@ struct key_struct *new_key(struct list_head *head, int dirfd, char *key_path, free(pkey); out_key: if (ret < 0) { - free_key(new); + _free_key(new); new = NULL; } out_fp: -- Gitee From a6f1e70a567b68347028e29ce0fd65d2359cac3a Mon Sep 17 00:00:00 2001 From: Roberto Sassu Date: Tue, 9 Feb 2021 16:05:51 +0100 Subject: [PATCH 06/17] Fix lookup_key() and print correct key ID --- lib/crypto.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/crypto.c b/lib/crypto.c index 7617d9f..b9a7d54 100644 --- a/lib/crypto.c +++ b/lib/crypto.c @@ -272,8 +272,8 @@ struct key_struct *lookup_key(struct list_head *head, int dirfd, char *key_path, if (!memcmp(cur->keyid, keyid, sizeof(cur->keyid))) return cur; - if (key_path) - return cur; + if (!key_path) + return NULL; return new_key(head, dirfd, key_path, NULL, false); } @@ -387,7 +387,8 @@ static int verify_common(struct list_head *head, int dirfd, char *filename, k = lookup_key(head, dirfd, NULL, keyid); if (!k) { - printf("No key found for id %d\n", be32_to_cpu(keyid)); + printf("No key found for id %08x\n", + __be32_to_cpu(*(uint32_t *)keyid)); ret = -ENOENT; goto out; } -- Gitee From f4e21368c948ce21c391e6ded30c4a729eba09ef Mon Sep 17 00:00:00 2001 
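Review bot: `return free_key(head, NULL);` in the new free_keys() returns a void expression from a void function, which ISO C (C11 6.8.6.4) forbids and gcc only diagnoses with -pedantic; write it as a plain call, `free_key(head, NULL);`. Using key == NULL to mean "free every key" is also a surprising overload for a function named free_key — a comment on the declaration, `/* key == NULL frees the whole list */`, would stop a caller from passing a NULL it expected to be a no-op.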
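Review bot: `__be32_to_cpu(*(uint32_t *)keyid)` in the new printf reads four bytes through a uint32_t lvalue, which is a strict-aliasing and alignment violation when keyid is a u8 array, as the lookup_key() prototype suggests; the lookup_key() fix above it is correct, but this line should not introduce a cast to print a value. Printing the bytes directly gives the same big-endian hex with no undefined behaviour: `printf("No key found for id %02x%02x%02x%02x\n", keyid[0], keyid[1], keyid[2], keyid[3]);`. verify_common() starts and ends outside the hunk.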
From: Roberto Sassu Date: Wed, 10 Feb 2021 16:05:58 +0100 Subject: [PATCH 07/17] Add setup_grub2 script --- dist/rpm/digest-list-tools.spec | 1 + scripts/Makefile.am | 2 +- scripts/setup_grub2 | 56 +++++++++++++++++++++++++++++++++ 3 files changed, 58 insertions(+), 1 deletion(-) create mode 100755 scripts/setup_grub2 diff --git a/dist/rpm/digest-list-tools.spec b/dist/rpm/digest-list-tools.spec index b5a3563..97fc7e7 100644 --- a/dist/rpm/digest-list-tools.spec +++ b/dist/rpm/digest-list-tools.spec @@ -55,6 +55,7 @@ rm -rf $RPM_BUILD_ROOT %{_bindir}/gen_digest_lists %{_bindir}/setup_ima_digest_lists %{_bindir}/setup_ima_digest_lists_demo +%{_bindir}/setup_grub2 %{_bindir}/manage_digest_lists %{_bindir}/upload_digest_lists %{_bindir}/verify_digest_lists diff --git a/scripts/Makefile.am b/scripts/Makefile.am index 5dab829..0de3061 100644 --- a/scripts/Makefile.am +++ b/scripts/Makefile.am @@ -1 +1 @@ -bin_SCRIPTS=setup_ima_digest_lists setup_ima_digest_lists_demo +bin_SCRIPTS=setup_ima_digest_lists setup_ima_digest_lists_demo setup_grub2 diff --git a/scripts/setup_grub2 b/scripts/setup_grub2 new file mode 100755 index 0000000..e785ef2 --- /dev/null +++ b/scripts/setup_grub2 
@@ -0,0 +1,56 @@ +#! /bin/bash + +# Copyright (C) 2021 Huawei Technologies Duesseldorf GmbH +# +# Author: Roberto Sassu +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation, version 2 of the +# License. +# +# File: setup_grub2 +# Configure grub2 boot loader. + +#! /bin/bash + +if [ -z "$(which new-kernel-pkg)" ]; then + echo "new-kernel-pkg binary not found" + exit 1 +fi + +if [ $# -lt 2 ]; then + echo "Syntax: $0 [--mkinitrd]" + echo + echo "Features:" + echo -e "\t- measurement" + echo -e "\t- appraisal" + echo -e "\t- measurement+appraisal" + exit 1 +fi + +. /etc/os-release + +opts_measurement='ima_template=ima-sig ima_policy=\\\"exec_tcb\\\" initramtmpfs + ima_hash=sha256 ima_digest_list_pcr=11' +opts_appraisal='ima_template=ima-sig + ima_policy=\\\"appraise_exec_tcb|appraise_exec_immutable\\\" initramtmpfs + ima_hash=sha256 ima_appraise=enforce-evm evm=x509 evm=complete + ima_appraise_digest_list=digest' +opts="" + +if [ "$1" = "measurement" ]; then + opts="$opts_measurement" +elif [ "$1" = "appraisal" ]; then + opts="$opts_appraisal" +elif [ "$1" = "measurement+appraisal" ]; then + opts="$opts_measurement $opts_appraisal" +else + echo "Unknown feature $1" + exit 1 +fi + +initrdfile=$(ls /boot/ | grep $(uname -r) | grep init | head -n 1 | + sed "s/$(uname -r)/$2/") +new-kernel-pkg $3 --initrdfile /boot/$initrdfile --kernel-args "$opts" \ + --install --banner "$NAME $VERSION - ${1^^}" $2 -- Gitee From efed019a7eef0ce5ffe027c75ead54dd7cf8debd Mon Sep 17 00:00:00 2001 From: Roberto Sassu Date: Tue, 28 Jul 2020 16:01:14 +0200 Subject: [PATCH 08/17] Fix compact_tlv test --- tests/compact_tlv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/compact_tlv.c b/tests/compact_tlv.c index 4e6f9a5..921891b 100644 --- a/tests/compact_tlv.c +++ b/tests/compact_tlv.c 
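Review bot: `initrdfile=$(ls /boot/ | grep $(uname -r) | grep init | head -n 1 | sed ...)` is never checked, so when no initrd for the running kernel is found the script still calls new-kernel-pkg with `--initrdfile /boot/` and installs a boot entry that carries the IMA appraisal arguments but no usable initrd; `$2` and `$3` are also spliced in unquoted and unvalidated, with `$2` reaching both grep and sed as a pattern. A minimal guard is `[ -n "$initrdfile" ] || { echo "no initrd found for $(uname -r)"; exit 1; }`, quoting `"$2"`, and accepting `$3` only when it equals `--mkinitrd`. The second `#! /bin/bash` after the licence header is harmless but should go, and the usage line appears to have lost its positional-argument placeholders (possibly in rendering) — as shown it documents no arguments at all.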
@@ -185,7 +185,6 @@ static void test_compact_tlv_parser(void **state) free_path_structs(&head_in); free_path_structs(&head_out); free_libs(&generator_lib_head); - free_libs(&parser_lib_head); /* parse converted list */ ret = read_file_from_path(dirfd, NEW_COMPACT_LIST, &buf, &size); @@ -203,6 +202,7 @@ static void test_compact_tlv_parser(void **state) gen_list_size, gen_list_buf, PARSER_OP_ADD_META_DIGEST); assert_return_code(ret, 0); + free_libs(&parser_lib_head); ret = compact_list_flush_all(fd_compact_list, &list_head); assert_return_code(ret, 0); -- Gitee From f4d7fada3d98caf1faa508eb04b7cf9e89c3f957 Mon Sep 17 00:00:00 2001 From: Roberto Sassu Date: Mon, 3 Aug 2020 09:44:12 +0200 Subject: [PATCH 09/17] Fix digest-list-tools.spec --- dist/rpm/digest-list-tools.spec | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/dist/rpm/digest-list-tools.spec b/dist/rpm/digest-list-tools.spec index 97fc7e7..f9c7dcc 100644 --- a/dist/rpm/digest-list-tools.spec +++ b/dist/rpm/digest-list-tools.spec @@ -9,7 +9,7 @@ License: GPL-2.0 Url: https://gitee.com/openeuler/digest-list-tools BuildRequires: autoconf automake libcurl-devel libtool rpm-devel dracut gzip -BuildRequires: libcap-devel libcmocka-devel +BuildRequires: libcap-devel libcmocka-devel libselinux-devel %if 0%{?suse_version} BuildRequires: libopenssl-devel glibc-devel-static @@ -35,6 +35,8 @@ make check rm -rf $RPM_BUILD_ROOT make install DESTDIR=$RPM_BUILD_ROOT mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/ima/digest_lists +mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/ima/digest_lists.tlv +mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/ima/digest_lists.sig mkdir -p ${RPM_BUILD_ROOT}%{_mandir}/man1 %post 
@@ -52,6 +54,8 @@ rm -rf $RPM_BUILD_ROOT %{_sysconfdir}/dracut.conf.d/digestlist.conf %dir %{_sysconfdir}/ima %dir %{_sysconfdir}/ima/digest_lists +%dir %{_sysconfdir}/ima/digest_lists.tlv +%dir %{_sysconfdir}/ima/digest_lists.sig %{_bindir}/gen_digest_lists %{_bindir}/setup_ima_digest_lists %{_bindir}/setup_ima_digest_lists_demo @@ -60,7 +64,8 @@ rm -rf $RPM_BUILD_ROOT %{_bindir}/upload_digest_lists %{_bindir}/verify_digest_lists %{_bindir}/write_rpm_pgp_sig -%{_libexecdir}/rpm_parser +%dir %{_prefix}/libexec +%{_prefix}/libexec/rpm_parser %{_libdir}/libdigestlist-base.so %dir %{_libdir}/digestlist %{_libdir}/digestlist/libgenerator-compact.so -- Gitee From 5460683dae00a71bab0ee5930c0da5264ece76cb Mon Sep 17 00:00:00 2001 From: Roberto Sassu Date: Tue, 28 Jul 2020 22:49:32 +0200 Subject: [PATCH 10/17] Install awk in module-setup.sh --- initrd/dracut/module-setup.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/initrd/dracut/module-setup.sh b/initrd/dracut/module-setup.sh index fa478d0..487ee98 100755 --- a/initrd/dracut/module-setup.sh +++ b/initrd/dracut/module-setup.sh @@ -24,6 +24,7 @@ install() { inst_binary find inst_binary basename inst_binary cut + inst_binary awk inst_binary getfattr inst_binary /usr/bin/upload_digest_lists inst_binary /usr/libexec/rpm_parser -- Gitee From d41ada1d45280dd171fd441fb51e67e42d0a54b9 Mon Sep 17 00:00:00 2001 From: Roberto Sassu Date: Wed, 24 Feb 2021 09:53:15 +0100 Subject: [PATCH 11/17] Set security.ima in the generators when requested --- generators/compact.c | 14 ++++++++------ generators/rpm.c | 12 ++++++++++++ generators/unknown.c | 10 ++++++++++ 3 files changed, 30 insertions(+), 6 deletions(-) diff --git a/generators/compact.c b/generators/compact.c index 94fcc57..138cf1e 100644 --- a/generators/compact.c +++ b/generators/compact.c 
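Review bot: `%dir %{_prefix}/libexec` makes this package a co-owner of /usr/libexec, a directory that on Fedora/openEuler-style systems is normally owned by the filesystem package; co-ownership works, but any difference in mode or ownership between the two packages shows up as `rpm -V` noise and is a classic source of packaging conflicts. If the point is only that rpm_parser must live under /usr/libexec even where %{_libexecdir} differs (SUSE), drop the %dir line and keep `%{_prefix}/libexec/rpm_parser` alone, or add a comment explaining why the directory must be owned here.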
@@ -249,19 +249,21 @@ static int add_file(int dirfd, int fd, char *path, u16 type, u16 modifiers,
 			printf("Cannot add digest to compact list\n");
 			goto out_free_items;
 		}
+out_free_items:
+	compact_list_tlv_free_items(&items);
+out:
+	free(obj_label);
+	free(caps_bin);
 
-	if (algo != ima_algo && getuid() == 0) {
+	if (set_ima_xattr && getxattr(path, XATTR_NAME_IMA, NULL, 0) < 0 &&
+	    algo != ima_algo && getuid() == 0) {
 		ret = write_ima_xattr(-1, path, NULL, 0, NULL, 0, algo);
 		if (ret < 0) {
 			printf("Cannot write xattr to %s\n", path);
 			goto out_free_items;
 		}
 	}
-out_free_items:
-	compact_list_tlv_free_items(&items);
-out:
-	free(obj_label);
-	free(caps_bin);
+
 	return ret;
 }
diff --git a/generators/rpm.c b/generators/rpm.c
index 8cc2f87..5c7d3cd 100644
--- a/generators/rpm.c
+++ b/generators/rpm.c
@@ -220,9 +220,21 @@ static int add_file(int dirfd, char *filename, Header *hdr, u16 type,
 			s.st_gid = 0;
 			s.st_mode = mode;
 			s.st_size = size;
+		} else {
+			if (set_ima_xattr && algo != ima_algo &&
+			    getuid() == 0) {
+				ret = write_ima_xattr(-1, file_path, NULL, 0,
+						      NULL, 0, algo);
+				if (ret < 0) {
+					printf("Cannot write xattr to %s\n",
+					       file_path);
+					goto out_free_items;
+				}
+			}
 		}
 
 		if (!tlv) {
+
 			if (type == COMPACT_METADATA && include_ima_digests) {
 				ret = compact_list_add_digest(fd, list_file,
 							      ima_digest);
diff --git a/generators/unknown.c b/generators/unknown.c
index f182dd6..5043162 100644
--- a/generators/unknown.c
+++ b/generators/unknown.c
@@ -256,6 +256,16 @@ out_free_items:
 out:
 	free(obj_label);
 	free(caps_bin);
+
+	if (set_ima_xattr && getxattr(path, XATTR_NAME_IMA, NULL, 0) < 0 &&
+	    algo != ima_algo && getuid() == 0) {
+		ret = write_ima_xattr(-1, path, NULL, 0, NULL, 0, algo);
+		if (ret < 0) {
+			printf("Cannot write xattr to %s\n", path);
+			goto out_free_items;
+		}
+	}
+
 	return ret;
 }
-- 
Gitee

From a0c09bc90cccaa00c02ee55217624ee4dcace0e5 Mon Sep 17 00:00:00 2001
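Review bot: The `goto out_free_items;` in the failure path of write_ima_xattr() now jumps backwards, because this commit moved the `out_free_items:` and `out:` labels above the new `if (set_ima_xattr && …)` block; on a failed xattr write, compact_list_tlv_free_items(&items), free(obj_label) and free(caps_bin) run a second time — a double free unless those pointers are cleared after the first free, which the hunk does not show — and control then re-enters the same `if`, whose getxattr() test is still true, so the write is retried until it happens to succeed. All cleanup has already happened at that point, so the failure branch should just leave: replace `goto out_free_items;` with `return ret;`. The generators/unknown.c hunk in this same commit has the identical backward jump after its labels and needs the same one-line change. add_file() starts outside the hunk.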
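Review bot: The new `else` branch in generators/rpm.c writes security.ima whenever `set_ima_xattr && algo != ima_algo && getuid() == 0`, without the `getxattr(path, XATTR_NAME_IMA, NULL, 0) < 0` pre-check that the compact and unknown generators add in the same commit, so a file that already carries an IMA xattr — possibly a signature — would be rewritten with whatever write_ima_xattr() emits for a bare algorithm (its output is not visible here). Guard it the same way so the three generators agree and existing labels are not clobbered: `if (set_ima_xattr && getxattr(file_path, XATTR_NAME_IMA, NULL, 0) < 0 &&` followed by `    algo != ima_algo && getuid() == 0) {`. add_file() starts and ends outside the hunk.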
From: Roberto Sassu
Date: Wed, 24 Feb 2021 12:45:52 +0100
Subject: [PATCH 12/17] Add numeric UID/GID fields for extended path list

---
 generators/compact.c | 6 ++++++
 generators/unknown.c | 6 ++++++
 include/lib.h        | 2 +-
 lib/lib.c            | 2 ++
 4 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/generators/compact.c b/generators/compact.c
index 138cf1e..1cc7ee0 100644
--- a/generators/compact.c
+++ b/generators/compact.c
@@ -421,11 +421,17 @@ int generator(int dirfd, int pos, struct list_head *head_in,
 				pwd = getpwnam(cur->attrs[ATTR_UNAME]);
 			if (pwd)
 				st.st_uid = pwd->pw_uid;
+			if (cur->attrs[ATTR_UID])
+				st.st_uid = strtol(cur->attrs[ATTR_UID],
+						   NULL, 10);
 			st.st_gid = 0;
 			if (cur->attrs[ATTR_GNAME])
 				grp = getgrnam(cur->attrs[ATTR_GNAME]);
 			if (grp)
 				st.st_gid = grp->gr_gid;
+			if (cur->attrs[ATTR_GID])
+				st.st_gid = strtol(cur->attrs[ATTR_GID],
+						   NULL, 10);
 			if (cur->attrs[ATTR_DIGESTALGO])
 				list_algo = strtol(cur->attrs[ATTR_DIGESTALGO],
 						   NULL, 10);
diff --git a/generators/unknown.c b/generators/unknown.c
index 5043162..4409b88 100644
--- a/generators/unknown.c
+++ b/generators/unknown.c
@@ -435,11 +435,17 @@ int generator(int dirfd, int pos, struct list_head *head_in,
 				pwd = getpwnam(cur->attrs[ATTR_UNAME]);
 			if (pwd)
 				st.st_uid = pwd->pw_uid;
+			if (cur->attrs[ATTR_UID])
+				st.st_uid = strtol(cur->attrs[ATTR_UID],
+						   NULL, 10);
 			st.st_gid = 0;
 			if (cur->attrs[ATTR_GNAME])
 				grp = getgrnam(cur->attrs[ATTR_GNAME]);
 			if (grp)
 				st.st_gid = grp->gr_gid;
+			if (cur->attrs[ATTR_GID])
+				st.st_gid = strtol(cur->attrs[ATTR_GID],
+						   NULL, 10);
 			if (cur->attrs[ATTR_DIGESTALGO])
 				list_algo = strtol(cur->attrs[ATTR_DIGESTALGO],
 						   NULL, 10);
diff --git a/include/lib.h b/include/lib.h
index 072f09f..604871b 100644
--- a/include/lib.h
+++ b/include/lib.h
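Review bot: The new `st.st_uid = strtol(cur->attrs[ATTR_UID], NULL, 10);` (and its ATTR_GID twin) accepts any string: a non-numeric or empty value yields 0, so the file is recorded as root-owned in the generated metadata, and a negative or out-of-range value is silently truncated on assignment to uid_t/gid_t. Because the numeric attribute is applied after the uname/gname lookup, it overrides that lookup, so one malformed entry in an extended path list changes the ownership that ends up in the digest list without any diagnostic. Parse with an end pointer and reject sign, trailing characters and overflow, failing the entry through the loop's existing error path (outside the hunk); the identical site in generators/unknown.c should call the same helper. generator() starts and ends outside the hunk.

```c
/* Strict decimal parse for the uid/gid attributes: no sign, no trailing
 * characters, no overflow. Returns -EINVAL instead of defaulting to 0. */
static int parse_id_attr(const char *s, unsigned int *id)
{
	char *end;
	unsigned long v;

	errno = 0;
	v = strtoul(s, &end, 10);
	if (*s == '-' || *s == '+' || end == s || *end != '\0' ||
	    errno == ERANGE || v > UINT_MAX)
		return -EINVAL;

	*id = (unsigned int)v;
	return 0;
}

/* … unchanged: uname/gname lookups … */
			if (cur->attrs[ATTR_UID]) {
				unsigned int id;

				if (parse_id_attr(cur->attrs[ATTR_UID], &id) < 0) {
					printf("Invalid uid '%s' for %s\n",
					       cur->attrs[ATTR_UID], cur->path);
					/* fail the entry via the loop's existing error path */
				}
				st.st_uid = id;
			}
/* … same pattern for ATTR_GID / st.st_gid … */
```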
@@ -65,7 +65,7 @@ void free_libs(struct list_head *head);
 
 enum file_attrs { ATTR_PATH, ATTR_DIGESTALGO, ATTR_DIGESTALGOPGP, ATTR_DIGEST,
 		  ATTR_MODE, ATTR_UNAME, ATTR_GNAME, ATTR_CAPS, ATTR_OBJ_LABEL,
-		  ATTR__LAST };
+		  ATTR_UID, ATTR_GID, ATTR__LAST };
 
 struct path_struct {
 	struct list_head list;
diff --git a/lib/lib.c b/lib/lib.c
index eff1e24..d4e477d 100644
--- a/lib/lib.c
+++ b/lib/lib.c
@@ -38,6 +38,8 @@ static const char *file_attrs_str[ATTR__LAST] = {
 	[ATTR_GNAME] = "gname",
 	[ATTR_CAPS] = "caps",
 	[ATTR_OBJ_LABEL] = "obj_label",
+	[ATTR_UID] = "uid",
+	[ATTR_GID] = "gid",
 };
 
 enum hash_algo pgp_algo_mapping[PGP_HASH__LAST] = {
-- 
Gitee

From a05175d806c094487cdf4ae63d111b3f56bbb3db Mon Sep 17 00:00:00 2001
From: Roberto Sassu
Date: Thu, 25 Feb 2021 15:24:50 +0100
Subject: [PATCH 13/17] Fix digest-list-tools.spec

---
 dist/rpm/digest-list-tools.spec | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/dist/rpm/digest-list-tools.spec b/dist/rpm/digest-list-tools.spec
index f9c7dcc..4a81ead 100644
--- a/dist/rpm/digest-list-tools.spec
+++ b/dist/rpm/digest-list-tools.spec
@@ -1,9 +1,9 @@
 name: digest-list-tools
 Version: 0.3.94
-Release: 1
-Summary: Digest list tools
+Release: 3
+Summary: Utilities for IMA Digest Lists extension
 
-Source0: %{name}-%{version}.tar.gz
+Source0: https://gitee.com/openeuler/%{name}/repository/archive/v%{version}.tar.gz
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 License: GPL-2.0
 Url: https://gitee.com/openeuler/digest-list-tools
@@ -64,8 +64,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_bindir}/upload_digest_lists
 %{_bindir}/verify_digest_lists
 %{_bindir}/write_rpm_pgp_sig
-%dir %{_prefix}/libexec
-%{_prefix}/libexec/rpm_parser
+%{_libexecdir}/rpm_parser
 %{_libdir}/libdigestlist-base.so
 %dir %{_libdir}/digestlist
 %{_libdir}/digestlist/libgenerator-compact.so
@@ -106,6 +105,12 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man1/%{name}.1.gz
 
 %changelog
+* Mon Sep 14 2020 Anakin Zhang - 0.3.94-3
+- fix Source0 and Summary in spec
+
+* Thu Sep 10 2020 Anakin Zhang - 0.3.94-2
+- fix invalid format in i686
+
 * Thu Sep 03 2020 Roberto Sassu - 0.3.94-1
 - Add obj_label attribute in file list
 - Replace hard coded permission
-- 
Gitee

From 15cc33f9c8a3bf042f54c1274630c0ea6d87afa4 Mon Sep 17 00:00:00 2001
From: Roberto Sassu
Date: Fri, 5 Mar 2021 08:45:39 +0100
Subject: [PATCH 14/17] Fix type of include_lsm_label in compact and unknown generators

---
 generators/compact.c | 2 +-
 generators/unknown.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/generators/compact.c b/generators/compact.c
index 1cc7ee0..4107e44 100644
--- a/generators/compact.c
+++ b/generators/compact.c
@@ -36,7 +36,7 @@
 static int add_file(int dirfd, int fd, char *path, u16 type, u16 modifiers,
 		    struct list_head *list_head, struct stat *st,
 		    enum hash_algo algo, enum hash_algo ima_algo, bool tlv,
-		    bool gen_list, bool include_lsm_label,
+		    bool gen_list, int include_lsm_label,
 		    bool include_ima_digests, bool root_cred,
 		    bool set_ima_xattr, bool set_evm_xattr, char *alt_root,
 		    char *caps, char *file_digest, char *label)
diff --git a/generators/unknown.c b/generators/unknown.c
index 4409b88..ad17a23 100644
--- a/generators/unknown.c
+++ b/generators/unknown.c
@@ -37,7 +37,7 @@
 static int add_file(int dirfd, int fd, char *path, u16 type, u16 modifiers,
 		    struct list_head *list_head, struct stat *st,
 		    enum hash_algo algo, enum hash_algo ima_algo, bool tlv,
-		    bool gen_list, bool include_lsm_label,
+		    bool gen_list, int include_lsm_label,
 		    bool include_ima_digests, bool root_cred,
 		    bool set_ima_xattr, bool set_evm_xattr, char *alt_root,
 		    char *caps, char *file_digest, char *label)
-- 
Gitee

From 5c1bd9f58d7f0024d1b1a84f0369ded66c6448bd Mon Sep 17 00:00:00 2001
From: Roberto Sassu
Date: Fri, 5 Mar 2021 08:49:45 +0100
Subject: [PATCH 15/17] Fix variable increment in write_check()

---
 lib/lib.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/lib.c b/lib/lib.c
index d4e477d..7360868 100644
--- a/lib/lib.c
+++ b/lib/lib.c
@@ -117,7 +117,7 @@ ssize_t write_check(int fd, const void *buf, size_t count)
 			return -EIO;
 		}
 
-		buf += ret;
+		buf = (u8 *)buf + ret;
 		count -= ret;
 	}
 
-- 
Gitee

From 1d28fa93f6115c35fd681d135f66571708f3aa66 Mon Sep 17 00:00:00 2001
From: Roberto Sassu
Date: Fri, 5 Mar 2021 08:53:03 +0100
Subject: [PATCH 16/17] Check pointers in verify_common()

---
 lib/crypto.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/lib/crypto.c b/lib/crypto.c
index b9a7d54..d81992e 100644
--- a/lib/crypto.c
+++ b/lib/crypto.c
@@ -370,6 +370,11 @@ static int verify_common(struct list_head *head, int dirfd, char *filename,
 		if (ret < 0)
 			goto out;
 	} else {
+		if (!sig_in) {
+			printf("Signature not provided\n");
+			return -ENOENT;
+		}
+
 		ret = parse_ima_xattr(sig_in, sig_in_len, &keyid, &keyid_len,
 				      &sig, &sig_len, &algo);
 		if (ret) {
@@ -382,6 +387,11 @@ static int verify_common(struct list_head *head, int dirfd, char *filename,
 			return -EINVAL;
 		}
 
+		if (!digest_in) {
+			printf("Digest not provided\n");
+			return -ENOENT;
+		}
+
 		memcpy(digest, digest_in, hash_digest_size[algo]);
 	}
 
-- 
Gitee

From 355592d49baf11ae0affe5330185cf7e9964f358 Mon Sep 17 00:00:00 2001
From: Roberto Sassu
Date: Thu, 25 Feb 2021 15:27:06 +0100
Subject: [PATCH 17/17] Update to version 0.3.95

---
 CHANGES                         | 6 ++++++
 dist/rpm/digest-list-tools.spec | 9 +++++++--
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index 127079f..35797ce 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+2021-02-16 Roberto Sassu
+	version 0.3.95
+	* Add support for PGP keys
+	* Add setup_grub2 script
+	* Bug fixes
+
 2020-09-03 Roberto Sassu
 	version 0.3.94
 	* Add obj_label attribute in file list
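Review bot: `buf = (u8 *)buf + ret;` casts away the const of the `const void *buf` parameter; the arithmetic only needs a byte-sized pointer, not a writable one, so keep the qualifier with `buf = (const u8 *)buf + ret;` and avoid a -Wcast-qual warning (the cast itself is the right fix, since arithmetic on `void *` is a GNU extension). Advancing the parameter in place is fine because buf is the function's by-value copy. write_check() starts and ends outside the hunk.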
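Review bot: The `if (!digest_in)` check in the second hunk runs only after parse_ima_xattr() in the first hunk has already consumed sig_in, so a caller that supplies a signature but no digest does the parsing work first and then leaves through a bare `return -ENOENT;` that bypasses the `out` label the sibling branch uses — if parse_ima_xattr() hands back allocated keyid/sig buffers (not visible here), they are leaked on that path. Validate both inputs together before doing any work: move the four lines `if (!digest_in) { printf("Digest not provided\n"); return -ENOENT; }` up next to the `if (!sig_in)` block at the top of the `else` branch. Consider -EINVAL rather than -ENOENT for a missing argument, matching the adjacent algorithm check that returns -EINVAL. verify_common() starts and ends outside the hunk.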
diff --git a/dist/rpm/digest-list-tools.spec b/dist/rpm/digest-list-tools.spec
index 4a81ead..3fc6ab7 100644
--- a/dist/rpm/digest-list-tools.spec
+++ b/dist/rpm/digest-list-tools.spec
@@ -1,6 +1,6 @@
 name: digest-list-tools
-Version: 0.3.94
-Release: 3
+Version: 0.3.95
+Release: 1
 Summary: Utilities for IMA Digest Lists extension
 
 Source0: https://gitee.com/openeuler/%{name}/repository/archive/v%{version}.tar.gz
@@ -105,6 +105,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man1/%{name}.1.gz
 
 %changelog
+* Tue Feb 16 2021 Roberto Sassu - 0.3.95-1
+- Add support for PGP keys
+- Add setup_grub2 script
+- Bug fixes
+
 * Mon Sep 14 2020 Anakin Zhang - 0.3.94-3
 - fix Source0 and Summary in spec
 
-- 
Gitee