>From 4ae52f3cfb459c59e2e48f0d30c20c3763c8a0e7 Mon Sep 17 00:00:00 2001
From: Mikhail Novosyolov <m.novosyolov@xxxxxxxxxxxx>
Date: Wed, 4 Dec 2019 01:07:50 +0300
Subject: [PATCH] ima-evm-utils: Fix compatibility with LibreSSL

LibreSSL in most cases can be used as a drop-in replacement of OpenSSL. Commit 07d799cb6c37 "ima-evm-utils: Preload OpenSSL engine via '--engine' option" added OpenSSL-specific functions: "engines" were removed from LibreSSL long ago. Instead of requiring to attach GOST support via an external library ("engine"), LibreSSL has build-in implementation of GOST.

Commit ebbfc41ad6ba "ima-evm-utils: try to load digest by its alias" is also not OK for LibreSSL because LibreSSL uses different digest names:
md_gost12_256 -> streebog256
md_gost12_512 -> streebog512

Example how it works when linked with LibreSSL:
$ libressl dgst -streebog256 testfile
streebog256(a)= 04123f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
$ evmctl -v ima_hash -a streebog256 testfile
hash(streebog256): 04123f539a213e97c802cc229d474c6aa32a825a360b2a933a949fd925208d9ce1bb
$ evmctl -v ima_hash -a md_gost12_256 testfile
EVP_get_digestbyname(md_gost12_256) failed

TODO: it would be nice to map md_gost12_256 <-> streebog256 md_gost12_512 <-> streebog512 in evmctl CLI arguements to make the same commands work on systems both where evmctl is linked with LibreSSL and with OpenSSL.

Fixes: 07d799cb6c37 ("ima-evm-utils: Preload OpenSSL engine via '--engine' option")
Fixes: ebbfc41ad6ba ("ima-evm-utils: try to load digest by its alias")
Signed-off-by: Mikhail Novosyolov <m.novosyolov@xxxxxxxxxxxx>
---
 README | 2 +-
 src/evmctl.c | 15 ++++++++++++++-
 src/libimaevm.c | 2 ++
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/README b/README
index 3603ae8..f843bbe 100644
--- a/README
+++ b/README
@@ -58,7 +58,7 @@ OPTIONS
 --smack use extra SMACK xattrs for EVM
 --m32 force EVM hmac/signature for 32 bit target system
 --m64 force EVM hmac/signature for 64 bit target system
- --engine e preload OpenSSL engine e (such as: gost)
+ --engine e preload OpenSSL engine e (such as: gost) (not valid for LibreSSL)
 -v increase verbosity level
 -h, --help display this help and exit
diff --git a/src/evmctl.c b/src/evmctl.c
index 3d2a10b..f6507c1 100644
--- a/src/evmctl.c
+++ b/src/evmctl.c
@@ -62,7 +62,10 @@
 #include <openssl/hmac.h>
 #include <openssl/err.h>
 #include <openssl/rsa.h>
+/* LibreSSL removed engines */
+#ifndef LIBRESSL_VERSION_NUMBER
 #include <openssl/engine.h>
+#endif
 #ifndef XATTR_APPAARMOR_SUFFIX
 #define XATTR_APPARMOR_SUFFIX "apparmor"
@@ -1849,7 +1852,9 @@ static void usage(void)
 " --selinux use custom Selinux label for EVM\n"
 " --caps use custom Capabilities for EVM(unspecified: from FS, empty: do not use)\n"
 " --list measurement list verification\n"
+#ifndef LIBRESSL_VERSION_NUMBER /* LibreSSL removed engines */
 " --engine e preload OpenSSL engine e (such as: gost)\n"
+#endif
 " -v increase verbosity level\n"
 " -h, --help display this help and exit\n"
 "\n");
@@ -1902,7 +1907,9 @@ static struct option opts[] = {
 {"selinux", 1, 0, 136},
 {"caps", 2, 0, 137},
 {"list", 0, 0, 138},
+#ifndef LIBRESSL_VERSION_NUMBER
 {"engine", 1, 0, 139},
+#endif
 {"xattr-user", 0, 0, 140},
 {}
@@ -1947,7 +1954,9 @@ static char *get_password(void)
 int main(int argc, char *argv[])
 {
 int err = 0, c, lind;
+#ifndef LIBRESSL_VERSION_NUMBER
 ENGINE *eng = NULL;
+#endif
 #if !(OPENSSL_VERSION_NUMBER < 0x10100000)
 OPENSSL_init_crypto(
@@ -2065,7 +2074,8 @@ int main(int argc, char *argv[])
 case 138:
 measurement_list = 1;
 break;
- case 139: /* --engine e */
+#ifndef LIBRESSL_VERSION_NUMBER
+ case 139: /* --engine e, only in OpenSSL, not in LibreSSL */
 eng = ENGINE_by_id(optarg);
 if (!eng) {
 log_err("engine %s isn't available\n", optarg);
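Review bot: The `#ifndef LIBRESSL_VERSION_NUMBER` guard around `#include <openssl/engine.h>` gates on the vendor rather than on the feature, so an OpenSSL built with `no-engine` (which defines `OPENSSL_NO_ENGINE` and leaves the ENGINE API undeclared) would still fail to compile; `#if defined(LIBRESSL_VERSION_NUMBER) || defined(OPENSSL_NO_ENGINE)` would cover both, and the same applies to the matching guards added in the usage(), opts[], `ENGINE *eng`, `case 139` and engine-cleanup hunks of this file. Either macro is only visible at this point because the hmac/err/rsa headers above pull in OpenSSL's version and configuration headers transitively; an explicit `#include <openssl/opensslv.h>` ahead of the first check makes that dependency explicit, and the identical check in src/libimaevm.c at line 71 depends on includes above that hunk which are not shown here. Unrelated to this change but visible in the trailing context, `#ifndef XATTR_APPAARMOR_SUFFIX` misspells the macro that the next line defines as `XATTR_APPARMOR_SUFFIX`, so that guard can never match its own definition and deserves a follow-up fix.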
@@ -2078,6 +2088,7 @@ int main(int argc, char *argv[])
 }
 ENGINE_set_default(eng, ENGINE_METHOD_ALL);
 break;
+#endif
 case 140: /* --xattr-user */
 xattr_ima = "user.ima";
 xattr_evm = "user.evm";
@@ -2108,6 +2119,7 @@ int main(int argc, char *argv[])
 }
 }
+#ifndef LIBRESSL_VERSION_NUMBER
 if (eng) {
 ENGINE_finish(eng);
 ENGINE_free(eng);
@@ -2115,6 +2127,7 @@ int main(int argc, char *argv[])
 ENGINE_cleanup();
 #endif
 }
+#endif
 ERR_free_strings();
 EVP_cleanup();
 BIO_free(NULL);
diff --git a/src/libimaevm.c b/src/libimaevm.c
index 7c17bf4..050ea78 100644
--- a/src/libimaevm.c
+++ b/src/libimaevm.c
@@ -71,8 +71,10 @@ static const char *const pkey_hash_algo[PKEY_HASH__LAST] = {
 [PKEY_HASH_SHA384] = "sha384",
 [PKEY_HASH_SHA512] = "sha512",
 [PKEY_HASH_SHA224] = "sha224",
+#ifndef LIBRESSL_VERSION_NUMBER
 [PKEY_HASH_STREEBOG_256] = "md_gost12_256",
 [PKEY_HASH_STREEBOG_512] = "md_gost12_512",
+#endif
 };
 /* Names that are primary for the kernel. */
-- 
2.20.1

P.S. Patch is against commit 3eab1f93 "ima-evm-utils: Release version 1.2.1", I did not find newer git.
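Review bot: Compiling out the `[PKEY_HASH_STREEBOG_256]` and `[PKEY_HASH_STREEBOG_512]` entries under LibreSSL leaves those two slots of `pkey_hash_algo[]` as NULL, so a lookup keyed by a hash-algorithm id taken from a signature header or xattr on disk (input the tool reads rather than controls) would now return NULL for those ids; whether every caller checks for that before handing the name to a digest lookup or a log message is not visible from this hunk. The commit message itself states that LibreSSL provides these digests natively as `streebog256`/`streebog512`, so mapping the names per vendor instead of dropping the entries keeps the table total and presumably lets GOST-signed files resolve on LibreSSL as well; an `#ifdef LIBRESSL_VERSION_NUMBER … #else … #endif` around the two initializers does that. The array's opening line lies outside the hunk (its declaration appears only in the hunk header).
```c
	[PKEY_HASH_SHA224] = "sha224",
#ifdef LIBRESSL_VERSION_NUMBER
	/* LibreSSL has built-in GOST digests under its own names (see commit message) */
	[PKEY_HASH_STREEBOG_256] = "streebog256",
	[PKEY_HASH_STREEBOG_512] = "streebog512",
#else
	[PKEY_HASH_STREEBOG_256] = "md_gost12_256",
	[PKEY_HASH_STREEBOG_512] = "md_gost12_512",
#endif
/* … unchanged: closing of pkey_hash_algo[] … */
```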